Fixed fetch_distributed_claims.

Updated to work with cryptojwt=0.4.4, oidcmsg=0.6.1 and
oidcservice=0.5.13

Author: rohe

.pytest_cache/v/cache/lastfailed

@@ -1,4 +1,5 @@
 {
+  "tests/test_14_oidc.py::TestClient::()::test_service_request": true,
   "tests/test_20_rp_handler.py::TestRPHandler::()::test_get_accesstoken": true,
   "tests/test_20_rp_handler.py::TestRPHandler::()::test_get_userinfo": true
 }

CONTRIBUTING.md

@@ -1,4 +1,4 @@
-# Contributing to JwtConnect
+# Contributing to JwtConnect-Python
 
 All contributions to the Python JwtConnect packages are welcome!
 

src/oidcrp/__init__.py

@@ -4,7 +4,7 @@
 import traceback
 from importlib import import_module
 
-from cryptojwt import as_bytes
+from cryptojwt.utils import as_bytes
 from oidcmsg.oauth2 import is_error_message
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.oidc import AccessTokenResponse
@@ -22,7 +22,7 @@
 from oidcrp import provider
 
 __author__ = 'Roland Hedberg'
-__version__ = '0.4.9'
+__version__ = '0.5.0'
 
 logger = logging.getLogger(__name__)
 
@@ -494,7 +494,8 @@ def get_access_token(self, state, client=None):
                 state=state
             )
         except Exception as err:
-            logger.error("%s", err)
+            message = traceback.format_exception(*sys.exc_info())
+            logger.error(message)
             raise
         else:
             if is_error_message(tokenresp):
@@ -529,7 +530,8 @@ def refresh_access_token(self, state, client=None, scope=''):
                 state=state, request_args=req_args
             )
         except Exception as err:
-            logger.error("%s", err)
+            message = traceback.format_exception(*sys.exc_info())
+            logger.error(message)
             raise
         else:
             if is_error_message(tokenresp):
@@ -596,6 +598,8 @@ def finalize_auth(self, client, issuer, response):
                                                          sformat='dict')
         except Exception as err:
             logger.error('Parsing authorization_response: {}'.format(err))
+            message = traceback.format_exception(*sys.exc_info())
+            logger.error(message)
             raise
         else:
             logger.debug(

src/oidcrp/cookie.py

@@ -9,11 +9,10 @@
 
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 
-from cryptojwt import as_bytes
-from cryptojwt import as_unicode
-from cryptojwt import safe_str_cmp
-from cryptojwt.jwe import JWEException
-from cryptojwt.jwe import split_ctx_and_tag
+from cryptojwt.utils import as_bytes
+from cryptojwt.utils import as_unicode
+from cryptojwt.jwe.exception import JWEException
+from cryptojwt.jwe.utils import split_ctx_and_tag
 
 from oidcservice import rndstr
 from oidcservice.exception import ImproperlyConfigured
@@ -35,6 +34,16 @@ class InvalidCookieSign(Exception):
     pass
 
 
+# 'Stolen' from Werkzeug
+def safe_str_cmp(a, b):
+    """Compare two strings in constant time."""
+    if len(a) != len(b):
+        return False
+    r = 0
+    for c, d in zip(a, b):
+        r |= ord(c) ^ ord(d)
+    return r == 0
+
 def _expiration(timeout, time_format=None):
     """
     Return an expiration time

src/oidcrp/http.py

@@ -6,7 +6,7 @@
 
 import requests
 
-from oidcmsg.key_jar import KeyJar
+from cryptojwt.key_jar import KeyJar
 
 from oidcservice import sanitize
 from oidcservice.exception import NonFatalException

src/oidcrp/oauth2/__init__.py

@@ -1,7 +1,9 @@
 import logging
 
 import cherrypy
-from oidcmsg.key_jar import KeyJar
+
+from cryptojwt.key_jar import KeyJar
+
 from oidcservice.client_auth import factory as ca_factory
 from oidcservice.exception import OidcServiceError
 from oidcservice.exception import ParseError
@@ -10,6 +12,7 @@
 from oidcservice.service import SUCCESSFUL
 from oidcservice.service import build_services
 from oidcservice.service_context import ServiceContext
+from oidcservice.state_interface import StateInterface
 
 from oidcrp.http import HTTPLib
 from oidcrp.util import get_deserialization_method
@@ -59,7 +62,7 @@ def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
         :return: Client instance
         """
 
-        self.state_db = state_db
+        self.session_interface = StateInterface(state_db)
         self.http = httplib or HTTPLib(ca_certs=ca_certs,
                                        verify_ssl=verify_ssl,
                                        client_cert=client_cert,

src/oidcrp/oidc/__init__.py

@@ -1,5 +1,8 @@
+import json
 import logging
 
+from oidcservice.client_auth import BearerHeader
+
 try:
     from json import JSONDecodeError
 except ImportError:  # Only works for >= 3.5
@@ -62,6 +65,10 @@
 }
 
 
+class FetchException(Exception):
+    pass
+
+
 class RP(oauth2.Client):
     def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
                  keyjar=None, verify_ssl=True, config=None, client_cert=None,
@@ -76,12 +83,11 @@ def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
                                httplib=httplib, services=_srvs,
                                service_factory=service_factory)
 
-    def fetch_distributed_claims(self, userinfo, service, callback=None):
+    def fetch_distributed_claims(self, userinfo, callback=None):
         """
 
-        :param userinfo: A :py:class:`oidcmsg.message.Message` sub class instance
-        :param service: Possibly an instance of the
-            :py:class:`oidcservice.oidc.service.UserInfo` class
+        :param userinfo: A :py:class:`oidcmsg.message.Message` sub class
+            instance
         :param callback: A function that can be used to fetch things
         :return: Updated userinfo instance
         """
@@ -93,27 +99,41 @@ def fetch_distributed_claims(self, userinfo, service, callback=None):
             for csrc, spec in _csrc.items():
                 if "endpoint" in spec:
                     if "access_token" in spec:
-                        _uinfo = self.service_request(
-                            service, spec["endpoint"], method='GET',
-                            token=spec["access_token"])
+                        cauth = BearerHeader()
+                        http_args = cauth.construct(
+                            service=self.service['userinfo'],
+                            access_token= spec['access_token'])
+                        _resp = self.http.send(spec["endpoint"], 'GET',
+                                                **http_args)
                     else:
                         if callback:
-                            _uinfo = self.service_request(
-                                service, spec["endpoint"], method='GET',
-                                token=callback(spec['endpoint']))
+                            token = callback(spec['endpoint'])
+                            cauth = BearerHeader()
+                            http_args = cauth.construct(
+                                service=self.service['userinfo'],
+                                access_token=token)
+                            _resp = self.http.send(
+                                spec["endpoint"], 'GET', **http_args)
                         else:
-                            _uinfo = self.service_request(
-                                service, spec["endpoint"], method='GET')
+                            _resp = self.http.send(spec["endpoint"], 'GET')
+
+                    if _resp.status_code == 200:
+                        _uinfo = json.loads(_resp.text)
+                    else:  # There shouldn't be any redirect
+                        raise FetchException(
+                            'HTTP error {}: {}'.format(_resp.status_code,
+                                                       _resp.reason))
 
                     claims = [value for value, src in
                               userinfo["_claim_names"].items() if src == csrc]
 
-                    if set(claims) != set(list(_uinfo.keys())):
+                    if set(claims) != set(_uinfo.keys()):
                         logger.warning(
                             "Claims from claim source doesn't match what's in "
                             "the userinfo")
 
-                    for key, vals in _uinfo.items():
-                        userinfo[key] = vals
+                    # only add those I expected
+                    for key in claims:
+                        userinfo[key] = _uinfo[key]
 
         return userinfo

tests/test_11_oauth2.py

@@ -3,17 +3,17 @@
 import sys
 import time
 
-from cryptojwt.jwk import rsa_load
+from cryptojwt.jwk.rsa import rsa_load
+from cryptojwt.key_bundle import KeyBundle
 
-from oidcmsg.key_bundle import KeyBundle
-from oidcmsg.oauth2 import AccessTokenRequest, AuthorizationResponse
+from oidcmsg.oauth2 import AccessTokenRequest
 from oidcmsg.oauth2 import AccessTokenResponse
 from oidcmsg.oauth2 import AuthorizationRequest
+from oidcmsg.oauth2 import AuthorizationResponse
 from oidcmsg.oauth2 import RefreshAccessTokenRequest
 from oidcmsg.oidc import IdToken
 from oidcmsg.time_util import utc_time_sans_frac
 
-from oidcservice.client_auth import CLIENT_AUTHN_METHOD
 from oidcservice.state_interface import State
 
 from oidcrp.oauth2 import Client
@@ -60,7 +60,7 @@ def test_construct_authorization_request(self):
                     'redirect_uri': 'https://example.com/auth_cb',
                     'response_type': ['code']}
 
-        self.client.state_db.set('ABCDE', State(iss='issuer').to_json())
+        self.client.session_interface.create_state('issuer',key='ABCDE')
         msg = self.client.service['authorization'].construct(
             request_args=req_args)
         assert isinstance(msg, AuthorizationRequest)
@@ -71,17 +71,24 @@ def test_construct_accesstoken_request(self):
         # Bind access code to state
         req_args = {}
 
+        self.client.session_interface.create_state('issuer', 'ABCDE')
+
         auth_request = AuthorizationRequest(
             redirect_uri='https://example.com/cli/authz_cb',
             state='state'
         )
+
+        self.client.session_interface.store_item(auth_request, 'auth_request',
+                                                 'ABCDE')
+
         auth_response = AuthorizationResponse(code='access_code')
-        _state = State(auth_response=auth_response.to_json(),
-                       auth_request=auth_request.to_json())
-        self.client.state_db.set('ABCDE', _state.to_json())
+
+        self.client.session_interface.store_item(auth_response,
+                                                 'auth_response', 'ABCDE')
 
         msg = self.client.service['accesstoken'].construct(
             request_args=req_args, state='ABCDE')
+
         assert isinstance(msg, AccessTokenRequest)
         assert msg.to_dict() == {'client_id': 'client_1',
                                  'code': 'access_code',
@@ -92,18 +99,28 @@ def test_construct_accesstoken_request(self):
                                  'state': 'state'}
 
     def test_construct_refresh_token_request(self):
+
+        self.client.session_interface.create_state('issuer', 'ABCDE')
+
         auth_request = AuthorizationRequest(
             redirect_uri='https://example.com/cli/authz_cb',
             state='state'
         )
+
+        self.client.session_interface.store_item(auth_request, 'auth_request',
+                                                 'ABCDE')
+
         auth_response = AuthorizationResponse(code='access_code')
+
+        self.client.session_interface.store_item(auth_response,
+                                                 'auth_response', 'ABCDE')
+
         token_response = AccessTokenResponse(refresh_token="refresh_with_me",
                                              access_token="access")
-        _state = State(auth_response=auth_response.to_json(),
-                       auth_request=auth_request.to_json(),
-                       token_response=token_response.to_json())
 
-        self.client.state_db.set('ABCDE', _state.to_json())
+        self.client.session_interface.store_item(token_response,
+                                                 'token_response', 'ABCDE')
+
         req_args = {}
         msg = self.client.service['refresh_token'].construct(
             request_args=req_args, state='ABCDE')