def register_client(self): """Register ourselves as a client of the platform. Skips registration if client is already registered (client_id/secret loaded from state file). """ if not "client_id" in self.state: if self.scim_client == None: self.scim_client = EOEPCA_Scim(self.base_url + "/") self.client = self.scim_client.registerClient( "Demo Client", grantTypes=[ "client_credentials", "password", "urn:ietf:params:oauth:grant-type:uma-ticket" ], redirectURIs=[""], logoutURI="", responseTypes=["code", "token", "id_token"], scopes=[ 'openid', 'email', 'user_name ', 'uma_protection', 'permission' ], token_endpoint_auth_method=ENDPOINT_AUTH_CLIENT_POST) if self.client["client_id"] and self.client["client_secret"]: self.state["client_id"] = self.client["client_id"] self.state["client_secret"] = self.client["client_secret"] print(f"client_id: {self.state['client_id']}") else: print("ERROR: Incomplete client credentials") else: print(f"client_id: {self.state['client_id']} [REUSED]")
def registerScimClient(auth_server_url: str, client_id: str = None, client_secret: str = None, verify_ssl: bool = False): """ Static method to dynamically register a PDP client, using the EOEPCA_Scim library. """ if not ScimHandler.__eoepca_scim_instance: if (os.path.isfile('./private.pem')): print("SCIM Handler: private key found, initiating...") ScimHandler.__eoepca_scim_instance = EOEPCA_Scim( host=auth_server_url, clientID=client_id, clientSecret=client_secret, jks_path="./private.pem") else: ScimHandler.__eoepca_scim_instance = EOEPCA_Scim( host=auth_server_url, clientID=client_id, clientSecret=client_secret) if not client_id or not client_secret: grantTypes = [ "client_credentials", "urn:ietf:params:oauth:grant-type:uma-ticket", "password", "implicit" ] scopes = ['openid', 'uma_protection', 'permission', 'profile'] ScimHandler.__scim_client = ScimHandler.__eoepca_scim_instance.registerClient( "PDP Dynamic Client", grantTypes=grantTypes, redirectURIs=[""], logoutURI="", responseTypes=["code", "token", "id_token"], scopes=scopes, token_endpoint_auth_method= ENDPOINT_AUTH_CLIENT_PRIVATE_KEY_JWT, useJWT=1) print("SCIM Handler: created new PDP client: " + ScimHandler.__scim_client["client_id"]) else: ScimHandler.__scim_client = { "client_id": client_id, "client_secret": client_secret } ScimHandler.__wkh = WellKnownHandler(auth_server_url, secure=False) ScimHandler.__verify_ssl = verify_ssl return ScimHandler.__scim_client
def register_client(self): # Generate client dynamically if one is not configured. if not self.client_id or not self.client_secret: print ("NOTICE: Client not found, generating one... ") scim_client = EOEPCA_Scim(self.server_url) new_client = scim_client.registerClient("PDP Dynamic Client", grantTypes = ["client_credentials"], redirectURIs = [""], logoutURI = "", responseTypes = ["code","token","id_token"], scopes = ['openid', 'uma_protection', 'permission'], token_endpoint_auth_method = ENDPOINT_AUTH_CLIENT_POST) print("NEW CLIENT created with ID '"+new_client["client_id"]+"', since no client config was found on config.json or environment") self.client_id = new_client["client_id"] self.client_secret = new_client["client_secret"] return self.client_id, self.client_secret
def scim_client_get_details(self): if self.details == None: print("Registering new client") scim_client = EOEPCA_Scim(self.hostname) self.client = scim_client.registerClient( "UMA Flow Test Client", grantTypes=[ "client_credentials", "password", "urn:ietf:params:oauth:grant-type:uma-ticket" ], redirectURIs=[""], logoutURI="", responseTypes=["code", "token", "id_token"], scopes=[ 'openid', 'email', 'user_name ', 'uma_protection', 'permission' ], token_endpoint_auth_method=ENDPOINT_AUTH_CLIENT_POST) self.details = {} self.details["client_id"] = self.client["client_id"] self.details["client_secret"] = self.client["client_secret"] else: print("Reusing existing client") return self.details
def get_config(config_path: str): """ Loads entire configuration onto memory """ env_vars = [ "PEP_REALM", "PEP_AUTH_SERVER_URL", "PEP_SERVICE_HOST", "PEP_PROXY_SERVICE_PORT", "PEP_RESOURCES_SERVICE_PORT", "PEP_S_MARGIN_RPT_VALID", "PEP_CHECK_SSL_CERTS", "PEP_USE_THREADS", "PEP_DEBUG_MODE", "PEP_RESOURCE_SERVER_ENDPOINT", "PEP_API_RPT_UMA_VALIDATION", "PEP_RPT_LIMIT_USES", "PEP_PDP_URL", "PEP_PDP_PORT", "PEP_PDP_POLICY_ENDPOINT", "PEP_VERIFY_SIGNATURE" ] use_env_var = True for env_var in env_vars: if env_var not in os.environ: use_env_var = False g_config = {} # Global config objects if use_env_var is False: g_config = load_config(config_path) else: for env_var in env_vars: env_var_config = env_var.replace('PEP_', '') if "true" in os.environ[env_var].replace('"', ''): g_config[env_var_config.lower()] = True elif "false" in os.environ[env_var].replace('"', ''): g_config[env_var_config.lower()] = False else: g_config[env_var_config.lower()] = os.environ[env_var].replace( '"', '') # Sanitize PDP "policy" endpoint config value, VERY IMPORTANT to ensure proper function of the endpoint if g_config["pdp_policy_endpoint"][0] is not "/": g_config["pdp_policy_endpoint"] = "/" + g_config["pdp_policy_endpoint"] if g_config["pdp_policy_endpoint"][-1] is not "/": g_config["pdp_policy_endpoint"] = g_config["pdp_policy_endpoint"] + "/" # Global handlers g_wkh = WellKnownHandler(g_config["auth_server_url"], secure=False) # Global setting to validate RPTs received at endpoints api_rpt_uma_validation = g_config["api_rpt_uma_validation"] if api_rpt_uma_validation: print("UMA RPT validation is ON.") else: print("UMA RPT validation is OFF.") # Generate client dynamically if one is not configured. if "client_id" not in g_config or "client_secret" not in g_config: print("NOTICE: Client not found, generating one... ") scim_client = EOEPCA_Scim(g_config["auth_server_url"]) new_client = scim_client.registerClient( "PEP Dynamic Client", grantTypes=["client_credentials", "password"], redirectURIs=[""], logoutURI="", responseTypes=["code", "token", "id_token"], scopes=[ 'openid', 'uma_protection', 'permission', 'profile', 'is_operator' ], token_endpoint_auth_method=ENDPOINT_AUTH_CLIENT_POST) print( "NEW CLIENT created with ID '" + new_client["client_id"] + "', since no client config was found on config.json or environment" ) g_config["client_id"] = new_client["client_id"] g_config["client_secret"] = new_client["client_secret"] if use_env_var is False: save_config("config/config.json", g_config) else: os.environ["PEP_CLIENT_ID"] = new_client["client_id"] os.environ["PEP_CLIENT_SECRET"] = new_client["client_secret"] print("New client saved to config!") else: print("Client found in config, using: " + g_config["client_id"]) save_config(config_path, g_config) return g_config, g_wkh
def main(): logging.getLogger().setLevel(logging.INFO) #Determine Gluu host address gluuHost = "https://demoexample.gluu.org" #Initiate class scim_client = EOEPCA_Scim(host=gluuHost) #Initiate class with an existing user (INUM), specifying the location of their private RSA key file and kid (key ID) for UMA purposes #When no kid is provided, default value "RSA1" is used #scim_client = EOEPCA_Scim(host=gluuHost, clientID="", clientSecret="", jks_path="", kid="") #Register a new client, returns client information in JSON format clientName = "TestClient" grantTypes = [ "client_credentials", "urn:ietf:params:oauth:grant-type:uma-ticket", "password", "implicit" ] redirectURIs = ["https://demoexample.gluu.org/web_ui/oauth/callback"] logoutURI = "https://demoexample.gluu.org/logout" responseTypes = [] #Sector identifier is OPTIONAL field #Redirect URIs MUST be contained in Sector Identifier, if this is used sectorIdentifier = "https://demoexample.gluu.org/oxauth/sectoridentifier/9b473868-fa96-4fd1-a662-76e3663c9726" #sectorIdentifiers=None #OpenID scope examples scopes = ["openid", "oxd", "permission"] #UMA scope example #scopes=["https://demoexample.gluu.org/oxauth/restv1/uma/scopes/scim_access"] #Register call, with useJWK=1 if JWK is being used #clientJSON = scim_client.registerClient(clientName=clientName, grantTypes=grantTypes, redirectURIs=redirectURIs, logoutURI=logoutURI, responseTypes=responseTypes, scopes=scopes, token_endpoint_auth_method= ENDPOINT_AUTH_CLIENT_POST) clientJSON = scim_client.registerClient( clientName=clientName, grantTypes=grantTypes, redirectURIs=redirectURIs, logoutURI=logoutURI, responseTypes=responseTypes, scopes=scopes, sectorIdentifier=sectorIdentifier, token_endpoint_auth_method=ENDPOINT_AUTH_CLIENT_POST) #clientJSON = scim_client.registerClient(clientName=clientName, grantTypes=grantTypes, redirectURIs=redirectURIs, logoutURI=logoutURI, responseTypes=responseTypes, scopes=scopes, token_endpoint_auth_method= ENDPOINT_AUTH_CLIENT_PRIVATE_KEY_JWT , useJWK=1) print(clientJSON) #User to which we want to obtain all attributes userID = "*****@*****.**" #Get user attributes attributes = scim_client.getUserAttributes(userID=userID) print(attributes) #Add a new attribute attributePath = "name.middleName" newValue = "Middle" scim_client.addUserAttribute(userID=userID, attributePath=attributePath, newValue=newValue) #Modify an attribute attributePath = "name.familyName" newValue = "Last" scim_client.editUserAttribute(userID=userID, attributePath=attributePath, newValue=newValue) #Remove an attribute attributePath = "name.middleName" scim_client.removeUserAttribute(userID=userID, attributePath=attributePath) #Delete user reply = scim_client.deleteUser(userID=userID) print(reply)
class DemoClient: """Example client calling EOEPCA public endpoints """ ROBOT_LIBRARY_SCOPE = 'GLOBAL' ROBOT_LIBRARY_VERSION = '0.1' def __init__(self, base_url): """Initialise client session with provided base URL. """ self.base_url = base_url requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) self.session = requests.Session() self.session.verify = False self.token_endpoint = None self.scim_client = None self.client = None self.load_state() def load_state(self): """Load state from file 'state.json'. """ self.state = {} try: with open("state.json") as state_file: self.state = json.loads(state_file.read()) print(f"State loaded from file: {self.state}") except FileNotFoundError: pass except json.decoder.JSONDecodeError: print(f"ERROR loading state from file. Using clean state...") @keyword(name='Client Save State') def save_state(self): """Save state to file 'state.json'. """ state_filename = "state.json" with open(state_filename, "w") as state_file: state_file.write(json.dumps(self.state, sort_keys=True, indent=2)) print("Client state saved to file:", state_filename) #--------------------------------------------------------------------------- # USER MANAGEMENT #--------------------------------------------------------------------------- def get_token_endpoint(self): """Get the URL of the token endpoint. Requires no authentication. """ if self.token_endpoint == None: headers = { 'content-type': "application/json" } r = self.session.get(self.base_url + "/.well-known/uma2-configuration", headers=headers) self.token_endpoint = r.json()["token_endpoint"] print(f"token_endpoint: {self.token_endpoint}") return self.token_endpoint def register_client(self): """Register ourselves as a client of the platform. Skips registration if client is already registered (client_id/secret loaded from state file). """ if not "client_id" in self.state: if self.scim_client == None: self.scim_client = EOEPCA_Scim(self.base_url + "/") self.client = self.scim_client.registerClient( "Demo Client", grantTypes = ["client_credentials", "password", "urn:ietf:params:oauth:grant-type:uma-ticket"], redirectURIs = [""], logoutURI = "", responseTypes = ["code","token","id_token"], scopes = ['openid', 'email', 'user_name ','uma_protection', 'permission'], token_endpoint_auth_method = ENDPOINT_AUTH_CLIENT_POST) if self.client["client_id"] and self.client["client_secret"]: self.state["client_id"] = self.client["client_id"] self.state["client_secret"] = self.client["client_secret"] print(f"client_id: {self.state['client_id']}") else: print("ERROR: Incomplete client credentials") else: print(f"client_id: {self.state['client_id']} [REUSED]") def get_client_credentials(self): """Returns the client credentials (client_id/secret) Performs client registration if needed. """ if not "client_id" in self.state: self.register_client() return self.state["client_id"], self.state["client_secret"] @keyword(name='Get ID Token') def get_id_token(self, username, password): """Gets a user ID token using username/password authentication. """ client_id, client_secret = self.get_client_credentials() headers = { 'cache-control': "no-cache" } data = { "scope": "openid user_name", "grant_type": "password", "username": username, "password": password, "client_id": client_id, "client_secret": client_secret } r = self.session.post(self.get_token_endpoint(), headers=headers, data=data) id_token = r.json()["id_token"] print(f"id_token: {id_token}") return id_token @keyword(name='Register Protected Resource') def register_protected_resource(self, service_url, uri, id_token, name, scopes): """Register a resource in the PEP Uses provided user ID token to authorise the request. Resource is identified by its path (URI). Resource is registered with the provided 'nice' name. """ resource_id = None if "resources" in self.state: if service_url in self.state["resources"]: if uri in self.state["resources"][service_url]: resource_id = self.state["resources"][service_url][uri] else: self.state["resources"][service_url] = {} else: self.state["resources"] = { service_url: {} } if resource_id == None: headers = { 'content-type': "application/json", "Authorization": f"Bearer {id_token}" } data = { "resource_scopes":scopes, "icon_uri":uri, "name":name} r = self.session.post(f"{service_url}/resources/{name}", headers=headers, json=data) resource_id = r.text if resource_id: self.state["resources"][service_url][uri] = resource_id print(f"resource_id: {resource_id} ({service_url}{uri})") else: print(f"ERROR: Empty resource ID for {service_url}{uri}") else: print(f"resource_id: {resource_id} ({service_url}{uri}) [REUSED]") return resource_id def get_access_token_from_ticket(self, ticket, id_token): """Convert UMA ticket to access token, using ID token for authentication. """ if ticket == None or len(ticket) == 0 or id_token == None or len(id_token) == 0: print("ERROR: ticket and id_token are required") return client_id, client_secret = self.get_client_credentials() headers = { 'content-type': "application/x-www-form-urlencoded", "cache-control": "no-cache" } data = { "claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken", "claim_token": id_token, "ticket": ticket, "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", "client_id": client_id, "client_secret": client_secret, "scope": "openid" } r = self.session.post(self.get_token_endpoint(), headers=headers, data=data) access_token = r.json()["access_token"] print(f"access_token: {access_token}") return access_token def get_access_token_from_password(self, username, password): """Convert UMA ticket to access token, using username/password for authentication. """ client_id, client_secret = self.get_client_credentials() headers = { 'content-type': "application/x-www-form-urlencoded", "cache-control": "no-cache" } data = { "grant_type": "password", "client_id": client_id, "client_secret": client_secret, "username": username, "password": password, "scope": "openid" } r = self.session.post(self.get_token_endpoint(), headers=headers, data=data) access_token = r.json()["access_token"] print(f"access_token: {access_token}") return access_token def uma_http_request(self, requestor, url, headers=None, id_token=None, access_token=None, json=None, data=None): """Helper to perform an http request via a UMA flow. Handles response code 401 to perform the UMA flow. The 'requestor' argument provides the function to be called to make the request, e.g. `requests.get`, `requests.post`, ... """ # loop control variables count = 0 repeat = True # max 2 loops. Repeat if we got a 401 and used UMA to get a new access token while repeat and count < 2: count += 1 repeat = False # init headers if needed if headers is None: headers = {} # use access token if we have one if access_token is not None: headers["Authorization"] = f"Bearer {access_token}" # attempt access r = requestor(url, headers=headers, json=json, data=data) # if response is OK then nothing else to do if r.ok: pass # if we got a 401 then initiate the UMA flow elif r.status_code == 401: # need an id token for the UMA flow if id_token is not None: # get ticket from the supplied header location_header = r.headers["WWW-Authenticate"] for item in location_header.split(","): if item.split("=")[0] == "ticket": ticket = item.split("=")[1] break # if we have a ticket then request an access token if ticket is not None: access_token = self.get_access_token_from_ticket(ticket, id_token) repeat = True # unhandled response code else: print(f"UNEXPECTED status code: {r.status_code} for resource {url}") # return the response and the access token which may be reusable return r, access_token #--------------------------------------------------------------------------- # ADES WPS #--------------------------------------------------------------------------- @keyword(name='WPS Get Capabilities') def wps_get_capabilities(self, service_base_url, id_token=None, access_token=None): """Call the WPS GetCapabilities endpoint """ url = service_base_url + "/?service=WPS&version=1.0.0&request=GetCapabilities" r, access_token = self.uma_http_request(self.session.get, url, id_token=id_token, access_token=access_token) print(f"[WPS Capabilities]=({r.status_code}-{r.reason})={r.text}") return r, access_token #--------------------------------------------------------------------------- # ADES API PROCESSES #--------------------------------------------------------------------------- @keyword(name='Proc List Processes') def proc_list_processes(self, service_base_url, id_token=None, access_token=None): """Call the 'API Processes' endpoint """ url = service_base_url + "/processes" headers = { "Accept": "application/json" } r, access_token = self.uma_http_request(self.session.get, url, headers=headers, id_token=id_token, access_token=access_token) print(f"[Process List]=({r.status_code}-{r.reason})={r.text}") return r, access_token @keyword(name='Proc Deploy App') def proc_deploy_application(self, service_base_url, app_deploy_body_filename, id_token=None, access_token=None): """Deploy application via 'API Processes' endpoint The body of the deployment request is obtained from the supplied file """ # get request body from file app_deploy_body = {} try: with open(app_deploy_body_filename) as app_deploy_body_file: app_deploy_body = json.loads(app_deploy_body_file.read()) print(f"Application details read from file: {app_deploy_body_filename}") except FileNotFoundError: print(f"ERROR could not find application details file: {app_deploy_body_filename}") except json.decoder.JSONDecodeError: print(f"ERROR loading application details from file: {app_deploy_body_filename}") # make request url = service_base_url + "/processes" headers = { "Accept": "application/json", "Content-Type": "application/json" } r, access_token = self.uma_http_request(self.session.post, url, headers=headers, id_token=id_token, access_token=access_token, json=app_deploy_body) print(f"[Deploy Response]=({r.status_code}-{r.reason})={r.text}") return r, access_token @keyword(name='Proc App Details') def proc_get_app_details(self, service_base_url, app_name, id_token=None, access_token=None): """Get details for the application with the supplied name """ url = service_base_url + "/processes/" + app_name headers = { "Accept": "application/json" } r, access_token = self.uma_http_request(self.session.get, url, headers=headers, id_token=id_token, access_token=access_token) print(f"[App Details]=({r.status_code}-{r.reason})={r.text}") return r, access_token @keyword(name='Proc Execute App') def proc_execute_application(self, service_base_url, app_name, app_execute_body_filename, id_token=None, access_token=None): """Execute application via 'API Processes' endpoint The body of the execute request is obtained from the supplied file """ # get request body from file app_execute_body = {} try: with open(app_execute_body_filename) as app_execute_body_file: app_execute_body = json.loads(app_execute_body_file.read()) print(f"Application execute details read from file: {app_execute_body_filename}") except FileNotFoundError: print(f"ERROR could not find application execute details file: {app_execute_body_filename}") except json.decoder.JSONDecodeError: print(f"ERROR loading application execute details from file: {app_execute_body_filename}") # make request url = service_base_url + "/processes/" + app_name + "/jobs" headers = { "Accept": "application/json", "Content-Type": "application/json", "Prefer": "respond-async" } r, access_token = self.uma_http_request(self.session.post, url, headers=headers, id_token=id_token, access_token=access_token, json=app_execute_body) job_location = r.headers['Location'] print(f"[Execute Response]=({r.status_code}-{r.reason})=> job={job_location}") return r, access_token, job_location @keyword(name='Proc Job Status') def proc_get_job_status(self, service_base_url, job_location, id_token=None, access_token=None): """Get the job status from the supplied location """ url = service_base_url + job_location headers = { "Accept": "application/json" } r, access_token = self.uma_http_request(self.session.get, url, headers=headers, id_token=id_token, access_token=access_token) print(f"[Job Status]=({r.status_code}-{r.reason})={r.text}") return r, access_token def proc_get_job_result(self, service_base_url, job_location, id_token=None, access_token=None): """Get the job result from the supplied location """ url = service_base_url + job_location + "/result" headers = { "Accept": "application/json" } r, access_token = self.uma_http_request(self.session.get, url, headers=headers, id_token=id_token, access_token=access_token) print(f"[Job Result]=({r.status_code}-{r.reason})={r.text}") return r, access_token @keyword(name='Proc Undeploy App') def proc_undeploy_application(self, service_base_url, app_name, id_token=None, access_token=None): """Undeploy application via 'API Processes' endpoint """ # make request url = service_base_url + "/processes/" + app_name headers = { "Accept": "application/json" } r, access_token = self.uma_http_request(self.session.delete, url, headers=headers, id_token=id_token, access_token=access_token) print(f"[Undeploy Response]=({r.status_code}-{r.reason})={r.text}") return r, access_token
env_var_config = env_var.replace('PEP_', '') if "true" in os.environ[env_var].replace('"', ''): g_config[env_var_config.lower()] = True elif "false" in os.environ[env_var].replace('"', ''): g_config[env_var_config.lower()] = False else: g_config[env_var_config.lower()] = os.environ[env_var].replace('"', '') # Global handlers g_wkh = WellKnownHandler(g_config["auth_server_url"], secure=False) # Generate client dynamically if one is not configured. if "client_id" not in g_config or "client_secret" not in g_config: print ("NOTICE: Client not found, generating one... ") scim_client = EOEPCA_Scim(g_config["auth_server_url"]) new_client = scim_client.registerClient("PEP Dynamic Client", grantTypes = ["client_credentials"], redirectURIs = [""], logoutURI = "", responseTypes = ["code","token","id_token"], scopes = ['openid', 'uma_protection', 'permission'], token_endpoint_auth_method = ENDPOINT_AUTH_CLIENT_POST) print("NEW CLIENT created with ID '"+new_client["client_id"]+"', since no client config was found on config.json or environment") g_config["client_id"] = new_client["client_id"] g_config["client_secret"] = new_client["client_secret"] if use_env_var is False: save_config("config/config.json", g_config) else: os.environ["PEP_CLIENT_ID"] = new_client["client_id"]