def test_unpack_metadata_statement_uri():
s = signer[OA['sunet']]
req = MetadataStatement(issuer='https://example.org/op')
# Not intermediate
ms = s.create_signed_metadata_statement(req, 'discovery', single=True)
jb = FSJWKSBundle('',
None,
'fo_jwks',
key_conv={
'to': quote_plus,
'from': unquote_plus
})
mds = MetaDataStore('msd')
op = Operator(jwks_bundle=public_jwks_bundle(jb))
op.httpcli = MockHTTPClient(mds)
res = op.unpack_metadata_statement(jwt_ms=ms)
assert len(res.parsed_statement) == 3
loel = op.evaluate_metadata_statement(res.result)
assert len(loel) == 3
assert set([l.fo for l in loel]) == {
'https://swamid.sunet.se', 'https://edugain.com',
'https://www.feide.no'
}
def test_get_metadata_statement():
jb = JWKSBundle('')
for iss in ['https://example.org/', 'https://example.com/']:
jb[iss] = build_keyjar(KEYDEFS)[1]
op = Operator(keyjar=jb['https://example.com/'],
iss='https://example.com/')
req = MetadataStatement(foo='bar')
sms = op.pack_metadata_statement(req, alg='RS256')
sms_dir = {'https://example.com': sms}
req['metadata_statements'] = Message(**sms_dir)
ent = FederationEntity(None, fo_bundle=public_jwks_bundle(jb))
loe = ent.get_metadata_statement(req)
assert loe
def test_pack_metadata_statement_other_alg():
_keyjar = build_keyjar(KEYDEFS)[1]
op = Operator(keyjar=_keyjar, iss='https://example.com/')
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req, alg='ES256')
assert sms # Should be a signed JWT
_jwt = factory(sms)
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == 'https://example.com/'
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
def test_pack_and_unpack_ms_lev0():
cms = ClientMetadataStatement(signing_keys=json.dumps(
FOP.keyjar.export_jwks_as_json()),
contacts=['*****@*****.**'])
_jwt = FOP.pack_metadata_statement(cms, alg='RS256', scope=['openid'])
assert _jwt
json_ms = unfurl(_jwt)
# print(json_ms.keys())
assert set(json_ms.keys()) == {
'signing_keys', 'iss', 'iat', 'exp', 'kid', 'scope', 'contacts', 'aud'
}
# Unpack what you have packed
_kj = public_keys_keyjar(FOP.keyjar, '', None, FOP.iss)
op = Operator(_kj, jwks_bundle=public_jwks_bundle(FOP.jwks_bundle))
pr = op.unpack_metadata_statement(jwt_ms=_jwt)
assert pr.result
def __init__(self, srv, iss='', keyjar=None, signer=None, fo_bundle=None):
"""
:param srv: A Client or Provider instance
:param iss: A identifier assigned to this entity by the operator
:param keyjar: Key this entity can use to sign things
:param signer: A dsigner to use for signing documents
(client registration requests/provide info response) this
entity produces.
:param fo_bundle: A bundle of keys that can be used to verify
the root signature of a compounded metadata statement.
"""
Operator.__init__(self,
iss=iss,
keyjar=keyjar,
httpcli=srv,
jwks_bundle=fo_bundle)
# Who can sign request from this entity
self.signer = signer
self.federation = None
def test_pack_metadata_statement():
jb = FSJWKSBundle('',
None,
'fo_jwks',
key_conv={
'to': quote_plus,
'from': unquote_plus
})
_keyjar = build_keyjar(KEYDEFS)[1]
op = Operator(keyjar=_keyjar, jwks_bundle=jb, iss='https://example.com/')
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req)
assert sms # Should be a signed JWT
_jwt = factory(sms)
assert _jwt
assert _jwt.jwt.headers['alg'] == 'RS256'
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == op.iss
assert _body['issuer'] == 'https://example.org/op'
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
def test_make_signed_metadata_statement_mixed():
liss = list(FO.values())
liss.extend(list(OA.values()))
key_bundle = make_fs_jwks_bundle(TEST_ISS, liss, SIGN_KEYJAR, KEYDEFS,
'./')
operator = {}
for entity, _keyjar in key_bundle.items():
operator[entity] = Operator(iss=entity, keyjar=_keyjar)
_spec = SMS_DEF[OA['sunet']]["discovery"][FO['swamid']]
mds = MetaDataStore('mds')
mds.clear()
sms = make_signed_metadata_statement(_spec,
operator,
mds=mds,
base_uri='https:/example.org/ms')
assert sms
_spec = SMS_DEF[OA['sunet']]["discovery"][FO['edugain']]
sms = make_signed_metadata_statement(_spec,
operator,
mds=mds,
base_uri='https:/example.org/ms')
assert list(sms['ms_uri'].keys()) == [FO['edugain']]
# Now parse the result
_md0 = unpack_using_metadata_store(sms['ms_uri'][FO['edugain']], mds)
op = Operator()
_res = op.evaluate_metadata_statement(_md0)
assert _res[0].le == {'federation_usage': 'discovery'}
def init(keydefs, tool_iss, liss, lifetime):
# The FOs signing keys
sig_keys = build_keyjar(keydefs)[1]
key_bundle = make_fs_jwks_bundle(tool_iss, liss, sig_keys, keydefs, './')
#sig_keys = build_keyjar(keydefs)[1]
operator = {}
for entity, _keyjar in key_bundle.items():
_keyjar[''] = _keyjar[entity]
operator[entity] = Operator(iss=entity, keyjar=_keyjar,
lifetime=lifetime)
return {'operator': operator, 'key_bundle': key_bundle}
def test_metadatastore():
mds = MetaDataStore('mds')
mds.clear()
desc = SMS_DEF[OA['sunet']]["discovery"][FO['swamid']][0]
operator = {}
liss = list(FO.values())
liss.extend(list(OA.values()))
key_bundle = make_fs_jwks_bundle(TEST_ISS, liss, SIGN_KEYJAR, KEYDEFS,
'./')
for entity, _keyjar in key_bundle.items():
operator[entity] = Operator(iss=entity, keyjar=_keyjar)
_x = make_ms(desc, False, operator)
_jws = list(_x.values())[0]
mds[mds.hash(_jws)] = _jws
assert mds.hash(_jws) in list(mds.keys())
def test_make_signed_metadata_statements():
mds = MetaDataStore('mds')
mds.clear()
liss = list(FO.values())
liss.extend(list(OA.values()))
key_bundle = make_fs_jwks_bundle(TEST_ISS, liss, SIGN_KEYJAR, KEYDEFS,
'./')
operator = {}
for entity, _keyjar in key_bundle.items():
operator[entity] = Operator(iss=entity, keyjar=_keyjar)
_spec = SMS_DEF[OA['sunet']]["discovery"][FO['swamid']]
ms = make_signed_metadata_statement(_spec,
operator,
mds=mds,
base_uri='https:/example.org/ms')
assert ms
_spec = SMS_DEF[OA['sunet']]["discovery"][FO['edugain']]
res = make_signed_metadata_statement(_spec,
operator,
mds=mds,
base_uri='https:/example.org/ms')
assert list(res['ms_uri'].keys()) == [FO['edugain']]
_spec = SMS_DEF[OA['sunet']]["discovery"][FO['example']]
res = make_signed_metadata_statement(_spec,
operator,
mds=mds,
base_uri='https:/example.org/ms')
assert list(res['ms'].keys()) == [FO['example']]
_jws = factory(res['ms'][FO['example']])
assert _jws
def fo_member(*args):
_jb = JWKSBundle('https://sunet.se/op')
for fo in args:
_jb[fo.iss] = fo.signing_keys_as_jwks()
return Operator(jwks_bundle=_jb)
ISSUER = {}
OPERATOR = {}
for entity in ['fo', 'fo1', 'org', 'inter', 'admin', 'ligo', 'op']:
fname = os.path.join(BASE_PATH, "{}.key".format(entity))
_keydef = KEYDEFS[:]
_keydef[0]['key'] = fname
_jwks, _keyjar, _kidd = build_keyjar(_keydef)
KEYS[entity] = {
'jwks': json.dumps(_jwks),
'keyjar': _keyjar,
'kidd': _kidd
}
ISSUER[entity] = 'https://{}.example.org'.format(entity)
OPERATOR[entity] = Operator(keyjar=_keyjar, iss=ISSUER[entity])
FOP = OPERATOR['fo']
FOP.jwks_bundle = JWKSBundle(FOP.iss)
FOP.jwks_bundle[FOP.iss] = FOP.keyjar
FO1P = OPERATOR['fo1']
FO1P.jwks_bundle = JWKSBundle(FO1P.iss)
FO1P.jwks_bundle[FO1P.iss] = FO1P.keyjar
ORGOP = OPERATOR['org']
ADMINOP = OPERATOR['admin']
INTEROP = OPERATOR['inter']
LIGOOP = OPERATOR['ligo']
OPOP = OPERATOR['ligo']