def setup_multi_auth(auth_broker, urls, auth_modules):
    """Register a chain of authentication modules and their callback URLs.

    :param auth_broker: auth broker every module is added to
    :param urls: list of (callback regexp, callback function) tuples; one
        entry per module is appended in chain order
    :param auth_modules: list of (module instance, callback regexp) pairs
        giving the order of the multi auth chain (must be non-empty; the
        first module seeds the returned MultiAuthnMethod)
    :return: a multi auth object which must be added to the list of callback
        endpoints by the caller
    """
    multi_auth = MultiAuthnMethod(auth_modules[0][0])

    # Each module's verify callback is handed the module that follows it in
    # the chain; the final module has no successor (None).
    successors = [pair[0] for pair in auth_modules[1:]] + [None]
    for (module_instance, callback_regexp), next_module_instance in zip(auth_modules, successors):
        auth_broker.add("", module_instance, 0, "")
        # callback_regexp comes straight from the caller/config and is used
        # as-is as the URL pattern; it is not user-controlled input here.
        urls.append((callback_regexp,
                     make_auth_verify(module_instance.verify, next_module_instance)))
    return multi_auth
def saml_login(self, info):
    """Create (once) the SAML authn method, wire its verify endpoint and
    return an endpoint-indexed wrapper around it.

    :param info: the "SAML" authentication config section; only
        ``info["END_POINTS"][0]`` is used for the verify URL
    :return: AuthnIndexedEndpointWrapper delegating to the shared SAML method
    """
    from saml2 import BINDING_HTTP_REDIRECT, BINDING_HTTP_POST

    # Build the SAML method lazily so repeated calls share one instance and
    # it is registered with the broker exactly once.
    if self.saml_authn is None:
        self.init_mako()
        authz_url = "{}authorization".format(self.issuer)
        self.saml_authn = SAMLAuthnMethod(None, self.lookup, self.config.SAML,
                                          self.config.SP_CONFIG, self.issuer,
                                          authz_url,
                                          userinfo=self.config.USERINFO)
        self.ac.add("", self.saml_authn, "", "")

    # A single configured endpoint serves both SAML bindings and discovery.
    end_point = info["END_POINTS"][0]
    end_point_indexes = {
        BINDING_HTTP_REDIRECT: 0,
        BINDING_HTTP_POST: 0,
        "disco_end_point_index": 0,
    }
    wrapper = AuthnIndexedEndpointWrapper(self.saml_authn, end_point_indexes)
    # end_point is spliced into the URL regex unescaped; it is deployment
    # config rather than user input, so any regex metacharacters would have
    # to be escaped in the config itself.
    self.urls.append((r'^' + end_point, make_auth_verify(wrapper.verify)))
    return wrapper
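def setup():
    """Build the module-level OpenID Connect provider (OAS) from config.yaml.

    Side effects: appends the password verify endpoint to URLS, registers the
    provider endpoints via add_endpoints, writes the provider's public JWKS
    to static/jwks.json and assigns the global OAS.

    :return: the parsed configuration mapping
    :raises KeyError: if "baseurl", "userdb" or "keys" is missing from the config
    """
    with open("config.yaml", 'r') as f:
        # safe_load: the config is plain data (URLs, paths, key specs), so the
        # full loader's ability to instantiate arbitrary Python objects is not
        # needed -- and yaml.load() without a Loader fails on PyYAML >= 6.
        config = yaml.safe_load(f)
    issuer = config["baseurl"]

    ac = AuthnBroker()
    authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD,
                                 "{}/authorization".format(issuer))
    ac.add("password", authn)
    URLS.append((r'^verify', make_auth_verify(authn.verify)))

    authz = AuthzHandling()
    client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db")
    LOGGER.info("Using db: {}".format(client_db_path))
    # NOTE(review): shelve is pickle-backed, so whoever can write this file
    # can run code in the provider process -- keep it owner-writable only.
    cdb = shelve_wrapper.open(client_db_path)

    global OAS
    # NOTE(review): rndstr(16) is passed as the provider's symmetric key;
    # confirm the installed pyoidc's rndstr draws from a CSPRNG.
    OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None, authz,
                         verify_client, rndstr(16))
    OAS.baseurl = issuer
    OAS.userinfo = UserInfo(config["userdb"])
    # Additional endpoints the OpenID Connect Provider should answer on
    add_endpoints(ENDPOINTS, ENDPOINT_FUNCS)
    OAS.endpoints = ENDPOINTS
    authn.srv = OAS

    # Optional cookie settings; provider defaults apply when absent.
    if "cookie_ttl" in config:
        OAS.cookie_ttl = config["cookie_ttl"]
    if "cookie_name" in config:
        OAS.cookie_name = config["cookie_name"]

    keyjar_init(OAS, config["keys"])
    # The "" issuer bucket holds the provider's own keys. static/jwks.json is
    # served publicly, so serialize() must emit public JWK form only -- it is
    # called here without a private flag; confirm against the key class.
    public_keys = [key.serialize()
                   for keybundle in OAS.keyjar[""]
                   for key in keybundle.keys()]
    public_jwks = {"keys": public_keys}
    filename = "static/jwks.json"
    with open(filename, "w") as f:
        f.write(json.dumps(public_jwks))
    OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename)
    return config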
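def setup():
    """Build the module-level OpenID Connect provider (OAS) from config.yaml.

    Side effects: appends the password verify endpoint to URLS, registers the
    provider endpoints via add_endpoints, writes the provider's public JWKS
    to static/jwks.json and assigns the global OAS.

    :return: the parsed configuration mapping
    :raises KeyError: if "baseurl", "userdb" or "keys" is missing from the config
    """
    with open("config.yaml", 'r') as f:
        # safe_load: the config is plain data (URLs, paths, key specs), so the
        # full loader's ability to instantiate arbitrary Python objects is not
        # needed -- and yaml.load() without a Loader fails on PyYAML >= 6.
        config = yaml.safe_load(f)
    issuer = config["baseurl"]

    ac = AuthnBroker()
    authn = UsernamePasswordMako(
        None, "login.mako", LOOKUP, PASSWD, "{}/authorization".format(issuer))
    ac.add("password", authn)
    URLS.append((r'^verify', make_auth_verify(authn.verify)))

    authz = AuthzHandling()
    client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db")
    LOGGER.info("Using db: {}".format(client_db_path))
    # NOTE(review): shelve is pickle-backed, so whoever can write this file
    # can run code in the provider process -- keep it owner-writable only.
    cdb = shelve_wrapper.open(client_db_path)

    global OAS
    # NOTE(review): rndstr(16) is passed as the provider's symmetric key;
    # confirm the installed pyoidc's rndstr draws from a CSPRNG.
    OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None, authz,
                         verify_client, rndstr(16))
    OAS.baseurl = issuer
    OAS.userinfo = UserInfo(config["userdb"])
    # Additional endpoints the OpenID Connect Provider should answer on
    add_endpoints(ENDPOINTS, ENDPOINT_FUNCS)
    OAS.endpoints = ENDPOINTS
    authn.srv = OAS

    # Optional cookie settings; provider defaults apply when absent.
    if "cookie_ttl" in config:
        OAS.cookie_ttl = config["cookie_ttl"]
    if "cookie_name" in config:
        OAS.cookie_name = config["cookie_name"]

    keyjar_init(OAS, config["keys"])
    # The "" issuer bucket holds the provider's own keys. static/jwks.json is
    # served publicly, so serialize() must emit public JWK form only -- it is
    # called here without a private flag; confirm against the key class.
    public_keys = [key.serialize()
                   for keybundle in OAS.keyjar[""]
                   for key in keybundle.keys()]
    public_jwks = {"keys": public_keys}
    filename = "static/jwks.json"
    with open(filename, "w") as f:
        f.write(json.dumps(public_jwks))
    OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename)
    return config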
def user_password(self, info):
    """Create the username/password (Mako form) authn method, wire its first
    endpoint and return an endpoint-indexed wrapper around it.

    :param info: the "UserPassword" authentication config section; only
        ``info["END_POINTS"][0]`` is used for the verify URL
    :return: AuthnIndexedEndpointWrapper delegating to the new method
    """
    # NOTE(review): unlike javascript_login, this neither caches the method
    # nor registers it with self.ac -- confirm the caller does both.
    self.init_mako()
    authz_url = "%sauthorization" % self.issuer
    self.username_password_authn = UsernamePasswordMako(
        None, "login.mako", self.lookup, self.config.PASSWD, authz_url,
        None, self.full_end_point_paths)

    # Only the first configured endpoint is exposed.
    end_point_index = 0
    end_point = info["END_POINTS"][end_point_index]
    wrapper = AuthnIndexedEndpointWrapper(self.username_password_authn,
                                          end_point_index)
    # end_point is used verbatim as an anchored regex; it is deployment
    # config, not user input, so it is not escaped here.
    self.urls.append((r'^' + end_point, make_auth_verify(wrapper.verify)))
    return wrapper
def javascript_login(self, info):
    """Create (once) the JavaScript form login method, register it with the
    authn broker, wire its first endpoint and return an indexed wrapper.

    :param info: the "JavascriptLogin" authentication config section; only
        ``info["END_POINTS"][0]`` is used for the verify URL
    :return: AuthnIndexedEndpointWrapper delegating to the shared method
    """
    # Lazily build the method so repeated calls reuse one instance and the
    # broker registration happens exactly once.
    if self.javascript_login_authn is None:
        self.init_mako()
        js_cfg = self.config.AUTHENTICATION["JavascriptLogin"]
        full_paths = ["{}{}".format(self.issuer, ep) for ep in js_cfg["END_POINTS"]]
        self.javascript_login_authn = JavascriptFormMako(
            None, "javascript_login.mako", self.lookup, self.config.PASSWD,
            "{}authorization".format(self.issuer), None, full_paths)
        self.ac.add("", self.javascript_login_authn, "", "")

    # Only the first configured endpoint is exposed.
    end_point_index = 0
    end_point = info["END_POINTS"][end_point_index]
    wrapper = AuthnIndexedEndpointWrapper(self.javascript_login_authn,
                                          end_point_index)
    # end_point is used verbatim as an anchored regex; it is deployment
    # config, not user input, so it is not escaped here.
    self.urls.append((r'^' + end_point, make_auth_verify(wrapper.verify)))
    return wrapper
end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"] full_end_point_paths = ["%s%s" % (config.issuer, ep) for ep in end_points] username_password_authn = UsernamePasswordMako( None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % config.issuer, None, full_end_point_paths) for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0 end_point = config.AUTHENTICATION[authkey]["END_POINTS"][ PASSWORD_END_POINT_INDEX] authn = AuthnIndexedEndpointWrapper(username_password_authn, PASSWORD_END_POINT_INDEX) URLS.append((r'^' + end_point, make_auth_verify(authn.verify))) # Ensure javascript_login_authn to be defined try: javascript_login_authn except NameError: javascript_login_authn = None if "JavascriptLogin" == authkey: if not javascript_login_authn: end_points = config.AUTHENTICATION["JavascriptLogin"][ "END_POINTS"] full_end_point_paths = [ "%s/%s" % (config.issuer, ep) for ep in end_points ] javascript_login_authn = JavascriptFormMako(
username_password_authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % _issuer, None, full_end_point_paths) _urls = [] for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0 end_point = config.AUTHENTICATION[authkey]["END_POINTS"][ PASSWORD_END_POINT_INDEX] authn = AuthnIndexedEndpointWrapper(username_password_authn, PASSWORD_END_POINT_INDEX) _urls.append((r'^' + end_point, make_auth_verify(authn.verify))) # Ensure javascript_login_authn to be defined try: javascript_login_authn except NameError: javascript_login_authn = None if "JavascriptLogin" == authkey: if not javascript_login_authn: end_points = config.AUTHENTICATION["JavascriptLogin"][ "END_POINTS"] full_end_point_paths = [ "{}{}".format(_issuer, ep) for ep in end_points ] javascript_login_authn = JavascriptFormMako(
full_end_point_paths = ["%s%s" % (_issuer, ep) for ep in end_points] username_password_authn = UsernamePasswordMako( None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % _issuer, None, full_end_point_paths) _urls = [] for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0 end_point = config.AUTHENTICATION[authkey]["END_POINTS"][ PASSWORD_END_POINT_INDEX] authn = AuthnIndexedEndpointWrapper(username_password_authn, PASSWORD_END_POINT_INDEX) _urls.append((r'^' + end_point, make_auth_verify(authn.verify))) # Ensure javascript_login_authn to be defined try: javascript_login_authn except NameError: javascript_login_authn = None if "JavascriptLogin" == authkey: if not javascript_login_authn: end_points = config.AUTHENTICATION[ "JavascriptLogin"]["END_POINTS"] full_end_point_paths = [ "{}{}".format(_issuer, ep) for ep in end_points] javascript_login_authn = JavascriptFormMako( None, "javascript_login.mako", LOOKUP, PASSWD,
end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"] full_end_point_paths = ["%s%s" % (config.issuer, ep) for ep in end_points] username_password_authn = UsernamePasswordMako( None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % config.issuer, None, full_end_point_paths) for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0 end_point = config.AUTHENTICATION[authkey]["END_POINTS"][ PASSWORD_END_POINT_INDEX] authn = AuthnIndexedEndpointWrapper(username_password_authn, PASSWORD_END_POINT_INDEX) URLS.append((r'^' + end_point, make_auth_verify(authn.verify))) # Ensure javascript_login_authn to be defined try: javascript_login_authn except NameError: javascript_login_authn = None if "JavascriptLogin" == authkey: if not javascript_login_authn: end_points = config.AUTHENTICATION[ "JavascriptLogin"]["END_POINTS"] full_end_point_paths = [ "%s/%s" % (config.issuer, ep) for ep in end_points] javascript_login_authn = JavascriptFormMako( None, "javascript_login.mako", LOOKUP, PASSWD,
provider.jwks_uri = "%s%s" % (provider.baseurl, jwksFileName) # for b in OAS.keyjar[""]: # LOGGER.info("OC3 server keys: %s" % b) # TODO: Questions: # END_POINT is defined as a dictionary in the configuration file, # why not defining it as string with "verify" value? # after all, we have only one end point. # can we have multiple end points for password? why? endPoint = config.AUTHENTICATION["UserPassword"]["EndPoints"][ passwordEndPointIndex] _urls = [] _urls.append((r'^' + endPoint, make_auth_verify(authnIndexedEndPointWrapper.verify))) _app = Application(provider, _urls) # Setup the web server server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', config.PORT), _app.application) server.ssl_adapter = BuiltinSSLAdapter(config.SERVER_CERT, config.SERVER_KEY) print "OIDC Provider server started (issuer={}, port={})".format( config.ISSUER, config.PORT) try: server.start() except KeyboardInterrupt:
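# Publish the JWKS. The file is served at jwks_uri, so `jwks` must hold
# public key material only -- confirm it was built from serialize() in its
# public form. The context manager closes the file even if the write fails.
with open(jwksFileName, "w") as f:
    f.write(json.dumps(jwks))
provider.jwks_uri = "%s%s" % (provider.baseurl, jwksFileName)

# TODO: "EndPoints" is a list in the configuration file although only one
# password endpoint (passwordEndPointIndex, set earlier) is ever wired up;
# a plain "verify" string would do.
endPoint = config.AUTHENTICATION["UserPassword"]["EndPoints"][passwordEndPointIndex]
_urls = [(r'^' + endPoint,
          make_auth_verify(authnIndexedEndPointWrapper.verify))]
_app = Application(provider, _urls)

# Setup the web server: binds every interface (hence the bandit nosec) and
# terminates TLS itself with the configured server certificate and key.
server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', config.PORT), _app.application)  # nosec
server.ssl_adapter = BuiltinSSLAdapter(config.SERVER_CERT, config.SERVER_KEY)
print("OIDC Provider server started (issuer={}, port={})".format(config.ISSUER, config.PORT))
try:
    server.start()
except KeyboardInterrupt:
    server.stop()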
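# Publish the JWKS. The file is served at jwks_uri, so `jwks` must hold
# public key material only -- confirm it was built from serialize() in its
# public form. The context manager closes the file even if the write fails.
with open(jwksFileName, "w") as f:
    f.write(json.dumps(jwks))
provider.jwks_uri = "%s%s" % (provider.baseurl, jwksFileName)

# TODO: "EndPoints" is a list in the configuration file although only one
# password endpoint (passwordEndPointIndex, set earlier) is ever wired up;
# a plain "verify" string would do.
endPoint = config.AUTHENTICATION["UserPassword"]["EndPoints"][passwordEndPointIndex]
_urls = [(r'^' + endPoint,
          make_auth_verify(authnIndexedEndPointWrapper.verify))]
_app = Application(provider, _urls)

# Setup the web server: binds every interface and terminates TLS itself with
# the configured server certificate and key.
server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', config.PORT), _app.application)
server.ssl_adapter = BuiltinSSLAdapter(config.SERVER_CERT, config.SERVER_KEY)
# print() with a single argument is valid under both Python 2 and 3.
print("OIDC Provider server started (issuer={}, port={})".format(config.ISSUER, config.PORT))
try:
    server.start()
except KeyboardInterrupt:
    server.stop()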