Merge pull request #2 from openid/master

merge

Author: peppelinux

README.md

@@ -1,4 +1,4 @@
-# oicrp
+# oidcrp
 High level interface to the OIDC RP library
 
 oidcrp represents the 4th layer in the

flask_rp/application.py

@@ -1,5 +1,6 @@
 import os
 
+from cryptojwt import KeyJar
 from cryptojwt.key_jar import init_key_jar
 from flask.app import Flask
 from oidcop.utils import load_yaml_config
@@ -10,19 +11,28 @@
 
 
 def init_oidc_rp_handler(app):
-    oidc_keys_conf = app.config.get('OIDC_KEYS')
-    verify_ssl = app.config.get('VERIFY_SSL')
+    rp_keys_conf = app.config.get('RP_KEYS')
+    if rp_keys_conf is None:
+        rp_keys_conf = app.config.get('OIDC_KEYS')
 
-    _kj = init_key_jar(**oidc_keys_conf)
+    verify_ssl = app.config.get('VERIFY_SSL')
+    hash_seed = app.config.get('HASH_SEED')
+    if not hash_seed:
+        hash_seed = "BabyHoldOn"
+
+    if rp_keys_conf:
+        _kj = init_key_jar(**rp_keys_conf)
+        _path = rp_keys_conf['public_path']
+        if _path.startswith('./'):
+            _path = _path[2:]
+        elif _path.startswith('/'):
+            _path = _path[1:]
+    else:
+        _kj = KeyJar()
+        _path = ''
     _kj.verify_ssl = verify_ssl
 
-    _path = oidc_keys_conf['public_path']
-    if _path.startswith('./'):
-        _path = _path[2:]
-    elif _path.startswith('/'):
-        _path = _path[1:]
-
-    rph = RPHandler(base_url=app.config.get('BASEURL'), hash_seed="BabyHoldOn",
+    rph = RPHandler(base_url=app.config.get('BASEURL'), hash_seed=hash_seed,
                     keyjar=_kj, jwks_path=_path,
                     client_configs=app.config.get('CLIENTS'),
                     services=app.config.get('SERVICES'),
@@ -41,6 +51,8 @@ def oidc_provider_init_app(config_file, name=None, **kwargs):
     else:
         raise ValueError('Unknown configuration format')
 
+    app.config['SECRET_KEY'] = os.urandom(12).hex()
+
     app.users = {'test_user': {'name': 'Testing Name'}}
 
     try:

flask_rp/conf.yaml

@@ -24,16 +24,13 @@ SECRET_KEY: 'secret_key'
 SESSION_COOKIE_NAME: 'rp_session'
 PREFERRED_URL_SCHEME: 'https'
 
-OIDC_KEYS:
+RP_KEYS:
     'private_path': './private/jwks.json'
     'key_defs': *keydef
     'public_path': './static/jwks.json'
-    # this will create the jwks files if they absent
+    # this will create the jwks files if they are absent
     'read_only': False
 
-# PUBLIC_JWKS_PATH: 'https://127.0.0.1:8090/static/jwks.json'
-# PRIVATE_JWKS_PATH: './private/jwks.json'
-
 client_preferences: &id001
     application_name: rphandler
     application_type: web

flask_rp/example_conf.yaml

@@ -11,16 +11,21 @@ VERIFY_SSL: False
 
 KEYDEFS: &keydef
   -
-    "type: "RSA"
-    "key: ''
-    "use: ["sig"]
+    "type": "RSA"
+    "key": ''
+    "use": ["sig"]
   -
-    "type: "EC"
-    "crv: "P-256"
-    "use: ["sig"]
+    "type": "EC"
+    "crv": "P-256"
+    "use": ["sig"]
+
+RP_KEYS:
+    'private_path': 'jwks_dir/jwks.json'
+    'key_defs': *keydef
+    'public_path': 'static/jwks.json'
+    # this will create the jwks files if they absent
+    'read_only': False
 
-PRIVATE_JWKS_PATH: "jwks_dir/jwks.json"
-PUBLIC_JWKS_PATH: 'static/jwks.json'
 # information used when registering the client, this may be the same for all OPs
 
 services: &services

setup.py

@@ -66,7 +66,8 @@ def run_tests(self):
     install_requires=[
         'cryptojwt>=0.7.0',
         'oidcservice>=0.6.3',
-        'oidcmsg>=0.6.3'
+        'oidcmsg>=0.6.3',
+        'pyyaml'
     ],
     tests_require=[
         'pytest',

src/oidcrp/__init__.py

@@ -2,16 +2,19 @@
 import logging
 import sys
 import traceback
-from importlib import import_module
 
-from cryptojwt.utils import as_bytes, as_unicode
-from oidcmsg.exception import MessageException, NotForMe
+from cryptojwt.key_bundle import keybundle_from_local_file
+from cryptojwt.utils import as_bytes
+from cryptojwt.utils import as_unicode
+from oidcmsg.exception import MessageException
+from oidcmsg.exception import NotForMe
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.oauth2 import is_error_message
-from oidcmsg.oidc import AccessTokenResponse, verified_claim_name
+from oidcmsg.oidc import AccessTokenResponse
 from oidcmsg.oidc import AuthorizationRequest
 from oidcmsg.oidc import AuthorizationResponse
 from oidcmsg.oidc import OpenIDSchema
+from oidcmsg.oidc import verified_claim_name
 from oidcmsg.oidc.session import BackChannelLogoutRequest
 from oidcmsg.time_util import time_sans_frac
 from oidcservice import rndstr
@@ -24,7 +27,7 @@
 from oidcrp import provider
 
 __author__ = 'Roland Hedberg'
-__version__ = '0.6.1'
+__version__ = '0.6.3'
 
 logger = logging.getLogger(__name__)
 
@@ -237,6 +240,22 @@ def do_provider_info(self, client=None, state=''):
                         if _srv.endpoint_name == key:
                             _srv.endpoint = val
 
+            if 'keys' in _pi:
+                _kj = client.service_context.keyjar
+                for typ, _spec in _pi['keys'].items():
+                    if typ == 'url':
+                        for _iss, _url in _spec.items():
+                            _kj.add_url(_iss, _url)
+                    elif typ == 'file':
+                        for kty, _name in _spec.items():
+                            if kty == 'jwks':
+                                _kj.import_jwks_from_file(_name,
+                                                          client.service_context.issuer)
+                            elif kty == 'rsa':  # PEM file
+                                _kb = keybundle_from_local_file(_name, "der", ["sig"])
+                                _kj.add_kb(client.service_context.issuer, _kb)
+                    else:
+                        raise ValueError('Unknown provider JWKS type: {}'.format(typ))
             try:
                 return client.service_context.provider_info['issuer']
             except KeyError:
@@ -903,46 +922,3 @@ def backchannel_logout(client, request='', request_args=None):
         _state = client.session_interface.get_state_by_sub(sub)
 
     return _state
-
-
-# def get_provider_specific_service(service_provider, service, **kwargs):
-#     """
-#     Get a class instance of a :py:class:`oidcservice.service.Service` subclass
-#     specific to a specified service provider.
-#
-#     :param service_provider: The name of the service provider
-#     :param service: The name of the service
-#     :param kwargs: Arguments provided when initiating the class
-#     :return: An initiated subclass of :py:class:`oidcservice.service.Service`
-#         or None if the service or the service provider could not be found.
-#     """
-#     if service_provider in provider.__all__:
-#         mod = import_module('oidcrp.provider.' + service_provider)
-#         cls = getattr(mod, service)
-#         return cls(**kwargs)
-#
-#     return None
-#
-#
-# def factory(service_name, ignore, **kwargs):
-#     """
-#     A factory the given a service name will return a
-#     :py:class:`oidcservice.service.Service` instance if a service matching the
-#     name could be found.
-#
-#     :param service_name: A service name, could be either of the format
-#         'group.name' or 'name'.
-#     :param kwargs: A set of key word arguments to be used when initiating the
-#         Service class
-#     :return: A :py:class:`oidcservice.service.Service` instance or None
-#     """
-#     if '.' in service_name:
-#         group, name = service_name.split('.')
-#         if group == 'oauth2':
-#             service_factory(service_name[1], ['oauth2'], **kwargs)
-#         elif group == 'oidc':
-#             service_factory(service_name[1], ['oidc'], **kwargs)
-#         else:
-#             return get_provider_specific_service(group, name, **kwargs)
-#     else:
-#         return service_factory(service_name, ['oidc', 'oauth2'], **kwargs)

tests/test_11_oauth2.py

@@ -16,6 +16,7 @@
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.oidc import IdToken
 from oidcmsg.time_util import utc_time_sans_frac
+from oidcservice.exception import OidcServiceError
 from oidcservice.exception import ParseError
 
 from oidcrp.oauth2 import Client
@@ -163,7 +164,7 @@ def test_error_response_2(self):
             400, err.to_json(),
             headers={'content-type': 'application/x-www-form-urlencoded'})
 
-        with pytest.raises(HTTPError):
+        with pytest.raises(OidcServiceError):
             self.client.parse_request_response(
                 self.client.service['authorization'], http_resp)