summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorManuel Jeckelmann <Manuel.Jeckelmann@swisscom.com>2014-11-24 15:10:23 (GMT)
committerManuel Jeckelmann <Manuel.Jeckelmann@swisscom.com>2014-11-24 15:10:23 (GMT)
commit7bd5fed021b84ae6e8e2f541062f89bd1b1959d9 (patch)
tree6e85f187f41c32ec9afaef1ce7ab6213e7054b81
parent2a00c96ea9340c087fb4431d41fbf40ad15326b7 (diff)
parent18b4df490a7e6e12cc290ffb2f699771c06cbab5 (diff)
downloadpyoidc-ozwillo-7bd5fed021b84ae6e8e2f541062f89bd1b1959d9.zip
pyoidc-ozwillo-7bd5fed021b84ae6e8e2f541062f89bd1b1959d9.tar.gz
pyoidc-ozwillo-7bd5fed021b84ae6e8e2f541062f89bd1b1959d9.tar.bz2
Merge remote-tracking branch 'rohe/master' into ci_testing
Conflicts: setup.py src/oic/oauth2/provider.py src/oic/oic/provider.py src/oic/utils/sdb.py
-rw-r--r--oidc_example/op1/certs/server.crt14
-rw-r--r--oidc_example/op1/certs/server.key15
-rwxr-xr-xoidc_example/op1/oc_server.py4
-rwxr-xr-xoidc_example/op2/server.py4
-rw-r--r--oidc_example/rp3/oidc.py4
-rwxr-xr-xoidc_example/rp3/rp3.py1
-rwxr-xr-xsetup.py6
-rw-r--r--src/oic/oauth2/__init__.py9
-rw-r--r--src/oic/oauth2/message.py5
-rw-r--r--src/oic/oauth2/provider.py6
-rw-r--r--src/oic/oic/provider.py88
-rw-r--r--src/oic/utils/keyio.py3
-rw-r--r--src/oic/utils/sdb.py126
-rw-r--r--tests/fakeoicsrv.py9
-rw-r--r--tests/pinit.py3
-rw-r--r--tests/test_oauth2_provider.py27
-rw-r--r--tests/test_oic_consumer.py16
-rw-r--r--tests/test_oic_provider.py59
-rw-r--r--tests/test_sdb.py114
-rw-r--r--tests/test_x_claims.py3
-rw-r--r--tests/test_x_dynreg.py25
21 files changed, 359 insertions, 182 deletions
diff --git a/oidc_example/op1/certs/server.crt b/oidc_example/op1/certs/server.crt
new file mode 100644
index 0000000..d9b5bb5
--- /dev/null
+++ b/oidc_example/op1/certs/server.crt
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGTCCAYICCQCIs8fF+AnxUzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJT
+RTETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoGA1UEChMDVW1VMQwwCgYDVQQLEwNJ
+VFMxETAPBgNVBAMTCHJvaGUwMDAyMB4XDTExMDkwNzA4MjMwOFoXDTEyMDkwNjA4
+MjMwOFowUTELMAkGA1UEBhMCU0UxEzARBgNVBAgTClNvbWUtU3RhdGUxDDAKBgNV
+BAoTA1VtVTEMMAoGA1UECxMDSVRTMREwDwYDVQQDEwhyb2hlMDAwMjCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEA5zbNbHIYIkGGJ3RGdRKkYmF4gOorv5eDuUKT
+Vtuu3VvxrpOWvwnFV+NY0LgqkQSMMyVzodJE3SUuwQTUHPXXY5784vnkFqzPRx6b
+HgPxKz7XfwQjEBTafQTMmOeYI8wFIOIHY5i0RWR+gxDbh/D5TXuUqScOOqR47vSp
+IbUH+ncCAwEAATANBgkqhkiG9w0BAQUFAAOBgQDP9PE53utRqocZpFRxrhL+4vcI
+vlQd3XonE7vMJwdl9FUW7QRMon19dpYKQ6LTCOBA4ZCwh2z/Om2X97zogMLKFPcE
+LVqxzBVlrzuqAgOErEalYv9pCBzoFHGUHP6kTAUOCsoO9ZdQWgA6YkK2hYRSlLNX
+Z0wHIHGaHe5xnFFpyQ==
+-----END CERTIFICATE-----
diff --git a/oidc_example/op1/certs/server.key b/oidc_example/op1/certs/server.key
new file mode 100644
index 0000000..50906ab
--- /dev/null
+++ b/oidc_example/op1/certs/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDnNs1schgiQYYndEZ1EqRiYXiA6iu/l4O5QpNW267dW/Guk5a/
+CcVX41jQuCqRBIwzJXOh0kTdJS7BBNQc9ddjnvzi+eQWrM9HHpseA/ErPtd/BCMQ
+FNp9BMyY55gjzAUg4gdjmLRFZH6DENuH8PlNe5SpJw46pHju9KkhtQf6dwIDAQAB
+AoGAKuSxy1KHQ6OgPaWGhKWGtXGbp17J6usy1qWRK+XpVMt/1IEw0BQB9kII8f+Y
+dfq//6UNBJI7kEMbn1dD+nNpF4ncO9QWHE5oqacHgaZOl6+MF3ePy8aXkADhwiel
+L7CtZjhwbcjGt5PI6AIcpFfmBAbu5Pf4gidr6bR+MoJGlhECQQDzfMaRqruJkqsz
+Z5b9boIr08orx1xPoHTmE5g0ET9+UJy/BBgx7DNv+AQhJ2UC1ZaKcgqwetOwJhQs
+u8Cbrct9AkEA8xiQSwqlM7ltpNl6L2VvSxzTd897it+FJElXbD6u80RvzMuo3Xw3
++M+F0kDobM4vsyBuZRw418/yOpnOv8x4AwJATj5WgRDgWwEqysYLGz2bzwGsAg16
+eIwThKvfSTwRr0GwXSGvtLs2fFCy4wSJzTNdwPeMv9F4nS5fZVCgQGbE8QJAMZBG
+iyZGfH9H/Z5hrRwvTs83xmvFMpFUIgvaCTXWkb7YVJcJfO8AsngNPssBGH4Jd6ob
+F/5jEI1TQ+NsJerYZQJBAJdqDlnPQyqek4kdBvwh2hYo9EwOrgOchmruMOeP5lE6
+2TLIyjYC3uVMPJj+ESayVcAMrgj4Enk4qh/WKVeMJ7c=
+-----END RSA PRIVATE KEY-----
diff --git a/oidc_example/op1/oc_server.py b/oidc_example/op1/oc_server.py
index f34b09d..e525f5b 100755
--- a/oidc_example/op1/oc_server.py
+++ b/oidc_example/op1/oc_server.py
@@ -373,6 +373,7 @@ def application(environ, start_response):
request is done
:return: The response as a list of lines
"""
+
global OAS
#user = environ.get("REMOTE_USER", "")
@@ -382,9 +383,8 @@ def application(environ, start_response):
if path == "robots.txt":
return static(environ, start_response, logger, "static/robots.txt")
-
environ["oic.oas"] = OAS
-
+
#remote = environ.get("REMOTE_ADDR")
#kaka = environ.get("HTTP_COOKIE", '')
diff --git a/oidc_example/op2/server.py b/oidc_example/op2/server.py
index 4e2e0c5..5c0099d 100755
--- a/oidc_example/op2/server.py
+++ b/oidc_example/op2/server.py
@@ -526,8 +526,8 @@ if __name__ == '__main__':
else:
kwargs["verify_ssl"] = True
- OAS = Provider(config.issuer, SessionDB(), cdb, ac, None, authz,
- verify_client, config.SYM_KEY, **kwargs)
+ OAS = Provider(config.issuer, SessionDB(config.baseurl), cdb, ac, None,
+ authz, verify_client, config.SYM_KEY, **kwargs)
for authn in ac:
authn.srv = OAS
diff --git a/oidc_example/rp3/oidc.py b/oidc_example/rp3/oidc.py
index 75e6194..45ca159 100644
--- a/oidc_example/rp3/oidc.py
+++ b/oidc_example/rp3/oidc.py
@@ -202,7 +202,9 @@ class OIDCClients(object):
return client
def dynamic_client(self, userid):
- client = self.client_cls(client_authn_method=CLIENT_AUTHN_METHOD, verify_ssl=self.config.VERIFY_SSL)
+ client = self.client_cls(client_authn_method=CLIENT_AUTHN_METHOD,
+ verify_ssl=self.config.VERIFY_SSL)
+
issuer = client.wf.discovery_query(userid)
if issuer in self.client:
return self.client[issuer]
diff --git a/oidc_example/rp3/rp3.py b/oidc_example/rp3/rp3.py
index 0cc8f8a..229d187 100755
--- a/oidc_example/rp3/rp3.py
+++ b/oidc_example/rp3/rp3.py
@@ -108,7 +108,6 @@ def clear_session(session):
def application(environ, start_response):
session = environ['beaker.session']
-
path = environ.get('PATH_INFO', '').lstrip('/')
if path == "robots.txt":
return static(environ, start_response, LOGGER, "static/robots.txt")
diff --git a/setup.py b/setup.py
index 12067fb..f3a35f2 100755
--- a/setup.py
+++ b/setup.py
@@ -37,7 +37,7 @@ class PyTest(TestCommand):
setup(
name="oic",
- version="0.6.gamma",
+ version="0.6.0",
description="Python implementation of OAuth2 and OpenID Connect",
author = "Roland Hedberg",
author_email = "roland.hedberg@adm.umu.se",
@@ -50,8 +50,8 @@ setup(
"License :: OSI Approved :: Apache Software License",
"Topic :: Software Development :: Libraries :: Python Modules"],
install_requires = ['requests', "pycrypto>=2.6.1", "cherrypy==3.2.4",
- "mako", "pyjwkest", "beaker", "alabaster", "importlib",
- "argparse", "pyOpenSSL", "python-ldap"],
+ "mako", "pyjwkest>=0.5.1", "beaker", "alabaster",
+ "importlib", "argparse", "pyOpenSSL", "python-ldap"],
tests_require=['pytest'],
zip_safe=False,
cmdclass={'test': PyTest},
diff --git a/src/oic/oauth2/__init__.py b/src/oic/oauth2/__init__.py
index cfb19aa..c150326 100644
--- a/src/oic/oauth2/__init__.py
+++ b/src/oic/oauth2/__init__.py
@@ -7,12 +7,12 @@ import requests
import random
import string
import cookielib
-import logging
from Cookie import SimpleCookie
from oic.utils.keyio import KeyJar
from oic.utils.time_util import utc_time_sans_frac
from oic.exception import UnSupported
+import logging
logger = logging.getLogger(__name__)
@@ -667,8 +667,9 @@ class Client(PBase):
request_args["access_token"] = token.access_token
return self.construct_request(request, request_args, extra_args)
- def get_or_post(self, uri, method, req,
- content_type=DEFAULT_POST_CONTENT_TYPE, accept=None, **kwargs):
+ @staticmethod
+ def get_or_post(uri, method, req, content_type=DEFAULT_POST_CONTENT_TYPE,
+ accept=None, **kwargs):
if method == "GET":
_qp = req.to_urlencoded()
if _qp:
@@ -687,7 +688,7 @@ class Client(PBase):
"Unsupported content type: '%s'" % content_type)
header_ext = {"Content-type": content_type}
- if (accept):
+ if accept:
header_ext = {"Accept": accept}
if "headers" in kwargs.keys():
diff --git a/src/oic/oauth2/message.py b/src/oic/oauth2/message.py
index 49cb338..dcfadb8 100644
--- a/src/oic/oauth2/message.py
+++ b/src/oic/oauth2/message.py
@@ -558,6 +558,11 @@ class Message(object):
if required:
raise MissingRequiredAttribute("%s" % attribute)
continue
+ else:
+ if not val:
+ if required:
+ raise MissingRequiredAttribute("%s" % attribute)
+ continue
if attribute not in _allowed:
continue
diff --git a/src/oic/oauth2/provider.py b/src/oic/oauth2/provider.py
index 6fd70a8..9e36aa7 100644
--- a/src/oic/oauth2/provider.py
+++ b/src/oic/oauth2/provider.py
@@ -3,8 +3,7 @@ import traceback
import sys
import urllib
import urlparse
-
-from oic.utils.sdb import AccessCodeUsed
+from oic.utils.sdb import AccessCodeUsed, AuthnEvent
__author__ = 'rohe0002'
@@ -485,6 +484,7 @@ class Provider(object):
return _authn(**authn_args)
else:
user = identity["uid"]
+ aevent = AuthnEvent(user, authn_info=acr)
# If I get this far the person is already authenticated
logger.debug("- authenticated -")
@@ -495,7 +495,7 @@ class Provider(object):
except KeyError:
oidc_req = None
- skey = self.sdb.create_authz_session(user, areq, oidreq=oidc_req)
+ skey = self.sdb.create_authz_session(aevent, areq, oidreq=oidc_req)
# Now about the authorization step.
try:
diff --git a/src/oic/oic/provider.py b/src/oic/oic/provider.py
index d4b36df..b9a920d 100644
--- a/src/oic/oic/provider.py
+++ b/src/oic/oic/provider.py
@@ -5,13 +5,11 @@ import urllib
import sys
from jwkest.jwe import JWE
from requests import ConnectionError
-from jwkest import jws, jwe
-from jwkest.jws import alg2keytype
-from oic.utils import time_util
from oic.utils.authn.user import NoSuchAuthentication
from oic.utils.authn.user import ToOld
from oic.utils.authn.user import TamperAllert
+from oic.utils.sdb import AuthnEvent
from oic.utils.time_util import utc_time_sans_frac
from oic.utils.keyio import KeyBundle, dump_jwks
from oic.utils.keyio import key_export
@@ -373,6 +371,11 @@ class Provider(AProvider):
req_user = areq["id_token"]["sub"]
except KeyError:
pass
+ else:
+ try:
+ assert areq["client_id"] in areq["id_token"]["aud"]
+ except AssertionError:
+ req_user = "" # Not allow to use
return req_user
@@ -542,6 +545,23 @@ class Provider(AProvider):
kwargs["cookie"] = cookie
return authn.verify(_req, **kwargs)
+ def setup_session(self, areq, authn_event, cinfo):
+ try:
+ oidc_req = areq["request"]
+ except KeyError:
+ oidc_req = None
+
+ sid = self.sdb.create_authz_session(authn_event, areq, oidreq=oidc_req)
+ kwargs = {}
+ for param in ["sector_id", "preferred_id_type"]:
+ try:
+ kwargs[param] = cinfo[param]
+ except KeyError:
+ pass
+
+ self.sdb.do_sub(sid, **kwargs)
+ return sid
+
def authorization_endpoint(self, request="", cookie=None, **kwargs):
""" The AuthorizationRequest endpoint
@@ -590,7 +610,20 @@ class Provider(AProvider):
return areq
logger.debug("AuthzRequest+oidc_request: %s" % (areq.to_dict(),))
+ cinfo = self.cdb[areq["client_id"]]
req_user = self.required_user(areq)
+ if req_user:
+ try:
+ sids = self.sdb.sub2sid[req_user]
+ except KeyError:
+ pass
+ else:
+ # anyone will do
+ authn_event = self.sdb[sids[0]]["authn_event"]
+ # Is the authentication event to be regarded as valid ?
+ if authn_event.valid():
+ sid = self.setup_session(areq, authn_event, cinfo)
+ return self.authz_part2(authn_event.uid, areq, sid)
authn, authn_class_ref = self.pick_auth(areq)
if not authn:
@@ -598,7 +631,6 @@ class Provider(AProvider):
if not authn:
authn, authn_class_ref = self.pick_auth(areq, "any")
- logger.debug("Cookie: %s" % cookie)
try:
try:
_auth_info = kwargs["authn"]
@@ -607,7 +639,6 @@ class Provider(AProvider):
identity = authn.authenticated_as(cookie,
authorization=_auth_info,
max_age=self.max_age(areq))
- auth_time = time_util.utc_now()
except (NoSuchAuthentication, ToOld, TamperAllert):
identity = None
@@ -616,7 +647,6 @@ class Provider(AProvider):
"as_user": req_user,
"authn_class_ref": authn_class_ref}
- cinfo = self.cdb[areq["client_id"]]
for attr in ["policy_uri", "logo_uri"]:
try:
authn_args[attr] = cinfo[attr]
@@ -647,16 +677,12 @@ class Provider(AProvider):
else:
return authn(**authn_args)
+ authn_event = AuthnEvent(identity["uid"], authn_info=authn_class_ref)
+
logger.debug("- authenticated -")
logger.debug("AREQ keys: %s" % areq.keys())
- try:
- oidc_req = areq["request"]
- except KeyError:
- oidc_req = None
-
- sid = self.sdb.create_authz_session(user, areq, oidreq=oidc_req,
- auth_time=auth_time)
+ sid = self.setup_session(areq, authn_event, cinfo)
return self.authz_part2(user, areq, sid)
def userinfo_in_id_token_claims(self, session):
@@ -776,7 +802,7 @@ class Provider(AProvider):
try:
_idtoken = self.sign_encrypt_id_token(
_info, client_info, req, user_info=userinfo,
- auth_time=_info["auth_time"])
+ auth_time=_info["authn_event"].authn_time)
except (JWEException, NoSuitableSigningKeys) as err:
logger.warning(str(err))
return self._error(error="access_denied",
@@ -804,9 +830,9 @@ class Provider(AProvider):
if "openid" in _info["scope"]:
userinfo = self.userinfo_in_id_token_claims(_info)
- _idtoken = self.sign_encrypt_id_token(_info, client_info, req,
- user_info=userinfo,
- auth_time=_info["auth_time"])
+ _idtoken = self.sign_encrypt_id_token(
+ _info, client_info, req, user_info=userinfo,
+ auth_time=_info["authn_event"].authn_time)
sid = _sdb.token.get_key(rtoken)
_sdb.update(sid, "id_token", _idtoken)
@@ -893,7 +919,7 @@ class Provider(AProvider):
logger.debug("userinfo_claim: %s" % userinfo_claims.to_dict())
logger.debug("Session info: %s" % session)
- info = self.userinfo(session["local_sub"], userinfo_claims)
+ info = self.userinfo(session["authn_event"].uid, userinfo_claims)
info["sub"] = session["sub"]
logger.debug("user_info_response: %s" % (info,))
@@ -914,11 +940,15 @@ class Provider(AProvider):
except KeyError: # Fall back to default
algo = self.jwx_def["sign_alg"]["userinfo"]
- # Use my key for signing
- key = self.keyjar.get_signing_key(alg2keytype(algo), "", alg=algo)
- if not key:
- return self._error(error="access_denied",
- descr="Missing signing key")
+ if algo == "none":
+ key = []
+ else:
+ # Use my key for signing
+ key = self.keyjar.get_signing_key(alg2keytype(algo), "", alg=algo)
+ if not key:
+ return self._error(error="access_denied",
+ descr="Missing signing key")
+
jinfo = userinfo.to_jwt(key, algo)
if "userinfo_encrypted_response_alg" in client_info:
# encrypt with clients public key
@@ -1175,16 +1205,18 @@ class Provider(AProvider):
"invalid_configuration_parameter",
descr="%s pointed to illegal URL" % item)
- # necessary keys ?
+ # Do I have the necessary keys
for item in ["id_token_signed_response_alg",
"userinfo_signed_response_alg"]:
if item in request:
if request[item] in self.capabilities[PREFERENCE2PROVIDER[item]]:
ktyp = jws.alg2keytype(request[item])
# do I have this ktyp and for EC type keys the curve
- _k = self.keyjar.get_signing_key(ktyp, alg=request[item])
- if not _k:
- del _cinfo[item]
+ if ktyp not in ["none", "OCT"]:
+ _k = self.keyjar.get_signing_key(ktyp,
+ alg=request[item])
+ if not _k:
+ del _cinfo[item]
try:
self.keyjar.load_keys(request, client_id)
@@ -1619,7 +1651,7 @@ class Provider(AProvider):
# or 'code id_token'
id_token = self.sign_encrypt_id_token(
_sinfo, client_info, areq, user_info=user_info,
- auth_time=_sinfo["auth_time"], **hargs)
+ auth_time=_sinfo["authn_event"].authn_time, **hargs)
aresp["id_token"] = id_token
_sinfo["id_token"] = id_token
diff --git a/src/oic/utils/keyio.py b/src/oic/utils/keyio.py
index dc1c0ed..a38d5eb 100644
--- a/src/oic/utils/keyio.py
+++ b/src/oic/utils/keyio.py
@@ -333,6 +333,9 @@ class KeyJar(object):
:param url: Where can the key/-s be found
"""
+ if not url:
+ raise KeyError("No jwks_uri")
+
if "/localhost:" in url or "/localhost/" in url:
kc = KeyBundle(source=url, verify_ssl=False)
else:
diff --git a/src/oic/utils/sdb.py b/src/oic/utils/sdb.py
index 400faf4..44ba43e 100644
--- a/src/oic/utils/sdb.py
+++ b/src/oic/utils/sdb.py
@@ -1,6 +1,7 @@
import copy
import uuid
+import time
from oic.oic import AuthorizationRequest
@@ -125,10 +126,33 @@ class Token(object):
return self._split_token(token)[0]
+class AuthnEvent(object):
+ def __init__(self, uid, valid=3600, authn_info=None):
+ """
+ Creates a representation of an authentication event.
+
+ :param uid: The local user identifier
+ :param valid: How long the authentication is expected to be valid
+ :param authn_info: Info about the authentication event
+ :return:
+ """
+ self.uid = uid
+ self.authn_time = int(time.time())
+ self.valid_until = self.authn_time + int(valid)
+ self.authn_info = authn_info
+
+ def valid(self):
+ return self.valid_until > int(time.time())
+
+ def valid_for(self):
+ return self.valid_until - int(time.time())
+
+
class SessionDB(object):
- def __init__(self, db=None, secret="Ab01FG65", token_expires_in=3600,
- password="4-amino-1H-pyrimidine-2-one",
+ def __init__(self, base_url, db=None, secret="Ab01FG65",
+ token_expires_in=3600, password="4-amino-1H-pyrimidine-2-one",
grant_expires_in=600, seed=""):
+ self.base_url = base_url
if db:
self._db = db
else:
@@ -136,7 +160,7 @@ class SessionDB(object):
self.token = Token(secret, password)
self.token_expires_in = token_expires_in
self.grant_expires_in = grant_expires_in
- self.uid2sid = {}
+ self.sub2sid = {}
self.seed = seed or secret
def __getitem__(self, item):
@@ -189,52 +213,67 @@ class SessionDB(object):
(typ, key) = self.token.type_and_key(token)
return self.update(key, attribute, value)
- def do_userid(self, sid, sub, sector_id, preferred_id_type):
+ def do_sub(self, sid, sector_id="", preferred_id_type="public"):
+ """
+ Construct a sub (subject identifier)
+
+ :param sid: Session identifier
+ :param uid: The local user identifier
+ :param sector_id: Possible sector identifier
+ :param preferred_id_type: 'public'/'pairwise'
+ :return:
+ """
+ uid = self._db[sid]["authn_event"].uid
+
old = [""]
if preferred_id_type == "public":
- uid = sub
+ sub = "%x" % hash(uid+self.base_url)
else:
- uid = pairwise_id(sub, sector_id, self.seed)
+ sub = pairwise_id(uid, sector_id, self.seed)
old.append(sub)
- logger.debug("uid: %s, old: %s" % (uid, old))
- self.uid2sid[uid] = sid
+ logger.debug("sub: %s, old: %s" % (sub, old))
+
+ # since sub can be public, there can be more then one session
+ # that uses the same subject identifier
+ try:
+ self.sub2sid[sub].append(sid)
+ except KeyError:
+ self.sub2sid[sub] = [sid]
for old_id in old:
try:
- del self.uid2sid[old_id]
+ del self.sub2sid[old_id]
except KeyError:
pass
- logger.debug("uid2sid: %s" % self.uid2sid)
- self._db[sid]["local_sub"] = sub
- self._db[sid]["sub"] = uid
+ logger.debug("sub2sid: %s" % self.sub2sid)
+ self._db[sid]["sub"] = sub
- return uid
+ return sub
- def create_authz_session(self, sub, areq, id_token=None, oidreq=None,
+ def create_authz_session(self, aevent, areq, id_token=None, oidreq=None,
**kwargs):
"""
- :param sub: Identifier for the user, this is the real identifier
+ :param aevent: An AuthnEvent instance
:param areq: The AuthorizationRequest instance
:param id_token: An IDToken instance
:param oidreq: An OpenIDRequest instance
:return: The session identifier, which is the database key
"""
- sid = self.token.key(user=sub, areq=areq)
+ sid = self.token.key(user=aevent.uid, areq=areq)
access_grant = self.token(sid=sid)
_dic = {
"oauth_state": "authz",
- "local_sub": sub,
- "sub": sub,
"code": access_grant,
"code_used": False,
"authzreq": areq.to_json(),
"client_id": areq["client_id"],
"revoked": False,
+ "authn_event": aevent
}
_dic.update(kwargs)
@@ -258,9 +297,12 @@ class SessionDB(object):
_dic["oidreq"] = oidreq.to_json()
self._db[sid] = _dic
- self.uid2sid[sub] = sid
+
return sid
+ def get_authentication_event(self, sid):
+ return self._db[sid]["authn_event"]
+
def get_token(self, key):
if self._db[key]["oauth_state"] == "authz":
return self._db[key]["code"]
@@ -338,7 +380,8 @@ class SessionDB(object):
else:
raise WrongTokenType("Not a refresh token!")
- def is_expired(self, sess):
+ @staticmethod
+ def is_expired(sess):
if "token_expires_at" in sess:
if sess["token_expires_at"] < utc_time_sans_frac():
return True
@@ -377,12 +420,6 @@ class SessionDB(object):
except KeyError:
return False
- # def set_oir(self, key, oir):
- # self._db[key] = oir.dictionary()
- #
- # def get_oir(self, key):
- # return OpenIDRequest(**self._db[key])
-
def revoke_token(self, token):
# revokes either the refresh token or the access token
@@ -405,32 +442,39 @@ class SessionDB(object):
self._db[sid]["revoked"] = True
- def get_client_id(self, uid):
- _dict = self._db[self.uid2sid[uid]]
+ def get_client_id(self, sub):
+ _dict = self._db[self.sub2sid[sub]]
return _dict["client_id"]
- def get_verified_Logout(self, uid):
- _dict = self._db[self.uid2sid[uid]]
+ def get_verified_Logout(self, sub):
+ _dict = self._db[self.sub2sid[sub]]
if "verified_logout" not in _dict:
return None
return _dict["verified_logout"]
- def set_verify_logout(self, uid):
- _dict = self._db[self.uid2sid[uid]]
+ def set_verify_logout(self, sub):
+ _dict = self._db[self.sub2sid[sub]]
_dict["verified_logout"] = uuid.uuid4().urn
- def get_token_id(self, uid):
- _dict = self._db[self.uid2sid[uid]]
+ def get_token_id(self, sub):
+ _dict = self._db[self.sub2sid[sub]]
return _dict["id_token"]
- def is_revoke_uid(self, uid):
- return self._db[self.uid2sid[uid]]["revoked"]
+ def is_revoke_uid(self, sub):
+ return self._db[self.sub2sid[sub]]["revoked"]
+
+ def revoke_uid(self, sub):
+ self._db[self.sub2sid[sub]]["revoked"] = True
- def revoke_uid(self, uid):
- self._db[self.uid2sid[uid]]["revoked"] = True
+ def get_sids_from_sub(self, sub):
+ """
+ Returns list of identifiers for sessions that are connected to this
+ subject identifier
- def get_sid_from_userid(self, uid):
- return self.uid2sid[uid]
+ :param sub: subject identifier
+ :return: list of session identifiers
+ """
+ return self.sub2sid[sub]
def duplicate(self, sinfo):
_dic = copy.copy(sinfo)
@@ -450,7 +494,7 @@ class SessionDB(object):
pass
self._db[sid] = _dic
- self.uid2sid[_dic["sub"]] = sid
+ self.sub2sid[_dic["sub"]] = sid
return sid
def read(self, token):
diff --git a/tests/fakeoicsrv.py b/tests/fakeoicsrv.py
index 441787b..6f0f1f0 100644
--- a/tests/fakeoicsrv.py
+++ b/tests/fakeoicsrv.py
@@ -6,7 +6,7 @@ from oic.utils.webfinger import WebFinger
__author__ = 'rohe0002'
-from oic.utils.sdb import SessionDB
+from oic.utils.sdb import SessionDB, AuthnEvent
from oic.utils.time_util import utc_time_sans_frac
from oic.oic import Server
@@ -43,7 +43,7 @@ ENDPOINT = {
class MyFakeOICServer(Server):
def __init__(self, name=""):
Server.__init__(self)
- self.sdb = SessionDB()
+ self.sdb = SessionDB(name)
self.name = name
self.client = {}
self.registration_expires_in = 3600
@@ -96,9 +96,10 @@ class MyFakeOICServer(Server):
def authorization_endpoint(self, query):
req = self.parse_authorization_request(query=query)
- sid = self.sdb.create_authz_session(sub="user", areq=req)
+ aevent = AuthnEvent("user", authn_info="acr")
+ sid = self.sdb.create_authz_session(aevent, areq=req)
+ sub = self.sdb.do_sub(sid)
_info = self.sdb[sid]
- _info["sub"] = _info["local_sub"]
if "code" in req["response_type"]:
if "token" in req["response_type"]:
diff --git a/tests/pinit.py b/tests/pinit.py
index 803a120..31ce04b 100644
--- a/tests/pinit.py
+++ b/tests/pinit.py
@@ -109,6 +109,7 @@ AUTHZ = AuthzHandling()
SYMKEY = "symmetric key used to encrypt cookie info"
USERINFO = UserInfo(USERDB)
-provider_init = Provider("pyoicserv", SessionDB(), CDB, AUTHN_BROKER, USERINFO,
+provider_init = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, USERINFO,
AUTHZ, verify_client, SYMKEY, urlmap=URLMAP,
keyjar=KEYJAR)
diff --git a/tests/test_oauth2_provider.py b/tests/test_oauth2_provider.py
index 8faa9f3..6f56a41 100644
--- a/tests/test_oauth2_provider.py
+++ b/tests/test_oauth2_provider.py
@@ -89,21 +89,21 @@ def _eq(l1, l2):
def test_provider_init():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client)
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ, verify_client)
assert provider
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client,
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ, verify_client,
urlmap={"client1": ["https://example.com/authz"]})
assert provider.urlmap["client1"] == ["https://example.com/authz"]
def test_provider_authorization_endpoint():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client)
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ, verify_client)
bib = {"scope": ["openid"],
"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
@@ -121,8 +121,8 @@ def test_provider_authorization_endpoint():
def test_provider_authenticated():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client, symkey=rndstr(16))
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ, verify_client, symkey=rndstr(16))
_session_db = {}
cons = Consumer(_session_db, client_config=CLIENT_CONFIG,
server_info=SERVER_INFO, **CONSUMER_CONFIG)
@@ -154,8 +154,8 @@ def test_provider_authenticated():
def test_provider_authenticated_token():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client, symkey=rndstr(16))
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ, verify_client, symkey=rndstr(16))
_session_db = {}
cons = Consumer(_session_db, client_config=CLIENT_CONFIG,
server_info=SERVER_INFO, **CONSUMER_CONFIG)
@@ -176,8 +176,8 @@ def test_provider_authenticated_token():
def test_token_endpoint():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client, symkey=rndstr(16))
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ, verify_client, symkey=rndstr(16))
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
@@ -212,7 +212,8 @@ def test_token_endpoint():
def test_token_endpoint_unauth():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ,
verify_client, symkey=rndstr(16))
authreq = AuthorizationRequest(state="state",
diff --git a/tests/test_oic_consumer.py b/tests/test_oic_consumer.py
index 9728ed0..6374e75 100644
--- a/tests/test_oic_consumer.py
+++ b/tests/test_oic_consumer.py
@@ -115,8 +115,8 @@ AUTHZ_ORG_URL = "http://example.org/authorization"
class TestOICConsumer():
def setup_class(self):
- self.consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG,
- SERVER_INFO)
+ self.consumer = Consumer(SessionDB(SERVER_INFO["issuer"]),
+ CONFIG, CLIENT_CONFIG, SERVER_INFO)
self.consumer.client_secret = CLIENT_SECRET
def test_init(self):
@@ -306,7 +306,8 @@ class TestOICConsumer():
def test_complete_secret_auth():
- consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
+ consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
+ CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
@@ -343,7 +344,8 @@ def test_complete_secret_auth():
def test_complete_auth_token():
- consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
+ consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
+ CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
@@ -386,7 +388,8 @@ def test_complete_auth_token():
def test_complete_auth_token_idtoken():
- consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
+ consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
+ CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
@@ -427,7 +430,8 @@ def test_complete_auth_token_idtoken():
def test_userinfo():
- consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
+ consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
+ CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
diff --git a/tests/test_oic_provider.py b/tests/test_oic_provider.py
index 36f40cb..51111b8 100644
--- a/tests/test_oic_provider.py
+++ b/tests/test_oic_provider.py
@@ -8,6 +8,7 @@ from oic.utils.authn.authn_context import AuthnBroker
from oic.utils.authn.client import verify_client
from oic.utils.authn.user import UserAuthnMethod
from oic.utils.authz import AuthzHandling
+from oic.utils.http_util import Response
from oic.utils.userinfo import UserInfo
from oic.exception import RedirectURIError
@@ -28,7 +29,7 @@ from oic.oic.message import CheckSessionRequest
from oic.oic.message import RegistrationRequest
from oic.oic.message import IdToken
-from oic.utils.sdb import SessionDB
+from oic.utils.sdb import SessionDB, AuthnEvent
from oic.oic import Client
from oic.oic import make_openid_request
@@ -105,8 +106,8 @@ CDB = {
},
CLIENT_ID: {
"client_secret": CLIENT_SECRET,
+ "redirect_uris": [("http://localhost:8087/authz", None)]
}
-
}
USERDB = {
@@ -142,7 +143,11 @@ class DummyAuthn(UserAuthnMethod):
self.user = user
def authenticated_as(self, cookie=None, **kwargs):
- return {"uid": self.user}
+ if cookie == "FAIL":
+ return None
+ else:
+ return {"uid": self.user}
+
#AUTHN = UsernamePasswordMako(None, "login.mako", tl, PASSWD, "authenticated")
AUTHN_BROKER = AuthnBroker()
@@ -153,7 +158,8 @@ AUTHZ = AuthzHandling()
SYMKEY = rndstr(16) # symmetric key used to encrypt cookie info
USERINFO = UserInfo(USERDB)
-provider_init = Provider("pyoicserv", SessionDB(), CDB, AUTHN_BROKER, USERINFO,
+provider_init = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, USERINFO,
AUTHZ, verify_client, SYMKEY, urlmap=URLMAP,
keyjar=KEYJAR)
@@ -230,10 +236,13 @@ def test_server_authorization_endpoint_id_token():
redirect_uri="http://example.com/authz",
scope=["openid"], state="state000")
- sdb = SessionDB()
- sid = sdb.create_authz_session("userX", AREQ)
-
+ sdb = provider.sdb
+ ae = AuthnEvent("userX")
+ sid = sdb.create_authz_session(ae, AREQ)
+ sdb.do_sub(sid)
_info = sdb[sid]
+ # All this is jut removed when the id_token is constructed
+ # The proper information comes from the session information
_user_info = IdToken(iss="https://foo.example.om", sub="foo",
aud=bib["client_id"], exp=epoch_in_a_while(minutes=10),
acr="2", nonce=bib["nonce"])
@@ -244,14 +253,23 @@ def test_server_authorization_endpoint_id_token():
user_info=_user_info)
req["id_token"] = idt
+ query_string = req.to_urlencoded()
- QUERY_STRING = req.to_urlencoded()
-
- resp = provider.authorization_endpoint(request=QUERY_STRING)
+ # client_id not in id_token["aud"] so login required
+ resp = provider.authorization_endpoint(request=query_string, cookie="FAIL")
print resp
assert "error=login_required" in resp.message
+ req["client_id"] = "client_1"
+ query_string = req.to_urlencoded()
+
+ # client_id is in id_token["aud"] so no login required
+ resp = provider.authorization_endpoint(request=query_string, cookie="FAIL")
+
+ print resp.message
+ assert resp.message.startswith("http://localhost:8087/authz")
+
def test_server_authenticated():
server = provider_init
@@ -409,17 +427,18 @@ def test_token_endpoint():
_sdb = server.sdb
sid = _sdb.token.key(user="sub", areq=authreq)
access_grant = _sdb.token(sid=sid)
+ ae = AuthnEvent("user")
_sdb[sid] = {
"oauth_state": "authz",
- "sub": "sub",
+ "authn_event": ae,
"authzreq": authreq.to_json(),
"client_id": CLIENT_ID,
"code": access_grant,
"code_used": False,
"scope": ["openid"],
"redirect_uri": "http://example.com/authz",
- "auth_time": 1000000
}
+ _sdb.do_sub(sid)
# Construct Access token request
areq = AccessTokenRequest(code=access_grant, client_id=CLIENT_ID,
@@ -446,9 +465,10 @@ def test_token_endpoint_unauth():
_sdb = server.sdb
sid = _sdb.token.key(user="sub", areq=authreq)
access_grant = _sdb.token(sid=sid)
+ ae = AuthnEvent("user")
_sdb[sid] = {
+ "authn_event": ae,
"oauth_state": "authz",
- "sub": "sub",
"authzreq": "",
"client_id": "client_1",
"code": access_grant,
@@ -456,6 +476,7 @@ def test_token_endpoint_unauth():
"scope": ["openid"],
"redirect_uri": "http://example.com/authz"
}
+ _sdb.do_sub(sid)
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
@@ -495,7 +516,9 @@ def test_idtoken():
redirect_uri="http://example.com/authz",
scope=["openid"], state="state000")
- sid = server.sdb.create_authz_session("sub", AREQ)
+ ae = AuthnEvent("sub")
+ sid = server.sdb.create_authz_session(ae, AREQ)
+ server.sdb.do_sub(sid)
session = server.sdb[sid]
id_token = server.id_token_as_signed_jwt(session)
@@ -531,7 +554,7 @@ def test_userinfo_endpoint():
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
- assert ident["sub"] == USERDB["username"]["sub"]
+ assert ident["sub"] == hash(USERDB["username"]["sub"]+server.sdb.base_url)
def test_check_session_endpoint():
@@ -577,8 +600,8 @@ def test_registration_endpoint():
def test_provider_key_setup():
- provider = Provider("pyoicserv", SessionDB(), None, None, None, None, None,
- "")
+ provider = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), None,
+ None, None, None, None, "")
provider.baseurl = "http://www.example.com/"
provider.key_setup("static", sig={"format": "jwk", "alg": "RSA"})
@@ -714,4 +737,4 @@ def test_key_rollover():
assert len(provider2.keyjar.issuer_keys[""]) == 2
if __name__ == "__main__":
- test_key_rollover()
+ test_server_authorization_endpoint_id_token()
diff --git a/tests/test_sdb.py b/tests/test_sdb.py
index 8b490ad..f7b967e 100644
--- a/tests/test_sdb.py
+++ b/tests/test_sdb.py
@@ -6,7 +6,7 @@ import time
from pytest import raises
-from oic.utils.sdb import SessionDB
+from oic.utils.sdb import SessionDB, AuthnEvent
from oic.utils.sdb import ExpiredToken
from oic.oic.message import AuthorizationRequest
from oic.oic.message import OpenIDRequest
@@ -31,23 +31,25 @@ OAUTH2_AREQ = AuthorizationRequest(response_type="code",
redirect_uri="http://example.com/authz",
scope=["openid"], state="state000")
+BASE_URL = "https://exampl.com/"
+
def _eq(l1, l2):
return set(l1) == set(l2)
def test_token():
- sdb = SessionDB()
+ sdb = SessionDB(BASE_URL)
sid = sdb.token.key(areq=AREQ)
assert len(sid) == 56
- sdb = SessionDB({"a": "b"})
+ sdb = SessionDB(BASE_URL, {"a": "b"})
sid = sdb.token.key(areq=AREQ)
assert len(sid) == 56
def test_new_token():
- sdb = SessionDB()
+ sdb = SessionDB(BASE_URL)
sid = sdb.token.key(areq=AREQ)
assert len(sid) == 56
@@ -63,7 +65,7 @@ def test_new_token():
def test_type_and_key():
- sdb = SessionDB()
+ sdb = SessionDB(BASE_URL)
sid = sdb.token.key(areq=AREQ)
code = sdb.token(sid=sid)
print sid
@@ -74,7 +76,7 @@ def test_type_and_key():
def test_setitem():
- sdb = SessionDB()
+ sdb = SessionDB(BASE_URL)
sid = sdb.token.key(areq=AREQ)
code = sdb.token(sid=sid)
@@ -90,7 +92,7 @@ def test_setitem():
def test_update():
- sdb = SessionDB()
+ sdb = SessionDB(BASE_URL)
sid = sdb.token.key(areq=AREQ)
code = sdb.token(sid=sid)
@@ -111,33 +113,37 @@ def test_update():
def test_create_authz_session():
- sdb = SessionDB()
- sid = sdb.create_authz_session("sub", AREQ)
+ sdb = SessionDB(BASE_URL)
+ ae = AuthnEvent("uid")
+ sid = sdb.create_authz_session(ae, AREQ)
+ sdb.do_sub(sid)
info = sdb[sid]
print info
assert info["oauth_state"] == "authz"
- sdb = SessionDB()
+ sdb = SessionDB(BASE_URL)
+ ae = AuthnEvent("sub")
# Missing nonce property
- sid = sdb.create_authz_session("sub", OAUTH2_AREQ)
+ sid = sdb.create_authz_session(ae, OAUTH2_AREQ)
info = sdb[sid]
print info
assert info["oauth_state"] == "authz"
- sid2 = sdb.create_authz_session("sub", AREQN)
+ ae = AuthnEvent("sub")
+ sid2 = sdb.create_authz_session(ae, AREQN)
info = sdb[sid2]
print info
assert info["nonce"] == "something"
- sid3 = sdb.create_authz_session("sub", AREQN, id_token="id_token")
+ sid3 = sdb.create_authz_session(ae, AREQN, id_token="id_token")
info = sdb[sid3]
print info
assert info["id_token"] == "id_token"
- sid4 = sdb.create_authz_session("sub", AREQN, oidreq=OIDR)
+ sid4 = sdb.create_authz_session(ae, AREQN, oidreq=OIDR)
info = sdb[sid4]
print info
@@ -146,10 +152,10 @@ def test_create_authz_session():
def test_create_authz_session_with_sector_id():
- sdb = SessionDB(seed="foo")
- uid = "sub"
- sid5 = sdb.create_authz_session(uid, AREQN, oidreq=OIDR)
- sdb.do_userid(sid5, uid, "http://example.com/si.jwt", "pairwise")
+ sdb = SessionDB(BASE_URL, seed="foo")
+ ae = AuthnEvent("sub")
+ sid5 = sdb.create_authz_session(ae, AREQN, oidreq=OIDR)
+ sdb.do_sub(sid5, "http://example.com/si.jwt", "pairwise")
info_1 = sdb[sid5]
print info_1
@@ -158,7 +164,7 @@ def test_create_authz_session_with_sector_id():
assert info_1["sub"] != "sub"
user_id1 = info_1["sub"]
- sdb.do_userid(sid5, uid, "http://example.net/si.jwt", "pairwise")
+ sdb.do_sub(sid5, "http://example.net/si.jwt", "pairwise")
info_2 = sdb[sid5]
print info_2
@@ -167,34 +173,35 @@ def test_create_authz_session_with_sector_id():
def test_upgrade_to_token():
- sdb = SessionDB()
- sid = sdb.create_authz_session("sub", AREQ)
+ sdb = SessionDB(BASE_URL)
+ ae1 = AuthnEvent("sub")
+ sid = sdb.create_authz_session(ae1, AREQ)
grant = sdb[sid]["code"]
_dict = sdb.upgrade_to_token(grant)
print _dict.keys()
- assert _eq(_dict.keys(), ['code', 'authzreq', 'token_type', 'local_sub',
- 'client_id', 'oauth_state', 'refresh_token',
- 'revoked', 'sub', 'access_token',
- 'token_expires_at', 'expires_in', 'state',
- 'redirect_uri', 'code_used', 'scope',
- 'access_token_scope'])
+ assert _eq(_dict.keys(), ['authn_event', 'code', 'authzreq', 'revoked',
+ 'access_token', 'token_expires_at', 'expires_in',
+ 'token_type', 'state', 'redirect_uri',
+ 'code_used', 'client_id', 'scope', 'oauth_state',
+ 'refresh_token', 'access_token_scope'])
raises(Exception, 'sdb.upgrade_to_token(grant)')
raises(Exception, 'sdb.upgrade_to_token(_dict["access_token"]')
- sdb = SessionDB()
- sid = sdb.create_authz_session("another_user_id", AREQ)
+ sdb = SessionDB(BASE_URL)
+ ae2 = AuthnEvent("another_user_id")
+ sid = sdb.create_authz_session(ae2, AREQ)
grant = sdb[sid]["code"]
_dict = sdb.upgrade_to_token(grant, id_token="id_token", oidreq=OIDR)
print _dict.keys()
- assert _eq(_dict.keys(), ['code', 'authzreq', 'id_token', 'token_type',
- 'local_sub', 'client_id', 'oauth_state',
- 'refresh_token', 'revoked', 'sub', 'oidreq',
- 'access_token', 'token_expires_at', 'expires_in',
- 'state', 'redirect_uri', 'code_used', 'scope',
+ assert _eq(_dict.keys(), ['authn_event', 'code', 'authzreq', 'revoked',
+ 'oidreq', 'access_token', 'id_token',
+ 'token_expires_at', 'expires_in', 'token_type',
+ 'state', 'redirect_uri', 'code_used', 'client_id',
+ 'scope', 'oauth_state', 'refresh_token',
'access_token_scope'])
assert _dict["id_token"] == "id_token"
@@ -204,8 +211,9 @@ def test_upgrade_to_token():
def test_refresh_token():
- sdb = SessionDB()
- sid = sdb.create_authz_session("sub", AREQ)
+ sdb = SessionDB(BASE_URL)
+ ae = AuthnEvent("sub")
+ sid = sdb.create_authz_session(ae, AREQ)
grant = sdb[sid]["code"]
_dict = sdb.upgrade_to_token(grant)
dict1 = _dict.copy()
@@ -222,8 +230,9 @@ def test_refresh_token():
def test_is_valid():
- sdb = SessionDB()
- sid = sdb.create_authz_session("sub", AREQ)
+ sdb = SessionDB(BASE_URL)
+ ae1 = AuthnEvent("sub")
+ sid = sdb.create_authz_session(ae1, AREQ)
grant = sdb[sid]["code"]
assert sdb.is_valid(grant)
@@ -255,7 +264,8 @@ def test_is_valid():
dict2["access_token"] = token1
assert sdb.is_valid(token2) is False
- sid = sdb.create_authz_session("another:user", AREQ)
+ ae = AuthnEvent("another:user")
+ sid = sdb.create_authz_session(ae, AREQ)
grant = sdb[sid]["code"]
gdict = sdb[grant]
@@ -264,8 +274,9 @@ def test_is_valid():
def test_revoke_token():
- sdb = SessionDB()
- sid = sdb.create_authz_session("sub", AREQ)
+ sdb = SessionDB(BASE_URL)
+ ae1 = AuthnEvent("sub")
+ sid = sdb.create_authz_session(ae1, AREQ)
grant = sdb[sid]["code"]
_dict = sdb.upgrade_to_token(grant)
@@ -291,9 +302,26 @@ def test_revoke_token():
# --- new token ----
- sdb = SessionDB()
- sid = sdb.create_authz_session("sub", AREQ)
+ sdb = SessionDB(BASE_URL)
+ ae2 = AuthnEvent("sub")
+ sid = sdb.create_authz_session(ae2, AREQ)
grant = sdb[sid]["code"]
sdb.revoke_token(grant)
assert sdb.is_valid(grant) is False
+
+
+def test_sub_to_authn_event():
+ sdb = SessionDB(BASE_URL)
+ ae2 = AuthnEvent("sub")
+ sid = sdb.create_authz_session(ae2, AREQ)
+ sub = sdb.do_sub(sid)
+
+ # given the sub find out weather the authn event is still valid
+
+ sids = sdb.sub2sid[sub]
+ ae = sdb[sids[0]]["authn_event"]
+ assert ae.valid()
+
+if __name__ == "__main__":
+ test_sub_to_authn_event()
diff --git a/tests/test_x_claims.py b/tests/test_x_claims.py
index bd56334..2c843bc 100644
--- a/tests/test_x_claims.py
+++ b/tests/test_x_claims.py
@@ -144,7 +144,8 @@ def test_srv2():
req = cc.construct_UserClaimsRequest(
request_args={"sub": "diana", "claims_names": ["gender", "birthdate"]})
- srv = ClaimsServer("pyoicserv", SessionDB(), CDB, USERINFO, verify_client,
+ srv = ClaimsServer("pyoicserv", SessionDB("https://example.com"), CDB,
+ USERINFO, verify_client,
keyjar=KEYJAR, dist_claims_mode=ClaimsMode(USER2MODE))
srv.keyjar[""] = keybundle_from_local_file("%s/rsa.key" % BASE_PATH, "rsa", ["ver", "sig"])
diff --git a/tests/test_x_dynreg.py b/tests/test_x_dynreg.py
index dd4ec2f..9467927 100644
--- a/tests/test_x_dynreg.py
+++ b/tests/test_x_dynreg.py
@@ -89,14 +89,16 @@ def _eq(l1, l2):
def test_provider_init():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ,
verify_client, client_info_url="https://example.com/as")
assert provider
def test_client_registration():
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ,
verify_client,
client_info_url="https://example.com/as/")
@@ -125,8 +127,8 @@ def test_client_registration_uri_error():
"jwks_uri": "https://client.example.org/my_public_keys.jwks"
}
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client,
+ provider = Provider("pyoicserv", sdb.SessionDB("https://example.org/"),
+ CDB, AUTHN_BROKER, AUTHZ, verify_client,
client_info_url="https://example.com/as/")
request = RegistrationRequest(**args)
@@ -152,8 +154,8 @@ def test_client_registration_2():
"scope": "read write dolphin",
}
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client,
+ provider = Provider("pyoicserv", sdb.SessionDB("https://example.org/"),
+ CDB, AUTHN_BROKER, AUTHZ, verify_client,
client_info_url="https://example.com/as/",
client_authn_methods={
"client_secret_post": ClientSecretPost,
@@ -183,8 +185,8 @@ def test_client_user_info_get():
"scope": "read write dolphin",
}
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client,
+ provider = Provider("pyoicserv", sdb.SessionDB("https://example.org/"),
+ CDB, AUTHN_BROKER, AUTHZ, verify_client,
client_info_url="https://example.com/as/",
client_authn_methods={
"client_secret_post": ClientSecretPost,
@@ -225,8 +227,8 @@ def test_client_registration_update():
"scope": "read write dolphin",
}
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
- verify_client,
+ provider = Provider("pyoicserv", sdb.SessionDB("https://example.org/"),
+ CDB, AUTHN_BROKER, AUTHZ, verify_client,
client_info_url="https://example.com/as/",
client_authn_methods={
"client_secret_post": ClientSecretPost,
@@ -283,7 +285,8 @@ def test_client_registration_delete():
"scope": "read write dolphin",
}
- provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ,
+ provider = Provider("pyoicserv", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
+ AUTHN_BROKER, AUTHZ,
verify_client,
client_info_url="https://example.com/as/",
client_authn_methods={