Allow the functions used to mint subject identifiers to be configurable.

rohe · rohe · commit d7d1ac37db5b · 2019-05-24T09:29:54.000+02:00
diff --git a/src/oidcendpoint/__init__.py b/src/oidcendpoint/__init__.py
@@ -5,7 +5,7 @@
 except ImportError:
     import random as rnd
 
-__version__ = '0.8.3'
+__version__ = '0.8.4'
 
 
 DEF_SIGN_ALG = {"id_token": "RS256",
diff --git a/src/oidcendpoint/endpoint_context.py b/src/oidcendpoint/endpoint_context.py
@@ -189,6 +189,21 @@ def __init__(self, conf, keyjar=None, client_db=None, session_db=None,
                 raise ValueError('Cookie Dealer already defined')
             self.cookie_dealer = init_service(_conf)
 
+        try:
+            _conf = conf['sub_func']
+        except KeyError:
+            sub_func = None
+        else:
+            sub_func = {}
+            for key, args in _conf.items():
+                if 'class' in args:
+                    sub_func[key] = init_service(args)
+                elif 'function' in args:
+                    if isinstance(args['function'], str):
+                        sub_func[key] = util.importer(args['function'])
+                    else:
+                        sub_func[key] = args['function']
+
         if session_db:
             self.sdb = session_db
         else:
@@ -212,7 +227,7 @@ def __init__(self, conf, keyjar=None, client_db=None, session_db=None,
                     _th_args[typ] = {'lifetime': tid}
 
             self.sdb = create_session_db(self, _th_args, db=None,
-                                         sso_db=SSODb())
+                                         sso_db=SSODb(), sub_func=sub_func)
 
         self.endpoint = build_endpoints(conf['endpoint'],
                                         endpoint_context=self,
diff --git a/src/oidcendpoint/session.py b/src/oidcendpoint/session.py
@@ -84,9 +84,14 @@ class SessionInfo(Message):
     }
 
 
-def pairwise_id(sub, sector_identifier, seed):
+def pairwise_id(uid, sector_identifier, client_salt, **kwargs):
     return hashlib.sha256(
-        ("%s%s%s" % (sub, sector_identifier, seed)).encode("utf-8")).hexdigest()
+        ("%s%s%s" % (uid, sector_identifier, client_salt)).encode("utf-8")).hexdigest()
+
+
+def public_id(uid, user_salt='', **kwargs):
+    return hashlib.sha256(
+        "{}{}".format(uid, user_salt).encode("utf-8")).hexdigest()
 
 
 def dict_match(a, b):
@@ -106,35 +111,28 @@ def dict_match(a, b):
     return all(res)
 
 
-def mint_sub(client_salt, sector_id="", subject_type="public",
-             uid='', user_salt=''):
-    """
-    Mint a new sub (subject identifier)
-
-    :param authn_event: Authentication event information
-    :param client_salt: client specific salt - used in pairwise
-    :param sector_id: Possible sector identifier
-    :param subject_type: 'public'/'pairwise'
-    :return: Subject identifier
-    """
-
-    if subject_type == "public":
-        sub = hashlib.sha256(
-            "{}{}".format(uid, user_salt).encode("utf-8")).hexdigest()
-    else:
-        sub = pairwise_id(uid, sector_id,
-                          "{}{}".format(client_salt, user_salt))
-    return sub
-
-
 class SessionDB(object):
-    def __init__(self, db, handler, sso_db, userinfo=None):
+    def __init__(self, db, handler, sso_db, userinfo=None, sub_func=None):
         # db must implement the InMemoryStateDataBase interface
         self._db = db
         self.handler = handler
         self.sso_db = sso_db
         self.userinfo = userinfo
 
+        # this allows the subject identifier minters to be defined by someone
+        # else then me.
+        if sub_func is None:
+            self.sub_func = {
+                'public': public_id,
+                'pairwise': pairwise_id
+            }
+        else:
+            self.sub_func = sub_func
+            if 'public' not in sub_func:
+                self.sub_func['public'] = public_id
+            if 'pairwise' not in sub_func:
+                self.sub_func['pairwise'] = pairwise_id
+
     def __getitem__(self, item):
         _info = self._db.get(item)
 
@@ -242,7 +240,20 @@ def get_token(self, sid):
 
     def do_sub(self, sid, uid, client_salt, sector_id='', subject_type='public',
                user_salt=''):
-        sub = mint_sub(client_salt, sector_id, subject_type, uid, user_salt)
+        """
+        Create and store a subject identifier
+
+        :param sid: Session ID
+        :param uid: User ID
+        :param client_salt:
+        :param sector_id: For pairwise identifiers, an Identifier for the RP group
+        :param subject_type: 'pairwaise'/'public'
+        :param user_salt:
+        :return:
+        """
+        sub = self.sub_func[subject_type](uid, user_salt=user_salt,
+                                          client_salt=client_salt,
+                                          sector_identifier=sector_id)
 
         self.sso_db.map_sid2uid(sid, uid)
         self.update(sid, sub=sub)
@@ -292,11 +303,14 @@ def replace_token(self, sid, sinfo, token_type):
 
     def _make_at(self, sid, session_info, aud = None, client_id_aud = True):
         uid = self.sso_db.get_uid_by_sid(sid)
-        uinfo = self.userinfo(uid, session_info['client_id'])
+
+        uinfo = self.userinfo(uid, session_info['client_id']) or {}
         at_aud = aud or []
+
         if client_id_aud:
             at_aud.append(session_info['client_id'])
-        return self.handler['access_token'](sid=sid, sinfo=session_info, uinfo=uinfo, aud=at_aud)
+        return self.handler['access_token'](sid=sid, sinfo=session_info,
+                                            uinfo=uinfo, aud=at_aud)
 
     def upgrade_to_token(self, grant=None, issue_refresh=False, id_token="",
                          oidreq=None, key=None, scope=None):
@@ -539,10 +553,11 @@ def get_authentication_event(self, sid):
                 raise ValueError('No Authn event info')
 
 
-def create_session_db(ec, token_handler_args, db=None, sso_db=SSODb()):
+def create_session_db(ec, token_handler_args, db=None, sso_db=SSODb(),
+                      sub_func=None):
     _token_handler = token_handler.factory(ec, **token_handler_args)
 
     if not db:
         db = InMemoryDataBase()
 
-    return SessionDB(db, _token_handler, sso_db)
+    return SessionDB(db, _token_handler, sso_db, sub_func=sub_func)
diff --git a/tests/test_08_session.py b/tests/test_08_session.py
@@ -403,3 +403,44 @@ def test_setup_session_upgrade_to_token():
 
     endpoint_context.sdb.revoke_uid('_user_')
     assert endpoint_context.sdb.is_session_revoked(sid)
+
+
+def make_sub_uid(uid, **kwargs):
+    return uid
+
+
+def test_sub_minting_function():
+    conf['sub_func'] = {
+        'public': {
+            'function': make_sub_uid
+        }
+    }
+
+    endpoint_context = EndpointContext(conf)
+    uid = '_user_'
+    client_id = 'EXTERNAL'
+    areq = None
+    acr = None
+    sid = setup_session(endpoint_context, areq, uid, client_id, acr, salt='salt')
+    assert endpoint_context.sdb[sid]['sub'] == uid
+
+
+class SubMinter(object):
+    def __call__(self, *args, **kwargs):
+        return args[0]
+
+
+def test_sub_minting_class():
+    conf['sub_func'] = {
+        'public': {
+            'class': SubMinter
+        }
+    }
+
+    endpoint_context = EndpointContext(conf)
+    uid = '_user_'
+    client_id = 'EXTERNAL'
+    areq = None
+    acr = None
+    sid = setup_session(endpoint_context, areq, uid, client_id, acr, salt='salt')
+    assert endpoint_context.sdb[sid]['sub'] == uid
