def test_handle_registration_response(self):
federation_key = sym_key()
op_root_key = rsa_key()
op_intermediate_key = rsa_key()
op_signed_intermediate_key = JWS(json.dumps(op_intermediate_key.serialize(private=False)),
alg=op_root_key.alg).sign_compact(keys=[op_root_key])
op_software_statement = Federation(federation_key).create_software_statement(
dict(issuer=ISSUER, root_key=op_root_key.serialize(private=False),
scopes_supported=["openid", "test_scope"]))
rp = RP(None, sym_key(), [], [federation_key], None)
signed_jwks_uri = "{}/signed_jwks".format(ISSUER)
# fake provider discovery
rp.client.provider_info = FederationProviderConfigurationResponse(
**dict(signing_key=op_signed_intermediate_key, signed_jwks_uri=signed_jwks_uri,
issuer=ISSUER))
# signed_jwks_uri
expected_kid = "OP key 1"
keys = [RSAKey(key=RSA.generate(1024), kid=expected_kid).serialize(private=False)]
jwks = json.dumps(dict(keys=keys))
jws = JWS(jwks, alg=op_intermediate_key.alg).sign_compact(keys=[op_intermediate_key])
responses.add(responses.GET, signed_jwks_uri, body=jws, status=200,
content_type="application/jose")
resp_args = dict(provider_software_statement=op_software_statement, client_id="foo")
reg_resp = FederationRegistrationResponse(**resp_args)
rp._handle_registration_response(reg_resp)
assert set(rp.client.provider_info["scopes_supported"]) == {"openid", "test_scope"}
assert rp.client.client_id == "foo"
assert rp.client.keyjar[ISSUER][0].keys()[0].kid == expected_kid
def test_accept_signed_metadata_provider_intermediate_key(self):
op_intermediate_key = rsa_key()
rp = RP(None, sym_key(), [], None, None)
signed_provider_metadata = JWS(json.dumps(DEFAULT_PROVIDER_CONFIG),
alg=op_intermediate_key.alg).sign_compact(
keys=[op_intermediate_key])
assert rp._verify_signed_provider_metadata(signed_provider_metadata, op_intermediate_key)
def test_reject_signed_metadata_not_signed_by_provider_intermediate_key(self):
op_intermediate_key = rsa_key()
other_key = rsa_key()
rp = RP(None, sym_key(), [], None, None)
signed_provider_metadata = JWS(json.dumps(DEFAULT_PROVIDER_CONFIG),
alg=other_key.alg).sign_compact(keys=[other_key])
with pytest.raises(OIDCFederationError):
rp._verify_signed_provider_metadata(signed_provider_metadata, op_intermediate_key)
def test_sign_registration_request(self):
rp_root_key = rsa_key()
rp = RP(None, rp_root_key, [], None, None)
reg_req = FederationRegistrationRequest(**{"foo": "bar"})
signed = rp._sign_registration_request(reg_req)
_jws = JWS()
assert _jws.is_jws(signed)
assert _jws.jwt.headers["kid"] == rp.intermediate_key.kid
assert SignedHttpRequest(rp.intermediate_key).verify(signed, body=reg_req.to_json())
def test_reject_software_statement_with_mismatching_issuer(self):
fed_key = sym_key()
op_root_key = rsa_key()
provider_config = self.create_provider_config(op_root_key, fed_key)
provider_config["issuer"] = "https://other-op.example.com"
rp = RP(None, sym_key(), [], [fed_key], None)
with pytest.raises(OIDCFederationError) as exc:
rp._validate_provider_configuration(
FederationProviderConfigurationResponse(**provider_config))
assert "issuer" in str(exc.value)
def test_handle_registration_response_fail_when_wrong_software_statement(self):
rp = RP(None, sym_key(), [], None, None)
rp.client.provider_info = FederationProviderConfigurationResponse(
**dict(signing_key="whatever")) # fake provider discovery
resp_args = dict(provider_software_statement="abcdef")
reg_resp = FederationRegistrationResponse(**resp_args)
with pytest.raises(OIDCFederationError) as exc:
rp._handle_registration_response(reg_resp)
assert "software statement" in str(exc.value)
def test_create_registration_request(self):
signed_jwks_uri = "{}/signed_jwks".format(ISSUER)
federation_key = sym_key()
rp_root_key = rsa_key()
rp_software_statement = Federation(federation_key).create_software_statement(
dict(redirect_uris=["https://rp.example.com"]))
rp = RP(None, rp_root_key, [rp_software_statement], [federation_key], signed_jwks_uri)
reg_req = rp._create_registration_request({})
assert reg_req.verify()
assert reg_req["software_statements"] == [rp_software_statement]
assert reg_req["signing_key"] == rp.signed_intermediate_key
assert reg_req["signed_jwks_uri"] == signed_jwks_uri
def test_get_provider_configuration(self):
# key/signing stuff
federation_key = sym_key()
op_root_key = rsa_key()
provider_config = self.create_provider_config(op_root_key, federation_key)
# provider configuration endpoint
responses.add(responses.GET, "{}/.well-known/openid-configuration".format(ISSUER),
body=json.dumps(provider_config), status=200,
content_type="application/json")
rp = RP(None, sym_key(), [], [federation_key], None)
provider_config = rp.get_provider_configuration(ISSUER)
assert provider_config["issuer"] == ISSUER
# value from signed metadata overrides plain value
assert provider_config["id_token_signing_alg_values_supported"] == ["RS512"]
def test_register_with_provider(self):
registration_endpoint = "{}/registration".format(ISSUER)
signed_jwks_uri = "{}/signed_jwks".format(ISSUER)
federation_key = sym_key()
rp_root_key = rsa_key()
rp_software_statement = Federation(federation_key).create_software_statement(
dict(redirect_uris=["https://rp.example.com"]))
op_root_key = rsa_key()
op_intermediate_key = rsa_key()
op_signed_intermediate_key = JWS(json.dumps(op_intermediate_key.serialize(private=False)),
alg=op_root_key.alg).sign_compact(keys=[op_root_key])
op_software_statement = Federation(federation_key).create_software_statement(
dict(issuer=ISSUER, root_key=op_root_key.serialize(private=False),
scopes_supported=["openid", "test_scope"]))
# signed_jwks_uri
expected_kid = "OP key 1"
keys = [RSAKey(key=RSA.generate(1024), kid=expected_kid).serialize(private=False)]
jwks = json.dumps(dict(keys=keys))
jws = JWS(jwks, alg=op_intermediate_key.alg).sign_compact(keys=[op_intermediate_key])
responses.add(responses.GET, signed_jwks_uri, body=jws, status=200,
content_type="application/jose")
rp = RP(None, rp_root_key, [rp_software_statement], [federation_key], None)
rp.client.provider_info = FederationProviderConfigurationResponse(
**dict(issuer=ISSUER, signing_key=op_signed_intermediate_key,
registration_endpoint=registration_endpoint,
signed_jwks_uri=signed_jwks_uri))
reg_resp = FederationRegistrationResponse(
**dict(provider_software_statement=op_software_statement,
client_id="foo", redirect_uris=["https://rp.example.com"]))
responses.add(responses.POST, registration_endpoint, body=reg_resp.to_json(), status=201,
content_type="application/json")
client_registration_data = {}
rp.register_with_provider(ISSUER, client_registration_data)
assert rp.client.client_id == "foo"
assert rp.client.provider_signing_key == op_intermediate_key
assert rp.client.keyjar[ISSUER][0].keys()[0].kid == expected_kid
def test_reject_provider_configuration_with_missing_parameter(self):
rp = RP(None, sym_key(), [], None, None)
with pytest.raises(OIDCFederationError) as exc:
# default provider config missing all extra required attributes of FederationProviderConfigurationResponse
rp._validate_provider_configuration(
FederationProviderConfigurationResponse(**DEFAULT_PROVIDER_CONFIG))
