Merge pull request #17 from AzureAD/full-support-for-verify-and-proxies

Full support for verify and proxies

Author: rayluo

msal/application.py

@@ -92,14 +92,14 @@ def __init__(
         """
         self.client_id = client_id
         self.client_credential = client_credential
+        self.verify = verify
+        self.proxies = proxies
+        self.timeout = timeout
         self.authority = Authority(
                 authority or "https://login.microsoftonline.com/common/",
-                validate_authority)
+                validate_authority, verify=verify, proxies=proxies, timeout=timeout)
             # Here the self.authority is not the same type as authority in input
         self.token_cache = token_cache or TokenCache()
-        self.verify = verify
-        self.proxies = proxies
-        self.timeout = timeout
         self.client = self._build_client(client_credential, self.authority)
 
     def _build_client(self, client_credential, authority):
@@ -166,7 +166,10 @@ def get_authorization_request_url(
             (Under the hood, we simply merge scope and additional_scope before
             sending them on the wire.)
         """
-        the_authority = Authority(authority) if authority else self.authority
+        the_authority = Authority(
+            authority,
+            verify=self.verify, proxies=self.proxies, timeout=self.timeout,
+            ) if authority else self.authority
         client = Client(
             {"authorization_endpoint": the_authority.authorization_endpoint},
             self.client_id)
@@ -272,7 +275,10 @@ def acquire_token_silent(
             - None when cache lookup does not yield anything.
         """
         assert isinstance(scopes, list), "Invalid parameter type"
-        the_authority = Authority(authority) if authority else self.authority
+        the_authority = Authority(
+            authority,
+            verify=self.verify, proxies=self.proxies, timeout=self.timeout,
+            ) if authority else self.authority
 
         if not force_refresh:
             matches = self.token_cache.find(
@@ -383,17 +389,20 @@ def acquire_token_by_username_password(
 
     def _acquire_token_by_username_password_federated(
             self, user_realm_result, username, password, scopes=None, **kwargs):
+        verify = kwargs.pop("verify", self.verify)
+        proxies = kwargs.pop("proxies", self.proxies)
         wstrust_endpoint = {}
         if user_realm_result.get("federation_metadata_url"):
             wstrust_endpoint = mex_send_request(
-                user_realm_result["federation_metadata_url"])
+                user_realm_result["federation_metadata_url"],
+                verify=verify, proxies=proxies)
         logger.debug("wstrust_endpoint = %s", wstrust_endpoint)
         wstrust_result = wst_send_request(
             username, password, user_realm_result.get("cloud_audience_urn"),
             wstrust_endpoint.get("address",
                 # Fallback to an AAD supplied endpoint
                 user_realm_result.get("federation_active_auth_url")),
-            wstrust_endpoint.get("action"), **kwargs)
+            wstrust_endpoint.get("action"), verify=verify, proxies=proxies)
         if not ("token" in wstrust_result and "type" in wstrust_result):
             raise RuntimeError("Unsuccessful RSTR. %s" % wstrust_result)
         grant_type = {

msal/authority.py

@@ -21,7 +21,9 @@ class Authority(object):
     Once constructed, it contains members named "*_endpoint" for this instance.
     TODO: It will also cache the previously-validated authority instances.
     """
-    def __init__(self, authority_url, validate_authority=True):
+    def __init__(self, authority_url, validate_authority=True,
+            verify=True, proxies=None, timeout=None,
+            ):
         """Creates an authority instance, and also validates it.
 
         :param validate_authority:
@@ -30,24 +32,31 @@ def __init__(self, authority_url, validate_authority=True):
             This parameter only controls whether an instance discovery will be
             performed.
         """
+        self.verify = verify
+        self.proxies = proxies
+        self.timeout = timeout
         canonicalized, self.instance, tenant = canonicalize(authority_url)
         tenant_discovery_endpoint = (  # Hard code a V2 pattern as default value
             'https://{}/{}/v2.0/.well-known/openid-configuration'
             .format(WORLD_WIDE, tenant))
         if validate_authority and self.instance not in WELL_KNOWN_AUTHORITY_HOSTS:
             tenant_discovery_endpoint = instance_discovery(
-                canonicalized + "/oauth2/v2.0/authorize")
-        openid_config = tenant_discovery(tenant_discovery_endpoint)
+                canonicalized + "/oauth2/v2.0/authorize",
+                verify=verify, proxies=proxies, timeout=timeout)
+        openid_config = tenant_discovery(
+            tenant_discovery_endpoint,
+            verify=verify, proxies=proxies, timeout=timeout)
         self.authorization_endpoint = openid_config['authorization_endpoint']
         self.token_endpoint = openid_config['token_endpoint']
         _, _, self.tenant = canonicalize(self.token_endpoint)  # Usually a GUID
         self.is_adfs = self.tenant.lower() == 'adfs'
 
-    def user_realm_discovery(self, username, **kwargs):
+    def user_realm_discovery(self, username):
         resp = requests.get(
             "https://{netloc}/common/userrealm/{username}?api-version=1.0".format(
                 netloc=self.instance, username=username),
-            headers={'Accept':'application/json'}, **kwargs)
+            headers={'Accept':'application/json'},
+            verify=self.verify, proxies=self.proxies, timeout=self.timeout)
         resp.raise_for_status()
         return resp.json()
         # It will typically contain "ver", "account_type",
@@ -64,17 +73,20 @@ def canonicalize(url):
             "https://login.microsoftonline.com/<tenant_name>" % url)
     return match_object.group(0), match_object.group(1), match_object.group(2)
 
-def instance_discovery(url, response=None):  # Returns tenant discovery endpoint
+def instance_discovery(url, response=None, **kwargs):
+    # Returns tenant discovery endpoint
     resp = requests.get(  # Note: This URL seemingly returns V1 endpoint only
         'https://{}/common/discovery/instance'.format(WORLD_WIDE),
-        params={'authorization_endpoint': url, 'api-version': '1.0'})
+        params={'authorization_endpoint': url, 'api-version': '1.0'},
+        **kwargs)
     payload = response or resp.json()
     if 'tenant_discovery_endpoint' not in payload:
         raise MsalServiceError(status_code=resp.status_code, **payload)
     return payload['tenant_discovery_endpoint']
 
-def tenant_discovery(tenant_discovery_endpoint):  # Returns Openid Configuration
-    resp = requests.get(tenant_discovery_endpoint)
+def tenant_discovery(tenant_discovery_endpoint, **kwargs):
+    # Returns Openid Configuration
+    resp = requests.get(tenant_discovery_endpoint, **kwargs)
     payload = resp.json()
     if 'authorization_endpoint' in payload and 'token_endpoint' in payload:
         return payload

tests/test_authority.py

@@ -94,6 +94,6 @@ def test_instance_discovery_with_unknown_instance(self):
     def test_instance_discovery_with_mocked_response(self):
         mock_response = {'tenant_discovery_endpoint': 'http://a.com/t/openid'}
         endpoint = instance_discovery(
-            "https://login.microsoftonline.in/tenant.com", mock_response)
+            "https://login.microsoftonline.in/tenant.com", response=mock_response)
         self.assertEqual(endpoint, mock_response['tenant_discovery_endpoint'])