def test_create_fo_keys_bundle():
jb = JWKSBundle(ORGOP.iss, ORGOP.keyjar)
jb[FOP.iss] = FOP.keyjar
jb[FO1P.iss] = FO1P.keyjar
sb = jb.create_signed_bundle()
_jw = jws.factory(sb)
assert _jw
def test_set_del_get():
bundle = JWKSBundle(ISS, SIGN_KEYS)
bundle['https://www.swamid.se'] = KEYJAR['https://www.swamid.se']
bundle['https://www.sunet.se'] = KEYJAR['https://www.sunet.se']
bundle['https://www.feide.no'] = KEYJAR['https://www.feide.no']
del bundle['https://www.sunet.se']
assert set(
bundle.keys()) == {'https://www.swamid.se', 'https://www.feide.no'}
def test_dump_load():
jb = make_jwks_bundle('', ['fo0', 'fo1', 'fo2', 'fo3'], None, KEYDEFS)
bs = jb.dumps()
receiver = JWKSBundle('')
receiver.loads(bs)
assert len(receiver.keys()) == 4
assert set(receiver.keys()) == {'fo0', 'fo1', 'fo2', 'fo3'}
def test_dumps_loads():
bundle = JWKSBundle(ISS, SIGN_KEYS)
bundle['https://www.swamid.se'] = KEYJAR['https://www.swamid.se']
bundle['https://www.sunet.se'] = KEYJAR['https://www.sunet.se']
bundle['https://www.feide.no'] = KEYJAR['https://www.feide.no']
_str = bundle.dumps()
bundle2 = JWKSBundle(ISS, SIGN_KEYS)
bundle2.loads(_str)
assert set(bundle.keys()) == set(bundle2.keys())
for iss, kj in bundle.items():
assert bundle2[iss] == kj
def test_create_verify_fo_keys_bundle():
jb = JWKSBundle(ORGOP.iss, ORGOP.keyjar)
jb[FOP.iss] = FOP.keyjar
jb[FO1P.iss] = FO1P.keyjar
sb = jb.create_signed_bundle()
kj = KeyJar()
kj.add_keyjar(ORGOP.keyjar)
# Necessary since otherwise it won't find the key
kj.issuer_keys[ORGOP.iss] = kj.issuer_keys['']
_jwt = verify_signed_bundle(sb, kj)
bundle = _jwt["bundle"]
assert set(bundle.keys()) == {FOP.iss, FO1P.iss}
def create_federation_entity(iss, conf, fos, sup, entity=''):
_keybundle = FSJWKSBundle('',
fdir=conf.JWKS_DIR,
key_conv={
'to': quote_plus,
'from': unquote_plus
})
# Organisation information
_kj = _keybundle[sup]
fname = os.path.join(conf.MS_DIR, quote_plus(sup))
signer = Signer(InternalSigningService(sup, _kj), fname)
# And then the FOs
jb = JWKSBundle('')
for fo in fos:
jb[fo] = _keybundle[fo]
# The OPs own signing keys
_keys = build_keyjar(conf.SIG_DEF_KEYS)[1]
return FederationEntity(entity,
iss=iss,
keyjar=_keys,
signer=signer,
fo_bundle=jb)
def test_sign_verify():
bundle = JWKSBundle(ISS, SIGN_KEYS)
bundle['https://www.swamid.se'] = KEYJAR['https://www.swamid.se']
bundle['https://www.sunet.se'] = KEYJAR['https://www.sunet.se']
bundle['https://www.feide.no'] = KEYJAR['https://www.feide.no']
_jws = bundle.create_signed_bundle()
bundle2 = JWKSBundle(ISS2)
verify_keys = SIGN_KEYS.copy()
verify_keys.issuer_keys[ISS] = verify_keys.issuer_keys['']
bundle2.upload_signed_bundle(_jws, verify_keys)
assert set(bundle.keys()) == set(bundle2.keys())
for iss, kj in bundle.items():
assert bundle2[iss] == kj
def test_set_jwks():
bundle = JWKSBundle(ISS, SIGN_KEYS)
bundle['https://www.sunet.se'] = KEYJAR[
'https://www.sunet.se'].export_jwks(private=True)
_kj = KEYJAR['https://www.sunet.se'].copy()
_kj.issuer_keys['https://www.sunet.se'] = _kj.issuer_keys['']
del _kj.issuer_keys['']
assert bundle['https://www.sunet.se'] == _kj
def test_set_get():
bundle = JWKSBundle(ISS, SIGN_KEYS)
bundle['https://www.swamid.se'] = KEYJAR['https://www.swamid.se']
# When imported the key in issuer_keys are changed from '' to the issuer ID
_kj = KEYJAR['https://www.swamid.se'].copy()
_kj.issuer_keys['https://www.swamid.se'] = _kj.issuer_keys['']
del _kj.issuer_keys['']
_sekj = bundle['https://www.swamid.se']
assert _sekj == _kj
def test_get_metadata_statement():
jb = JWKSBundle('')
for iss in ['https://example.org/', 'https://example.com/']:
jb[iss] = build_keyjar(KEYDEFS)[1]
op = Operator(keyjar=jb['https://example.com/'],
iss='https://example.com/')
req = MetadataStatement(foo='bar')
sms = op.pack_metadata_statement(req, alg='RS256')
sms_dir = {'https://example.com': sms}
req['metadata_statements'] = Message(**sms_dir)
ent = FederationEntity(None, fo_bundle=jb)
loe = ent.get_metadata_statement(req)
assert loe
def test_ace():
jb = JWKSBundle('')
for iss in ['https://example.org/', 'https://example.com/']:
jb[iss] = build_keyjar(KEYDEFS)[1]
kj = build_keyjar(KEYDEFS)[1]
sign_serv = InternalSigningService('https://signer.example.com',
signing_keys=kj)
signer = Signer(sign_serv)
signer.metadata_statements['response'] = {
'https://example.org/': 'https://example.org/sms1'
}
ent = FederationEntity(None, keyjar=kj, signer=signer, fo_bundle=jb)
req = MetadataStatement(foo='bar')
ent.ace(req, ['https://example.org/'], 'response')
assert 'metadata_statements' in req
assert 'signing_keys' not in req
def fo_jb(jb, test_info):
fjb = JWKSBundle('')
try:
_vals = test_info['metadata_statements']
except KeyError:
_vals = test_info['metadata_statement_uris']
for ms in _vals:
try:
for fo in ms['federations']:
fjb[fo] = jb[fo]
except KeyError:
try:
fo = ms['federation']
fjb[fo] = jb[fo]
except KeyError:
fo = ms['signer']
fjb[fo] = jb[fo]
return fjb
def make_jwks_bundle(iss, fo_liss, sign_keyjar, keydefs, base_path=''):
"""
Given a list of Federation identifiers creates a FSJWKBundle containing all
the signing keys.
:param iss: The issuer ID of the entity owning the JWKSBundle
:param fo_liss: List of federation identifiers
:param sign_keyjar: Keys that the JWKSBundel owner can use to sign
an export version of the JWKS bundle.
:param keydefs: What type of keys that should be created for each
federation. The same for all of them.
:return: A JWKSBundle instance.
"""
jb = JWKSBundle(iss, sign_keyjar)
for entity in fo_liss:
_keydef = copy.deepcopy(keydefs)
_jwks, _keyjar, _kidd = build_keyjar(_keydef)
jb[entity] = _keyjar
return jb
KEYS = {}
ISSUER = {}
OPERATOR = {}
for entity in ['fo', 'fo1', 'org', 'inter', 'admin', 'ligo', 'op']:
fname = os.path.join(BASE_PATH, "{}.key".format(entity))
_keydef = KEYDEFS[:]
_keydef[0]['key'] = fname
_jwks, _keyjar, _kidd = build_keyjar(_keydef)
KEYS[entity] = {'jwks': _jwks, 'keyjar': _keyjar, 'kidd': _kidd}
ISSUER[entity] = 'https://{}.example.org'.format(entity)
OPERATOR[entity] = Operator(keyjar=_keyjar, iss=ISSUER[entity])
FOP = OPERATOR['fo']
FOP.jwks_bundle = JWKSBundle(FOP.iss)
FOP.jwks_bundle[FOP.iss] = FOP.keyjar
FO1P = OPERATOR['fo1']
FO1P.jwks_bundle = JWKSBundle(FO1P.iss)
FO1P.jwks_bundle[FO1P.iss] = FO1P.keyjar
ORGOP = OPERATOR['org']
ADMINOP = OPERATOR['admin']
INTEROP = OPERATOR['inter']
LIGOOP = OPERATOR['ligo']
OPOP = OPERATOR['ligo']
def fo_member(*args):
_jb = JWKSBundle('https://sunet.se/op')
# What I want to create is something like
# (ms_OA + SK[X])
_kj = build_keyjar(config.KEY_DEFS)[1]
req = MetadataStatement(
federation_usage='discovery',
signing_keys={'keys': [x.serialize() for x in _kj.get_signing_key()]})
# FO(ms_OA + SK[X])
_fo_signer = operator[fo]
ms_0 = _fo_signer.pack_metadata_statement(req)
# OA(ms_IA + SK[IA] + FO(ms_OA + SK[X]))
_ia_signer = operator["https://bogus.example.org"]
req = MetadataStatement(tos_uri='https://example.org/tos',
metadata_statements={fo: ms_0},
signing_keys=_ia_signer.signing_keys_as_jwks())
oa = "https://example.org"
_oa_signer = operator[oa]
ms_1 = _oa_signer.pack_metadata_statement(req)
metadata_statements[fo] = ms_1
_jb = JWKSBundle('https://op.sunet.se')
_jb[_fo_signer.iss] = _fo_signer.signing_keys_as_jwks()
# uninett_op = Operator(iss='https://op.sunet.se', jwks_bundle=_jb)
# foo = uninett_op.unpack_metadata_statement(jwt_ms=ms_1)
# print(foo)
def fo_member(*args):
_jb = JWKSBundle('https://sunet.se/op')
for fo in args:
_jb[fo.iss] = fo.signing_keys_as_jwks()
return Operator(jwks_bundle=_jb)
tests = _flows.keys()
# Get the necessary information about the JWKS bundle
info = {}
for path in ['bundle', 'bundle/signer', 'bundle/sigkey']:
_url = "{}/{}".format(tool_url, path)
resp = requests.request('GET', _url, verify=False)
info[path] = resp.text
# Create a KeyJar instance that contains the key that the bundle was signed with
kj = KeyJar()
kj.import_jwks(json.loads(info['bundle/sigkey']), info['bundle/signer'])
# Create a JWKSBundle instance and load it with the keys in the bundle
# I got from the tool
jb = JWKSBundle('')
jb.upload_signed_bundle(info['bundle'], kj)
# This is for the federation entity to use when signing something
# like the keys at jwks_uri.
_kj = build_keyjar(KEY_DEFS)[1]
SIGNERS = [
'https://swamid.sunet.se', 'https://edugain.com', 'https://www.feide.no'
]
# A dictionary of web based signers
sig = {}
for iss in SIGNERS:
qp = urlencode({'signer': iss, 'context': 'registration'})
url = '{}/sign?{}'.format(tool_url, qp)
sig[iss] = WebSigningService(iss, url, jb.bundle[iss])
def test_create():
bundle = JWKSBundle(ISS, SIGN_KEYS)
assert bundle
import argparse
from fedoidc import read_jwks_file
from fedoidc.bundle import JWKSBundle
from fedoidc.operator import Operator
parser = argparse.ArgumentParser()
parser.add_argument(
'-j',
dest='jwks',
help="A JWKS file that contains the federation operators public keys")
parser.add_argument('-r', dest='req', help="The message")
parser.add_argument('-f', dest='fo', help='The identifier of the Federation')
parser.add_argument('-l',
dest='flatten',
action='store_true',
help="Flatten the compounded metadata statement")
args = parser.parse_args()
kj = read_jwks_file(args.jwks)
_bundle = JWKSBundle('')
_bundle[args.fo] = kj
op = Operator(jwks_bundle=_bundle)
_fo, _req = open(args.req).read().rsplit(':', 1)
res = op.unpack_metadata_statement(jwt_ms=_req.strip())
print(res.result)
for d in ['mds', 'ms']:
if os.path.isdir(d):
shutil.rmtree(d)
liss = list(FO.values())
liss.extend(list(OA.values()))
liss.extend(list(EO.values()))
signer, keybundle = test_utils.setup(KEYDEFS,
TOOL_ISS,
liss,
ms_path='ms',
csms_def=SMS_DEF,
mds_dir='mds')
fo_keybundle = JWKSBundle('https://example.com')
for iss in FO.values():
fo_keybundle[iss] = keybundle[iss]
def test_parse_pi():
# Sunet OP
sunet_op = 'https://sunet.se/op'
# _kj = build_keyjar(KEYDEFS)[1]
_kj = signer[EO['sunet.op']].signing_service.signing_keys
op_fed_ent = FederationEntity(None,
keyjar=_kj,
iss=sunet_op,
signer=signer['https://sunet.se'],
fo_bundle=fo_keybundle)