예제 #1
0
    def test_do_2nd_refresh_access_token(self):
        areq = AUTH_REQ.copy()
        areq["scope"] = ["openid", "offline_access"]
        _cntx = self.token_endpoint.endpoint_context
        session_id = setup_session(
            _cntx, areq, uid="user", acr=INTERNETPROTOCOLPASSWORD
        )
        _cntx.sdb.update(session_id, user="******")
        _token_request = TOKEN_REQ_DICT.copy()
        _token_request["code"] = _cntx.sdb[session_id]["code"]
        _req = self.token_endpoint.parse_request(_token_request)
        _resp = self.token_endpoint.process_request(request=_req)

        _request = REFRESH_TOKEN_REQ.copy()
        _request["refresh_token"] = _resp["response_args"]["refresh_token"]
        _req = self.refresh_token_endpoint.parse_request(_request.to_json())
        _resp = self.refresh_token_endpoint.process_request(request=_req)

        _request = REFRESH_TOKEN_REQ.copy()
        _request["refresh_token"] = _resp["response_args"]["refresh_token"]
        _req = self.refresh_token_endpoint.parse_request(_request.to_json())
        _resp = self.refresh_token_endpoint.process_request(request=_req)

        assert set(_resp.keys()) == {"response_args", "http_headers"}
        assert set(_resp["response_args"].keys()) == {
            "access_token",
            "token_type",
            "expires_in",
            "refresh_token",
            "id_token",
        }
        msg = self.refresh_token_endpoint.do_response(request=_req, **_resp)
        assert isinstance(msg, dict)
    def test_process_request_using_private_key_jwt(self):
        session_id = setup_session(
            self.endpoint.endpoint_context,
            AUTH_REQ,
            uid="user",
            acr=INTERNETPROTOCOLPASSWORD,
        )
        _token_request = TOKEN_REQ_DICT.copy()
        del _token_request["client_id"]
        del _token_request["client_secret"]
        _context = self.endpoint.endpoint_context

        _jwt = JWT(CLIENT_KEYJAR, iss=AUTH_REQ["client_id"], sign_alg="RS256")
        _jwt.with_jti = True
        _assertion = _jwt.pack({"aud": [_context.endpoint["token"].full_path]})
        _token_request.update({
            "client_assertion": _assertion,
            "client_assertion_type": JWT_BEARER
        })
        _token_request["code"] = self.endpoint.endpoint_context.sdb[
            session_id]["code"]

        _context.sdb.update(session_id, user="******")
        _req = self.endpoint.parse_request(_token_request)
        _resp = self.endpoint.process_request(request=_req)

        # 2nd time used
        with pytest.raises(UnAuthorizedClient):
            self.endpoint.parse_request(_token_request)
예제 #3
0
 def test_parse_no_authn(self):
     _ = setup_session(self.introspection_endpoint.endpoint_context,
                       AUTH_REQ,
                       uid="diana")
     _token = self._create_jwt("diana")
     with pytest.raises(UnknownOrNoAuthnMethod):
         self.introspection_endpoint.parse_request({"token": _token})
예제 #4
0
 def test_do_response(self):
     _context = self.introspection_endpoint.endpoint_context
     _ = setup_session(_context, AUTH_REQ, uid="diana")
     _token = self._create_jwt("diana", lifetime=6000, with_jti=True)
     _req = self.introspection_endpoint.parse_request({
         "token":
         _token,
         "client_id":
         "client_1",
         "client_secret":
         _context.cdb["client_1"]["client_secret"],
     })
     _resp = self.introspection_endpoint.process_request(_req)
     msg_info = self.introspection_endpoint.do_response(request=_req,
                                                        **_resp)
     assert isinstance(msg_info, dict)
     assert set(msg_info.keys()) == {"response", "http_headers"}
     assert msg_info["http_headers"] == [
         ("Content-type", "application/json"),
         ("Pragma", "no-cache"),
         ("Cache-Control", "no-store"),
     ]
     _payload = json.loads(msg_info["response"])
     assert set(_payload.keys()) == {
         "sub",
         "username",
         "exp",
         "iat",
         "aud",
         "active",
         "iss",
         "jti",
     }
     assert _payload["active"] == True
예제 #5
0
 def test_custom_scope(self):
     _auth_req = AUTH_REQ.copy()
     _auth_req["scope"] = ["openid", "research_and_scholarship"]
     session_id = setup_session(
         self.endpoint.endpoint_context,
         _auth_req,
         uid="userID",
         authn_event={
             "authn_info": "loa1",
             "uid": "diana",
             "authn_time": utc_time_sans_frac(),
             "valid_until": utc_time_sans_frac() + 3600,
         },
     )
     _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
         key=session_id)
     _req = self.endpoint.parse_request({},
                                        auth="Bearer {}".format(
                                            _dic["access_token"]))
     args = self.endpoint.process_request(_req)
     assert set(args["response_args"].keys()) == {
         "sub",
         "name",
         "given_name",
         "family_name",
         "email",
         "email_verified",
         "eduperson_scoped_affiliation",
     }
예제 #6
0
    def test_access_token(self):
        _context = self.introspection_endpoint.endpoint_context

        session_id = setup_session(
            _context,
            AUTH_REQ,
            uid="user",
            acr=INTERNETPROTOCOLPASSWORD,
        )
        _token_request = TOKEN_REQ_DICT.copy()
        _token_request["code"] = _context.sdb[session_id]["code"]
        _context.sdb.update(session_id, user="******")

        _req = self.token_endpoint.parse_request(_token_request)
        _resp = self.token_endpoint.process_request(request=_req)

        _req = self.introspection_endpoint.parse_request({
            "token":
            _resp["response_args"]["access_token"],
            "client_id":
            "client_1",
            "client_secret":
            _context.cdb["client_1"]["client_secret"],
        })
        _resp = self.introspection_endpoint.process_request(_req)
        _resp_args = _resp["response_args"]
        assert "sub" in _resp_args
        assert _resp_args["active"]
        assert _resp_args["scope"] == "openid"
    def test_parse(self):
        session_id = setup_session(self.endpoint.endpoint_context, AUTH_REQ, uid="user")
        _token_request = TOKEN_REQ_DICT.copy()
        _token_request["code"] = self.endpoint.endpoint_context.sdb[session_id]["code"]
        _req = self.endpoint.parse_request(_token_request)

        assert isinstance(_req, AccessTokenRequest)
        assert set(_req.keys()) == set(_token_request.keys())
예제 #8
0
    def authz_part2(self, user, authn_event, request, **kwargs):
        """
        After the authentication this is where you should end up

        :param user:
        :param request: The Authorization Request
        :param sid: Session key
        :param kwargs: possible other parameters
        :return: A redirect to the redirect_uri of the client
        """
        sid = setup_session(
            self.endpoint_context, request, user, authn_event=authn_event
        )

        try:
            resp_info = self.post_authentication(user, request, sid, **kwargs)
        except Exception as err:
            return self.error_response({}, "server_error", err)

        if "check_session_iframe" in self.endpoint_context.provider_info:
            ec = self.endpoint_context
            salt = rndstr()
            if ec.sdb.is_session_revoked(sid):
                pass
            else:
                authn_event = ec.sdb.get_authentication_event(
                    sid
                )  # use the last session
                _state = json.dumps({"authn_time": authn_event["authn_time"]})

                session_cookie = ec.cookie_dealer.create_cookie(
                    json.dumps(_state),
                    typ="session",
                    cookie_name=ec.cookie_name["session_management"],
                )

                opbs = session_cookie[ec.cookie_name["session_management"]]

                _session_state = compute_session_state(
                    opbs.value, salt, request["client_id"], resp_info["return_uri"]
                )

                if "cookie" in resp_info:
                    if isinstance(resp_info["cookie"], list):
                        resp_info["cookie"].append(session_cookie)
                    else:
                        append_cookie(resp_info["cookie"], session_cookie)
                else:
                    resp_info["cookie"] = session_cookie

                resp_info["response_args"]["session_state"] = _session_state

        # Mix-Up mitigation
        resp_info["response_args"]["iss"] = self.endpoint_context.issuer
        resp_info["response_args"]["client_id"] = request["client_id"]

        return resp_info
예제 #9
0
    def test_info(self):
        session_id = setup_session(
            self.endpoint.endpoint_context, AUTH_REQ, uid="diana"
        )
        _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(key=session_id)

        handler = self.endpoint.endpoint_context.sdb.handler.handler["access_token"]
        _info = handler.info(_dic["access_token"])
        assert _info["type"] == "T"
        assert _info["sid"] == session_id
예제 #10
0
 def test_do_response_no_token(self):
     _context = self.introspection_endpoint.endpoint_context
     _ = setup_session(_context, AUTH_REQ, uid="diana")
     _req = self.introspection_endpoint.parse_request({
         "client_id":
         "client_1",
         "client_secret":
         _context.cdb["client_1"]["client_secret"],
     })
     _resp = self.introspection_endpoint.process_request(_req)
     assert "error" in _resp
예제 #11
0
    def test_parse(self):
        session_id = setup_session(
            self.endpoint.endpoint_context, AUTH_REQ, uid="diana"
        )
        _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(key=session_id)

        _verifier = JWT(self.endpoint.endpoint_context.keyjar)
        _info = _verifier.unpack(_dic["access_token"])

        assert _info["ttype"] == "T"
        assert _info["phone_number"] == "+46907865000"
        assert set(_info["aud"]) == {"client_1", "https://example.org/appl"}
예제 #12
0
    def test_parse_with_wrong_client_authn(self):
        _context = self.introspection_endpoint.endpoint_context
        _ = setup_session(_context, AUTH_REQ, uid="diana")
        _token = self._create_jwt("diana")
        _basic_token = "{}:{}".format(
            "client_1", _context.cdb["client_1"]["client_secret"])
        _basic_token = as_unicode(base64.b64encode(as_bytes(_basic_token)))
        _basic_authz = "Basic {}".format(_basic_token)

        with pytest.raises(WrongAuthnMethod):
            self.introspection_endpoint.parse_request({"token": _token},
                                                      _basic_authz)
예제 #13
0
    def test_is_expired(self):
        session_id = setup_session(
            self.endpoint.endpoint_context, AUTH_REQ, uid="diana"
        )
        _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(key=session_id)

        handler = self.endpoint.endpoint_context.sdb.handler.handler["access_token"]
        assert handler.is_expired(_dic["access_token"]) is False

        assert (
            handler.is_expired(_dic["access_token"], utc_time_sans_frac() + 4000)
            is True
        )
예제 #14
0
def test_setup_session():
    endpoint_context = EndpointContext(conf)
    uid = "_user_"
    client_id = "EXTERNAL"
    areq = None
    acr = None
    sid = setup_session(endpoint_context,
                        areq,
                        uid,
                        client_id,
                        acr,
                        salt="salt")
    assert sid
    def test_do_response(self):
        session_id = setup_session(
            self.endpoint.endpoint_context,
            AUTH_REQ,
            uid="user",
            acr=INTERNETPROTOCOLPASSWORD,
        )
        self.endpoint.endpoint_context.sdb.update(session_id, user="******")
        _token_request = TOKEN_REQ_DICT.copy()
        _token_request["code"] = self.endpoint.endpoint_context.sdb[session_id]["code"]
        _req = self.endpoint.parse_request(_token_request)

        _resp = self.endpoint.process_request(request=_req)
        msg = self.endpoint.do_response(request=_req, **_resp)
        assert isinstance(msg, dict)
예제 #16
0
def test_sub_minting_class():
    conf["sub_func"] = {"public": {"class": SubMinter}}

    endpoint_context = EndpointContext(conf)
    uid = "_user_"
    client_id = "EXTERNAL"
    areq = None
    acr = None
    sid = setup_session(endpoint_context,
                        areq,
                        uid,
                        client_id,
                        acr,
                        salt="salt")
    assert endpoint_context.sdb[sid]["sub"] == uid
예제 #17
0
    def test_parse_with_client_auth_in_req(self):
        _context = self.introspection_endpoint.endpoint_context
        _ = setup_session(_context, AUTH_REQ, uid="diana")
        _token = self._create_jwt("diana")
        _req = self.introspection_endpoint.parse_request({
            "token":
            _token,
            "client_id":
            "client_1",
            "client_secret":
            _context.cdb["client_1"]["client_secret"],
        })

        assert isinstance(_req, TokenIntrospectionRequest)
        assert set(_req.keys()) == {"token", "client_id", "client_secret"}
예제 #18
0
    def test_process_request(self):
        _context = self.introspection_endpoint.endpoint_context
        _ = setup_session(_context, AUTH_REQ, uid="diana")
        _token = self._create_jwt("diana", lifetime=6000)
        _req = self.introspection_endpoint.parse_request({
            "token":
            _token,
            "client_id":
            "client_1",
            "client_secret":
            _context.cdb["client_1"]["client_secret"],
        })
        _resp = self.introspection_endpoint.process_request(_req)

        assert _resp
        assert set(_resp.keys()) == {"response_args"}
예제 #19
0
    def _create_at(self, uid, lifetime=0, with_jti=False):
        _context = self.introspection_endpoint.endpoint_context

        session_id = setup_session(
            _context,
            AUTH_REQ,
            uid=uid,
            acr=INTERNETPROTOCOLPASSWORD,
        )
        _token_request = TOKEN_REQ_DICT.copy()
        _token_request["code"] = _context.sdb[session_id]["code"]
        _context.sdb.update(session_id, user=uid)

        _req = self.token_endpoint.parse_request(_token_request)
        _resp = self.token_endpoint.process_request(request=_req)
        _resp = AccessTokenResponse(**_resp["response_args"])
        return _resp["access_token"]
    def test_process_request(self):
        session_id = setup_session(
            self.endpoint.endpoint_context,
            AUTH_REQ,
            uid="user",
            acr=INTERNETPROTOCOLPASSWORD,
        )
        _token_request = TOKEN_REQ_DICT.copy()
        _context = self.endpoint.endpoint_context
        _token_request["code"] = _context.sdb[session_id]["code"]
        _context.sdb.update(session_id, user="******")
        _req = self.endpoint.parse_request(_token_request)

        _resp = self.endpoint.process_request(request=_req)

        assert _resp
        assert set(_resp.keys()) == {"http_headers", "response_args"}
    def test_do_refresh_access_token_not_allowed(self):
        areq = AUTH_REQ.copy()
        areq["scope"] = ["openid", "offline_access"]
        _cntx = self.endpoint.endpoint_context
        session_id = setup_session(
            _cntx, areq, uid="user", acr=INTERNETPROTOCOLPASSWORD
        )
        _cntx.sdb.update(session_id, user="******")
        _token_request = TOKEN_REQ_DICT.copy()
        _token_request["code"] = _cntx.sdb[session_id]["code"]
        _req = self.endpoint.parse_request(_token_request)
        _resp = self.endpoint.process_request(request=_req)

        self.endpoint.allow_refresh = False

        _request = REFRESH_TOKEN_REQ.copy()
        _request["refresh_token"] = _resp["response_args"]["refresh_token"]
        with pytest.raises(ProcessError):
            self.endpoint.parse_request(_request.to_json())
예제 #22
0
 def test_process_request(self):
     session_id = setup_session(
         self.endpoint.endpoint_context,
         AUTH_REQ,
         uid="userID",
         authn_event={
             "authn_info": "loa1",
             "uid": "diana",
             "authn_time": utc_time_sans_frac(),
             "valid_until": utc_time_sans_frac() + 3600,
         },
     )
     _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
         key=session_id)
     _req = self.endpoint.parse_request({},
                                        auth="Bearer {}".format(
                                            _dic["access_token"]))
     args = self.endpoint.process_request(_req)
     assert args
예제 #23
0
    def test_process_request_using_code_twice(self):
        session_id = setup_session(
            self.endpoint.endpoint_context,
            AUTH_REQ,
            uid="user",
            acr=INTERNETPROTOCOLPASSWORD,
        )
        _token_request = TOKEN_REQ_DICT.copy()
        _context = self.endpoint.endpoint_context
        _token_request["code"] = _context.sdb[session_id]["code"]
        _context.sdb.update(session_id, user="******")
        _req = self.endpoint.parse_request(_token_request)
        _resp = self.endpoint.process_request(request=_req)

        # 2nd time used
        _req = self.endpoint.parse_request(_token_request)
        _resp = self.endpoint.process_request(request=_req)

        assert _resp
        assert set(_resp.keys()) == {"error"}
예제 #24
0
 def test_process_request_not_allowed(self):
     session_id = setup_session(
         self.endpoint.endpoint_context,
         AUTH_REQ,
         uid="userID",
         authn_event={
             "authn_info": "loa1",
             "uid": "diana",
             "authn_time": utc_time_sans_frac() - 7200,
             "valid_until": utc_time_sans_frac() - 3600,
         },
     )
     _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
         key=session_id)
     _req = self.endpoint.parse_request({},
                                        auth="Bearer {}".format(
                                            _dic["access_token"]))
     args = self.endpoint.process_request(_req)
     assert set(
         args["response_args"].keys()) == {"error", "error_description"}
예제 #25
0
 def test_process_request_offline_access(self):
     auth_req = AUTH_REQ.copy()
     auth_req["scope"] = ["openid", "offline_access"]
     session_id = setup_session(
         self.endpoint.endpoint_context,
         auth_req,
         uid="userID",
         authn_event={
             "authn_info": "loa1",
             "uid": "diana",
             "authn_time": utc_time_sans_frac() - 7200,
             "valid_until": utc_time_sans_frac() - 3600,
         },
     )
     _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
         key=session_id)
     _req = self.endpoint.parse_request({},
                                        auth="Bearer {}".format(
                                            _dic["access_token"]))
     args = self.endpoint.process_request(_req)
     assert set(args["response_args"].keys()) == {"sub"}
예제 #26
0
def test_setup_session_upgrade_to_token():
    endpoint_context = EndpointContext(conf)
    uid = "_user_"
    client_id = "EXTERNAL"
    areq = None
    acr = None
    sid = setup_session(endpoint_context,
                        areq,
                        uid,
                        client_id,
                        acr,
                        salt="salt")
    assert sid
    code = endpoint_context.sdb[sid]["code"]
    assert code

    res = endpoint_context.sdb.upgrade_to_token(code)
    assert "access_token" in res

    endpoint_context.sdb.revoke_uid("_user_")
    assert endpoint_context.sdb.is_session_revoked(sid)
    def test_process_request_using_code_twice(self):
        session_id = setup_session(
            self.endpoint.endpoint_context,
            AUTH_REQ,
            uid="user",
            acr=INTERNETPROTOCOLPASSWORD,
        )
        _token_request = TOKEN_REQ_DICT.copy()
        _context = self.endpoint.endpoint_context
        _token_request["code"] = _context.sdb[session_id]["code"]
        _context.sdb.update(session_id, user="******")
        _req = self.endpoint.parse_request(_token_request)
        _resp = self.endpoint.process_request(request=_req)

        # 2nd time used
        # TODO: There is a bug in _post_parse_request, the returned error
        # should be invalid_grant, not invalid_client
        _req = self.endpoint.parse_request(_token_request)
        _resp = self.endpoint.process_request(request=_req)

        assert _resp
        assert set(_resp.keys()) == {"error"}
예제 #28
0
    def test_do_signed_response(self):
        self.endpoint.endpoint_context.cdb["client_1"][
            "userinfo_signed_response_alg"] = "ES256"

        session_id = setup_session(
            self.endpoint.endpoint_context,
            AUTH_REQ,
            uid="userID",
            authn_event={
                "authn_info": "loa1",
                "uid": "diana",
                "authn_time": utc_time_sans_frac(),
                "valid_until": utc_time_sans_frac() + 3600,
            },
        )
        _dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
            key=session_id)
        _req = self.endpoint.parse_request({},
                                           auth="Bearer {}".format(
                                               _dic["access_token"]))
        args = self.endpoint.process_request(_req)
        assert args
        res = self.endpoint.do_response(request=_req, **args)
        assert res