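def sign_jwt(self, additional_payload=None):
    """Return a test JWT signed with the RSA private key in test/data/jwt-private-key.

    The default claims are: ``aud`` = the app's OIDC ``client_id``, ``exp`` ten
    minutes from now, ``iat`` = now, a fixed ``iss`` of "issuer", a random
    ``jti`` and ``acr`` = the module-level ``ACR_VALUES``. ``additional_payload``
    is merged on top, so a caller can override any of these (e.g. "sub" or
    "acr"). The token is signed with RS256 under header ``kid`` "test".

    Args:
        additional_payload: claims merged over the defaults. ``None`` (the
            default) adds nothing; this replaces the former mutable ``{}``
            default and is backward-compatible for every caller.

    Returns:
        The encoded JWT as produced by ``jwt.encode``.
    """
    if additional_payload is None:
        additional_payload = {}
    now = int(time())
    aud = self.app.app_config.oidc.client_id
    payload = {
        "aud": aud,
        "exp": now + (60 * 10),  # ten-minute lifetime
        "iat": now,
        "iss": "issuer",
        "jti": str(uuid4()),
        "acr": ACR_VALUES,
    }
    # Test fixture key; presumably the counterpart of test/data/public.json that
    # the tests serve from the mocked JWKS endpoint — confirm if verification fails.
    private_key = read_file("test/data/jwt-private-key")
    return jwt.encode(
        {**payload, **additional_payload},
        private_key,
        algorithm="RS256",
        headers={"kid": "test"},
    )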
def test_sfo_scenario_invalid_sub(self):
    """The SFO endpoint answers a 302 to the eduteams redirect URI carrying ``?error=`` when the token's sub is "nope".

    The JWKS endpoint is mocked with test/data/public.json so the signed test
    token can be verified; the request is made without basic auth.
    """
    oidc = self.app.app_config.oidc
    responses.add(responses.GET, oidc.jwks_endpoint, read_file("test/data/public.json"), status=200)
    token = self.sign_jwt({"sub": "nope", "kid": "test"})
    res = self.get(
        "/api/mfa/sfo",
        query_data={"access_token": token},
        response_status_code=302,
        with_basic_auth=False,
    )
    error_redirect_prefix = f"{oidc.sfo_eduteams_redirect_uri}?error="
    location = res.headers.get("location")
    self.assertTrue(location.startswith(error_redirect_prefix))
def _get_public_key():
    """Return the JWKS document for the SBS RSA signing key, building it on first use.

    The public key file at ``oidc.public_rsa_signing_key_path`` is read once
    per process and the resulting JWKS is cached in the module-level
    ``public_key_json``. Only the public half of the key pair is exposed
    here; the JWK is annotated with alg RS256, kid "sbs" and use "sig".
    """
    global public_key_json
    if public_key_json is not None:
        return public_key_json
    pem = read_file(current_app.app_config.oidc.public_rsa_signing_key_path)
    jwk_entry = jwk.dumps(pem, kty='RSA')
    jwk_entry["alg"] = "RS256"
    jwk_entry["kid"] = "sbs"
    jwk_entry["use"] = "sig"
    public_key_json = {"keys": [jwk_entry]}
    return public_key_json
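def login(self, uid="urn:john", schac_home_organisation=None, user_info=None):
    """Log the test client in through the mocked OIDC flow.

    Mocks the token endpoint (returning "some_token" and an id_token from
    ``sign_jwt``), the userinfo endpoint (``sub`` = uid, plus
    ``voperson_external_id`` when ``schac_home_organisation`` is given, plus
    any extra ``user_info`` claims merged on top) and the JWKS endpoint
    (test/data/public.json), then completes the login by requesting
    ``/api/users/resume-session`` with a dummy code.

    Args:
        uid: value of the "sub" claim returned by the mocked userinfo endpoint.
        schac_home_organisation: when truthy, userinfo also returns
            ``voperson_external_id`` "jdoe@<schac_home_organisation>".
        user_info: extra userinfo claims merged over the defaults (and able
            to override them). ``None`` adds nothing; this replaces the former
            mutable ``{}`` default and is backward-compatible.
    """
    if user_info is None:
        user_info = {}
    oidc = current_app.app_config.oidc
    responses.add(
        responses.POST,
        oidc.token_endpoint,
        json={"access_token": "some_token", "id_token": self.sign_jwt()},
        status=200,
    )
    json_body = {"sub": uid}
    if schac_home_organisation:
        json_body["voperson_external_id"] = f"jdoe@{schac_home_organisation}"
    responses.add(
        responses.GET,
        oidc.userinfo_endpoint,
        json={**json_body, **user_info},
        status=200,
    )
    responses.add(responses.GET, oidc.jwks_endpoint, read_file("test/data/public.json"), status=200)
    # The Session object is never bound or used directly; kept as in the
    # original helper so the mocked requests run inside a session context.
    with requests.Session():
        self.client.get("/api/users/resume-session?code=123456")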
def test_resume_session_with_allowed_idp(self):
    """Resuming a session with an id_token whose acr is "nope" still completes login.

    The user is redirected to http://localhost:3000 and /api/users/me reports
    ``second_factor_confirmed`` true with ``organisation_memberships`` present —
    presumably because the IdP behind ``voperson_external_id`` is on an allowed
    list, as the test name suggests; the list itself is not visible here.
    """
    oidc = current_app.app_config.oidc
    responses.add(
        responses.POST,
        oidc.token_endpoint,
        json={"access_token": "some_token", "id_token": self.sign_jwt({"acr": "nope"})},
        status=200,
    )
    responses.add(
        responses.GET,
        oidc.userinfo_endpoint,
        json={"sub": "urn:john", "voperson_external_id": "*****@*****.**"},
        status=200,
    )
    responses.add(responses.GET, oidc.jwks_endpoint, read_file("test/data/public.json"), status=200)
    with requests.Session():
        res = self.client.get("/api/users/resume-session?code=123456")
    self.assertEqual("http://localhost:3000", res.headers.get("Location"))
    me = self.client.get("/api/users/me").json
    self.assertTrue(me["second_factor_confirmed"])
    self.assertIn("organisation_memberships", me)
def _get_private_key():
    """Return the SBS RSA private signing key, reading it from disk once per process.

    The key file path comes from ``oidc.private_rsa_signing_key_path``; the
    file contents are cached verbatim in the module-level ``private_key``
    and handed to callers as raw key material.
    """
    global private_key
    if private_key is not None:
        return private_key
    key_path = current_app.app_config.oidc.private_rsa_signing_key_path
    private_key = read_file(key_path)
    return private_key
# NOTE(review): `formatter` and `handler` are not defined in this excerpt; the
# statements up to `logger.addHandler(debug_handler)` read like the tail of the
# logging-setup function that `_init_logging(...)` below invokes — confirm
# against the full module before relying on them at module level.
# Debug log file is written to ../log/sbs_debug.log relative to this file,
# rotated at midnight with 30 backups kept.
debug_handler = TimedRotatingFileHandler(
    f"{os.path.dirname(os.path.realpath(__file__))}/../log/sbs_debug.log",
    when="midnight",
    backupCount=30,
)
debug_handler.setFormatter(formatter)
debug_handler.setLevel(logging.DEBUG)
# Keep the SQLAlchemy engine logger at WARNING even though the root logger is DEBUG.
logging.getLogger("sqlalchemy.engine").setLevel(logging.WARNING)
logger = logging.getLogger()
logger.setLevel(logging.DEBUG)
logger.addHandler(handler)
logger.addHandler(debug_handler)

# Configuration file: path from the CONFIG environment variable, default config/config.yml.
config_file_location = os.environ.get("CONFIG", "config/config.yml")
# yaml.load with FullLoader is not yaml.safe_load: FullLoader still resolves some
# python-specific tags. The file is a local, operator-chosen path rather than
# request input, so the exposure is limited to the deployment's own config;
# prefer yaml.safe_load unless the config relies on FullLoader-only tags.
config = munchify(yaml.load(read_file(config_file_location), Loader=yaml.FullLoader))
# Strip a single trailing slash from base_url.
config.base_url = config.base_url[:-1] if config.base_url.endswith("/") else config.base_url
# TESTING is parsed as an int ("1"/"0"); PROFILE=local selects the local profile.
test = os.environ.get("TESTING")
profile = os.environ.get("PROFILE")
is_local = profile is not None and profile == "local"
is_test = test is not None and bool(int(test))
_init_logging(is_test or is_local)


def page_not_found(_):
    """404 handler: JSON body naming the requested base_url; the error argument is unused."""
    return jsonify({"message": f"{current_request.base_url} not found"}), 404
def links():
    """Return the AUP payload and a 200 status.

    The payload carries the configured ``pdf_link`` and ``pdf`` values and
    the HTML body read from ``./static/<aup.html>``. The file name comes
    from application configuration, not from the request.
    """
    aup = current_app.app_config.aup
    payload = {
        "pdf_link": aup.pdf_link,
        "pdf": aup.pdf,
        "html": read_file(f"./static/{aup.html}"),
    }
    return payload, 200