Fixed so all examples have a start.sh script and that all are working.
parent
1306a7ecde
commit
806b600fc4
@ -0,0 +1 @@
{"client_1":{"client_secret": "hemlig"}}
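Review bot: The new client registry commits the client secret `hemlig` in clear text, and nothing on the page marks it as a sample value; this is the file the claims provider is started with (`./claims_provider.py -p 8093 -d cp_config.json` in a later hunk), so it will be used as-is by anyone running the example. If it is meant as a placeholder, an obviously fake value such as `"client_secret": "CHANGE_ME"` (or shipping the file as `cp_config.json.example`) avoids it being copied into a real deployment. JSON has no comment syntax, so the explanation belongs in the example's README or start script.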
@ -4,12 +4,11 @@
baseurl = "https://localhost"
#baseurl = "https://lingon.ladok.umu.se"
issuer = "%s:%%d" % baseurl
keys = {
"RSA": {
"key": "cp_keys/key.pem",
"usage": ["enc", "sig"]
}
}
keys = [
{"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["enc"]}
]
CAS_SERVER = "https://cas.umu.se"
SERVICE_URL = "%s/verify" % issuer
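Review bot: The two new EC entries in `keys` carry no `"key"` path, unlike the RSA entry that points at `cp_keys/key.pem`, so presumably `keyjar_init` generates them fresh on every start; any previously published JWKS copy, and anything signed or encrypted with the old EC keys, then stops validating after a restart. If that is intended for an example, a comment above the list would save the next reader the surprise, e.g. `# EC keys have no "key" path and are regenerated at startup; add one to persist them`; if not, give them a file like the RSA entry. The same list is introduced by the second config hunk (`@ -3,12 +3,11 @@`). `CAS_SERVER` is also dropped here while `SERVICE_URL` stays — worth confirming nothing in the server still reads it.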
@ -1,5 +1,6 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import sys
import os
import traceback
@ -14,7 +15,7 @@ from urlparse import parse_qs
from oic.utils.authn.client import verify_client
from oic.utils.authz import AuthzHandling
from oic.utils.keyio import KeyBundle, dump_jwks
from oic.utils.keyio import KeyBundle, dump_jwks, keyjar_init
from oic.utils.userinfo import UserInfo
from oic.utils.webfinger import WebFinger
from oic.utils.webfinger import OIC_ISSUER
@ -592,28 +593,19 @@ if __name__ == '__main__':
OAS.baseurl += "/"
try:
OAS.keyjar[""] = []
kbl = []
for typ, info in config.keys.items():
typ = typ.upper()
LOGGER.info("OC server key init: %s, %s" % (typ, info))
kb = KeyBundle(source="file://%s" % info["key"], fileformat="der",
keytype=typ)
OAS.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
except KeyError:
pass
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
jwks = keyjar_init(OAS, config.keys)
except Exception, err:
LOGGER.error("Key setup failed: %s" % err)
OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
new_name = "static/jwks.json"
f = open(new_name, "w")
f.write(json.dumps(jwks))
f.close()
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
if config.USERINFO == "LDAP":
from oic.utils.userinfo.ldap_info import UserInfoLDAP
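Review bot: The `else` branch writes `static/jwks.json` with a bare `open`/`write`/`close`, so a failing `write` leaks the handle and the exception escapes the `else` (it is not covered by the `except` above it); `with open(new_name, "w") as f: f.write(json.dumps(jwks))` closes the file on every path. Separately, the `except Exception` fallback to `OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})` turns a broken key configuration into a server that starts quietly with different, generated signing keys — for a provider that deserves to fail loudly, or at minimum `LOGGER.exception("Key setup failed")` so the traceback is kept (the `traceback` import added in what looks like the same file's first hunk suggests that was intended). The later hunk `@ -553,16 +553,17 @@` adds the same pattern. The enclosing `if __name__ == '__main__':` block starts and ends outside this hunk.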
@ -1,3 +1,2 @@
#!/bin/sh
./claims_provider.py -p 8093 -d cp_config.json &
./oc_server.py -p 8092 -d oc_config &
@ -3,12 +3,11 @@
baseurl = "https://localhost"
issuer = "%s:%%d" % baseurl
keys = {
"RSA": {
"key": "cp_keys/key.pem",
"usage": ["enc", "sig"]
}
}
keys = [
{"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["enc"]}
]
SERVICE_URL = "%s/verify" % issuer
@ -553,16 +553,17 @@ if __name__ == '__main__':
if not OAS.baseurl.endswith("/"):
OAS.baseurl += "/"
jwks = keyjar_init(OAS, config.keys)
try:
jwks = keyjar_init(OAS, config.keys)
except Exception, err:
LOGGER.error("Key setup failed: %s" % err)
OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
new_name = "static/jwks.json"
f = open(new_name, "w")
f.write(json.dumps(jwks))
f.close()
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
except KeyError:
pass
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
@ -1,175 +0,0 @@
import os
from saml2 import saml
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2.extension.idpdisc import BINDING_DISCO
from saml2.saml import NAME_FORMAT_URI
from saml2.entity_category.edugain import COC
from saml2.entity_category.swamid import RESEARCH_AND_EDUCATION
from saml2.entity_category.swamid import HEI
from saml2.entity_category.swamid import SFS_1993_1153
from saml2.entity_category.swamid import NREN
from saml2.entity_category.swamid import EU
try:
from saml2.sigver import get_xmlsec_binary
except ImportError:
get_xmlsec_binary = None
if get_xmlsec_binary:
xmlsec_path = get_xmlsec_binary(["/opt/local/bin", "/usr/local/bin"])
else:
xmlsec_path = '/usr/local/bin/xmlsec1'
#Url to a discovery server for SAML. None implies not using one.
DISCOSRV = None
#DISCOSRV = "http://localhost/idp.ds"
#Url to a wayf for SAML. None implies not using one.
WAYF = None
#Full URL to the SP. You must have the same base as the OP.
BASE = "https://localhost:8092"#"%s"
#Discovery endpoint
DISCOENDPOINT = "saml_verify_disco"
#The BASE url where the Idp performs the redirect after a authn request from the SP.
#For the cookies to work do not use subfolders.
ASCREDIRECT = 'saml_verify_redirect'
#The BASE url where the Idp performs a post after a authn request from the SP.
#For the cookies to work do not use subfolders.
ASCPOST = 'saml_verify_post'
MULTI_AUTH_POST = "multi_saml_pass_verify"
MULTI_AUTH_DISCO_END_POINT = "multi_saml_pass_disco"
MULTI_ASC_REDIRECT = "multi_saml_pass_redirect"
#Must point to the complete path on disk to this file!
#Needed by the script create_metadata.sh and the SP to find all configurations.
#No need to change this!
FULL_PATH = os.path.dirname(os.path.abspath(__file__))
#This is the directory for the SP.
WORKING_DIR = FULL_PATH + "/"
#This is a map for Open Id connect to Saml2.
#The proxy will give the same response for OAuth2.
OPENID2SAMLMAP = {
"sub": "uid",
"name": "displayName",
"given_name": "givenname",
"family_name": "sn",
"middle_name": "",
"nickname": "eduPersonNickname",
"preferred_username": "uid",
"profile": "member",
#STUDENTNESS example for studentness
#"profile": "eduPersonScopedAffiliation",
"picture": "jpegPhoto",
"website": "labeledURI",
"email": "email",
#"email_verified": "Missing
"gender": "",
"birthdate": "norEduPersonNIN",
#zoneinfo timezone
"locale": "c",
"phone_number": "telephoneNumber",
#phone_number_verified
"address": "registeredAddress",
"updated_at": "" # When information was updated
}
#Traditional pysaml2 configuration for a SP. View more documentation for pysaml2.
CONFIG = {
"entityid": "%s/testpyoidcsp.xml" % BASE,
"description": "Test pyoidc SP",
"entity_category": [COC, RESEARCH_AND_EDUCATION, HEI, SFS_1993_1153, NREN, EU],
"service": {
"sp": {
"name": "Test pyoidc SP",
"authn_requests_signed": "true",
"want_response_signed": "true",
"endpoints": {
"assertion_consumer_service": [
(BASE + "/" + ASCREDIRECT, BINDING_HTTP_REDIRECT, 0),
(BASE + "/" + MULTI_ASC_REDIRECT, BINDING_HTTP_REDIRECT, 1),
(BASE + "/" + ASCPOST, BINDING_HTTP_POST, 0),
(BASE + "/" + MULTI_AUTH_POST, BINDING_HTTP_POST, 1),
],
"required_attributes": ["uid"],
"discovery_response": [
("%s/%s" % (BASE, DISCOENDPOINT), BINDING_DISCO),
("%s/%s" % (BASE, MULTI_AUTH_DISCO_END_POINT), BINDING_DISCO)
],
}
},
},
"key_file": WORKING_DIR+"sp_cert/localhost.key",
"cert_file": WORKING_DIR+"sp_cert/localhost.crt",
"xmlsec_binary": xmlsec_path,
"metadata": {
"local": ["[..]/pysaml2/example/idp2/idp.xml"],
#"remote": [{"url": "http://localhost/idp.xml", "cert": None}],
},
"name_form": NAME_FORMAT_URI,
"organization": {
"name": "Test pyoidc SP",
"display_name": [("Test pyoidc SP", "en")],
"url": BASE,
},
"contact_person": [
{
"contact_type": "technical",
"given_name": "Test",
"sur_name": "Testsson",
"email_address": "test.testsson@test.se"
},
],
"logger": {
"rotating": {
"filename": "sp.log",
"maxBytes": 100000,
"backupCount": 5,
},
"loglevel": "debug",
}
}
#Cache for transferring information between SAML authn and user info AA
SAML_CACHE = {}
# If AA_ATTRIBUTE_SAML_IDP is true the AA attributes and the IDP attributes will be concatenated. Else only the
# attributes listed in AA_ATTRIBUTE_SAML_IDP_WHITELIST will be returned. If AA_ATTRIBUTE_SAML_IDP_WHITELIST is None all
# attributes will be returned
AA_ATTRIBUTE_SAML_IDP = True
AA_ATTRIBUTE_SAML_IDP_WHITELIST = None
#STUDENTNESS example for studentness
#AA_ATTRIBUTE_SAML_IDP_WHITELIST = ["eduPersonScopedAffiliation"]
AA_REQUEST_ATTRIBUTES = None
#Contains all valid attributes and valid values for that attribute.
VALID_ATTRIBUTE_RESPONSE=None
#STUDENTNESS example configuration for studentness
#VALID_ATTRIBUTE_RESPONSE = {
# "eduPersonScopedAffiliation": ["student"]
#}
#Contains all attributes that will be returned.
#Only value that contains the values in the value list will be returned. If None will all values be returned.
ATTRIBUTE_WHITELIST=None
#STUDENTNESS example configuration for studentness
#ATTRIBUTE_WHITELIST = {
# "eduPersonScopedAffiliation": ["student"]
#}
#Attribute authority only used if USERINFO = "AA" in config.py
AA_ENTITY_ID = None
# If None name id is used otherwise the first value for the given attribute name in the SAML response will be used.
AA_NAMEID_ATTRIBUTE = None
#AA_NAMEID_ATTRIBUTE = "eduPersonTargetedID"
AA_NAMEID_FORMAT = saml.NAMEID_FORMAT_PERSISTENT
@ -0,0 +1,2 @@
#!/bin/sh
./server.py -p 8092 -d config &
@ -13,8 +13,6 @@ from oic.oic.message import AuthorizationRequest
from oic.oic.message import AccessTokenResponse
from oic.utils.webfinger import WebFinger
__author__ = 'rolandh'
logger = logging.getLogger(__name__)
@ -57,13 +55,13 @@ class OpenIDConnect(object):
self.authn_method = None
self.registration_info = registration_info
def dynamic(self, server_env, callback, logoutCallback, session, key):
def dynamic(self, server_env, callback, logout_callback, session, key):
try:
client = server_env["OIC_CLIENT"][key]
except KeyError:
client = self.client_cls(client_authn_method=CLIENT_AUTHN_METHOD)
client.redirect_uris = [callback]
client.post_logout_redirect_uris = [logoutCallback]
client.post_logout_redirect_uris = [logout_callback]
_me = self.registration_info.copy()
_me["redirect_uris"] = [callback]
@ -86,14 +84,14 @@ class OpenIDConnect(object):
server_env["OIC_CLIENT"] = {key: client}
return client
def static(self, server_env, callback, logoutCallback, key):
def static(self, server_env, callback, logout_callback, key):
try:
client = server_env["OIC_CLIENT"][key]
logger.debug("Static client: %s" % server_env["OIC_CLIENT"])
except KeyError:
client = self.client_cls(client_authn_method=CLIENT_AUTHN_METHOD)
client.redirect_uris = [callback]
client.post_logout_redirect_uris = [logoutCallback]
client.post_logout_redirect_uris = [logout_callback]
for typ in ["authorization", "token", "userinfo"]:
endpoint = "%s_endpoint" % typ
setattr(client, endpoint, self.extra[endpoint])
@ -130,13 +128,17 @@ class OpenIDConnect(object):
if not resp.ok and resp.status_code == 400:
client = None
server_env["OIC_CLIENT"].pop(key, None)
_state = ""
if client is None:
callback = server_env["base_url"] + key
logoutCallback = server_env["base_url"]
logout_callback = server_env["base_url"]
if self.srv_discovery_url:
client = self.dynamic(server_env, callback, logoutCallback, session, key)
client = self.dynamic(server_env, callback, logout_callback,
session, key)
else:
client = self.static(server_env, callback, logoutCallback, key)
client = self.static(server_env, callback, logout_callback,
key)
_state = session.getState()
session.setClient(client)
@ -144,10 +146,11 @@ class OpenIDConnect(object):
try:
acr_values = client.provider_info["acr_values_supported"]
session.set_acr_values(acr_values)
except:
except KeyError:
acr_values = None
if acr_value is None and acr_values is not None and len(acr_values) > 1:
if acr_value is None and acr_values is not None and \
len(acr_values) > 1:
resp_headers = [("Location", str("/rpAcr"))]
start_response("302 Found", resp_headers)
return []
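Review bot: Narrowing the bare `except:` to `except KeyError:` is the right direction, but `client.provider_info["acr_values_supported"]` can also fail in ways the new handler no longer covers: the `static` path earlier in this file fills endpoints by hand (`setattr(client, endpoint, self.extra[endpoint])`) and, as far as these hunks show, never assigns `provider_info`, so a missing or `None` attribute would now raise `AttributeError`/`TypeError` instead of defaulting `acr_values` to `None`. If `client_cls` initialises `provider_info` to an empty mapping this is harmless; if not, `acr_values = (getattr(client, "provider_info", None) or {})["acr_values_supported"]` keeps the missing-case on the `KeyError` path. The enclosing method begins outside the hunk.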
@ -0,0 +1,2 @@
#!/bin/bash
./rp2.py &
@ -0,0 +1,2 @@
#!/bin/bash
./rp3.py conf &