| 37 |
37 |
|
| 38 |
38 |
from django_rbac.utils import get_ou_model
|
| 39 |
39 |
|
| 40 |
|
from authentic2_auth_oidc.utils import (parse_id_token, IDToken, get_providers,
|
| 41 |
|
has_providers, register_issuer, IDTokenError)
|
|
40 |
from authentic2_auth_oidc.utils import (
|
|
41 |
parse_id_token, IDToken, get_providers, has_providers, register_issuer,
|
|
42 |
IDTokenError)
|
| 42 |
43 |
from authentic2_auth_oidc.models import OIDCProvider, OIDCClaimMapping
|
| 43 |
44 |
from authentic2.models import AttributeValue
|
| 44 |
45 |
from authentic2.utils import timestamp_from_datetime, last_authentication_event
|
| ... | ... | |
| 195 |
196 |
key = oidc_provider.jwkset.get_key(kid='1e9gdk7')
|
| 196 |
197 |
header_decoded = header_rsa_decoded
|
| 197 |
198 |
elif oidc_provider.idtoken_algo == OIDCProvider.ALGO_HMAC:
|
| 198 |
|
key = JWK(kty='oct', k=base64url_encode(
|
| 199 |
|
oidc_provider.client_secret.encode('utf-8')))
|
|
199 |
key = JWK(kty='oct',
|
|
200 |
k=base64url_encode(
|
|
201 |
oidc_provider.client_secret.encode('utf-8')))
|
| 200 |
202 |
header_decoded = header_hmac_decoded
|
| 201 |
203 |
jws = JWS(payload=json_encode(payload_decoded))
|
| 202 |
204 |
jws.add_signature(key=key, protected=header_decoded)
|
| ... | ... | |
| 397 |
399 |
with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
|
| 398 |
400 |
response = app.get(login_callback_url, params={'code': code, 'state': query['state']})
|
| 399 |
401 |
assert len(hooks.auth_oidc_backend_modify_user) == 1
|
| 400 |
|
assert set(hooks.auth_oidc_backend_modify_user[0]['kwargs']) >= set(['user', 'provider', 'user_info', 'id_token', 'access_token'])
|
|
402 |
assert set(hooks.auth_oidc_backend_modify_user[0]['kwargs']) >= set(
|
|
403 |
['user', 'provider', 'user_info', 'id_token', 'access_token'])
|
| 401 |
404 |
assert urlparse.urlparse(response['Location']).path == '/admin/'
|
| 402 |
405 |
assert User.objects.count() == 1
|
| 403 |
406 |
user = User.objects.get()
|
| ... | ... | |
| 526 |
529 |
return oidc_provider_jwkset.export()
|
| 527 |
530 |
|
| 528 |
531 |
with HTTMock(jwks_mock):
|
| 529 |
|
provider = register_issuer(
|
| 530 |
|
name='test_issuer',
|
| 531 |
|
issuer='https://default.issuer',
|
| 532 |
|
openid_configuration=oidc_conf)
|
|
532 |
register_issuer(
|
|
533 |
name='test_issuer',
|
|
534 |
issuer='https://default.issuer',
|
|
535 |
openid_configuration=oidc_conf)
|
| 533 |
536 |
|
| 534 |
537 |
oidc_conf['id_token_signing_alg_values_supported'] = ['HS256']
|
| 535 |
538 |
with HTTMock(jwks_mock):
|
| 536 |
|
provider = register_issuer(
|
| 537 |
|
name='test_issuer_hmac_only',
|
| 538 |
|
issuer='https://hmac_only.issuer',
|
| 539 |
|
openid_configuration=oidc_conf)
|
|
539 |
register_issuer(
|
|
540 |
name='test_issuer_hmac_only',
|
|
541 |
issuer='https://hmac_only.issuer',
|
|
542 |
openid_configuration=oidc_conf)
|
| 540 |
543 |
|
| 541 |
544 |
|
| 542 |
545 |
def test_required_keys(db, oidc_provider, header, signature, caplog):
|
| ... | ... | |
| 544 |
547 |
'sub': '248289761001',
|
| 545 |
548 |
'iss': 'http://server.example.com',
|
| 546 |
549 |
'iat': 1311280970,
|
| 547 |
|
'exp': 1311281970, # Missing 'aud' and 'nonce' required claims
|
| 548 |
|
'extra_stuff': 'hi there', # Wrong claim
|
|
550 |
'exp': 1311281970, # Missing 'aud' and 'nonce' required claims
|
|
551 |
'extra_stuff': 'hi there', # Wrong claim
|
| 549 |
552 |
}))
|
| 550 |
553 |
|
| 551 |
554 |
with pytest.raises(IDTokenError):
|
| 552 |
|
-
|