def test_is_valid(self): ae1 = create_authn_event("uid", "salt") sid = self.sdb.create_authz_session(ae1, AREQ, client_id="client_id") self.sdb[sid]["sub"] = "sub" grant = self.sdb[sid]["code"] assert self.sdb.is_valid(grant) sinfo = self.sdb.upgrade_to_token(grant, issue_refresh=True) assert not self.sdb.is_valid(grant) access_token = sinfo["access_token"] assert self.sdb.is_valid(access_token) refresh_token = sinfo["refresh_token"] sinfo = self.sdb.refresh_token(refresh_token, AREQ["client_id"]) access_token2 = sinfo["access_token"] assert self.sdb.is_valid(access_token2) # The old access code should be invalid try: self.sdb.is_valid(access_token) except KeyError: pass
def test_upgrade_to_token(self): ae1 = create_authn_event("uid", "salt") sid = self.sdb.create_authz_session(ae1, AREQ, client_id="client_id") self.sdb[sid]["sub"] = "sub" grant = self.sdb[sid]["code"] _dict = self.sdb.upgrade_to_token(grant) print(_dict.keys()) assert set(_dict.keys()) == { "authn_event", "code", "authn_req", "access_token", "token_type", "client_id", "oauth_state", "expires_in", } # can't update again with pytest.raises(AccessCodeUsed): self.sdb.upgrade_to_token(grant) self.sdb.upgrade_to_token(_dict["access_token"])
def setup_auth(self, request, redirect_uri, cinfo, cookie, acr=None, **kwargs): """ :param request: The authorization/authentication request :param redirect_uri: :param cinfo: client info :param cookie: :param acr: Default ACR, if nothing else is specified :param kwargs: :return: """ res = self.pick_authn_method(request, redirect_uri, acr, **kwargs) authn = res["method"] authn_class_ref = res["acr"] try: _auth_info = kwargs.get("authn", "") if "upm_answer" in request and request["upm_answer"] == "true": _max_age = 0 else: _max_age = max_age(request) identity, _ts = authn.authenticated_as(cookie, authorization=_auth_info, max_age=_max_age) except (NoSuchAuthentication, TamperAllert): identity = None _ts = 0 except ToOld: logger.info("Too old authentication") identity = None _ts = 0 else: if identity: try: # If identity['uid'] is in fact a base64 encoded JSON string _id = b64d(as_bytes(identity["uid"])) except BadSyntax: pass else: identity = json.loads(as_unicode(_id)) session = self.endpoint_context.sdb[identity.get("sid")] if not session or "revoked" in session: identity = None authn_args = authn_args_gather(request, authn_class_ref, cinfo, **kwargs) # To authenticate or Not if identity is None: # No! logger.info("No active authentication") logger.debug("Known clients: {}".format( list(self.endpoint_context.cdb.keys()))) if "prompt" in request and "none" in request["prompt"]: # Need to authenticate but not allowed return { "error": "login_required", "return_uri": redirect_uri, "return_type": request["response_type"], } else: return {"function": authn, "args": authn_args} else: logger.info("Active authentication") if re_authenticate(request, authn): # demand re-authentication return {"function": authn, "args": authn_args} else: # I get back a dictionary user = identity["uid"] if "req_user" in kwargs: sids = self.endpoint_context.sdb.get_sids_by_sub( kwargs["req_user"]) if (sids and user != self.endpoint_context.sdb.get_authentication_event( sids[-1]).uid): logger.debug("Wanted to be someone else!") if "prompt" in request and "none" in request["prompt"]: # Need to authenticate but not allowed return { "error": "login_required", "return_uri": redirect_uri, } else: return {"function": authn, "args": authn_args} authn_event = create_authn_event( identity["uid"], identity.get("salt", ""), authn_info=authn_class_ref, time_stamp=_ts, ) if "valid_until" in authn_event: vu = time.time() + authn.kwargs.get("expires_in", 0.0) authn_event["valid_until"] = vu return {"authn_event": authn_event, "identity": identity, "user": user}
def test_create_authz_session_with_nonce(self): ae = create_authn_event("sub", "salt") sid = self.sdb.create_authz_session(ae, AREQN, client_id='client_id') info = self.sdb[sid] authz_request = info['authn_req'] assert authz_request["nonce"] == "something"
def test_create_authz_session_without_nonce(self): ae = create_authn_event("sub", "salt") sid = self.sdb.create_authz_session(ae, AREQ, client_id='client_id') info = self.sdb[sid] assert info["oauth_state"] == "authz"
def test_valid_grant(self): ae = create_authn_event("another:user", "salt") sid = self.sdb.create_authz_session(ae, AREQ, client_id='client_id') grant = self.sdb[sid]["code"] assert self.sdb.is_valid(grant)
def setup_auth(self, request, redirect_uri, cinfo, cookie, **kwargs): """ :param endpoint_context: :param request: :param redirect_uri: :param cinfo: :param cookie: :param kwargs: :return: """ authn, authn_class_ref = self.pick_authn_method(request, redirect_uri) try: try: _auth_info = kwargs["authn"] except KeyError: _auth_info = "" if "upm_answer" in request and request["upm_answer"] == "true": _max_age = 0 else: _max_age = max_age(request) identity, _ts = authn.authenticated_as( cookie, authorization=_auth_info, max_age=_max_age) except (NoSuchAuthentication, TamperAllert): identity = None _ts = 0 except ToOld: logger.info("Too old authentication") identity = None _ts = 0 else: logger.info("No active authentication") authn_args = authn_args_gather(request, authn_class_ref, cinfo, **kwargs) # To authenticate or Not if identity is None: # No! if "prompt" in request and "none" in request["prompt"]: # Need to authenticate but not allowed return { 'error': "login_required", 'return_uri': redirect_uri, 'return_type': request["response_type"] } else: return {'function': authn, 'args': authn_args} else: if re_authenticate(request, authn): # demand re-authentication return {'function': authn, 'args': authn_args} else: # I get back a dictionary user = identity["uid"] if "req_user" in kwargs: sids = self.endpoint_context.sdb.get_sids_by_sub( kwargs["req_user"]) if sids and user != \ self.endpoint_context.sdb.get_authentication_event( sids[-1]).uid: logger.debug("Wanted to be someone else!") if "prompt" in request and "none" in request["prompt"]: # Need to authenticate but not allowed return { 'error': "login_required", 'return_uri': redirect_uri } else: return {'function': authn, 'args': authn_args} authn_event = create_authn_event(identity["uid"], identity.get('salt', ''), authn_info=authn_class_ref, time_stamp=_ts) return {"authn_event": authn_event, "identity": identity, "user": user}