Make client secret expiration configurable.

rohe · rohe · commit 9788d8ce32ae · 2020-02-26T10:13:17.000+01:00
diff --git a/setup.py b/setup.py
@@ -66,8 +66,7 @@ def run_tests(self):
         'quality': ['pylama', 'isort', 'eradicate', 'mypy', 'black', 'bandit'],
     },
     install_requires=[
-        "oidcmsg>=0.6.6",
-        "cryptojwt>=0.7.13",
+        "oidcmsg>=0.6.7",
         "jinja2",
         "pyyaml",
         "requests",
diff --git a/src/oidcendpoint/oidc/registration.py b/src/oidcendpoint/oidc/registration.py
@@ -84,15 +84,6 @@ def verify_url(url, urlset):
     return False
 
 
-def client_secret_expiration_time(delta=86400):
-    """
-    Returns client_secret expiration time.
-
-    Split for easy customization.
-    """
-    return utc_time_sans_frac() + delta
-
-
 def secret(seed, sid):
     msg = "{}{:.6f}{}".format(time.time(), random(), sid).encode("utf-8")
     csum = hmac.new(seed, msg, hashlib.sha224)
@@ -128,7 +119,7 @@ class Registration(Endpoint):
     name = "registration"
 
     # default
-    # response_placement = 'body'dcfr
+    # response_placement = 'body'
 
     def match_client_request(self, request):
         _context = self.endpoint_context
@@ -143,7 +134,7 @@ def match_client_request(self, request):
                             raise CapabilitiesMisMatch(_pref)
                     else:
                         if not set(request[_pref]).issubset(
-                            set(_context.provider_info[_prov])
+                                set(_context.provider_info[_prov])
                         ):
                             raise CapabilitiesMisMatch(_pref)
 
@@ -165,8 +156,8 @@ def do_client_registration(self, request, client_id, ignore=None):
                     err = ClientRegistrationErrorResponse(
                         error="invalid_configuration_parameter",
                         error_description="post_logout_redirect_uris "
-                        "contains "
-                        "fragment",
+                                          "contains "
+                                          "fragment",
                     )
                     return err
                 base, query = splitquery(uri)
@@ -338,16 +329,22 @@ def add_registration_api(self, cinfo, client_id, context):
 
         context.registration_access_token[_rat] = client_id
 
+    def client_secret_expiration_time(self):
+        """
+        Returns client_secret expiration time.
+        """
+        if not self.kwargs.get("client_secret_expires", True):
+            return 0
+
+        _expiration_time = self.kwargs.get("client_secret_expires_in", 2592000)
+        return utc_time_sans_frac() + _expiration_time
+
     def add_client_secret(self, cinfo, client_id, context):
-        delta_int = int(self.kwargs.get("client_secret_expiration_time", 0))
-        args = {"delta": delta_int} if delta_int else {}
         client_secret = secret(context.seed, client_id)
-        cinfo.update(
-            {
-                "client_secret": client_secret,
-                "client_secret_expires_at": client_secret_expiration_time(**args),
-            }
-        )
+        cinfo["client_secret"] = client_secret
+        _eat = self.client_secret_expiration_time()
+        if _eat:
+            cinfo["client_secret_expires_at"] = _eat
 
         return client_secret
 
diff --git a/tests/test_23_oidc_registration_endpoint.py b/tests/test_23_oidc_registration_endpoint.py
@@ -218,6 +218,12 @@ def test_incorrect_request(self):
         with pytest.raises(ValueError):
             self.endpoint.parse_request(RegistrationRequest(**_msg).to_json())
 
+    def test_no_client_expiration_time(self):
+        self.endpoint.kwargs["client_secret_expires"] = False
+        _req = self.endpoint.parse_request(CLI_REQ.to_json())
+        _resp = self.endpoint.process_request(request=_req)
+        assert _resp
+
 
 def test_match_sp_sep():
     assert match_sp_sep("foo bar", "bar foo")
