Merge branch 'assemble' into dev

Author: rayluo

.gitignore

@@ -53,3 +53,6 @@ src/build
 # vim files
 *.swp
 
+# The test configuration file(s) could potentially contain credentials
+tests/config.json
+

msal/application.py

@@ -7,11 +7,10 @@
 from base64 import b64encode
 import sys
 
-from oauth2cli import Client
+from .oauth2cli import Client, JwtSigner
 from .authority import Authority
-from oauth2cli.assertion import JwtSigner
-import mex
-import wstrust_request
+from .mex import send_request as mex_send_request
+from .wstrust_request import send_request as wst_send_request
 from .wstrust_response import SAML_TOKEN_TYPE_V1, SAML_TOKEN_TYPE_V2
 from .token_cache import TokenCache
 
@@ -299,10 +298,10 @@ def _acquire_token_by_username_password_federated(
             self, user_realm_result, username, password, scopes=None, **kwargs):
         wstrust_endpoint = {}
         if user_realm_result.get("federation_metadata_url"):
-            wstrust_endpoint = mex.send_request(
+            wstrust_endpoint = mex_send_request(
                 user_realm_result["federation_metadata_url"])
         logger.debug("wstrust_endpoint = %s", wstrust_endpoint)
-        wstrust_result = wstrust_request.send_request(
+        wstrust_result = wst_send_request(
             username, password, user_realm_result.get("cloud_audience_urn"),
             wstrust_endpoint.get("address",
                 # Fallback to an AAD supplied endpoint

msal/assertion.py

@@ -0,0 +1,5 @@
+__version__ = "0.1.0"
+
+from .oauth2 import Client
+from .assertion import JwtSigner
+

msal/oauth2.py

@@ -0,0 +1,70 @@
+import time
+import binascii
+import base64
+import uuid
+import logging
+
+import jwt
+
+
+logger = logging.getLogger(__file__)
+
+class Signer(object):
+    def sign_assertion(
+            self, audience, issuer, subject, expires_at,
+            issued_at=None, assertion_id=None, **kwargs):
+        # Names are defined in https://tools.ietf.org/html/rfc7521#section-5
+        raise NotImplementedError("Will be implemented by sub-class")
+
+
+class JwtSigner(Signer):
+    def __init__(self, key, algorithm, sha1_thumbprint=None, headers=None):
+        """Create a signer.
+
+        Args:
+
+            key (str): The key for signing, e.g. a base64 encoded private key.
+            algorithm (str):
+                "RS256", etc.. See https://pyjwt.readthedocs.io/en/latest/algorithms.html
+                RSA and ECDSA algorithms require "pip install cryptography".
+            sha1_thumbprint (str): The x5t aka X.509 certificate SHA-1 thumbprint.
+            headers (dict): Additional headers, e.g. "kid" or "x5c" etc.
+        """
+        self.key = key
+        self.algorithm = algorithm
+        self.headers = headers or {}
+        if sha1_thumbprint:  # https://tools.ietf.org/html/rfc7515#section-4.1.7
+            self.headers["x5t"] = base64.urlsafe_b64encode(
+                binascii.a2b_hex(sha1_thumbprint)).decode()
+
+    def sign_assertion(
+            self, audience, issuer, subject=None, expires_at=None,
+            issued_at=None, assertion_id=None, not_before=None,
+            additional_claims=None, **kwargs):
+        """Sign a JWT Assertion.
+
+        Parameters are defined in https://tools.ietf.org/html/rfc7523#section-3
+        Key-value pairs in additional_claims will be added into payload as-is.
+        """
+        now = time.time()
+        payload = {
+            'aud': audience,
+            'iss': issuer,
+            'sub': subject or issuer,
+            'exp': expires_at or (now + 10*60),  # 10 minutes
+            'iat': issued_at or now,
+            'jti': assertion_id or str(uuid.uuid4()),
+            }
+        if not_before:
+            payload['nbf'] = not_before
+        payload.update(additional_claims or {})
+        try:
+            return jwt.encode(
+                payload, self.key, algorithm=self.algorithm, headers=self.headers)
+        except:
+            if self.algorithm.startswith("RS") or self.algorithm.starswith("ES"):
+                logger.exception(
+                    'Some algorithms requires "pip install cryptography". '
+                    'See https://pyjwt.readthedocs.io/en/latest/installation.html#cryptographic-dependencies-optional')
+            raise
+