def test_cdb():
endpoint_context = EndpointContext(conf)
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
assert set(
endpoint_context.cdb.keys()) == {"client1", "client2", "client3"}
def create_endpoint(self):
self.endpoint = userinfo.UserInfo(KEYJAR)
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"jwks": {
'url_path': '{}/jwks.json',
'local_path': 'static/jwks.json',
'private_path': 'own/jwks.json'
},
'endpoint': {
'provider_config': {
'path': '{}/.well-known/openid-configuration',
'class': ProviderConfiguration,
'kwargs': {}
},
'registration': {
'path': '{}/registration',
'class': Registration,
'kwargs': {}
},
'authorization': {
'path': '{}/authorization',
'class': Authorization,
'kwargs': {}
},
'token': {
'path': '{}/token',
'class': AccessToken,
'kwargs': {}
},
'userinfo': {
'path': '{}/userinfo',
'class': userinfo.UserInfo,
'kwargs': {'db_file': 'users.json'}
}
},
'client_authn': verify_client,
"authentication": [{
'acr': INTERNETPROTOCOLPASSWORD,
'name': 'NoAuthn',
'kwargs': {'user': '******'}
}],
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf, keyjar=KEYJAR)
endpoint_context.cdb['client_1'] = {
"client_secret": 'hemligt',
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
'token_endpoint_auth_method': 'client_secret_post',
'response_types': ['code', 'token', 'code id_token', 'id_token']
}
self.endpoint = userinfo.UserInfo(endpoint_context)
def test_get_sign_algorithm_3(self):
client_info = RegistrationResponse()
endpoint_context = EndpointContext(conf)
endpoint_context.jwx_def["signing_alg"] = {"id_token": "RS384"}
algs = get_sign_and_encrypt_algorithms(endpoint_context,
client_info,
"id_token",
sign=True)
# default signing alg
assert algs == {"sign": True, "encrypt": False, "sign_alg": "RS384"}
def test_get_sign_algorithm_4():
client_info = RegistrationResponse(id_token_signed_response_alg='RS512')
endpoint_context = EndpointContext(conf)
endpoint_context.jwx_def["signing_alg"] = {'id_token': 'RS384'}
algs = get_sign_and_encrypt_algorithms(endpoint_context,
client_info,
'id_token',
sign=True)
# default signing alg
assert algs == {'sign': True, 'encrypt': False, 'sign_alg': 'RS512'}
def test_capabilities_default():
endpoint_context = EndpointContext(conf, keyjar=KEYJAR)
assert set(endpoint_context.provider_info['response_types_supported']) == {
'code', 'token', 'id_token', 'code token', 'code id_token',
'id_token token', 'code token id_token', 'none'}
assert endpoint_context.provider_info[
"request_uri_parameter_supported"] is True
def create_cookie_dealer(self):
conf = {
"issuer":
"https://example.com/",
"password":
"******",
"token_expires_in":
600,
"grant_expires_in":
300,
"refresh_token_expires_in":
86400,
"verify_ssl":
False,
"endpoint": {},
"authentication": [{
'acr': INTERNETPROTOCOLPASSWORD,
'name': 'NoAuthn',
'kwargs': {
'user': '******'
}
}],
'template_dir':
'template'
}
endpoint_context = EndpointContext(conf, keyjar=KEYJAR)
self.cookie_dealer = CookieDealer(endpoint_context, 'kaka',
'https://example.com', 'op')
def init_oidc_op_endpoints(app):
_config = app.srv_config.op
_server_info_config = _config['server_info']
_kj_args = {
k: v
for k, v in _server_info_config['jwks'].items() if k != 'uri_path'
}
_kj = init_key_jar(**_kj_args)
iss = _server_info_config['issuer']
# make sure I have a set of keys under my 'real' name
_kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss)
try:
_kj.verify_ssl = _config['server_info']['verify_ssl']
except KeyError:
pass
endpoint_context = EndpointContext(_server_info_config,
keyjar=_kj,
cwd=folder)
for endp in endpoint_context.endpoint.values():
p = urlparse(endp.endpoint_path)
_vpath = p.path.split('/')
if _vpath[0] == '':
endp.vpath = _vpath[1:]
else:
endp.vpath = _vpath
return endpoint_context
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {},
"jwks": {
"public_path": "jwks.json",
"key_defs": KEYDEFS,
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
}
self.endpoint_context = EndpointContext(conf)
self.endpoint = Endpoint(self.endpoint_context)
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"jwks": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"token": {
"path": "token",
"class": AccessToken,
"kwargs": {}
},
},
"template_dir": "template",
}
self.endpoint_context = EndpointContext(conf)
self.endpoint = self.endpoint_context.endpoint["provider_config"]
def init_oidc_op_endpoints(app):
_config = app.srv_config.op
_server_info_config = _config['server_info']
_kj_args = {
k: v
for k, v in _server_info_config['jwks'].items() if k != 'uri_path'
}
_kj = init_key_jar(**_kj_args)
iss = _server_info_config['issuer']
# make sure I have a set of keys under my 'real' name
_kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss)
endpoint_context = EndpointContext(_server_info_config,
keyjar=_kj,
cwd=folder)
# sort of backward but work so...
_kj.httpc_params = endpoint_context.httpc_params
for endp in endpoint_context.endpoint.values():
p = urlparse(endp.endpoint_path)
_vpath = p.path.split('/')
if _vpath[0] == '':
endp.vpath = _vpath[1:]
else:
endp.vpath = _vpath
return endpoint_context
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"webfinger": {
"path": ".well-known/webfinger",
"class": Discovery,
"kwargs": {"client_authn_method": None},
}
},
"jwks": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"template_dir": "template",
}
endpoint_context = EndpointContext(conf)
self.endpoint = endpoint_context.endpoint["webfinger"]
def test_capabilities_subset1():
_cnf = copy(conf)
_cnf["capabilities"] = {"response_types_supported": "code"}
endpoint_context = EndpointContext(_cnf)
assert endpoint_context.provider_info["response_types_supported"] == [
"code"
]
def test_capabilities_subset2():
_cnf = copy(conf)
_cnf["capabilities"] = {"response_types_supported": ["code", "id_token"]}
endpoint_context = EndpointContext(_cnf)
assert set(endpoint_context.provider_info["response_types_supported"]) == {
"code",
"id_token",
}
def test_capabilities_no_support():
_cnf = copy(conf)
_cnf["id_token"]["kwargs"] = {
"id_token_signing_alg_values_supported": "RC4"
}
with pytest.raises(ValueError):
EndpointContext(_cnf)
_cnf["id_token"]["kwargs"] = {}
def test_capabilities_bool():
_cnf = copy(conf)
_cnf["endpoint"]["authorization_endpoint"]["kwargs"] = {
"request_uri_parameter_supported": False
}
endpoint_context = EndpointContext(_cnf)
assert endpoint_context.provider_info[
"request_uri_parameter_supported"] is False
def create_idtoken(self):
self.endpoint_context = EndpointContext(conf)
self.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
def create_endpoint_context(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {},
"jwks": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"authentication": {
"user": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": UserPassJinja2,
"verify_endpoint": "verify/user",
"kwargs": {
"template": "user_pass.jinja2",
"sym_key": "24AA/LR6HighEnergy",
"db": {
"class": JSONDictDB,
"kwargs": {
"json_path": full_path("passwd.json")
},
},
"page_header": "Testing log in",
"submit_btn": "Get me in!",
"user_label": "Nickname",
"passwd_label": "Secret sauce",
},
},
"anon": {
"acr": UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
},
},
},
"cookie_dealer": {
"class": "oidcendpoint.cookie.CookieDealer",
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"default_values": {
"name": "oidc_op",
"domain": "example.com",
"path": "/",
"max_age": 3600,
},
},
},
"template_dir": "template",
}
self.endpoint_context = EndpointContext(conf)
def test_capabilities_subset1():
_cnf = copy(conf)
_cnf["endpoint"]["authorization_endpoint"]["kwargs"] = {
"response_types_supported": ["code"]
}
endpoint_context = EndpointContext(_cnf)
assert endpoint_context.provider_info["response_types_supported"] == [
"code"
]
def test_no_default_encrypt_algorithms():
client_info = RegistrationResponse()
endpoint_context = EndpointContext(conf)
with pytest.raises(UnknownAlgorithm):
get_sign_and_encrypt_algorithms(endpoint_context,
client_info,
'id_token',
sign=True,
encrypt=True)
def create_endpoint_context(self):
self.endpoint_context = EndpointContext({
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_DB
}
},
"password": "******",
"issuer": "https://example.com/op",
"token_expires_in": 900,
"grant_expires_in": 600,
"refresh_token_expires_in": 86400,
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
},
"jwks": {
"public_path": "jwks.json",
"key_defs": KEYDEFS,
"uri_path": "static/jwks.json",
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
})
def test_get_sign_algorithm():
client_info = RegistrationResponse()
endpoint_context = EndpointContext(conf)
algs = get_sign_and_encrypt_algorithms(endpoint_context,
client_info,
'id_token',
sign=True)
# default signing alg
assert algs == {'sign': True, 'encrypt': False, 'sign_alg': 'RS256'}
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"jwks": {
"key_defs": KEYDEFS,
"uri_path": "static/jwks.json"
},
"endpoint": {
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {
"client_auth_method": None
},
},
"registration_api": {
"path": "registration_api",
"class": RegistrationRead,
"kwargs": {
"client_authn_method": ["bearer_header"]
},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "token",
"class": AccessToken,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {
"path": "userinfo",
"class": UserInfo,
"kwargs": {}
},
},
"template_dir": "template",
}
endpoint_context = EndpointContext(conf)
self.registration_endpoint = endpoint_context.endpoint["registration"]
self.registration_api_endpoint = endpoint_context.endpoint[
"registration_read"]
def test_get_sign_algorithm_2(self):
client_info = RegistrationResponse(
id_token_signed_response_alg="RS512")
endpoint_context = EndpointContext(conf)
algs = get_sign_and_encrypt_algorithms(endpoint_context,
client_info,
"id_token",
sign=True)
# default signing alg
assert algs == {"sign": True, "encrypt": False, "sign_alg": "RS512"}
def test_no_default_encrypt_algorithms(self):
client_info = RegistrationResponse()
endpoint_context = EndpointContext(conf)
args = get_sign_and_encrypt_algorithms(endpoint_context,
client_info,
"id_token",
sign=True,
encrypt=True)
assert args["sign_alg"] == "RS256"
assert args["enc_enc"] == "A128CBC-HS256"
assert args["enc_alg"] == "RSA1_5"
def test_capabilities_default():
endpoint_context = EndpointContext(conf)
assert set(endpoint_context.provider_info["response_types_supported"]) == {
"code",
"token",
"id_token",
"code token",
"code id_token",
"id_token token",
"code id_token token",
}
assert endpoint_context.provider_info[
"request_uri_parameter_supported"] is True
def test_setup_session():
endpoint_context = EndpointContext(conf)
uid = "_user_"
client_id = "EXTERNAL"
areq = None
acr = None
sid = setup_session(endpoint_context,
areq,
uid,
client_id,
acr,
salt="salt")
assert sid
def create_endpoint(self):
conf = {
"issuer": ENTITY_ID,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
'keys': {
'key_defs': KEYSPEC
},
"endpoint": {},
"jwks": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json"
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf)
self.endpoint = ProviderConfiguration(endpoint_context)
# === Federation stuff =======
fe_conf = {'keys': {'key_defs': KEYSPEC}}
federation_entity = FederationEntity(
ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints={'https://ntnu.no': ['https://feide.no']},
httpd=Publisher(ROOT_DIR),
config=fe_conf,
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
federation_entity.collector = DummyCollector(httpd=Publisher(
os.path.join(BASE_PATH, 'data')),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.fedent = federation_entity
self.endpoint.endpoint_context.federation_entity = federation_entity
def test_sub_minting_class():
conf["sub_func"] = {"public": {"class": SubMinter}}
endpoint_context = EndpointContext(conf)
uid = "_user_"
client_id = "EXTERNAL"
areq = None
acr = None
sid = setup_session(endpoint_context,
areq,
uid,
client_id,
acr,
salt="salt")
assert endpoint_context.sdb[sid]["sub"] == uid
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"jwks": {
'url_path': '{}/jwks.json',
'local_path': 'static/jwks.json',
'private_path': 'own/jwks.json'
},
'endpoint': {
'provider_config': {
'path': '{}/.well-known/openid-configuration',
'class': ProviderConfiguration,
'kwargs': {}
},
'registration': {
'path': '{}/registration',
'class': Registration,
'kwargs': {}
},
'authorization': {
'path': '{}/authorization',
'class': Authorization,
'kwargs': {}
},
'token': {
'path': '{}/token',
'class': AccessToken,
'kwargs': {}
},
'userinfo': {
'path': '{}/userinfo',
'class': userinfo.UserInfo,
'kwargs': {
'db_file': 'users.json'
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf, keyjar=KEYJAR)
self.endpoint = Registration(endpoint_context)
def test_collect_user_info():
_session_info = {'authn_req': OIDR}
session = _session_info.copy()
session['sub'] = 'doe'
session['uid'] = 'diana'
session['authn_event'] = create_authn_event('diana', 'salt')
endpoint_context = EndpointContext({
'userinfo': {
'class': UserInfo,
'kwargs': {
'db': USERINFO_DB
}
},
'password':
"******",
'issuer':
'https://example.com/op',
'token_expires_in':
900,
'grant_expires_in':
600,
'refresh_token_expires_in':
86400,
"endpoint": {},
"authentication": [{
'acr': INTERNETPROTOCOLPASSWORD,
'name': 'NoAuthn',
'kwargs': {
'user': '******'
}
}],
'template_dir':
'template'
})
res = collect_user_info(endpoint_context, session)
assert res == {
'given_name': 'Diana',
'nickname': 'Dina',
'sub': 'doe',
'email': '*****@*****.**',
'email_verified': False
}
