Configuration args should be collected under kwargs header.

rohe · rohe · commit 5532cd54e588 · 2020-03-31T16:42:29.000+02:00
Make both possible for a while.
Deprecation warning if you don't have kwargs.
diff --git a/src/oidcendpoint/token_handler.py b/src/oidcendpoint/token_handler.py
@@ -1,6 +1,7 @@
 import base64
 import hashlib
 import logging
+import warnings
 
 from cryptography.fernet import Fernet
 from cryptography.fernet import InvalidToken
@@ -258,7 +259,28 @@ def init_token_handler(ec, spec, typ):
     else:
         cls = importer(_cls)
 
-    return cls(typ=typ, ec=ec, **spec)
+    _kwargs = spec.get('kwargs')
+    if _kwargs is None:
+        if cls != DefaultToken:
+            warnings.warn(
+                "Token initialisation arguments should be grouped under 'kwargs'.",
+                DeprecationWarning,
+                stacklevel=2,
+            )
+        _kwargs = spec
+
+    return cls(typ=typ, ec=ec, **_kwargs)
+
+
+def _add_passwd(keyjar, conf, kid):
+    if keyjar:
+        _keys = keyjar.get_encrypt_key(key_type="oct", kid=kid)
+        if _keys:
+            pw = as_unicode(_keys[0].k)
+            if "kwargs" in conf:
+                conf["kwargs"]["password"] = pw
+            else:
+                conf["password"] = pw
 
 
 def factory(ec, code=None, token=None, refresh=None, jwks_def=None, **kwargs):
@@ -282,26 +304,15 @@ def factory(ec, code=None, token=None, refresh=None, jwks_def=None, **kwargs):
     args = {}
 
     if code:
-        if kj:
-            _keys = kj.get_encrypt_key(key_type="oct", kid="code")
-            if _keys:
-                code["password"] = as_unicode(_keys[0].k)
+        _add_passwd(kj, code, "code")
         args["code_handler"] = init_token_handler(ec, code, TTYPE["code"])
 
     if token:
-        if kj:
-            _keys = kj.get_encrypt_key(key_type="oct", kid="token")
-            if _keys:
-                token["password"] = as_unicode(_keys[0].k)
+        _add_passwd(kj, token, "token")
         args["access_token_handler"] = init_token_handler(ec, token, TTYPE["token"])
 
     if refresh:
-        if kj:
-            _keys = kj.get_encrypt_key(key_type="oct", kid="refresh")
-            if _keys:
-                refresh["password"] = as_unicode(_keys[0].k)
-        args["refresh_token_handler"] = init_token_handler(
-            ec, refresh, TTYPE["refresh"]
-        )
+        _add_passwd(kj, refresh, "refresh")
+        args["refresh_token_handler"] = init_token_handler(ec, refresh, TTYPE["refresh"])
 
     return TokenHandler(**args)
diff --git a/tests/test_27_jwt_token.py b/tests/test_27_jwt_token.py
@@ -4,6 +4,9 @@
 from cryptojwt.jwt import JWT
 from cryptojwt.jwt import utc_time_sans_frac
 from cryptojwt.key_jar import init_key_jar
+from oidcmsg.oidc import AccessTokenRequest
+from oidcmsg.oidc import AuthorizationRequest
+
 from oidcendpoint import user_info
 from oidcendpoint.client_authn import verify_client
 from oidcendpoint.endpoint_context import EndpointContext
@@ -15,8 +18,6 @@
 from oidcendpoint.oidc.token import AccessToken
 from oidcendpoint.session import setup_session
 from oidcendpoint.user_authn.authn_context import INTERNETPROTOCOLPASSWORD
-from oidcmsg.oidc import AccessTokenRequest
-from oidcmsg.oidc import AuthorizationRequest
 
 KEYDEFS = [
     {"type": "RSA", "key": "", "use": ["sig"]},
@@ -109,15 +110,17 @@ def create_endpoint(self):
                 "code": {"lifetime": 600},
                 "token": {
                     "class": "oidcendpoint.jwt_token.JWTToken",
-                    "lifetime": 3600,
-                    "add_claims": [
-                        "email",
-                        "email_verified",
-                        "phone_number",
-                        "phone_number_verified",
-                    ],
-                    "add_claim_by_scope": True,
-                    "aud": ["https://example.org/appl"],
+                    "kwargs": {
+                        "lifetime": 3600,
+                        "add_claims": [
+                            "email",
+                            "email_verified",
+                            "phone_number",
+                            "phone_number_verified",
+                        ],
+                        "add_claim_by_scope": True,
+                        "aud": ["https://example.org/appl"],
+                    }
                 },
             },
             "endpoint": {
@@ -217,6 +220,6 @@ def test_is_expired(self):
         assert handler.is_expired(_dic["access_token"]) is False
 
         assert (
-            handler.is_expired(_dic["access_token"], utc_time_sans_frac() + 4000)
-            is True
+                handler.is_expired(_dic["access_token"], utc_time_sans_frac() + 4000)
+                is True
         )
diff --git a/tests/test_31_introspection.py b/tests/test_31_introspection.py
@@ -165,8 +165,10 @@ def create_endpoint(self, jwt_token):
             "template_dir": "template",
         }
         if jwt_token:
-            conf["token_handler_args"]["token"]["class"] = \
-                "oidcendpoint.jwt_token.JWTToken"
+            conf["token_handler_args"]["token"] = {
+                "class": "oidcendpoint.jwt_token.JWTToken",
+                "kwargs": {}
+            }
         endpoint_context = EndpointContext(conf)
         endpoint_context.cdb["client_1"] = {
             "client_secret": "hemligt",
diff --git a/tests/test_40_oauth2_pushed_authorization.py b/tests/test_40_oauth2_pushed_authorization.py
@@ -5,15 +5,16 @@
 from cryptojwt import JWT
 from cryptojwt.jwt import remove_jwt_parameters
 from cryptojwt.key_jar import init_key_jar
+from oidcmsg.message import Message
+from oidcmsg.oauth2 import AuthorizationRequest
+
 from oidcendpoint.cookie import CookieDealer
 from oidcendpoint.endpoint_context import EndpointContext
 from oidcendpoint.id_token import IDToken
 from oidcendpoint.oauth2.authorization import Authorization
 from oidcendpoint.oauth2.pushed_authorization import PushedAuthorization
 from oidcendpoint.oidc.provider_config import ProviderConfiguration
 from oidcendpoint.oidc.registration import Registration
-from oidcmsg.message import Message
-from oidcmsg.oauth2 import AuthorizationRequest
 
 CAPABILITIES = {
     "subject_types_supported": ["public", "pairwise"],
@@ -83,15 +84,17 @@ def create_endpoint(self):
                 "code": {"lifetime": 600},
                 "token": {
                     "class": "oidcendpoint.jwt_token.JWTToken",
-                    "lifetime": 3600,
-                    "add_claims": [
-                        "email",
-                        "email_verified",
-                        "phone_number",
-                        "phone_number_verified",
-                    ],
-                    "add_claim_by_scope": True,
-                    "aud": ["https://example.org/appl"],
+                    "kwargs":{
+                        "lifetime": 3600,
+                        "add_claims": [
+                            "email",
+                            "email_verified",
+                            "phone_number",
+                            "phone_number_verified",
+                        ],
+                        "add_claim_by_scope": True,
+                        "aud": ["https://example.org/appl"]
+                    },
                 },
                 "refresh": {"lifetime": 86400},
             },
