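def test_multiple_fo_all_working():
    """An RP statement carrying two FO-signed branches unpacks to both.

    The org statement is signed independently by FO and FO1, the RP
    statement is signed by the org and embeds both branches, and a
    receiver that trusts both FOs must surface both, keyed by FO issuer.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])
    # signed by FO
    ms_org1 = FOP.pack_metadata_statement(cms_org, alg='RS256',
                                          scope=['openid'])
    # signed by FO1
    ms_org2 = FO1P.pack_metadata_statement(cms_org, alg='RS256',
                                           scope=['openid', 'address'])

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'])
    # signed by the org; one embedded statement per FO
    ms_rp = ORGOP.pack_metadata_statement(
        cms_rp, alg='RS256',
        metadata_statements=Message(**{
            FOP.iss: ms_org1,
            FO1P.iss: ms_org2
        }))

    # knows all FO's
    receiver = fo_member(FOP, FO1P)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)
    statements = ri.result['metadata_statements']
    assert len(statements) == 2
    # The dict is keyed by FO issuer; iterate the keys directly instead of
    # unpacking .items() and discarding the values.
    assert set(statements) == {ISSUER['fo'], ISSUER['fo1']}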
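def test_multiple_fo_one_working():
    """Only branches rooted in a trusted FO survive unpacking.

    The RP statement embeds branches signed by FO and FO1, but the
    receiver trusts FO alone, so exactly one statement comes back and it
    must be the FO-signed one. Both the dict key and the statement's
    ``iss`` are checked so that a branch surfaced under the wrong issuer
    would be caught.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])
    # signed by FO
    ms_org1 = FOP.pack_metadata_statement(cms_org, alg='RS256',
                                          scope=['openid'])
    # signed by FO1
    ms_org2 = FO1P.pack_metadata_statement(cms_org, alg='RS256',
                                           scope=['openid', 'address'])

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'])
    # signed by the org; one embedded statement per FO
    ms_rp = ORGOP.pack_metadata_statement(
        cms_rp, alg='RS256',
        metadata_statements=Message(**{
            FOP.iss: ms_org1,
            FO1P.iss: ms_org2
        }))

    # only knows about one FO
    receiver = fo_member(FOP)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)
    statements = ri.result['metadata_statements']
    assert len(statements) == 1
    # Single entry: take it without building a throwaway list of keys.
    _key, _ms = next(iter(statements.items()))
    # The untrusted FO1 branch must be dropped, not relabelled under FO.
    assert _key == ISSUER['fo']
    assert _ms['iss'] == ISSUER['fo']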
def test_pack_and_unpack_ms_lev2():
    """A three-deep chain (FO -> org -> intermediate -> RP) unpacks.

    Each level signs the statement of the level below it and embeds the
    superior's signed statement under the FO's issuer key; a receiver
    that trusts the FO must produce a non-empty result.
    """
    org_statement = ClientMetadataStatement(
        signing_keys=KEYS['org']['jwks'],
        contacts=['*****@*****.**'])
    # signed by FO
    signed_org = FOP.pack_metadata_statement(org_statement, alg='RS256',
                                             scope=['openid'])

    inter_statement = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')
    # signed by org
    signed_inter = ORGOP.pack_metadata_statement(
        inter_statement, alg='RS256',
        metadata_statements=Message(**{FOP.iss: signed_org}))

    rp_statement = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'])
    # signed by intermediate
    signed_rp = INTEROP.pack_metadata_statement(
        rp_statement, alg='RS256',
        metadata_statements=Message(**{FOP.iss: signed_inter}))

    trusting_receiver = fo_member(FOP)
    outcome = trusting_receiver.unpack_metadata_statement(jwt_ms=signed_rp)
    assert outcome.result
def test_evaluate_metadata_statement_4():
    """
    One 4-level (FO, Org, Inter, admin) and one 2-level (FO1, Inter, admin)

    The intermediate's statement is signed both by the org (rooted in FO)
    and directly by LIGO; the RP statement embeds both. A receiver that
    trusts both FOs must evaluate to one entry per FO, and the FO-rooted
    entry must carry the scope the FO signed rather than the narrower one
    the RP claimed for itself.
    """
    org_statement = ClientMetadataStatement(
        signing_keys=KEYS['org']['jwks'],
        contacts=['*****@*****.**'])
    # signed by FO
    signed_org = FOP.pack_metadata_statement(
        org_statement, alg='RS256',
        claims=['email', 'email_verified', 'phone', 'phone_verified'],
        scope=['openid', 'email', 'phone'])

    inter_statement = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')
    # signed by org (rooted in FO)
    signed_inter_via_org = ORGOP.pack_metadata_statement(
        inter_statement, alg='RS256',
        metadata_statements=Message(**{FOP.iss: signed_org}))
    # signed directly by LIGO
    signed_inter_via_ligo = LIGOOP.pack_metadata_statement(
        inter_statement, alg='ES256')

    rp_statement = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'],
        scope=['openid', 'email'])
    # signed by intermediate
    signed_rp = INTEROP.pack_metadata_statement(
        rp_statement, alg='RS256',
        metadata_statements=Message(**{
            FOP.iss: signed_inter_via_org,
            LIGOOP.iss: signed_inter_via_ligo
        }))

    # knows both FO's
    receiver = fo_member(FOP, LIGOOP)
    unpacked = receiver.unpack_metadata_statement(jwt_ms=signed_rp)
    evaluated = receiver.evaluate_metadata_statement(unpacked.result)
    by_fo = le_dict(evaluated)

    assert set(by_fo) == {ISSUER['fo'], ISSUER['ligo']}
    fo_entry = by_fo[ISSUER['fo']]
    expected_keys = ['claims', 'contacts', 'redirect_uris', 'scope',
                     'tos_uri']
    assert sorted(fo_entry) == sorted(expected_keys)
    # The FO-signed scope wins over the RP's own scope claim.
    assert fo_entry['scope'] == ['openid', 'email', 'phone']
def test_evaluate_metadata_statement_3():
    """Two parallel FO-rooted chains evaluate to one entry per FO.

    The org statement is signed by FO and by FO1 with different scopes;
    the org signs the intermediate once per branch, and the intermediate
    signs the RP statement embedding both. A receiver trusting both FOs
    gets two results, each carrying the scope its own FO signed.
    """
    org_statement = ClientMetadataStatement(
        signing_keys=KEYS['org']['jwks'],
        contacts=['*****@*****.**'])
    # signed by FO
    signed_org_fo = FOP.pack_metadata_statement(
        org_statement, alg='RS256',
        claims=['email', 'email_verified', 'phone', 'phone_verified'],
        scope=['openid', 'email', 'phone'])
    # signed by FO1
    signed_org_fo1 = FO1P.pack_metadata_statement(
        org_statement, alg='RS256',
        scope=['openid', 'email', 'address'])

    inter_statement = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')
    branches = {FOP.iss: signed_org_fo, FO1P.iss: signed_org_fo1}
    # signed by org, once per FO branch
    signed_inter = {
        fo_iss: ORGOP.pack_metadata_statement(
            inter_statement, alg='RS256',
            metadata_statements=Message(**{fo_iss: signed_org}))
        for fo_iss, signed_org in branches.items()
    }

    rp_statement = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'],
        scope=['openid', 'email'])
    # signed by intermediate
    signed_rp = INTEROP.pack_metadata_statement(
        rp_statement, alg='RS256',
        metadata_statements=Message(**signed_inter))

    # knows all FO's
    receiver = fo_member(FOP, FO1P)
    unpacked = receiver.unpack_metadata_statement(jwt_ms=signed_rp)
    evaluated = receiver.evaluate_metadata_statement(unpacked.result)

    assert len(evaluated) == 2
    assert {entry.fo for entry in evaluated} == {ISSUER['fo'],
                                                 ISSUER['fo1']}
    for entry in evaluated:
        if entry.fo == ISSUER['fo']:
            # FO branch: 'claims' comes from the FO-signed org statement.
            assert sorted(entry) == sorted(
                ['claims', 'contacts', 'tos_uri', 'redirect_uris', 'scope'])
            assert entry['scope'] == ['openid', 'email', 'phone']
        else:
            # FO1 branch: no 'claims' were signed on this chain.
            assert sorted(entry) == sorted(
                ['contacts', 'tos_uri', 'redirect_uris', 'scope'])
            assert entry['scope'] == ['openid', 'email', 'address']
def test_create_client_metadata_statement():
    """A ClientMetadataStatement can embed a signed MetadataStatement.

    Builds a bare MetadataStatement, signs it as a JWT with the FO's RSA
    signing key, and embeds it under the org's issuer; construction must
    succeed and yield a truthy object.
    """
    inner = MetadataStatement(signing_keys=KEYS['org']['jwks'])
    fo_rsa_key = KEYS['fo']['keyjar'].get_signing_key('rsa')
    inner_jwt = inner.to_jwt(fo_rsa_key)

    outer = ClientMetadataStatement(
        metadata_statements=Message(**{ISSUER['org']: inner_jwt}),
        contacts=['*****@*****.**'])
    assert outer
def test_pack_ms_wrong_fo():
    """A statement signed by an FO the receiver does not trust is rejected.

    FO signs the statement, but the receiver is a member of FO1 only, so
    it has no key to verify the signature: the result must be ``None``
    and the failure must be recorded against the offending JWT as a
    missing-signing-key condition (or a plain ``KeyError``).
    """
    statement = ClientMetadataStatement(
        signing_keys=KEYS['org']['jwks'],
        contacts=['*****@*****.**'])
    signed_by_fo = FOP.pack_metadata_statement(statement, alg='RS256',
                                               scope=['openid'])

    fo1_only_member = fo_member(FO1P)
    outcome = fo1_only_member.unpack_metadata_statement(jwt_ms=signed_by_fo)

    # Nothing verifiable must leak through as a result.
    assert outcome.result is None
    recorded_error = outcome.error[signed_by_fo]
    assert isinstance(recorded_error, (MissingSigningKey, KeyError))
def test_evaluate_metadata_statement_2():
    """A single FO-rooted three-level chain evaluates to one entry.

    FO signs the org, the org signs the intermediate, the intermediate
    signs the RP. The evaluated entry is attributed to the org as issuer
    and to FO as federation, and its scope is the one FO signed rather
    than the narrower scope the RP claimed.
    """
    org_statement = ClientMetadataStatement(
        signing_keys=KEYS['org']['jwks'],
        contacts=['*****@*****.**'])
    # signed by FO
    signed_org = FOP.pack_metadata_statement(
        org_statement, alg='RS256',
        scope=['openid', 'email', 'address'])

    inter_statement = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')
    # signed by org
    signed_inter = ORGOP.pack_metadata_statement(
        inter_statement, alg='RS256',
        metadata_statements=Message(**{FOP.iss: signed_org}))

    rp_statement = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'],
        scope=['openid', 'email'])
    # signed by intermediate
    signed_rp = INTEROP.pack_metadata_statement(
        rp_statement, alg='RS256',
        metadata_statements=Message(**{FOP.iss: signed_inter}))

    receiver = fo_member(FOP)
    unpacked = receiver.unpack_metadata_statement(jwt_ms=signed_rp)
    evaluated = receiver.evaluate_metadata_statement(unpacked.result)

    assert len(evaluated) == 1
    only_entry = evaluated[0]
    assert only_entry.iss == ISSUER['org']
    assert only_entry.fo == ISSUER['fo']
    assert sorted(only_entry) == sorted(
        ['contacts', 'tos_uri', 'redirect_uris', 'scope'])
    # FO-signed scope takes precedence over the RP's own scope claim.
    assert only_entry['scope'] == ['openid', 'email', 'address']
def test_pack_and_unpack_ms_lev1():
    """A two-level chain (FO -> org -> RP) packs and unpacks.

    Signing keys are exported straight from the operators' keyjars
    rather than taken from the KEYS fixture; a receiver trusting FO
    must produce a non-empty result.
    """
    # metadata statement created by the organization
    org_statement = ClientMetadataStatement(
        signing_keys=ORGOP.keyjar.export_jwks_as_json(),
        contacts=['*****@*****.**'])
    # signed by FO
    signed_org = FOP.pack_metadata_statement(org_statement, alg='RS256',
                                             scope=['openid'])

    # metadata statement created by the admin
    rp_statement = ClientMetadataStatement(
        signing_keys=ADMINOP.keyjar.export_jwks_as_json(),
        redirect_uris=['https://rp.example.com/auth_cb'])
    # signed by the org
    signed_rp = ORGOP.pack_metadata_statement(
        rp_statement, alg='RS256',
        metadata_statements=Message(**{FOP.iss: signed_org}))

    fo_receiver = fo_member(FOP)
    outcome = fo_receiver.unpack_metadata_statement(jwt_ms=signed_rp)
    assert outcome.result
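def test_pack_and_unpack_ms_lev0():
    """A statement signed directly by the FO round-trips through unpack.

    Checks the packed JWT's claim set and that an Operator holding only
    the FO's public keys (and a public-only copy of its bundle) can unpack
    what the FO packed.
    """
    # export_jwks_as_json() already returns a JSON string (it is passed
    # as-is to signing_keys elsewhere in this file); wrapping it in
    # json.dumps() again would double-encode the key set.
    cms = ClientMetadataStatement(
        signing_keys=FOP.keyjar.export_jwks_as_json(),
        contacts=['*****@*****.**'])

    _jwt = FOP.pack_metadata_statement(cms, alg='RS256', scope=['openid'])
    assert _jwt

    json_ms = unfurl(_jwt)
    assert set(json_ms.keys()) == {
        'signing_keys', 'iss', 'iat', 'exp', 'kid', 'scope', 'contacts',
        'aud'
    }

    # Unpack what you have packed, using public key material only so the
    # verification path does not depend on the signer's private keys.
    _kj = public_keys_keyjar(FOP.keyjar, '', None, FOP.iss)
    op = Operator(_kj, jwks_bundle=public_jwks_bundle(FOP.jwks_bundle))
    pr = op.unpack_metadata_statement(jwt_ms=_jwt)
    assert pr.result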