Merge branch 'master' of github.com:IdentityPython/oidcendpoint

Author: rohe

src/oidcendpoint/endpoint.py

@@ -35,14 +35,14 @@
             - _parse_args
             - post_construct (*)
     - update_http_args
-    
+
 do_response returns a dictionary that can look like this:
 {
-  'response': 
-    _response as a string or as a Message instance_ 
+  'response':
+    _response as a string or as a Message instance_
   'http_headers': [
-    ('Content-type', 'application/json'), 
-    ('Pragma', 'no-cache'), 
+    ('Content-type', 'application/json'),
+    ('Pragma', 'no-cache'),
     ('Cache-Control', 'no-store')
   ],
   'cookie': _list of cookies_,
@@ -51,8 +51,8 @@
 
 "response" MUST be present
 "http_headers" MAY be present
-"cookie": MAY be present 
-"response_placement": If absent defaults to the endpoints response_placement 
+"cookie": MAY be present
+"response_placement": If absent defaults to the endpoints response_placement
     parameter value or if that is also missing 'url'
 """
 

src/oidcendpoint/jwt_token.py

@@ -14,7 +14,6 @@ class JWTToken(Token):
     def __init__(
         self,
         typ,
-        black_list=None,
         keyjar=None,
         issuer=None,
         aud=None,
@@ -24,7 +23,7 @@ def __init__(
         token_type="Bearer",
         **kwargs
     ):
-        Token.__init__(self, typ, black_list, **kwargs)
+        Token.__init__(self, typ, **kwargs)
         self.token_type = token_type
         self.lifetime = lifetime
         self.args = kwargs
@@ -105,7 +104,6 @@ def info(self, token):
             "type": _payload["ttype"],
             "exp": _payload["exp"],
             "handler": self,
-            "black_listed": self.is_black_listed(token),
         }
         return _res
 

src/oidcendpoint/oauth2/introspection.py

@@ -18,7 +18,7 @@ class Introspection(Endpoint):
     response_cls = oauth2.TokenIntrospectionResponse
     request_format = "urlencoded"
     response_format = "json"
-    endpoint_name = "introspection"
+    endpoint_name = "introspection_endpoint"
     name = "introspection"
 
     def get_client_id_from_token(self, endpoint_context, token, request=None):

src/oidcendpoint/oidc/token.py

@@ -111,7 +111,7 @@ def _access_token(self, req, **kwargs):
                 return resp
 
             _sdb.update_by_token(_access_code, id_token=_idtoken)
-            _info = _sdb[_access_code]
+            _info = _sdb[_info['sid']]
 
         return by_schema(AccessTokenResponse, **_info)
 
@@ -155,6 +155,8 @@ def process_request(self, request=None, **kwargs):
         :param kwargs:
         :return: Dictionary with response information
         """
+        if isinstance(request, self.error_cls):
+            return request
         try:
             response_args = self._access_token(request, **kwargs)
         except JWEException as err:
@@ -163,9 +165,9 @@ def process_request(self, request=None, **kwargs):
         if isinstance(response_args, ResponseMessage):
             return response_args
 
-        _access_code = request["code"].replace(" ", "+")
+        _access_token = response_args["access_token"]
         _cookie = new_cookie(
-            self.endpoint_context, sub=self.endpoint_context.sdb[_access_code]["sub"]
+            self.endpoint_context, sub=self.endpoint_context.sdb[_access_token]["sub"]
         )
         _headers = [("Content-type", "application/json")]
         resp = {"response_args": response_args, "http_headers": _headers}

src/oidcendpoint/oidc/token_coop.py

@@ -126,7 +126,7 @@ def _access_token(self, req, **kwargs):
                 return resp
 
             _sdb.update_by_token(_access_code, id_token=_idtoken)
-            _info = _sdb[_access_code]
+            _info = _sdb[_info['sid']]
 
         return by_schema(AccessTokenResponse, **_info)
 
@@ -212,6 +212,8 @@ def process_request(self, request=None, **kwargs):
         :param kwargs:
         :return: Dictionary with response information
         """
+        if isinstance(request, self.error_cls):
+            return request
         try:
             if request["grant_type"] == "authorization_code":
                 logger.debug("Access Token Request")
@@ -234,8 +236,9 @@ def process_request(self, request=None, **kwargs):
         else:
             _token = request["refresh_token"].replace(" ", "+")
 
+        _access_token = response_args["access_token"]
         _cookie = new_cookie(
-            self.endpoint_context, sub=self.endpoint_context.sdb[_token]["sub"]
+            self.endpoint_context, sub=self.endpoint_context.sdb[_access_token]["sub"]
         )
 
         _headers = [("Content-type", "application/json")]

src/oidcendpoint/session.py

@@ -7,6 +7,7 @@
 from oidcmsg.message import OPTIONAL_LIST_OF_STRINGS
 from oidcmsg.message import SINGLE_OPTIONAL_STRING
 from oidcmsg.message import SINGLE_REQUIRED_STRING
+from oidcmsg.message import SINGLE_OPTIONAL_JSON
 from oidcmsg.message import msg_ser
 from oidcmsg.oidc import AuthorizationRequest
 
@@ -144,12 +145,16 @@ def __getitem__(self, item):
         if _info is None:
             sid = self.handler.sid(item)
             _info = self._db.get(sid)
-
-        if _info:
+            if _info:
+                _si = SessionInfo().from_json(_info)
+                if any(item == val for val in _si.values()):
+                    _si['sid'] = sid
+                    return _si
+        else:
             _si = SessionInfo().from_json(_info)
+            _si['sid'] = item
             return _si
-        else:
-            return None
+        raise KeyError
 
     def __setitem__(self, sid, instance):
         try:
@@ -268,9 +273,9 @@ def do_sub(
 
         return sub
 
-    def is_valid(self, item):
+    def is_valid(self, typ, item):
         try:
-            return not self.handler.is_black_listed(item)
+            return typ in self[item]
         except KeyError:
             return False
 
@@ -295,9 +300,8 @@ def replace_token(self, sid, sinfo, token_type):
 
         if token_type in self.handler:
             refresh_token = self.handler[token_type](sid, sinfo=sinfo)
-            # blacklist the old is there is one
-            if sinfo.get(token_type):
-                self.handler[token_type].black_list(sinfo[token_type])
+            # blacklist the old
+            self.revoke_token(sid, token_type, sinfo)
 
             sinfo[token_type] = refresh_token
         return sinfo
@@ -333,25 +337,17 @@ def upgrade_to_token(
         :return: The session information as a SessionInfo instance
         """
         if grant:
+            # The caller is responsible for checking if the access code exists.
             _tinfo = self.handler["code"].info(grant)
 
-            session_info = self[_tinfo["sid"]]
-
-            if self.handler["code"].is_black_listed(grant):
-                # invalidate the released access token and refresh token
-                for item in ["access_token", "refresh_token"]:
-                    try:
-                        self.handler[item].black_list(session_info[item])
-                    except KeyError:
-                        pass
-                raise AccessCodeUsed(grant)
+            key = _tinfo["sid"]
+            session_info = self[key]
 
             # mint a new access token
             _at = self._make_at(_tinfo["sid"], session_info)
 
             # make sure the code can't be used again
-            self.handler["code"].black_list(grant)
-            key = _tinfo["sid"]
+            self.revoke_token(key, "code", session_info)
         else:
             session_info = self[key]
             _at = self._make_at(key, session_info)
@@ -386,17 +382,15 @@ def refresh_token(self, token, new_refresh=False):
         :raises: ExpiredToken for invalid refresh token
                  WrongTokenType for wrong token type
         """
-
         try:
             _tinfo = self.handler["refresh_token"].info(token)
         except KeyError:
             return False
 
-        if is_expired(int(_tinfo["exp"])) or _tinfo["black_listed"]:
-            raise ExpiredToken()
-
         _sid = _tinfo["sid"]
         session_info = self[_sid]
+        if is_expired(int(_tinfo["exp"])):
+            raise ExpiredToken()
 
         session_info = self.replace_token(_sid, session_info, "access_token")
 
@@ -420,11 +414,10 @@ def is_token_valid(self, token):
         except KeyError:
             return False
 
-        if is_expired(int(_tinfo["exp"])) or _tinfo["black_listed"]:
-            return False
-
         # Dependent on what state the session is in.
         session_info = self[_tinfo["sid"]]
+        if is_expired(int(_tinfo["exp"])):
+            return False
 
         if session_info["oauth_state"] == "authz":
             if _tinfo["handler"] != self.handler["code"]:
@@ -435,22 +428,25 @@ def is_token_valid(self, token):
 
         return True
 
-    def revoke_token(self, token, token_type=""):
+    def revoke_token(self, sid, token_type, session_info=None):
         """
-        Revokes access token
+        Revokes token
 
-        :param token: access token
+        :param sid: session id
+        :param token_type: token type, one of "code", "access_token" or
+            "refresh_token"
         """
-        if token_type:
-            self.handler[token_type].black_list(token)
-        else:
-            self.handler.black_list(token)
+        if not session_info:
+            session_info = self[sid]
+        session_info.pop(token_type, None)
+        self[sid] = session_info
 
     def revoke_all_tokens(self, token):
-        _sinfo = self[token]
-        for typ in self.handler.keys():
-            if _sinfo.get(typ):
-                self.revoke_token(_sinfo[typ], typ)
+        sid = self.handler.sid(token)
+        _sinfo = self[sid]
+        for token_type in self.handler.keys():
+            _sinfo.pop(token_type, None)
+        self[sid] = _sinfo
 
     def revoke_session(self, sid="", token=""):
         """
@@ -465,11 +461,9 @@ def revoke_session(self, sid="", token=""):
             else:
                 raise ValueError('Need one of "sid" or "token"')
 
-        for typ in ["access_token", "refresh_token", "code"]:
-            try:
-                self.revoke_token(self[sid][typ], typ)
-            except KeyError:  # If no such token has been issued
-                pass
+        _sinfo = self[sid]
+        for token_type in self.handler.keys():
+            _sinfo.pop(token_type, None)
 
         self.update(sid, revoked=True)
 

src/oidcendpoint/token_handler.py

@@ -69,11 +69,10 @@ def decrypt(self, ciphertext):
 
 
 class Token(object):
-    def __init__(self, typ, black_list=None, lifetime=300, **kwargs):
+    def __init__(self, typ, lifetime=300, **kwargs):
         self.type = typ
         self.lifetime = lifetime
         self.args = kwargs
-        self.blist = [] if black_list is None else black_list
 
     def __call__(self, sid, *args, **kwargs):
         """
@@ -113,19 +112,12 @@ def is_expired(self, token, when=0):
     def gather_args(self, *args, **kwargs):
         return {}
 
-    def black_list(self, token):
-        if token:
-            self.blist.append(token)
-
-    def is_black_listed(self, token):
-        return token in self.blist
-
 
 class DefaultToken(Token):
     def __init__(
-        self, password, typ="", black_list=None, token_type="Bearer", **kwargs
+        self, password, typ="", token_type="Bearer", **kwargs
     ):
-        Token.__init__(self, typ, black_list, **kwargs)
+        Token.__init__(self, typ, **kwargs)
         self.crypt = Crypt(password)
         self.token_type = token_type
 
@@ -189,7 +181,6 @@ def info(self, token):
             raise WrongTokenType(_res["type"])
         else:
             _res["handler"] = self
-            _res["black_listed"] = self.is_black_listed(token)
             return _res
 
     def is_expired(self, token, when=0):
@@ -239,10 +230,6 @@ def sid(self, token, order=None):
     def type(self, token, order=None):
         return self.info(token, order)["type"]
 
-    def is_black_listed(self, token, order=None):
-        _handler = self.get_handler(token, order)
-        return _handler.is_black_listed(token)
-
     def get_handler(self, token, order=None):
         if order is None:
             order = self.handler_order
@@ -257,10 +244,6 @@ def get_handler(self, token, order=None):
 
         return None
 
-    def black_list(self, token, order=None):
-        _handler = self.get_handler(token, order)
-        _handler.black_list(token)
-
     def keys(self):
         return self.handler.keys()
 

tests/test_04_token_handler.py

@@ -83,10 +83,8 @@ def test_default_token_info(self):
             "sid",
             "exp",
             "handler",
-            "black_listed",
         }
         assert _info["handler"] == self.th
-        assert _info["black_listed"] is False
 
     def test_is_expired(self):
         _token = self.th("another_id")
@@ -95,14 +93,6 @@ def test_is_expired(self):
         when = time.time() + 900
         assert self.th.is_expired(_token, when)
 
-    def test_blacklist(self):
-        _token = self.th("another_id")
-        self.th.black_list(_token)
-        assert self.th.is_black_listed(_token)
-
-        _info = self.th.info(_token)
-        assert _info["black_listed"] is True
-
 
 class TestTokenHandler(object):
     @pytest.fixture(autouse=True)
@@ -160,11 +150,5 @@ def test_get_handler(self):
         th = self.handler.get_handler(_token)
         assert th.type == "A"
 
-    def test_blacklist(self):
-        _token = self.handler["code"]("another_id")
-        self.handler.black_list(_token)
-        _info = self.handler.info(_token)
-        assert _info["black_listed"]
-
     def test_keys(self):
         assert set(self.handler.keys()) == {"access_token", "code", "refresh_token"}