def test_is_valid(self):
ae1 = create_authn_event("uid", "salt")
sid = self.sdb.create_authz_session(ae1, AREQ, client_id="client_id")
self.sdb[sid]["sub"] = "sub"
grant = self.sdb[sid]["code"]
assert self.sdb.is_valid(grant)
sinfo = self.sdb.upgrade_to_token(grant, issue_refresh=True)
assert not self.sdb.is_valid(grant)
access_token = sinfo["access_token"]
assert self.sdb.is_valid(access_token)
refresh_token = sinfo["refresh_token"]
sinfo = self.sdb.refresh_token(refresh_token, AREQ["client_id"])
access_token2 = sinfo["access_token"]
assert self.sdb.is_valid(access_token2)
# The old access code should be invalid
try:
self.sdb.is_valid(access_token)
except KeyError:
pass
def test_upgrade_to_token(self):
ae1 = create_authn_event("uid", "salt")
sid = self.sdb.create_authz_session(ae1, AREQ, client_id="client_id")
self.sdb[sid]["sub"] = "sub"
grant = self.sdb[sid]["code"]
_dict = self.sdb.upgrade_to_token(grant)
print(_dict.keys())
assert set(_dict.keys()) == {
"authn_event",
"code",
"authn_req",
"access_token",
"token_type",
"client_id",
"oauth_state",
"expires_in",
}
# can't update again
with pytest.raises(AccessCodeUsed):
self.sdb.upgrade_to_token(grant)
self.sdb.upgrade_to_token(_dict["access_token"])
def setup_auth(self,
request,
redirect_uri,
cinfo,
cookie,
acr=None,
**kwargs):
"""
:param request: The authorization/authentication request
:param redirect_uri:
:param cinfo: client info
:param cookie:
:param acr: Default ACR, if nothing else is specified
:param kwargs:
:return:
"""
res = self.pick_authn_method(request, redirect_uri, acr, **kwargs)
authn = res["method"]
authn_class_ref = res["acr"]
try:
_auth_info = kwargs.get("authn", "")
if "upm_answer" in request and request["upm_answer"] == "true":
_max_age = 0
else:
_max_age = max_age(request)
identity, _ts = authn.authenticated_as(cookie,
authorization=_auth_info,
max_age=_max_age)
except (NoSuchAuthentication, TamperAllert):
identity = None
_ts = 0
except ToOld:
logger.info("Too old authentication")
identity = None
_ts = 0
else:
if identity:
try: # If identity['uid'] is in fact a base64 encoded JSON string
_id = b64d(as_bytes(identity["uid"]))
except BadSyntax:
pass
else:
identity = json.loads(as_unicode(_id))
session = self.endpoint_context.sdb[identity.get("sid")]
if not session or "revoked" in session:
identity = None
authn_args = authn_args_gather(request, authn_class_ref, cinfo,
**kwargs)
# To authenticate or Not
if identity is None: # No!
logger.info("No active authentication")
logger.debug("Known clients: {}".format(
list(self.endpoint_context.cdb.keys())))
if "prompt" in request and "none" in request["prompt"]:
# Need to authenticate but not allowed
return {
"error": "login_required",
"return_uri": redirect_uri,
"return_type": request["response_type"],
}
else:
return {"function": authn, "args": authn_args}
else:
logger.info("Active authentication")
if re_authenticate(request, authn):
# demand re-authentication
return {"function": authn, "args": authn_args}
else:
# I get back a dictionary
user = identity["uid"]
if "req_user" in kwargs:
sids = self.endpoint_context.sdb.get_sids_by_sub(
kwargs["req_user"])
if (sids and user !=
self.endpoint_context.sdb.get_authentication_event(
sids[-1]).uid):
logger.debug("Wanted to be someone else!")
if "prompt" in request and "none" in request["prompt"]:
# Need to authenticate but not allowed
return {
"error": "login_required",
"return_uri": redirect_uri,
}
else:
return {"function": authn, "args": authn_args}
authn_event = create_authn_event(
identity["uid"],
identity.get("salt", ""),
authn_info=authn_class_ref,
time_stamp=_ts,
)
if "valid_until" in authn_event:
vu = time.time() + authn.kwargs.get("expires_in", 0.0)
authn_event["valid_until"] = vu
return {"authn_event": authn_event, "identity": identity, "user": user}
def test_create_authz_session_with_nonce(self):
ae = create_authn_event("sub", "salt")
sid = self.sdb.create_authz_session(ae, AREQN, client_id='client_id')
info = self.sdb[sid]
authz_request = info['authn_req']
assert authz_request["nonce"] == "something"
def test_create_authz_session_without_nonce(self):
ae = create_authn_event("sub", "salt")
sid = self.sdb.create_authz_session(ae, AREQ, client_id='client_id')
info = self.sdb[sid]
assert info["oauth_state"] == "authz"
def test_valid_grant(self):
ae = create_authn_event("another:user", "salt")
sid = self.sdb.create_authz_session(ae, AREQ, client_id='client_id')
grant = self.sdb[sid]["code"]
assert self.sdb.is_valid(grant)
def setup_auth(self, request, redirect_uri, cinfo, cookie, **kwargs):
"""
:param endpoint_context:
:param request:
:param redirect_uri:
:param cinfo:
:param cookie:
:param kwargs:
:return:
"""
authn, authn_class_ref = self.pick_authn_method(request, redirect_uri)
try:
try:
_auth_info = kwargs["authn"]
except KeyError:
_auth_info = ""
if "upm_answer" in request and request["upm_answer"] == "true":
_max_age = 0
else:
_max_age = max_age(request)
identity, _ts = authn.authenticated_as(
cookie, authorization=_auth_info, max_age=_max_age)
except (NoSuchAuthentication, TamperAllert):
identity = None
_ts = 0
except ToOld:
logger.info("Too old authentication")
identity = None
_ts = 0
else:
logger.info("No active authentication")
authn_args = authn_args_gather(request, authn_class_ref, cinfo,
**kwargs)
# To authenticate or Not
if identity is None: # No!
if "prompt" in request and "none" in request["prompt"]:
# Need to authenticate but not allowed
return {
'error': "login_required", 'return_uri': redirect_uri,
'return_type': request["response_type"]
}
else:
return {'function': authn, 'args': authn_args}
else:
if re_authenticate(request, authn):
# demand re-authentication
return {'function': authn, 'args': authn_args}
else:
# I get back a dictionary
user = identity["uid"]
if "req_user" in kwargs:
sids = self.endpoint_context.sdb.get_sids_by_sub(
kwargs["req_user"])
if sids and user != \
self.endpoint_context.sdb.get_authentication_event(
sids[-1]).uid:
logger.debug("Wanted to be someone else!")
if "prompt" in request and "none" in request["prompt"]:
# Need to authenticate but not allowed
return {
'error': "login_required",
'return_uri': redirect_uri
}
else:
return {'function': authn, 'args': authn_args}
authn_event = create_authn_event(identity["uid"],
identity.get('salt', ''),
authn_info=authn_class_ref,
time_stamp=_ts)
return {"authn_event": authn_event, "identity": identity, "user": user}
