def test_collect_superiors():
# entity_id = 'https://feide.no'
entity_id = 'https://foodle.uninett.no'
target = 'https://foodle.uninett.no'
collector = DummyCollector(trusted_roots=ANCHOR,
httpd=Publisher(
os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
entity_statement = collector.get_entity_statement(
api_endpoint='https://foodle.uninett.no/fed_api',
issuer=entity_id,
subject=entity_id)
_config = verify_self_signed_signature(entity_statement)
assert _config
tree = collector.collect_superiors(_config['iss'], entity_statement)
node = {entity_id: (entity_statement, tree)}
chains = branch2lists(node)
assert len(chains) == 1 # only one chain
assert len(chains[0]) == 4 # And that chain contains 4 statements
_jws00 = factory(chains[0][0])
payload = _jws00.jwt.payload()
# The Federation Entity Statement will be first in line
assert payload["iss"] == 'https://feide.no'
def create_op_enpoint_context(self):
cwd = os.getcwd()
if cwd.endswith('tests'):
sys.path.append(".")
else: # assume it's run from the package root dir
sys.path.append("tests")
import conf_op_umu_se
_conf = conf_op_umu_se.CONF.copy()
configuration = FedOpConfiguration(conf=_conf,
base_path=BASE_PATH,
domain="127.0.0.1",
port=443)
server = Server(configuration)
# _endpoint_context = init_oidc_op_endpoints(op_conf, BASE_PATH)
_endpoint_context = server.get_endpoint_context()
_endpoint_context.federation_entity.collector = DummyCollector(
httpd=Publisher(ROOT_DIR), trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.provider_endpoint = server.server_get("endpoint",
'provider_config')
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
def test_explicit_registration(self):
config = create_from_config_file(
Configuration,
entity_conf=[{
"class": FedRPConfiguration,
"attr": "rp"
}],
filename=full_path('conf_foodle.uninett.no.yaml'),
base_path=BASE_PATH)
config.rp.federation.web_cert_path = "{}/{}".format(
dir_path, lower_or_upper(config.web_conf, "server_cert"))
rph = init_oidc_rp_handler(config.rp, BASE_PATH)
rp = rph.init_client('ntnu')
rp.client_get(
"service_context").federation_entity.collector = DummyCollector(
httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
_service = rp.client_get("service", 'provider_info')
args = self.provider_endpoint.process_request()
info = self.provider_endpoint.do_response(**args)
_resp = _service.parse_response(info["response"])
with responses.RequestsMock() as rsps:
_jwks = open(
os.path.join(BASE_PATH, 'base_data', 'ntnu.no', 'op.ntnu.no',
'jwks.json')).read()
rsps.add("GET",
"https://op.ntnu.no/static/jwks.json",
body=_jwks,
adding_headers={"Content-Type": "application/json"},
status=200)
_service.update_service_context(_resp)
# Do the client registration request
# First let the client construct the client registration request
_service = rp.client_get("service", 'registration')
_request_args = _service.get_request_parameters()
# send it to the provider
args = self.registration_endpoint.process_request(
_request_args["body"])
response_args = self.provider_endpoint.do_response(**args)
# Let the client deal with the response from the provider
_resp = _service.parse_response(response_args["response"],
request=_request_args["body"])
_service.update_service_context(_resp)
# and we're done
reg_resp = _service.client_get("service_context").get(
"registration_response")
assert reg_resp["token_endpoint_auth_method"] == "private_key_jwt"
def test_eval_chains():
target = 'https://foodle.uninett.no'
collector = DummyCollector(trusted_roots=ANCHOR,
httpd=Publisher(
os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
entity_statement = collector.get_entity_statement(target,
issuer=target,
subject=target)
_config = verify_self_signed_signature(entity_statement)
assert _config
tree = collector.collect_superiors(_config['iss'], entity_statement)
_node = {target: (entity_statement, tree)}
chains = branch2lists(_node)
key_jar = KeyJar()
key_jar.import_jwks_as_json(jwks, 'https://feide.no')
statements = [
eval_chain(c, key_jar, 'openid_relying_party') for c in chains
]
assert len(statements) == 1
statement = statements[0]
assert statement.fo == "https://feide.no"
assert set(statement.metadata.keys()) == {
'response_types', 'claims', 'contacts', 'application_type',
'redirect_uris', 'id_token_signing_alg_values_supported', 'jwks_uri'
}
def rp_service_setup(self):
config = {
"entity_id": RECEIVER,
"httpc_params": {"verify": False, "timeout": 1},
"federation": {
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {"client_authn_method": None},
}
},
"trusted_roots": ANCHOR,
"authority_hints": [],
"entity_type": 'openid_relying_party',
"opponent_entity_type": 'openid_provider',
}
}
federation_entity = FederationEntity(
config=config,
httpc=Publisher(os.path.join(BASE_PATH, 'base_data')),
)
# Swap in the DummyCollector
federation_entity.collector = DummyCollector(trusted_roots=ANCHOR,
httpd=Publisher(
os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
self.fedent = federation_entity
def test_get_configuration_information():
target = 'https://foodle.uninett.no'
collector = DummyCollector(trusted_roots=ANCHOR,
httpd=Publisher(
os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
_jws = collector.get_configuration_information(target)
entity_statement = verify_self_signed_signature(_jws)
assert entity_statement['iss'] == target
assert entity_statement['sub'] == target
assert 'metadata' in entity_statement
def rp_service_setup(self):
federation_entity = FederationEntity(
RECEIVER,
trusted_roots=ANCHOR,
authority_hints={},
httpd=Publisher(os.path.join(BASE_PATH, 'base_data')),
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
# Swap in the DummyCollector
federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=Publisher(os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
self.fedent = federation_entity
def create_endpoint(self):
conf = {
"issuer": ENTITY_ID,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
'keys': {
'key_defs': KEYSPEC
},
"endpoint": {},
"jwks": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json"
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf)
self.endpoint = ProviderConfiguration(endpoint_context)
# === Federation stuff =======
fe_conf = {'keys': {'key_defs': KEYSPEC}}
federation_entity = FederationEntity(
ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints={'https://ntnu.no': ['https://feide.no']},
httpd=Publisher(ROOT_DIR),
config=fe_conf,
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
federation_entity.collector = DummyCollector(httpd=Publisher(
os.path.join(BASE_PATH, 'data')),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.fedent = federation_entity
self.endpoint.endpoint_context.federation_entity = federation_entity
def test_get_entity_statement():
entity_id = 'https://foodle.uninett.no'
target = 'https://foodle.uninett.no'
collector = DummyCollector(trusted_roots=ANCHOR,
httpd=Publisher(
os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
_jws = collector.get_entity_statement(
api_endpoint='https://foodle.uninett.no/fed_api',
issuer=entity_id,
subject=target)
msg = verify_self_signed_signature(_jws)
assert msg['iss'] == entity_id
assert msg['sub'] == target
def create_op_enpoint_context(self):
cwd = os.getcwd()
if cwd.endswith('tests'):
sys.path.append(".")
else: # assume it's run from the package root dir
sys.path.append("tests")
import conf_op_ntnu_no
_conf = conf_op_ntnu_no.CONF.copy()
add_base_path(
_conf, {
"session_key": ['filename'],
"keys": ['private_path', 'public_path'],
"jwks": ["private_path", "public_path"],
"": ["template"]
}, dir_path)
add_base_path(
_conf["federation"], {
"session_key": ['filename'],
"keys": ['private_path', 'public_path'],
"": ["authority_hints", "trusted_roots"]
}, dir_path)
add_base_path(_conf["token_handler_args"], {
"jwks_def": ['private_path', 'public_path'],
}, dir_path)
add_base_path(_conf["userinfo"], {
"kwargs": ['db_file'],
}, dir_path)
add_base_path(_conf["cookie_dealer"], {
"sign_jwk": ['filename'],
}, dir_path)
server = Server(_conf)
# _endpoint_context = init_oidc_op_endpoints(op_conf, BASE_PATH)
_endpoint_context = server.get_endpoint_context()
_endpoint_context.federation_entity.collector = DummyCollector(
httpd=Publisher(ROOT_DIR), trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.provider_endpoint = server.server_get("endpoint",
'provider_config')
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
def test_automatic_registration(self):
config = create_from_config_file(
Configuration,
entity_conf=[{
"class": FedRPConfiguration,
"attr": "rp"
}],
filename=full_path('conf_foodle.uninett.no.yaml'),
base_path=BASE_PATH)
rph = init_oidc_rp_handler(config.rp, BASE_PATH)
rp = rph.init_client('ntnu')
rp.client_get(
"service_context").federation_entity.collector = DummyCollector(
httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
_service = rp.client_get("service", 'provider_info')
# don't need to parse the request since there is none
args = self.provider_endpoint.process_request()
info = self.provider_endpoint.do_response(**args)
_resp = _service.parse_response(info["response"])
with responses.RequestsMock() as rsps:
_jwks = open(
os.path.join(BASE_PATH, 'base_data', 'ntnu.no', 'op.ntnu.no',
'jwks.json')).read()
rsps.add("GET",
"https://op.ntnu.no/static/jwks.json",
body=_jwks,
adding_headers={"Content-Type": "application/json"},
status=200)
_service.update_service_context(_resp)
# Do the client authorization request
# First let the client construct the authorization request
_service = rp.client_get("service", 'authorization')
_request_args = _service.get_request_parameters()
# send it to the provider
_req_args = parse_qs(_request_args['url'].split('?')[1])
with responses.RequestsMock() as rsps:
_jwks = open(os.path.join(BASE_PATH,
'static/jwks_auto.json')).read()
_url = 'https://foodle.uninett.no/jwks.json'
rsps.add("GET",
_url,
body=_jwks,
adding_headers={"Content-Type": "application/json"},
status=200)
_req_args = self.authorization_endpoint.parse_request(
compact(_req_args))
# need to register a user session info
args = self.authorization_endpoint.process_request(_req_args)
response_args = self.authorization_endpoint.do_response(**args)
# Let the client deal with the response from the provider
_resp = _service.parse_response(response_args["response"],
request=compact(_req_args))
_service.update_service_context(_resp)
# and we're done
assert 'trust_anchor_id' in _resp
def create_endpoint(self):
conf = {
"issuer": ENTITY_ID,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
'keys': {
'key_defs': KEYSPEC,
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json"
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
}
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template',
"federation": {
"entity_id": ENTITY_ID,
'keys': {
'key_defs': KEYSPEC
},
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {
"client_authn_method": None
},
}
},
"trusted_roots": ANCHOR,
"authority_hints": ['https://feide.no'],
"entity_type": 'openid_relying_party',
"opponent_entity_type": 'openid_provider'
}
}
server = FederationServer(conf)
self.endpoint = server.server_get('endpoint', 'provider_config')
server.endpoint_context.federation_entity.collector = DummyCollector(
httpd=Publisher(os.path.join(BASE_PATH, 'data')),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)