def authorization(environ, start_response, session_info, events, jlog, **kwargs): events.store(EV_REQUEST, Operation("Authorization")) _op = session_info["op"] logger.info('OP keys:{}'.format(key_summary(_op.keyjar, ''))) return wsgi_wrapper(environ, start_response, _op.authorization_endpoint, session_info, events, jlog)
def _add_key(self, keyjar, issuer, key, key_type='', kid='', no_kid_issuer=None): if issuer not in keyjar: logger.error('Issuer "{}" not in keyjar'.format(issuer)) return logger.debug('Key set summary for {}: {}'.format( issuer, key_summary(keyjar, issuer))) if kid: _key = keyjar.get_key_by_kid(kid, issuer) if _key and _key not in key: key.append(_key) return else: try: kl = keyjar.get_verify_key(owner=issuer, key_type=key_type) except KeyError: pass else: if len(kl) == 1: if kl[0] not in key: key.append(kl[0]) elif no_kid_issuer: try: allowed_kids = no_kid_issuer[issuer] except KeyError: return else: if allowed_kids: key.extend([k for k in kl if k.kid in allowed_kids]) else: key.extend(kl)
def op_info(environ, start_response, session_info, events, jlog, **kwargs): _ev = Operation("ProviderConfiguration", path=environ["PATH_INFO"]) try: _ev.query = environ["QUERY_STRING"] except KeyError: pass events.store(EV_REQUEST, _ev) _op = session_info["op"] logger.info('OP keys:{}'.format(key_summary(_op.keyjar, ''))) return wsgi_wrapper(environ, start_response, _op.providerinfo_endpoint, session_info, events, jlog)
def get(self, oper_id, test_id, events, endpoint): # addr = get_client_address(environ) key = path = '{}/{}'.format(oper_id, test_id) try: _op = self.op[key] _op.events = events if endpoint == '.well-known/openid-configuration': if test_id == 'rp-key-rotation-op-sign-key-native': pass elif test_id == 'rp-id_token-kid-absent-multiple-jwks': setattr(_op, 'keys', self.op_args['marg']['keys']) _op_args = { 'baseurl': self.op_args['baseurl'], 'jwks': self.op_args['marg']['jwks'] } write_jwks_uri(_op, _op_args, self.folder) else: init_keyjar(_op, self.op_args['keyjar'], self.com_args) _kj = _op.keyjar.export_jwks(True, '') _op.keyjar.import_jwks(_kj, _op.name) write_jwks_uri(_op, self.op_args, self.folder) except KeyError: if test_id in ['rp-id_token-kid-absent-multiple-jwks']: _op_args = {} for param in [ 'baseurl', 'cookie_name', 'cookie_ttl', 'endpoints' ]: _op_args[param] = self.op_args[param] for param in ["jwks", "keys"]: _op_args[param] = self.op_args["marg"][param] _op = self.setup_op(oper_id, test_id, self.com_args, _op_args, self.test_conf, events) else: _op = self.setup_op(oper_id, test_id, self.com_args, self.op_args, self.test_conf, events) if test_id.startswith('rp-init-logout-session'): _csi = self.check_session_iframe.replace( '<PATH>', '{}/{}'.format(oper_id, test_id)) _op.capabilities['check_session_iframe'] = _csi elif test_id.startswith('rp-backchannel-'): _op.capabilities['backchannel_logout_supported'] = True _op.capabilities[ 'backchannel_logout_session_supported'] = True elif test_id.startswith('rp-frontchannel-'): _op.capabilities['frontchannel_logout_supported'] = True _op.capabilities[ 'frontchannel_logout_session_supported'] = True _op.conv = Conversation(test_id, _op, None) _op.orig_keys = key_summary(_op.keyjar, '').split(', ') self.op[key] = _op return _op, path, key
def _add_key(self, keyjar, issuer, key, key_type=""): try: logger.debug("Key set summary for {}: {}".format(issuer, key_summary(keyjar, issuer))) except KeyError: logger.error('Issuer "{}" not in keyjar'.format(issuer)) try: kl = keyjar.get_verify_key(owner=issuer, key_type=key_type) except KeyError: pass else: for k in kl: if k not in key: key.append(k)
def _add_key(self, keyjar, issuer, key, key_type=''): try: logger.debug('Key set summary for {}: {}'.format( issuer, key_summary(keyjar, issuer))) except KeyError: logger.error('Issuer "{}" not in keyjar'.format(issuer)) try: kl = keyjar.get_verify_key(owner=issuer, key_type=key_type) except KeyError: pass else: for k in kl: if k not in key: key.append(k)
def get(self, oper_id, test_id, events, endpoint): # addr = get_client_address(environ) key = path = '{}/{}'.format(oper_id, test_id) try: _op = self.op[key] _op.events = events if endpoint == '.well-known/openid-configuration': init_keyjar(_op, self.op_args['keyjar'], self.com_args) write_jwks_uri(_op, self.op_args, self.folder) except KeyError: _op = self.setup_op(oper_id, test_id, self.com_args, self.op_args, self.test_conf, events) _op.conv = Conversation(test_id, _op, None) _op.orig_keys = key_summary(_op.keyjar, '').split(', ') self.op[key] = _op return _op, path, key
def get(self, oper_id, test_id, events, endpoint): # addr = get_client_address(environ) key = path = '{}/{}'.format(oper_id, test_id) try: _op = self.op[key] _op.events = events if endpoint == '.well-known/openid-configuration': if test_id == 'rp-key-rotation-op-sign-key-native': pass elif test_id == 'rp-id_token-kid-absent-multiple-jwks': setattr(_op, 'keys', self.op_args['marg']['keys']) _op_args = { 'baseurl': self.op_args['baseurl'], 'jwks': self.op_args['marg']['jwks'] } write_jwks_uri(_op, _op_args, self.folder) else: init_keyjar(_op, self.op_args['keyjar'], self.com_args) write_jwks_uri(_op, self.op_args, self.folder) except KeyError: if test_id in ['rp-id_token-kid-absent-multiple-jwks']: _op_args = {} for param in [ 'baseurl', 'cookie_name', 'cookie_ttl', 'endpoints' ]: _op_args[param] = self.op_args[param] for param in ["jwks", "keys"]: _op_args[param] = self.op_args["marg"][param] _op = self.setup_op(oper_id, test_id, self.com_args, _op_args, self.test_conf, events) else: _op = self.setup_op(oper_id, test_id, self.com_args, self.op_args, self.test_conf, events) _op.conv = Conversation(test_id, _op, None) _op.orig_keys = key_summary(_op.keyjar, '').split(', ') self.op[key] = _op return _op, path, key
def op_setup(self, environ, mode, events, test_conf, endpoint): addr = get_client_address(environ) path = '/'.join([mode['oper_id'], mode['test_id']]) key = "{}:{}".format(addr, path) # LOGGER.debug("OP key: {}".format(key)) try: _op = self.op[key] _op.events = events if endpoint == '.well-known/openid-configuration': if mode["test_id"] == 'rp-id_token-kid-absent-multiple-jwks': setattr(_op, 'keys', self.op_args['marg']['keys']) _op_args = { 'baseurl': self.op_args['baseurl'], 'jwks': self.op_args['marg']['jwks'] } write_jwks_uri(_op, _op_args) else: init_keyjar(_op, self.op_args['keyjar'], self.com_args) write_jwks_uri(_op, self.op_args) except KeyError: if mode["test_id"] in ['rp-id_token-kid-absent-multiple-jwks']: _op_args = {} for param in ['baseurl', 'cookie_name', 'cookie_ttl', 'endpoints']: _op_args[param] = self.op_args[param] for param in ["jwks", "keys"]: _op_args[param] = self.op_args["marg"][param] _op = setup_op(mode, self.com_args, _op_args, self.test_conf, events) else: _op = setup_op(mode, self.com_args, self.op_args, self.test_conf, events) _op.conv = Conversation(mode["test_id"], _op, None) _op.orig_keys = key_summary(_op.keyjar, '').split(', ') self.op[key] = _op return _op, path, key
def get(self, oper_id, test_id, events, endpoint): # addr = get_client_address(environ) key = path = '{}/{}'.format(oper_id, test_id) try: _op = self.op[key] _op.events = events if endpoint == '.well-known/openid-configuration': if test_id == 'rp-key-rotation-op-sign-key-native': pass elif test_id == 'rp-id_token-kid-absent-multiple-jwks': setattr(_op, 'keys', self.op_args['marg']['keys']) _op_args = { 'baseurl': self.op_args['baseurl'], 'jwks': self.op_args['marg']['jwks'] } write_jwks_uri(_op, _op_args, self.folder) else: init_keyjar(_op, self.op_args['keyjar'], self.com_args) write_jwks_uri(_op, self.op_args, self.folder) except KeyError: if test_id in ['rp-id_token-kid-absent-multiple-jwks']: _op_args = {} for param in ['baseurl', 'cookie_name', 'cookie_ttl', 'endpoints']: _op_args[param] = self.op_args[param] for param in ["jwks", "keys"]: _op_args[param] = self.op_args["marg"][param] _op = self.setup_op(oper_id, test_id, self.com_args, _op_args, self.test_conf, events) else: _op = self.setup_op(oper_id, test_id, self.com_args, self.op_args, self.test_conf, events) _op.conv = Conversation(test_id, _op, None) _op.orig_keys = key_summary(_op.keyjar, '').split(', ') self.op[key] = _op return _op, path, key
def authorization_endpoint(self, request="", cookie=None, **kwargs): if isinstance(request, dict): _req = request else: _req = {} for key, val in parse_qs(request).items(): if len(val) == 1: _req[key] = val[0] else: _req[key] = val # self.events.store(EV_REQUEST, _req) try: _scope = _req["scope"] except KeyError: return error( error="incorrect_behavior", descr="No scope parameter" ) else: # verify that openid is among the scopes _scopes = _scope.split(" ") if "openid" not in _scopes: return error( error="incorrect_behavior", descr="Scope does not contain 'openid'" ) client_id = _req["client_id"] try: f = response_type_cmp(self.capabilities['response_types_supported'], _req['response_type']) except KeyError: pass else: if f is False: self.events.store( EV_FAULT, 'Wrong response type: {}'.format(_req['response_type'])) return error_response(error="incorrect_behavior", descr="Not supported response_type") _rtypes = _req['response_type'].split(' ') if 'id_token' in _rtypes: try: self._update_client_keys(client_id) except TestError: return error(error="incorrect_behavior", descr="No change in client keys") if isinstance(request, dict): request = urlencode(request) _response = provider.Provider.authorization_endpoint(self, request, cookie, **kwargs) if "rotenc" in self.behavior_type: # Rollover encryption keys rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()), use="enc").load_key(RSA.generate(2048)) ec_key = ECKey(kid="rotated_ec_{}".format(time.time()), use="enc").load_key(P256) keys = [rsa_key.serialize(private=True), ec_key.serialize(private=True)] new_keys = {"keys": keys} self.events.store("New encryption keys", new_keys) self.do_key_rollover(new_keys, "%d") self.events.store("Rotated encryption keys", '') logger.info( 'Rotated OP enc keys, new set: {}'.format( key_summary(self.keyjar, ''))) # This is just for logging purposes try: _resp = self.server.http_request(_req["request_uri"]) except KeyError: pass except requests.ConnectionError as err: self.events.store(EV_EXCEPTION, err) err = unwrap_exception(err) return error_response(error="server_error", descr=err) else: if _resp.status_code == 200: self.events.store(EV_REQUEST, "Request from request_uri: {}".format( _resp.text)) return _response
def authorization_endpoint(self, request="", cookie=None, **kwargs): if isinstance(request, dict): _req = request else: _req = {} for key, val in parse_qs(request).items(): if len(val) == 1: _req[key] = val[0] else: _req[key] = val # self.events.store(EV_REQUEST, _req) try: _scope = _req["scope"] except KeyError: return error_response( error="incorrect_behavior", descr="No scope parameter" ) else: # verify that openid is among the scopes _scopes = _scope.split(" ") if "openid" not in _scopes: return error_response( error="incorrect_behavior", descr="Scope does not contain 'openid'" ) client_id = _req["client_id"] try: f = response_type_cmp(self.capabilities['response_types_supported'], _req['response_type']) except KeyError: pass else: if f is False: self.events.store( EV_FAULT, 'Wrong response type: {}'.format(_req['response_type'])) return error_response(error="incorrect_behavior", descr="Not supported response_type") _rtypes = _req['response_type'].split(' ') if 'id_token' in _rtypes: try: self._update_client_keys(client_id) except TestError: return error_response(error="incorrect_behavior", descr="No change in client keys") if isinstance(request, dict): request = urlencode(request) if "max_age" in _req and _req["max_age"] == "0" and "prompt" in _req and _req["prompt"] == "none": aresp = { "error": "login_required", } if "state" in _req: aresp['state'] = _req["state"] return self.response_mode(_req, False, aresp=aresp, redirect_uri=_req['redirect_uri'], headers={}) else: _response = provider.Provider.authorization_endpoint(self, request, cookie, **kwargs) if "rotenc" in self.behavior_type: # Rollover encryption keys rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()), use="enc").load_key(RSA.generate(2048)) ec_key = ECKey(kid="rotated_ec_{}".format(time.time()), use="enc").load_key(P256) keys = [rsa_key.serialize(private=True), ec_key.serialize(private=True)] new_keys = {"keys": keys} self.events.store("New encryption keys", new_keys) self.do_key_rollover(new_keys, "%d") self.events.store("Rotated encryption keys", '') logger.info( 'Rotated OP enc keys, new set: {}'.format( key_summary(self.keyjar, ''))) # This is just for logging purposes try: _resp = self.server.http_request(_req["request_uri"]) except KeyError: pass except requests.ConnectionError as err: self.events.store(EV_EXCEPTION, err) err = unwrap_exception(err) return error_response(error="server_error", descr=err) else: if _resp.status_code == 200: self.events.store(EV_REQUEST, "Request from request_uri: {}".format( _resp.text)) return _response
def authorization_endpoint(self, request="", cookie=None, **kwargs): _req = parse_qs(request) #self.events.store(EV_REQUEST, _req) try: _scope = _req["scope"] except KeyError: return self._error( error="incorrect_behavior", descr="No scope parameter" ) else: # verify that openid is among the scopes _scopes = _scope[0].split(" ") if "openid" not in _scopes: return self._error( error="incorrect_behavior", descr="Scope does not contain 'openid'" ) client_id = _req["client_id"][0] try: f = response_type_cmp(kwargs['test_cnf']['response_type'], _req['response_type']) except KeyError: pass else: if f is False: self.events.store( EV_FAULT, 'Wrong response type: {}'.format(_req['response_type'])) return self._error_response(error="incorrect_behavior", descr="Wrong response_type") _rtypes = [] for rt in _req['response_type']: _rtypes.extend(rt.split(' ')) if 'id_token' in _rtypes: try: self._update_client_keys(client_id) except TestError: return self._error(error="incorrect_behavior", descr="No change in client keys") _response = provider.Provider.authorization_endpoint(self, request, cookie, **kwargs) if "rotenc" in self.behavior_type: # Rollover encryption keys rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()), use="enc").load_key(RSA.generate(2048)) ec_key = ECKey(kid="rotated_ec_{}".format(time.time()), use="enc").load_key(P256) keys = [rsa_key.serialize(private=True), ec_key.serialize(private=True)] new_keys = {"keys": keys} self.events.store("New encryption keys", new_keys) self.do_key_rollover(new_keys, "%d") self.events.store("Rotated encryption keys", '') logger.info( 'Rotated OP enc keys, new set: {}'.format( key_summary(self.keyjar, ''))) # This is just for logging purposes try: _resp = self.server.http_request(_req["request_uri"][0]) except KeyError: pass else: if _resp.status_code == 200: self.events.store(EV_REQUEST, "Request from request_uri: {}".format(_resp.text)) return _response
def authorization_endpoint(self, request="", cookie=None, **kwargs): _req = parse_qs(request) #self.events.store(EV_REQUEST, _req) try: _scope = _req["scope"] except KeyError: return self._error(error="incorrect_behavior", descr="No scope parameter") else: # verify that openid is among the scopes _scopes = _scope[0].split(" ") if "openid" not in _scopes: return self._error(error="incorrect_behavior", descr="Scope does not contain 'openid'") client_id = _req["client_id"][0] try: f = response_type_cmp(kwargs['test_cnf']['response_type'], _req['response_type']) except KeyError: pass else: if f is False: self.events.store( EV_FAULT, 'Wrong response type: {}'.format(_req['response_type'])) return self._error_response(error="incorrect_behavior", descr="Wrong response_type") _rtypes = [] for rt in _req['response_type']: _rtypes.extend(rt.split(' ')) if 'id_token' in _rtypes: try: self._update_client_keys(client_id) except TestError: return self._error(error="incorrect_behavior", descr="No change in client keys") _response = provider.Provider.authorization_endpoint( self, request, cookie, **kwargs) if "rotenc" in self.behavior_type: # Rollover encryption keys rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()), use="enc").load_key(RSA.generate(2048)) ec_key = ECKey(kid="rotated_ec_{}".format(time.time()), use="enc").load_key(P256) keys = [ rsa_key.serialize(private=True), ec_key.serialize(private=True) ] new_keys = {"keys": keys} self.events.store("New encryption keys", new_keys) self.do_key_rollover(new_keys, "%d") self.events.store("Rotated encryption keys", '') logger.info('Rotated OP enc keys, new set: {}'.format( key_summary(self.keyjar, ''))) # This is just for logging purposes try: _resp = self.server.http_request(_req["request_uri"][0]) except KeyError: pass else: if _resp.status_code == 200: self.events.store( EV_REQUEST, "Request from request_uri: {}".format(_resp.text)) return _response