def to_prr(self, request, ressrv): """ Trying to register a permission for an unknown resource set will fail :param request: JSON encoded permission request or list of permission requests :param ressrv: Client id of the resource server """ decoded_req = json.loads(request) pr_req = [] adb = self.get_adb(ressrv) if isinstance(decoded_req, list): for item in decoded_req: if item['resource_set_id'] in adb.resource_set.rsid2oid: pr_req.append(PermissionRegistrationRequest(**item)) else: logger.warning( 'Trying to register permission for unknown resource set' ) else: if decoded_req['resource_set_id'] in adb.resource_set.rsid2oid: pr_req.append(PermissionRegistrationRequest(**decoded_req)) else: logger.warning( 'Trying to register permission for unknown resource set') return pr_req
def test_requestor(self): prreq = PermissionRegistrationRequest(resource_set_id='1', scopes=[READ]) self.pr['ticket1'] = [prreq] prreq = PermissionRegistrationRequest(resource_set_id='2', scopes=[READ, WRITE]) self.pr['ticket2'] = [prreq] assert self.pr.len() == 2 assert _eq(set(self.pr.keys()), {'ticket1', 'ticket2'}) self.pr.bind_requestor_to_ticket('requestor', 'ticket1') assert self.pr.requestor2tickets('requestor') == ['ticket1'] assert self.pr.rsid2requestor('1') == ['requestor'] self.pr.bind_requestor_to_ticket('requestor', 'ticket2') assert _eq(self.pr.requestor2tickets('requestor'), ['ticket1', 'ticket2']) assert self.pr.rsid2requestor('2') == ['requestor'] del self.pr['ticket1'] assert self.pr.requestor2tickets('requestor') == ['ticket2']
def add_request(self, ticket, req): """ :param req: The Permission Registration Request as a JSON encoded string Note that the request can be a list of requests. """ decoded_req = json.loads(req) if isinstance(decoded_req, list): prr_req = [] for item in decoded_req: prr_req.append(PermissionRegistrationRequest(**item)) self.request[ticket] = prr_req else: self.request[ticket] = [ PermissionRegistrationRequest(**decoded_req) ]
def test_simple(self): prreq = PermissionRegistrationRequest(resource_set_id='1', scopes=[READ]) self.pr['ticket'] = [prreq] _prreq = self.pr['ticket'] assert [prreq] == _prreq assert list(self.pr.keys()) == ['ticket'] assert self.pr.ticket2rsid('ticket') == ['1'] req = self.pr.rsid2requests('1') assert list(req.keys()) == ['ticket'] assert req['ticket'] == [prreq] del self.pr['ticket'] try: self.pr['ticket'] except KeyError: pass else: assert False assert self.pr.len() == 0 assert list(self.pr.keys()) == []
def test_senario_1(): # create ADB instance adb = ADB(KEYJAR, 3600, issuer, RESSRV, RSR_PATH) # register resource set rsd = ResourceSetDescription(name='foo', scopes=[READ, WRITE]) status = adb.resource_set.create(rsd.to_json(), 'alice') rsid = status['_id'] # assume no authorization decisions has been made # accessing a resource set will eventually result in a ticket being issued prreq = PermissionRegistrationRequest(resource_set_id=rsid, scopes=[READ]) ticket = adb.ticket_factory.pack(aud=['client_id']) adb.permission_requests[ticket] = [prreq] # Still no authz dec. So this should fail try: adb.issue_rpt(ticket, {'sub': 'roger'}) except TicketError as err: assert err.typ == 'not_authorized' else: assert False # Authz dec made permission = { 'resource_set_id': rsid, 'scopes': [READ], 'require': { 'sub': 'roger' } } pid = adb.store_permission(permission, 'alice') # Get an RPT. This should now work rpt = adb.issue_rpt(ticket, {'sub': 'roger'}) assert rpt # later use the RPT, turn into authz descriptions ad = adb.introspection(rpt) assert len(ad) == 1 assert ad[0]['resource_set_id'] == rsid assert ad[0]['scopes'] == [READ] # Get an RPT. This should not work since the ticket is 'one time use' try: adb.issue_rpt(ticket, {'sub': 'roger'}) except TicketError as err: assert err.typ == 'invalid' else: assert False # The authz on which issuing the RPT is based is removed adb.remove_permission('alice', pid=pid) # Now introspections should fail assert adb.introspection(rpt) == []
def test_rpt_endpoint(self): """ A couple of things have to happen before any action can occur on the rpt endpoint. 1. registration of Resource set 2. Registration of a permission request 3. Registration of an authorization """ # (1) register resource set read_write = [SCOPES[s] for s in ['read', 'write']] rsd = ResourceSetDescription(name='foo', scopes=read_write) resp = self.uas.resource_set_registration_endpoint_( "alice", RSR_PATH, method="POST", body=rsd.to_json(), client_id="12345678") rsid = StatusResponse().from_json(resp.message)['_id'] # (2) register a permission request read_write = [SCOPES[s] for s in ['read', 'write']] perm_reg = PermissionRegistrationRequest(resource_set_id=rsid, scopes=read_write) resp = self.uas.permission_registration_endpoint_( owner="alice", request=perm_reg.to_json(), client_id="12345678") assert isinstance(resp, Created) ticket = json.loads(resp.message)['ticket'] # (3) registration of authorization permission = {'resource_set_id': rsid, 'scopes': read_write, 'require': {'sub': 'roger'}} adb = self.uas.get_adb("12345678") adb.store_permission(permission, 'alice') # Get an RPT. This should work req = AuthorizationDataRequest(ticket=ticket) resp = self.uas.rpt_endpoint_('roger', '12345678', request=req.to_json()) assert resp
def create_permission_request(self, operation, uid, query): res_set = self.rs_handler.query2permission_registration_request_primer( operation, uid, query) pre_rpp = [(self.rs_handler.rsd_map[lid]['_id'], [scope]) for lid, scope in res_set] prrs = [] for rsid, scopes in pre_rpp: prrs.append(PermissionRegistrationRequest(resource_set_id=rsid, scopes=scopes).to_dict()) return prrs
def test_inital_add(): uas = UmaAS() data = ResourceSetDescription(name="stuff", scopes=ALL).to_json() resp = uas.resource_set_registration_endpoint_("alice", RSR_PATH, method="POST", body=data, client_id="12345678", if_match="xyzzy") _stat = StatusResponse().from_json(resp.message) rsid = _stat["_id"] headers = dict(resp.headers) assert headers["Location"] == "/{}/{}".format(RSR_PATH, rsid) read_write = [SCOPES["read"], SCOPES["write"]] uas.permission_registration_endpoint_("alice", request=PermissionRegistrationRequest( resource_set_id=rsid, scopes=read_write).to_json()) uas.store_permission("alice", "roger", {rsid: read_write}) scopes, ts = uas.read_permission("alice", "roger", rsid) assert _eq(scopes, read_write)
def test_permission_registration_endpoint(self): data = ResourceSetDescription(name="stuff", scopes=ALL).to_json() # Register a resource set resp = self.uas.resource_set_registration_endpoint_( "alice", RSR_PATH, method="POST", body=data, client_id="12345678", if_match="xyzzy") rsid = StatusResponse().from_json(resp.message)['_id'] read_write = [SCOPES[s] for s in ['read', 'write']] perm_reg = PermissionRegistrationRequest(resource_set_id=rsid, scopes=read_write) resp = self.uas.permission_registration_endpoint_( owner="alice", request=perm_reg.to_json(), client_id="12345678") assert isinstance(resp, Created) # Trying to register a request with an unknown rsid perm_reg = PermissionRegistrationRequest( resource_set_id='0987654321', scopes=read_write) resp = self.uas.permission_registration_endpoint_( owner="alice", request=perm_reg.to_json(), client_id="12345678") assert isinstance(resp, BadRequest)
# set permissions such that the request below succeeds owner = safe_name(RESOURCE_OWNER, ressrv.client.client_id) for rsid, scopes in pre_rpp: authzsrv.permit.set_permit(owner, REQUESTOR, rsid, scopes) # ----------------------------------------------------------------------------- # The client does a first attempt at getting information from the RS # (not shown here) but without a RPT it only gets information about where # the AS is. # The RS on the other hand registers the necessary permission at the AS prrs = [] for rsid, scopes in pre_rpp: prrs.append( PermissionRegistrationRequest(resource_set_id=rsid, scopes=scopes).to_dict()) pat = ressrv.rs_handler.token['PAT'] resp = authzsrv.permission_registration_endpoint(json.dumps(prrs), 'Bearer {}'.format(pat)) assert resp.status == "201 Created" ticket = PermissionRegistrationResponse().from_json(resp.message)["ticket"] # ============================== 4 =========================================== # Crank up the client such that the relationship with the AS can be # settled. CLI_PORT = 8090 CLI_BASE = "https://localhost:%s" % CLI_PORT
rtr = RPTResponse().from_json(resp.message) _uma_client.token[USER]["RPT"] = rtr["rpt"] # Client tries to grab some info using the RPT as authn information # => fails the Resource server registers authz request # Introspection reveals no permissions are bound to the RPT ir = introspect(_uma_client, ressrv, authzsrv) assert ir["active"] is True assert "permissions" not in ir # The RS registers an Authorization request REQ_SCOPES = ["http://its.umu.se/uma/attr/displayName"] prr = PermissionRegistrationRequest(resource_set_id=_rsid, scopes=REQ_SCOPES) client, url, ht_args = ressrv.register_init(RESOURCE_OWNER, "permission_registration_endpoint", prr, _rsid) authninfo = ht_args["headers"]["Authorization"] permresp = authzsrv.permission_registration_endpoint(prr.to_json(), authninfo) created = PermissionRegistrationResponse().from_json(permresp.message) _, kwargs = _uma_client.create_authorization_data_request(USER, created["ticket"]) request = kwargs["data"] authn_info = kwargs["headers"]["Authorization"] res = authzsrv.authorization_request_endpoint(request, authn_info)
request_args = {"access_token": pat} ht_args = client_x.client_authn_method["bearer_header"](ressrv).construct( ir, request_args=request_args) resp = authzsrv.introspection_endpoint(ir.to_json(), ht_args["headers"]["Authorization"]) ir = IntrospectionResponse().from_json(resp.message) assert ir["active"] is True assert "permissions" not in ir # The RS registers an Authorization request REQ_SCOPES = ["http://its.umu.se/uma/attr/displayName"] prr = PermissionRegistrationRequest(resource_set_id=_rsid, scopes=REQ_SCOPES) client, url, ht_args = ressrv.register_init( RESOURCE_OWNER, "permission_registration_endpoint", prr, _rsid) authninfo = ht_args["headers"]["Authorization"] permresp = authzsrv.permission_registration_endpoint(prr.to_json(), authninfo) created = PermissionRegistrationResponse().from_json(permresp.message) _, kwargs = _uma_client.create_authorization_data_request( USER, created["ticket"]) request = kwargs["data"] authn_info = kwargs["headers"]["Authorization"] res = authzsrv.authorization_request_endpoint(request, authn_info) assert res.status == "200 OK"