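def test_multiple_fo_all_working():
    """Unpack an RP statement whose org-level superior is signed by two FOs.

    The receiver trusts both federation operators, so both FO-signed
    superior statements must verify and the unpacked result must carry one
    entry per FO issuer.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])

    # The same org statement, independently signed by each FO.  Each FO
    # may grant a different scope, which is why two statements exist.
    ms_org1 = FOP.pack_metadata_statement(cms_org,
                                          alg='RS256',
                                          scope=['openid'])
    ms_org2 = FO1P.pack_metadata_statement(cms_org,
                                           alg='RS256',
                                           scope=['openid', 'address'])

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'])

    # The org signs the RP statement and attaches both FO-signed superiors,
    # keyed by the issuer of the FO that signed each one.
    ms_rp = ORGOP.pack_metadata_statement(
        cms_rp,
        alg='RS256',
        metadata_statements=Message(**{
            FOP.iss: ms_org1,
            FO1P.iss: ms_org2
        }))

    # A receiver that trusts both FOs.
    receiver = fo_member(FOP, FO1P)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)

    statements = ri.result['metadata_statements']
    assert len(statements) == 2
    # Iterating the mapping yields its keys (the FO issuers); the values
    # were never used, so there is no need to unpack them.
    assert set(statements) == {ISSUER['fo'], ISSUER['fo1']}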
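def test_multiple_fo_one_working():
    """Unpack an RP statement carrying two FO-signed superiors when the
    receiver trusts only one of the FOs.

    Only the statement signed by the trusted FO may survive unpacking; the
    one signed by the unknown FO must be dropped, not silently accepted.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])

    # The same org statement, independently signed by each FO.
    ms_org1 = FOP.pack_metadata_statement(cms_org,
                                          alg='RS256',
                                          scope=['openid'])
    ms_org2 = FO1P.pack_metadata_statement(cms_org,
                                           alg='RS256',
                                           scope=['openid', 'address'])

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'])

    # The org signs the RP statement and attaches both superiors, keyed by
    # the issuer of the FO that signed each one.
    ms_rp = ORGOP.pack_metadata_statement(
        cms_rp,
        alg='RS256',
        metadata_statements=Message(**{
            FOP.iss: ms_org1,
            FO1P.iss: ms_org2
        }))

    # A receiver that trusts FOP only; FO1P's signing key is unknown to it.
    receiver = fo_member(FOP)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)

    statements = ri.result['metadata_statements']
    assert len(statements) == 1
    # Exactly one entry, so take the single key without building a list.
    only_key = next(iter(statements))
    assert only_key == ISSUER['fo']
    assert statements[only_key]['iss'] == ISSUER['fo']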
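def test_pack_and_unpack_ms_lev2():
    """Pack and unpack a three-deep chain: FO -> org -> intermediate -> RP.

    Each level signs the statement below it and nests the FO-signed
    superior under the FO's issuer.  A receiver trusting the FO must be
    able to walk the whole chain back to the FO's key.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])

    # Level 0: signed by the federation operator.
    ms_org = FOP.pack_metadata_statement(cms_org,
                                         alg='RS256',
                                         scope=['openid'])

    cms_inter = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')

    # Level 1: signed by the org, carrying the FO-signed superior.
    ms_inter = ORGOP.pack_metadata_statement(
        cms_inter,
        alg='RS256',
        metadata_statements=Message(**{FOP.iss: ms_org}))

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'])

    # Level 2: signed by the intermediate.  The nested statement is still
    # keyed by the FO at the root of the chain, not by its direct signer.
    ms_rp = INTEROP.pack_metadata_statement(
        cms_rp,
        alg='RS256',
        metadata_statements=Message(**{FOP.iss: ms_inter}))

    receiver = fo_member(FOP)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)

    # A bare truthiness check would also pass on an unrelated non-empty
    # result; pin that the chain actually resolved to the trusted FO.
    assert ri.result
    assert ISSUER['fo'] in ri.result['metadata_statements']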
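def test_evaluate_metadata_statement_4():
    """Evaluate an RP statement with two chains of different depth.

    One chain is four levels (FO, org, intermediate, admin); the other is
    two levels (LIGO FO signs the intermediate directly, admin below).  The
    receiver trusts both FOs, so evaluation must yield one result per FO
    and the FO-level scope must win over the RP's own, narrower scope.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])

    # Signed by FO; this is where claims and the widest scope are granted.
    ms_org = FOP.pack_metadata_statement(
        cms_org,
        alg='RS256',
        claims=['email', 'email_verified', 'phone', 'phone_verified'],
        scope=['openid', 'email', 'phone'])

    cms_inter = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')

    # Chain A: intermediate signed by the org, with the FO superior nested.
    ms_inter0 = ORGOP.pack_metadata_statement(
        cms_inter,
        alg='RS256',
        metadata_statements=Message(**{FOP.iss: ms_org}))

    # Chain B: intermediate signed directly by the LIGO FO, using an EC
    # key (ES256) rather than RSA.
    ms_inter1 = LIGOOP.pack_metadata_statement(cms_inter, alg='ES256')

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'],
        scope=['openid', 'email'])

    # Signed by the intermediate, carrying both chains keyed by their FO.
    ms_rp = INTEROP.pack_metadata_statement(
        cms_rp,
        alg='RS256',
        metadata_statements=Message(**{
            FOP.iss: ms_inter0,
            LIGOOP.iss: ms_inter1
        }))

    # Receiver trusting both FOs.
    receiver = fo_member(FOP, LIGOOP)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)

    evaluated = receiver.evaluate_metadata_statement(ri.result)
    per_fo = le_dict(evaluated)
    assert set(per_fo.keys()) == {ISSUER['fo'], ISSUER['ligo']}

    expected_keys = ['claims', 'contacts', 'redirect_uris', 'scope',
                     'tos_uri']
    # sorted() takes any iterable; no intermediate list() is needed.
    assert sorted(per_fo[ISSUER['fo']].keys()) == sorted(expected_keys)

    # The FO-granted scope, not the RP's self-declared one, is what the
    # federation member sees.
    assert per_fo[ISSUER['fo']]['scope'] == ['openid', 'email', 'phone']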
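def test_evaluate_metadata_statement_3():
    """Evaluate an RP statement with two parallel four-level chains.

    The org statement is signed by both FOs with different grants (FOP
    grants claims and phone scope; FO1P grants address scope, no claims).
    Evaluation must produce one result per FO, and each result must carry
    exactly what its own FO granted.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])

    # Signed by FO: grants claims plus an openid/email/phone scope.
    ms_org1 = FOP.pack_metadata_statement(
        cms_org,
        alg='RS256',
        claims=['email', 'email_verified', 'phone', 'phone_verified'],
        scope=['openid', 'email', 'phone'])

    # Signed by FO1: different scope, no claims.
    ms_org2 = FO1P.pack_metadata_statement(
        cms_org, alg='RS256', scope=['openid', 'email', 'address'])

    cms_inter = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')

    # One org-signed intermediate statement per FO chain, each nesting
    # only that FO's superior and keyed by that FO's issuer.
    ms_inter = {
        fo_iss: ORGOP.pack_metadata_statement(
            cms_inter, alg='RS256',
            metadata_statements=Message(**{fo_iss: fo_signed}))
        for fo_iss, fo_signed in {FOP.iss: ms_org1, FO1P.iss: ms_org2}.items()
    }

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'],
        scope=['openid', 'email'])

    # Signed by the intermediate, carrying both chains.
    ms_rp = INTEROP.pack_metadata_statement(
        cms_rp, alg='RS256', metadata_statements=Message(**ms_inter))

    # Receiver trusting both FOs.
    receiver = fo_member(FOP, FO1P)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)

    res = receiver.evaluate_metadata_statement(ri.result)
    assert len(res) == 2
    assert {r.fo for r in res} == {ISSUER['fo'], ISSUER['fo1']}
    for r in res:
        if r.fo == ISSUER['fo']:
            # FOP's chain: claims present, phone scope.
            assert sorted(r.keys()) == sorted(
                ['claims', 'contacts', 'tos_uri', 'redirect_uris', 'scope'])
            assert r['scope'] == ['openid', 'email', 'phone']
        else:
            # FO1P's chain: no claims, address scope.
            assert sorted(r.keys()) == sorted(
                ['contacts', 'tos_uri', 'redirect_uris', 'scope'])
            assert r['scope'] == ['openid', 'email', 'address']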
def test_create_client_metadata_statement():
    """Construct a ClientMetadataStatement that embeds a signed statement.

    This only exercises construction: the nested JWT is signed with the
    FO's RSA key but is never verified here, so no trust decision is made
    by this test.
    """
    inner = MetadataStatement(signing_keys=KEYS['org']['jwks'])
    fo_rsa_key = KEYS['fo']['keyjar'].get_signing_key('rsa')
    inner_jwt = inner.to_jwt(fo_rsa_key)

    nested = Message(**{ISSUER['org']: inner_jwt})
    client_ms = ClientMetadataStatement(metadata_statements=nested,
                                        contacts=['*****@*****.**'])

    assert client_ms
def test_pack_ms_wrong_fo():
    """A statement signed by an FO the member does not trust is rejected.

    The member only knows FO1P's keys, so a JWT signed by FOP must yield
    no result and an error recorded against that JWT.  Either a
    MissingSigningKey or a KeyError is accepted as the failure signal.
    """
    org_statement = ClientMetadataStatement(
        signing_keys=KEYS['org']['jwks'],
        contacts=['*****@*****.**'])

    # Signed by FOP, which the member below has no key for.
    signed = FOP.pack_metadata_statement(org_statement, alg='RS256',
                                         scope=['openid'])

    member = fo_member(FO1P)
    outcome = member.unpack_metadata_statement(jwt_ms=signed)

    # Rejection, not a partial result.
    assert outcome.result is None
    failure = outcome.error[signed]
    assert isinstance(failure, (MissingSigningKey, KeyError))
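def test_evaluate_metadata_statement_2():
    """Evaluate a single four-level chain (FO, org, intermediate, admin).

    The receiver trusts the FO only.  The evaluated result must be
    attributed to the org as issuer and the FO as trust root, and the
    FO-granted scope must override the narrower scope the RP declared.
    """
    cms_org = ClientMetadataStatement(signing_keys=KEYS['org']['jwks'],
                                      contacts=['*****@*****.**'])

    # Signed by FO; grants the widest scope in the chain.
    ms_org = FOP.pack_metadata_statement(cms_org,
                                         alg='RS256',
                                         scope=['openid', 'email', 'address'])

    cms_inter = ClientMetadataStatement(
        signing_keys=KEYS['inter']['jwks'],
        tos_uri='https://inter.example.com/tos.html')

    # Signed by the org, nesting the FO superior.
    ms_inter = ORGOP.pack_metadata_statement(
        cms_inter,
        alg='RS256',
        metadata_statements=Message(**{FOP.iss: ms_org}))

    cms_rp = ClientMetadataStatement(
        signing_keys=KEYS['admin']['jwks'],
        redirect_uris=['https://rp.example.com/auth_cb'],
        scope=['openid', 'email'])

    # Signed by the intermediate; still keyed by the FO at the root.
    ms_rp = INTEROP.pack_metadata_statement(
        cms_rp,
        alg='RS256',
        metadata_statements=Message(**{FOP.iss: ms_inter}))

    receiver = fo_member(FOP)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)

    res = receiver.evaluate_metadata_statement(ri.result)
    assert len(res) == 1
    evaluated = res[0]
    assert evaluated.iss == ISSUER['org']
    assert evaluated.fo == ISSUER['fo']
    # sorted() takes any iterable; no intermediate list() is needed.
    assert sorted(evaluated.keys()) == sorted(
        ['contacts', 'tos_uri', 'redirect_uris', 'scope'])

    # FO-granted scope wins over the RP's self-declared one.
    assert evaluated['scope'] == ['openid', 'email', 'address']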
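def test_pack_and_unpack_ms_lev1():
    """Pack and unpack a two-level chain: FO signs the org, org signs the RP.

    Here the signing keys are taken straight from the operators' own
    keyjars (as JSON) rather than from the KEYS fixture.
    """
    # Statement created by the organization, advertising the org's keys.
    cms_org = ClientMetadataStatement(
        signing_keys=ORGOP.keyjar.export_jwks_as_json(),
        contacts=['*****@*****.**'])

    # Level 0: signed by the federation operator.
    ms_org = FOP.pack_metadata_statement(cms_org,
                                         alg='RS256',
                                         scope=['openid'])

    # Statement created by the RP admin, advertising the admin's keys.
    cms_rp = ClientMetadataStatement(
        signing_keys=ADMINOP.keyjar.export_jwks_as_json(),
        redirect_uris=['https://rp.example.com/auth_cb'])

    # Level 1: signed by the org, nesting the FO-signed superior.
    ms_rp = ORGOP.pack_metadata_statement(
        cms_rp, alg='RS256', metadata_statements=Message(**{FOP.iss: ms_org}))

    receiver = fo_member(FOP)
    ri = receiver.unpack_metadata_statement(jwt_ms=ms_rp)

    # A bare truthiness check would also pass on an unrelated non-empty
    # result; pin that the chain actually resolved to the trusted FO.
    assert ri.result
    assert ISSUER['fo'] in ri.result['metadata_statements']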
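def test_pack_and_unpack_ms_lev0():
    """Pack a level-0 statement signed by the FO and unpack it again.

    Checks the set of top-level claims in the signed JWT and that an
    Operator holding only the FO's public keys can unpack it.
    """
    # export_jwks_as_json() is passed directly elsewhere in this file
    # (test_pack_and_unpack_ms_lev1); wrapping it in json.dumps() again
    # would JSON-encode an already-serialized JWKS string a second time,
    # so the statement would carry a quoted blob rather than a key set.
    cms = ClientMetadataStatement(
        signing_keys=FOP.keyjar.export_jwks_as_json(),
        contacts=['*****@*****.**'])

    # Signed by the FO with an explicit algorithm.
    signed = FOP.pack_metadata_statement(cms, alg='RS256', scope=['openid'])

    assert signed
    payload = unfurl(signed)
    # Registration claims plus the JWT envelope claims the packer adds.
    expected_claims = {
        'signing_keys', 'iss', 'iat', 'exp', 'kid', 'scope', 'contacts', 'aud'
    }
    assert set(payload.keys()) == expected_claims

    # Unpack with an Operator that holds only the FO's public keys, so
    # verification cannot lean on any private material.
    public_kj = public_keys_keyjar(FOP.keyjar, '', None, FOP.iss)
    verifier = Operator(public_kj,
                        jwks_bundle=public_jwks_bundle(FOP.jwks_bundle))
    outcome = verifier.unpack_metadata_statement(jwt_ms=signed)

    assert outcome.result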