def assertion_jwt(cli, keys, audience, algorithm): _now = utc_now() at = AuthnToken(iss=cli.client_id, sub=cli.client_id, aud=audience, jti=rndstr(8), exp=_now + 600, iat=_now) return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm): _now = utc_now() at = AuthnToken(iss = cli.client_id, sub = cli.client_id, aud = audience, jti = rndstr(8), exp = _now+600, iat = _now) return at.to_jwt(key=keys, algorithm=algorithm)
def authenticated_as(self, cookie=None, authorization="", **kwargs): """ :param cookie: A HTTP Cookie :param authorization: The HTTP Authorization header :param args: extra args :param kwargs: extra key word arguments :return: """ return {"uid": self.user}, utc_now()
def test_sub_to_authn_event(): sdb = SessionDB(BASE_URL) ae2 = AuthnEvent("sub", time_stamp=utc_now()) sid = sdb.create_authz_session(ae2, AREQ) sub = sdb.do_sub(sid) # given the sub find out weather the authn event is still valid sids = sdb.sub2sid[sub] ae = sdb[sids[0]]["authn_event"] assert ae.valid()
def __init__(self, uid, valid=3600, authn_info=None, time_stamp=0): """ Creates a representation of an authentication event. :param uid: The local user identifier :param valid: How long the authentication is expected to be valid :param authn_info: Info about the authentication event :return: """ self.uid = uid self.authn_time = int(time_stamp) or utc_now() self.valid_until = self.authn_time + int(valid) self.authn_info = authn_info
def authenticated_as(self, cookie=None, authorization="", **kwargs): """ :param cookie: A HTTP Cookie :param authorization: The HTTP Authorization header :param args: extra args :param kwargs: extra key word arguments :return: """ (encmsg, iv) = base64.b64decode(authorization).split(":") try: user = aes.decrypt(self.symkey, encmsg, iv) except (AssertionError, KeyError): raise FailedAuthentication("Decryption failed") return {"uid": user}, utc_now()
def authenticated_as(self, cookie=None, authorization="", **kwargs): """ :param cookie: A HTTP Cookie :param authorization: The HTTP Authorization header :param args: extra args :param kwargs: extra key word arguments :return: """ if authorization.startswith("Basic"): authorization = authorization[6:] (user, pwd) = base64.b64decode(authorization).split(":") user = urllib.unquote(user) self.verify_password(user, pwd) return {"uid": user}, utc_now()
def make_id_token(self, session, loa="2", issuer="", alg="RS256", code=None, access_token=None, user_info=None): """ :param session: Session information :param loa: Level of Assurance/Authentication context :param issuer: My identifier :param alg: Which signing algorithm to use for the IdToken :param code: Access grant :param access_token: Access Token :param user_info: If user info are to be part of the IdToken :return: IDToken instance """ #defaults inawhile = {"days": 1} # Handle the idtoken_claims extra = {} itc = self.id_token_claims(session) if itc: try: inawhile = {"seconds": itc["max_age"]} except KeyError: inawhile = {} if "claims" in itc: for key, val in itc["claims"].items(): if key == "auth_time": extra["auth_time"] = time_util.utc_time_sans_frac() elif key == "acr": #["2","http://id.incommon.org/assurance/bronze"] extra["acr"] = verify_acr_level(val, loa) if user_info is None: _args = {} else: _args = user_info.to_dict() # Make sure that there are no name clashes for key in ["iss", "sub", "aud", "exp", "acr", "nonce", "auth_time"]: try: del _args[key] except KeyError: pass halg = "HS%s" % alg[-3:] if code: _args["c_hash"] = jws.left_hash(code, halg) if access_token: _args["at_hash"] = jws.left_hash(access_token, halg) idt = IdToken(iss=issuer, sub=session["sub"], aud = session["client_id"], exp = time_util.epoch_in_a_while(**inawhile), acr=loa, iat = time_util.utc_now(), **_args) for key, val in extra.items(): idt[key] = val if "nonce" in session: idt.nonce = session["nonce"] return idt
def authenticated_as(self, cookie=None, **kwargs): if cookie == "FAIL": return None, 0 else: return {"uid": self.user}, utc_now()
def make_id_token(self, session, loa="2", issuer="", alg="RS256", code=None, access_token=None, user_info=None, auth_time=0): """ :param session: Session information :param loa: Level of Assurance/Authentication context :param issuer: My identifier :param alg: Which signing algorithm to use for the IdToken :param code: Access grant :param access_token: Access Token :param user_info: If user info are to be part of the IdToken :return: IDToken instance """ #defaults inawhile = {"days": 1} # Handle the idtoken_claims extra = {} itc = self.id_token_claims(session) if itc: try: inawhile = {"seconds": itc["max_age"]} except KeyError: inawhile = {} for key, val in itc.items(): if key == "auth_time": extra["auth_time"] = auth_time elif key == "acr": #["2","http://id.incommon.org/assurance/bronze"] extra["acr"] = verify_acr_level(val, loa) if user_info is None: _args = {} else: try: _args = user_info.to_dict() except AttributeError: _args = user_info # Make sure that there are no name clashes for key in ["iss", "sub", "aud", "exp", "acr", "nonce", "auth_time"]: try: del _args[key] except KeyError: pass halg = "HS%s" % alg[-3:] if code: _args["c_hash"] = jws.left_hash(code, halg) if access_token: _args["at_hash"] = jws.left_hash(access_token, halg) idt = IdToken(iss=issuer, sub=session["sub"], aud=session["client_id"], exp=time_util.epoch_in_a_while(**inawhile), acr=loa, iat=time_util.utc_now(), **_args) for key, val in extra.items(): idt[key] = val if "nonce" in session: idt["nonce"] = session["nonce"] return idt
def set_cookie(self, kaka): """PLaces a cookie (a cookielib.Cookie based on a set-cookie header line) in the cookie jar. Always chose the shortest expires time. """ # default rfc2109=False # max-age, httponly for cookie_name, morsel in kaka.items(): std_attr = ATTRS.copy() std_attr["name"] = cookie_name _tmp = morsel.coded_value if _tmp.startswith('"') and _tmp.endswith('"'): std_attr["value"] = _tmp[1:-1] else: std_attr["value"] = _tmp std_attr["version"] = 0 attr = "" # copy attributes that have values try: for attr in morsel.keys(): if attr in ATTRS: if morsel[attr]: if attr == "expires": _expires = _since_epoch(morsel[attr]) if std_attr["expires"] > _expires: std_attr["expires"] = _expires else: std_attr["expires"] = _expires else: std_attr[attr] = morsel[attr] elif attr == "max-age": if morsel[attr]: # max-age is in seconds since received now = utc_now() _expires = now + int(morsel[attr]) if std_attr["expires"] > _expires: std_attr["expires"] = _expires else: std_attr["expires"] = _expires except TimeFormatError: # Ignore cookie logger.info( "Time format error on %s parameter in received cookie" % ( attr,)) continue for att, spec in PAIRS.items(): if std_attr[att]: std_attr[spec] = True if std_attr["domain"] and std_attr["domain"].startswith("."): std_attr["domain_initial_dot"] = True if morsel["max-age"] is 0: try: self.cookiejar.clear(domain=std_attr["domain"], path=std_attr["path"], name=std_attr["name"]) except ValueError: pass else: # Fix for Microsoft cookie error if "version" in std_attr: try: std_attr["version"] = std_attr["version"].split(",")[0] except (TypeError, AttributeError): pass new_cookie = cookielib.Cookie(**std_attr) self.cookiejar.set_cookie(new_cookie)
def authenticated_as(self, cookie=None, **kwargs): return {"uid": self.user}, utc_now()
def assertion_jwt(cli, keys, audience, algorithm=OIC_DEF_SIGN_ALG): at = AuthnToken(iss = cli.client_id, prn = cli.client_id, aud = audience, jti = rndstr(8), exp = int(epoch_in_a_while(minutes=10)), iat = utc_now()) return at.to_jwt(key=keys, algorithm=algorithm)