Merge pull request #145 from IdentityPython/develop

peppelinux · web-flow · commit ff3ce22d7c24 · 2021-10-27T11:24:54.000+02:00
v2.2.1
diff --git a/docs/source/contents/conf.rst b/docs/source/contents/conf.rst
@@ -571,7 +571,7 @@ An example::
                 "phone_number",
                 "phone_number_verified"
               ],
-              "add_claim_by_scope": true,
+              "add_claims_by_scope": true,
               "aud": ["https://example.org/appl"]
            }
         },
diff --git a/example/flask_op/config.json b/example/flask_op/config.json
@@ -311,7 +311,7 @@
               "phone_number",
               "phone_number_verified"
             ],
-            "add_claim_by_scope": true,
+            "add_claims_by_scope": true,
             "aud": [
               "https://example.org/appl"
             ]
diff --git a/example/flask_op/config.yaml b/example/flask_op/config.yaml
@@ -88,7 +88,7 @@ op:
           - email_verified
           - phone_number
           - phone_number_verified
-        add_claim_by_scope: True
+        add_claims_by_scope: True
         aud:
           - https://example.org/appl
       refresh:
diff --git a/src/oidcop/__init__.py b/src/oidcop/__init__.py
@@ -1,6 +1,6 @@
 import secrets
 
-__version__ = "2.2.0"
+__version__ = "2.2.1"
 
 DEF_SIGN_ALG = {
     "id_token": "RS256",
diff --git a/src/oidcop/configure.py b/src/oidcop/configure.py
@@ -13,6 +13,9 @@
 from oidcop.scopes import SCOPE2CLAIMS
 from oidcop.utils import load_yaml_config
 
+logger = logging.getLogger(__name__)
+
+
 DEFAULT_FILE_ATTRIBUTE_NAMES = [
     "server_key",
     "server_cert",
@@ -84,7 +87,8 @@
 
 AS_DEFAULT_CONFIG = copy.deepcopy(OP_DEFAULT_CONFIG)
 AS_DEFAULT_CONFIG["claims_interface"] = {
-    "class": "oidcop.session.claims.OAuth2ClaimsInterface", "kwargs": {}}
+    "class": "oidcop.session.claims.OAuth2ClaimsInterface", "kwargs": {}
+}
 
 
 def add_base_path(conf: Union[dict, str], base_path: str, file_attributes: List[str]):
@@ -203,12 +207,10 @@ class EntityConfiguration(Base):
         "httpc_params": {},
         "issuer": "",
         "keys": None,
-        "session_key": None,
+        "session_params": None,
         "template_dir": None,
         "token_handler_args": {},
         "userinfo": None,
-        "password": None,
-        "salt": None,
     }
 
     def __init__(
@@ -243,6 +245,15 @@ def __init__(
                 else:
                     continue
 
+            if key not in DEFAULT_EXTENDED_CONF:
+                logger.warning(
+                    f"{key} not seems to be a valid configuration parameter"
+                )
+            elif not _val:
+                logger.warning(
+                        f"{key} not configured, using default configuration values"
+                    )
+
             if key == "template_dir":
                 _val = os.path.abspath(_val)
 
@@ -585,4 +596,23 @@ def __init__(
         },
     },
     "userinfo": {"class": "oidcop.user_info.UserInfo", "kwargs": {"db_file": "users.json"}, },
+    "scopes_to_claims": SCOPE2CLAIMS,
+    "session_params": {
+      "password": "ses_key",
+      "salt": "ses_salt",
+      "sub_func": {
+        "public": {
+          "class": "oidcop.session.manager.PublicID",
+          "kwargs": {
+            "salt": "mysalt"
+          }
+        },
+        "pairwise": {
+          "class": "oidcop.session.manager.PairWiseID",
+          "kwargs": {
+            "salt": "mysalt"
+          }
+        }
+     }
+    },
 }
diff --git a/tests/op_config.json b/tests/op_config.json
@@ -269,19 +269,19 @@
     }
   },
   "session_params": {
-      "password": "__password_used_to_encrypt_access_token_sid_value",
-      "salt": "salt involved in session sub hash ",
+      "password": "ses_key",
+      "salt": "ses_salt",
       "sub_func": {
         "public": {
           "class": "oidcop.session.manager.PublicID",
           "kwargs": {
-            "salt": "sdfsdfdsf"
+            "salt": "mysalt"
           }
         },
         "pairwise": {
           "class": "oidcop.session.manager.PairWiseID",
           "kwargs": {
-            "salt": "sdfsdfsdf"
+            "salt": "mysalt"
           }
         }
      }
@@ -325,7 +325,7 @@
           "phone_number",
           "phone_number_verified"
         ],
-        "add_claim_by_scope": true,
+        "add_claims_by_scope": true,
         "aud": [
           "https://example.org/appl"
         ]
diff --git a/tests/op_config_defaults.py b/tests/op_config_defaults.py
@@ -133,7 +133,7 @@
             "kwargs": {
                 "lifetime": 3600,
                 "add_claims": ["email", "email_verified", "phone_number", "phone_number_verified",],
-                "add_claim_by_scope": True,
+                "add_claims_by_scope": True,
                 "aud": ["https://example.org/appl"],
             },
         },
diff --git a/tests/srv_config.yaml b/tests/srv_config.yaml
@@ -96,7 +96,7 @@ op:
           - email_verified
           - phone_number
           - phone_number_verified
-        add_claim_by_scope: True
+        add_claims_by_scope: True
         aud:
           - https://example.org/appl
       refresh:
diff --git a/tests/test_00_configure.py b/tests/test_00_configure.py
@@ -37,6 +37,8 @@ def test_op_configure():
     args = dict(configuration.items())
     assert "add_on" in args
 
+    assert "session_params" in configuration
+
 
 def test_op_configure_from_file():
     configuration = create_from_config_file(
diff --git a/tests/test_00_server.py b/tests/test_00_server.py
@@ -36,8 +36,7 @@ def full_path(local_file):
 
 CONF = {
     "issuer": "https://example.com/",
-    "password": "mycket hemligt",
-    "verify_ssl": False,
+    "httpc_params": {"verify": False, "timeout": 1},
     "capabilities": {},
     "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS, "read_only": True},
     "endpoint": {
diff --git a/tests/test_01_util.py b/tests/test_01_util.py
@@ -12,11 +12,10 @@
 
 conf = {
     "issuer": "https://example.com/",
-    "password": "mycket hemligt",
+    "httpc_params": {"verify": False, "timeout": 1},
     "token_expires_in": 600,
     "grant_expires_in": 300,
     "refresh_token_expires_in": 86400,
-    "verify_ssl": False,
     "capabilities": {},
     "jwks_uri": "https://example.com/jwks.json",
     "keys": {"private_path": "own/jwks.json", "key_defs": KEYDEFS, "uri_path": "static/jwks.json",},
diff --git a/tests/test_02_client_authn.py b/tests/test_02_client_authn.py
@@ -36,9 +36,10 @@
 
 CONF = {
     "issuer": "https://example.com/",
-    "password": "mycket hemligt",
     "grant_expires_in": 300,
-    "verify_ssl": False,
+    "httpc_params": {
+        "verify": False
+    },
     "endpoint": {
         "token": {
             "path": "token",
diff --git a/tests/test_05_id_token.py b/tests/test_05_id_token.py
@@ -64,8 +64,7 @@ def full_path(local_file):
 
 conf = {
     "issuer": "https://example.com/",
-    "password": "mycket hemligt",
-    "verify_ssl": False,
+    "httpc_params": {"verify": False, "timeout": 1},
     "keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
     "token_handler_args": {
         "jwks_def": {
diff --git a/tests/test_05_jwt_token.py b/tests/test_05_jwt_token.py
@@ -99,8 +99,7 @@ class TestEndpoint(object):
     def create_endpoint(self):
         conf = {
             "issuer": ISSUER,
-            "password": "mycket hemligt",
-            "verify_ssl": False,
+            "httpc_params": {"verify": False, "timeout": 1},
             "capabilities": CAPABILITIES,
             "keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS},
             "token_handler_args": {
diff --git a/tests/test_06_session_manager.py b/tests/test_06_session_manager.py
@@ -37,11 +37,10 @@ class TestSessionManager:
     def create_session_manager(self):
         conf = {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
+            "httpc_params": {"verify": False, "timeout": 1},
             "token_expires_in": 600,
             "grant_expires_in": 300,
             "refresh_token_expires_in": 86400,
-            "verify_ssl": False,
             "keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
             "jwks_uri": "https://example.com/jwks.json",
             "token_handler_args": {
@@ -56,7 +55,7 @@ def create_session_manager(self):
                     "kwargs": {
                         "lifetime": 3600,
                         "add_claims": True,
-                        "add_claim_by_scope": True,
+                        "add_claims_by_scope": True,
                         "aud": ["https://example.org/appl"],
                     },
                 },
@@ -73,6 +72,10 @@ def create_session_manager(self):
                 },
                 "token_endpoint": {"path": "{}/token", "class": Token, "kwargs": {}},
             },
+            "session_params": {
+              "password": "ses_key",
+              "salt": "ses_salt"
+            },
             "template_dir": "template",
             "claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
             "userinfo": {
@@ -104,6 +107,11 @@ def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
             ae, authz_req, USER_ID, client_id=client_id, sub_type=sub_type
         )
 
+    def test_session_manager_salt_key(self):
+        sman = self.session_manager
+        assert sman.key == "ses_key"
+        assert sman.salt == "ses_salt"
+
     @pytest.mark.parametrize(
         "sub_type, sector_identifier",
         [("pairwise", "https://all.example.com"), ("public", ""), ("ephemeral", "")],
diff --git a/tests/test_08_session_life.py b/tests/test_08_session_life.py
@@ -30,11 +30,10 @@ def setup_token_handler(self):
         password = "The longer the better. Is this close to enough ?"
         conf = {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
+            "httpc_params": {"verify": False, "timeout": 1},
             "token_expires_in": 600,
             "grant_expires_in": 300,
             "refresh_token_expires_in": 86400,
-            "verify_ssl": False,
             "keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
             "jwks_uri": "https://example.com/jwks.json",
             "token_handler_args": {
@@ -249,11 +248,10 @@ class TestSessionJWTToken:
     def setup_session_manager(self):
         conf = {
             "issuer": ISSUER,
-            "password": "mycket hemligt",
+            "httpc_params": {"verify": False, "timeout": 1},
             "token_expires_in": 600,
             "grant_expires_in": 300,
             "refresh_token_expires_in": 86400,
-            "verify_ssl": False,
             "capabilities": CAPABILITIES,
             "keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS},
             "token_handler_args": {
@@ -269,7 +267,7 @@ def setup_session_manager(self):
                             "phone_number",
                             "phone_number_verified",
                         ],
-                        "add_claim_by_scope": True,
+                        "add_claims_by_scope": True,
                         "aud": ["https://example.org/appl"],
                     },
                 },
diff --git a/tests/test_09_cookie_handler.py b/tests/test_09_cookie_handler.py
@@ -249,7 +249,7 @@ def test_compute_session_state():
 #
 # conf = {
 #     "issuer": "https://example.com/",
-#     "password": "mycket hemligt",
+#     "httpc_params": {"verify": False, "timeout": 1},
 #     "token_expires_in": 600,
 #     "grant_expires_in": 300,
 #     "refresh_token_expires_in": 86400,
diff --git a/tests/test_12_user_authn.py b/tests/test_12_user_authn.py
@@ -30,9 +30,8 @@ class TestUserAuthn(object):
     def create_endpoint_context(self):
         conf = {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
+            "httpc_params": {"verify": False, "timeout": 1},
             "grant_expires_in": 300,
-            "verify_ssl": False,
             "endpoint": {
                 "authorization": {
                     "path": "{}/authorization",
diff --git a/tests/test_20_endpoint.py b/tests/test_20_endpoint.py
@@ -43,11 +43,10 @@ class TestEndpoint(object):
     def create_endpoint(self):
         conf = {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
+            "httpc_params": {"verify": False, "timeout": 1},
             "token_expires_in": 600,
             "grant_expires_in": 300,
             "refresh_token_expires_in": 86400,
-            "verify_ssl": False,
             "endpoint": {"endpoint": {"path": "endpoint", "class": Endpoint, "kwargs": {}},},
             "keys": {
                 "public_path": "jwks.json",
diff --git a/tests/test_21_oidc_discovery_endpoint.py b/tests/test_21_oidc_discovery_endpoint.py
@@ -21,11 +21,10 @@ class TestEndpoint(object):
     def create_endpoint(self):
         conf = {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
             "token_expires_in": 600,
             "grant_expires_in": 300,
             "refresh_token_expires_in": 86400,
-            "verify_ssl": False,
+            "httpc_params": {"verify": False, "timeout": 1},
             "endpoint": {
                 "webfinger": {
                     "path": ".well-known/webfinger",
diff --git a/tests/test_22_oidc_provider_config_endpoint.py b/tests/test_22_oidc_provider_config_endpoint.py
@@ -54,8 +54,9 @@ class TestEndpoint(object):
     def conf(self):
         return {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
-            "verify_ssl": False,
+            "httpc_params": {
+              "verify": False
+            },
             "capabilities": CAPABILITIES,
             "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
             "endpoint": {
diff --git a/tests/test_23_oidc_registration_endpoint.py b/tests/test_23_oidc_registration_endpoint.py
@@ -76,8 +76,7 @@ class TestEndpoint(object):
     def create_endpoint(self):
         conf = {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
-            "verify_ssl": False,
+            "httpc_params": {"verify": False, "timeout": 1},
             "capabilities": {
                 "subject_types_supported": ["public", "pairwise", "ephemeral"],
                 "grant_types_supported": [
diff --git a/tests/test_24_oauth2_token_endpoint.py b/tests/test_24_oauth2_token_endpoint.py
@@ -80,8 +80,9 @@ def full_path(local_file):
 def conf():
     return {
         "issuer": "https://example.com/",
-        "password": "mycket hemligt",
-        "verify_ssl": False,
+        "httpc_params": {
+        "verify": False
+        },
         "capabilities": CAPABILITIES,
         "keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS},
         "token_handler_args": {
diff --git a/tests/test_24_oidc_authorization_endpoint.py b/tests/test_24_oidc_authorization_endpoint.py
@@ -1226,11 +1226,11 @@ class TestUserAuthn(object):
     def create_endpoint_context(self):
         conf = {
             "issuer": "https://example.com/",
-            "password": "mycket hemligt",
+            "httpc_params": {"verify": False, "timeout": 1},
             "token_expires_in": 600,
             "grant_expires_in": 300,
             "refresh_token_expires_in": 86400,
-            "verify_ssl": False,
+            "httpc_params": {"verify": False, "timeout": 1},
             "endpoint": {
                 "authorization": {
                     "path": "{}/authorization",
diff --git a/tests/test_26_oidc_userinfo_endpoint.py b/tests/test_26_oidc_userinfo_endpoint.py
diff --git a/tests/test_31_oauth2_introspection.py b/tests/test_31_oauth2_introspection.py
diff --git a/tests/test_32_oidc_read_registration.py b/tests/test_32_oidc_read_registration.py
diff --git a/tests/test_34_oidc_sso.py b/tests/test_34_oidc_sso.py
diff --git a/tests/test_35_oidc_token_endpoint.py b/tests/test_35_oidc_token_endpoint.py
diff --git a/tests/test_36_oauth2_token_exchange.py b/tests/test_36_oauth2_token_exchange.py
diff --git a/tests/test_40_oauth2_pushed_authorization.py b/tests/test_40_oauth2_pushed_authorization.py
diff --git a/tests/test_50_persistence.py b/tests/test_50_persistence.py
diff --git a/tests/test_60_dpop.py b/tests/test_60_dpop.py

Original file line number	Diff line number	Diff line change
`@@ -571,7 +571,7 @@ An example::`
`571`	`571`	`"phone_number",`
`572`	`572`	`"phone_number_verified"`
`573`	`573`	`],`
`574`		`- "add_claim_by_scope": true,`
	`574`	`+ "add_claims_by_scope": true,`
`575`	`575`	`"aud": ["https://example.org/appl"]`
`576`	`576`	`}`
`577`	`577`	`},`
Original file line number	Diff line number	Diff line change
`@@ -311,7 +311,7 @@`
`311`	`311`	`"phone_number",`
`312`	`312`	`"phone_number_verified"`
`313`	`313`	`],`
`314`		`- "add_claim_by_scope": true,`
	`314`	`+ "add_claims_by_scope": true,`
`315`	`315`	`"aud": [`
`316`	`316`	`"https://example.org/appl"`
`317`	`317`	`]`
Original file line number	Diff line number	Diff line change
`@@ -269,19 +269,19 @@`
`269`	`269`	`}`
`270`	`270`	`},`
`271`	`271`	`"session_params": {`
`272`		`- "password": "__password_used_to_encrypt_access_token_sid_value",`
`273`		`- "salt": "salt involved in session sub hash ",`
	`272`	`+ "password": "ses_key",`
	`273`	`+ "salt": "ses_salt",`
`274`	`274`	`"sub_func": {`
`275`	`275`	`"public": {`
`276`	`276`	`"class": "oidcop.session.manager.PublicID",`
`277`	`277`	`"kwargs": {`
`278`		`- "salt": "sdfsdfdsf"`
	`278`	`+ "salt": "mysalt"`
`279`	`279`	`}`
`280`	`280`	`},`
`281`	`281`	`"pairwise": {`
`282`	`282`	`"class": "oidcop.session.manager.PairWiseID",`
`283`	`283`	`"kwargs": {`
`284`		`- "salt": "sdfsdfsdf"`
	`284`	`+ "salt": "mysalt"`
`285`	`285`	`}`
`286`	`286`	`}`
`287`	`287`	`}`
`@@ -325,7 +325,7 @@`
`325`	`325`	`"phone_number",`
`326`	`326`	`"phone_number_verified"`
`327`	`327`	`],`
`328`		`- "add_claim_by_scope": true,`
	`328`	`+ "add_claims_by_scope": true,`
`329`	`329`	`"aud": [`
`330`	`330`	`"https://example.org/appl"`
`331`	`331`	`]`