示例#1
0
def test_get_trust_mark_3rd_party():
    _iss = "https://feide.no"
    _sub = "https://op.ntnu.no"

    config = {'keys': {'key_defs': KEYSPEC}}

    federation_entity = FederationEntity(
        _iss,
        trusted_roots=ANCHOR,
        config=config,
        authority_hints=['https://ntnu.no'],
        entity_type='openid_relying_party',
        httpd=Publisher(ROOT_DIR),
        opponent_entity_type='openid_relying_party')

    federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
                                                 trusted_roots=ANCHOR,
                                                 root_dir=ROOT_DIR)

    _tm = TrustMark(
        id="https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf",
        sub=_sub,
    )

    # Create the Signed JWT representing the Trust Mark
    _jwt0 = JWT(key_jar=federation_entity.keyjar, iss=_iss, lifetime=3600)
    _jws = _jwt0.pack(_tm)

    trust_anchor_id = list(ANCHOR.keys())[0]

    _tm = get_trust_mark(federation_entity, _jws, _sub, trust_anchor_id)

    assert isinstance(_tm, TrustMark)
示例#2
0
 def rp_service_setup(self):
     federation_entity = FederationEntity(
         RECEIVER,
         trusted_roots=ANCHOR,
         authority_hints={},
         httpd=Publisher(os.path.join(BASE_PATH, 'base_data')),
         entity_type='openid_relying_party',
         opponent_entity_type='openid_provider')
     # Swap in the DummyCollector
     federation_entity.collector = DummyCollector(
         trusted_roots=ANCHOR,
         httpd=Publisher(os.path.join(BASE_PATH, 'base_data')),
         root_dir=os.path.join(BASE_PATH, 'base_data'))
     self.fedent = federation_entity
    def create_endpoint(self):
        conf = {
            "issuer": ENTITY_ID,
            "password": "******",
            "token_expires_in": 600,
            "grant_expires_in": 300,
            "refresh_token_expires_in": 86400,
            "verify_ssl": False,
            'keys': {
                'key_defs': KEYSPEC
            },
            "endpoint": {},
            "jwks": {
                "private_path": "own/jwks.json",
                "uri_path": "static/jwks.json"
            },
            "authentication": {
                "anon": {
                    'acr': UNSPECIFIED,
                    "class": NoAuthn,
                    "kwargs": {
                        "user": "******"
                    }
                }
            },
            'template_dir': 'template'
        }
        endpoint_context = EndpointContext(conf)
        self.endpoint = ProviderConfiguration(endpoint_context)

        # === Federation stuff =======
        fe_conf = {'keys': {'key_defs': KEYSPEC}}

        federation_entity = FederationEntity(
            ENTITY_ID,
            trusted_roots=ANCHOR,
            authority_hints={'https://ntnu.no': ['https://feide.no']},
            httpd=Publisher(ROOT_DIR),
            config=fe_conf,
            entity_type='openid_relying_party',
            opponent_entity_type='openid_provider')

        federation_entity.collector = DummyCollector(httpd=Publisher(
            os.path.join(BASE_PATH, 'data')),
                                                     trusted_roots=ANCHOR,
                                                     root_dir=ROOT_DIR)

        self.fedent = federation_entity
        self.endpoint.endpoint_context.federation_entity = federation_entity
示例#4
0
    def __init__(self,
                 conf: Union[dict, Configuration],
                 keyjar: Optional[KeyJar] = None,
                 httpc: Optional[Any] = None):
        entity.Entity.__init__(self, config=conf, keyjar=keyjar)

        fed_conf = conf["federation"]
        federation_entity = FederationEntity(httpd=httpc, config=fed_conf)

        self.client_get(
            "service_context").federation_entity = federation_entity
示例#5
0
    def __init__(self,
                 conf: Union[dict, FedOpConfiguration],
                 keyjar: Optional[KeyJar] = None,
                 cwd: Optional[str] = "",
                 cookie_handler: Optional[Any] = None,
                 httpc: Optional[Any] = None
                 ):
        server.Server.__init__(self, conf=conf, keyjar=keyjar, cwd=cwd,
                               cookie_handler=cookie_handler, httpc=httpc)

        fed_conf = conf["federation"]
        federation_entity = FederationEntity(httpd=httpc, config=fed_conf)

        self.server_get("endpoint_context").federation_entity = federation_entity
示例#6
0
def test_get_trust_mark_self_signed():
    _entity_id = "https://op.ntnu.no"
    config = {'keys': {'key_defs': KEYSPEC}}

    federation_entity = FederationEntity(
        _entity_id,
        trusted_roots=ANCHOR,
        config=config,
        authority_hints=['https://ntnu.no'],
        entity_type='openid_relying_party',
        httpd=Publisher(ROOT_DIR),
        opponent_entity_type='openid_relying_party')

    federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
                                                 trusted_roots=ANCHOR,
                                                 root_dir=ROOT_DIR)

    _tm = TrustMark(
        id="https://openid.net/certification/op",
        sub=_entity_id,
        mark=("http://openid.net/wordpress-content/uploads/2016/05/"
              "oid-l-certification-mark-l-cmyk-150dpi-90mm.jpg"),
        ref=("https://openid.net/wordpress-content/uploads/2015/09/"
             "RolandHedberg-pyoidc-0.7.7-Basic-26-Sept-2015.zip"))

    # Create the Signed JWT representing the Trust Mark
    _jwt0 = JWT(key_jar=federation_entity.keyjar,
                iss=_entity_id,
                lifetime=3600)
    _jws = _jwt0.pack(_tm)

    trust_anchor_id = list(ANCHOR.keys())[0]

    _tm = get_trust_mark(federation_entity, _jws, _entity_id, trust_anchor_id)

    assert isinstance(_tm, TrustMark)
示例#7
0
    def rp_service_setup(self):
        entity_id = 'https://foodle.uninett.no'
        entity = Entity(config={
            'issuer': 'https://op.ntnu.no',
            'keys': {
                'key_defs': KEY_DEFS
            }
        })
        service_context = entity.get_service_context()

        http_cli = Publisher(os.path.join(BASE_PATH, 'base_data'))

        self.federation_entity = FederationEntity(
            entity_id,
            trusted_roots=ANCHOR,
            authority_hints=['https://ntnu.no'],
            httpd=http_cli,
            entity_type='openid_relying_party',
            opponent_entity_type='openid_provider',
            config={'keys': {
                'key_defs': KEY_DEFS
            }})

        # The test data collector
        self.federation_entity.collector = DummyCollector(
            trusted_roots=ANCHOR,
            httpd=http_cli,
            root_dir=os.path.join(BASE_PATH, 'base_data'))

        service_context.federation_entity = self.federation_entity
        service_context.redirect_uris = ['https://foodle.uninett.no/cb']
        # Note that the keys used for OIDC base protocol communication are separate from those used
        # in the federation context
        # service_context.keyjar = init_key_jar(key_defs=KEY_DEFS, issuer_id=entity_id)
        service_context.client_preferences = {
            "grant_types": ['authorization_code', 'implicit', 'refresh_token'],
            "id_token_signed_response_alg": "ES256",
            "token_endpoint_auth_method": "client_secret_basic",
            "federation_type": ['automatic']
        }

        self.service = {
            'discovery':
            FedProviderInfoDiscovery(client_get=entity.client_get),
            'registration': Registration(client_get=entity.client_get)
        }
示例#8
0
    return statements


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-n', dest='netloc')
    parser.add_argument('-e', dest='entity_id')
    parser.add_argument('-t', dest="entity_type")
    parser.add_argument('-k', dest='insecure', action='store_true')
    args = parser.parse_args()

    jwks = open(os.path.join(ROOT_DIR, 'swamid', 'swamid.jwks.json')).read()

    ANCHOR = {'https://{}/swamid'.format(args.netloc): json.loads(jwks)}

    my_entity_id = "https://{}/me".format(args.netloc)
    fedent = FederationEntity(
        my_entity_id,
        trusted_roots=ANCHOR,
        authority_hints={'https://ntnu.no': ['https://feide.no']},
        entity_type="",
        opponent_entity_type=args.entity_type)

    if args.insecure:
        fedent.keyjar.verify_ssl = False
        fedent.collector.insecure = True

    for statement in main(fedent, args.entity_id, args.entity_type):
        print(20 * "=", statement.anchor, 20 * "=")
        print(json.dumps(statement.metadata, indent=4, sort_keys=True))
    def create_endpoint(self):
        # First the RP
        service_context = ServiceContext(
            config={
                'behaviour': {
                    'federation_types_supported': ['explicit']
                },
                'issuer': "https://op.ntnu.no",
                'keys': {
                    'key_defs': KEYSPEC
                }
            })

        # the federation part of the RP
        self.rp_federation_entity = FederationEntity(
            entity_id=ENTITY_ID,
            trusted_roots=ANCHOR,
            authority_hints=['https://ntnu.no'],
            entity_type='openid_relying_party',
            opponent_entity_type='openid_provider')

        self.rp_federation_entity.collector = DummyCollector(
            trusted_roots=ANCHOR, root_dir=ROOT_DIR)

        self.rp_federation_entity.keyjar.import_jwks(read_info(
            os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
            'jwks'),
                                                     issuer_id=ENTITY_ID)

        # add the federation part to the service context
        service_context.federation_entity = self.rp_federation_entity

        # The RP has/supports 3 services
        self.service = {
            'discovery': FedProviderInfoDiscovery(service_context),
            'registration': Registration(service_context),
            'authorization': FedAuthorization(service_context),
        }

        # and now for the OP
        op_entity_id = "https://op.ntnu.no"
        conf = {
            "issuer": op_entity_id,
            "password": "******",
            "token_expires_in": 600,
            "grant_expires_in": 300,
            "refresh_token_expires_in": 86400,
            "verify_ssl": False,
            "endpoint": {
                'provider_info': {
                    'path': '.well-known/openid-federation',
                    'class': provider_config.ProviderConfiguration,
                    'kwargs': {
                        'client_authn_method': None
                    }
                },
                'registration': {
                    'path': 'fed_registration',
                    'class': registration.Registration,
                    'kwargs': {
                        'client_authn_method': None
                    }
                },
                'authorization': {
                    'path': 'authorization',
                    'class': authorization.Authorization,
                    'kwargs': {
                        "response_modes_supported":
                        ['query', 'fragment', 'form_post'],
                        "claims_parameter_supported":
                        True,
                        "request_parameter_supported":
                        True,
                        "request_uri_parameter_supported":
                        True,
                        "client_authn_method": ['request_param']
                    }
                }
            },
            "keys": {
                "private_path": "own/jwks.json",
                "uri_path": "static/jwks.json",
                "key_defs": KEYSPEC
            },
            "authentication": {
                "anon": {
                    'acr': UNSPECIFIED,
                    "class": NoAuthn,
                    "kwargs": {
                        "user": "******"
                    }
                }
            },
            'template_dir': 'template'
        }
        endpoint_context = EndpointContext(conf)
        self.registration_endpoint = endpoint_context.endpoint["registration"]
        self.authorization_endpoint = endpoint_context.endpoint[
            "authorization"]
        self.provider_endpoint = endpoint_context.endpoint["provider_config"]

        # === Federation stuff =======
        federation_entity = FederationEntity(
            op_entity_id,
            trusted_roots=ANCHOR,
            authority_hints=['https://ntnu.no'],
            entity_type='openid_relying_party',
            httpd=Publisher(ROOT_DIR),
            opponent_entity_type='openid_relying_party')

        federation_entity.keyjar.import_jwks(read_info(
            os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
                                             issuer_id=op_entity_id)

        federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
                                                     trusted_roots=ANCHOR,
                                                     root_dir=ROOT_DIR)

        self.registration_endpoint.endpoint_context.federation_entity = federation_entity
示例#10
0
    def create_setup(self):
        # First the RP
        service_context = ServiceContext(
            config={
                'behaviour': {
                    'federation_types_supported': ['automatic']
                },
                'issuer': "https://op.ntnu.no",
                'keys': {
                    'key_defs': KEYSPEC
                }
            })

        self.rp_federation_entity = FederationEntity(
            entity_id=RP_ENTITY_ID,
            trusted_roots=ANCHOR,
            authority_hints=['https://ntnu.no'],
            entity_type='openid_relying_party',
            opponent_entity_type='openid_provider')

        self.rp_federation_entity.keyjar.import_jwks(read_info(
            os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
            'jwks'),
                                                     issuer_id=RP_ENTITY_ID)

        self.rp_federation_entity.collector = DummyCollector(
            trusted_roots=ANCHOR, root_dir=ROOT_DIR)

        # add the federation part to the service context
        service_context.federation_entity = self.rp_federation_entity

        # The RP has/supports 2 services
        self.service = {
            'discovery': FedProviderInfoDiscovery(service_context),
            'registration': RPRegistration(service_context),
            'authorization': FedAuthorization(service_context),
        }

        # and now for the OP
        op_entity_id = "https://op.ntnu.no"
        conf = {
            "issuer": op_entity_id,
            "password": "******",
            "token_handler_args": {
                "jwks_def": {
                    "private_path":
                    "private/token_jwks.json",
                    "read_only":
                    False,
                    "key_defs": [
                        {
                            "type": "oct",
                            "bytes": 24,
                            "use": ["enc"],
                            "kid": "code"
                        },
                        {
                            "type": "oct",
                            "bytes": 24,
                            "use": ["enc"],
                            "kid": "refresh"
                        },
                    ],
                },
                "code": {
                    "lifetime": 600
                },
                "token": {
                    "class": "oidcendpoint.jwt_token.JWTToken",
                    "kwargs": {
                        "lifetime":
                        3600,
                        "add_claims": [
                            "email",
                            "email_verified",
                            "phone_number",
                            "phone_number_verified",
                        ],
                        "add_claim_by_scope":
                        True,
                        "aud": ["https://example.org/appl"]
                    },
                },
                "refresh": {
                    "lifetime": 86400
                },
            },
            "verify_ssl": False,
            "capabilities": CAPABILITIES,
            "keys": {
                "uri_path": "static/jwks.json",
                "key_defs": KEYSPEC
            },
            "id_token": {
                "class": IDToken,
                "kwargs": {
                    "default_claims": {
                        "email": {
                            "essential": True
                        },
                        "email_verified": {
                            "essential": True
                        },
                    }
                },
            },
            "endpoint": {
                "provider_config": {
                    "path": ".well-known/openid-configuration",
                    "class": ProviderConfiguration,
                    "kwargs": {},
                },
                "registration": {
                    "path": "registration",
                    "class": OPRegistration,
                    "kwargs": {},
                },
                "authorization": {
                    "path": "authorization",
                    "class": Authorization,
                    "kwargs": {
                        "response_types_supported":
                        [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
                        "response_modes_supported":
                        ["query", "fragment", "form_post"],
                        "claims_parameter_supported":
                        True,
                        "request_parameter_supported":
                        True,
                        "request_uri_parameter_supported":
                        True,
                    },
                },
                "pushed_authorization": {
                    "path": "pushed_authorization",
                    "class": PushedAuthorization,
                    "kwargs": {
                        "client_authn_method": [
                            "client_secret_post",
                            "client_secret_basic",
                            "client_secret_jwt",
                            "private_key_jwt",
                        ]
                    },
                },
            },
            "authentication": {
                "anon": {
                    "acr": "http://www.swamid.se/policy/assurance/al1",
                    "class": "oidcendpoint.user_authn.user.NoAuthn",
                    "kwargs": {
                        "user": "******"
                    },
                }
            },
            "template_dir": "template",
            "cookie_dealer": {
                "class": CookieDealer,
                "kwargs": {
                    "sign_key":
                    "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
                    "default_values": {
                        "name": "oidcop",
                        "domain": "127.0.0.1",
                        "path": "/",
                        "max_age": 3600,
                    },
                },
            },
            'add_on': {
                "automatic_registration": {
                    "function":
                    "fedservice.op.add_on.automatic_registration.add_support",
                    "kwargs": {
                        "new_id": False,  # default False
                        "where": ["pushed_authorization"]
                    }
                }
            }
        }
        endpoint_context = EndpointContext(conf)
        _clients = yaml.safe_load(io.StringIO(client_yaml))
        # endpoint_context.cdb = _clients["oidc_clients"]
        endpoint_context.keyjar.import_jwks(
            endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])

        self.pushed_authorization_endpoint = endpoint_context.endpoint[
            "pushed_authorization"]
        self.authorization_endpoint = endpoint_context.endpoint[
            "authorization"]
        self.registration_endpoint = endpoint_context.endpoint["registration"]

        federation_entity = FederationEntity(
            op_entity_id,
            trusted_roots=ANCHOR,
            authority_hints=['https://ntnu.no'],
            entity_type='openid_relying_party',
            httpd=Publisher(ROOT_DIR),
            opponent_entity_type='openid_relying_party')

        federation_entity.keyjar.import_jwks(read_info(
            os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
                                             issuer_id=op_entity_id)

        federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
                                                     trusted_roots=ANCHOR,
                                                     root_dir=ROOT_DIR)

        self.authorization_endpoint.endpoint_context.federation_entity = federation_entity
示例#11
0
    def create_endpoint(self):
        # First the RP
        entity = Entity(
            config={
                'behaviour': {
                    'federation_types_supported': ['explicit']
                },
                'issuer': "https://op.ntnu.no",
                'keys': {
                    'key_defs': KEYSPEC
                },
                "httpc_param": {
                    'verify': False,
                    "timeout": 2
                },
            })

        # the federation part of the RP
        self.rp_federation_entity = FederationEntity(
            entity_id=ENTITY_ID,
            trusted_roots=ANCHOR,
            authority_hints=['https://ntnu.no'],
            entity_type='openid_relying_party',
            opponent_entity_type='openid_provider')

        self.rp_federation_entity.collector = DummyCollector(
            trusted_roots=ANCHOR, root_dir=ROOT_DIR)

        self.rp_federation_entity.keyjar.import_jwks(read_info(
            os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
            'jwks'),
                                                     issuer_id=ENTITY_ID)

        # add the federation part to the service context
        entity.client_get(
            "service_context").federation_entity = self.rp_federation_entity

        # The RP has/supports 3 services
        self.service = {
            'discovery':
            FedProviderInfoDiscovery(entity.client_get),
            'registration':
            Registration(entity.client_get),
            'authorization':
            FedAuthorization(entity.client_get,
                             conf={"request_object_expires_in": 300}),
        }

        # and now for the OP
        op_entity_id = "https://op.ntnu.no"
        conf = {
            "issuer": op_entity_id,
            "httpc_param": {
                'verify': False,
                "timeout": 2
            },
            "password": "******",
            "token_expires_in": 600,
            "grant_expires_in": 300,
            "refresh_token_expires_in": 86400,
            "verify_ssl": False,
            "cookie_handler": {
                "class": CookieHandler,
                "kwargs": {
                    "keys": {
                        "key_defs": COOKIE_KEYDEFS
                    },
                    "name": {
                        "session": "oidc_op",
                        "register": "oidc_op_reg",
                        "session_management": "oidc_op_sman"
                    }
                },
            },
            "endpoint": {
                'provider_info': {
                    'path': '.well-known/openid-federation',
                    'class': provider_config.ProviderConfiguration,
                    'kwargs': {
                        'client_authn_method': None
                    }
                },
                'registration': {
                    'path': 'fed_registration',
                    'class': registration.Registration,
                    'kwargs': {
                        'client_authn_method': None
                    }
                },
                'authorization': {
                    'path': 'authorization',
                    'class': authorization.Authorization,
                    'kwargs': {
                        "response_modes_supported":
                        ['query', 'fragment', 'form_post'],
                        "claims_parameter_supported":
                        True,
                        "request_parameter_supported":
                        True,
                        "request_uri_parameter_supported":
                        True,
                        "client_authn_method": ['request_param']
                    }
                }
            },
            "keys": {
                "private_path": "own/jwks.json",
                "uri_path": "static/jwks.json",
                "key_defs": KEYSPEC
            },
            "authentication": {
                "anon": {
                    'acr': UNSPECIFIED,
                    "class": NoAuthn,
                    "kwargs": {
                        "user": "******"
                    }
                }
            },
            'template_dir': 'template',
            "claims_interface": {
                "class": "oidcop.session.claims.ClaimsInterface",
                "kwargs": {}
            },
            'add_on': {
                "automatic_registration": {
                    "function":
                    "fedservice.op.add_on.automatic_registration.add_support",
                    "kwargs": {
                        "new_id": False,  # default False
                        'client_registration_authn_methods_supported': {
                            "ar": ['request_object']
                        },
                        'where': ['authorization']
                    }
                }
            }
        }
        server = Server(conf)
        self.registration_endpoint = server.server_get("endpoint",
                                                       "registration")
        self.authorization_endpoint = server.server_get(
            "endpoint", "authorization")
        self.provider_endpoint = server.server_get("endpoint",
                                                   "provider_config")

        # === Federation stuff =======
        federation_entity = FederationEntity(
            op_entity_id,
            trusted_roots=ANCHOR,
            authority_hints=['https://ntnu.no'],
            entity_type='openid_relying_party',
            httpd=Publisher(ROOT_DIR),
            opponent_entity_type='openid_relying_party')

        federation_entity.keyjar.import_jwks(read_info(
            os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
                                             issuer_id=op_entity_id)

        federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
                                                     trusted_roots=ANCHOR,
                                                     root_dir=ROOT_DIR)

        self.registration_endpoint.server_get(
            "endpoint_context").federation_entity = federation_entity
示例#12
0
    parser.add_argument('-t', dest='trusted_roots_file')
    parser.add_argument('-e', dest='entity_type')
    parser.add_argument('-o', dest='opponent_entity_type')
    parser.add_argument('-l', dest='logging', action='store_true')
    parser.add_argument(dest="url")
    args = parser.parse_args()

    if args.logging:
        logger = configure_logging(config=LOGGING).getChild(__name__)

    trusted_roots = json.loads(open(args.trusted_roots_file).read())

    # Creates an entity that can do the collecting of information
    federation_entity = FederationEntity(
        'issuer',
        trusted_roots=trusted_roots,
        entity_type=args.entity_type,
        opponent_entity_type=args.opponent_entity_type)

    if args.insecure:
        federation_entity.collector.insecure = args.insecure

    jws = federation_entity.get_configuration_information(args.url)
    metadata = verify_self_signed_signature(jws)

    _tree = federation_entity.collect_statement_chains(metadata['iss'],
                                                       metadata)
    chains = branch2lists(_tree)
    for c in chains:
        c.append(jws)