# In-Memory non-persistent SessionDB issuing DefaultTokens
sessionDB = create_session_db(config.ISSUER,
secret=rndstr(32),
password=rndstr(32))
provider = Provider(
name=config.ISSUER, # name
sdb=sessionDB, # session database.
cdb=clientDB, # client database
authn_broker=authnBroker, # authn broker
userinfo=None, # user information
authz=authz, # authz
client_authn=verify_client, # client authentication
symkey=config.SYM_KEY, # Used for Symmetric key authentication
# urlmap = None, # ?
# keyjar = None, # ?
# hostname = "", # ?
template_renderer=mako_renderer, # Rendering custom templates
# verify_ssl = True, # Enable SSL certs
# capabilities = None, # ?
# schema = OpenIDSchema, # ?
# jwks_uri = '', # ?
# jwks_name = '', # ?
baseurl=config.ISSUER,
# client_cert = None # ?
)
# SessionDB:
# This is database where the provider keeps information about
# the authenticated/authorised users. It includes information
# such as "what has been asked for (claims, scopes, and etc. )"
# In-Memory SessionDB issuing DefaultTokens
sdb = create_session_db(config.baseurl,
secret=rndstr(32),
password=rndstr(32))
if args.test:
URLS.append((r'tracelog', trace_log))
OAS = TestProvider(config.issuer, sdb, cdb, ac, None, authz,
config.SYM_KEY)
elif args.XpressConnect:
from XpressConnect import XpressConnectProvider
OAS = XpressConnectProvider(config.issuer, sdb, cdb, ac, None, authz,
verify_client, config.SYM_KEY)
else:
OAS = Provider(config.issuer, sdb, cdb, ac, None, authz, verify_client,
config.SYM_KEY, **kwargs)
try:
OAS.cookie_ttl = config.COOKIETTL
except AttributeError:
pass
try:
OAS.cookie_name = config.COOKIENAME
except AttributeError:
pass
#print URLS
if args.debug:
OAS.debug = True
if args.test:
sessionDB = create_session_db(config.ISSUER,
secret=rndstr(32),
password=rndstr(32))
provider = Provider(
name=config.ISSUER, # name
sdb=sessionDB, # session database.
cdb=clientDB, # client database
authn_broker=authnBroker, # authn broker
userinfo=None, # user information
authz=authz, # authz
client_authn=verify_client, # client authentication
symkey=config.SYM_KEY, # Used for Symmetric key authentication
# urlmap = None, # ?
# ca_certs = "", # ?
# keyjar = None, # ?
# hostname = "", # ?
template_lookup=lookup, # ?
template={"form_post": "form_response.mako"}, # ?
# verify_ssl = True, # ?
# capabilities = None, # ?
# schema = OpenIDSchema, # ?
# jwks_uri = '', # ?
# jwks_name = '', # ?
baseurl=config.ISSUER,
# client_cert = None # ?
)
# SessionDB:
# This is database where the provider keeps information about
# the authenticated/authorised users. It includes information
URLMAP = {CLIENT_ID: ["https://example.com/authz"]}
PASSWD = {"user": "******"}
ROOT = '../oc3/'
tl = TemplateLookup(directories=[ROOT + 'templates', ROOT + 'htdocs'],
module_directory=ROOT + 'modules',
input_encoding='utf-8',
output_encoding='utf-8')
AUTHN_BROKER = AuthnBroker()
AUTHN_BROKER.add(
"1", UsernamePasswordMako(None, "login.mako", tl, PASSWD, "authenticated"))
# dealing with authorization
AUTHZ = AuthzHandling()
SYMKEY = "symmetric key used to encrypt cookie info"
USERINFO = UserInfo(USERDB)
provider_init = Provider("pyoicserv",
SessionDB(),
CDB,
AUTHN_BROKER,
USERINFO,
AUTHZ,
verify_client,
SYMKEY,
urlmap=URLMAP,
keyjar=KEYJAR)
def main():
parser = argparse.ArgumentParser(description='Example OIDC Provider.')
parser.add_argument("-p", "--port", default=80, type=int)
parser.add_argument("-b", "--base", default="https://localhost", type=str)
parser.add_argument("-d", "--debug", action="store_true")
parser.add_argument("settings")
args = parser.parse_args()
# Load configuration
with open(args.settings, "r") as f:
settings = yaml.safe_load(f)
issuer = args.base.rstrip("/")
template_dirs = settings["server"].get("template_dirs", "templates")
jinja_env = Environment(loader=FileSystemLoader(template_dirs),
autoescape=select_autoescape(['html']))
authn_broker, auth_routing = setup_authentication_methods(
settings["authn"], jinja_env)
# Setup userinfo
userinfo_conf = settings["userinfo"]
cls = make_cls_from_name(userinfo_conf["class"])
i = cls(**userinfo_conf["kwargs"])
userinfo = UserInfo(i)
client_db = {}
session_db = create_session_db(issuer,
secret=rndstr(32),
password=rndstr(32))
provider = Provider(issuer, session_db, client_db, authn_broker, userinfo,
AuthzHandling(), verify_client, None)
provider.baseurl = issuer
provider.symkey = rndstr(16)
# Setup keys
path = os.path.join(os.path.dirname(__file__), "static")
try:
os.makedirs(path)
except OSError as e:
if e.errno != errno.EEXIST:
raise e
pass
jwks = keyjar_init(provider, settings["provider"]["keys"])
name = "jwks.json"
with open(os.path.join(path, name), "w") as f:
f.write(json.dumps(jwks))
#TODO: I take this out and it still works, what was this for?
#provider.jwks_uri.append(
# "{}/static/{}".format(provider.baseurl, name))
# Mount the WSGI callable object (app) on the root directory
app_routing = setup_endpoints(provider)
app_routing["/.well-known/openid-configuration"] = pyoidcMiddleware(
provider.providerinfo_endpoint)
app_routing["/.well-known/webfinger"] = pyoidcMiddleware(
partial(_webfinger, provider))
routing = dict(list(auth_routing.items()) + list(app_routing.items()))
routing["/static"] = make_static_handler(path)
dispatcher = WSGIPathInfoDispatcher(routing)
server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', args.port),
dispatcher) # nosec
# Setup SSL
if provider.baseurl.startswith("https://"):
server.ssl_adapter = BuiltinSSLAdapter(
settings["server"]["cert"], settings["server"]["key"],
settings["server"]["cert_chain"])
# Start the CherryPy WSGI web server
try:
print("Server started: {}".format(issuer))
server.start()
except KeyboardInterrupt:
server.stop()
},
# "template_args": {"form_post": {"action": "form_post"}}
}
# Should I care about verifying the certificates used by other entities
if args.insecure:
kwargs["verify_ssl"] = False
else:
kwargs["verify_ssl"] = True
if args.capabilities:
kwargs["capabilities"] = json.loads(open(args.capabilities).read())
else:
pass
OAS = Provider(_issuer, SessionDB(_issuer), cdb, ac, None, authz,
verify_client, config.SYM_KEY, **kwargs)
OAS.baseurl = _issuer
for authn in ac:
authn.srv = OAS
if config.USERINFO == "SIMPLE":
# User info is a simple dictionary in this case statically defined in
# the configuration file
OAS.userinfo = UserInfo(config.USERDB)
elif config.USERINFO == "SAML":
OAS.userinfo = UserInfo(config.SAML)
elif config.USERINFO == "AA":
OAS.userinfo = AaUserInfo(config.SP_CONFIG, config.issuer, config.SAML)
else:
raise Exception("Unsupported userinfo source")
