def test_create_fo_keys_bundle(): jb = JWKSBundle(ORGOP.iss, ORGOP.keyjar) jb[FOP.iss] = FOP.keyjar jb[FO1P.iss] = FO1P.keyjar sb = jb.create_signed_bundle() _jw = jws.factory(sb) assert _jw
def test_dumps(): jb = JWKSBundle('iss') for iss, op in OPERATOR.items(): jb[op.iss] = op.keyjar bs = jb.dumps() assert len(bs) > 2000
def __init__(self, keyjar=None, fo_keyjar=None, httpcli=None, jwks_file='', iss=None, keyconf=None, bundle_sign_alg='RS256'): Operator.__init__(self, keyjar=keyjar, fo_keyjar=fo_keyjar, httpcli=httpcli, iss=iss, jwks_file=jwks_file) if self.keyjar is None: self.keyjar = build_keyjar(keyconf)[1] if jwks_file: fp = open(jwks_file, 'w') fp.write(json.dumps(self.keyjar.export_jwks(private=True))) fp.close() self.keyconf = keyconf self.bundle_sign_alg = bundle_sign_alg self.jb = JWKSBundle(iss, self.keyjar)
def test_create_verify(): jb = JWKSBundle('iss', SignKeyJar) for iss, op in OPERATOR.items(): jb[op.iss] = op.keyjar _jws = jb.create_signed_bundle() _jwks = SignKeyJar.export_jwks() kj = KeyJar() kj.import_jwks(_jwks, 'iss') bundle = verify_signed_bundle(_jws, kj) assert bundle
def test_create_verify_fo_keys_bundle(): jb = JWKSBundle(ORGOP.iss, ORGOP.keyjar) jb[FOP.iss] = FOP.keyjar jb[FO1P.iss] = FO1P.keyjar sb = jb.create_signed_bundle() kj = KeyJar() kj.add_keyjar(ORGOP.keyjar) # Necessary since otherwise it won't find the key kj.issuer_keys[ORGOP.iss] = kj.issuer_keys[''] _jwt = verify_signed_bundle(sb, kj) bundle = json.loads(_jwt["bundle"]) assert set(bundle.keys()) == {FOP.iss, FO1P.iss}
def test_dump_load(): jb = JWKSBundle('iss') for iss, op in OPERATOR.items(): jb[op.iss] = op.keyjar bs = jb.dumps() receiver = JWKSBundle('') receiver.loads(bs) assert len(receiver.keys()) == 4 assert set(receiver.keys()) == set([op.iss for op in OPERATOR.values()])
class FederationOperator(Operator): def __init__(self, keyjar=None, fo_keyjar=None, httpcli=None, jwks_file='', iss=None, keyconf=None, bundle_sign_alg='RS256'): Operator.__init__(self, keyjar=keyjar, fo_keyjar=fo_keyjar, httpcli=httpcli, iss=iss, jwks_file=jwks_file) if self.keyjar is None: self.keyjar = build_keyjar(keyconf)[1] if jwks_file: fp = open(jwks_file, 'w') fp.write(json.dumps(self.keyjar.export_jwks(private=True))) fp.close() self.keyconf = keyconf self.bundle_sign_alg = bundle_sign_alg self.jb = JWKSBundle(iss, self.keyjar) def public_keys(self): return self.keyjar.export_jwks() def rotate_keys(self, keyconf=None): _old = [k.kid for k in self.keyjar.get_issuers_keys('') if k.kid] if keyconf: self.keyjar = build_keyjar(keyconf, keyjar=self.keyjar)[1] else: self.keyjar = build_keyjar(self.keyconf, keyjar=self.keyjar)[1] for k in self.keyjar.get_issuers_keys(''): if k.kid in _old: if not k.inactive_since: k.inactive_since = time.time() def export_jwks(self): return self.keyjar.export_jwks() def add_to_bundle(self, fo, jwks): self.jb[fo] = jwks def remove_from_bundle(self, fo): del self.jb[fo] def export_bundle(self): return self.jb.create_signed_bundle(sign_alg=self.bundle_sign_alg)
def import_from_bundle(self, uri, sign_key): _jb = {} p = urlparse(uri) if p[0] == 'file': jwks_bundle = open(p.path, 'r').read() _jb = JWKSBundle('', sign_keys=sign_key) _jb.loads(jwks_bundle) elif p[0] in ['http', 'https']: r = self.httpcli.http_request(uri) if r.status == 200: _jb = JWKSBundle('', sign_keys=sign_key) _jb.loads(r.text) else: raise ValueError('Unsupported scheme') if self.fo_keyjar: kj = self.fo_keyjar else: kj = KeyJar() for iss, ikj in _jb.items(): kj.issuer_keys[iss] = ikj.issuer_keys['']
def fo_member(*args): _jb = JWKSBundle('') for fo in args: _jb[fo.iss] = fo.keyjar.issuer_keys[''] return Operator(jwks_bundle=_jb)
def fo_member(*args): _jb = JWKSBundle('https://sunet.se/op') for fo in args: _jb[fo.iss] = fo.signing_keys_as_jwks() return Operator(jwks_bundle=_jb)
KEYS = {} ISSUER = {} OPERATOR = {} for entity in ['fo', 'fo1', 'org', 'inter', 'admin', 'ligo', 'op']: fname = os.path.join(BASE_PATH, "{}.key".format(entity)) _keydef = KEYDEFS[:] _keydef[0]['key'] = fname _jwks, _keyjar, _kidd = build_keyjar(_keydef) KEYS[entity] = {'jwks': _jwks, 'keyjar': _keyjar, 'kidd': _kidd} ISSUER[entity] = 'https://{}.example.org'.format(entity) OPERATOR[entity] = Operator(keyjar=_keyjar, iss=ISSUER[entity]) FOP = OPERATOR['fo'] FOP.jwks_bundle = JWKSBundle(FOP.iss) FOP.jwks_bundle[FOP.iss] = FOP.keyjar FO1P = OPERATOR['fo1'] FO1P.jwks_bundle = JWKSBundle(FO1P.iss) FO1P.jwks_bundle[FO1P.iss] = FO1P.keyjar ORGOP = OPERATOR['org'] ADMINOP = OPERATOR['admin'] INTEROP = OPERATOR['inter'] LIGOOP = OPERATOR['ligo'] OPOP = OPERATOR['ligo'] def fo_member(*args): _jb = JWKSBundle('https://sunet.se/op')
def test_create(): jb = JWKSBundle('iss') for iss, op in OPERATOR.items(): jb[op.iss] = op.keyjar assert len(jb.keys()) == 4
# ---------------------------------------------------------------------------- # The RP publishes Registration Request # ---------------------------------------------------------------------------- rere = Message( redirect_uris=['https://sunet.se/rp1/callback'], metadata_statements=[rp_sunet_swamid, rp_sunet_incommon] ) print_request('Registration Request published by RP', rere) # ### ====================================================================== # # On the OP # ### ====================================================================== _jb = JWKSBundle('https://sunet.se/op') _jb[swamid.iss] = swamid.signing_keys_as_jwks() _jb[incommon.iss] = incommon.signing_keys_as_jwks() op = Operator(iss='https://sunet.se/op', jwks_bundle=_jb) print('Unpack the request') # ----------------------------------------------------------------------------- # Unpacking the russian doll (= the metadata_statements) # ----------------------------------------------------------------------------- _cms = op.unpack_metadata_statement(json_ms=rere) res = op.evaluate_metadata_statement(_cms) print(70 * ":")