Merge pull request #27 from IdentityPython/develop

Merging develop into master

Author: rohe

.travis.yml

@@ -9,7 +9,8 @@ python:
 addons:
   apt:
     packages:
-    -
+      - rustc
+      - cargo
 install:
 - pip install codecov
 - pip install isort

Makefile

@@ -40,10 +40,10 @@ test:
 .PHONY: test
 
 isort:
-	@pipenv run isort --recursive $(OICDIR) $(TESTDIR)
+	@pipenv run isort $(OICDIR) $(TESTDIR)
 
 check-isort:
-	@pipenv run isort --recursive --diff --check-only $(OICDIR) $(TESTDIR)
+	@pipenv run isort --diff --check-only $(OICDIR) $(TESTDIR)
 .PHONY: isort check-isort
 
 check-pylama:

src/oidcmsg/__init__.py

@@ -1,5 +1,7 @@
 __author__ = 'Roland Hedberg'
-__version__ = '1.1.2'
+__version__ = '1.1.4'
+
+import os
 
 VERIFIED_CLAIM_PREFIX = '__verified'
 

src/oidcmsg/oidc/__init__.py

@@ -824,6 +824,11 @@ def verify(self, **kwargs):
         else:
             if (_iat + _storage_time) < (_now - _skew):
                 raise IATError('Issued too long ago')
+            elif _iat > _now + _skew:
+                raise IATError('Issued sometime in the future')
+
+        if _exp < _iat:
+            raise IATError('Expiration time can not be earlier the issued at')
 
         if 'nonce' in kwargs and 'nonce' in self:
             if kwargs['nonce'] != self['nonce']:
@@ -925,6 +930,14 @@ def verify(self, **kwargs):
         elif parts.scheme != "https":
             raise SchemeError("Not HTTPS")
 
+        # The parameter is optional
+        if "token_endpoint_auth_signing_alg_values_supported" in self and "none" in self[
+                "token_endpoint_auth_signing_alg_values_supported"]:
+            raise ValueError(
+                "The value none must not be used for "
+                "token_endpoint_auth_signing_alg_values_supported"
+            )
+
         if "RS256" not in self["id_token_signing_alg_values_supported"]:
             raise ValueError('RS256 missing from id_token_signing_alg_values_supported')
 
@@ -934,7 +947,7 @@ def verify(self, **kwargs):
             raise ValueError('Issuer ID invalid')
 
         if any("code" in rt for rt in self[
-            "response_types_supported"]) and "token_endpoint" not in self:
+                "response_types_supported"]) and "token_endpoint" not in self:
             raise MissingRequiredAttribute("token_endpoint")
 
         return True

src/oidcmsg/oidc/session.py

@@ -2,6 +2,7 @@
 
 from cryptojwt.exception import UnsupportedAlgorithm
 
+from oidcmsg.message import OPTIONAL_LIST_OF_SP_SEP_STRINGS
 from oidcmsg.time_util import utc_time_sans_frac
 
 from ..exception import MessageException
@@ -50,7 +51,8 @@ class EndSessionRequest(Message):
     c_param = {
         "id_token_hint": SINGLE_OPTIONAL_IDTOKEN,
         "post_logout_redirect_uri": SINGLE_OPTIONAL_STRING,
-        "state": SINGLE_OPTIONAL_STRING
+        "state": SINGLE_OPTIONAL_STRING,
+        "ui_locales": OPTIONAL_LIST_OF_SP_SEP_STRINGS
     }
 
     def verify(self, **kwargs):

src/oidcmsg/storage/abfile.py

@@ -87,14 +87,16 @@ def __getitem__(self, item):
         :return:
         """
         item = self.key_conv.serialize(item)
-
-        if self.is_changed(item):
-            logger.info("File content change in {}".format(item))
-            fname = os.path.join(self.fdir, item)
-            self.storage[item] = self._read_info(fname)
-
-        logger.debug('Read from "%s"', item)
-        return self.storage[item]
+        if self._is_file(item):
+            if self.is_changed(item):
+                logger.info("File content change in {}".format(item))
+                fname = os.path.join(self.fdir, item)
+                self.storage[item] = self._read_info(fname)
+
+            logger.debug('Read from "%s"', item)
+            return self.storage[item]
+        else:
+            raise KeyError(item)
 
     def __setitem__(self, key, value):
         """
@@ -163,31 +165,32 @@ def get_mtime(fname):
 
         return mtime
 
+    def _is_file(self, item):
+        fname = os.path.join(self.fdir, item)
+        return os.path.isfile(fname)
+
     def is_changed(self, item):
         """
-        Find out if this item has been modified since last
+        Find out if this item has been modified since last.
+        When I get here I know that item points to an existing file.
 
         :param item: A key
         :return: True/False
         """
         fname = os.path.join(self.fdir, item)
-        if os.path.isfile(fname):
-            mtime = self.get_mtime(fname)
+        mtime = self.get_mtime(fname)
 
-            try:
-                _ftime = self.fmtime[item]
-            except KeyError:  # Never been seen before
-                self.fmtime[item] = mtime
-                return True
-
-            if mtime > _ftime:  # has changed
-                self.fmtime[item] = mtime
-                return True
-            else:
-                return False
+        try:
+            _ftime = self.fmtime[item]
+        except KeyError:  # Never been seen before
+            self.fmtime[item] = mtime
+            return True
+
+        if mtime > _ftime:  # has changed
+            self.fmtime[item] = mtime
+            return True
         else:
-            logger.error('Could not access {}'.format(fname))
-            raise KeyError(item)
+            return False
 
     def _read_info(self, fname):
         if os.path.isfile(fname):

src/oidcmsg/storage/absqlalchemy.py

@@ -2,77 +2,54 @@
 import json
 
 import sqlalchemy as alchemy_db
+from sqlalchemy.orm import scoped_session
 from sqlalchemy.orm import sessionmaker
 
-from oidcmsg.storage.db_setup import Base
-
+PlainDict = dict
 
 class AbstractStorageSQLAlchemy:
     def __init__(self, conf_dict):
         self.engine = alchemy_db.create_engine(conf_dict['url'])
         self.connection = self.engine.connect()
-        Base.metadata.create_all(self.engine)
         self.metadata = alchemy_db.MetaData()
         self.table = alchemy_db.Table(conf_dict['params']['table'],
                                       self.metadata, autoload=True,
                                       autoload_with=self.engine)
         Session = sessionmaker(bind=self.engine)
-        self.session = Session()
+        self.session = scoped_session(Session)
 
     def get(self, k):
-        entries = self.session.query(self.table).filter_by(owner=k).all()
-        result = self._data_from_db(entries)
-        return result
-
-    def _data_from_db(self, entries):
-        result = []
-        for entry in entries:
-            try:
-                data = json.loads(entry.data)
-                if isinstance(data, list):
-                    result.extend(data)
-                else:
-                    result.append(data)
-            except:
-                result.append(entry.data)
-        return result
-
-    def _data_to_db(self, v):
-        if isinstance(v, dict) or isinstance(v, list):
-            value = json.dumps(v)
-        else:
-            value = v
-        return value
+        entry = self.session.query(self.table).filter_by(owner=k).first()
+        if entry is None:
+            return None
+        return entry.data
 
     def set(self, k, v):
-        value = self._data_to_db(v)
+        self.delete(k)
         ins = self.table.insert().values(owner=k,
-                                         data=value)
+                                         data=v)
         self.session.execute(ins)
         self.session.commit()
         return 1
 
-    def update(self, k, v, col_match='owner', col_value='data'):
+    def update(self, k, v):
         """
             k = value_to_match
             v = value_to_be_substituted
         """
-        value = self._data_to_db(v)
-        table_column = getattr(self.table.c, col_match)
         upquery = self.table.update(). \
-            where(table_column == k). \
-            values(**{col_value: value})
+            where(self.table.c.owner == k). \
+            values(**{'data': v})
         self.session.execute(upquery)
         self.session.commit()
         return 1
 
-    def delete(self, v, k='owner'):
+    def delete(self, v):
         """
         return the count of deleted objects
         """
-        table_column = getattr(self.table.c, k)
-        delquery = self.table.delete().where(table_column == v)
-        n_entries = self.session.query(self.table).filter(table_column == v).count()
+        delquery = self.table.delete().where(self.table.c.owner == v)
+        n_entries = self.session.query(self.table).filter(self.table.c.owner == v).count()
         self.session.execute(delquery)
         return n_entries
 
@@ -108,3 +85,6 @@ def flush(self):
         except:
             self.session.rollback()
             self.session.flush()
+
+    def __setitem__(self, k, v):
+        return self.set(k, v)

tests/test_06_oidc.py

@@ -35,6 +35,8 @@
 from oidcmsg.oidc import CHashError
 from oidcmsg.oidc import Claims
 from oidcmsg.oidc import DiscoveryRequest
+from oidcmsg.oidc import EXPError
+from oidcmsg.oidc import IATError
 from oidcmsg.oidc import IdToken
 from oidcmsg.oidc import Link
 from oidcmsg.oidc import OpenIDSchema
@@ -929,6 +931,68 @@ def test_id_token():
     idt.verify()
 
 
+def test_id_token_expired():
+    _now = time_util.utc_time_sans_frac()
+
+    idt = IdToken(**{
+        "sub": "553df2bcf909104751cfd8b2",
+        "aud": [
+            "5542958437706128204e0000",
+            "554295ce3770612820620000"
+        ],
+        "auth_time": 1441364872,
+        "azp": "554295ce3770612820620000",
+        "at_hash": "L4Ign7TCAD_EppRbHAuCyw",
+        "iat": _now - 200,
+        "exp": _now - 100,
+        "iss": "https://sso.qa.7pass.ctf.prosiebensat1.com"
+    })
+
+    with pytest.raises(EXPError):
+        idt.verify()
+
+
+def test_id_token_iat_in_the_future():
+    _now = time_util.utc_time_sans_frac()
+
+    idt = IdToken(**{
+        "sub": "553df2bcf909104751cfd8b2",
+        "aud": [
+            "5542958437706128204e0000",
+            "554295ce3770612820620000"
+        ],
+        "auth_time": 1441364872,
+        "azp": "554295ce3770612820620000",
+        "at_hash": "L4Ign7TCAD_EppRbHAuCyw",
+        "iat": _now + 600,
+        "exp": _now + 1200,
+        "iss": "https://sso.qa.7pass.ctf.prosiebensat1.com"
+    })
+
+    with pytest.raises(IATError):
+        idt.verify()
+
+
+def test_id_token_exp_before_iat():
+    _now = time_util.utc_time_sans_frac()
+
+    idt = IdToken(**{
+        "sub": "553df2bcf909104751cfd8b2",
+        "aud": [
+            "5542958437706128204e0000",
+            "554295ce3770612820620000"
+        ],
+        "auth_time": 1441364872,
+        "azp": "554295ce3770612820620000",
+        "at_hash": "L4Ign7TCAD_EppRbHAuCyw",
+        "iat": _now + 50,
+        "exp": _now,
+        "iss": "https://sso.qa.7pass.ctf.prosiebensat1.com"
+    })
+
+    with pytest.raises(IATError):
+        idt.verify(skew=100)
+
 class TestAccessTokenRequest(object):
     def test_example(self):
         _txt = 'grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA' \

tox.ini

@@ -4,7 +4,7 @@ envlist = py{36,37,38},docs,quality
 [testenv]
 passenv = CI TRAVIS TRAVIS_*
 commands =
-    py.test --cov-report= --cov=oicmsg tests/ -m "not network" {posargs}
+    py.test --cov-report= --cov=oidcmsg tests/ -m "not network" {posargs}
     codecov
 extras = testing
 deps =
@@ -20,7 +20,7 @@ commands = sphinx-build -b html doc/ doc/_build/html -W
 ignore_errors = True
 extras = quality
 commands =
-    isort --recursive --diff --check-only src/ tests/
+    isort --diff --check-only src/ tests/
     pylama src/ tests/
 
 [pep8]