def test_authenticated(self):
_session_db = {}
cons = Consumer(_session_db, client_config=CLIENT_CONFIG,
server_info=SERVER_INFO, **CONSUMER_CONFIG)
sid, location = cons.begin("http://localhost:8087",
"http://localhost:8088/authorization")
resp = self.provider.authorization_endpoint(urlparse(location).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
with LogCapture(level=logging.DEBUG) as logcap:
aresp = cons.handle_authorization_response(query=resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(cons.grant[sid].keys(), ['tokens', 'code', 'exp_in',
'seed', 'id_token',
'grant_expiration_time'])
state = aresp['state']
assert _eq(logcap.records[0].msg, '- authorization - code flow -')
assert logcap.records[1].msg in expected_outcome(
'QUERY: ', ['state={}'.format(state), 'code=<REDACTED>',
'client_id=client1',
'iss=https%3A%2F%2Fexample.com%2Fas'])
expected = {'iss': 'https://example.com/as',
'state': state, 'code': '<REDACTED>',
'client_id': 'client1'}
# Eval here to avoid intermittent failures due to dict ordering
assert _eq(eval(logcap.records[2].msg[29:-1]), expected)
expected = ["'client_id': 'client1'", "'iss': 'https://example.com/as'",
"'keyjar': <KeyJar(issuers=[])>"]
assert _eq(sorted(logcap.records[3].msg[22:-1].split(', ')), expected)
def test_authenticated_token(self):
_state, location = self.cons.begin("openid", response_type="token",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
parsed = parse_qs(urlparse(resp.message).fragment)
assert parsed["token_type"][0] == "Bearer"
assert "access_token" in parsed
def checkRoundtrips(self, url, parsed, split):
result = urllib_parse.urlparse(url)
self.assertEqual(result, parsed)
t = (result.scheme, result.netloc, result.path,
result.params, result.query, result.fragment)
self.assertEqual(t, parsed)
# put it back together and it should be the same
result2 = urllib_parse.urlunparse(result)
self.assertEqual(result2, url)
self.assertEqual(result2, result.geturl())
# the result of geturl() is a fixpoint; we can always parse it
# again to get the same result:
result3 = urllib_parse.urlparse(result.geturl())
self.assertEqual(result3.geturl(), result.geturl())
self.assertEqual(result3, result)
self.assertEqual(result3.scheme, result.scheme)
self.assertEqual(result3.netloc, result.netloc)
self.assertEqual(result3.path, result.path)
self.assertEqual(result3.params, result.params)
self.assertEqual(result3.query, result.query)
self.assertEqual(result3.fragment, result.fragment)
self.assertEqual(result3.username, result.username)
self.assertEqual(result3.password, result.password)
self.assertEqual(result3.hostname, result.hostname)
self.assertEqual(result3.port, result.port)
# check the roundtrip using urlsplit() as well
result = urllib_parse.urlsplit(url)
self.assertEqual(result, split)
t = (result.scheme, result.netloc, result.path,
result.query, result.fragment)
self.assertEqual(t, split)
result2 = urllib_parse.urlunsplit(result)
self.assertEqual(result2, url)
self.assertEqual(result2, result.geturl())
# check the fixpoint property of re-parsing the result of geturl()
result3 = urllib_parse.urlsplit(result.geturl())
self.assertEqual(result3.geturl(), result.geturl())
self.assertEqual(result3, result)
self.assertEqual(result3.scheme, result.scheme)
self.assertEqual(result3.netloc, result.netloc)
self.assertEqual(result3.path, result.path)
self.assertEqual(result3.query, result.query)
self.assertEqual(result3.fragment, result.fragment)
self.assertEqual(result3.username, result.username)
self.assertEqual(result3.password, result.password)
self.assertEqual(result3.hostname, result.hostname)
self.assertEqual(result3.port, result.port)
def test_issue14072(self):
p1 = urllib_parse.urlsplit('tel:+31-641044153')
self.assertEqual(p1.scheme, 'tel')
self.assertEqual(p1.path, '+31-641044153')
p2 = urllib_parse.urlsplit('tel:+31641044153')
self.assertEqual(p2.scheme, 'tel')
self.assertEqual(p2.path, '+31641044153')
# assert the behavior for urlparse
p1 = urllib_parse.urlparse('tel:+31-641044153')
self.assertEqual(p1.scheme, 'tel')
self.assertEqual(p1.path, '+31-641044153')
p2 = urllib_parse.urlparse('tel:+31641044153')
self.assertEqual(p2.scheme, 'tel')
self.assertEqual(p2.path, '+31641044153')
def parse_discovery_service_request(self, url="", query=""):
if url:
part = urlparse(url)
dsr = parse_qs(part[4])
elif query:
dsr = parse_qs(query)
else:
dsr = {}
# verify
for key in ["isPassive", "return", "returnIDParam", "policy",
'entityID']:
try:
assert len(dsr[key]) == 1
dsr[key] = dsr[key][0]
except KeyError:
pass
if "return" in dsr:
part = urlparse(dsr["return"])
if part.query:
qp = parse_qs(part.query)
if "returnIDParam" in dsr:
assert dsr["returnIDParam"] not in qp.keys()
else:
assert "entityID" not in qp.keys()
else:
# If metadata not used this is mandatory
raise VerificationError("Missing mandatory parameter 'return'")
if "policy" not in dsr:
dsr["policy"] = IDPDISC_POLICY
try:
assert dsr["isPassive"] in ["true", "false"]
except KeyError:
pass
if "isPassive" in dsr and dsr["isPassive"] == "true":
dsr["isPassive"] = True
else:
dsr["isPassive"] = False
if not "returnIDParam" in dsr:
dsr["returnIDParam"] = "entityID"
return dsr
def clean_domain(self):
parsed = urlparse(self.cleaned_data['domain'])
if parsed.scheme or parsed.netloc:
domain_string = parsed.netloc
else:
domain_string = parsed.path
return domain_string
def _parse_request(self, request, data, sformat, client_id=None):
if sformat == "json":
request = request().from_json(data)
elif sformat == "jwt":
request = request().from_jwt(data, keyjar=self.keyjar)
elif sformat == "urlencoded":
if '?' in data:
parts = urlparse(data)
scheme, netloc, path, params, query, fragment = parts[:6]
else:
query = data
request = request().from_urlencoded(query)
else:
raise ParseError("Unknown package format: '%s'" % sformat,
request)
# get the verification keys
if client_id:
keys = self.keyjar.verify_keys(client_id)
sender = client_id
else:
try:
keys = self.keyjar.verify_keys(request["client_id"])
sender = request['client_id']
except KeyError:
keys = None
sender = ''
logger.debug("verify keys: {}".format(keys))
request.verify(key=keys, keyjar=self.keyjar, sender=sender)
return request
def url_compare(url1, url2):
url1 = urlparse(url1)
url2 = urlparse(url2)
if url1.scheme != url2.scheme:
return False
if url1.netloc != url2.netloc:
return False
if url1.path != url2.path:
return False
if not query_string_compare(url1.query, url2.query):
return False
if not query_string_compare(url1.fragment, url2.fragment):
return False
return True
def parse_resource(resource):
"""
:param resource:
:return: A tuple: op_id and test_id
"""
p = urlparse(resource)
if p[0] == 'acct':
loc, dom = p[2].split('@', 1) # Should I check the domain part ?
_x = loc.split('.')
if len(_x) == 2:
return _x
elif len(_x) > 2:
return '.'.join(_x[0:-1]), _x[-1]
else:
raise ValueError('Need both op_id and test_id, got {}'.format(_x))
elif p[0] in ['http', 'https']:
_x = p[2][1:].split('/') # skip leading '/'
if len(_x) >= 2:
return _x[:2] # only return the first two parts
else:
_txt = 'Need both op_id and test_id, got {}'.format(_x)
logger.error(_txt)
raise ValueError(_txt)
else:
return None
def test_complete_auth_token(self):
_state = "state0"
self.consumer.consumer_config["response_type"] = ["code", "token"]
args = {
"client_id": self.consumer.client_id,
"response_type": self.consumer.consumer_config["response_type"],
"scope": ["openid"],
}
result = self.consumer.do_authorization_request(state=_state,
request_args=args)
self.consumer._backup("state0")
assert result.status_code == 302
parsed = urlparse(result.headers["location"])
baseurl = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path)
assert baseurl == self.consumer.redirect_uris[0]
part = self.consumer.parse_authz(query=parsed.query)
auth = part[0]
acc = part[1]
assert part[2] is None
assert isinstance(auth, AuthorizationResponse)
assert isinstance(acc, AccessTokenResponse)
print(auth.keys())
assert _eq(auth.keys(), ['code', 'access_token',
'token_type', 'state', 'client_id', 'scope'])
assert _eq(acc.keys(), ['token_type', 'state', 'access_token', 'scope'])
def migrate_url(apps, schema_editor):
Domain = apps.get_model("projects", "Domain")
Domain.objects.filter(count=0).delete()
for domain in Domain.objects.all():
if domain.project.superprojects.count() or domain.project.main_language_project:
print("{project} is a subproject or translation. Deleting domain.".format(
project=domain.project.slug))
domain.delete()
continue
parsed = urlparse(domain.url)
if parsed.scheme or parsed.netloc:
domain_string = parsed.netloc
else:
domain_string = parsed.path
try:
domain.domain = domain_string
domain.save()
print(u"Added {domain} from {url}".format(url=domain.url, domain=domain_string))
except Exception as e:
print(e)
print(u"Failed {domain} from {url}".format(url=domain.url, domain=domain_string))
dms = Domain.objects.filter(domain=domain_string).order_by('-count')
if dms.count() > 1:
for dm in list(dms)[1:]:
dm.delete()
def login_hint(oper, args):
"""
Context: AsyncAuthn
Action: Sets the request argument 'login_hint' to a value picked from the
configuration.
Example:
"login_hint": null
:param oper:
:param args:
:return:
"""
_iss = oper.conv.entity.provider_info["issuer"]
p = urlparse(_iss)
_default = "buffy@%s" % p.netloc
try:
hint = oper.conv.get_tool_attribute("login_hint")
except KeyError:
hint = _default
else:
if hint is None:
hint = _default
# elif "@" not in hint:
# hint = "%s@%s" % (hint, p.netloc)
oper.req_args["login_hint"] = hint
def __call__(self, value):
allow_private_repos = getattr(settings, 'ALLOW_PRIVATE_REPOS', False)
public_schemes = ['https', 'http', 'git', 'ftps', 'ftp']
private_schemes = ['ssh', 'ssh+git']
valid_schemes = public_schemes
if allow_private_repos:
valid_schemes += private_schemes
url = urlparse(value)
# Malicious characters go first
if '&&' in value or '|' in value:
raise ValidationError(_('Invalid character in the URL'))
elif url.scheme in valid_schemes:
return value
# Repo URL is not a supported scheme at this point, but there are
# several cases where we might support it
# Launchpad
elif value.startswith('lp:'):
return value
# Relative paths are conditionally supported
elif value.startswith('.') and not self.disallow_relative_url:
return value
# SSH cloning and ``[email protected]:user/project.git``
elif self.re_git_user.search(value) or url.scheme in private_schemes:
if allow_private_repos:
return value
else:
# Throw a more helpful error message
raise ValidationError('Manual cloning via SSH is not supported')
# No more valid URLs without supported URL schemes
raise ValidationError(_('Invalid scheme for URL'))
def __call__(self):
# find the name of the file to which the JWKS should be written
try:
_uri = self.conv.entity.registration_response["jwks_uri"]
except KeyError:
raise RequirementsNotMet("No dynamic key handling")
r = urlparse(_uri)
# find the old key for this key usage and mark that as inactive
for kb in self.conv.entity.keyjar.issuer_keys[""]:
for key in list(kb.keys()):
if key.use in self.new_key["use"]:
key.inactive = True
kid = 0
# only one key
_nk = self.new_key
_typ = _nk["type"].upper()
if _typ == "RSA":
kb = KeyBundle(source="file://%s" % _nk["key"],
fileformat="der", keytype=_typ,
keyusage=_nk["use"])
else:
kb = {}
for k in list(kb.keys()):
k.serialize()
k.kid = self.kid_template % kid
kid += 1
self.conv.entity.kid[k.use][k.kty] = k.kid
self.conv.entity.keyjar.add_kb("", kb)
dump_jwks(self.conv.entity.keyjar[""], r.path[1:])
def __init__(self, rememberer_name, config, saml_client, wayf, cache,
sid_store=None, discovery="", idp_query_param="",
sid_store_cert=None, ):
self.rememberer_name = rememberer_name
self.wayf = wayf
self.saml_client = saml_client
self.conf = config
self.cache = cache
self.discosrv = discovery
self.idp_query_param = idp_query_param
self.logout_endpoints = [urlparse(ep)[2] for ep in config.endpoint(
"single_logout_service")]
try:
self.metadata = self.conf.metadata
except KeyError:
self.metadata = None
if sid_store:
self.outstanding_queries = shelve.open(sid_store, writeback=True,
protocol=2)
else:
self.outstanding_queries = {}
if sid_store_cert:
self.outstanding_certs = shelve.open(sid_store_cert, writeback=True,
protocol=2)
else:
self.outstanding_certs = {}
self.iam = platform.node()
def test_begin_file(self, tmpdir):
path = tmpdir.strpath
self.consumer.consumer_config["request_method"] = "file"
self.consumer.consumer_config["temp_dir"] = path
self.consumer.consumer_config["temp_path"] = path
self.consumer.consumer_config["authz_page"] = "/authz"
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid", "code",
path="http://localhost:8087")
with responses.RequestsMock() as rsps:
p = urlparse(self.consumer.request_uri)
rsps.add(rsps.GET, self.consumer.request_uri,
body=open(p.path).read(), status=200,
content_type='application/urlencoded')
authreq = srv.parse_authorization_request(url=location)
assert _eq(list(authreq.keys()),
['max_age', 'state', 'redirect_uri', 'response_type',
'client_id', 'scope', 'claims'])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.consumer_config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith(
"http://localhost:8087/authz")
def test_complete_secret_auth(self):
_state = "state0"
del self.consumer.consumer_config["password"]
args = {
"client_id": self.consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
result = self.consumer.do_authorization_request(state=_state,
request_args=args)
assert result.status_code == 302
parsed = urlparse(result.headers["location"])
baseurl = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path)
assert baseurl == self.consumer.redirect_uris[0]
self.consumer.parse_response(AuthorizationResponse, info=parsed.query,
sformat="urlencoded")
resp = self.consumer.complete(_state)
assert isinstance(resp, AccessTokenResponse)
assert _eq(resp.keys(),
['token_type', 'state', 'access_token', 'scope'])
assert resp["state"] == _state
def test_userinfo(self):
_state = "state0"
args = {
"client_id": self.consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
result = self.consumer.do_authorization_request(state=_state,
request_args=args)
assert result.status_code == 302
parsed = urlparse(result.headers["location"])
baseurl = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path)
assert baseurl == self.consumer.redirect_uris[0]
self.consumer.parse_response(AuthorizationResponse, info=parsed.query,
sformat="urlencoded")
self.consumer.complete(_state)
result = self.consumer.get_user_info(_state)
assert isinstance(result, OpenIDSchema)
assert _eq(result.keys(),
['name', 'email', 'verified', 'nickname', 'sub'])
def test_token_endpoint_auth(self):
state, location = self.cons.begin("openid", "code",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
aresp = self.cons.parse_response(AuthorizationResponse, resp.message,
sformat="urlencoded")
# Construct Access token request
areq = self.cons.construct_AccessTokenRequest(
redirect_uri="http://example.com/authz",
client_id="client_1",
client_secret='abcdefghijklmnop',
state=state)
txt = areq.to_urlencoded()
self.cons.client_secret='drickyoughurt'
csb = ClientSecretBasic(self.cons)
http_args = csb.construct(areq)
resp = self.provider.token_endpoint(request=txt, remote_user="******",
request_method="POST",
authn=http_args['headers'][
'Authorization'])
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert atr["token_type"] == 'Bearer'
def test_sign_userinfo(self):
_state = "state0"
self.consumer.client_prefs = {"userinfo_signed_response_alg": "RS256"}
self.consumer.provider_info = {
"userinfo_endpoint": "http://localhost:8088/userinfo",
"issuer": "http://localhost:8088/"}
del self.consumer.consumer_config["request_method"]
args = {
"client_id": self.consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
self.consumer.begin("openid", "code")
result = self.consumer.do_authorization_request(state=_state,
request_args=args)
parsed = urlparse(result.headers["location"])
self.consumer.parse_response(AuthorizationResponse, info=parsed.query,
sformat="urlencoded")
self.consumer.complete(_state)
result = self.consumer.get_user_info(_state)
assert isinstance(result, OpenIDSchema)
assert _eq(result.keys(),
['name', 'email', 'verified', 'nickname', 'sub'])
def test_authenticated_hybrid(self):
_state, location = self.cons.begin(
scope="openid email claims_in_id_token",
response_type="code id_token",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
part = self.cons.parse_authz(resp.message)
aresp = part[0]
assert part[1] is None
assert part[2] is not None
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['scope', 'state', 'code', 'id_token'])
assert _eq(self.cons.grant[_state].keys(),
['code', 'id_token', 'tokens',
'exp_in',
'grant_expiration_time', 'seed'])
id_token = part[2]
assert isinstance(id_token, IdToken)
assert _eq(id_token.keys(),
['nonce', 'c_hash', 'sub', 'iss', 'acr', 'exp', 'auth_time',
'iat', 'aud'])
def set_webfinger_resource(oper, args):
"""
Context: WebFinger Query
Action: Specifies the webfinger resource. If the OP supports
webfinger queries then the resource is set to the value of 'webfinger_url'
or 'webfinger_email' from the test instance configuration.
:param oper: An WebFinger instance
:param args: None or a dictionary with the key 'pattern'
"""
try:
oper.resource = oper.op_args["resource"]
except KeyError:
if oper.dynamic:
if args:
_p = urlparse(get_issuer(oper.conv))
oper.op_args["resource"] = args["pattern"].format(
test_id=oper.conv.test_id, host=_p.netloc,
oper_id=oper.conv.operator_id)
else:
_base = oper.sh.tool_conf['issuer']
if oper.conv.operator_id is None:
oper.resource = _base
else:
oper.resource = os.path.join(_base, oper.conv.operator_id,
oper.conv.test_id)
def find_identifier(uri):
if uri.startswith("http"):
p = urlparse(uri)
return p.path[1:] # Skip leading "/"
elif uri.startswith("acct:"):
a = uri[5:]
l, d = a.split("@")
return l
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = "https://example.com/as"
sid = rndstr(8)
args = {"redirect_uri": "http://localhost:8087/authz", "state": sid, "response_type": "code"}
url, body, ht_args, csi = client.request_info(AuthorizationRequest, "GET", request_args=args)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status == "302 Found"
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ["state", "code", "client_id", "iss"])
assert _eq(client.grant[sid].keys(), ["tokens", "code", "exp_in", "seed", "id_token", "grant_expiration_time"])
def parse_url_request(request, url=None, query=None):
if url:
parts = urlparse(url)
scheme, netloc, path, params, query, fragment = parts[:6]
req = request().deserialize(query, "urlencoded")
req.verify()
return req
def test_attributes_bad_port(self):
"""Check handling of non-integer ports."""
p = urllib_parse.urlsplit("http://www.example.net:foo")
self.assertEqual(p.netloc, "www.example.net:foo")
self.assertRaises(ValueError, lambda: p.port)
p = urllib_parse.urlparse("http://www.example.net:foo")
self.assertEqual(p.netloc, "www.example.net:foo")
self.assertRaises(ValueError, lambda: p.port)
# Once again, repeat ourselves to test bytes
p = urllib_parse.urlsplit(b"http://www.example.net:foo")
self.assertEqual(p.netloc, b"www.example.net:foo")
self.assertRaises(ValueError, lambda: p.port)
p = urllib_parse.urlparse(b"http://www.example.net:foo")
self.assertEqual(p.netloc, b"www.example.net:foo")
self.assertRaises(ValueError, lambda: p.port)
def save(self, *args, **kwargs): # pylint: disable=arguments-differ
from readthedocs.projects import tasks
parsed = urlparse(self.domain)
if parsed.scheme or parsed.netloc:
self.domain = parsed.netloc
else:
self.domain = parsed.path
super(Domain, self).save(*args, **kwargs)
broadcast(type='app', task=tasks.symlink_domain, args=[self.project.pk, self.pk])
def include(url, test_id):
p = urlparse(url)
if p.path[1:].startswith(test_id):
if len(p.path[1:].split("/")) <= 1:
return os.path.join(url, "_/_/_/normal")
else:
return url
return "%s://%s/%s%s_/_/_/normal" % (p.scheme, p.netloc, test_id, p.path)
def test_authenticated(self):
_session_db = {}
cons = Consumer(_session_db, client_config=CLIENT_CONFIG,
server_info=SERVER_INFO, **CONSUMER_CONFIG)
sid, location = cons.begin("http://localhost:8087",
"http://localhost:8088/authorization")
resp = self.provider.authorization_endpoint(urlparse(location).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
aresp = cons.handle_authorization_response(query=resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(cons.grant[sid].keys(), ['tokens', 'code', 'exp_in',
'seed', 'id_token',
'grant_expiration_time'])
def _verify_redirect_uri(self, areq):
"""
MUST NOT contain a fragment
MAY contain query component
:return: An error response if the redirect URI is faulty otherwise
None
"""
try:
_redirect_uri = unquote(areq["redirect_uri"])
part = urlparse(_redirect_uri)
if part.fragment:
raise URIError("Contains fragment")
(_base, _query) = splitquery(_redirect_uri)
if _query:
_query = parse_qs(_query)
match = False
for regbase, rquery in self.cdb[str(areq["client_id"])][
"redirect_uris"]:
if _base == regbase or _redirect_uri.startswith(regbase):
# every registered query component must exist in the
# redirect_uri
if rquery:
for key, vals in rquery.items():
assert key in _query
for val in vals:
assert val in _query[key]
# and vice versa, every query component in the redirect_uri
# must be registered
if _query:
if rquery is None:
raise ValueError
for key, vals in _query.items():
assert key in rquery
for val in vals:
assert val in rquery[key]
match = True
break
if not match:
raise RedirectURIError("Doesn't match any registered uris")
# ignore query components that are not registered
return None
except Exception as err:
logger.error("Faulty redirect_uri: %s" % areq["redirect_uri"])
try:
_cinfo = self.cdb[str(areq["client_id"])]
except KeyError:
logger.info("Unknown client: %s" % areq["client_id"])
raise UnknownClient(areq["client_id"])
else:
logger.info("Registered redirect_uris: %s" % _cinfo)
raise RedirectURIError(
"Faulty redirect_uri: %s" % areq["redirect_uri"])
def get_urlinfo(self, info):
if '?' in info or '#' in info:
parts = urlparse(info)
scheme, netloc, path, params, query, fragment = parts[:6]
# either query of fragment
if query:
info = query
else:
info = fragment
return info
def test_authenticated_none(self):
_state, location = self.cons.begin("openid", response_type="none",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=location.split("?")[1])
parsed = urlparse(resp.message)
assert "{}://{}{}".format(parsed.scheme, parsed.netloc,
parsed.path) == "http://localhost:8087/authz"
assert "state" in parse_qs(parsed.query)
def test_userinfo_endpoint(self):
self.cons.client_secret = "drickyoughurt"
self.cons.config["response_type"] = ["token"]
self.cons.config["request_method"] = "parameter"
state, location = self.cons.begin("openid", "token",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp.message, "json")
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def update_url_with_kwargs(url, **kwargs):
if not url:
return
url_parts = list(urlparse(url))
query = dict(parse_qsl(url_parts[4]))
query.update(kwargs)
url_parts[4] = urlencode(query)
return urlunparse(url_parts)
def test_authenticated(self):
_session_db = {}
cons = Consumer(_session_db,
client_config=CLIENT_CONFIG,
server_info=SERVER_INFO,
**CONSUMER_CONFIG)
sid, location = cons.begin("http://localhost:8087",
"http://localhost:8088/authorization")
resp = self.provider.authorization_endpoint(urlparse(location).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
with LogCapture(level=logging.DEBUG) as logcap:
aresp = cons.handle_authorization_response(query=resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(cons.grant[sid].keys(), [
'tokens', 'code', 'exp_in', 'seed', 'id_token',
'grant_expiration_time'
])
state = aresp['state']
assert _eq(logcap.records[0].msg, '- authorization - code flow -')
assert verify_outcome(logcap.records[1].msg, 'QUERY: ', [
'state={}'.format(state), 'code=<REDACTED>', 'client_id=client1',
'iss=https://example.com/as'
])
expected = {
'iss': 'https://example.com/as',
'state': state,
'code': '<REDACTED>',
'client_id': 'client1'
}
# Eval here to avoid intermittent failures due to dict ordering
assert _eq(eval(logcap.records[2].msg[29:-1]), expected)
expected = [
"'client_id': 'client1'", "'iss': 'https://example.com/as'",
"'keyjar': <KeyJar(issuers=[])>"
]
assert _eq(sorted(logcap.records[3].msg[22:-1].split(', ')), expected)
def save(self, *args, **kwargs): # pylint: disable=arguments-differ
from readthedocs.projects import tasks
parsed = urlparse(self.domain)
if parsed.scheme or parsed.netloc:
self.domain = parsed.netloc
else:
self.domain = parsed.path
super(Domain, self).save(*args, **kwargs)
broadcast(type='app', task=tasks.symlink_domain,
args=[self.project.pk, self.pk],)
def wait(self, url):
domain = urlparse(url).netloc
last_accessed = self.domains.get(domain)
if self.delay > 0 and last_accessed is not None:
sleep_secs = self.delay - (datetime.datetime.now() -
last_accessed).seconds
if sleep_secs > 0:
time.sleep(sleep_secs)
self.domains[domain] = datetime.datetime.now()
def get_urlinfo(info):
# If info is a whole URL pick out the query or fragment part
if '?' in info or '#' in info:
parts = urlparse(info)
scheme, netloc, path, params, query, fragment = parts[:6]
# either query of fragment
if query:
info = query
else:
info = fragment
return info
def parse_url_request(request, url=None, query=None):
if url:
parts = urlparse(url)
scheme, netloc, path, params, query, fragment = parts[:6]
if isinstance(query, dict):
req = request(**query)
else:
req = request().deserialize(query, "urlencoded")
req.verify()
return req
def test_telurl_params(self):
p1 = urllib_parse.urlparse('tel:123-4;phone-context=+1-650-516')
self.assertEqual(p1.scheme, 'tel')
self.assertEqual(p1.path, '123-4')
self.assertEqual(p1.params, 'phone-context=+1-650-516')
p1 = urllib_parse.urlparse('tel:+1-201-555-0123')
self.assertEqual(p1.scheme, 'tel')
self.assertEqual(p1.path, '+1-201-555-0123')
self.assertEqual(p1.params, '')
p1 = urllib_parse.urlparse('tel:7042;phone-context=example.com')
self.assertEqual(p1.scheme, 'tel')
self.assertEqual(p1.path, '7042')
self.assertEqual(p1.params, 'phone-context=example.com')
p1 = urllib_parse.urlparse('tel:863-1234;phone-context=+1-914-555')
self.assertEqual(p1.scheme, 'tel')
self.assertEqual(p1.path, '863-1234')
self.assertEqual(p1.params, 'phone-context=+1-914-555')
def test_authorization_endpoint_id_token(self):
bib = {
"scope": ["openid"],
"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
"redirect_uri": "http://localhost:8087/authz",
"response_type": ["code", "id_token"],
"client_id": "a1b2c3",
"nonce": "Nonce",
"prompt": ["none"]
}
req = AuthorizationRequest(**bib)
areq = AuthorizationRequest(response_type="code",
client_id="client_1",
redirect_uri="http://example.com/authz",
scope=["openid"],
state="state000")
sdb = self.provider.sdb
ae = AuthnEvent("userX", "salt")
sid = sdb.create_authz_session(ae, areq)
sdb.do_sub(sid, "client_salt")
_info = sdb[sid]
# All this is jut removed when the id_token is constructed
# The proper information comes from the session information
_user_info = IdToken(iss="https://foo.example.om",
sub="foo",
aud=bib["client_id"],
exp=epoch_in_a_while(minutes=10),
acr="2",
nonce=bib["nonce"])
idt = self.provider.id_token_as_signed_jwt(_info,
access_token="access_token",
user_info=_user_info)
req["id_token"] = idt
query_string = req.to_urlencoded()
# client_id not in id_token["aud"] so login required
resp = self.provider.authorization_endpoint(request=query_string,
cookie="FAIL")
parsed_resp = parse_qs(urlparse(resp.message).fragment)
assert parsed_resp["error"][0] == "login_required"
req["client_id"] = "client_1"
query_string = req.to_urlencoded()
# client_id is in id_token["aud"] so no login required
resp = self.provider.authorization_endpoint(request=query_string,
cookie="FAIL")
assert resp.message.startswith("http://localhost:8087/authz")
def replace_host(url, host):
"""
将一个url的host替换成为目标host, 生成新的url.
:param url:
:param host:
:return:
"""
if url is None:
return ''
pr = urlparse(url)
r = pr._replace(netloc=host)
return r.geturl()
def test_authenticated_url(self):
state, location = self.cons.begin("openid", "code",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
aresp = self.cons.parse_response(AuthorizationResponse, resp.message,
sformat="urlencoded")
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['code', 'state', 'scope', 'client_id', 'iss'])
def sign_http_args(method, url, headers, body=''):
p = urlparse(url)
kwargs = {'path': p.path, 'host': p.netloc, 'headers': headers,
'method': method}
if body:
kwargs['body'] = body
query_params = compact(parse_qs(p.query))
kwargs['query_params'] = query_params
return kwargs
def login_hint(oper, args):
_iss = oper.conv.entity.provider_info["issuer"]
p = urlparse(_iss)
try:
hint = oper.conv.get_tool_attribute("login_hint")
except KeyError:
hint = "buffy@%s" % p.netloc
else:
if "@" not in hint:
hint = "%s@%s" % (hint, p.netloc)
oper.req_args["login_hint"] = hint
def pack_redirect_uri(redirect_uris):
ruri = []
for uri in redirect_uris:
if urlparse(uri).fragment:
print("Faulty redirect uri, contains fragment", file=sys.stderr)
base, query = splitquery(uri)
if query:
ruri.append([base, parse_qs(query)])
else:
ruri.append([base, query])
return ruri
def test_attributes_without_netloc(self):
# This example is straight from RFC 3261. It looks like it
# should allow the username, hostname, and port to be filled
# in, but doesn't. Since it's a URI and doesn't use the
# scheme://netloc syntax, the netloc and related attributes
# should be left empty.
uri = "sip:[email protected];maddr=239.255.255.1;ttl=15"
p = urllib_parse.urlsplit(uri)
self.assertEqual(p.netloc, "")
self.assertEqual(p.username, None)
self.assertEqual(p.password, None)
self.assertEqual(p.hostname, None)
self.assertEqual(p.port, None)
self.assertEqual(p.geturl(), uri)
p = urllib_parse.urlparse(uri)
self.assertEqual(p.netloc, "")
self.assertEqual(p.username, None)
self.assertEqual(p.password, None)
self.assertEqual(p.hostname, None)
self.assertEqual(p.port, None)
self.assertEqual(p.geturl(), uri)
# You guessed it, repeating the test with bytes input
uri = b"sip:[email protected];maddr=239.255.255.1;ttl=15"
p = urllib_parse.urlsplit(uri)
self.assertEqual(p.netloc, b"")
self.assertEqual(p.username, None)
self.assertEqual(p.password, None)
self.assertEqual(p.hostname, None)
self.assertEqual(p.port, None)
self.assertEqual(p.geturl(), uri)
p = urllib_parse.urlparse(uri)
self.assertEqual(p.netloc, b"")
self.assertEqual(p.username, None)
self.assertEqual(p.password, None)
self.assertEqual(p.hostname, None)
self.assertEqual(p.port, None)
self.assertEqual(p.geturl(), uri)
def test_authorization_endpoint_bad_scope(self):
bib = {"scope": ["openid", "offline_access"],
"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
"redirect_uri": "http://localhost:8087/authz",
"response_type": ["code"],
"client_id": "a1b2c3"}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
assert resp.status == "303 See Other"
parsed = parse_qs(urlparse(resp.message).query)
assert parsed["error"][0] == "invalid_request"
assert parsed["error_description"][0] == "consent in prompt"
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {
'redirect_uri': "http://localhost:8087/authz",
"state": sid, "response_type": 'code'}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, 'GET', request_args=args)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(client.grant[sid].keys(), ['tokens', 'code', 'exp_in',
'seed', 'id_token',
'grant_expiration_time'])
def test_portseparator(self):
# Issue 754016 makes changes for port separator ':' from scheme separator
self.assertEqual(urllib_parse.urlparse("path:80"),
('','','path:80','','',''))
self.assertEqual(urllib_parse.urlparse("http:"),('http','','','','',''))
self.assertEqual(urllib_parse.urlparse("https:"),('https','','','','',''))
self.assertEqual(urllib_parse.urlparse("http://www.python.org:80"),
('http','www.python.org:80','','','',''))
# As usual, need to check bytes input as well
self.assertEqual(urllib_parse.urlparse(b"path:80"),
(b'',b'',b'path:80',b'',b'',b''))
self.assertEqual(urllib_parse.urlparse(b"http:"),(b'http',b'',b'',b'',b'',b''))
self.assertEqual(urllib_parse.urlparse(b"https:"),(b'https',b'',b'',b'',b'',b''))
self.assertEqual(urllib_parse.urlparse(b"http://www.python.org:80"),
(b'http',b'www.python.org:80',b'',b'',b'',b''))
def test_authenticated(self):
_state, location = self.cons.begin("openid", "code",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
parsed = urlparse(resp.message)
assert "{}://{}{}".format(parsed.scheme, parsed.netloc,
parsed.path) == "http://localhost:8087/authz"
part = self.cons.parse_authz(query=resp.message)
aresp = part[0]
assert part[1] is None
assert part[2] is None
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['code', 'state', 'scope', 'client_id', 'iss'])
assert _eq(self.cons.grant[_state].keys(),
['code', 'tokens', 'id_token', 'exp_in', 'seed',
'grant_expiration_time'])
def test_mixed_types_rejected(self):
# Several functions that process either strings or ASCII encoded bytes
# accept multiple arguments. Check they reject mixed type input
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlparse("www.python.org", b"http")
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlparse(b"www.python.org", "http")
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlsplit("www.python.org", b"http")
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlsplit(b"www.python.org", "http")
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlunparse(( b"http", "www.python.org","","","",""))
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlunparse(("http", b"www.python.org","","","",""))
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlunsplit((b"http", "www.python.org","","",""))
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urlunsplit(("http", b"www.python.org","","",""))
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urljoin("http://python.org", b"http://python.org")
with self.assertRaisesRegex(TypeError, "Cannot mix str"):
urllib_parse.urljoin(b"http://python.org", "http://python.org")
def decide_if_cors(sender, request, **kwargs): # pylint: disable=unused-argument
"""
Decide whether a request should be given CORS access.
This checks that:
* The URL is whitelisted against our CORS-allowed domains
* The Domain exists in our database, and belongs to the project being queried.
Returns True when a request should be given CORS access.
"""
if 'HTTP_ORIGIN' not in request.META:
return False
host = urlparse(request.META['HTTP_ORIGIN']).netloc.split(':')[0]
# Don't do domain checking for this API for now
if request.path_info.startswith('/api/v2/sustainability'):
return True
# Don't do domain checking for APIv2 when the Domain is known
if request.path_info.startswith('/api/v2/') and request.method in SAFE_METHODS:
domain = Domain.objects.filter(domain__icontains=host)
if domain.exists():
return True
valid_url = False
for url in WHITELIST_URLS:
if request.path_info.startswith(url):
valid_url = True
break
if valid_url:
project_slug = request.GET.get('project', None)
try:
project = Project.objects.get(slug=project_slug)
except Project.DoesNotExist:
log.warning(
'Invalid project passed to domain. [%s:%s]',
project_slug,
host,
)
return False
domain = Domain.objects.filter(
Q(domain__icontains=host),
Q(project=project) | Q(project__subprojects__child=project),
)
if domain.exists():
return True
return False
def main_setup(log):
from oidctest import profiles
from oidctest import oper
parser = argparse.ArgumentParser()
parser.add_argument('-f', dest='flows')
parser.add_argument('-l', dest="log_name")
parser.add_argument('-p', dest="profile")
parser.add_argument(dest="config")
cargs = parser.parse_args()
if "/" in cargs.flows:
head, tail = os.path.split(cargs.flows)
sys.path.insert(0, head)
FLOWS = importlib.import_module(tail)
else:
FLOWS = importlib.import_module(cargs.flows)
CONF = importlib.import_module(cargs.config)
if cargs.log_name:
setup_logger(log, cargs.log_name)
else:
setup_logger(log)
# Add own keys for signing/encrypting JWTs
try:
jwks, keyjar, kidd = build_keyjar(CONF.keys)
except KeyError:
raise
else:
# export JWKS
p = urlparse(CONF.KEY_EXPORT_URL)
with open("." + p.path, "w") as f:
f.write(json.dumps(jwks))
jwks_uri = p.geturl()
return {
"base_url": CONF.BASE,
"kidd": kidd,
"jwks_uri": jwks_uri,
"flows": FLOWS.FLOWS,
"conf": CONF,
"cinfo": CONF.INFO,
"orddesc": FLOWS.ORDDESC,
"profiles": profiles,
"operations": oper,
"profile": cargs.profile
}
def resource(oper, args):
"""
Context:
Action:
Example:
:param oper:
:param args:
:return:
"""
_p = urlparse(get_issuer(oper.conv))
oper.op_args["resource"] = args["pattern"].format(
test_id=oper.conv.test_id, host=_p.netloc,
oper_id=oper.conv.operator_id)
def test_authorization_endpoint(self):
bib = {"scope": ["openid"],
"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
"redirect_uri": "http://localhost:8087/authz",
"response_type": ["code"],
"client_id": "a1b2c3",
"nonce": "Nonce"}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
parsed = parse_qs(urlparse(resp.message).query)
assert parsed["scope"] == ["openid"]
assert parsed["state"][0] == "id-6da9ca0cc23959f5f33e8becd9b08cae"
assert "code" in parsed
def test_authenticated_token(self):
_session_db = {}
cons = Consumer(_session_db, client_config=CLIENT_CONFIG,
server_info=SERVER_INFO, **CONSUMER_CONFIG)
sid, location = cons.begin("http://localhost:8087",
"http://localhost:8088/authorization",
"token")
QUERY_STRING = location.split("?")[1]
resp = self.provider.authorization_endpoint(QUERY_STRING)
auth_resp = parse_qs(urlparse(resp.message).fragment)
assert "access_token" in auth_resp
assert auth_resp["token_type"][0] == "Bearer"
def get_base(base):
"""
Make sure a '/' terminated URL is returned
"""
part = urlparse(base)
if part.path:
if not part.path.endswith("/"):
_path = part.path[:] + "/"
else:
_path = part.path[:]
else:
_path = "/"
return "%s://%s%s" % (part.scheme, part.netloc, _path,)
def test_unparse_parse(self):
str_cases = [
'Python',
'./Python',
'x-newscheme://foo.com/stuff',
'x://y',
'x:/y',
'x:/',
'/',
]
bytes_cases = [x.encode('ascii') for x in str_cases]
for u in str_cases + bytes_cases:
self.assertEqual(urllib_parse.urlunsplit(urllib_parse.urlsplit(u)),
u)
self.assertEqual(urllib_parse.urlunparse(urllib_parse.urlparse(u)),
u)
def verify(self, **kwargs):
if "initiate_login_uri" in self and not self[
"initiate_login_uri"].startswith("https:"):
raise RegistrationError('initiate_login_uri is not https')
if "redirect_uris" in self:
for uri in self["redirect_uris"]:
if urlparse(uri).fragment:
raise InvalidRedirectUri(
"redirect_uri contains fragment: %s" % uri)
for uri in ["client_uri", "logo_uri", "tos_uri", "policy_uri"]:
if uri in self:
try:
resp = requests.request("GET",
str(self[uri]),
allow_redirects=True,
verify=False)
except requests.ConnectionError:
raise MissingPage(self[uri])
if resp.status_code not in SUCCESSFUL:
raise MissingPage(self[uri])
# if "grant_types" in self and "response_types" in self:
# for typ in self["grant_types"]:
# if typ == "authorization_code":
# assert "code" in self["response_types"]
# elif typ == "implicit":
# assert "token" in self["response_types"]
try:
ss = self['software_statement']
except KeyError:
pass
else:
# need to get the client keys before I can verify any signature
# kj = kwargs['keyjar']
# The case where jwks_uri is used
# try:
# kj.add(,self['jwks_uri'])
_ss = []
for _s in ss:
_ss.append(unpack_software_statement(_s, '', kwargs['keyjar']))
self['__software_statement'] = _ss
return super(RegistrationRequest, self).verify(**kwargs)