Added httpc_params.

rohe · rohe · commit 3a677897ef4d · 2020-02-11T12:09:31.000+01:00
diff --git a/flask_rp/application.py b/flask_rp/application.py
@@ -12,31 +12,38 @@
 
 
 def init_oidc_rp_handler(app):
-    rp_keys_conf = app.config.get('RP_KEYS')
-    if rp_keys_conf is None:
-        rp_keys_conf = app.config.get('OIDC_KEYS')
-
     verify_ssl = app.config.get('VERIFY_SSL')
+    httpc_params = {"verify": verify_ssl}
+
+    _cert = app.config.get("CLIENT_CERT")
+    _key = app.config.get("CLIENT_KEY")
+    if _cert and _key:
+        httpc_params["cert"] = (_cert, _key)
+    elif _cert:
+        httpc_params["cert"] = _cert
+
     hash_seed = app.config.get('HASH_SEED')
     if not hash_seed:
         hash_seed = "BabyHoldOn"
 
+    rp_keys_conf = app.config.get('RP_KEYS')
+    if rp_keys_conf is None:
+        rp_keys_conf = app.config.get('OIDC_KEYS')
+
     if rp_keys_conf:
         _kj = init_key_jar(**rp_keys_conf)
         _path = rp_keys_conf['public_path']
-        # replaces ./ and / from the begin of the string
+        # removes ./ and / from the begin of the string
         _path = re.sub('^(.)/', '', _path)
     else:
         _kj = KeyJar()
         _path = ''
-    _kj.verify_ssl = verify_ssl
+    _kj.httpc_params = httpc_params
 
     rph = RPHandler(base_url=app.config.get('BASEURL'),
-                    hash_seed=hash_seed,
-                    keyjar=_kj, jwks_path=_path,
+                    hash_seed=hash_seed, keyjar=_kj, jwks_path=_path,
                     client_configs=app.config.get('CLIENTS'),
-                    services=app.config.get('SERVICES'),
-                    verify_ssl=verify_ssl)
+                    services=app.config.get('SERVICES'), httpc_params=httpc_params)
 
     return rph
 
diff --git a/flask_rp/conf.yaml b/flask_rp/conf.yaml
@@ -5,10 +5,16 @@ BASEURL: "https://127.0.0.1:8090"
 SERVER_CERT: "certs/cert.pem"
 SERVER_KEY: "certs/key.pem"
 CA_BUNDLE: ''
+# If you want the clients cert to be verified
+#VERIFY_USER: optional
 
 # This is just for testing an local usage. In all other cases it MUST be True
 VERIFY_SSL: false
 
+# Client side
+#CLIENT_CERT: "certs/client.crt"
+#CLIENT_KEY: "certs/client.key"
+
 KEYDEFS: &keydef
   -
     "type": "RSA"
@@ -63,12 +69,13 @@ SERVICES: &id002
     kwargs: {}
 
 CLIENTS:
+  "":
+    client_preferences: *id001
+    redirect_uris: None
+    services: *id002
   flop:
     client_preferences: *id001
     issuer: https://127.0.0.1:5000/
-    # keys:
-      # url:
-        # 'https://127.0.0.1:5000' : https://127.0.0.1:5000/static/jwks.json
     jwks_uri: https://127.0.0.1:8090/static/jwks.json
     redirect_uris: ['https://127.0.0.1:8090/authz_cb/flop']
     services: *id002
@@ -79,5 +86,6 @@ CLIENTS:
           code_challenge_length: 64
           code_challenge_method: S256
 
+
 # Whether an attempt to fetch the userinfo should be made
 USERINFO: true
diff --git a/src/oidcrp/__init__.py b/src/oidcrp/__init__.py
@@ -114,10 +114,11 @@ def dynamic_provider_info_discovery(client):
 class RPHandler(object):
     def __init__(self, base_url='', hash_seed="", keyjar=None, verify_ssl=True,
                  services=None, client_configs=None, client_authn_factory=None,
-                 client_cls=None, state_db=None, http_lib=None, **kwargs):
+                 client_cls=None, state_db=None, http_lib=None, httpc_params=None,
+                 **kwargs):
+
         self.base_url = base_url
         self.hash_seed = as_bytes(hash_seed)
-        self.verify_ssl = verify_ssl
         self.keyjar = keyjar
 
         if state_db:
@@ -143,6 +144,13 @@ def __init__(self, base_url='', hash_seed="", keyjar=None, verify_ssl=True,
         self.issuer2rp = {}
         self.hash2issuer = {}
         self.httplib = http_lib
+        if not httpc_params:
+            self.httpc_params = {'verify': verify_ssl}
+        else:
+            self.httpc_params = httpc_params
+
+        if not self.keyjar.httpc_params:
+            self.keyjar.httpc_params = self.httpc_params
 
     def state2issuer(self, state):
         """
@@ -192,10 +200,9 @@ def init_client(self, issuer):
 
         try:
             client = self.client_cls(
-                state_db=self.state_db,
-                client_authn_factory=self.client_authn_factory,
-                verify_ssl=self.verify_ssl, services=_services,
-                config=_cnf, httplib=self.httplib)
+                state_db=self.state_db, client_authn_factory=self.client_authn_factory,
+                services=_services, config=_cnf, httplib=self.httplib,
+                httpc_params=self.httpc_params)
         except Exception as err:
             logger.error('Failed initiating client: {}'.format(err))
             message = traceback.format_exception(*sys.exc_info())
diff --git a/src/oidcrp/http.py b/src/oidcrp/http.py
@@ -17,48 +17,21 @@
 
 
 class HTTPLib(object):
-    def __init__(self, ca_certs=None, verify_ssl=True, client_cert=None):
+    def __init__(self, httpc_params=None):
         """
         A base class for OAuth2 clients and servers
 
-        :param ca_certs: the path to a CA_BUNDLE file or directory with
-            certificates of trusted CAs
-        :param verify_ssl: If True then the server SSL certificate is not
-            verfied
-        :param client_cert: local cert to use as client side certificate, as a
-            single file (containing the private key and the certificate) or as
-            a tuple of both file's path
+        :param httpc_params: Default arguments to be used for HTTP requests
         """
 
         self.request_args = {"allow_redirects": False}
+        if httpc_params:
+            self.request_args.update(httpc_params)
 
         self.cookiejar = FileCookieJar()
-        self.ca_certs = ca_certs
-
-        if ca_certs:
-            if verify_ssl is False:
-                raise ValueError(
-                    'conflict: ca_certs defined, but verify_ssl is False')
-
-            # Instruct requests to verify certificate against the CA cert
-            # bundle located at the path given by `ca_certs`.
-            self.request_args["verify"] = ca_certs
-
-        elif verify_ssl:
-            # Instruct requests to verify server certificates against the
-            # default CA bundle provided by 'certifi'. See
-            # http://docs.python-requests.org/en/master/user/advanced/#ca
-            # -certificates
-            self.request_args["verify"] = True
-
-        else:
-            # Instruct requests to not perform server cert verification.
-            self.request_args["verify"] = False
 
         self.events = None
         self.req_callback = None
-        if client_cert:
-            self.request_args['cert'] = client_cert
 
     def _cookies(self):
         """
diff --git a/src/oidcrp/oauth2/__init__.py b/src/oidcrp/oauth2/__init__.py
@@ -18,6 +18,8 @@
 
 __author__ = 'Roland Hedberg'
 
+from oidcrp.util import has_method
+
 logger = logging.getLogger(__name__)
 
 Version = "2.0"
@@ -31,38 +33,35 @@ class ExpiredToken(Exception):
 
 
 class Client(object):
-    def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
-                 keyjar=None, verify_ssl=True, config=None, client_cert=None,
-                 httplib=None, services=None, jwks_uri=''):
+    def __init__(self, state_db, client_authn_factory=None,
+                 keyjar=None, verify_ssl=True, config=None,
+                 httplib=None, services=None, jwks_uri='', httpc_params=None):
         """
 
-        :param ca_certs: Certificates used to verify HTTPS certificates
         :param client_authn_factory: Factory that this client can use to
             initiate a client authentication class.
         :param keyjar: A py:class:`oidcmsg.key_jar.KeyJar` instance
-        :param verify_ssl: Whether the SSL certificate should be verified.
         :param config: Configuration information passed on to the
             :py:class:`oidcservice.service_context.ServiceContext`
             initialization
-        :param client_cert: Certificate used by the HTTP client
         :param httplib: A HTTP client to use
         :param services: A list of service definitions
         :param jwks_uri: A jwks_uri
+        :param httpc_params: HTTP request arguments
         :return: Client instance
         """
 
         self.session_interface = StateInterface(state_db)
-        self.http = httplib or HTTPLib(ca_certs=ca_certs,
-                                       verify_ssl=verify_ssl,
-                                       client_cert=client_cert)
+        self.http = httplib or HTTPLib(httpc_params)
 
         if not keyjar:
             keyjar = KeyJar()
             keyjar.verify_ssl = verify_ssl
 
         self.events = None
         self.service_context = ServiceContext(keyjar, config=config,
-                                              jwks_uri=jwks_uri)
+                                              jwks_uri=jwks_uri,
+                                              httpc_params=httpc_params)
         if self.service_context.client_id:
             self.client_id = self.service_context.client_id
 
@@ -77,7 +76,6 @@ def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
             do_add_ons(config['add_ons'], self.service)
 
         self.service_context.service = self.service
-
         self.verify_ssl = verify_ssl
 
     def do_request(self, request_type, response_body_type="", request_args=None,
@@ -149,7 +147,7 @@ def service_request(self, service, url, method="GET", body=None,
         :param body: A message body if any
         :param response_body_type: The expected format of the body of the
             return message
-        :param http_args: Arguments for the HTTP client
+        :param httpc_params: Arguments for the HTTP client
         :return: A cls or ResponseMessage instance or the HTTP response
             instance if no response body was expected.
         """
@@ -159,8 +157,12 @@ def service_request(self, service, url, method="GET", body=None,
 
         logger.debug(REQUEST_INFO.format(url, method, body, headers))
 
-        response = self.get_response(service, url, method, body, response_body_type, headers,
-                                     **kwargs)
+        if has_method(service, "get_response"):
+            response = service.get_response(url, method, body, response_body_type, headers,
+                                            **kwargs)
+        else:
+            response = self.get_response(service, url, method, body, response_body_type, headers,
+                                         **kwargs)
 
         if 'error' in response:
             pass
diff --git a/src/oidcrp/oidc/__init__.py b/src/oidcrp/oidc/__init__.py
@@ -61,17 +61,15 @@ class FetchException(Exception):
 
 
 class RP(oauth2.Client):
-    def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
-                 keyjar=None, verify_ssl=True, config=None, client_cert=None,
-                 httplib=None, services=None):
+    def __init__(self, state_db, client_authn_factory=None,
+                 keyjar=None, verify_ssl=True, config=None,
+                 httplib=None, services=None, httpc_params=None):
 
         _srvs = services or DEFAULT_SERVICES
 
-        oauth2.Client.__init__(self, state_db, ca_certs,
-                               client_authn_factory=client_authn_factory,
-                               keyjar=keyjar, verify_ssl=verify_ssl,
-                               config=config, client_cert=client_cert,
-                               httplib=httplib, services=_srvs)
+        oauth2.Client.__init__(self, state_db, client_authn_factory=client_authn_factory,
+                               keyjar=keyjar, verify_ssl=verify_ssl, config=config,
+                               httplib=httplib, services=_srvs, httpc_params=httpc_params)
 
     def fetch_distributed_claims(self, userinfo, callback=None):
         """
@@ -90,20 +88,20 @@ def fetch_distributed_claims(self, userinfo, callback=None):
                 if "endpoint" in spec:
                     if "access_token" in spec:
                         cauth = BearerHeader()
-                        http_args = cauth.construct(
+                        httpc_params = cauth.construct(
                             service=self.service['userinfo'],
-                            access_token= spec['access_token'])
+                            access_token=spec['access_token'])
                         _resp = self.http.send(spec["endpoint"], 'GET',
-                                               **http_args)
+                                               **httpc_params)
                     else:
                         if callback:
                             token = callback(spec['endpoint'])
                             cauth = BearerHeader()
-                            http_args = cauth.construct(
+                            httpc_params = cauth.construct(
                                 service=self.service['userinfo'],
                                 access_token=token)
                             _resp = self.http.send(
-                                spec["endpoint"], 'GET', **http_args)
+                                spec["endpoint"], 'GET', **httpc_params)
                         else:
                             _resp = self.http.send(spec["endpoint"], 'GET')
 
