Exemplo n.º 1
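def setup_multi_auth(auth_broker, urls, auth_modules):
    """Register a chain of authentication modules with the auth broker.

    Every module in *auth_modules* is added to *auth_broker* and gets a
    callback endpoint appended to *urls*.  The verify callback of each
    module except the last is handed the next module in the chain, so
    verification continues with the following method.

    :param auth_broker: auth broker
    :param urls: list of (callback) endpoint URLS and their associated
    callback functions; extended in place
    :param auth_modules: list of ``(module_instance, callback_regexp)``
    pairs specifying the order of the multi auth chain
    :return: a multi auth object which must be added to the list of callback
    endpoints
    :raises ValueError: if *auth_modules* is empty (the original code raised
    a bare IndexError from ``auth_modules[0][0]``)
    """
    if not auth_modules:
        raise ValueError("auth_modules must contain at least one module")

    multi_auth = MultiAuthnMethod(auth_modules[0][0])

    # Successor of each module; the last module has none.
    successors = [pair[0] for pair in auth_modules[1:]] + [None]

    for (module_instance, callback_regexp), next_module_instance in zip(
            auth_modules, successors):
        auth_broker.add("", module_instance, 0, "")
        urls.append((callback_regexp,
                     make_auth_verify(module_instance.verify,
                                      next_module_instance)))

    return multi_auth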
Exemplo n.º 2
    def saml_login(self, info):
        """Set up SAML login and register its callback endpoint.

        The SAMLAuthnMethod is created lazily on first use and then added to
        the auth broker on every call; the first entry of
        ``info["END_POINTS"]`` becomes the verify callback URL.

        :param info: authentication configuration; only
            ``info["END_POINTS"]`` is read here
        :return: the AuthnIndexedEndpointWrapper wrapping the SAML method
        """
        from saml2 import BINDING_HTTP_REDIRECT, BINDING_HTTP_POST

        if self.saml_authn is None:
            self.init_mako()
            authz_url = "{}authorization".format(self.issuer)
            self.saml_authn = SAMLAuthnMethod(
                None, self.lookup, self.config.SAML, self.config.SP_CONFIG,
                self.issuer, authz_url, userinfo=self.config.USERINFO)

        self.ac.add("", self.saml_authn, "", "")

        saml_end_point_index = 0
        end_point = info["END_POINTS"][saml_end_point_index]
        # All bindings and the discovery endpoint point at entry 0.
        end_point_indexes = {
            BINDING_HTTP_REDIRECT: 0,
            BINDING_HTTP_POST: 0,
            "disco_end_point_index": 0,
        }
        authn = AuthnIndexedEndpointWrapper(self.saml_authn, end_point_indexes)
        # NOTE(review): end_point is used as a regex prefix unescaped; if
        # the configured path can contain regex metacharacters, confirm
        # that is intended.
        self.urls.append((r'^' + end_point, make_auth_verify(authn.verify)))
        return authn
Exemplo n.º 3
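def setup_multi_auth(auth_broker, urls, auth_modules):
    """Register a chain of authentication modules with the auth broker.

    Every module in *auth_modules* is added to *auth_broker* and gets a
    callback endpoint appended to *urls*.  The verify callback of each
    module except the last is handed the next module in the chain, so
    verification continues with the following method.

    :param auth_broker: auth broker
    :param urls: list of (callback) endpoint URLS and their associated
    callback functions; extended in place
    :param auth_modules: list of ``(module_instance, callback_regexp)``
    pairs specifying the order of the multi auth chain
    :return: a multi auth object which must be added to the list of callback
    endpoints
    :raises ValueError: if *auth_modules* is empty (the original code raised
    a bare IndexError from ``auth_modules[0][0]``)
    """
    if not auth_modules:
        raise ValueError("auth_modules must contain at least one module")

    multi_auth = MultiAuthnMethod(auth_modules[0][0])

    # Successor of each module; the last module has none.
    successors = [pair[0] for pair in auth_modules[1:]] + [None]

    for (module_instance, callback_regexp), next_module_instance in zip(
            auth_modules, successors):
        auth_broker.add("", module_instance, 0, "")
        urls.append((callback_regexp,
                     make_auth_verify(module_instance.verify,
                                      next_module_instance)))

    return multi_auth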
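def setup():
    """Build the global OpenID Connect provider from ``config.yaml``.

    Reads the YAML configuration, wires up username/password
    authentication, opens the client database named by ``OIDC_CLIENT_DB``
    (default ``client_db``), creates the provider in the module-global
    ``OAS``, writes the key set to ``static/jwks.json`` and points
    ``OAS.jwks_uri`` at it.

    :return: the parsed configuration dict
    :raises KeyError: if ``config.yaml`` lacks ``baseurl``, ``userdb`` or
        ``keys``
    """
    with open("config.yaml", 'r') as f:
        # safe_load builds plain YAML types only.  The Loader-less
        # yaml.load() it replaces could instantiate arbitrary Python
        # objects from the file and is rejected by PyYAML >= 6.
        config = yaml.safe_load(f)

    issuer = config["baseurl"]

    ac = AuthnBroker()

    authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD,
                                 "{}/authorization".format(issuer))
    ac.add("password", authn)
    URLS.append((r'^verify', make_auth_verify(authn.verify)))

    authz = AuthzHandling()
    client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db")
    LOGGER.info("Using db: %s", client_db_path)
    cdb = shelve_wrapper.open(client_db_path)
    global OAS
    OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None, authz,
                         verify_client, rndstr(16))
    OAS.baseurl = issuer
    OAS.userinfo = UserInfo(config["userdb"])
    # Additional endpoints the OpenID Connect Provider should answer on
    add_endpoints(ENDPOINTS, ENDPOINT_FUNCS)
    OAS.endpoints = ENDPOINTS

    authn.srv = OAS

    # Cookie settings are optional: when absent, whatever the provider
    # already holds is left untouched.
    if "cookie_ttl" in config:
        OAS.cookie_ttl = config["cookie_ttl"]
    if "cookie_name" in config:
        OAS.cookie_name = config["cookie_name"]

    keyjar_init(OAS, config["keys"])
    # NOTE(review): the file written below is served publicly; this relies
    # on key.serialize() defaulting to the public representation — confirm.
    public_keys = [key.serialize()
                   for keybundle in OAS.keyjar[""]
                   for key in keybundle.keys()]
    public_jwks = {"keys": public_keys}
    filename = "static/jwks.json"
    with open(filename, "w") as f:
        json.dump(public_jwks, f)
    OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename)

    return config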
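def setup():
    """Build the global OpenID Connect provider from ``config.yaml``.

    Reads the YAML configuration, wires up username/password
    authentication, opens the client database named by ``OIDC_CLIENT_DB``
    (default ``client_db``), creates the provider in the module-global
    ``OAS``, writes the key set to ``static/jwks.json`` and points
    ``OAS.jwks_uri`` at it.

    :return: the parsed configuration dict
    :raises KeyError: if ``config.yaml`` lacks ``baseurl``, ``userdb`` or
        ``keys``
    """
    with open("config.yaml", 'r') as f:
        # safe_load builds plain YAML types only.  The Loader-less
        # yaml.load() it replaces could instantiate arbitrary Python
        # objects from the file and is rejected by PyYAML >= 6.
        config = yaml.safe_load(f)

    issuer = config["baseurl"]

    ac = AuthnBroker()

    authn = UsernamePasswordMako(
            None, "login.mako", LOOKUP, PASSWD, "{}/authorization".format(issuer))
    ac.add("password", authn)
    URLS.append((r'^verify', make_auth_verify(authn.verify)))

    authz = AuthzHandling()
    client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db")
    LOGGER.info("Using db: %s", client_db_path)
    cdb = shelve_wrapper.open(client_db_path)
    global OAS
    OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None,
                         authz, verify_client, rndstr(16))
    OAS.baseurl = issuer
    OAS.userinfo = UserInfo(config["userdb"])
    # Additional endpoints the OpenID Connect Provider should answer on
    add_endpoints(ENDPOINTS, ENDPOINT_FUNCS)
    OAS.endpoints = ENDPOINTS

    authn.srv = OAS

    # Cookie settings are optional: when absent, whatever the provider
    # already holds is left untouched.
    if "cookie_ttl" in config:
        OAS.cookie_ttl = config["cookie_ttl"]
    if "cookie_name" in config:
        OAS.cookie_name = config["cookie_name"]

    keyjar_init(OAS, config["keys"])
    # NOTE(review): the file written below is served publicly; this relies
    # on key.serialize() defaulting to the public representation — confirm.
    public_keys = [key.serialize()
                   for keybundle in OAS.keyjar[""]
                   for key in keybundle.keys()]
    public_jwks = {"keys": public_keys}
    filename = "static/jwks.json"
    with open(filename, "w") as f:
        json.dump(public_jwks, f)
    OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename)

    return config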
Exemplo n.º 6
    def user_password(self, info):
        """Set up username/password login and register its callback endpoint.

        A new UsernamePasswordMako is created on every call and stored on
        ``self.username_password_authn``; the first entry of
        ``info["END_POINTS"]`` becomes the verify callback URL.

        :param info: authentication configuration; only
            ``info["END_POINTS"]`` is read here
        :return: the AuthnIndexedEndpointWrapper wrapping the password method
        """
        self.init_mako()

        authz_url = "%sauthorization" % self.issuer
        self.username_password_authn = UsernamePasswordMako(
            None, "login.mako", self.lookup, self.config.PASSWD, authz_url,
            None, self.full_end_point_paths)

        password_end_point_index = 0
        end_point = info["END_POINTS"][password_end_point_index]
        authn = AuthnIndexedEndpointWrapper(
            self.username_password_authn, password_end_point_index)
        # NOTE(review): end_point is used as a regex prefix unescaped; if
        # the configured path can contain regex metacharacters, confirm
        # that is intended.
        self.urls.append((r'^' + end_point, make_auth_verify(authn.verify)))
        return authn
Exemplo n.º 7
    def javascript_login(self, info):
        """Set up the JavaScript form login and register its callback endpoint.

        The JavascriptFormMako method is created lazily on first use, with
        the issuer-prefixed paths of the endpoints listed under
        ``self.config.AUTHENTICATION["JavascriptLogin"]["END_POINTS"]``,
        and is added to the auth broker on every call; the first entry of
        ``info["END_POINTS"]`` becomes the verify callback URL.

        :param info: authentication configuration; only
            ``info["END_POINTS"]`` is read here
        :return: the AuthnIndexedEndpointWrapper wrapping the JavaScript
            login method
        """
        if self.javascript_login_authn is None:
            self.init_mako()

            js_conf = self.config.AUTHENTICATION["JavascriptLogin"]
            full_end_point_paths = ["{}{}".format(self.issuer, ep)
                                    for ep in js_conf["END_POINTS"]]
            authz_url = "{}authorization".format(self.issuer)
            self.javascript_login_authn = JavascriptFormMako(
                None, "javascript_login.mako", self.lookup, self.config.PASSWD,
                authz_url, None, full_end_point_paths)

        self.ac.add("", self.javascript_login_authn, "", "")

        javascript_end_point_index = 0
        end_point = info["END_POINTS"][javascript_end_point_index]
        authn = AuthnIndexedEndpointWrapper(self.javascript_login_authn,
                                            javascript_end_point_index)
        # NOTE(review): end_point is used as a regex prefix unescaped; if
        # the configured path can contain regex metacharacters, confirm
        # that is intended.
        self.urls.append((r'^' + end_point, make_auth_verify(authn.verify)))
        return authn
Exemplo n.º 8
    end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"]
    full_end_point_paths = ["%s%s" % (config.issuer, ep) for ep in end_points]
    username_password_authn = UsernamePasswordMako(
        None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % config.issuer,
        None, full_end_point_paths)

    for authkey, value in config.AUTHENTICATION.items():
        authn = None

        if "UserPassword" == authkey:
            PASSWORD_END_POINT_INDEX = 0
            end_point = config.AUTHENTICATION[authkey]["END_POINTS"][
                PASSWORD_END_POINT_INDEX]
            authn = AuthnIndexedEndpointWrapper(username_password_authn,
                                                PASSWORD_END_POINT_INDEX)
            URLS.append((r'^' + end_point, make_auth_verify(authn.verify)))

        # Ensure javascript_login_authn to be defined
        try:
            javascript_login_authn
        except NameError:
            javascript_login_authn = None

        if "JavascriptLogin" == authkey:
            if not javascript_login_authn:
                end_points = config.AUTHENTICATION["JavascriptLogin"][
                    "END_POINTS"]
                full_end_point_paths = [
                    "%s/%s" % (config.issuer, ep) for ep in end_points
                ]
                javascript_login_authn = JavascriptFormMako(
Exemplo n.º 9
    username_password_authn = UsernamePasswordMako(None, "login.mako", LOOKUP,
                                                   PASSWD,
                                                   "%sauthorization" % _issuer,
                                                   None, full_end_point_paths)

    _urls = []
    for authkey, value in config.AUTHENTICATION.items():
        authn = None

        if "UserPassword" == authkey:
            PASSWORD_END_POINT_INDEX = 0
            end_point = config.AUTHENTICATION[authkey]["END_POINTS"][
                PASSWORD_END_POINT_INDEX]
            authn = AuthnIndexedEndpointWrapper(username_password_authn,
                                                PASSWORD_END_POINT_INDEX)
            _urls.append((r'^' + end_point, make_auth_verify(authn.verify)))

        # Ensure javascript_login_authn to be defined
        try:
            javascript_login_authn
        except NameError:
            javascript_login_authn = None

        if "JavascriptLogin" == authkey:
            if not javascript_login_authn:
                end_points = config.AUTHENTICATION["JavascriptLogin"][
                    "END_POINTS"]
                full_end_point_paths = [
                    "{}{}".format(_issuer, ep) for ep in end_points
                ]
                javascript_login_authn = JavascriptFormMako(
Exemplo n.º 10
    full_end_point_paths = ["%s%s" % (_issuer, ep) for ep in end_points]
    username_password_authn = UsernamePasswordMako(
        None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % _issuer,
        None, full_end_point_paths)

    _urls = []
    for authkey, value in config.AUTHENTICATION.items():
        authn = None

        if "UserPassword" == authkey:
            PASSWORD_END_POINT_INDEX = 0
            end_point = config.AUTHENTICATION[authkey]["END_POINTS"][
                PASSWORD_END_POINT_INDEX]
            authn = AuthnIndexedEndpointWrapper(username_password_authn,
                                                PASSWORD_END_POINT_INDEX)
            _urls.append((r'^' + end_point, make_auth_verify(authn.verify)))

        # Ensure javascript_login_authn to be defined
        try:
            javascript_login_authn
        except NameError:
            javascript_login_authn = None

        if "JavascriptLogin" == authkey:
            if not javascript_login_authn:
                end_points = config.AUTHENTICATION[
                    "JavascriptLogin"]["END_POINTS"]
                full_end_point_paths = [
                    "{}{}".format(_issuer, ep) for ep in end_points]
                javascript_login_authn = JavascriptFormMako(
                    None, "javascript_login.mako", LOOKUP, PASSWD,
Exemplo n.º 11
    end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"]
    full_end_point_paths = ["%s%s" % (config.issuer, ep) for ep in end_points]
    username_password_authn = UsernamePasswordMako(
        None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % config.issuer,
        None, full_end_point_paths)

    for authkey, value in config.AUTHENTICATION.items():
        authn = None

        if "UserPassword" == authkey:
            PASSWORD_END_POINT_INDEX = 0
            end_point = config.AUTHENTICATION[authkey]["END_POINTS"][
                PASSWORD_END_POINT_INDEX]
            authn = AuthnIndexedEndpointWrapper(username_password_authn,
                                                PASSWORD_END_POINT_INDEX)
            URLS.append((r'^' + end_point, make_auth_verify(authn.verify)))

        # Ensure javascript_login_authn to be defined
        try:
            javascript_login_authn
        except NameError:
            javascript_login_authn = None

        if "JavascriptLogin" == authkey:
            if not javascript_login_authn:
                end_points = config.AUTHENTICATION[
                    "JavascriptLogin"]["END_POINTS"]
                full_end_point_paths = [
                    "%s/%s" % (config.issuer, ep) for ep in end_points]
                javascript_login_authn = JavascriptFormMako(
                    None, "javascript_login.mako", LOOKUP, PASSWD,
Exemplo n.º 12
        provider.jwks_uri = "%s%s" % (provider.baseurl, jwksFileName)

    # for b in OAS.keyjar[""]:
    #    LOGGER.info("OC3 server keys: %s" % b)

    # TODO: Questions:
    # END_POINT is defined as a dictionary in the configuration file,
    # why not defining it as string with "verify" value?
    # after all, we have only one end point.
    # can we have multiple end points for password? why?
    endPoint = config.AUTHENTICATION["UserPassword"]["EndPoints"][
        passwordEndPointIndex]

    _urls = []
    _urls.append((r'^' + endPoint,
                  make_auth_verify(authnIndexedEndPointWrapper.verify)))

    _app = Application(provider, _urls)

    # Setup the web server
    server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', config.PORT),
                                           _app.application)
    server.ssl_adapter = BuiltinSSLAdapter(config.SERVER_CERT,
                                           config.SERVER_KEY)

    print "OIDC Provider server started (issuer={}, port={})".format(
        config.ISSUER, config.PORT)

    try:
        server.start()
    except KeyboardInterrupt:
Exemplo n.º 13
        f = open(jwksFileName, "w")
        f.write(json.dumps(jwks))
        f.close()
        provider.jwks_uri = "%s%s" % (provider.baseurl, jwksFileName)

    # for b in OAS.keyjar[""]:
    #    LOGGER.info("OC3 server keys: %s" % b)

    # TODO: Questions:
    # END_POINT is defined as a dictionary in the configuration file,
    # why not defining it as string with "verify" value?
    # after all, we have only one end point.
    # can we have multiple end points for password? why?
    endPoint = config.AUTHENTICATION["UserPassword"]["EndPoints"][passwordEndPointIndex]

    _urls = []
    _urls.append((r'^' + endPoint, make_auth_verify(authnIndexedEndPointWrapper.verify)))

    _app = Application(provider, _urls)

    # Setup the web server
    server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', config.PORT), _app.application) # nosec
    server.ssl_adapter = BuiltinSSLAdapter(config.SERVER_CERT, config.SERVER_KEY)

    print("OIDC Provider server started (issuer={}, port={})".format(config.ISSUER, config.PORT))

    try:
        server.start()
    except KeyboardInterrupt:
        server.stop()
Exemplo n.º 14
        f = open(jwksFileName, "w")
        f.write(json.dumps(jwks))
        f.close()
        provider.jwks_uri = "%s%s" % (provider.baseurl, jwksFileName)

    # for b in OAS.keyjar[""]:
    #    LOGGER.info("OC3 server keys: %s" % b)

    # TODO: Questions:
    # END_POINT is defined as a dictionary in the configuration file,
    # why not defining it as string with "verify" value?
    # after all, we have only one end point.
    # can we have multiple end points for password? why?
    endPoint = config.AUTHENTICATION["UserPassword"]["EndPoints"][passwordEndPointIndex]

    _urls = []
    _urls.append((r'^' + endPoint, make_auth_verify(authnIndexedEndPointWrapper.verify)))

    _app = Application(provider, _urls)

    # Setup the web server
    server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', config.PORT), _app.application)
    server.ssl_adapter = BuiltinSSLAdapter(config.SERVER_CERT, config.SERVER_KEY)

    print "OIDC Provider server started (issuer={}, port={})".format(config.ISSUER, config.PORT)

    try:
        server.start()
    except KeyboardInterrupt:
        server.stop()