Fix OIDC frontend.

Now supports all flows (Authorization Code, Implicit and Hybrid),
through use of the pyop library.
Supports storing state by using a MongoDB instance, with pyop's
bundled MongoWrapper.

Author: Rebecka Gulliksson

doc/README.md

@@ -301,15 +301,23 @@ The OpenID Connect frontend acts as and OpenID Connect Provider (OP), accepting
 Connect Relying Parties (RPs). The default configuration file can be found
 [here](../example/plugins/frontends/oidc_frontend.yaml.example).
 
+As opposed to the other plugins, this plugin is NOT stateless (due to the nature of OpenID Connect using any other
+flow than "Implicit Flow"). However, the frontend supports using a MongoDB instance as its backend storage, so as long
+that's reachable from all machines it should not be a problem.
+
 The configuration parameters available:
 * `signing_key_path`: path to a RSA Private Key file (PKCS#1). MUST be configured.
-* `client_db_path`: path to where the client (RP) database will be stored.
-The other parameters should be left with their default values.
+* `db_uri`: connection URI to MongoDB instance where the data will be persisted, if it's not specified all data will only
+   be stored in-memory (not suitable for production use).
+* `provider`: provider configuration information. MUST be configured, the following configuration are supported:
+    * `response_types_supported` (default: `[id_token]`): list of all supported response types, see [Section 3 of OIDC Core](http://openid.net/specs/openid-connect-core-1_0.html#Authentication).
+    * `subject_types_supported` (default: `[pairwise]`): list of all supported subject identifier types, see [Section 8 of OIDC Core](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
+    * `scopes_supported` (default: `[openid]`): list of all supported scopes, see [Section 5.4 of OIDC Core](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
+    * `client_registration_supported` (default: `No`): boolean whether [dynamic client registration is supported](https://openid.net/specs/openid-connect-registration-1_0.html).
+        If dynamic client registration is not supported all clients must exist in the MongoDB instance configured by the `db_uri` in the `"clients"` collection of the `"satosa"` database.
+        The registration info must be stored using the client id as a key, and use the parameter names of a [OIDC Registration Response](https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse).
 
-As opposed to the other plugins, this plugin is NOT stateless (due to the client database). This
-makes it impossible to run multiple instances of the SATOSA proxy on different machines (for the
-purpose of load balancing) unless the client database file is also distributed among those machines
-by some external process.
+The other parameters should be left with their default values.
 
 ### <a name="social_plugins" style="color:#000000">Social login plugins</a>
 The social login plugins can be used as backends for the proxy, allowing the

example/plugins/frontends/openid_connect_frontend.yaml.example

@@ -2,4 +2,9 @@ module: satosa.frontends.openid_connect.OpenIDConnectFrontend
 name: OIDC
 config:
   signing_key_path: frontend.key
-  client_db_path: ./client_db # optional: will default to in-memory storage if not specified
+  db_uri: mongodb://db.example.com # optional: only support MongoDB, will default to in-memory storage if not specified
+  provider:
+    client_registration_supported: Yes
+    response_types_supported: ["code", "id_token token"]
+    subject_types_supported: ["pairwise"]
+    scopes_supported: ["openid", "email"]

setup.py

@@ -16,6 +16,7 @@
     package_dir={'': 'src'},
     install_requires=[
         "oic==0.8.4.0",
+        "pyop==1.0.0",
         "pyjwkest==1.1.5",
         "pysaml2==4.0.3",
         "requests==2.9.1",

src/satosa/frontends/openid_connect.py

@@ -102,8 +102,8 @@ def __call__(self, environ, start_response, debug=False):
         context.request = unpack_request(environ, content_length)
         environ['wsgi.input'].seek(0)
 
-        context.wsgi_environ = environ
         context.cookie = environ.get("HTTP_COOKIE", "")
+        context.request_authorization = environ.get("HTTP_AUTHORIZATION", "")
 
         try:
             resp = self.run(context)

src/satosa/proxy_server.py

@@ -98,3 +98,18 @@ class NotFound(Response):
 
 class ServiceError(Response):
     _status = "500 Internal Service Error"
+
+
+class BadRequest(Response):
+    _status = "400 Bad Request"
+
+
+class Created(Response):
+    _status = "201 Created"
+
+
+class Unauthorized(Response):
+    _status = "401 Unauthorized"
+
+    def __init__(self, message, headers=None, content=None):
+        super().__init__(message, headers=headers, content=content)

src/satosa/response.py

@@ -331,3 +331,89 @@ def oidc_backend_config():
     }
 
     return data
+
+
+import atexit
+import random
+import shutil
+import subprocess
+import tempfile
+import time
+
+import pymongo
+import pytest
+
+
+class MongoTemporaryInstance(object):
+    """Singleton to manage a temporary MongoDB instance
+
+    Use this for testing purpose only. The instance is automatically destroyed
+    at the end of the program.
+
+    """
+    _instance = None
+
+    @classmethod
+    def get_instance(cls):
+        if cls._instance is None:
+            cls._instance = cls()
+            atexit.register(cls._instance.shutdown)
+        return cls._instance
+
+    def __init__(self):
+        self._tmpdir = tempfile.mkdtemp()
+        self._port = random.randint(40000, 50000)
+        self._process = subprocess.Popen(['mongod', '--bind_ip', 'localhost',
+                                          '--port', str(self._port),
+                                          '--dbpath', self._tmpdir,
+                                          '--nojournal', '--nohttpinterface',
+                                          '--noauth', '--smallfiles',
+                                          '--syncdelay', '0',
+                                          '--nssize', '1', ],
+                                         stdout=open('/tmp/mongo-temp.log', 'wb'),
+                                         stderr=subprocess.STDOUT)
+
+        # XXX: wait for the instance to be ready
+        #      Mongo is ready in a glance, we just wait to be able to open a
+        #      Connection.
+        for i in range(10):
+            time.sleep(0.2)
+            try:
+                self._conn = pymongo.MongoClient('localhost', self._port)
+            except pymongo.errors.ConnectionFailure:
+                continue
+            else:
+                break
+        else:
+            self.shutdown()
+            assert False, 'Cannot connect to the mongodb test instance'
+
+    @property
+    def conn(self):
+        return self._conn
+
+    @property
+    def port(self):
+        return self._port
+
+    def shutdown(self):
+        if self._process:
+            self._process.terminate()
+            self._process.wait()
+            self._process = None
+            shutil.rmtree(self._tmpdir, ignore_errors=True)
+
+    def get_uri(self):
+        """
+        Convenience function to get a mongodb URI to the temporary database.
+
+        :return: URI
+        """
+        return 'mongodb://localhost:{port!s}'.format(port=self.port)
+
+
+@pytest.yield_fixture
+def mongodb_instance():
+    tmp_db = MongoTemporaryInstance()
+    yield tmp_db
+    tmp_db.shutdown()

tests/conftest.py

@@ -1,12 +1,11 @@
 import json
-import os
 from urllib.parse import urlparse, urlencode, parse_qsl
 
 import pytest
 from jwkest.jwk import rsa_load, RSAKey
 from jwkest.jws import JWS
 from oic.oic.message import ClaimsRequest, Claims
-from oic.utils import shelve_wrapper
+from pyop.storage import MongoWrapper
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2.config import IdPConfig
 from werkzeug.test import Client
@@ -23,23 +22,25 @@
 
 
 @pytest.fixture
-def oidc_frontend_config(signing_key_path, tmpdir):
-    client_db_path = os.path.join(str(tmpdir), "client_db")
-    cdb = shelve_wrapper.open(client_db_path)
-    cdb[CLIENT_ID] = {
-        "redirect_uris": [(REDIRECT_URI, None)],
-        "response_types": ["id_token"]
-    }
-
+def oidc_frontend_config(signing_key_path, mongodb_instance):
     data = {
         "module": "satosa.frontends.openid_connect.OpenIDConnectFrontend",
         "name": "OIDCFrontend",
         "config": {
             "issuer": "https://proxy-op.example.com",
             "signing_key_path": signing_key_path,
-            "client_db_path": client_db_path
+            "provider": {"response_types_supported": ["id_token"]},
+            "db_uri": mongodb_instance.get_uri()  # use mongodb for integration testing
         }
     }
+
+    # insert client in mongodb
+    cdb = MongoWrapper(mongodb_instance.get_uri(), "satosa", "clients")
+    cdb[CLIENT_ID] = {
+        "redirect_uris": [REDIRECT_URI],
+        "response_types": ["id_token"]
+    }
+
     return data