def test_get_uri_no_registered(self):
    """get_uri raises ParameterError for a URI type the client never registered.

    The client record holds only ``redirect_uris`` and the request supplies
    no URI, so asking for ``post_logout_redirect_uri`` is expected to be
    refused instead of being answered with some other registered URI.
    """
    context = self.endpoint.endpoint_context
    registered = [("https://rp.example.com/cb", {})]
    context.cdb["client_id"] = {"redirect_uris": registered}
    authz_request = {"client_id": "client_id"}

    with pytest.raises(ParameterError):
        get_uri(context, authz_request, "post_logout_redirect_uri")
def test_get_uri_more_then_one_registered(self):
    """get_uri raises ParameterError when no single default URI exists.

    Two redirect URIs are registered and the request names neither; the test
    expects get_uri to refuse rather than pick one of them.
    """
    context = self.endpoint.endpoint_context
    client_record = {
        "redirect_uris": [
            ("https://rp.example.com/cb", {}),
            ("https://rp.example.org/authz_cb", {"foo": "bar"}),
        ]
    }
    context.cdb["client_id"] = client_record
    authz_request = {"client_id": "client_id"}

    with pytest.raises(ParameterError):
        get_uri(context, authz_request, "redirect_uri")
def test_get_uri_no_redirect_uri(self):
    """get_uri returns the single registered redirect URI when the request omits one."""
    context = self.endpoint.endpoint_context
    only_uri = ("https://rp.example.com/cb", {})
    context.cdb["client_id"] = {"redirect_uris": [only_uri]}
    authz_request = {"client_id": "client_id"}

    resolved = get_uri(context, authz_request, "redirect_uri")
    assert resolved == "https://rp.example.com/cb"
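def _post_parse_request(self, request, client_id, endpoint_context, **kwargs):
    """
    Verify the authorization request.

    The checks run in a fixed order: the request must be non-empty, the
    client must be present in the client database, the response_type must
    pass ``verify_response_type`` and the redirect URI must be accepted by
    ``get_uri``. The first failing check ends processing.

    NOTE(review): every error returned here except the last one is produced
    before the redirect URI has been checked by ``get_uri``. Whatever
    delivers these errors should not redirect to a request-supplied
    ``redirect_uri`` for them -- confirm against the caller.

    :param request: The parsed authorization request (client-supplied).
    :param client_id: Identifier used to look the client up in
        ``endpoint_context.cdb``.
    :param endpoint_context: Context object providing the client database
        (``cdb``).
    :param kwargs: Accepted but not used by this method.
    :return: The filtered request with ``redirect_uri`` set to the value
        returned by ``get_uri``, or an ``AuthorizationErrorResponse``
        describing the first failed check.
    """
    if not request:
        logger.debug("No AuthzRequest")
        return AuthorizationErrorResponse(
            error="invalid_request",
            error_description="Can not parse AuthzRequest",
        )

    request = self.filter_request(endpoint_context, request)

    _cinfo = endpoint_context.cdb.get(client_id)
    if not _cinfo:
        # Log the identifier that was actually looked up. Indexing
        # request["client_id"] here could raise KeyError when the request
        # carries no client_id, and could name a different value than the
        # one that failed the lookup. %r keeps line breaks embedded in this
        # client-supplied value from starting a forged log line.
        logger.error("Client ID (%r) not in client database", client_id)
        return AuthorizationErrorResponse(
            error="unauthorized_client", error_description="unknown client"
        )

    # Is the asked for response_type among those that are permitted
    if not self.verify_response_type(request, _cinfo):
        return AuthorizationErrorResponse(
            error="invalid_request",
            error_description="Trying to use unregistered response_type",
        )

    # Get a verified redirect URI
    try:
        redirect_uri = get_uri(endpoint_context, request, "redirect_uri")
    except (RedirectURIError, ParameterError, UnknownClient) as err:
        # NOTE(review): the description carries the exception class name and
        # message back to the requester; confirm that is intended.
        return AuthorizationErrorResponse(
            error="invalid_request",
            error_description="{}:{}".format(err.__class__.__name__, err),
        )
    else:
        # Overwrite whatever the request carried with the value get_uri
        # returned, so later steps only see that one.
        request["redirect_uri"] = redirect_uri

    return request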
def post_authentication(self, user, request, sid, **kwargs):
    """
    Build the authorization response after a successful authentication.

    Steps, in order: run the authorization call for the user and client,
    store the resulting permission on the session, refuse revoked sessions,
    create the authentication response, resolve the redirect URI through
    ``get_uri``, create the session cookie and, when the request carries a
    ``response_mode``, apply it.

    :param user: The authenticated user; also passed as ``sub`` when the
        session cookie is created.
    :param request: The authorization request.
    :param sid: Session identifier.
    :param kwargs: Accepted but not used by this method.
    :return: The result of ``create_authn_response`` (documented upstream as
        a dictionary with 'response_args'), extended with 'return_uri' and
        'cookie'; or whatever ``self.error_response`` returns when a step
        fails.
    """
    outcome = {}

    # Do the authorization
    try:
        granted = self.endpoint_context.authz(user, client_id=request["client_id"])
    except ToOld as err:
        return self.error_response(
            outcome, "access_denied", f"Authentication to old {err.args}"
        )
    except Exception as err:
        # NOTE(review): every other failure is reported as access_denied and
        # the raw exception args go into the description; what reaches the
        # client depends on error_response -- confirm nothing internal leaks.
        return self.error_response(outcome, "access_denied", str(err.args))

    # Both handlers above return, so this point is reached only when the
    # authorization call succeeded.
    try:
        self.endpoint_context.sdb.update(sid, permission=granted)
    except Exception as err:
        return self.error_response(outcome, "server_error", str(err.args))

    logger.debug("response type: %s" % request["response_type"])

    if self.endpoint_context.sdb.is_session_revoked(sid):
        return self.error_response(outcome, "access_denied", "Session is revoked")

    outcome = create_authn_response(self, request, sid)

    # NOTE(review): this writes every registered client id to the debug log
    # on each call.
    logger.debug(f"Known clients: {list(self.endpoint_context.cdb.keys())}")

    # The redirect URI is resolved through get_uri again instead of being
    # read straight from the request.
    try:
        verified_uri = get_uri(self.endpoint_context, request, "redirect_uri")
    except (RedirectURIError, ParameterError) as err:
        return self.error_response(outcome, "invalid_request", str(err.args))
    outcome["return_uri"] = verified_uri

    # Must not use HTTP unless implicit grant type and native application
    # NOTE(review): the check below is commented out, so nothing in this
    # method enforces that rule.
    # info = self.aresp_check(response_info['response_args'], request)
    # if isinstance(info, ResponseMessage):
    #     return info

    # NOTE(review): request["state"] is indexed directly; a request without
    # "state" raises KeyError here unless an earlier step guarantees it.
    session_cookie = new_cookie(
        self.endpoint_context,
        sub=user,
        sid=sid,
        state=request["state"],
        client_id=request["client_id"],
        cookie_name=self.endpoint_context.cookie_name["session"],
    )

    # Now about the response_mode. Should not be set if it's obvious
    # from the response_type. Knows about 'query', 'fragment' and
    # 'form_post'.
    if "response_mode" in request:
        try:
            outcome = self.response_mode(request, **outcome)
        except InvalidRequest as err:
            return self.error_response(outcome, "invalid_request", str(err.args))

    outcome["cookie"] = [session_cookie]

    return outcome