コード例 #1
0
ファイル: authzsrv.py プロジェクト: simudream/pyuma
    def __init__(self, configuration=None, baseurl=""):

        self.conf_info = configuration or {}
        self.resource_set = MemResourceSetDB()
        self.rpt = {}
        self.baseurl = baseurl
        if not self.baseurl.endswith("/"):
            self.baseurl += "/"
        self.session = Session()
        self.permit = Permission()
        self.permission_requests = PermissionRequests()
        self.map_rsid_id = {}
        self.map_id_rsid = {}
        self.map_user_id = {}
        self.eid2rpt = {}
        self.get_requester = get_requester
コード例 #2
0
ファイル: authzsrv.py プロジェクト: simudream/pyuma
    def __init__(self, configuration=None, baseurl=""):

        self.conf_info = configuration or {}
        self.resource_set = MemResourceSetDB()
        self.rpt = {}
        self.baseurl = baseurl
        if not self.baseurl.endswith("/"):
            self.baseurl += "/"
        self.session = Session()
        self.permit = Permission()
        self.permission_requests = PermissionRequests()
        self.map_rsid_id = {}
        self.map_id_rsid = {}
        self.map_user_id = {}
        self.eid2rpt = {}
        self.get_requester = get_requester
コード例 #3
0
ファイル: authzsrv.py プロジェクト: simudream/pyuma
class UmaAS(object):
    endp = [
        AuthorizationEndpoint,
        DynamicClientEndpoint,
        IntrospectionEndpoint,
        PermissionRegistrationEndpoint,
        RequestingPartyClaimsEndpoint,
        ResourceSetRegistrationEndpoint,
        RPTEndpoint,
        TokenEndpoint,
        ClientInfoEndpoint,
    ]

    def __init__(self, configuration=None, baseurl=""):

        self.conf_info = configuration or {}
        self.resource_set = MemResourceSetDB()
        self.rpt = {}
        self.baseurl = baseurl
        if not self.baseurl.endswith("/"):
            self.baseurl += "/"
        self.session = Session()
        self.permit = Permission()
        self.permission_requests = PermissionRequests()
        self.map_rsid_id = {}
        self.map_id_rsid = {}
        self.map_user_id = {}
        self.eid2rpt = {}
        self.get_requester = get_requester

    def endpoints(self):
        for endp in self.endp:
            yield endp(None).name

    def services(self):
        for endp in self.endp:
            yield endp.etype

    # def rpt_endpoint_(self, requestor, client_id, **kwargs):
    # """
    # The endpoint URI at which the client asks the authorization server for
    # a RPT.
    #     """
    #     #res = self.client_authentication(authn)
    #     #if isinstance(res, Response):
    #     #    return res
    #
    #     # create RPT, just overwrites whatever was there before
    #     rpt = rndstr(32)
    #     self.rpt[rpt] = {"requestor": requestor, "client_id": client_id}
    #     self.session.set(rpt)
    #
    #     msg = RPTResponse(rpt=rpt)
    #     return Response(msg.to_json(), content="application/json")

    def resource_set_registration_endpoint_(self, entity, path, method, client_id, body="", if_match="", **kwargs):
        """
        The endpoint at which the resource server handles resource sets
        descriptions.

        :param entity: The entity that controls the resource set
        :param path:
        :param method: HTTP method
        :param body: The resource set registration message
        :paran client_id: Which client I'm talking to
        :param if_match: The HTTP If-Match header if any
        :param kwargs: possible other arguments
        :returns: A Response instance
        """

        # path should be /resource_set/{rsid} or /resource_set
        # Path may or may not start with '/'
        if path.startswith("/"):
            assert path[1:].startswith(RSR_PATH)
            rsid = path[PLEN + 1 :]
        else:
            assert path.startswith(RSR_PATH)
            rsid = path[PLEN:]

        if rsid.startswith("/"):
            rsid = rsid[1:]

        _user = safe_name(entity, client_id)
        logger.debug("handling resource set belonging to '%s'" % _user)
        #  self.resource_set.set_collection(_user)
        if method == "POST":  # create
            args = {"oid": _user, "data": body}
            func = self.resource_set.create
        elif method == "PUT":  # update
            args = {
                "oid": _user,
                "data": body,
                "rsid": rsid,
                # "if_match": if_match
            }
            func = self.resource_set.update
        elif method == "GET":
            args = {"oid": _user}
            if not rsid:  # List
                func = self.resource_set.list
            else:  # Read
                func = self.resource_set.read
                args["rsid"] = rsid
        elif method == "DELETE":
            args = {"rsid": rsid, "oid": _user}
            func = self.resource_set.delete
        else:
            return BadRequest("Message error")

        logger.debug("operation: %s" % func)
        logger.debug("operation args: %s" % (args,))
        try:
            body = func(**args)
        except MessageException as err:
            _err = ErrorResponse(error="invalid_request", error_description=str(err))
            response = BadRequest(_err.to_json(), content="application/json")
        except UnknownObject:
            _err = ErrorResponse(error="not_found")
            response = NotFound(_err.to_json(), content="application/json")
        else:
            response = None
            if isinstance(body, ErrorResponse):
                pass
            else:
                if func == self.resource_set.delete:
                    # As a side effect all permissions assigned that references
                    # this resource set should be deleted
                    self.permit.delete_permit_by_resource_id(entity, rsid)
                    response = NoContent()
                elif func == self.resource_set.create:
                    _etag = self.resource_set.etag[body["_id"]]
                    response = Created(
                        body.to_json(),
                        content="application/json",
                        headers=[("ETag", _etag), ("Location", "/{}/{}".format(RSR_PATH, body["_id"]))],
                    )
                elif func == self.resource_set.update:
                    _etag = self.resource_set.etag[body["_id"]]
                    response = NoContent(content="application/json", headers=[("ETag", _etag)])
                elif func == self.resource_set.list:
                    response = Response(json.dumps(body))

            if not response:
                response = Response(body.to_json(), content="application/json")

        return response

    def _collapse(self, items):
        referenced = {}
        ibrsid = {}
        for item in items:
            try:
                for rsid in item["subsets"]:
                    if rsid not in referenced:
                        referenced[rsid] = 1
                    else:
                        referenced[rsid] += 1
            except KeyError:
                pass

            _rsid = self.map_id_rsid[item["_id"]]
            if _rsid not in referenced:
                referenced[_rsid] = 0
            ibrsid[_rsid] = item

        res = []
        for key, val in list(referenced.items()):
            if val == 0:
                res.append(ibrsid[key])

        return res

    def resource_sets_by_user(self, entity, client_id, collapse=False):
        """
        :param entity: The entity for which resource set descriptions has been
            registered.
        :return: A list of ResourceSetDescriptions
        """
        res = []
        _user = safe_name(entity, client_id)
        try:
            rss = self.resource_set.list(_user)
        except KeyError:
            return []

        for _id in rss:
            try:
                res.append(self.resource_set.read(_user, _id))
            except Exception:
                raise

        if collapse:
            res = self._collapse(res)

        return res

    # def resource_set_tree_by_rsid(self, owner, rsid):
    #     rs = self.resource_set.read(owner, rsid)
    #     _name = rs["name"].split("/")[-1]
    #     try:
    #         _rsids = rs["subsets"]
    #     except KeyError:
    #         return rsid, _name
    #     else:
    #         res = {}
    #         for _rsid in _rsids:
    #             _rs = self.resource_set_tree_by_rsid(owner, _rsid)
    #             try:
    #                 res.update(_rs)
    #             except ValueError:
    #                 try:
    #                     res.append(_rs)
    #                 except AttributeError:
    #                     res = [_rs]
    #
    #         return {(rsid, _name): res}
    #
    # def resource_set_name(self, rsid):
    #     rs = self.resource_set.read(self.map_rsid_id[rsid])
    #     return rs["name"]

    def permits_by_user(self, owner):
        """
        :param owner: The owner of the resource
        :return: A dictionary with requestors as keys and permissions as values
        """
        return self.permit.get_permits(owner)

    def authz_session_info(self, token):
        pass

    def introspection_endpoint_(self, entity, **kwargs):
        """
        The endpoint URI at which the resource server introspects an RPT
        presented to it by a client.
        """

        request = kwargs["request"]
        logger.debug("requestor: %s, request: %s" % (entity, request))
        ir = IntrospectionRequest().from_json(request)
        owner = safe_name(entity, kwargs["client_id"])
        try:
            try:
                # requestor = self.rpt[ir["token"]]["requestor"]
                perms = self.permit.get_accepted(owner, ir["token"])
            except KeyError:
                response = BadRequest()
            else:
                if perms:
                    irep = IntrospectionResponse(active=True, exp=perms[0]["exp"], permissions=perms)
                    logger.debug("response: %s" % irep.to_json())
                    response = Response(irep.to_json(), content="application/json")
                else:
                    logger.info("No permissions bound to this RPT")
                    response = BadRequest()
        except ToOld:
            logger.info("RPT expired")
            irep = IntrospectionResponse(valid=False)
            response = Response(irep.to_json(), content="application/json")
        except KeyError:
            response = BadRequest()

        return response

    def permission_registration_endpoint_(self, entity, **kwargs):
        """
        The endpoint URI at which the resource server registers a
        client-requested permission with the authorization server.
        This is a proposed permission waiting for the user to accept it.
        """
        request = kwargs["request"]
        _ticket = rndstr(24)
        logging.debug("Registering permission request: %s" % request)
        resp = PermissionRegistrationResponse(ticket=_ticket)
        self.permission_requests.add_request(_ticket, request)

        return Created(resp.to_json(), content="application/json")

    def requesting_party_claims_endpoint(self, request="", **kwargs):
        """
        The endpoint at which the resource server gathers the consent of
        the end-user resource owner or the client gathers the consent of the
        end-user requesting party, if the "authorization_code" grant type is
        used.
        """
        pass

    def dynamic_client_endpoint(self, request="", **kwargs):
        pass

    def token_endpoint(self, request="", **kwargs):
        pass

    def authorization_endpoint(self, request="", **kwargs):
        pass

    @staticmethod
    def token_scope_check(areq, info):
        """
        verifies that the scope that is demanded for the access token is
        one that I'm comfortable with.

        :param areq: AccessTokenRequest
        :param info: What's in the session db
        :return: None if OK otherwise and error response.
        """
        try:
            assert areq["scope"] in info["scope"]
        except AssertionError:
            logger.error("Not the same scope as for the AuthzRequest")
            err = TokenErrorResponse(error="invalid_scope")
            return Response(err.to_json(), content="application/json")

        try:
            assert areq["scope"] in list(UMA_SCOPE.values())
        except AssertionError:
            logger.error("Asked for scope which I don't deal with")
            err = TokenErrorResponse(error="invalid_scope")
            return Response(err.to_json(), content="application/json")

        return None

    def create_uma_providerinfo(self, pcr_class=ProviderConfiguration):
        kwargs = dict([(k, v) for k, v in list(self.conf_info.items()) if k in pcr_class.c_param])
        _response = pcr_class(**kwargs)

        for endp in UmaAS.endp:
            _response.update(endpoint_ava(endp, self.baseurl))

        logger.debug("provider_info_response: %s" % (_response.to_dict(),))
        return _response

    # noinspection PyUnusedLocal
    def providerinfo_endpoint_(self, handle="", **kwargs):
        logger.debug("@providerinfo_endpoint")
        try:
            _response = self.create_uma_providerinfo()

            headers = [("Cache-Control", "no-store"), ("x-ffo", "bar")]
            # if handle:
            #     (key, timestamp) = handle
            #     if key.startswith(STR) and key.endswith(STR):
            #         cookie = self.cookie_func(key, self.cookie_name, "pinfo",
            #                                   self.sso_ttl)
            #         headers.append(cookie)

            resp = Response(_response.to_json(), content="application/json", headers=headers)
        except Exception as err:
            message = traceback.format_exception(*sys.exc_info())
            logger.error(message)
            resp = Response(message, content="html/text")

        return resp

    def get_subsets(self, owner, requestor, scopes):
        res = {}
        try:
            permits = self.permit.get_permit_by_requestor(owner, requestor)
        except KeyError:
            return res

        for permit, (_scopes, time_stamp) in list(permits.items()):
            _scs = []
            for scope in scopes:
                try:
                    assert scope in _scopes
                except AssertionError:
                    pass
                else:
                    _scs.append(scope)
            if _scs:
                res[permit] = _scs
        return res

    def register_permission(self, owner, rpt, rsid, scopes):
        now = utc_time_sans_frac()
        perm = AuthzDescription(resource_set_id=rsid, scopes=scopes, exp=now + self.session.lifetime, iat=now)

        self.permit.set_accepted(owner, rpt, perm)

    def rpt_endpoint_(self, entity, client_id, **kwargs):
        """
        Registers an Authorization Description

        :param entity: Who's on the other side
        :param client_id: The UMA client
        :return: A Response instance
        """

        adr = AuthorizationDataRequest().from_json(kwargs["request"])

        # Get request permission that the resource server has registered
        try:
            prr_list = self.permission_requests.get_request(adr["ticket"])
        except KeyError:
            errmsg = ErrorResponse(error="invalid_ticket")
            return BadRequest(errmsg.to_json(), content="application/json")

        self.permission_requests.del_request(adr["ticket"])
        try:
            _rpt = adr["rpt"]
        except KeyError:
            _rpt = rndstr(32)

        for prr in prr_list:
            _rsid = prr["resource_set_id"]

            # Verify that the scopes are defined for the resource set
            owner = self.resource_set.rsid2oid[_rsid]
            rsd = self.resource_set.read(owner, _rsid)
            for scope in prr["scopes"]:
                try:
                    assert scope in rsd["scopes"]
                except AssertionError:
                    errmsg = ErrorResponse(error="not_authorized", error_description="Undefined scopes")
                    return BadRequest(errmsg.to_json(), content="application/json")

            # Is there any permissions registered by the owner, if so verify
            # that it allows what is requested. Return what is allowed !

            try:
                allow_scopes, timestamp = self.permit.get_permit(owner, entity, _rsid)
            except KeyError:  #
                errmsg = ErrorResponse(error="not_authorized", error_description="No permission given")
                return BadRequest(errmsg.to_json(), content="application/json")
            else:
                _scopes = []
                for scope in prr["scopes"]:
                    try:
                        assert scope in allow_scopes
                    except AssertionError:
                        pass
                    else:
                        _scopes.append(scope)

                # bind _requester to specific RPT for this user
                try:
                    self.eid2rpt[owner][entity] = _rpt
                except KeyError:
                    self.eid2rpt[owner] = {entity: _rpt}

                self.register_permission(owner, _rpt, _rsid, _scopes)

        rsp = AuthorizationDataResponse(rpt=_rpt)

        return Response(rsp.to_json())

    def name2id(self, owner, requestor, rsid):
        _user = safe_name(owner, requestor)
        obj = self.resource_set.read(_user, rsid)
        return obj["_id"]

    def remove_permission(self, owner, requestor, resource_name):
        """
        :param owner: The resource owner
        :param requestor: The SP entity ID
        :param resource_name: The name of the resource set
        """
        _id = self.name2id(owner, requestor, resource_name)

        try:
            self.permit.delete_permit(owner, requestor, _id)
        except KeyError:
            pass

        try:
            _user = "******" % (owner, requestor)
            rm_rpt = self.permit.rm_accepted(_user, _id)
        except KeyError:
            pass
        else:
            for _rpt in rm_rpt:
                # immediate expiration
                self.session.update(_rpt, expires_at=0)

    def store_permission(self, user, requestor, rsids):
        """
        :param user: The resource owner
        :param requestor: The requestor ID
        :param rsids: dictionary with Resource set IDs as keys and scopes
            as values
        """

        logger.info("store: (%s, %s, %s)" % (user, requestor, rsids))

        present = self.permit.get_rsid_permits(user, requestor)
        _new = [k for k in list(rsids.keys()) if k not in present]
        _user = safe_name(user, requestor)
        for rsid in _new:
            scopes = rsids[rsid]
            if scopes is None:
                rs = self.resource_set.read(_user, rsid)
                scopes = rs["scopes"]
            self.permit.set_permit(user, requestor, rsid, scopes)

        _rem = [k for k in present if k not in rsids]
        for rsid in _rem:
            self.permit.delete_permit(user, requestor, rsid)

    def read_permission(self, user, requestor, rsid):
        return self.permit.get_permit(user, requestor, rsid)

    def rec_rm_permission(self, user, requestor, rsid):
        """
        If the resource set is a complex set, remove all subset permissions
        :param user: The owner of the resource
        :param requestor: Who the permission is applying to
        :param rsid: The resource set name
        """
        _user = safe_name(user, requestor)
        rs = self.resource_set.read(_user, rsid)
        if "subsets" in rs:
            for ss in rs["subsets"]:
                self.rec_rm_permission(user, requestor, ss)
        try:
            self.permit.delete_permit(user, requestor, rsid)
        except KeyError:
            pass

    def rm_permission(self, user, requestor, rsid):
        """
        If the resource set is a complex set, remove all subset permissions
        :param user: The owner of the resource
        :param requestor: Who the permission is applying to
        :param rsid: The resource set name
        """
        logger.info("remove: (%s, %s, %s)" % (user, requestor, rsid))
        self.rec_rm_permission(user, requestor, rsid)
        return True

    def rsid_permits(self, user, requestor):
        return self.permit.get_rsid_permits(user, requestor)
コード例 #4
0
ファイル: authzsrv.py プロジェクト: simudream/pyuma
class UmaAS(object):
    endp = [
        AuthorizationEndpoint, DynamicClientEndpoint, IntrospectionEndpoint,
        PermissionRegistrationEndpoint, RequestingPartyClaimsEndpoint,
        ResourceSetRegistrationEndpoint, RPTEndpoint, TokenEndpoint,
        ClientInfoEndpoint
    ]

    def __init__(self, configuration=None, baseurl=""):

        self.conf_info = configuration or {}
        self.resource_set = MemResourceSetDB()
        self.rpt = {}
        self.baseurl = baseurl
        if not self.baseurl.endswith("/"):
            self.baseurl += "/"
        self.session = Session()
        self.permit = Permission()
        self.permission_requests = PermissionRequests()
        self.map_rsid_id = {}
        self.map_id_rsid = {}
        self.map_user_id = {}
        self.eid2rpt = {}
        self.get_requester = get_requester

    def endpoints(self):
        for endp in self.endp:
            yield endp(None).name

    def services(self):
        for endp in self.endp:
            yield endp.etype

    # def rpt_endpoint_(self, requestor, client_id, **kwargs):
    # """
    # The endpoint URI at which the client asks the authorization server for
    # a RPT.
    #     """
    #     #res = self.client_authentication(authn)
    #     #if isinstance(res, Response):
    #     #    return res
    #
    #     # create RPT, just overwrites whatever was there before
    #     rpt = rndstr(32)
    #     self.rpt[rpt] = {"requestor": requestor, "client_id": client_id}
    #     self.session.set(rpt)
    #
    #     msg = RPTResponse(rpt=rpt)
    #     return Response(msg.to_json(), content="application/json")

    def resource_set_registration_endpoint_(self,
                                            entity,
                                            path,
                                            method,
                                            client_id,
                                            body="",
                                            if_match="",
                                            **kwargs):
        """
        The endpoint at which the resource server handles resource sets
        descriptions.

        :param entity: The entity that controls the resource set
        :param path:
        :param method: HTTP method
        :param body: The resource set registration message
        :paran client_id: Which client I'm talking to
        :param if_match: The HTTP If-Match header if any
        :param kwargs: possible other arguments
        :returns: A Response instance
        """

        # path should be /resource_set/{rsid} or /resource_set
        # Path may or may not start with '/'
        if path.startswith("/"):
            assert path[1:].startswith(RSR_PATH)
            rsid = path[PLEN + 1:]
        else:
            assert path.startswith(RSR_PATH)
            rsid = path[PLEN:]

        if rsid.startswith("/"):
            rsid = rsid[1:]

        _user = safe_name(entity, client_id)
        logger.debug("handling resource set belonging to '%s'" % _user)
        #  self.resource_set.set_collection(_user)
        if method == "POST":  # create
            args = {"oid": _user, "data": body}
            func = self.resource_set.create
        elif method == "PUT":  # update
            args = {
                "oid": _user,
                "data": body,
                "rsid": rsid,
                # "if_match": if_match
            }
            func = self.resource_set.update
        elif method == "GET":
            args = {"oid": _user}
            if not rsid:  # List
                func = self.resource_set.list
            else:  # Read
                func = self.resource_set.read
                args["rsid"] = rsid
        elif method == "DELETE":
            args = {"rsid": rsid, "oid": _user}
            func = self.resource_set.delete
        else:
            return BadRequest("Message error")

        logger.debug("operation: %s" % func)
        logger.debug("operation args: %s" % (args, ))
        try:
            body = func(**args)
        except MessageException as err:
            _err = ErrorResponse(error="invalid_request",
                                 error_description=str(err))
            response = BadRequest(_err.to_json(), content="application/json")
        except UnknownObject:
            _err = ErrorResponse(error="not_found")
            response = NotFound(_err.to_json(), content="application/json")
        else:
            response = None
            if isinstance(body, ErrorResponse):
                pass
            else:
                if func == self.resource_set.delete:
                    # As a side effect all permissions assigned that references
                    # this resource set should be deleted
                    self.permit.delete_permit_by_resource_id(entity, rsid)
                    response = NoContent()
                elif func == self.resource_set.create:
                    _etag = self.resource_set.etag[body["_id"]]
                    response = Created(body.to_json(),
                                       content="application/json",
                                       headers=[("ETag", _etag),
                                                ("Location", "/{}/{}".format(
                                                    RSR_PATH, body["_id"]))])
                elif func == self.resource_set.update:
                    _etag = self.resource_set.etag[body["_id"]]
                    response = NoContent(content="application/json",
                                         headers=[("ETag", _etag)])
                elif func == self.resource_set.list:
                    response = Response(json.dumps(body))

            if not response:
                response = Response(body.to_json(), content="application/json")

        return response

    def _collapse(self, items):
        referenced = {}
        ibrsid = {}
        for item in items:
            try:
                for rsid in item["subsets"]:
                    if rsid not in referenced:
                        referenced[rsid] = 1
                    else:
                        referenced[rsid] += 1
            except KeyError:
                pass

            _rsid = self.map_id_rsid[item["_id"]]
            if _rsid not in referenced:
                referenced[_rsid] = 0
            ibrsid[_rsid] = item

        res = []
        for key, val in list(referenced.items()):
            if val == 0:
                res.append(ibrsid[key])

        return res

    def resource_sets_by_user(self, entity, client_id, collapse=False):
        """
        :param entity: The entity for which resource set descriptions has been
            registered.
        :return: A list of ResourceSetDescriptions
        """
        res = []
        _user = safe_name(entity, client_id)
        try:
            rss = self.resource_set.list(_user)
        except KeyError:
            return []

        for _id in rss:
            try:
                res.append(self.resource_set.read(_user, _id))
            except Exception:
                raise

        if collapse:
            res = self._collapse(res)

        return res

    # def resource_set_tree_by_rsid(self, owner, rsid):
    #     rs = self.resource_set.read(owner, rsid)
    #     _name = rs["name"].split("/")[-1]
    #     try:
    #         _rsids = rs["subsets"]
    #     except KeyError:
    #         return rsid, _name
    #     else:
    #         res = {}
    #         for _rsid in _rsids:
    #             _rs = self.resource_set_tree_by_rsid(owner, _rsid)
    #             try:
    #                 res.update(_rs)
    #             except ValueError:
    #                 try:
    #                     res.append(_rs)
    #                 except AttributeError:
    #                     res = [_rs]
    #
    #         return {(rsid, _name): res}
    #
    # def resource_set_name(self, rsid):
    #     rs = self.resource_set.read(self.map_rsid_id[rsid])
    #     return rs["name"]

    def permits_by_user(self, owner):
        """
        :param owner: The owner of the resource
        :return: A dictionary with requestors as keys and permissions as values
        """
        return self.permit.get_permits(owner)

    def authz_session_info(self, token):
        pass

    def introspection_endpoint_(self, entity, **kwargs):
        """
        The endpoint URI at which the resource server introspects an RPT
        presented to it by a client.
        """

        request = kwargs["request"]
        logger.debug("requestor: %s, request: %s" % (entity, request))
        ir = IntrospectionRequest().from_json(request)
        owner = safe_name(entity, kwargs["client_id"])
        try:
            try:
                # requestor = self.rpt[ir["token"]]["requestor"]
                perms = self.permit.get_accepted(owner, ir["token"])
            except KeyError:
                response = BadRequest()
            else:
                if perms:
                    irep = IntrospectionResponse(active=True,
                                                 exp=perms[0]["exp"],
                                                 permissions=perms)
                    logger.debug("response: %s" % irep.to_json())
                    response = Response(irep.to_json(),
                                        content="application/json")
                else:
                    logger.info("No permissions bound to this RPT")
                    response = BadRequest()
        except ToOld:
            logger.info("RPT expired")
            irep = IntrospectionResponse(valid=False)
            response = Response(irep.to_json(), content="application/json")
        except KeyError:
            response = BadRequest()

        return response

    def permission_registration_endpoint_(self, entity, **kwargs):
        """
        The endpoint URI at which the resource server registers a
        client-requested permission with the authorization server.
        This is a proposed permission waiting for the user to accept it.
        """
        request = kwargs["request"]
        _ticket = rndstr(24)
        logging.debug("Registering permission request: %s" % request)
        resp = PermissionRegistrationResponse(ticket=_ticket)
        self.permission_requests.add_request(_ticket, request)

        return Created(resp.to_json(), content="application/json")

    def requesting_party_claims_endpoint(self, request="", **kwargs):
        """
        The endpoint at which the resource server gathers the consent of
        the end-user resource owner or the client gathers the consent of the
        end-user requesting party, if the "authorization_code" grant type is
        used.
        """
        pass

    def dynamic_client_endpoint(self, request="", **kwargs):
        pass

    def token_endpoint(self, request="", **kwargs):
        pass

    def authorization_endpoint(self, request="", **kwargs):
        pass

    @staticmethod
    def token_scope_check(areq, info):
        """
        verifies that the scope that is demanded for the access token is
        one that I'm comfortable with.

        :param areq: AccessTokenRequest
        :param info: What's in the session db
        :return: None if OK otherwise and error response.
        """
        try:
            assert areq["scope"] in info["scope"]
        except AssertionError:
            logger.error("Not the same scope as for the AuthzRequest")
            err = TokenErrorResponse(error="invalid_scope")
            return Response(err.to_json(), content="application/json")

        try:
            assert areq["scope"] in list(UMA_SCOPE.values())
        except AssertionError:
            logger.error("Asked for scope which I don't deal with")
            err = TokenErrorResponse(error="invalid_scope")
            return Response(err.to_json(), content="application/json")

        return None

    def create_uma_providerinfo(self, pcr_class=ProviderConfiguration):
        kwargs = dict([(k, v) for k, v in list(self.conf_info.items())
                       if k in pcr_class.c_param])
        _response = pcr_class(**kwargs)

        for endp in UmaAS.endp:
            _response.update(endpoint_ava(endp, self.baseurl))

        logger.debug("provider_info_response: %s" % (_response.to_dict(), ))
        return _response

    # noinspection PyUnusedLocal
    def providerinfo_endpoint_(self, handle="", **kwargs):
        logger.debug("@providerinfo_endpoint")
        try:
            _response = self.create_uma_providerinfo()

            headers = [("Cache-Control", "no-store"), ("x-ffo", "bar")]
            # if handle:
            #     (key, timestamp) = handle
            #     if key.startswith(STR) and key.endswith(STR):
            #         cookie = self.cookie_func(key, self.cookie_name, "pinfo",
            #                                   self.sso_ttl)
            #         headers.append(cookie)

            resp = Response(_response.to_json(),
                            content="application/json",
                            headers=headers)
        except Exception as err:
            message = traceback.format_exception(*sys.exc_info())
            logger.error(message)
            resp = Response(message, content="html/text")

        return resp

    def get_subsets(self, owner, requestor, scopes):
        res = {}
        try:
            permits = self.permit.get_permit_by_requestor(owner, requestor)
        except KeyError:
            return res

        for permit, (_scopes, time_stamp) in list(permits.items()):
            _scs = []
            for scope in scopes:
                try:
                    assert scope in _scopes
                except AssertionError:
                    pass
                else:
                    _scs.append(scope)
            if _scs:
                res[permit] = _scs
        return res

    def register_permission(self, owner, rpt, rsid, scopes):
        now = utc_time_sans_frac()
        perm = AuthzDescription(resource_set_id=rsid,
                                scopes=scopes,
                                exp=now + self.session.lifetime,
                                iat=now)

        self.permit.set_accepted(owner, rpt, perm)

    def rpt_endpoint_(self, entity, client_id, **kwargs):
        """
        Registers an Authorization Description

        :param entity: Who's on the other side
        :param client_id: The UMA client
        :return: A Response instance
        """

        adr = AuthorizationDataRequest().from_json(kwargs["request"])

        # Get request permission that the resource server has registered
        try:
            prr_list = self.permission_requests.get_request(adr["ticket"])
        except KeyError:
            errmsg = ErrorResponse(error="invalid_ticket")
            return BadRequest(errmsg.to_json(), content="application/json")

        self.permission_requests.del_request(adr["ticket"])
        try:
            _rpt = adr["rpt"]
        except KeyError:
            _rpt = rndstr(32)

        for prr in prr_list:
            _rsid = prr["resource_set_id"]

            # Verify that the scopes are defined for the resource set
            owner = self.resource_set.rsid2oid[_rsid]
            rsd = self.resource_set.read(owner, _rsid)
            for scope in prr["scopes"]:
                try:
                    assert scope in rsd["scopes"]
                except AssertionError:
                    errmsg = ErrorResponse(
                        error="not_authorized",
                        error_description="Undefined scopes")
                    return BadRequest(errmsg.to_json(),
                                      content="application/json")

            # Is there any permissions registered by the owner, if so verify
            # that it allows what is requested. Return what is allowed !

            try:
                allow_scopes, timestamp = self.permit.get_permit(
                    owner, entity, _rsid)
            except KeyError:  #
                errmsg = ErrorResponse(error="not_authorized",
                                       error_description="No permission given")
                return BadRequest(errmsg.to_json(), content="application/json")
            else:
                _scopes = []
                for scope in prr["scopes"]:
                    try:
                        assert scope in allow_scopes
                    except AssertionError:
                        pass
                    else:
                        _scopes.append(scope)

                # bind _requester to specific RPT for this user
                try:
                    self.eid2rpt[owner][entity] = _rpt
                except KeyError:
                    self.eid2rpt[owner] = {entity: _rpt}

                self.register_permission(owner, _rpt, _rsid, _scopes)

        rsp = AuthorizationDataResponse(rpt=_rpt)

        return Response(rsp.to_json())

    def name2id(self, owner, requestor, rsid):
        _user = safe_name(owner, requestor)
        obj = self.resource_set.read(_user, rsid)
        return obj["_id"]

    def remove_permission(self, owner, requestor, resource_name):
        """
        :param owner: The resource owner
        :param requestor: The SP entity ID
        :param resource_name: The name of the resource set
        """
        _id = self.name2id(owner, requestor, resource_name)

        try:
            self.permit.delete_permit(owner, requestor, _id)
        except KeyError:
            pass

        try:
            _user = "******" % (owner, requestor)
            rm_rpt = self.permit.rm_accepted(_user, _id)
        except KeyError:
            pass
        else:
            for _rpt in rm_rpt:
                # immediate expiration
                self.session.update(_rpt, expires_at=0)

    def store_permission(self, user, requestor, rsids):
        """
        :param user: The resource owner
        :param requestor: The requestor ID
        :param rsids: dictionary with Resource set IDs as keys and scopes
            as values
        """

        logger.info("store: (%s, %s, %s)" % (user, requestor, rsids))

        present = self.permit.get_rsid_permits(user, requestor)
        _new = [k for k in list(rsids.keys()) if k not in present]
        _user = safe_name(user, requestor)
        for rsid in _new:
            scopes = rsids[rsid]
            if scopes is None:
                rs = self.resource_set.read(_user, rsid)
                scopes = rs["scopes"]
            self.permit.set_permit(user, requestor, rsid, scopes)

        _rem = [k for k in present if k not in rsids]
        for rsid in _rem:
            self.permit.delete_permit(user, requestor, rsid)

    def read_permission(self, user, requestor, rsid):
        return self.permit.get_permit(user, requestor, rsid)

    def rec_rm_permission(self, user, requestor, rsid):
        """
        If the resource set is a complex set, remove all subset permissions
        :param user: The owner of the resource
        :param requestor: Who the permission is applying to
        :param rsid: The resource set name
        """
        _user = safe_name(user, requestor)
        rs = self.resource_set.read(_user, rsid)
        if "subsets" in rs:
            for ss in rs["subsets"]:
                self.rec_rm_permission(user, requestor, ss)
        try:
            self.permit.delete_permit(user, requestor, rsid)
        except KeyError:
            pass

    def rm_permission(self, user, requestor, rsid):
        """
        If the resource set is a complex set, remove all subset permissions
        :param user: The owner of the resource
        :param requestor: Who the permission is applying to
        :param rsid: The resource set name
        """
        logger.info("remove: (%s, %s, %s)" % (user, requestor, rsid))
        self.rec_rm_permission(user, requestor, rsid)
        return True

    def rsid_permits(self, user, requestor):
        return self.permit.get_rsid_permits(user, requestor)