示例#1
0
    def __init__(self, config, callback_func):
        """
        :type config: satosa.satosa_config.SATOSAConfig
        :type callback_func:
        (satosa.context.Context, satosa.internal_data.InternalResponse) -> satosa.response.Response

        :param config: The SATOSA proxy config
        :param callback_func: Callback function when the linking is done
        """
        self.config = config
        self.callback_func = callback_func
        self.enabled = \
            "ACCOUNT_LINKING" in config and ("enable" not in config.ACCOUNT_LINKING or
                                             config.ACCOUNT_LINKING["enable"])
        if self.enabled:
            self.proxy_base = config.BASE
            self.al_rest_uri = config.ACCOUNT_LINKING["rest_uri"]
            self.al_redirect = config.ACCOUNT_LINKING["redirect"]
            self.endpoint = config.ACCOUNT_LINKING["endpoint"]
            self.verify_ssl = True if "verify_ssl" not in config.ACCOUNT_LINKING else \
                config.ACCOUNT_LINKING["verify_ssl"]
            _bkey = rsa_load(config.ACCOUNT_LINKING["sign_key"])
            self.sign_key = RSAKey().load_key(_bkey)
            self.sign_key.use = "sig"
            LOGGER.info("Account linking is active")
        else:
            LOGGER.info("Account linking is not active")
示例#2
0
    def test_handle_authn_response_returns_id_token_for_verified_affiliation(
            self, signing_key_path, context, scope_value, affiliation):
        authn_req = AuthorizationRequest(
            scope='openid ' + scope_value,
            client_id='client1',
            redirect_uri='https://client.example.com',
            response_type='id_token')
        context.state[self.frontend.name] = {
            'oidc_request': authn_req.to_urlencoded()
        }
        internal_response = InternalResponse(
            AuthenticationInformation(None, str(datetime.now()),
                                      'https://idp.example.com'))
        internal_response.attributes['affiliation'] = [affiliation]
        internal_response.user_id = 'user1'

        resp = self.frontend.handle_authn_response(context, internal_response)
        auth_resp = AuthorizationResponse().from_urlencoded(
            urlparse(resp.message).fragment)

        id_token = IdToken().from_jwt(
            auth_resp['id_token'],
            key=[RSAKey(key=rsa_load(signing_key_path))])
        assert id_token['iss'] == self.frontend.base_url
        assert id_token['aud'] == ['client1']
        assert id_token['auth_time'] == internal_response.auth_info.timestamp
    def test_full_flow(self, account_linking_config, internal_response, context):
        ticket = "ticket"
        with responses.RequestsMock() as rsps:
            rsps.add(
                responses.GET,
                "%s/get_id" % account_linking_config["api_url"],
                status=404,
                body=ticket,
                content_type="text/html"
            )
            result = self.account_linking.process(context, internal_response)
        assert isinstance(result, Redirect)
        assert result.message.startswith(account_linking_config["redirect_url"])

        data = {
            "idp": internal_response.auth_info.issuer,
            "id": internal_response.user_id,
            "redirect_endpoint": self.account_linking.base_url + "/account_linking/handle_account_linking"
        }
        key = RSAKey(key=rsa_load(account_linking_config["sign_key"]), use="sig", alg="RS256")
        jws = JWS(json.dumps(data), alg=key.alg).sign_compact([key])
        uuid = "uuid"
        with responses.RequestsMock() as rsps:
            # account is linked, 200 OK
            rsps.add(
                responses.GET,
                "%s/get_id?jwt=%s" % (account_linking_config["api_url"], jws),
                status=200,
                body=uuid,
                content_type="text/html",
                match_querystring=True
            )
            internal_response = self.account_linking._handle_al_response(context)
        assert internal_response.user_id == uuid
示例#4
0
文件: app.py 项目: jkakavas/loidc-op
def init_oidc_provider(app):
    with app.app_context():
        issuer = url_for('oidc_provider.index')[:-1]
        authentication_endpoint = url_for('oidc_provider.authentication_endpoint')
        jwks_uri = url_for('oidc_provider.jwks_uri')
        token_endpoint = url_for('oidc_provider.token_endpoint')
        userinfo_endpoint = url_for('oidc_provider.userinfo_endpoint')
        registration_endpoint = url_for('oidc_provider.registration_endpoint')
        end_session_endpoint = url_for('oidc_provider.end_session_endpoint')
        userinfo_ldap = LdapUserInfo()

    configuration_information = {
        'issuer': issuer,
        'authorization_endpoint': authentication_endpoint,
        'jwks_uri': jwks_uri,
        'token_endpoint': token_endpoint,
        'userinfo_endpoint': userinfo_endpoint,
        'registration_endpoint': registration_endpoint,
        'end_session_endpoint': end_session_endpoint,
        'scopes_supported': ['openid', 'profile'],
        'response_types_supported': ['code', 'code id_token', 'code token', 'code id_token token'],  # code and hybrid
        'response_modes_supported': ['query', 'fragment'],
        'grant_types_supported': ['authorization_code', 'implicit'],
        'subject_types_supported': ['pairwise'],
        'token_endpoint_auth_methods_supported': ['client_secret_basic'],
        'claims_parameter_supported': True
    }

    signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256')
    provider = Provider(signing_key, configuration_information,
                        AuthorizationState(HashBasedSubjectIdentifierFactory(app.config['SUBJECT_ID_HASH_SALT'])),
                        {}, userinfo_ldap)

    return provider
 def __init__(self, patch, config={}):
     Server.__init__(self)
     self.patch = patch
     self.session = None
     self.config = {
         'issuer': 'https://example.com',
     }
     self.config.update(config)
     self.authz_codes = {}
     self.access_tokens = {}
     self.client = {
         'test-client': {
             'client_name': 'Test Client',
             'client_secret': 'test-secret',
             'post_logout_redirect_uris': [
                 'http://localhost:5000/sign-out',
             ],
             'redirect_uris': [
                 'http://localhost:5000/oidc_callback',
             ],
             'response_types': ['code'],
         }
     }
     self.access_token_lifetime = 3600
     self.authorization_code_lifetime = 600
     self.id_token_lifetime = 3600
     self.registration_expires_in = 3600
     self.host = ''
     self.userinfo_signed_response_alg = ''
     self.signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256')
     self.urls = []
 def __init__(self, patch, config={}):
     Server.__init__(self)
     self.patch = patch
     self.session = None
     self.config = {
         'issuer': 'https://example.com',
     }
     self.config.update(config)
     self.authz_codes = {}
     self.access_tokens = {}
     self.client = {
         'test-client': {
             'client_name': 'Test Client',
             'client_secret': 'test-secret',
             'post_logout_redirect_uris': [
                 'http://localhost:5000/sign-out',
             ],
             'redirect_uris': [
                 'http://localhost:5000/oidc_callback',
             ],
             'response_types': ['code'],
         }
     }
     self.access_token_lifetime = 3600
     self.authorization_code_lifetime = 600
     self.id_token_lifetime = 3600
     self.registration_expires_in = 3600
     self.host = ''
     self.userinfo_signed_response_alg = ''
     self.signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256')
     self.urls = []
示例#7
0
 def test_construct(self, client):
     _key = rsa_load(os.path.join(BASE_PATH, "data/keys/rsa.key"))
     kc_rsa = KeyBundle([{
         "key": _key,
         "kty": "RSA",
         "use": "ver"
     }, {
         "key": _key,
         "kty": "RSA",
         "use": "sig"
     }])
     client.keyjar[""] = kc_rsa
     client.token_endpoint = "https://example.com/token"
     client.provider_info = {
         'issuer': 'https://example.com/',
         'token_endpoint': "https://example.com/token"
     }
     cis = AccessTokenRequest()
     pkj = PrivateKeyJWT(client)
     http_args = pkj.construct(cis,
                               algorithm="RS256",
                               authn_endpoint='token')
     assert http_args == {}
     cas = cis["client_assertion"]
     _jwt = JWT().unpack(cas)
     jso = _jwt.payload()
     assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
     assert _jwt.headers == {'alg': 'RS256'}
     assert jso['aud'] == [client.provider_info['token_endpoint']]
示例#8
0
    def __init__(self, config, callback_func):
        """
        :type config: satosa.satosa_config.SATOSAConfig
        :type callback_func:
        (satosa.context.Context, satosa.internal_data.InternalResponse) -> satosa.response.Response

        :param config: The SATOSA proxy config
        :param callback_func: Callback function when the linking is done
        """
        self.config = config
        self.callback_func = callback_func
        self.enabled = \
            "ACCOUNT_LINKING" in config and ("enable" not in config.ACCOUNT_LINKING or
                                             config.ACCOUNT_LINKING["enable"])
        if self.enabled:
            self.proxy_base = config.BASE
            self.al_rest_uri = config.ACCOUNT_LINKING["rest_uri"]
            self.al_redirect = config.ACCOUNT_LINKING["redirect"]
            self.endpoint = config.ACCOUNT_LINKING["endpoint"]
            self.verify_ssl = True if "verify_ssl" not in config.ACCOUNT_LINKING else \
                config.ACCOUNT_LINKING["verify_ssl"]
            _bkey = rsa_load(config.ACCOUNT_LINKING["sign_key"])
            self.sign_key = RSAKey().load_key(_bkey)
            self.sign_key.use = "sig"
            LOGGER.info("Account linking is active")
        else:
            LOGGER.info("Account linking is not active")
示例#9
0
文件: keyio.py 项目: HaToHo/pyoidc
def key_setup(vault, **kwargs):
    """
    :param vault: Where the keys are kept
    :return: 2-tuple: result of urlsplit and a dictionary with
        parameter name as key and url and value
    """
    vault_path = proper_path(vault)

    if not os.path.exists(vault_path):
        os.makedirs(vault_path)

    kb = KeyBundle()
    kid = 1
    for usage in ["sig", "enc"]:
        if usage in kwargs:
            if kwargs[usage] is None:
                continue

            _args = kwargs[usage]
            if _args["alg"] == "RSA":
                try:
                    _key = rsa_load('%s%s' % (vault_path, "pyoidc"))
                except Exception:
                    devnull = open(os.devnull, 'w')
                    with RedirectStdStreams(stdout=devnull, stderr=devnull):
                        _key = create_and_store_rsa_key_pair(
                            path=vault_path)

                kb.append(RSAKey(key=_key, use=usage, kid=kid))
                kid += 1
                if usage == "sig" and "enc" not in kwargs:
                    kb.append(RSAKey(key=_key, use="enc", kid=kid))
                    kid += 1

    return kb
    def test_existing_account_linking_with_known_known_uuid(
            self, account_linking_config, internal_response, context):
        uuid = "uuid"
        data = {
            "idp":
            internal_response.auth_info.issuer,
            "id":
            internal_response.subject_id,
            "redirect_endpoint":
            self.account_linking.base_url +
            "/account_linking/handle_account_linking"
        }
        key = RSAKey(key=rsa_load(account_linking_config["sign_key"]),
                     use="sig",
                     alg="RS256")
        jws = JWS(json.dumps(data), alg=key.alg).sign_compact([key])
        responses.add(responses.GET,
                      "%s/get_id?jwt=%s" %
                      (account_linking_config["api_url"], jws),
                      status=200,
                      body=uuid,
                      content_type="text/html",
                      match_querystring=True)

        self.account_linking.process(context, internal_response)
        assert internal_response.subject_id == uuid
示例#11
0
文件: keyio.py 项目: Daul89/myoidc
def key_setup(vault, **kwargs):
    """
    :param vault: Where the keys are kept
    :return: 2-tuple: result of urlsplit and a dictionary with
        parameter name as key and url and value
    """
    vault_path = proper_path(vault)

    if not os.path.exists(vault_path):
        os.makedirs(vault_path)

    kb = KeyBundle()
    for usage in ["sig", "enc"]:
        if usage in kwargs:
            if kwargs[usage] is None:
                continue

            _args = kwargs[usage]
            if _args["alg"].upper() == "RSA":
                try:
                    _key = rsa_load('%s%s' % (vault_path, "pyoidc"))
                except Exception:
                    devnull = open(os.devnull, 'w')
                    with RedirectStdStreams(stdout=devnull, stderr=devnull):
                        _key = create_and_store_rsa_key_pair(path=vault_path)

                k = RSAKey(key=_key, use=usage)
                k.add_kid()
                kb.append(k)
    return kb
示例#12
0
def test_rsa_load():
    _ckey = rsa_load(KEY)
    assert isinstance(_ckey, M2Crypto.RSA.RSA)
    jwk = dump_jwk(_ckey)
    print jwk
    assert _eq(jwk.keys(), ["kty", "e", "n"])
    assert jwk["n"] == '5zbNbHIYIkGGJ3RGdRKkYmF4gOorv5eDuUKTVtuu3VvxrpOWvwnFV-NY0LgqkQSMMyVzodJE3SUuwQTUHPXXY5784vnkFqzPRx6bHgPxKz7XfwQjEBTafQTMmOeYI8wFIOIHY5i0RWR-gxDbh_D5TXuUqScOOqR47vSpIbUH-nc'
    assert jwk['e'] == 'AQAB'
示例#13
0
    def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_config, idp_conf):
        subject_id = "testuser1"

        # proxy config
        satosa_config_dict["FRONTEND_MODULES"] = [oidc_frontend_config]
        satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config]
        satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name],
                                                                               "saml": [attr_name]}
                                                                   for attr_name in USERS[subject_id]}
        _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict))

        # application
        test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), Response)

        # get frontend OP config info
        provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8"))

        # create auth req
        claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[subject_id]}))
        req_args = {"scope": "openid", "response_type": "id_token", "client_id": CLIENT_ID,
                    "redirect_uri": REDIRECT_URI, "nonce": "nonce",
                    "claims": claims_request.to_json()}
        auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args)

        # make auth req to proxy
        proxied_auth_req = test_client.get(auth_req)
        assert proxied_auth_req.status == "303 See Other"

        # config test IdP
        backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0])
        idp_conf["metadata"]["inline"].append(backend_metadata_str)
        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf))

        # create auth resp
        req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query))
        url, authn_resp = fakeidp.handle_auth_req(
            req_params["SAMLRequest"],
            req_params["RelayState"],
            BINDING_HTTP_REDIRECT,
            subject_id,
            response_binding=BINDING_HTTP_REDIRECT)

        # make auth resp to proxy
        authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp)
        authn_resp = test_client.get(authn_resp_req)
        assert authn_resp.status == "303 See Other"

        # verify auth resp from proxy
        resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).fragment))
        signing_key = RSAKey(key=rsa_load(oidc_frontend_config["config"]["signing_key_path"]),
                             use="sig", alg="RS256")
        id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key])

        assert all(
            (name, values) in id_token_claims.items()
            for name, values in OIDC_USERS[subject_id].items()
        )
示例#14
0
def init_oidc_provider(app):
    with app.app_context():
        issuer = url_for("oidc_provider.index")[:-1]
        authentication_endpoint = url_for("oidc_provider.authentication_endpoint")
        jwks_uri = url_for("oidc_provider.jwks_uri")
        token_endpoint = url_for("oidc_provider.token_endpoint")
        userinfo_endpoint = url_for("oidc_provider.userinfo_endpoint")
        registration_endpoint = url_for("oidc_provider.registration_endpoint")
        end_session_endpoint = url_for("oidc_provider.end_session_endpoint")

    configuration_information = {
        "issuer": issuer,
        "authorization_endpoint": authentication_endpoint,
        "jwks_uri": jwks_uri,
        "token_endpoint": token_endpoint,
        "userinfo_endpoint": userinfo_endpoint,
        "registration_endpoint": registration_endpoint,
        "end_session_endpoint": end_session_endpoint,
        "scopes_supported": ["openid", "profile"],
        "response_types_supported": [
            "code",
            "code id_token",
            "code token",
            "code id_token token",
        ],  # code and hybrid
        "response_modes_supported": ["query", "fragment"],
        "grant_types_supported": ["authorization_code", "implicit"],
        "subject_types_supported": ["pairwise"],
        "token_endpoint_auth_methods_supported": [
            "client_secret_post",
            "client_secret_basic",
        ],
        "claims_parameter_supported": True,
    }

    clients = {
        "sample": {
            "client_secret": "sample",
            "redirect_uris": ["http://localhost:5000/test_auth_callback",],
            "response_types": ["code"],
        }
    }

    userinfo_db = Userinfo(app.users)
    signing_key = RSAKey(key=rsa_load("signing_key.pem"), alg="RS256")
    provider = Provider(
        signing_key,
        configuration_information,
        AuthorizationState(
            HashBasedSubjectIdentifierFactory(app.config["SUBJECT_ID_HASH_SALT"])
        ),
        clients,
        userinfo_db,
    )

    return provider
示例#15
0
def init_consent_manager(app: Flask):
    consent_db = ConsentDatasetDB(app.config['CONSENT_SALT'], app.config['MAX_CONSENT_EXPIRATION_MONTH'],
                                  app.config.get('CONSENT_DATABASE_URL'))
    consent_request_db = ConsentRequestDatasetDB(app.config['CONSENT_SALT'],
                                                 app.config.get('CONSENT_REQUEST_DATABASE_URL'))

    trusted_keys = [RSAKey(key=rsa_load(key)) for key in app.config['TRUSTED_KEYS']]
    cm = ConsentManager(consent_db, consent_request_db, trusted_keys, app.config['TICKET_TTL'],
                        app.config['MAX_CONSENT_EXPIRATION_MONTH'])
    return cm
示例#16
0
    def __init__(self, auth_req_callback_func, internal_attributes, conf,
                 base_url, name):
        self._validate_config(conf)
        super().__init__(auth_req_callback_func, internal_attributes, base_url,
                         name)

        self.config = conf
        self.signing_key = RSAKey(key=rsa_load(conf["signing_key_path"]),
                                  use="sig",
                                  alg="RS256")
示例#17
0
    def do_local_der(self, filename, keytype, keyusage):
        # This is only for RSA keys
        _bkey = rsa_load(filename)

        if not keyusage:
            keyusage = ["enc", "sig"]

        for use in keyusage:
            _key = RSAKey().load_key(_bkey)
            _key.use = use
            self._keys.append(_key)
示例#18
0
文件: keyio.py 项目: serac/pyoidc
    def do_local_der(self, filename, keytype, keyusage):
        # This is only for RSA keys
        _bkey = rsa_load(filename)

        if not keyusage:
            keyusage = ["enc", "sig"]

        for use in keyusage:
            _key = RSAKey().load_key(_bkey)
            _key.use = use
            self._keys.append(_key)
示例#19
0
 def __init__(self, config, *args, **kwargs):
     """
     :type config: satosa.satosa_config.SATOSAConfig
     :param config: The SATOSA proxy config
     """
     super().__init__(*args, **kwargs)
     self.api_url = config["api_url"]
     self.redirect_url = config["redirect_url"]
     self.signing_key = RSAKey(key=rsa_load(config["sign_key"]), use="sig", alg="RS256")
     self.endpoint = "/handle_account_linking"
     logger.info("Account linking is active")
示例#20
0
    def __init__(self, config, internal_attributes, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.name = "consent"
        self.api_url = config["api_url"]
        self.redirect_url = config["redirect_url"]
        self.locked_attr = None
        if "user_id_to_attr" in internal_attributes:
            self.locked_attr = internal_attributes["user_id_to_attr"]

        self.signing_key = RSAKey(key=rsa_load(config["sign_key"]), use="sig", alg="RS256")
        self.endpoint = "/handle_consent"
        logger.info("Consent flow is active")
示例#21
0
 def __init__(self, config, *args, **kwargs):
     """
     :type config: satosa.satosa_config.SATOSAConfig
     :param config: The SATOSA proxy config
     """
     super().__init__(*args, **kwargs)
     self.api_url = config["api_url"]
     self.redirect_url = config["redirect_url"]
     self.signing_key = RSAKey(key=rsa_load(config["sign_key"]), use="sig", alg="RS256")
     self.endpoint = "/handle_account_linking"
     self.id_to_attr = config.get("id_to_attr", None)
     logger.info("Account linking is active")
示例#22
0
    def __init__(self, config, internal_attributes, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.name = "consent"
        self.api_url = config["api_url"]
        self.redirect_url = config["redirect_url"]
        self.locked_attr = None
        if "user_id_to_attr" in internal_attributes:
            self.locked_attr = internal_attributes["user_id_to_attr"]

        self.signing_key = RSAKey(key=rsa_load(config["sign_key"]), use="sig", alg="RS256")
        self.endpoint = "/handle_consent"
        logger.info("Consent flow is active")
示例#23
0
    def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_config, idp_conf):
        user_id = "testuser1"

        # proxy config
        satosa_config_dict["FRONTEND_MODULES"] = [oidc_frontend_config]
        satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config]
        satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name],
                                                                               "saml": [attr_name]}
                                                                   for attr_name in USERS[user_id]}
        _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict))

        # application
        test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), BaseResponse)

        # get frontend OP config info
        provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8"))

        # create auth req
        claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[user_id]}))
        req_args = {"scope": "openid", "response_type": "id_token", "client_id": CLIENT_ID,
                    "redirect_uri": REDIRECT_URI, "nonce": "nonce",
                    "claims": claims_request.to_json()}
        auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args)

        # make auth req to proxy
        proxied_auth_req = test_client.get(auth_req)
        assert proxied_auth_req.status == "303 See Other"

        # config test IdP
        backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0])
        idp_conf["metadata"]["inline"].append(backend_metadata_str)
        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False))

        # create auth resp
        req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query))
        url, authn_resp = fakeidp.handle_auth_req(
            req_params["SAMLRequest"],
            req_params["RelayState"],
            BINDING_HTTP_REDIRECT,
            user_id,
            response_binding=BINDING_HTTP_REDIRECT)

        # make auth resp to proxy
        authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp)
        authn_resp = test_client.get("/" + authn_resp_req)
        assert authn_resp.status == "303 See Other"

        # verify auth resp from proxy
        resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).fragment))
        signing_key = RSAKey(key=rsa_load(oidc_frontend_config["config"]["signing_key_path"]),
                             use="sig", alg="RS256")
        id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key])
        assert all((k, v[0]) in id_token_claims.items() for k, v in USERS[user_id].items())
示例#24
0
    def __init__(self, config: dict) -> None:
        """
        :param config: service config
        """

        super(StatisticsService, self).__init__()
        self.config = config
        self.stat_uri = config["rest_uri"]
        self.verify_ssl = config["verify_ssl"] if "verify_ssl" in config else False

        _bkey = rsa_load(config["signing_key"])
        self.sign_key = RSAKey().load_key(_bkey)
        self.sign_key.use = "sig"
示例#25
0
文件: keyio.py 项目: biancini/pyoidc
    def do_local_der(self, filename, keytype, keyusage):
        _bkey = None
        if keytype == "RSA":
            _bkey = rsa_load(filename)

        if not keyusage:
            keyusage = ["enc", "sig"]

        for use in keyusage:
            _key = K2C[keytype]()
            _key.key = _bkey
            _key.decomp()
            _key.use = use
            self._keys.append(_key)
示例#26
0
    def __init__(self, auth_req_callback_func, internal_attributes, conf,
                 base_url, name):
        _validate_config(conf)
        super().__init__(auth_req_callback_func, internal_attributes, base_url,
                         name)

        self.config = conf
        provider_config = self.config["provider"]
        provider_config["issuer"] = base_url

        self.signing_key = RSAKey(
            key=rsa_load(self.config["signing_key_path"]),
            use="sig",
            alg="RS256",
            kid=self.config.get("signing_key_id", ""),
        )

        db_uri = self.config.get("db_uri")
        self.stateless = StorageBase.type(db_uri) == "stateless"
        self.user_db = (StorageBase.from_uri(
            db_uri, db_name="satosa", collection="authz_codes")
                        if db_uri and not self.stateless else {})

        sub_hash_salt = self.config.get("sub_hash_salt", rndstr(16))
        authz_state = _init_authorization_state(provider_config, db_uri,
                                                sub_hash_salt)

        client_db_uri = self.config.get("client_db_uri")
        cdb_file = self.config.get("client_db_path")
        if client_db_uri:
            cdb = StorageBase.from_uri(client_db_uri,
                                       db_name="satosa",
                                       collection="clients",
                                       ttl=None)
        elif cdb_file:
            with open(cdb_file) as f:
                cdb = json.loads(f.read())
        else:
            cdb = {}

        self.endpoint_baseurl = "{}/{}".format(self.base_url, self.name)
        self.provider = _create_provider(
            provider_config,
            self.endpoint_baseurl,
            self.internal_attributes,
            self.signing_key,
            authz_state,
            self.user_db,
            cdb,
        )
示例#27
0
文件: wsgi.py 项目: mrvanes/CMservice
def init_consent_manager(app: Flask):
    consent_db = ConsentDatasetDB(app.config['CONSENT_SALT'],
                                  app.config['MAX_CONSENT_EXPIRATION_MONTH'],
                                  app.config.get('CONSENT_DATABASE_URL'))
    consent_request_db = ConsentRequestDatasetDB(
        app.config['CONSENT_SALT'],
        app.config.get('CONSENT_REQUEST_DATABASE_URL'))

    trusted_keys = [
        RSAKey(key=rsa_load(key)) for key in app.config['TRUSTED_KEYS']
    ]
    cm = ConsentManager(consent_db, consent_request_db, trusted_keys,
                        app.config['TICKET_TTL'],
                        app.config['MAX_CONSENT_EXPIRATION_MONTH'])
    return cm
 def __init__(self, config, *args, **kwargs):
     super().__init__(*args, **kwargs)
     self.redirect_url = config["redirect_url"]
     self.api_url = config["api_url"]
     self.exclude = config["exclude"]
     self.user_id = config["user_identificator"]
     self.conflict_compatibility = config["conflict_compatibility"]
     self.included_requesters = config["included_requesters"] or []
     self.excluded_requesters = config["excluded_requesters"] or []
     self.signing_key = RSAKey(key=rsa_load(config["private_key"]),
                               use="sig",
                               alg="RS256")
     self.endpoint = "/process"
     self.id_to_attr = config.get("id_to_attr", None)
     logger.info("Webauthn is active")
示例#29
0
    def assert_registration_req(self, request, internal_response, sign_key_path, base_url, requester_name):
        split_path = request.path_url.lstrip("/").split("/")
        assert len(split_path) == 2
        jwks = split_path[1]

        # Verify signature
        sign_key = RSAKey(key=rsa_load(sign_key_path), use="sig")
        jws = JWS()
        jws.verify_compact(jwks, [sign_key])

        consent_args = jws.msg
        assert consent_args["attr"] == internal_response.attributes
        assert consent_args["redirect_endpoint"] == base_url + "/consent/handle_consent"
        assert consent_args["requester_name"] == requester_name
        assert consent_args["locked_attrs"] == [USER_ID_ATTR]
        assert "id" in consent_args
示例#30
0
    def do_local_der(self, filename, keytype, keyusage):
        _bkey = None
        if keytype == "RSA":
            _bkey = rsa_load(filename)

        if not keyusage:
            keyusage = ["enc", "sig"]

        for use in keyusage:
            _key = K2C[keytype]()
            _key.key = _bkey

            if _bkey:
                _key.serialize()

            _key.use = use
            self._keys.append(_key)
示例#31
0
    def test_construct(self, client):
        _key = rsa_load(
            os.path.join(BASE_PATH, "data/keys/rsa.key"))
        kc_rsa = KeyBundle([{"key": _key, "kty": "RSA", "use": "ver"},
                            {"key": _key, "kty": "RSA", "use": "sig"}])
        client.keyjar[""] = kc_rsa
        client.token_endpoint = "https://example.com/token"

        cis = AccessTokenRequest()
        pkj = PrivateKeyJWT(client)
        http_args = pkj.construct(cis, algorithm="RS256")
        assert http_args == {}
        cas = cis["client_assertion"]
        _jwt = JWT().unpack(cas)
        jso = _jwt.payload()
        assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
        assert _jwt.headers == {'alg': 'RS256'}
示例#32
0
def init_account_linking(app: Flask, mail_client: Email = None):
    trusted_keys = [RSAKey(key=rsa_load(path)) for path in app.config["JWT_PUB_KEY"]]
    salt = app.config["SALT"]

    with open(app.config["MESSAGE_TEMPLATE"]) as f:
        message = f.read()

    message_from = app.config["MESSAGE_FROM"]
    message_subject = app.config["MESSAGE_SUBJECT"]
    smtp_server = app.config["SMTP_SERVER"]

    email_sender = mail_client or EmailSmtp(message_subject, message, message_from, smtp_server)
    database = ALDatasetDatabase(app.config.get("DATABASE_URL"))

    al = AccountLinking(trusted_keys, database, salt, email_sender, pin_verify=app.config["PIN_CHECK"],
                        pin_empty=app.config["PIN_EMPTY"])

    return al
示例#33
0
    def test_handle_authn_response_returns_id_token_for_verified_affiliation(
            self, signing_key_path, context, scope_value, affiliation):
        authn_req = AuthorizationRequest(scope='openid ' + scope_value, client_id='client1',
                                         redirect_uri='https://client.example.com',
                                         response_type='id_token')
        context.state[self.frontend.name] = {'oidc_request': authn_req.to_urlencoded()}
        internal_response = InternalResponse(AuthenticationInformation(None, str(datetime.now()),
                                                                       'https://idp.example.com'))
        internal_response.attributes['affiliation'] = [affiliation]
        internal_response.user_id = 'user1'

        resp = self.frontend.handle_authn_response(context, internal_response)
        auth_resp = AuthorizationResponse().from_urlencoded(urlparse(resp.message).fragment)

        id_token = IdToken().from_jwt(auth_resp['id_token'], key=[RSAKey(key=rsa_load(signing_key_path))])
        assert id_token['iss'] == self.frontend.base_url
        assert id_token['aud'] == ['client1']
        assert id_token['auth_time'] == internal_response.auth_info.timestamp
示例#34
0
    def assert_registration_req(self, request, internal_response,
                                sign_key_path, base_url, requester_name):
        split_path = request.path_url.lstrip("/").split("/")
        assert len(split_path) == 2
        jwks = split_path[1]

        # Verify signature
        sign_key = RSAKey(key=rsa_load(sign_key_path), use="sig")
        jws = JWS()
        jws.verify_compact(jwks, [sign_key])

        consent_args = jws.msg
        assert consent_args["attr"] == internal_response.attributes
        assert consent_args[
            "redirect_endpoint"] == base_url + "/consent/handle_consent"
        assert consent_args["requester_name"] == requester_name
        assert consent_args["locked_attrs"] == [USER_ID_ATTR]
        assert "id" in consent_args
示例#35
0
 def plugin_enable(self) -> None:
     # pylint: disable=attribute-defined-outside-init
     self.signing_key = RSAKey(key=rsa_load("signing_key.pem"),
                               use="sig",
                               alg="RS256")
     # pylint: disable=attribute-defined-outside-init
     self.oidc_configuration_information = {
         "issuer":
         self.app.config["URL_BASE"].replace("http://", "https://"),
         "authorization_endpoint":
         self.app.config["URL_BASE"] + "/oidc/authorization",
         "jwks_uri":
         self.app.config["URL_BASE"] + "/oidc/jwks",
         "token_endpoint":
         self.app.config["URL_BASE"] + "/oidc/token",
         "userinfo_endpoint":
         self.app.config["URL_BASE"] + "/oidc/userinfo",
         "response_types_supported": ["code"],
         "id_token_signing_alg_values_supported": [self.signing_key.alg],
         "response_modes_supported": ["fragment", "query"],
         "subject_types_supported": ["public", "pairwise"],
         "grant_types_supported": ["authorization_code", "implicit"],
         "claim_types_supported": ["normal"],
         "claims_parameter_supported":
         True,
         "claims_supported":
         ["sub", "name", "given_name", "family_name", "email", "profile"],
         "scopes_supported": ["openid", "email", "profile"]
     }
     subject_id_factory = HashBasedSubjectIdentifierFactory(
         self.app.config["SECRET_KEY"])
     # pylint: disable=attribute-defined-outside-init
     self.provider = Provider(
         self.signing_key, self.oidc_configuration_information,
         AuthorizationState(
             subject_id_factory,
             SQLWrapper(self.storage, 'authz_codes'),
             SQLWrapper(self.storage, 'access_tokens'),
             SQLWrapper(self.storage, 'refresh_tokens'),
             SQLWrapper(self.storage, 'subject_identifiers', True),
         ), SQLWrapper(self.storage, 'clients'),
         Userinfo(PersonWrapper(self.storage)))
示例#36
0
    def test_existing_account_linking_with_known_known_uuid(self, account_linking_config, internal_response, context):
        uuid = "uuid"
        data = {
            "idp": internal_response.auth_info.issuer,
            "id": internal_response.user_id,
            "redirect_endpoint": self.account_linking.base_url + "/account_linking/handle_account_linking"
        }
        key = RSAKey(key=rsa_load(account_linking_config["sign_key"]), use="sig", alg="RS256")
        jws = JWS(json.dumps(data), alg=key.alg).sign_compact([key])
        responses.add(
            responses.GET,
            "%s/get_id?jwt=%s" % (account_linking_config["api_url"], jws),
            status=200,
            body=uuid,
            content_type="text/html",
            match_querystring=True
        )

        self.account_linking.process(context, internal_response)
        assert internal_response.user_id == uuid
示例#37
0
文件: consent.py 项目: borgand/SATOSA
    def __init__(self, config, callback_func):
        self.callback_func = callback_func
        self.enabled = \
            "CONSENT" in config and ("enable" not in config.CONSENT or config.CONSENT["enable"])
        if self.enabled:
            self.proxy_base = config.BASE
            self.consent_uri = config.CONSENT["rest_uri"]
            self.consent_redirect_url = config.CONSENT["redirect"]
            self.endpoint = config.CONSENT["endpoint"]
            self.verify_ssl = config.CONSENT["verify_ssl"]
            self.locked_attr = None
            if "user_id_to_attr" in config.INTERNAL_ATTRIBUTES:
                self.locked_attr = config.INTERNAL_ATTRIBUTES["user_id_to_attr"]

            _bkey = rsa_load(config.CONSENT["sign_key"])
            self.sign_key = RSAKey().load_key(_bkey)
            self.sign_key.use = "sig"
            LOGGER.info("Consent flow is active")
        else:
            LOGGER.info("Consent flow is not active")
示例#38
0
    def do_local_der(self, filename, keytype, keyusage=None):
        """
        Load a DER encoded file amd create a key from it.
         
        :param filename: 
        :param keytype: Presently only 'rsa' supported
        :param keyusage: encryption ('enc') or signing ('sig') or both
        """
        _bkey = rsa_load(filename)

        if keytype.lower() != 'rsa':
            raise NotImplemented('No support for DER decoding of that key type')

        if not keyusage:
            keyusage = ["enc", "sig"]
        else:
            keyusage = harmonize_usage(keyusage)

        for use in keyusage:
            _key = RSAKey().load_key(_bkey)
            _key.use = use
            self._keys.append(_key)

        self.last_updated = time.time()
示例#39
0
                        help="File containing a RSA key")
    parser.add_argument('-p', dest="rsa_pub_file",
                        help="File containing a public RSA key")
    parser.add_argument('-k', dest="hmac_key",
                        help="If using a HMAC algorithm this is the key")
    parser.add_argument('-x', dest="x509_file",
                        help="File containing a X509 certificate")
    parser.add_argument("message", nargs="?",
                        help="The message to verify signature on")


    args = parser.parse_args()

    keys = {}
    if args.rsa_file:
        keys = {"rsa": [rsa_load(args.rsa_file)]}
    elif args.hmac_key:
        keys = {"hmac": [args.hmac_key]}
    elif args.x509_file:
        keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]}
    elif args.rsa_pub_file:
        keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]}

    if args.message == "-":
        message = sys.stdin.read()
    else:
        message = args.message

    if keys:
        print verify(message, keys)
    else:
示例#40
0
文件: idp.py 项目: HaToHo/IdPproxy
    _parser = argparse.ArgumentParser()
    _parser.add_argument('-d', dest='debug', action='store_true',
                         help="Print debug information")
    _parser.add_argument('-v', dest='verbose', action='store_true',
                         help="Print runtime information")
    _parser.add_argument('-r', dest="rsa_file",
                         help="A file containing a RSA key")
    _parser.add_argument('-p', dest="rsa_public_file",
                         help="A file containing a public RSA key")
    _parser.add_argument("config", nargs="?", help="Server configuration")

    args = _parser.parse_args()

    if args.rsa_file:
        key = rsa_load(args.rsa_file)
    else:
        key = None

    if args.rsa_file:
        _key = rsa_priv_to_pub(args.rsa_file)
    elif args.rsa_public_file:
        _key = rsa_pub_load(args.rsa_public_file)
    else:
        _key = None
    idp_conf = import_module(args.config)
    metadata = idp_conf.CONFIG["metadata"]
    if _key:
        generateMetadata = MetadataGeneration(idp_conf.CONFIG,
            logger, idp_proxy_conf.SERVICE, publicKey=_key, privateKey=key,
            metadataList=[metadata])
示例#41
0
import json
import os
import argparse
from jwkest.jwk import RSAKey, rsa_load, dump_jwks

__author__ = 'rolandh'

parser = argparse.ArgumentParser()
parser.add_argument('-n', dest="name", default="pyoidc",
                    help="file names")
parser.add_argument('-p', dest="path", default=".",
                    help="Path to the directory for the files")
parser.add_argument('-k', dest="key", help="Key file")

args = parser.parse_args()

key = rsa_load(args.key)
rsa_key = RSAKey(key=key)
rsa_key.serialize()

# This will create JWK from the public RSA key
jwk_spec = json.dumps(rsa_key.to_dict(), "enc")

keyfile = os.path.join(args.path, args.name)

_out = dump_jwks([{"key":key, "use":"enc"}])

f = open(keyfile + ".jwk", "w")
f.write(_out)
f.close()
示例#42
0
                        help="File containing a public RSA key")
    parser.add_argument('-k',
                        dest="hmac_key",
                        help="If using a HMAC algorithm this is the key")
    parser.add_argument('-x',
                        dest="x509_file",
                        help="File containing a X509 certificate")
    parser.add_argument("message",
                        nargs="?",
                        help="The message to verify signature on")

    args = parser.parse_args()

    keys = {}
    if args.rsa_file:
        keys = {"rsa": [rsa_load(args.rsa_file)]}
    elif args.hmac_key:
        keys = {"hmac": [args.hmac_key]}
    elif args.x509_file:
        keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]}
    elif args.rsa_pub_file:
        keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]}

    if args.message == "-":
        message = sys.stdin.read()
    else:
        message = args.message

    if keys:
        print verify(message, keys)
    else:
示例#43
0
from oic.extension.oidc_fed import ClientMetadataStatement
from oic.extension.oidc_fed import Operator
from oic.utils.authn.authn_context import AuthnBroker
from oic.utils.authn.client import CLIENT_AUTHN_METHOD
from oic.utils.authn.client import verify_client
from oic.utils.authn.user import UserAuthnMethod
from oic.utils.authz import AuthzHandling
from oic.utils.keyio import build_keyjar
from oic.utils.keyio import KeyBundle
from oic.utils.keyio import KeyJar
from oic.utils.sdb import SessionDB
from oic.utils.userinfo import UserInfo

BASE_PATH = os.path.abspath(
    os.path.join(os.path.dirname(__file__), "data/keys"))
_key = rsa_load(os.path.join(BASE_PATH, "rsa.key"))
KC_RSA = KeyBundle({"key": _key, "kty": "RSA", "use": "sig"})

CLIENT_ID = "client_1"

KEYDEFS = [
    {"type": "RSA", "key": '', "use": ["sig"]},
    {"type": "EC", "crv": "P-256", "use": ["sig"]}
]

CONSUMER_CONFIG = {
    "authz_page": "/authz",
    "scope": ["openid"],
    "response_type": ["code"],
    "user_info": {
        "name": None,
示例#44
0
#!/usr/bin/env python
import os
import argparse
from jwkest.jwk import RSAKey
from jwkest.jwk import rsa_load
from jwkest.jwk import dump_jwks

__author__ = 'rolandh'

parser = argparse.ArgumentParser()
parser.add_argument('-n', dest="name", default="pyoidc",
                    help="file names")
parser.add_argument('-p', dest="path", default=".",
                    help="Path to the directory for the files")
parser.add_argument('-k', dest="key", help="Key file")

args = parser.parse_args()

rsa_key = RSAKey(key=rsa_load(args.key))

keyfile = os.path.join(args.path, args.name)

f = open(keyfile + ".jwk", "w")
f.write(dump_jwks([rsa_key]))
f.close()
示例#45
0
    elif args.jwk_file:
        keys = load_jwks(open(args.jwk_file).read())
    elif args.x509_url:
        # load_x509_cert returns list of 2-tuples
        keys = [
            RSAKey(key=x) for x, y in load_x509_cert(lrequest, args.x509_url)
        ]
        for key in keys:
            key.serialize()
    elif args.x509_file:
        # import_rsa_key_from_file returns RSA key instance
        _key = RSAKey(key=import_rsa_key_from_file(args.x509_file))
        _key.serialize()
        keys = [_key]
    elif args.rsa_file:
        _key = RSAKey(key=rsa_load(args.rsa_file))
        _key.serialize()
        keys = [_key]
    else:
        print >> sys.stderr, "Needs encryption key"
        exit()

    if not args.enc or not args.alg:
        print >> sys.stderr, "There are no default encryption methods"
        exit()

    if args.enc not in SUPPORTED["enc"]:
        print >> sys.stderr, "Encryption method %s not supported" % args.enc
        print >> sys.stderr, "Methods supported: %s" % SUPPORTED["enc"]
        exit()
示例#46
0
    def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url, name):
        self._validate_config(conf)
        super().__init__(auth_req_callback_func, internal_attributes, base_url, name)

        self.config = conf
        self.signing_key = RSAKey(key=rsa_load(conf["signing_key_path"]), use="sig", alg="RS256")
    app._mako_lookup = TemplateLookup(
        directories=["templates"],
        input_encoding='utf-8',
        output_encoding='utf-8',
        imports=["from flask.ext.babel import gettext as _"])
    context = None
    if app.config['SSL']:
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        context.load_cert_chain(app.config["SERVER_CERT"],
                                app.config["SERVER_KEY"])
    global keys
    global stat_service
    global base
    keys = []
    for key in app.config["JWT_PUB_KEY"]:
        _bkey = rsa_load(key)
        pub_key = RSAKey().load_key(_bkey)
        keys.append(pub_key)
    # salt = app.config["SALT"]

    # message = open(app.config["MESSAGE_TEMPLATE"], "r").read()
    # message_from = app.config["MESSAGE_FROM"]
    # message_subject = app.config["MESSAGE_SUBJECT"]
    # smtp_server = app.config["SMTP_SERVER"]

    # verify_url = "%s://%s:%s/verify_token" % ("https" if context else "http",
    #                                           app.config['HOST'],
    #                                           app.config['PORT'])

    base = "%s://%s:%s" % ("https" if context else "http", app.config['HOST'],
                           app.config['PORT'])
示例#48
0
    LOGGER.setLevel(logging.DEBUG)
    mako = MakoTemplates()
    mako.init_app(app)
    app._mako_lookup = TemplateLookup(directories=["templates"],
                                      input_encoding='utf-8', output_encoding='utf-8',
                                      imports=["from flask.ext.babel import gettext as _"])
    context = None
    if app.config['SSL']:
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        context.load_cert_chain(app.config["SERVER_CERT"], app.config["SERVER_KEY"])
    global keys
    global stat_service
    global base
    keys = []
    for key in app.config["JWT_PUB_KEY"]:
        _bkey = rsa_load(key)
        pub_key = RSAKey().load_key(_bkey)
        keys.append(pub_key)
    # salt = app.config["SALT"]

    # message = open(app.config["MESSAGE_TEMPLATE"], "r").read()
    # message_from = app.config["MESSAGE_FROM"]
    # message_subject = app.config["MESSAGE_SUBJECT"]
    # smtp_server = app.config["SMTP_SERVER"]

    # verify_url = "%s://%s:%s/verify_token" % ("https" if context else "http",
    #                                           app.config['HOST'],
    #                                           app.config['PORT'])

    base = "%s://%s:%s" % ("https" if context else "http", app.config['HOST'], app.config['PORT'])
示例#49
0
        keys = load_jwks_from_url(args.jwk_url, {})
    elif args.jwk_file:
        keys = load_jwks(open(args.jwk_file).read())
    elif args.x509_url:
        # load_x509_cert returns list of 2-tuples
        keys = [RSAKey(key=x) for x, y in load_x509_cert(lrequest,
                                                         args.x509_url)]
        for key in keys:
            key.serialize()
    elif args.x509_file:
        # import_rsa_key_from_file returns RSA key instance
        _key = RSAKey(key=import_rsa_key_from_file(args.x509_file))
        _key.serialize()
        keys = [_key]
    elif args.rsa_file:
        _key = RSAKey(key=rsa_load(args.rsa_file))
        _key.serialize()
        keys = [_key]
    else:
        print >> sys.stderr, "Needs encryption key"
        exit()

    if not args.enc or not args.alg:
        print >> sys.stderr, "There are no default encryption methods"
        exit()

    if args.enc not in SUPPORTED["enc"]:
        print >> sys.stderr, "Encryption method %s not supported" % args.enc
        print >> sys.stderr, "Methods supported: %s" % SUPPORTED["enc"]
        exit()
示例#50
0
    parser.add_argument("-f", dest="file", help="File with the message")
    parser.add_argument("message", nargs="?", help="The message to encrypt")

    args = parser.parse_args()

    keys = {}
    if args.jwk_url:
        keys = assign(load_jwks_from_url(lrequest, args.jwk_url))
    elif args.jwk_file:
        keys = load_jwks(open(args.jwk_file).read())
    elif args.x509_url:
        keys = load_x509_cert(lrequest, args.x509_url)
    elif args.x509_file:
        keys = [import_rsa_key_from_file(args.x509_file)]
    elif args.rsa_file:
        key = rsa_load(args.rsa_file)
        rsa_key = RSAKey(key=key)
        rsa_key.serialize()
        keys = [rsa_key]
    else:
        print("Needs encryption key")
        exit()

    if args.file:
        msg = open(args.file).read()
        msg = msg.strip("\n\r")
    else:
        msg = args.message

    jwe = JWE()
    print(jwe.decrypt(msg, keys))
示例#51
0
def signing_key(cert_and_key):
    return RSAKey(key=rsa_load(cert_and_key[1]), alg="RS256")
示例#52
0
 def create_test_client(self, app_config, cert_and_key):
     self.app = create_app(config=app_config).test_client()
     self.signing_key = RSAKey(key=rsa_load(cert_and_key[1]), alg='RS256')
示例#53
0
from oic import rndstr

from oic.federation import ClientMetadataStatement
from oic.federation.operator import Operator

from oic.utils.authn.authn_context import AuthnBroker
from oic.utils.authn.user import UserAuthnMethod
from oic.utils.authz import AuthzHandling
from oic.utils.keyio import KeyBundle
from oic.utils.keyio import KeyJar
from oic.utils.keyio import build_keyjar
from oic.utils.userinfo import UserInfo

BASE_PATH = os.path.abspath(
    os.path.join(os.path.dirname(__file__), "data/keys"))
_key = rsa_load(os.path.join(BASE_PATH, "rsa.key"))
KC_RSA = KeyBundle({"key": _key, "kty": "RSA", "use": "sig"})

CLIENT_ID = "client_1"

KEYDEFS = [{
    "type": "RSA",
    "key": '',
    "use": ["sig"]
}, {
    "type": "EC",
    "crv": "P-256",
    "use": ["sig"]
}]

CONSUMER_CONFIG = {
示例#54
0
#!/home/vinicius/Área de Trabalho/App-Flask-React/backend-flask/venv/bin/python3
import os
import argparse
from jwkest.jwk import RSAKey
from jwkest.jwk import rsa_load
from jwkest.jwk import dump_jwks

__author__ = 'rolandh'

parser = argparse.ArgumentParser()
parser.add_argument('-n', dest="name", default="pyoidc", help="file names")
parser.add_argument('-p',
                    dest="path",
                    default=".",
                    help="Path to the directory for the files")
parser.add_argument('-k', dest="key", help="Key file")

args = parser.parse_args()

rsa_key = RSAKey(key=rsa_load(args.key))

keyfile = os.path.join(args.path, args.name)

f = open(keyfile + ".jwk", "w")
f.write(dump_jwks([rsa_key]))
f.close()
示例#55
0
import os
import argparse
from jwkest.jwk import RSAKey, rsa_load, dump_jwks

__author__ = 'rolandh'

parser = argparse.ArgumentParser()
parser.add_argument('-n', dest="name", default="pyoidc", help="file names")
parser.add_argument('-p',
                    dest="path",
                    default=".",
                    help="Path to the directory for the files")
parser.add_argument('-k', dest="key", help="Key file")

args = parser.parse_args()

key = rsa_load(args.key)
rsa_key = RSAKey(key=key)
rsa_key.serialize()

# This will create JWK from the public RSA key
jwk_spec = json.dumps(rsa_key.to_dict(), "enc")

keyfile = os.path.join(args.path, args.name)

_out = dump_jwks([{"key": key, "use": "enc"}])

f = open(keyfile + ".jwk", "w")
f.write(_out)
f.close()
示例#56
0
    parser.add_argument("-f", dest="file", help="File to be encrypted")
    parser.add_argument("message", nargs="?", help="The message to encrypt")

    args = parser.parse_args()

    keys = {}
    if args.jwk_url:
        keys = assign(load_jwks_from_url(args.jwk_url, {}))
    elif args.jwk_file:
        keys = assign(load_jwks(open(args.jwk_file).read()))
    elif args.x509_url:
        keys = assign(load_x509_cert(lrequest, args.x509_url))
    elif args.x509_file:
        keys = {"RSA": [import_rsa_key_from_file(args.x509_file)]}
    elif args.rsa_file:
        keys = {"RSA": [rsa_load(args.rsa_file)]}
        mode = ""
    else:
        print >> sys.stderr, "Needs encryption key"
        exit()

    if not args.enc or not args.alg:
        print >> sys.stderr, "There are no default encryption methods"
        exit()

    if args.enc not in SUPPORTED["enc"]:
        print >> sys.stderr, "Encryption method %s not supported" % args.enc
        print >> sys.stderr, "Methods supported: %s" % SUPPORTED["enc"]
        exit()

    if args.alg not in SUPPORTED["alg"]:
示例#57
0
 def create_test_client(self, app_config, cert_and_key):
     self.app = create_app(config=app_config).test_client()
     self.signing_key = RSAKey(key=rsa_load(cert_and_key[1]), alg='RS256')
示例#58
0
 def create_test_client(self, app, cert_and_key):
     self.app = app.test_client()
     self.signing_key = RSAKey(key=rsa_load(cert_and_key[1]), alg="RS256")