Created a httpc_params attribute to keep some of the HTTP client parameters, like verify and cert, in one place.

rohe · rohe · commit bccb108f698e · 2020-02-09T10:52:07.000+01:00
diff --git a/src/oidcendpoint/endpoint_context.py b/src/oidcendpoint/endpoint_context.py
@@ -111,7 +111,6 @@ def __init__(
         self.endpoint = {}
         self.issuer = ""
         self.httpc = httpc or requests
-        self.verify_ssl = True
         self.jwks_uri = None
         self.sso_ttl = 14400  # 4h
         self.symkey = rndstr(24)
@@ -161,7 +160,6 @@ def __init__(
             }
 
         for param in [
-            "verify_ssl",
             "issuer",
             "sso_ttl",
             "symkey",
@@ -233,6 +231,17 @@ def __init__(
         # client registration access tokens
         self.registration_access_token = {}
 
+        # The HTTP clients request arguments
+        _verify = conf.get('verify_ssl', True)
+        self.httpc_params= {'verify': _verify}
+
+        _cli_cert = conf.get("client_cert")
+        _cli_key = conf.get("client_key")
+        if _cli_cert and _cli_key:
+            self.httpc_params["cert"] = (_cli_cert, _cli_key)
+        elif _cli_cert:  # The file contains both the certificate and the key
+            self.httpc_params["cert"] = _cli_cert
+
     def set_session_db(self, sso_db=None, db=None):
         sso_db = sso_db or SSODb()
         self.do_session_db(sso_db, db)
diff --git a/src/oidcendpoint/oauth2/authorization.py b/src/oidcendpoint/oauth2/authorization.py
@@ -188,7 +188,8 @@ def _do_request_uri(self, request, client_id, endpoint_context, **kwargs):
                 if _p[0] not in _registered:
                     raise ValueError("A request_uri outside the registered")
             # Fetch the request
-            _resp = endpoint_context.httpc.get(_request_uri)
+            _resp = endpoint_context.httpc.get(_request_uri,
+                                               **endpoint_context.httpc_params)
             if _resp.status_code == 200:
                 args = {"keyjar": endpoint_context.keyjar}
                 request = AuthorizationRequest().from_jwt(_resp.text, **args)
diff --git a/src/oidcendpoint/oidc/authorization.py b/src/oidcendpoint/oidc/authorization.py
@@ -136,10 +136,13 @@ def proposed_user(request):
 
 
 def acr_claims(request):
-    if request["claims"].get("id_token"):
-        acrdef = request["claims"]["id_token"].get("acr")
-    else:
-        acrdef = None
+    acrdef = None
+
+    _claims = request.get('claims')
+    if _claims:
+        _id_token_claim = _claims.get("id_token")
+        if _id_token_claim:
+            acrdef = _id_token_claim.get("acr")
 
     if isinstance(acrdef, dict):
         if acrdef.get("value"):
@@ -251,7 +254,8 @@ def _do_request_uri(self, request, client_id, endpoint_context, **kwargs):
                 if _p[0] not in _registered:
                     raise ValueError("A request_uri outside the registered")
             # Fetch the request
-            _resp = endpoint_context.httpc.get(_request_uri)
+            _resp = endpoint_context.httpc.get(_request_uri,
+                                               **endpoint_context.httpc_params)
             if _resp.status_code == 200:
                 args = {"keyjar": endpoint_context.keyjar}
                 request = AuthorizationRequest().from_jwt(_resp.text, **args)
diff --git a/src/oidcendpoint/oidc/registration.py b/src/oidcendpoint/oidc/registration.py
@@ -303,7 +303,8 @@ def _verify_sector_identifier(self, request):
         """
         si_url = request["sector_identifier_uri"]
         try:
-            res = self.endpoint_context.httpc.get(si_url)
+            res = self.endpoint_context.httpc.get(si_url,
+                                                  **self.endpoint_context.httpc_params)
             logger.debug("sector_identifier_uri => %s", sanitize(res.text))
         except Exception as err:
             logger.error(err)
diff --git a/src/oidcendpoint/oidc/session.py b/src/oidcendpoint/oidc/session.py
@@ -391,7 +391,7 @@ def do_verified_logout(self, sid, client_id, alla=False, **kwargs):
                 res = self.endpoint_context.httpc.post(
                     _url,
                     data="logout_token={}".format(sjwt),
-                    verify=self.endpoint_context.verify_ssl,
+                    **self.endpoint_context.httpc_params
                 )
 
                 if res.status_code < 300:
diff --git a/tests/test_40_oauth2_pushed_authorization.py b/tests/test_40_oauth2_pushed_authorization.py
@@ -119,7 +119,7 @@ def create_endpoint(self):
                     "kwargs": {},
                 },
                 "authorization": {
-                    "path": "{}/pushed_authorization",
+                    "path": "{}/authorization",
                     "class": Authorization,
                     "kwargs": {
                         "response_types_supported": [
@@ -132,7 +132,7 @@ def create_endpoint(self):
                     },
                 },
                 "pushed_authorization": {
-                    "path": "{}/pushed_authorization",
+                    "path": "pushed_authorization",
                     "class": PushedAuthorization,
                     "kwargs": {
                         "client_authn_method": [

Original file line number	Diff line number	Diff line change
`@@ -391,7 +391,7 @@ def do_verified_logout(self, sid, client_id, alla=False, **kwargs):`
`391`	`391`	`res = self.endpoint_context.httpc.post(`
`392`	`392`	`_url,`
`393`	`393`	`data="logout_token={}".format(sjwt),`
`394`		`- verify=self.endpoint_context.verify_ssl,`
	`394`	`+ **self.endpoint_context.httpc_params`
`395`	`395`	`)`
`396`	`396`
`397`	`397`	`if res.status_code < 300:`