def test_keyjar_remove_key(): ks = KeyJar() ks[""] = KeyBundle([{"kty": "oct", "key": "a1b2c3d4", "use": "sig"}, {"kty": "oct", "key": "a1b2c3d4", "use": "ver"}]) ks["http://www.example.org"] = [ KeyBundle([ {"kty": "oct", "key": "e5f6g7h8", "use": "sig"}, {"kty": "oct", "key": "e5f6g7h8", "use": "ver"}]), keybundle_from_local_file(RSAKEY, "rsa", ["enc", "dec"]) ] ks["http://www.example.com"] = keybundle_from_local_file(RSA0, "rsa", ["enc", "dec"]) coll = ks["http://www.example.org"] # coll is list of KeyBundles assert len(coll) == 2 keys = ks.get_encrypt_key(key_type="RSA", owner="http://www.example.org") assert len(keys) == 1 _key = keys[0] ks.remove_key("http://www.example.org", "RSA", _key) coll = ks["http://www.example.org"] assert len(coll) == 1 # Only one remaining key keys = ks.get_encrypt_key(key_type="rsa", owner="http://www.example.org") assert len(keys) == 0 keys = ks.verify_keys("http://www.example.com") assert len(keys) == 1 assert len([k for k in keys if k.kty == "oct"]) == 1 keys = ks.decrypt_keys("http://www.example.org") assert keys == []
def test_remove_key(self): ks = KeyJar() ks[""] = KeyBundle([ { "kty": "oct", "key": "a1b2c3d4", "use": "sig" }, { "kty": "oct", "key": "a1b2c3d4", "use": "ver" }, ]) ks["http://www.example.org"] = [ KeyBundle([ { "kty": "oct", "key": "e5f6g7h8", "use": "sig" }, { "kty": "oct", "key": "e5f6g7h8", "use": "ver" }, ]), keybundle_from_local_file(RSAKEY, "rsa", ["enc", "dec"]), ] ks["http://www.example.com"] = keybundle_from_local_file( RSA0, "rsa", ["enc", "dec"]) coll = ks["http://www.example.org"] # coll is list of KeyBundles assert len(coll) == 2 keys = ks.get_encrypt_key(key_type="RSA", owner="http://www.example.org") assert len(keys) == 1 _key = keys[0] ks.remove_key("http://www.example.org", "RSA", _key) coll = ks["http://www.example.org"] assert len(coll) == 1 # Only one remaining key keys = ks.get_encrypt_key(key_type="rsa", owner="http://www.example.org") assert len(keys) == 0 keys = ks.verify_keys("http://www.example.com") assert len(keys) == 2 assert len([k for k in keys if k.kty == "oct"]) == 2 keys = ks.decrypt_keys("http://www.example.org") assert keys == []
def test_keyjar_pairkeys(): ks = KeyJar() ks[""] = KeyBundle([{ "kty": "oct", "key": "a1b2c3d4", "use": "sig" }, { "kty": "oct", "key": "a1b2c3d4", "use": "ver" }]) ks["http://www.example.org"] = KeyBundle([{ "kty": "oct", "key": "e5f6g7h8", "use": "sig" }, { "kty": "oct", "key": "e5f6g7h8", "use": "ver" }]) ks["http://www.example.org"].append( keybundle_from_local_file(RSAKEY, "rsa", ["ver", "sig"])) collection = ks.verify_keys("http://www.example.org") assert len(collection) == 3 assert len([k for k in collection if k.kty == "oct"]) == 2 assert len([k for k in collection if k.kty == "RSA"]) == 1
def test_srv2(): cc = ClaimsClient(client_id="client_1") cc.client_secret = "hemlig" req = cc.construct_UserClaimsRequest( request_args={ "sub": "diana", "claims_names": ["gender", "birthdate"] }) srv = ClaimsServer("pyoicserv", SessionDB(), CDB, USERINFO, verify_client, keyjar=KEYJAR, dist_claims_mode=ClaimsMode(USER2MODE)) srv.keyjar[""] = keybundle_from_local_file("rsa.key", "rsa", ["ver", "sig"]) assert srv resp = srv.claims_endpoint(req.to_urlencoded(), "") print resp.message ucr = UserClaimsResponse().deserialize(resp.message, "json") ucr.verify(keyjar=srv.keyjar) print ucr assert _eq(ucr["claims_names"], ["gender", "birthdate"]) assert "jwt" in ucr
def test_keyjar_group_keys(self): ks = KeyJar() ks[""] = KeyBundle([{ "kty": "oct", "key": "a1b2c3d4", "use": "sig" }, { "kty": "oct", "key": "a1b2c3d4", "use": "ver" }]) ks["http://www.example.org"] = KeyBundle([{ "kty": "oct", "key": "e5f6g7h8", "use": "sig" }, { "kty": "oct", "key": "e5f6g7h8", "use": "ver" }]) ks["http://www.example.org"].append( keybundle_from_local_file(RSAKEY, "rsa", ["ver", "sig"])) verified_keys = ks.verify_keys("http://www.example.org") assert len(verified_keys) == 6 assert len([k for k in verified_keys if k.kty == "oct"]) == 4 assert len([k for k in verified_keys if k.kty == "RSA"]) == 2
def test_sign_enc_request(self): cli = Client() cli.redirect_uris = ["http://www.example.org/authz"] cli.client_id = "client_1" for kb in self.server.keyjar.issuer_keys[""]: _jwks = kb.jwks() _keys = [k for k in json.loads(_jwks)["keys"] if k["use"] in ["ver"]] _kb = KeyBundle(_keys) cli.keyjar.add_kb(self.server.name, _kb) _kb = keybundle_from_local_file("%s/rsa.pub" % BASE_PATH, "RSA", ["enc"]) cli.keyjar.add_kb(self.server.name, _kb) request_args = {"redirect_uri": cli.redirect_uris[0], "client_id": cli.client_id, "scope": "openid", "response_type": "code"} kwargs = {"request_object_signing_alg": "none", "request_object_encryption_alg": "RSA1_5", "request_object_encryption_enc": "A128CBC-HS256", "request_method": "parameter", "target": self.server.name} areq = cli.construct_AuthorizationRequest(request_args=request_args, **kwargs) assert areq assert areq["request"]
def test_dump_issuer_keys(self): kb = keybundle_from_local_file("file://%s/jwk.json" % BASE_PATH, "jwk", ["ver", "sig"]) assert len(kb) == 1 kj = KeyJar() kj.issuer_keys[""] = [kb] res = kj.dump_issuer_keys("") assert len(res) == 1 assert res[0] == { 'use': 'sig', 'e': 'AQAB', 'kty': 'RSA', 'alg': 'RS256', 'n': 'pKybs0WaHU_y4cHxWbm8Wzj66HtcyFn7Fh3n-99qTXu5yNa30MRYIYfSDwe9JVc1JUoGw41yq2StdGBJ40HxichjE-Yopfu3B58Q' 'lgJvToUbWD4gmTDGgMGxQxtv1En2yedaynQ73sDpIK-12JJDY55pvf-PCiSQ9OjxZLiVGKlClDus44_uv2370b9IN2JiEOF-a7JB' 'qaTEYLPpXaoKWDSnJNonr79tL0T7iuJmO1l705oO3Y0TQ-INLY6jnKG_RpsvyvGNnwP9pMvcP1phKsWZ10ofuuhJGRp8IxQL9Rfz' 'T87OvF0RBSO1U73h09YP-corWDsnKIi6TbzRpN5YDw', 'kid': 'abc' }
def test_srv2(): cc = ClaimsClient(client_id="client_1") cc.client_secret = "hemlig" req = cc.construct_UserClaimsRequest( request_args={"sub": "diana", "claims_names": ["gender", "birthdate"]}) srv = ClaimsServer("pyoicserv", SessionDB("https://example.com"), CDB, USERINFO, verify_client, keyjar=KEYJAR, dist_claims_mode=ClaimsMode(USER2MODE)) srv.keyjar[""] = keybundle_from_local_file("%s/rsa.key" % BASE_PATH, "rsa", ["ver", "sig"]) assert srv resp = srv.claims_endpoint(req.to_urlencoded(), "") print resp.message ucr = UserClaimsResponse().deserialize(resp.message, "json") ucr.verify(keyjar=srv.keyjar) print ucr assert _eq(ucr["claims_names"], ["gender", "birthdate"]) assert "jwt" in ucr
def test_kid_usage(): kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"]) kj = KeyJar() kj.issuer_keys["https://example.com"] = [kb] _key = kj.get_key_by_kid("abc", "https://example.com") assert _key assert _key.kid == "abc"
def test_local_jwk_file(): kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"]) assert len(kb) == 1 kj = KeyJar() kj.issuer_keys[""] = [kb] keys = kj.get_signing_key() assert len(keys) == 1 key = keys[0] assert isinstance(key, RSAKey) assert key.kid == "abc"
def keyjar(self): symkey = KeyBundle( [{"kty": "oct", "key": "abcdefghijklmnop", "use": "ver"}, {"kty": "oct", "key": "abcdefghijklmnop", "use": "sig"}]) base_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "data/keys")) rsakey = keybundle_from_local_file( os.path.abspath(os.path.join(base_path, "rsa.key")), "rsa", ["ver", "sig"]) keyjar = KeyJar() keyjar["client1"] = [symkey, rsakey] keyjar[""] = rsakey return keyjar
def test_unpack_verify_key(self): srv = JWT(keyjar, iss=issuer) _jwt = srv.pack(sub="sub") # Remove the signing key from keyjar keyjar.remove_key("", "RSA", "") # And add it back as verify kb = keybundle_from_local_file(os.path.join(BASE_PATH, "cert.key"), "RSA", ["ver"]) # keybundle_from_local_file doesn'assign kid, so assign manually kb._keys[0].kid = kidd["sig"]["RSA"] keyjar.add_kb("", kb) info = srv.unpack(_jwt) assert info["sub"] == "sub"
def test_signing(): kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"]) assert len(kb) == 1 kj = KeyJar() kj.issuer_keys[""] = [kb] keys = kj.get_signing_key() payload = "Please take a moment to register today" _jws = JWS(payload, alg="RS512") try: _jwt = _jws.sign_compact(keys) assert False except (NoSuitableSigningKeys, WrongTypeOfKey): assert True
def test_signing(): # Signing is only possible if key is a private RSA key kb = keybundle_from_local_file("rsa.key", "rsa", ["ver", "sig"]) assert len(kb) == 2 kj = KeyJar() kj.issuer_keys[""] = [kb] keys = kj.get_signing_key() payload = "Please take a moment to register today" _jws = JWS(payload, alg="RS512") try: _jwt = _jws.sign_compact(keys) assert True except (NoSuitableSigningKeys, WrongTypeOfKey): assert False
def test_keyjar_pairkeys(): ks = KeyJar() ks[""] = KeyBundle([{"kty": "oct", "key": "a1b2c3d4", "use": "sig"}, {"kty": "oct", "key": "a1b2c3d4", "use": "ver"}]) ks["http://www.example.org"] = KeyBundle([ {"kty": "oct", "key": "e5f6g7h8", "use": "sig"}, {"kty": "oct", "key": "e5f6g7h8", "use": "ver"}]) ks["http://www.example.org"].append( keybundle_from_local_file(RSAKEY, "rsa", ["ver", "sig"])) collection = ks.verify_keys("http://www.example.org") assert len(collection) == 3 assert len([k for k in collection if k.kty == "oct"]) == 2 assert len([k for k in collection if k.kty == "RSA"]) == 1
def test_keyjar_group_keys(self): ks = KeyJar() ks[""] = KeyBundle([{"kty": "oct", "key": "a1b2c3d4", "use": "sig"}, {"kty": "oct", "key": "a1b2c3d4", "use": "ver"}]) ks["http://www.example.org"] = KeyBundle([ {"kty": "oct", "key": "e5f6g7h8", "use": "sig"}, {"kty": "oct", "key": "e5f6g7h8", "use": "ver"}]) ks["http://www.example.org"].append( keybundle_from_local_file(RSAKEY, "rsa", ["ver", "sig"])) verified_keys = ks.verify_keys("http://www.example.org") assert len(verified_keys) == 3 assert len([k for k in verified_keys if k.kty == "oct"]) == 2 assert len([k for k in verified_keys if k.kty == "RSA"]) == 1
def test_dump_own_keys(): kb = keybundle_from_local_file("file://jwk.json", "jwk", ["ver", "sig"]) assert len(kb) == 1 kj = KeyJar() kj.issuer_keys[""] = [kb] res = kj.dump_issuer_keys("") assert len(res) == 1 assert res[0] == { 'use': u'sig', 'e': u'AQAB', 'kty': u'RSA', 'alg': u'RS256', 'n': u'pKybs0WaHU_y4cHxWbm8Wzj66HtcyFn7Fh3n-99qTXu5yNa30MRYIYfSDwe9JVc1JUoGw41yq2StdGBJ40HxichjE-Yopfu3B58QlgJvToUbWD4gmTDGgMGxQxtv1En2yedaynQ73sDpIK-12JJDY55pvf-PCiSQ9OjxZLiVGKlClDus44_uv2370b9IN2JiEOF-a7JBqaTEYLPpXaoKWDSnJNonr79tL0T7iuJmO1l705oO3Y0TQ-INLY6jnKG_RpsvyvGNnwP9pMvcP1phKsWZ10ofuuhJGRp8IxQL9RfzT87OvF0RBSO1U73h09YP-corWDsnKIi6TbzRpN5YDw', 'kid': u'abc'}
def test_update_RSA(self): kc = keybundle_from_local_file(RSAKEY, "rsa", ["ver", "sig"]) assert kc.remote is False assert len(kc.get("oct")) == 0 assert len(kc.get("RSA")) == 2 key = kc.get("RSA")[0] assert isinstance(key, RSAKey) kc.update() assert kc.remote is False assert len(kc.get("oct")) == 0 assert len(kc.get("RSA")) == 2 key = kc.get("RSA")[0] assert isinstance(key, RSAKey)
def test_chain_2(): kc = keybundle_from_local_file(RSAKEY, "rsa", ["ver","sig"]) assert kc.remote is False assert len(kc.get("oct")) == 0 assert len(kc.get("RSA")) == 2 key = kc.get("RSA")[0] assert isinstance(key, RSAKey) kc.update() assert kc.remote is False assert len(kc.get("oct")) == 0 assert len(kc.get("RSA")) == 2 key = kc.get("RSA")[0] assert isinstance(key, RSAKey)
def keyjar(self): symkey = KeyBundle([{ "kty": "oct", "key": "abcdefghijklmnop", "use": "ver" }, { "kty": "oct", "key": "abcdefghijklmnop", "use": "sig" }]) base_path = os.path.abspath( os.path.join(os.path.dirname(__file__), "data/keys")) rsakey = keybundle_from_local_file( os.path.abspath(os.path.join(base_path, "rsa.key")), "rsa", ["ver", "sig"]) keyjar = KeyJar() keyjar["client1"] = [symkey, rsakey] keyjar[""] = rsakey return keyjar
def test_sign_enc_request(self): cli = Client() cli.redirect_uris = ["http://www.example.org/authz"] cli.client_id = "client_1" for kb in self.server.keyjar.issuer_keys[""]: _jwks = kb.jwks() _keys = [ k for k in json.loads(_jwks)["keys"] if k["use"] in ["ver"] ] _kb = KeyBundle(_keys) cli.keyjar.add_kb(self.server.name, _kb) _kb = keybundle_from_local_file("%s/rsa.pub" % BASE_PATH, "RSA", ["enc"]) cli.keyjar.add_kb(self.server.name, _kb) request_args = { "redirect_uri": cli.redirect_uris[0], "client_id": cli.client_id, "scope": "openid", "response_type": "code" } kwargs = { "request_object_signing_alg": "none", "request_object_encryption_alg": "RSA1_5", "request_object_encryption_enc": "A128CBC-HS256", "request_method": "parameter", "target": self.server.name } areq = cli.construct_AuthorizationRequest(request_args=request_args, **kwargs) assert areq assert areq["request"]
def __init__(self, base_url, client_metadata_func): # Read OP configuration from file with open("conf/op_config.json", "r") as f: op_capabilities = json.load(f) for key, value in op_capabilities.iteritems(): if isinstance(value, basestring): op_capabilities[key] = value.format(base=base_url) # replace placeholder with the actual base name self.OP = Provider(base_url, {}, client_metadata_func, None, None, None, None, None, capabilities=op_capabilities) self.OP.baseurl = op_capabilities["issuer"] # Setup up keys for signing and encrypting self.OP.keyjar = KeyJar() kb = keybundle_from_local_file("inAcademia", "RSA", ["sig", "enc"]) self.OP.keyjar.add_kb("", kb) try: file_name = "static/jwks.json" dump_jwks([kb], file_name) self.OP.jwks_uri.append("{}/{}".format(base_url, file_name)) except Exception as e: logger.exception("Signing and encryption keys could not be written to jwks.json.") raise
from oic.utils.keyio import KeyJar from oic.utils.keyio import keybundle_from_local_file from oic.utils.sdb import SessionDB from software_statement.message import SWSMessage from six.moves.urllib.parse import urlparse, parse_qs from software_statement.provider import SWSProvider, SWS_CACHE_KEY OP_ISSUER = "https://connect-op.heroku.com" CLIENT_ID = "client_1" SIGNING_KEY_FILE = "private.key" BASE_PATH = os.path.abspath( os.path.join(os.path.dirname(__file__), "keys")) KC_RSA = keybundle_from_local_file(os.path.join(BASE_PATH, SIGNING_KEY_FILE), "RSA", ["ver", "sig"]) KEYJAR = KeyJar() KEYJAR[CLIENT_ID] = [KC_RSA] KEYJAR[""] = KC_RSA CDB = {} class DummyAuthn(UserAuthnMethod): def __init__(self, srv, user): UserAuthnMethod.__init__(self, srv) self.user = user def authenticated_as(self, cookie=None, **kwargs): if cookie == "FAIL":
def create_client(self, userid="", **kwargs): """ Do an instantiation of a client instance :param userid: An identifier of the user :param: Keyword arguments Keys are ["srv_discovery_url", "client_info", "client_registration", "provider_info"] :return: client instance """ _key_set = set(kwargs.keys()) args = {} for param in ["verify_ssl"]: try: args[param] = kwargs[param] except KeyError: pass else: _key_set.discard(param) try: verify_ssl = default_ssl_check except: verify_ssl = True # Check to see if there is a keyset specified in the client_registration (if it is a client_registration type) # This gets used if the authentication method is "private_key_jwt if "client_registration" in _key_set: if "keyset_jwk_file" in kwargs["client_registration"].keys(): key_bundle = keyio.keybundle_from_local_file(kwargs["client_registration"]["keyset_jwk_file"],"jwk","sig") key_jar =keyio.KeyJar(verify_ssl=verify_ssl) key_jar.add_kb("",key_bundle) args["keyjar"] = key_jar client = self.client_cls(client_authn_method=CLIENT_AUTHN_METHOD, behaviour=kwargs["behaviour"], verify_ssl=verify_ssl, **args) # The behaviour parameter is not significant for the election process _key_set.discard("behaviour") for param in ["allow"]: try: setattr(client, param, kwargs[param]) except KeyError: pass else: _key_set.discard(param) if _key_set == set(["client_info"]): # Everything dynamic # There has to be a userid if not userid: raise MissingAttribute("Missing userid specification") # Find the service that provides information about the OP issuer = client.wf.discovery_query(userid) # Gather OP information client.provider_config(issuer) # register the client client.register( client.provider_info["registration_endpoint"], **kwargs["client_info"] ) elif _key_set == set(["client_info", "srv_discovery_url"]): # Ship the webfinger part # Gather OP information client.provider_config(kwargs["srv_discovery_url"]) # register the client client.register( client.provider_info["registration_endpoint"], **kwargs["client_info"] ) elif _key_set == set(["provider_info", "client_info"]): client.handle_provider_config( ProviderConfigurationResponse(**kwargs["provider_info"]), kwargs["provider_info"]["issuer"]) client.register(client.provider_info["registration_endpoint"], **kwargs["client_info"]) elif _key_set == set(["provider_info", "client_registration"]): client.handle_provider_config( ProviderConfigurationResponse(**kwargs["provider_info"]), kwargs["provider_info"]["issuer"]) client.store_registration_info(RegistrationResponse( **kwargs["client_registration"])) elif _key_set == set(["srv_discovery_url", "client_registration"]): try: client.provider_config(kwargs["srv_discovery_url"]) client.store_registration_info( RegistrationResponse(**kwargs["client_registration"]) ) except Exception as e: logger.error( "Provider info discovery failed for %s - assume backend unworkable", kwargs["srv_discovery_url"] ) logger.exception(e) else: raise Exception("Configuration error ?") return client
from oic.oic.consumer import Consumer from oic.oic.consumer import IGNORE from oic.oic.consumer import clean_response from oic.utils.time_util import utc_time_sans_frac from oic.utils.sdb import SessionDB from fakeoicsrv import MyFakeOICServer CLIENT_SECRET = "abcdefghijklmnop" CLIENT_ID = "client_1" KC_SYM_VS = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "ver"}) KC_SYM_S = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "sig"}) KC_RSA = keybundle_from_local_file("../oidc_example/op1/certs/mycert.key", "rsa", ["ver", "sig"]) SRVKEYS = KeyJar() SRVKEYS[""] = [KC_RSA] SRVKEYS["client_1"] = [KC_SYM_VS, KC_RSA] CLIKEYS = KeyJar() CLIKEYS["http://localhost:8088"] = [KC_RSA] CLIKEYS[""] = [KC_SYM_VS] CLIKEYS["http://example.com"] = [KC_RSA] BASE_ENVIRON = {'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': '', 'HTTP_CONNECTION': 'keep-alive', 'REMOTE_ADDR': '127.0.0.1',
from oic.utils.sdb import SessionDB from fakeoicsrv import MyFakeOICServer from mitmsrv import MITMServer from utils_for_tests import _eq CLIENT_SECRET = "abcdefghijklmnop" CLIENT_ID = "client_1" KC_SYM_VS = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "ver"}) KC_SYM_S = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "sig"}) BASE_PATH = os.path.dirname(os.path.abspath(__file__)) KC_RSA = keybundle_from_local_file("%s/rsa.key" % BASE_PATH, "rsa", ["ver", "sig"]) SRVKEYS = KeyJar() SRVKEYS[""] = [KC_RSA] SRVKEYS["client_1"] = [KC_SYM_VS, KC_RSA] CLIKEYS = KeyJar() CLIKEYS["http://localhost:8088"] = [KC_RSA] CLIKEYS[""] = [KC_SYM_VS] CLIKEYS["http://example.com"] = [KC_RSA] BASE_ENVIRON = { 'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': '', 'HTTP_CONNECTION': 'keep-alive',
from oic.oic.consumer import Consumer from oic.oic.consumer import IGNORE from oic.oic.consumer import clean_response from oic.utils.time_util import utc_time_sans_frac from oic.utils.sdb import SessionDB from fakeoicsrv import MyFakeOICServer from mitmsrv import MITMServer __author__ = 'rohe0002' KC_SYM_VS = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "ver"}) KC_SYM_S = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "sig"}) BASE_PATH = os.path.abspath(os.path.join(os.path.dirname(__file__), "data/keys")) KC_RSA = keybundle_from_local_file(os.path.join(BASE_PATH, "rsa.key"), "rsa", ["ver", "sig"]) SRVKEYS = KeyJar() SRVKEYS[""] = [KC_RSA] SRVKEYS["client_1"] = [KC_SYM_VS, KC_RSA] CLIKEYS = KeyJar() CLIKEYS["http://localhost:8088"] = [KC_RSA] CLIKEYS[""] = [KC_RSA, KC_SYM_VS] CLIKEYS["http://example.com"] = [KC_RSA] SERVER_INFO = { "version": "3.0", "issuer": "https://localhost:8088", "authorization_endpoint": "http://localhost:8088/authorization", "token_endpoint": "http://localhost:8088/token",
from oic.oic.message import OpenIDSchema from oic.oic.message import ProviderConfigurationResponse from oic.utils.authn.client import CLIENT_AUTHN_METHOD from oic.utils.keyio import KeyBundle from oic.utils.keyio import KeyJar from oic.utils.keyio import keybundle_from_local_file from oic.utils.time_util import utc_time_sans_frac __author__ = 'rohe0002' KC_SYM_VS = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "ver"}) KC_SYM_S = KeyBundle({"kty": "oct", "key": "abcdefghijklmnop", "use": "sig"}) BASE_PATH = os.path.abspath( os.path.join(os.path.dirname(__file__), "data/keys")) KC_RSA = keybundle_from_local_file(os.path.join(BASE_PATH, "rsa.key"), "rsa", ["ver", "sig"]) SRVKEYS = KeyJar() SRVKEYS[""] = [KC_RSA] SRVKEYS["client_1"] = [KC_SYM_VS, KC_RSA] CLIKEYS = KeyJar() CLIKEYS["http://localhost:8088"] = [KC_RSA] CLIKEYS[""] = [KC_RSA, KC_SYM_VS] CLIKEYS["http://example.com"] = [KC_RSA] SERVER_INFO = { "version": "3.0", "issuer": "https://localhost:8088", "authorization_endpoint": "http://localhost:8088/authorization", "token_endpoint": "http://localhost:8088/token",
cdb = json.loads(open("claims_client.json").read()) userinfo = UserInfo(USERDB) # in memory session storage config = json.loads(open(args.config).read()) sdb = create_session_db(config["issuer"], config["SESSION_KEY"], password="******") OAS = ClaimsServer(config["issuer"], sdb, cdb, userinfo, verify_client) if "keys" in config: for typ, info in config["keys"].items(): OAS.keyjar.add_kb("", keybundle_from_local_file(info["key"], "rsa", ["ver", "sig"])) try: OAS.jwks_uri.append(info["jwk"]) except KeyError: pass #print URLS if args.debug: OAS.debug = True OAS.endp = ENDPOINTS if args.port == 80: OAS.baseurl = config["baseurl"] else: if config["baseurl"].endswith("/"): config["baseurl"] = config["baseurl"][:-1]
from jwkest.jws import alg2keytype from oic.oic.message import IdToken from oic.utils.keyio import KeyJar, keybundle_from_local_file __author__ = 'rohe0002' kc = keybundle_from_local_file("../oc3/certs/mycert.key", "rsa", ["ver", "sig"]) kj = KeyJar() kj["foobar"] = [kc] idt = IdToken().from_dict({"user_id": "diana", "aud": "uo5nowsdL3ck", "iss": "https://localhost:8092", "acr": "2", "exp": 1354442188, "iat": 1354359388}) ckey = kj.get_signing_key(alg2keytype("RS256"), "foobar") _signed_jwt = idt.to_jwt(key=ckey, algorithm="RS256")
"flows_supported": ["code", "token", "code token"], #"identifiers_supported":["public","ppid"], #"x509_url":"https://connect-op.heroku.com/cert.pem" } BASE_PATH = os.path.dirname(os.path.abspath(__file__)) CLIENT_SECRET = "abcdefghijklmnop" CLIENT_ID = "client_1" KC_SYM = KeyBundle([{"kty": "oct", "key": CLIENT_SECRET, "use": "ver"}, {"kty": "oct", "key": CLIENT_SECRET, "use": "sig"}]) KC_SYM2 = KeyBundle([{"kty": "oct", "key": "drickyoughurt", "use": "sig"}, {"kty": "oct", "key": "drickyoughurt", "use": "ver"}]) KC_RSA = keybundle_from_local_file("%s/rsa.key" % BASE_PATH, "RSA", ["ver", "sig"]) KEYJAR = KeyJar() KEYJAR[CLIENT_ID] = [KC_SYM, KC_RSA] KEYJAR["number5"] = [KC_SYM2, KC_RSA] KEYJAR[""] = KC_RSA CDB = { "number5": { "password": "******", "client_secret": "drickyoughurt", # "jwk_key": CONSUMER_CONFIG["key"], "redirect_uris": [("http://localhost:8087/authz", None)], "post_logout_redirect_uris": [("https://example.com/post_logout", None)] }, "a1b2c3": {
cdb = json.loads(open("claims_client.json").read()) userinfo = UserInfo(USERDB) # in memory session storage config = json.loads(open(args.config).read()) sdb = create_session_db(config["issuer"], config["SESSION_KEY"], password="******") OAS = ClaimsServer(config["issuer"], sdb, cdb, userinfo, verify_client) if "keys" in config: for typ, info in config["keys"].items(): OAS.keyjar.add_kb("", keybundle_from_local_file(info["key"], "rsa", ["ver", "sig"])) try: OAS.jwks_uri.append(info["jwk"]) except KeyError: pass #print URLS if args.debug: OAS.debug = True OAS.endpoints = ENDPOINTS if args.port == 80: OAS.baseurl = config["baseurl"] else: if config["baseurl"].endswith("/"): config["baseurl"] = config["baseurl"][:-1]
args = parser.parse_args() cdb = json.loads(open("claims_client.json").read()) userinfo = UserInfo(USERDB) # in memory session storage config = json.loads(open(args.config).read()) OAS = ClaimsServer(config["issuer"], SessionDB(), cdb, userinfo, verify_client) if "keys" in config: for typ, info in config["keys"].items(): OAS.keyjar.add_kb( "", keybundle_from_local_file(info["key"], "rsa", ["ver", "sig"])) try: OAS.jwks_uri.append(info["jwk"]) except KeyError: pass #print URLS if args.debug: OAS.debug = True OAS.endpoints = ENDPOINTS if args.port == 80: OAS.baseurl = config["baseurl"] else: if config["baseurl"].endswith("/"): config["baseurl"] = config["baseurl"][:-1]
}, { "kty": "oct", "key": CLIENT_SECRET, "use": "sig" }]) KC_SYM2 = KeyBundle([{ "kty": "oct", "key": "drickyoughurt", "use": "sig" }, { "kty": "oct", "key": "drickyoughurt", "use": "ver" }]) KC_RSA = keybundle_from_local_file("../oidc_example/op1/certs/mycert.key", "rsa", ["ver", "sig"]) KEYJAR = KeyJar() KEYJAR[CLIENT_ID] = [KC_SYM, KC_RSA] KEYJAR["number5"] = [KC_SYM2, KC_RSA] KEYJAR[""] = KC_RSA CDB = { "number5": { "password": "******", "client_secret": "drickyoughurt", #"jwk_key": CONSUMER_CONFIG["key"], "redirect_uris": [("http://localhost:8087/authz", None)], }, "a1b2c3": { "redirect_uris": [("http://localhost:8087/authz", None)]
#"registration_endpoint":"https://connect-op.heroku.com/connect/client", #"scopes_supported":["openid","profile","email","address","PPID"], "flows_supported": ["code", "token", "code token"], #"identifiers_supported":["public","ppid"], #"x509_url":"https://connect-op.heroku.com/cert.pem" } CLIENT_SECRET = "abcdefghijklmnop" CLIENT_ID = "client_1" KC_SYM = KeyBundle([{"kty": "oct", "key": CLIENT_SECRET, "use": "ver"}, {"kty": "oct", "key": CLIENT_SECRET, "use": "sig"}]) KC_SYM2 = KeyBundle([{"kty": "oct", "key": "drickyoughurt", "use": "sig"}, {"kty": "oct", "key": "drickyoughurt", "use": "ver"}]) KC_RSA = keybundle_from_local_file("../oc3/certs/mycert.key", "RSA", ["ver", "sig"]) KEYJAR = KeyJar() KEYJAR[CLIENT_ID] = [KC_SYM, KC_RSA] KEYJAR["number5"] = [KC_SYM2, KC_RSA] KEYJAR[""] = KC_RSA CDB = { "number5": { "password": "******", "client_secret": "drickyoughurt", #"jwk_key": CONSUMER_CONFIG["key"], "redirect_uris": [("http://localhost:8087/authz", None)], }, "a1b2c3": { "redirect_uris": [("http://localhost:8087/authz", None)]
"client_secret": "drickyoghurt", "redirect_uris": [("http://*****:*****@example.com", "verified": True, "sub": "username" } } PROVIDER_RSA = keybundle_from_local_file( "tests/keys/cert.key", "RSA", ["ver", "sig"]) PROVIDER_KEYJAR = KeyJar() PROVIDER_KEYJAR[""] = PROVIDER_RSA CLIENT_RSA = keybundle_from_local_file( "tests/keys/rsa.key", "RSA", ["ver", "sig"]) CLIENT_KEYJAR = KeyJar() CLIENT_KEYJAR[""] = CLIENT_RSA class DummyAuthn(UserAuthnMethod): def __init__(self, srv, user): UserAuthnMethod.__init__(self, srv) self.user = user