Changes as a result of Ali's testing.

rohe · c00kiemon5ter · commit f0f38af3fd1b · 2023-07-10T22:12:15.000+03:00
diff --git a/src/satosa/backends/idpy_oidc.py b/src/satosa/backends/idpy_oidc.py
@@ -1,51 +1,50 @@
 """
-OIDC backend module.
+OIDC/OAuth2 backend module.
 """
 import logging
 from datetime import datetime
 
+from idpyoidc.client.oauth2.stand_alone_client import StandAloneClient
 from idpyoidc.server.user_authn.authn_context import UNSPECIFIED
 
 import satosa.logging_util as lu
 from satosa.backends.base import BackendModule
-from satosa.exception import SATOSAAuthenticationError
 from satosa.internal import AuthenticationInformation
 from satosa.internal import InternalData
+from ..exception import SATOSAAuthenticationError
+from ..response import Redirect
 
 logger = logging.getLogger(__name__)
 
-"""
-OIDC/OAuth2 backend module.
-"""
-from idpyoidc.client.oauth2.stand_alone_client import StandAloneClient
-
 
 class IdpyOIDCBackend(BackendModule):
     """
     Backend module for OIDC and OAuth 2.0, can be directly used.
     """
 
-    def __init__(self, outgoing, internal_attributes, config, base_url, name):
+    def __init__(self, auth_callback_func, internal_attributes, config, base_url, name):
         """
-        :type outgoing:
+        OIDC backend module.
+        :param auth_callback_func: Callback should be called by the module after the authorization
+        in the backend is done.
+        :param internal_attributes: Mapping dictionary between SATOSA internal attribute names and
+        the names returned by underlying IdP's/OP's as well as what attributes the calling SP's and
+        RP's expects namevice.
+        :param config: Configuration parameters for the module.
+        :param base_url: base url of the service
+        :param name: name of the plugin
+
+        :type auth_callback_func:
         (satosa.context.Context, satosa.internal.InternalData) -> satosa.response.Response
-        :type internal_attributes: dict[str, dict[str, list[str] | str]]
-        :type config: dict[str, Any]
+        :type internal_attributes: dict[string, dict[str, str | list[str]]]
+        :type config: dict[str, dict[str, str] | list[str]]
         :type base_url: str
         :type name: str
-
-        :param outgoing: Callback should be called by the module after
-                                   the authorization in the backend is done.
-        :param internal_attributes: Internal attribute map
-        :param config: The module config
-        :param base_url: base url of the service
-        :param name: name of the plugin
         """
-        super().__init__(outgoing, internal_attributes, base_url, name)
-
-        self.client = StandAloneClient(config=config["client_config"],
-                                       client_type=config["client_config"]['client_type'])
-        # Deal with provider discovery and client registration
+        super().__init__(auth_callback_func, internal_attributes, base_url, name)
+        # self.auth_callback_func = auth_callback_func
+        # self.config = config
+        self.client = StandAloneClient(config=config["client"], client_type="oidc")
         self.client.do_provider_info()
         self.client.do_client_registration()
 
@@ -57,7 +56,8 @@ def start_auth(self, context, internal_request):
         :type internal_request: satosa.internal.InternalData
         :rtype satosa.response.Redirect
         """
-        return self.client.init_authorization()
+        login_url = self.client.init_authorization()
+        return Redirect(login_url)
 
     def register_endpoints(self):
         """
@@ -67,8 +67,56 @@ def register_endpoints(self):
         :rtype: Sequence[(str, Callable[[satosa.context.Context], satosa.response.Response]]
         :return: A list that can be used to map the request to SATOSA to this endpoint.
         """
+        return self.client.context.claims.get_usage('redirect_uris')
+
+    def response_endpoint(self, context, *args):
+        """
+        Handles the authentication response from the OP.
+        :type context: satosa.context.Context
+        :type args: Any
+        :rtype: satosa.response.Response
 
-        return self.client.context.claims.get_usage('authorization_endpoint')
+        :param context: SATOSA context
+        :param args: None
+        :return:
+        """
+
+        _info = self.client.finalize(context.request)
+        self._check_error_response(_info, context)
+        userinfo = _info.get('userinfo')
+        id_token = _info.get('id_token')
+
+        if not id_token and not userinfo:
+            msg = "No id_token or userinfo, nothing to do.."
+            logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+            logger.error(logline)
+            raise SATOSAAuthenticationError(context.state, "No user info available.")
+
+        all_user_claims = dict(list(userinfo.items()) + list(id_token.items()))
+        msg = "UserInfo: {}".format(all_user_claims)
+        logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
+        logger.debug(logline)
+        internal_resp = self._translate_response(all_user_claims, _info["issuer"])
+        return self.auth_callback_func(context, internal_resp)
+
+    def _translate_response(self, response, issuer):
+        """
+        Translates oidc response to SATOSA internal response.
+        :type response: dict[str, str]
+        :type issuer: str
+        :type subject_type: str
+        :rtype: InternalData
+
+        :param response: Dictioary with attribute name as key.
+        :param issuer: The oidc op that gave the repsonse.
+        :param subject_type: public or pairwise according to oidc standard.
+        :return: A SATOSA internal response.
+        """
+        auth_info = AuthenticationInformation(UNSPECIFIED, str(datetime.now()), issuer)
+        internal_resp = InternalData(auth_info=auth_info)
+        internal_resp.attributes = self.converter.to_internal("openid", response)
+        internal_resp.subject_id = response["sub"]
+        return internal_resp
 
     def _check_error_response(self, response, context):
         """
@@ -86,46 +134,3 @@ def _check_error_response(self, response, context):
             logline = lu.LOG_FMT.format(id=lu.get_session_id(context.state), message=msg)
             logger.debug(logline)
             raise SATOSAAuthenticationError(context.state, "Access denied")
-
-    def _authn_response(self, context):
-        """
-        Handles the authentication response from the AS.
-
-        :type context: satosa.context.Context
-        :rtype: satosa.response.Response
-        :param context: The context in SATOSA
-        :return: A SATOSA response. This method is only responsible to call the callback function
-        which generates the Response object.
-        """
-
-        _info = self.client.finalize(context.request)
-        self._check_error_response(_info, context)
-
-        try:
-            auth_info = self.auth_info(context.request)
-        except NotImplementedError:
-            auth_info = AuthenticationInformation(auth_class_ref=UNSPECIFIED,
-                                                  timestamp=str(datetime.now()),
-                                                  issuer=_info["issuer"])
-
-        attributes = self.converter.to_internal(
-            self.client.client_type, _info['userinfo'],
-        )
-
-        internal_response = InternalData(
-            auth_info=auth_info,
-            attributes=attributes,
-            subject_id=_info['userinfo']['sub']
-        )
-        return internal_response
-
-    def auth_info(self, request):
-        """
-        Creates the SATOSA authentication information object.
-        :type request: dict[str, str]
-        :rtype: AuthenticationInformation
-
-        :param request: The request parameters in the authentication response sent by the AS.
-        :return: How, who and when the authentication took place.
-        """
-        raise NotImplementedError("Method 'auth_info' must be implemented in the subclass!")
