def assertion_jwt(cli, keys, audience, algorithm):
_now = utc_now()
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(8),
exp=_now + 600, iat=_now)
return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm):
_now = utc_now()
at = AuthnToken(iss = cli.client_id, sub = cli.client_id,
aud = audience, jti = rndstr(8),
exp = _now+600, iat = _now)
return at.to_jwt(key=keys, algorithm=algorithm)
def authenticated_as(self, cookie=None, authorization="", **kwargs):
"""
:param cookie: A HTTP Cookie
:param authorization: The HTTP Authorization header
:param args: extra args
:param kwargs: extra key word arguments
:return:
"""
return {"uid": self.user}, utc_now()
def test_sub_to_authn_event():
sdb = SessionDB(BASE_URL)
ae2 = AuthnEvent("sub", time_stamp=utc_now())
sid = sdb.create_authz_session(ae2, AREQ)
sub = sdb.do_sub(sid)
# given the sub find out weather the authn event is still valid
sids = sdb.sub2sid[sub]
ae = sdb[sids[0]]["authn_event"]
assert ae.valid()
def __init__(self, uid, valid=3600, authn_info=None, time_stamp=0):
"""
Creates a representation of an authentication event.
:param uid: The local user identifier
:param valid: How long the authentication is expected to be valid
:param authn_info: Info about the authentication event
:return:
"""
self.uid = uid
self.authn_time = int(time_stamp) or utc_now()
self.valid_until = self.authn_time + int(valid)
self.authn_info = authn_info
def authenticated_as(self, cookie=None, authorization="", **kwargs):
"""
:param cookie: A HTTP Cookie
:param authorization: The HTTP Authorization header
:param args: extra args
:param kwargs: extra key word arguments
:return:
"""
(encmsg, iv) = base64.b64decode(authorization).split(":")
try:
user = aes.decrypt(self.symkey, encmsg, iv)
except (AssertionError, KeyError):
raise FailedAuthentication("Decryption failed")
return {"uid": user}, utc_now()
def authenticated_as(self, cookie=None, authorization="", **kwargs):
"""
:param cookie: A HTTP Cookie
:param authorization: The HTTP Authorization header
:param args: extra args
:param kwargs: extra key word arguments
:return:
"""
if authorization.startswith("Basic"):
authorization = authorization[6:]
(user, pwd) = base64.b64decode(authorization).split(":")
user = urllib.unquote(user)
self.verify_password(user, pwd)
return {"uid": user}, utc_now()
def make_id_token(self, session, loa="2", issuer="",
alg="RS256", code=None, access_token=None,
user_info=None):
"""
:param session: Session information
:param loa: Level of Assurance/Authentication context
:param issuer: My identifier
:param alg: Which signing algorithm to use for the IdToken
:param code: Access grant
:param access_token: Access Token
:param user_info: If user info are to be part of the IdToken
:return: IDToken instance
"""
#defaults
inawhile = {"days": 1}
# Handle the idtoken_claims
extra = {}
itc = self.id_token_claims(session)
if itc:
try:
inawhile = {"seconds": itc["max_age"]}
except KeyError:
inawhile = {}
if "claims" in itc:
for key, val in itc["claims"].items():
if key == "auth_time":
extra["auth_time"] = time_util.utc_time_sans_frac()
elif key == "acr":
#["2","http://id.incommon.org/assurance/bronze"]
extra["acr"] = verify_acr_level(val, loa)
if user_info is None:
_args = {}
else:
_args = user_info.to_dict()
# Make sure that there are no name clashes
for key in ["iss", "sub", "aud", "exp", "acr", "nonce",
"auth_time"]:
try:
del _args[key]
except KeyError:
pass
halg = "HS%s" % alg[-3:]
if code:
_args["c_hash"] = jws.left_hash(code, halg)
if access_token:
_args["at_hash"] = jws.left_hash(access_token, halg)
idt = IdToken(iss=issuer, sub=session["sub"],
aud = session["client_id"],
exp = time_util.epoch_in_a_while(**inawhile), acr=loa,
iat = time_util.utc_now(),
**_args)
for key, val in extra.items():
idt[key] = val
if "nonce" in session:
idt.nonce = session["nonce"]
return idt
def authenticated_as(self, cookie=None, **kwargs):
if cookie == "FAIL":
return None, 0
else:
return {"uid": self.user}, utc_now()
def make_id_token(self,
session,
loa="2",
issuer="",
alg="RS256",
code=None,
access_token=None,
user_info=None,
auth_time=0):
"""
:param session: Session information
:param loa: Level of Assurance/Authentication context
:param issuer: My identifier
:param alg: Which signing algorithm to use for the IdToken
:param code: Access grant
:param access_token: Access Token
:param user_info: If user info are to be part of the IdToken
:return: IDToken instance
"""
#defaults
inawhile = {"days": 1}
# Handle the idtoken_claims
extra = {}
itc = self.id_token_claims(session)
if itc:
try:
inawhile = {"seconds": itc["max_age"]}
except KeyError:
inawhile = {}
for key, val in itc.items():
if key == "auth_time":
extra["auth_time"] = auth_time
elif key == "acr":
#["2","http://id.incommon.org/assurance/bronze"]
extra["acr"] = verify_acr_level(val, loa)
if user_info is None:
_args = {}
else:
try:
_args = user_info.to_dict()
except AttributeError:
_args = user_info
# Make sure that there are no name clashes
for key in ["iss", "sub", "aud", "exp", "acr", "nonce", "auth_time"]:
try:
del _args[key]
except KeyError:
pass
halg = "HS%s" % alg[-3:]
if code:
_args["c_hash"] = jws.left_hash(code, halg)
if access_token:
_args["at_hash"] = jws.left_hash(access_token, halg)
idt = IdToken(iss=issuer,
sub=session["sub"],
aud=session["client_id"],
exp=time_util.epoch_in_a_while(**inawhile),
acr=loa,
iat=time_util.utc_now(),
**_args)
for key, val in extra.items():
idt[key] = val
if "nonce" in session:
idt["nonce"] = session["nonce"]
return idt
def set_cookie(self, kaka):
"""PLaces a cookie (a cookielib.Cookie based on a set-cookie header
line) in the cookie jar.
Always chose the shortest expires time.
"""
# default rfc2109=False
# max-age, httponly
for cookie_name, morsel in kaka.items():
std_attr = ATTRS.copy()
std_attr["name"] = cookie_name
_tmp = morsel.coded_value
if _tmp.startswith('"') and _tmp.endswith('"'):
std_attr["value"] = _tmp[1:-1]
else:
std_attr["value"] = _tmp
std_attr["version"] = 0
attr = ""
# copy attributes that have values
try:
for attr in morsel.keys():
if attr in ATTRS:
if morsel[attr]:
if attr == "expires":
_expires = _since_epoch(morsel[attr])
if std_attr["expires"] > _expires:
std_attr["expires"] = _expires
else:
std_attr["expires"] = _expires
else:
std_attr[attr] = morsel[attr]
elif attr == "max-age":
if morsel[attr]:
# max-age is in seconds since received
now = utc_now()
_expires = now + int(morsel[attr])
if std_attr["expires"] > _expires:
std_attr["expires"] = _expires
else:
std_attr["expires"] = _expires
except TimeFormatError:
# Ignore cookie
logger.info(
"Time format error on %s parameter in received cookie" % (
attr,))
continue
for att, spec in PAIRS.items():
if std_attr[att]:
std_attr[spec] = True
if std_attr["domain"] and std_attr["domain"].startswith("."):
std_attr["domain_initial_dot"] = True
if morsel["max-age"] is 0:
try:
self.cookiejar.clear(domain=std_attr["domain"],
path=std_attr["path"],
name=std_attr["name"])
except ValueError:
pass
else:
# Fix for Microsoft cookie error
if "version" in std_attr:
try:
std_attr["version"] = std_attr["version"].split(",")[0]
except (TypeError, AttributeError):
pass
new_cookie = cookielib.Cookie(**std_attr)
self.cookiejar.set_cookie(new_cookie)
def authenticated_as(self, cookie=None, **kwargs):
return {"uid": self.user}, utc_now()
def assertion_jwt(cli, keys, audience, algorithm=OIC_DEF_SIGN_ALG):
at = AuthnToken(iss = cli.client_id, prn = cli.client_id,
aud = audience, jti = rndstr(8),
exp = int(epoch_in_a_while(minutes=10)), iat = utc_now())
return at.to_jwt(key=keys, algorithm=algorithm)
