def test_get_trust_mark_3rd_party():
_iss = "https://feide.no"
_sub = "https://op.ntnu.no"
config = {'keys': {'key_defs': KEYSPEC}}
federation_entity = FederationEntity(
_iss,
trusted_roots=ANCHOR,
config=config,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
_tm = TrustMark(
id="https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf",
sub=_sub,
)
# Create the Signed JWT representing the Trust Mark
_jwt0 = JWT(key_jar=federation_entity.keyjar, iss=_iss, lifetime=3600)
_jws = _jwt0.pack(_tm)
trust_anchor_id = list(ANCHOR.keys())[0]
_tm = get_trust_mark(federation_entity, _jws, _sub, trust_anchor_id)
assert isinstance(_tm, TrustMark)
def rp_service_setup(self):
federation_entity = FederationEntity(
RECEIVER,
trusted_roots=ANCHOR,
authority_hints={},
httpd=Publisher(os.path.join(BASE_PATH, 'base_data')),
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
# Swap in the DummyCollector
federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=Publisher(os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
self.fedent = federation_entity
def create_endpoint(self):
conf = {
"issuer": ENTITY_ID,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
'keys': {
'key_defs': KEYSPEC
},
"endpoint": {},
"jwks": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json"
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf)
self.endpoint = ProviderConfiguration(endpoint_context)
# === Federation stuff =======
fe_conf = {'keys': {'key_defs': KEYSPEC}}
federation_entity = FederationEntity(
ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints={'https://ntnu.no': ['https://feide.no']},
httpd=Publisher(ROOT_DIR),
config=fe_conf,
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
federation_entity.collector = DummyCollector(httpd=Publisher(
os.path.join(BASE_PATH, 'data')),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.fedent = federation_entity
self.endpoint.endpoint_context.federation_entity = federation_entity
def __init__(self,
conf: Union[dict, Configuration],
keyjar: Optional[KeyJar] = None,
httpc: Optional[Any] = None):
entity.Entity.__init__(self, config=conf, keyjar=keyjar)
fed_conf = conf["federation"]
federation_entity = FederationEntity(httpd=httpc, config=fed_conf)
self.client_get(
"service_context").federation_entity = federation_entity
def __init__(self,
conf: Union[dict, FedOpConfiguration],
keyjar: Optional[KeyJar] = None,
cwd: Optional[str] = "",
cookie_handler: Optional[Any] = None,
httpc: Optional[Any] = None
):
server.Server.__init__(self, conf=conf, keyjar=keyjar, cwd=cwd,
cookie_handler=cookie_handler, httpc=httpc)
fed_conf = conf["federation"]
federation_entity = FederationEntity(httpd=httpc, config=fed_conf)
self.server_get("endpoint_context").federation_entity = federation_entity
def test_get_trust_mark_self_signed():
_entity_id = "https://op.ntnu.no"
config = {'keys': {'key_defs': KEYSPEC}}
federation_entity = FederationEntity(
_entity_id,
trusted_roots=ANCHOR,
config=config,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
_tm = TrustMark(
id="https://openid.net/certification/op",
sub=_entity_id,
mark=("http://openid.net/wordpress-content/uploads/2016/05/"
"oid-l-certification-mark-l-cmyk-150dpi-90mm.jpg"),
ref=("https://openid.net/wordpress-content/uploads/2015/09/"
"RolandHedberg-pyoidc-0.7.7-Basic-26-Sept-2015.zip"))
# Create the Signed JWT representing the Trust Mark
_jwt0 = JWT(key_jar=federation_entity.keyjar,
iss=_entity_id,
lifetime=3600)
_jws = _jwt0.pack(_tm)
trust_anchor_id = list(ANCHOR.keys())[0]
_tm = get_trust_mark(federation_entity, _jws, _entity_id, trust_anchor_id)
assert isinstance(_tm, TrustMark)
def rp_service_setup(self):
entity_id = 'https://foodle.uninett.no'
entity = Entity(config={
'issuer': 'https://op.ntnu.no',
'keys': {
'key_defs': KEY_DEFS
}
})
service_context = entity.get_service_context()
http_cli = Publisher(os.path.join(BASE_PATH, 'base_data'))
self.federation_entity = FederationEntity(
entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
httpd=http_cli,
entity_type='openid_relying_party',
opponent_entity_type='openid_provider',
config={'keys': {
'key_defs': KEY_DEFS
}})
# The test data collector
self.federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=http_cli,
root_dir=os.path.join(BASE_PATH, 'base_data'))
service_context.federation_entity = self.federation_entity
service_context.redirect_uris = ['https://foodle.uninett.no/cb']
# Note that the keys used for OIDC base protocol communication are separate from those used
# in the federation context
# service_context.keyjar = init_key_jar(key_defs=KEY_DEFS, issuer_id=entity_id)
service_context.client_preferences = {
"grant_types": ['authorization_code', 'implicit', 'refresh_token'],
"id_token_signed_response_alg": "ES256",
"token_endpoint_auth_method": "client_secret_basic",
"federation_type": ['automatic']
}
self.service = {
'discovery':
FedProviderInfoDiscovery(client_get=entity.client_get),
'registration': Registration(client_get=entity.client_get)
}
return statements
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-n', dest='netloc')
parser.add_argument('-e', dest='entity_id')
parser.add_argument('-t', dest="entity_type")
parser.add_argument('-k', dest='insecure', action='store_true')
args = parser.parse_args()
jwks = open(os.path.join(ROOT_DIR, 'swamid', 'swamid.jwks.json')).read()
ANCHOR = {'https://{}/swamid'.format(args.netloc): json.loads(jwks)}
my_entity_id = "https://{}/me".format(args.netloc)
fedent = FederationEntity(
my_entity_id,
trusted_roots=ANCHOR,
authority_hints={'https://ntnu.no': ['https://feide.no']},
entity_type="",
opponent_entity_type=args.entity_type)
if args.insecure:
fedent.keyjar.verify_ssl = False
fedent.collector.insecure = True
for statement in main(fedent, args.entity_id, args.entity_type):
print(20 * "=", statement.anchor, 20 * "=")
print(json.dumps(statement.metadata, indent=4, sort_keys=True))
def create_endpoint(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': Registration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf)
self.registration_endpoint = endpoint_context.endpoint["registration"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.provider_endpoint = endpoint_context.endpoint["provider_config"]
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.endpoint_context.federation_entity = federation_entity
def create_setup(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
self.rp_federation_entity = FederationEntity(
entity_id=RP_ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=RP_ENTITY_ID)
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 2 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': RPRegistration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "refresh"
},
],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcendpoint.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {
"lifetime": 86400
},
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"cookie_dealer": {
"class": CookieDealer,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"default_values": {
"name": "oidcop",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
}
}
endpoint_context = EndpointContext(conf)
_clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.pushed_authorization_endpoint = endpoint_context.endpoint[
"pushed_authorization"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.registration_endpoint = endpoint_context.endpoint["registration"]
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.authorization_endpoint.endpoint_context.federation_entity = federation_entity
def create_endpoint(self):
# First the RP
entity = Entity(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
},
"httpc_param": {
'verify': False,
"timeout": 2
},
})
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
entity.client_get(
"service_context").federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery':
FedProviderInfoDiscovery(entity.client_get),
'registration':
Registration(entity.client_get),
'authorization':
FedAuthorization(entity.client_get,
conf={"request_object_expires_in": 300}),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"httpc_param": {
'verify': False,
"timeout": 2
},
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template',
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
'client_registration_authn_methods_supported': {
"ar": ['request_object']
},
'where': ['authorization']
}
}
}
}
server = Server(conf)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.server_get(
"endpoint_context").federation_entity = federation_entity
parser.add_argument('-t', dest='trusted_roots_file')
parser.add_argument('-e', dest='entity_type')
parser.add_argument('-o', dest='opponent_entity_type')
parser.add_argument('-l', dest='logging', action='store_true')
parser.add_argument(dest="url")
args = parser.parse_args()
if args.logging:
logger = configure_logging(config=LOGGING).getChild(__name__)
trusted_roots = json.loads(open(args.trusted_roots_file).read())
# Creates an entity that can do the collecting of information
federation_entity = FederationEntity(
'issuer',
trusted_roots=trusted_roots,
entity_type=args.entity_type,
opponent_entity_type=args.opponent_entity_type)
if args.insecure:
federation_entity.collector.insecure = args.insecure
jws = federation_entity.get_configuration_information(args.url)
metadata = verify_self_signed_signature(jws)
_tree = federation_entity.collect_statement_chains(metadata['iss'],
metadata)
chains = branch2lists(_tree)
for c in chains:
c.append(jws)