def __init__(self, config, callback_func): """ :type config: satosa.satosa_config.SATOSAConfig :type callback_func: (satosa.context.Context, satosa.internal_data.InternalResponse) -> satosa.response.Response :param config: The SATOSA proxy config :param callback_func: Callback function when the linking is done """ self.config = config self.callback_func = callback_func self.enabled = \ "ACCOUNT_LINKING" in config and ("enable" not in config.ACCOUNT_LINKING or config.ACCOUNT_LINKING["enable"]) if self.enabled: self.proxy_base = config.BASE self.al_rest_uri = config.ACCOUNT_LINKING["rest_uri"] self.al_redirect = config.ACCOUNT_LINKING["redirect"] self.endpoint = config.ACCOUNT_LINKING["endpoint"] self.verify_ssl = True if "verify_ssl" not in config.ACCOUNT_LINKING else \ config.ACCOUNT_LINKING["verify_ssl"] _bkey = rsa_load(config.ACCOUNT_LINKING["sign_key"]) self.sign_key = RSAKey().load_key(_bkey) self.sign_key.use = "sig" LOGGER.info("Account linking is active") else: LOGGER.info("Account linking is not active")
def test_handle_authn_response_returns_id_token_for_verified_affiliation( self, signing_key_path, context, scope_value, affiliation): authn_req = AuthorizationRequest( scope='openid ' + scope_value, client_id='client1', redirect_uri='https://client.example.com', response_type='id_token') context.state[self.frontend.name] = { 'oidc_request': authn_req.to_urlencoded() } internal_response = InternalResponse( AuthenticationInformation(None, str(datetime.now()), 'https://idp.example.com')) internal_response.attributes['affiliation'] = [affiliation] internal_response.user_id = 'user1' resp = self.frontend.handle_authn_response(context, internal_response) auth_resp = AuthorizationResponse().from_urlencoded( urlparse(resp.message).fragment) id_token = IdToken().from_jwt( auth_resp['id_token'], key=[RSAKey(key=rsa_load(signing_key_path))]) assert id_token['iss'] == self.frontend.base_url assert id_token['aud'] == ['client1'] assert id_token['auth_time'] == internal_response.auth_info.timestamp
def test_full_flow(self, account_linking_config, internal_response, context): ticket = "ticket" with responses.RequestsMock() as rsps: rsps.add( responses.GET, "%s/get_id" % account_linking_config["api_url"], status=404, body=ticket, content_type="text/html" ) result = self.account_linking.process(context, internal_response) assert isinstance(result, Redirect) assert result.message.startswith(account_linking_config["redirect_url"]) data = { "idp": internal_response.auth_info.issuer, "id": internal_response.user_id, "redirect_endpoint": self.account_linking.base_url + "/account_linking/handle_account_linking" } key = RSAKey(key=rsa_load(account_linking_config["sign_key"]), use="sig", alg="RS256") jws = JWS(json.dumps(data), alg=key.alg).sign_compact([key]) uuid = "uuid" with responses.RequestsMock() as rsps: # account is linked, 200 OK rsps.add( responses.GET, "%s/get_id?jwt=%s" % (account_linking_config["api_url"], jws), status=200, body=uuid, content_type="text/html", match_querystring=True ) internal_response = self.account_linking._handle_al_response(context) assert internal_response.user_id == uuid
def init_oidc_provider(app): with app.app_context(): issuer = url_for('oidc_provider.index')[:-1] authentication_endpoint = url_for('oidc_provider.authentication_endpoint') jwks_uri = url_for('oidc_provider.jwks_uri') token_endpoint = url_for('oidc_provider.token_endpoint') userinfo_endpoint = url_for('oidc_provider.userinfo_endpoint') registration_endpoint = url_for('oidc_provider.registration_endpoint') end_session_endpoint = url_for('oidc_provider.end_session_endpoint') userinfo_ldap = LdapUserInfo() configuration_information = { 'issuer': issuer, 'authorization_endpoint': authentication_endpoint, 'jwks_uri': jwks_uri, 'token_endpoint': token_endpoint, 'userinfo_endpoint': userinfo_endpoint, 'registration_endpoint': registration_endpoint, 'end_session_endpoint': end_session_endpoint, 'scopes_supported': ['openid', 'profile'], 'response_types_supported': ['code', 'code id_token', 'code token', 'code id_token token'], # code and hybrid 'response_modes_supported': ['query', 'fragment'], 'grant_types_supported': ['authorization_code', 'implicit'], 'subject_types_supported': ['pairwise'], 'token_endpoint_auth_methods_supported': ['client_secret_basic'], 'claims_parameter_supported': True } signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256') provider = Provider(signing_key, configuration_information, AuthorizationState(HashBasedSubjectIdentifierFactory(app.config['SUBJECT_ID_HASH_SALT'])), {}, userinfo_ldap) return provider
def __init__(self, patch, config={}): Server.__init__(self) self.patch = patch self.session = None self.config = { 'issuer': 'https://example.com', } self.config.update(config) self.authz_codes = {} self.access_tokens = {} self.client = { 'test-client': { 'client_name': 'Test Client', 'client_secret': 'test-secret', 'post_logout_redirect_uris': [ 'http://localhost:5000/sign-out', ], 'redirect_uris': [ 'http://localhost:5000/oidc_callback', ], 'response_types': ['code'], } } self.access_token_lifetime = 3600 self.authorization_code_lifetime = 600 self.id_token_lifetime = 3600 self.registration_expires_in = 3600 self.host = '' self.userinfo_signed_response_alg = '' self.signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256') self.urls = []
def test_construct(self, client): _key = rsa_load(os.path.join(BASE_PATH, "data/keys/rsa.key")) kc_rsa = KeyBundle([{ "key": _key, "kty": "RSA", "use": "ver" }, { "key": _key, "kty": "RSA", "use": "sig" }]) client.keyjar[""] = kc_rsa client.token_endpoint = "https://example.com/token" client.provider_info = { 'issuer': 'https://example.com/', 'token_endpoint': "https://example.com/token" } cis = AccessTokenRequest() pkj = PrivateKeyJWT(client) http_args = pkj.construct(cis, algorithm="RS256", authn_endpoint='token') assert http_args == {} cas = cis["client_assertion"] _jwt = JWT().unpack(cas) jso = _jwt.payload() assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"]) assert _jwt.headers == {'alg': 'RS256'} assert jso['aud'] == [client.provider_info['token_endpoint']]
def key_setup(vault, **kwargs): """ :param vault: Where the keys are kept :return: 2-tuple: result of urlsplit and a dictionary with parameter name as key and url and value """ vault_path = proper_path(vault) if not os.path.exists(vault_path): os.makedirs(vault_path) kb = KeyBundle() kid = 1 for usage in ["sig", "enc"]: if usage in kwargs: if kwargs[usage] is None: continue _args = kwargs[usage] if _args["alg"] == "RSA": try: _key = rsa_load('%s%s' % (vault_path, "pyoidc")) except Exception: devnull = open(os.devnull, 'w') with RedirectStdStreams(stdout=devnull, stderr=devnull): _key = create_and_store_rsa_key_pair( path=vault_path) kb.append(RSAKey(key=_key, use=usage, kid=kid)) kid += 1 if usage == "sig" and "enc" not in kwargs: kb.append(RSAKey(key=_key, use="enc", kid=kid)) kid += 1 return kb
def test_existing_account_linking_with_known_known_uuid( self, account_linking_config, internal_response, context): uuid = "uuid" data = { "idp": internal_response.auth_info.issuer, "id": internal_response.subject_id, "redirect_endpoint": self.account_linking.base_url + "/account_linking/handle_account_linking" } key = RSAKey(key=rsa_load(account_linking_config["sign_key"]), use="sig", alg="RS256") jws = JWS(json.dumps(data), alg=key.alg).sign_compact([key]) responses.add(responses.GET, "%s/get_id?jwt=%s" % (account_linking_config["api_url"], jws), status=200, body=uuid, content_type="text/html", match_querystring=True) self.account_linking.process(context, internal_response) assert internal_response.subject_id == uuid
def key_setup(vault, **kwargs): """ :param vault: Where the keys are kept :return: 2-tuple: result of urlsplit and a dictionary with parameter name as key and url and value """ vault_path = proper_path(vault) if not os.path.exists(vault_path): os.makedirs(vault_path) kb = KeyBundle() for usage in ["sig", "enc"]: if usage in kwargs: if kwargs[usage] is None: continue _args = kwargs[usage] if _args["alg"].upper() == "RSA": try: _key = rsa_load('%s%s' % (vault_path, "pyoidc")) except Exception: devnull = open(os.devnull, 'w') with RedirectStdStreams(stdout=devnull, stderr=devnull): _key = create_and_store_rsa_key_pair(path=vault_path) k = RSAKey(key=_key, use=usage) k.add_kid() kb.append(k) return kb
def test_rsa_load(): _ckey = rsa_load(KEY) assert isinstance(_ckey, M2Crypto.RSA.RSA) jwk = dump_jwk(_ckey) print jwk assert _eq(jwk.keys(), ["kty", "e", "n"]) assert jwk["n"] == '5zbNbHIYIkGGJ3RGdRKkYmF4gOorv5eDuUKTVtuu3VvxrpOWvwnFV-NY0LgqkQSMMyVzodJE3SUuwQTUHPXXY5784vnkFqzPRx6bHgPxKz7XfwQjEBTafQTMmOeYI8wFIOIHY5i0RWR-gxDbh_D5TXuUqScOOqR47vSpIbUH-nc' assert jwk['e'] == 'AQAB'
def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_config, idp_conf): subject_id = "testuser1" # proxy config satosa_config_dict["FRONTEND_MODULES"] = [oidc_frontend_config] satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config] satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name], "saml": [attr_name]} for attr_name in USERS[subject_id]} _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict)) # application test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), Response) # get frontend OP config info provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8")) # create auth req claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[subject_id]})) req_args = {"scope": "openid", "response_type": "id_token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "nonce": "nonce", "claims": claims_request.to_json()} auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args) # make auth req to proxy proxied_auth_req = test_client.get(auth_req) assert proxied_auth_req.status == "303 See Other" # config test IdP backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0]) idp_conf["metadata"]["inline"].append(backend_metadata_str) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf)) # create auth resp req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query)) url, authn_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, subject_id, response_binding=BINDING_HTTP_REDIRECT) # make auth resp to proxy authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp) authn_resp = test_client.get(authn_resp_req) assert authn_resp.status == "303 See Other" # verify auth resp from proxy resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).fragment)) signing_key = RSAKey(key=rsa_load(oidc_frontend_config["config"]["signing_key_path"]), use="sig", alg="RS256") id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key]) assert all( (name, values) in id_token_claims.items() for name, values in OIDC_USERS[subject_id].items() )
def init_oidc_provider(app): with app.app_context(): issuer = url_for("oidc_provider.index")[:-1] authentication_endpoint = url_for("oidc_provider.authentication_endpoint") jwks_uri = url_for("oidc_provider.jwks_uri") token_endpoint = url_for("oidc_provider.token_endpoint") userinfo_endpoint = url_for("oidc_provider.userinfo_endpoint") registration_endpoint = url_for("oidc_provider.registration_endpoint") end_session_endpoint = url_for("oidc_provider.end_session_endpoint") configuration_information = { "issuer": issuer, "authorization_endpoint": authentication_endpoint, "jwks_uri": jwks_uri, "token_endpoint": token_endpoint, "userinfo_endpoint": userinfo_endpoint, "registration_endpoint": registration_endpoint, "end_session_endpoint": end_session_endpoint, "scopes_supported": ["openid", "profile"], "response_types_supported": [ "code", "code id_token", "code token", "code id_token token", ], # code and hybrid "response_modes_supported": ["query", "fragment"], "grant_types_supported": ["authorization_code", "implicit"], "subject_types_supported": ["pairwise"], "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic", ], "claims_parameter_supported": True, } clients = { "sample": { "client_secret": "sample", "redirect_uris": ["http://localhost:5000/test_auth_callback",], "response_types": ["code"], } } userinfo_db = Userinfo(app.users) signing_key = RSAKey(key=rsa_load("signing_key.pem"), alg="RS256") provider = Provider( signing_key, configuration_information, AuthorizationState( HashBasedSubjectIdentifierFactory(app.config["SUBJECT_ID_HASH_SALT"]) ), clients, userinfo_db, ) return provider
def init_consent_manager(app: Flask): consent_db = ConsentDatasetDB(app.config['CONSENT_SALT'], app.config['MAX_CONSENT_EXPIRATION_MONTH'], app.config.get('CONSENT_DATABASE_URL')) consent_request_db = ConsentRequestDatasetDB(app.config['CONSENT_SALT'], app.config.get('CONSENT_REQUEST_DATABASE_URL')) trusted_keys = [RSAKey(key=rsa_load(key)) for key in app.config['TRUSTED_KEYS']] cm = ConsentManager(consent_db, consent_request_db, trusted_keys, app.config['TICKET_TTL'], app.config['MAX_CONSENT_EXPIRATION_MONTH']) return cm
def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url, name): self._validate_config(conf) super().__init__(auth_req_callback_func, internal_attributes, base_url, name) self.config = conf self.signing_key = RSAKey(key=rsa_load(conf["signing_key_path"]), use="sig", alg="RS256")
def do_local_der(self, filename, keytype, keyusage): # This is only for RSA keys _bkey = rsa_load(filename) if not keyusage: keyusage = ["enc", "sig"] for use in keyusage: _key = RSAKey().load_key(_bkey) _key.use = use self._keys.append(_key)
def __init__(self, config, *args, **kwargs): """ :type config: satosa.satosa_config.SATOSAConfig :param config: The SATOSA proxy config """ super().__init__(*args, **kwargs) self.api_url = config["api_url"] self.redirect_url = config["redirect_url"] self.signing_key = RSAKey(key=rsa_load(config["sign_key"]), use="sig", alg="RS256") self.endpoint = "/handle_account_linking" logger.info("Account linking is active")
def __init__(self, config, internal_attributes, *args, **kwargs): super().__init__(*args, **kwargs) self.name = "consent" self.api_url = config["api_url"] self.redirect_url = config["redirect_url"] self.locked_attr = None if "user_id_to_attr" in internal_attributes: self.locked_attr = internal_attributes["user_id_to_attr"] self.signing_key = RSAKey(key=rsa_load(config["sign_key"]), use="sig", alg="RS256") self.endpoint = "/handle_consent" logger.info("Consent flow is active")
def __init__(self, config, *args, **kwargs): """ :type config: satosa.satosa_config.SATOSAConfig :param config: The SATOSA proxy config """ super().__init__(*args, **kwargs) self.api_url = config["api_url"] self.redirect_url = config["redirect_url"] self.signing_key = RSAKey(key=rsa_load(config["sign_key"]), use="sig", alg="RS256") self.endpoint = "/handle_account_linking" self.id_to_attr = config.get("id_to_attr", None) logger.info("Account linking is active")
def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_config, idp_conf): user_id = "testuser1" # proxy config satosa_config_dict["FRONTEND_MODULES"] = [oidc_frontend_config] satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config] satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name], "saml": [attr_name]} for attr_name in USERS[user_id]} _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict)) # application test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), BaseResponse) # get frontend OP config info provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8")) # create auth req claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[user_id]})) req_args = {"scope": "openid", "response_type": "id_token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "nonce": "nonce", "claims": claims_request.to_json()} auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args) # make auth req to proxy proxied_auth_req = test_client.get(auth_req) assert proxied_auth_req.status == "303 See Other" # config test IdP backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0]) idp_conf["metadata"]["inline"].append(backend_metadata_str) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) # create auth resp req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query)) url, authn_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, user_id, response_binding=BINDING_HTTP_REDIRECT) # make auth resp to proxy authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp) authn_resp = test_client.get("/" + authn_resp_req) assert authn_resp.status == "303 See Other" # verify auth resp from proxy resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).fragment)) signing_key = RSAKey(key=rsa_load(oidc_frontend_config["config"]["signing_key_path"]), use="sig", alg="RS256") id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key]) assert all((k, v[0]) in id_token_claims.items() for k, v in USERS[user_id].items())
def __init__(self, config: dict) -> None: """ :param config: service config """ super(StatisticsService, self).__init__() self.config = config self.stat_uri = config["rest_uri"] self.verify_ssl = config["verify_ssl"] if "verify_ssl" in config else False _bkey = rsa_load(config["signing_key"]) self.sign_key = RSAKey().load_key(_bkey) self.sign_key.use = "sig"
def do_local_der(self, filename, keytype, keyusage): _bkey = None if keytype == "RSA": _bkey = rsa_load(filename) if not keyusage: keyusage = ["enc", "sig"] for use in keyusage: _key = K2C[keytype]() _key.key = _bkey _key.decomp() _key.use = use self._keys.append(_key)
def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url, name): _validate_config(conf) super().__init__(auth_req_callback_func, internal_attributes, base_url, name) self.config = conf provider_config = self.config["provider"] provider_config["issuer"] = base_url self.signing_key = RSAKey( key=rsa_load(self.config["signing_key_path"]), use="sig", alg="RS256", kid=self.config.get("signing_key_id", ""), ) db_uri = self.config.get("db_uri") self.stateless = StorageBase.type(db_uri) == "stateless" self.user_db = (StorageBase.from_uri( db_uri, db_name="satosa", collection="authz_codes") if db_uri and not self.stateless else {}) sub_hash_salt = self.config.get("sub_hash_salt", rndstr(16)) authz_state = _init_authorization_state(provider_config, db_uri, sub_hash_salt) client_db_uri = self.config.get("client_db_uri") cdb_file = self.config.get("client_db_path") if client_db_uri: cdb = StorageBase.from_uri(client_db_uri, db_name="satosa", collection="clients", ttl=None) elif cdb_file: with open(cdb_file) as f: cdb = json.loads(f.read()) else: cdb = {} self.endpoint_baseurl = "{}/{}".format(self.base_url, self.name) self.provider = _create_provider( provider_config, self.endpoint_baseurl, self.internal_attributes, self.signing_key, authz_state, self.user_db, cdb, )
def init_consent_manager(app: Flask): consent_db = ConsentDatasetDB(app.config['CONSENT_SALT'], app.config['MAX_CONSENT_EXPIRATION_MONTH'], app.config.get('CONSENT_DATABASE_URL')) consent_request_db = ConsentRequestDatasetDB( app.config['CONSENT_SALT'], app.config.get('CONSENT_REQUEST_DATABASE_URL')) trusted_keys = [ RSAKey(key=rsa_load(key)) for key in app.config['TRUSTED_KEYS'] ] cm = ConsentManager(consent_db, consent_request_db, trusted_keys, app.config['TICKET_TTL'], app.config['MAX_CONSENT_EXPIRATION_MONTH']) return cm
def __init__(self, config, *args, **kwargs): super().__init__(*args, **kwargs) self.redirect_url = config["redirect_url"] self.api_url = config["api_url"] self.exclude = config["exclude"] self.user_id = config["user_identificator"] self.conflict_compatibility = config["conflict_compatibility"] self.included_requesters = config["included_requesters"] or [] self.excluded_requesters = config["excluded_requesters"] or [] self.signing_key = RSAKey(key=rsa_load(config["private_key"]), use="sig", alg="RS256") self.endpoint = "/process" self.id_to_attr = config.get("id_to_attr", None) logger.info("Webauthn is active")
def assert_registration_req(self, request, internal_response, sign_key_path, base_url, requester_name): split_path = request.path_url.lstrip("/").split("/") assert len(split_path) == 2 jwks = split_path[1] # Verify signature sign_key = RSAKey(key=rsa_load(sign_key_path), use="sig") jws = JWS() jws.verify_compact(jwks, [sign_key]) consent_args = jws.msg assert consent_args["attr"] == internal_response.attributes assert consent_args["redirect_endpoint"] == base_url + "/consent/handle_consent" assert consent_args["requester_name"] == requester_name assert consent_args["locked_attrs"] == [USER_ID_ATTR] assert "id" in consent_args
def do_local_der(self, filename, keytype, keyusage): _bkey = None if keytype == "RSA": _bkey = rsa_load(filename) if not keyusage: keyusage = ["enc", "sig"] for use in keyusage: _key = K2C[keytype]() _key.key = _bkey if _bkey: _key.serialize() _key.use = use self._keys.append(_key)
def test_construct(self, client): _key = rsa_load( os.path.join(BASE_PATH, "data/keys/rsa.key")) kc_rsa = KeyBundle([{"key": _key, "kty": "RSA", "use": "ver"}, {"key": _key, "kty": "RSA", "use": "sig"}]) client.keyjar[""] = kc_rsa client.token_endpoint = "https://example.com/token" cis = AccessTokenRequest() pkj = PrivateKeyJWT(client) http_args = pkj.construct(cis, algorithm="RS256") assert http_args == {} cas = cis["client_assertion"] _jwt = JWT().unpack(cas) jso = _jwt.payload() assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"]) assert _jwt.headers == {'alg': 'RS256'}
def init_account_linking(app: Flask, mail_client: Email = None): trusted_keys = [RSAKey(key=rsa_load(path)) for path in app.config["JWT_PUB_KEY"]] salt = app.config["SALT"] with open(app.config["MESSAGE_TEMPLATE"]) as f: message = f.read() message_from = app.config["MESSAGE_FROM"] message_subject = app.config["MESSAGE_SUBJECT"] smtp_server = app.config["SMTP_SERVER"] email_sender = mail_client or EmailSmtp(message_subject, message, message_from, smtp_server) database = ALDatasetDatabase(app.config.get("DATABASE_URL")) al = AccountLinking(trusted_keys, database, salt, email_sender, pin_verify=app.config["PIN_CHECK"], pin_empty=app.config["PIN_EMPTY"]) return al
def test_handle_authn_response_returns_id_token_for_verified_affiliation( self, signing_key_path, context, scope_value, affiliation): authn_req = AuthorizationRequest(scope='openid ' + scope_value, client_id='client1', redirect_uri='https://client.example.com', response_type='id_token') context.state[self.frontend.name] = {'oidc_request': authn_req.to_urlencoded()} internal_response = InternalResponse(AuthenticationInformation(None, str(datetime.now()), 'https://idp.example.com')) internal_response.attributes['affiliation'] = [affiliation] internal_response.user_id = 'user1' resp = self.frontend.handle_authn_response(context, internal_response) auth_resp = AuthorizationResponse().from_urlencoded(urlparse(resp.message).fragment) id_token = IdToken().from_jwt(auth_resp['id_token'], key=[RSAKey(key=rsa_load(signing_key_path))]) assert id_token['iss'] == self.frontend.base_url assert id_token['aud'] == ['client1'] assert id_token['auth_time'] == internal_response.auth_info.timestamp
def assert_registration_req(self, request, internal_response, sign_key_path, base_url, requester_name): split_path = request.path_url.lstrip("/").split("/") assert len(split_path) == 2 jwks = split_path[1] # Verify signature sign_key = RSAKey(key=rsa_load(sign_key_path), use="sig") jws = JWS() jws.verify_compact(jwks, [sign_key]) consent_args = jws.msg assert consent_args["attr"] == internal_response.attributes assert consent_args[ "redirect_endpoint"] == base_url + "/consent/handle_consent" assert consent_args["requester_name"] == requester_name assert consent_args["locked_attrs"] == [USER_ID_ATTR] assert "id" in consent_args
def plugin_enable(self) -> None: # pylint: disable=attribute-defined-outside-init self.signing_key = RSAKey(key=rsa_load("signing_key.pem"), use="sig", alg="RS256") # pylint: disable=attribute-defined-outside-init self.oidc_configuration_information = { "issuer": self.app.config["URL_BASE"].replace("http://", "https://"), "authorization_endpoint": self.app.config["URL_BASE"] + "/oidc/authorization", "jwks_uri": self.app.config["URL_BASE"] + "/oidc/jwks", "token_endpoint": self.app.config["URL_BASE"] + "/oidc/token", "userinfo_endpoint": self.app.config["URL_BASE"] + "/oidc/userinfo", "response_types_supported": ["code"], "id_token_signing_alg_values_supported": [self.signing_key.alg], "response_modes_supported": ["fragment", "query"], "subject_types_supported": ["public", "pairwise"], "grant_types_supported": ["authorization_code", "implicit"], "claim_types_supported": ["normal"], "claims_parameter_supported": True, "claims_supported": ["sub", "name", "given_name", "family_name", "email", "profile"], "scopes_supported": ["openid", "email", "profile"] } subject_id_factory = HashBasedSubjectIdentifierFactory( self.app.config["SECRET_KEY"]) # pylint: disable=attribute-defined-outside-init self.provider = Provider( self.signing_key, self.oidc_configuration_information, AuthorizationState( subject_id_factory, SQLWrapper(self.storage, 'authz_codes'), SQLWrapper(self.storage, 'access_tokens'), SQLWrapper(self.storage, 'refresh_tokens'), SQLWrapper(self.storage, 'subject_identifiers', True), ), SQLWrapper(self.storage, 'clients'), Userinfo(PersonWrapper(self.storage)))
def test_existing_account_linking_with_known_known_uuid(self, account_linking_config, internal_response, context): uuid = "uuid" data = { "idp": internal_response.auth_info.issuer, "id": internal_response.user_id, "redirect_endpoint": self.account_linking.base_url + "/account_linking/handle_account_linking" } key = RSAKey(key=rsa_load(account_linking_config["sign_key"]), use="sig", alg="RS256") jws = JWS(json.dumps(data), alg=key.alg).sign_compact([key]) responses.add( responses.GET, "%s/get_id?jwt=%s" % (account_linking_config["api_url"], jws), status=200, body=uuid, content_type="text/html", match_querystring=True ) self.account_linking.process(context, internal_response) assert internal_response.user_id == uuid
def __init__(self, config, callback_func): self.callback_func = callback_func self.enabled = \ "CONSENT" in config and ("enable" not in config.CONSENT or config.CONSENT["enable"]) if self.enabled: self.proxy_base = config.BASE self.consent_uri = config.CONSENT["rest_uri"] self.consent_redirect_url = config.CONSENT["redirect"] self.endpoint = config.CONSENT["endpoint"] self.verify_ssl = config.CONSENT["verify_ssl"] self.locked_attr = None if "user_id_to_attr" in config.INTERNAL_ATTRIBUTES: self.locked_attr = config.INTERNAL_ATTRIBUTES["user_id_to_attr"] _bkey = rsa_load(config.CONSENT["sign_key"]) self.sign_key = RSAKey().load_key(_bkey) self.sign_key.use = "sig" LOGGER.info("Consent flow is active") else: LOGGER.info("Consent flow is not active")
def do_local_der(self, filename, keytype, keyusage=None): """ Load a DER encoded file amd create a key from it. :param filename: :param keytype: Presently only 'rsa' supported :param keyusage: encryption ('enc') or signing ('sig') or both """ _bkey = rsa_load(filename) if keytype.lower() != 'rsa': raise NotImplemented('No support for DER decoding of that key type') if not keyusage: keyusage = ["enc", "sig"] else: keyusage = harmonize_usage(keyusage) for use in keyusage: _key = RSAKey().load_key(_bkey) _key.use = use self._keys.append(_key) self.last_updated = time.time()
help="File containing a RSA key") parser.add_argument('-p', dest="rsa_pub_file", help="File containing a public RSA key") parser.add_argument('-k', dest="hmac_key", help="If using a HMAC algorithm this is the key") parser.add_argument('-x', dest="x509_file", help="File containing a X509 certificate") parser.add_argument("message", nargs="?", help="The message to verify signature on") args = parser.parse_args() keys = {} if args.rsa_file: keys = {"rsa": [rsa_load(args.rsa_file)]} elif args.hmac_key: keys = {"hmac": [args.hmac_key]} elif args.x509_file: keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]} elif args.rsa_pub_file: keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]} if args.message == "-": message = sys.stdin.read() else: message = args.message if keys: print verify(message, keys) else:
_parser = argparse.ArgumentParser() _parser.add_argument('-d', dest='debug', action='store_true', help="Print debug information") _parser.add_argument('-v', dest='verbose', action='store_true', help="Print runtime information") _parser.add_argument('-r', dest="rsa_file", help="A file containing a RSA key") _parser.add_argument('-p', dest="rsa_public_file", help="A file containing a public RSA key") _parser.add_argument("config", nargs="?", help="Server configuration") args = _parser.parse_args() if args.rsa_file: key = rsa_load(args.rsa_file) else: key = None if args.rsa_file: _key = rsa_priv_to_pub(args.rsa_file) elif args.rsa_public_file: _key = rsa_pub_load(args.rsa_public_file) else: _key = None idp_conf = import_module(args.config) metadata = idp_conf.CONFIG["metadata"] if _key: generateMetadata = MetadataGeneration(idp_conf.CONFIG, logger, idp_proxy_conf.SERVICE, publicKey=_key, privateKey=key, metadataList=[metadata])
import json import os import argparse from jwkest.jwk import RSAKey, rsa_load, dump_jwks __author__ = 'rolandh' parser = argparse.ArgumentParser() parser.add_argument('-n', dest="name", default="pyoidc", help="file names") parser.add_argument('-p', dest="path", default=".", help="Path to the directory for the files") parser.add_argument('-k', dest="key", help="Key file") args = parser.parse_args() key = rsa_load(args.key) rsa_key = RSAKey(key=key) rsa_key.serialize() # This will create JWK from the public RSA key jwk_spec = json.dumps(rsa_key.to_dict(), "enc") keyfile = os.path.join(args.path, args.name) _out = dump_jwks([{"key":key, "use":"enc"}]) f = open(keyfile + ".jwk", "w") f.write(_out) f.close()
help="File containing a public RSA key") parser.add_argument('-k', dest="hmac_key", help="If using a HMAC algorithm this is the key") parser.add_argument('-x', dest="x509_file", help="File containing a X509 certificate") parser.add_argument("message", nargs="?", help="The message to verify signature on") args = parser.parse_args() keys = {} if args.rsa_file: keys = {"rsa": [rsa_load(args.rsa_file)]} elif args.hmac_key: keys = {"hmac": [args.hmac_key]} elif args.x509_file: keys = {"rsa": [x509_rsa_loads(open(args.x509_file).read())]} elif args.rsa_pub_file: keys = {"rsa": [rsa_pub_load(args.rsa_pub_file)]} if args.message == "-": message = sys.stdin.read() else: message = args.message if keys: print verify(message, keys) else:
from oic.extension.oidc_fed import ClientMetadataStatement from oic.extension.oidc_fed import Operator from oic.utils.authn.authn_context import AuthnBroker from oic.utils.authn.client import CLIENT_AUTHN_METHOD from oic.utils.authn.client import verify_client from oic.utils.authn.user import UserAuthnMethod from oic.utils.authz import AuthzHandling from oic.utils.keyio import build_keyjar from oic.utils.keyio import KeyBundle from oic.utils.keyio import KeyJar from oic.utils.sdb import SessionDB from oic.utils.userinfo import UserInfo BASE_PATH = os.path.abspath( os.path.join(os.path.dirname(__file__), "data/keys")) _key = rsa_load(os.path.join(BASE_PATH, "rsa.key")) KC_RSA = KeyBundle({"key": _key, "kty": "RSA", "use": "sig"}) CLIENT_ID = "client_1" KEYDEFS = [ {"type": "RSA", "key": '', "use": ["sig"]}, {"type": "EC", "crv": "P-256", "use": ["sig"]} ] CONSUMER_CONFIG = { "authz_page": "/authz", "scope": ["openid"], "response_type": ["code"], "user_info": { "name": None,
#!/usr/bin/env python import os import argparse from jwkest.jwk import RSAKey from jwkest.jwk import rsa_load from jwkest.jwk import dump_jwks __author__ = 'rolandh' parser = argparse.ArgumentParser() parser.add_argument('-n', dest="name", default="pyoidc", help="file names") parser.add_argument('-p', dest="path", default=".", help="Path to the directory for the files") parser.add_argument('-k', dest="key", help="Key file") args = parser.parse_args() rsa_key = RSAKey(key=rsa_load(args.key)) keyfile = os.path.join(args.path, args.name) f = open(keyfile + ".jwk", "w") f.write(dump_jwks([rsa_key])) f.close()
elif args.jwk_file: keys = load_jwks(open(args.jwk_file).read()) elif args.x509_url: # load_x509_cert returns list of 2-tuples keys = [ RSAKey(key=x) for x, y in load_x509_cert(lrequest, args.x509_url) ] for key in keys: key.serialize() elif args.x509_file: # import_rsa_key_from_file returns RSA key instance _key = RSAKey(key=import_rsa_key_from_file(args.x509_file)) _key.serialize() keys = [_key] elif args.rsa_file: _key = RSAKey(key=rsa_load(args.rsa_file)) _key.serialize() keys = [_key] else: print >> sys.stderr, "Needs encryption key" exit() if not args.enc or not args.alg: print >> sys.stderr, "There are no default encryption methods" exit() if args.enc not in SUPPORTED["enc"]: print >> sys.stderr, "Encryption method %s not supported" % args.enc print >> sys.stderr, "Methods supported: %s" % SUPPORTED["enc"] exit()
app._mako_lookup = TemplateLookup( directories=["templates"], input_encoding='utf-8', output_encoding='utf-8', imports=["from flask.ext.babel import gettext as _"]) context = None if app.config['SSL']: context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) context.load_cert_chain(app.config["SERVER_CERT"], app.config["SERVER_KEY"]) global keys global stat_service global base keys = [] for key in app.config["JWT_PUB_KEY"]: _bkey = rsa_load(key) pub_key = RSAKey().load_key(_bkey) keys.append(pub_key) # salt = app.config["SALT"] # message = open(app.config["MESSAGE_TEMPLATE"], "r").read() # message_from = app.config["MESSAGE_FROM"] # message_subject = app.config["MESSAGE_SUBJECT"] # smtp_server = app.config["SMTP_SERVER"] # verify_url = "%s://%s:%s/verify_token" % ("https" if context else "http", # app.config['HOST'], # app.config['PORT']) base = "%s://%s:%s" % ("https" if context else "http", app.config['HOST'], app.config['PORT'])
LOGGER.setLevel(logging.DEBUG) mako = MakoTemplates() mako.init_app(app) app._mako_lookup = TemplateLookup(directories=["templates"], input_encoding='utf-8', output_encoding='utf-8', imports=["from flask.ext.babel import gettext as _"]) context = None if app.config['SSL']: context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) context.load_cert_chain(app.config["SERVER_CERT"], app.config["SERVER_KEY"]) global keys global stat_service global base keys = [] for key in app.config["JWT_PUB_KEY"]: _bkey = rsa_load(key) pub_key = RSAKey().load_key(_bkey) keys.append(pub_key) # salt = app.config["SALT"] # message = open(app.config["MESSAGE_TEMPLATE"], "r").read() # message_from = app.config["MESSAGE_FROM"] # message_subject = app.config["MESSAGE_SUBJECT"] # smtp_server = app.config["SMTP_SERVER"] # verify_url = "%s://%s:%s/verify_token" % ("https" if context else "http", # app.config['HOST'], # app.config['PORT']) base = "%s://%s:%s" % ("https" if context else "http", app.config['HOST'], app.config['PORT'])
keys = load_jwks_from_url(args.jwk_url, {}) elif args.jwk_file: keys = load_jwks(open(args.jwk_file).read()) elif args.x509_url: # load_x509_cert returns list of 2-tuples keys = [RSAKey(key=x) for x, y in load_x509_cert(lrequest, args.x509_url)] for key in keys: key.serialize() elif args.x509_file: # import_rsa_key_from_file returns RSA key instance _key = RSAKey(key=import_rsa_key_from_file(args.x509_file)) _key.serialize() keys = [_key] elif args.rsa_file: _key = RSAKey(key=rsa_load(args.rsa_file)) _key.serialize() keys = [_key] else: print >> sys.stderr, "Needs encryption key" exit() if not args.enc or not args.alg: print >> sys.stderr, "There are no default encryption methods" exit() if args.enc not in SUPPORTED["enc"]: print >> sys.stderr, "Encryption method %s not supported" % args.enc print >> sys.stderr, "Methods supported: %s" % SUPPORTED["enc"] exit()
parser.add_argument("-f", dest="file", help="File with the message") parser.add_argument("message", nargs="?", help="The message to encrypt") args = parser.parse_args() keys = {} if args.jwk_url: keys = assign(load_jwks_from_url(lrequest, args.jwk_url)) elif args.jwk_file: keys = load_jwks(open(args.jwk_file).read()) elif args.x509_url: keys = load_x509_cert(lrequest, args.x509_url) elif args.x509_file: keys = [import_rsa_key_from_file(args.x509_file)] elif args.rsa_file: key = rsa_load(args.rsa_file) rsa_key = RSAKey(key=key) rsa_key.serialize() keys = [rsa_key] else: print("Needs encryption key") exit() if args.file: msg = open(args.file).read() msg = msg.strip("\n\r") else: msg = args.message jwe = JWE() print(jwe.decrypt(msg, keys))
def signing_key(cert_and_key): return RSAKey(key=rsa_load(cert_and_key[1]), alg="RS256")
def create_test_client(self, app_config, cert_and_key): self.app = create_app(config=app_config).test_client() self.signing_key = RSAKey(key=rsa_load(cert_and_key[1]), alg='RS256')
from oic import rndstr from oic.federation import ClientMetadataStatement from oic.federation.operator import Operator from oic.utils.authn.authn_context import AuthnBroker from oic.utils.authn.user import UserAuthnMethod from oic.utils.authz import AuthzHandling from oic.utils.keyio import KeyBundle from oic.utils.keyio import KeyJar from oic.utils.keyio import build_keyjar from oic.utils.userinfo import UserInfo BASE_PATH = os.path.abspath( os.path.join(os.path.dirname(__file__), "data/keys")) _key = rsa_load(os.path.join(BASE_PATH, "rsa.key")) KC_RSA = KeyBundle({"key": _key, "kty": "RSA", "use": "sig"}) CLIENT_ID = "client_1" KEYDEFS = [{ "type": "RSA", "key": '', "use": ["sig"] }, { "type": "EC", "crv": "P-256", "use": ["sig"] }] CONSUMER_CONFIG = {
#!/home/vinicius/Área de Trabalho/App-Flask-React/backend-flask/venv/bin/python3 import os import argparse from jwkest.jwk import RSAKey from jwkest.jwk import rsa_load from jwkest.jwk import dump_jwks __author__ = 'rolandh' parser = argparse.ArgumentParser() parser.add_argument('-n', dest="name", default="pyoidc", help="file names") parser.add_argument('-p', dest="path", default=".", help="Path to the directory for the files") parser.add_argument('-k', dest="key", help="Key file") args = parser.parse_args() rsa_key = RSAKey(key=rsa_load(args.key)) keyfile = os.path.join(args.path, args.name) f = open(keyfile + ".jwk", "w") f.write(dump_jwks([rsa_key])) f.close()
import os import argparse from jwkest.jwk import RSAKey, rsa_load, dump_jwks __author__ = 'rolandh' parser = argparse.ArgumentParser() parser.add_argument('-n', dest="name", default="pyoidc", help="file names") parser.add_argument('-p', dest="path", default=".", help="Path to the directory for the files") parser.add_argument('-k', dest="key", help="Key file") args = parser.parse_args() key = rsa_load(args.key) rsa_key = RSAKey(key=key) rsa_key.serialize() # This will create JWK from the public RSA key jwk_spec = json.dumps(rsa_key.to_dict(), "enc") keyfile = os.path.join(args.path, args.name) _out = dump_jwks([{"key": key, "use": "enc"}]) f = open(keyfile + ".jwk", "w") f.write(_out) f.close()
parser.add_argument("-f", dest="file", help="File to be encrypted") parser.add_argument("message", nargs="?", help="The message to encrypt") args = parser.parse_args() keys = {} if args.jwk_url: keys = assign(load_jwks_from_url(args.jwk_url, {})) elif args.jwk_file: keys = assign(load_jwks(open(args.jwk_file).read())) elif args.x509_url: keys = assign(load_x509_cert(lrequest, args.x509_url)) elif args.x509_file: keys = {"RSA": [import_rsa_key_from_file(args.x509_file)]} elif args.rsa_file: keys = {"RSA": [rsa_load(args.rsa_file)]} mode = "" else: print >> sys.stderr, "Needs encryption key" exit() if not args.enc or not args.alg: print >> sys.stderr, "There are no default encryption methods" exit() if args.enc not in SUPPORTED["enc"]: print >> sys.stderr, "Encryption method %s not supported" % args.enc print >> sys.stderr, "Methods supported: %s" % SUPPORTED["enc"] exit() if args.alg not in SUPPORTED["alg"]:
def create_test_client(self, app, cert_and_key): self.app = app.test_client() self.signing_key = RSAKey(key=rsa_load(cert_and_key[1]), alg="RS256")