def create_provider(self):
sunet_op = 'https://www.sunet.se/op'
_kj = build_keyjar(KEYDEFS)[1]
fed_ent = FederationEntity(None,
keyjar=_kj,
iss=sunet_op,
signer=signer[OA['sunet']],
fo_bundle=keybundle)
self.op = Provider(sunet_op,
SessionDB(sunet_op), {},
AUTHN_BROKER,
USERINFO,
AUTHZ,
client_authn=verify_client,
symkey=SYMKEY,
federation_entity=fed_ent)
self.op.baseurl = self.op.name
self.op.signer = signer[OA['sunet']]
def test_parse_pi():
# Sunet OP
sunet_op = 'https://sunet.se/op'
# _kj = build_keyjar(KEYDEFS)[1]
_kj = signer[EO['sunet.op']].signing_service.signing_keys
op_fed_ent = FederationEntity(None,
keyjar=_kj,
iss=sunet_op,
signer=signer['https://sunet.se'],
fo_bundle=fo_keybundle)
op = Provider(sunet_op,
None, {},
None, {},
None,
client_authn=None,
symkey=SYMKEY,
federation_entity=op_fed_ent,
response_metadata_statements=signer[
EO['sunet.op']].metadata_statements['response'])
op.baseurl = op.name
op.signer = signer[EO['sunet.op']]
# UNINETT RP
_kj = signer[EO['foodle.rp']].signing_service.signing_keys
rp_fed_ent = FederationEntity(None,
keyjar=_kj,
iss=EO['foodle.rp'],
signer=signer['https://uninett.no'],
fo_bundle=fo_keybundle)
rp = Client(federation_entity=rp_fed_ent, fo_priority=list(FO.values()))
pi = op.create_fed_providerinfo()
assert pi
rp.parse_federation_provider_info(pi, sunet_op)
assert len(rp.provider_federations) == 2
assert set([r.fo for r in rp.provider_federations
]) == {'https://swamid.sunet.se', 'https://www.feide.no'}
# Got two alternative FOs, one I can use the other not
req = rp.federated_client_registration_request(
redirect_uris='https://foodle.uninett.no/authz',
scope=['openid', 'email', 'phone'])
assert req
resp = op.registration_endpoint(req.to_dict())
assert isinstance(resp, Created)
rp.parse_federation_registration(json.loads(resp.message), '')
assert rp.federation == FO['feide']
assert rp.registration_response
AUTHN_BROKER = AuthnBroker()
AUTHN_BROKER.add("UNDEFINED", DummyAuthn(None, "username"))
# dealing with authorization
AUTHZ = AuthzHandling()
SYMKEY = rndstr(16) # symmetric key used to encrypt cookie info
USERINFO = {}
# ------------------------------------------------------------
op = Provider(sunet_op,
SessionDB(sunet_op), {},
AUTHN_BROKER,
USERINFO,
AUTHZ,
client_authn=verify_client,
symkey=SYMKEY,
federation_entity=fed_ent)
fedpi = op.create_fed_providerinfo()
data = urlencode({
'iss':
FO['oidf'],
'ms':
fedpi['metadata_statements'][FO['oidf']],
'jwks':
json.dumps(keybundle[FO['oidf']].export_jwks(issuer=FO['oidf']))
})
r = requests.get('https://localhost:8080/verify?{}'.format(data), verify=False)
class TestProvider(object):
@pytest.fixture(autouse=True)
def create_provider(self):
sunet_op = 'https://www.sunet.se/op'
_kj = build_keyjar(KEYDEFS)[1]
fed_ent = FederationEntity(None,
keyjar=_kj,
iss=sunet_op,
signer=signer[OA['sunet']],
fo_bundle=keybundle)
_sdb = create_session_db(sunet_op, 'hemlighet', 'ordet', {})
self.op = Provider(sunet_op,
_sdb, {},
AUTHN_BROKER,
USERINFO,
AUTHZ,
client_authn=verify_client,
symkey=SYMKEY,
federation_entity=fed_ent)
self.op.baseurl = self.op.name
self.op.signer = signer[OA['sunet']]
def test_create_metadata_statement_request(self):
_fe = self.op.federation_entity
statement = self.op.create_providerinfo()
req = _fe.add_signing_keys(statement)
assert 'signing_keys' in req
def test_use_signing_service(self):
_fe = self.op.federation_entity
statement = self.op.create_providerinfo()
req = _fe.add_signing_keys(statement)
sjwt = _fe.signer.create_signed_metadata_statement(
req,
'discovery',
fos=_fe.signer.metadata_statements.keys(),
single=True)
assert sjwt
# should be a signed JWT
_js = jws.factory(sjwt)
assert _js
assert _js.jwt.headers['alg'] == 'RS256'
_req = json.loads(as_unicode(_js.jwt.part[1]))
assert _req['iss'] == OA['sunet']
def test_create_fed_provider_info(self):
fedpi = self.op.create_fed_providerinfo()
assert 'signing_keys' not in fedpi
assert len(fedpi['metadata_statements']) == 1
_js = jws.factory(fedpi['metadata_statements'][FO['swamid']])
assert _js
assert _js.jwt.headers['alg'] == 'RS256'
_body = json.loads(as_unicode(_js.jwt.part[1]))
assert _body[
'iss'] == self.op.federation_entity.signer.signing_service.iss
def test_provider_endpoint(self):
pi_resp = self.op.providerinfo_endpoint()
assert isinstance(pi_resp, Response)
assert pi_resp.status == "200 OK"
_info = json.loads(pi_resp.message)
assert list(_info['metadata_statements'].keys()) == [FO['swamid']]
_js = jws.factory(_info['metadata_statements'][FO['swamid']])
assert _js
assert _js.jwt.headers['alg'] == 'RS256'
_body = json.loads(as_unicode(_js.jwt.part[1]))
assert _body[
'iss'] == self.op.federation_entity.signer.signing_service.iss
def test_registration_endpoint_no_fed(self):
request = {'redirect_uris': ['https://example.com/rp']}
resp = self.op.registration_endpoint(json.dumps(request))
assert isinstance(resp, Created)
assert resp.status == "201 Created"
clresp = json.loads(resp.message)
assert 'metadata_statements' not in clresp
def test_registration_endpoint_fed(self):
request = ClientMetadataStatement(
redirect_uris=['https://example.com/rp'])
rp = Operator(keyjar=keybundle[FO['swamid']], iss=FO['swamid'])
sms = rp.pack_metadata_statement(request, alg='RS256')
request = rp.extend_with_ms(request, {FO['swamid']: sms})
resp = self.op.registration_endpoint(request.to_dict())
assert isinstance(resp, Created)
assert resp.status == "201 Created"
clresp = json.loads(resp.message)
assert list(clresp['metadata_statements'].keys()) == [FO['swamid']]