Refactored handling of authority_hints, trust_roots and trust_marks.

edu_federation/openid_provider/conf.json

@@ -73,7 +73,7 @@
       }
     },
     "trust_anchors": {
-      "class": "idpyoidc.storage.abfile.AbstractFileSystem",
+      "class": "idpyoidc.storage.abfile_no_cache.AbstractFileSystemNoCache",
       "kwargs": {
         "fdir": "openid_provider/trust_anchors",
         "key_conv": "idpyoidc.util.Base64",
@@ -135,7 +135,16 @@
                 ]
               },
               "code": {
-                "lifetime": 1200
+                "lifetime": 600,
+                "kwargs": {
+                  "crypt_conf": {
+                    "kwargs": {
+                      "key": "0987654321abcdefghijklmnop...---",
+                      "salt": "abcdefghijklmnop",
+                      "iterations": 1
+                    }
+                  }
+                }
               },
               "token": {
                 "class": "idpyoidc.server.token.jwt_token.JWTToken",

edu_federation/relying_party_explicit/conf.json

@@ -60,7 +60,7 @@
       }
     },
     "trust_anchors": {
-      "class": "idpyoidc.storage.abfile.AbstractFileSystem",
+      "class": "idpyoidc.storage.abfile_no_cache.AbstractFileSystemNoCache",
       "kwargs": {
         "fdir": "relying_party_explicit/trust_anchors",
         "key_conv": "idpyoidc.util.Base64",

edu_federation/relying_party_explicit/views.py

@@ -77,7 +77,7 @@ def wkof():
                                   sub=_fed_entity.entity_id,
                                   key_jar=_fed_entity.get_attribute('keyjar'),
                                   metadata=_metadata,
-                                  authority_hints=_fed_entity.context.authority_hints,
+                                  authority_hints=_fed_entity.get_authority_hints(),
                                   **args
                                   )
 

edu_federation/trust_anchor/conf.json

@@ -64,15 +64,15 @@
       "resolve"
     ],
     "subordinate": {
-      "class": "idpyoidc.storage.abfile.AbstractFileSystem",
+      "class": "idpyoidc.storage.abfile_no_cache.AbstractFileSystemNoCache",
       "kwargs": {
         "fdir": "trust_anchor/subordinates",
         "key_conv": "idpyoidc.util.Base64",
         "value_conv": "idpyoidc.util.JSON"
       }
     },
     "trust_mark_issuers": {
-      "class": "idpyoidc.storage.abfile.AbstractFileSystem",
+      "class": "idpyoidc.storage.abfile_no_cache.AbstractFileSystemNoCache",
       "kwargs": {
         "fdir": "trust_anchor/trust_mark_issuers",
         "key_conv": "idpyoidc.util.Base64",

edu_federation/trust_mark_issuer/conf.json

@@ -64,7 +64,7 @@
       }
     },
     "trust_anchors": {
-      "class": "idpyoidc.storage.abfile.AbstractFileSystem",
+      "class": "idpyoidc.storage.abfile_no_cache.AbstractFileSystemNoCache",
       "kwargs": {
         "fdir": "trust_mark_issuer/trust_anchors",
         "key_conv": "idpyoidc.util.Base64",

src/fedservice/appclient/oauth2/registration.py

@@ -84,7 +84,7 @@ def create_entity_statement(self, request_args: Optional[dict] = None, **kwargs)
 
         kwargs = {}
         if _context.trust_marks:
-            kwargs["trust_marks"] = _context.trust_marks
+            kwargs["trust_marks"] = _context.get_trust_marks()
 
         _jws = _context.create_entity_statement(
             iss=_entity_id,
@@ -173,7 +173,7 @@ def parse_federation_registration_response(self, resp, **kwargs):
             return _resp
 
     def _add_client_secret_to_keyjar(self, context, client_id, metadata):
-        _client_secret = context.get_usage("client_secret")
+        _client_secret = context.claims.get_usage("client_secret")
         if _client_secret:
             _keyjar = getattr(context, "keyjar", None)
             if not _keyjar:
@@ -195,7 +195,7 @@ def update_service_context(self, resp, **kwargs):
             _context = item.context
             _context.map_preferred_to_registered(resp[guise])
 
-            _client_id = _context.get_usage("client_id")
+            _client_id = _context.claims.get_usage("client_id")
             if _client_id:
                 _context.client_id = _client_id
             # _fe = self.upstream_get("context").federation_entity

src/fedservice/appclient/stand_alone_client_entity.py

@@ -146,7 +146,7 @@ def do_client_registration(
                 _params = RegistrationRequest().parameters()
                 request_args.update({k: v for k, v in behaviour_args.items() if k in _params})
 
-            root = topmost_unit(_federation_entity)
+            # root = topmost_unit(_federation_entity)
             _endpoint_name = _federation_entity.client.get_service("registration").endpoint_name
             endpoint = self.context.provider_info[_endpoint_name]
             load_registration_response(_federation_entity, request_args=request_args,
@@ -281,7 +281,7 @@ def get_client_authn_method(self, endpoint):
         :return: The client authentication method
         """
         if endpoint == "token_endpoint":
-            auth_method = self.get_context().get_usage("token_endpoint_auth_method")
+            auth_method = self.get_context().claims.get_usage("token_endpoint_auth_method")
             if not auth_method:
                 return ""
             else:

src/fedservice/appserver/oidc/registration.py

@@ -72,7 +72,7 @@ def process_request(self, request=None, **kwargs):
                 trust_anchor_id=trust_chain.anchor,
                 metadata={opponent_entity_type: _policy_metadata},
                 aud=payload['iss'],
-                authority_hints=_federation_entity.context.authority_hints
+                authority_hints=_federation_entity.get_authority_hints()
             )
             response_info["response_msg"] = entity_statement
             del response_info["response_args"]

src/fedservice/build_entity.py

@@ -1,4 +1,6 @@
+from typing import Callable
 from typing import Optional
+from typing import Union
 
 from fedservice.defaults import DEFAULT_FEDERATION_ENTITY_FUNCTIONS
 from fedservice.defaults import federation_endpoints
@@ -16,7 +18,7 @@ def __init__(self,
                  entity_id: Optional[str] = '',
                  preference: Optional[dict] = None,
                  key_conf: Optional[dict] = None,
-                 authority_hints: Optional[list] = None
+                 authority_hints: Optional[Union[list, str, Callable]] = None
                  ):
         self.conf = {
             "entity_id": entity_id,

src/fedservice/entity/__init__.py

@@ -1,6 +1,7 @@
 import logging
 from typing import Callable
 from typing import Optional
+from typing import Union
 
 from cryptojwt import as_unicode
 from cryptojwt import KeyJar
@@ -42,7 +43,7 @@ def __init__(self,
                  httpc: Optional[object] = None,
                  httpc_params: Optional[dict] = None,
                  preference: Optional[dict] = None,
-                 authority_hints: Optional[list] = None,
+                 authority_hints: Optional[Union[list, str, Callable]] = None,
                  persistence: Optional[dict] = None,
                  client_authn_methods: Optional[list] = None,
                  **kwargs
@@ -183,10 +184,10 @@ def get_all_services(self, *args):
         return list(self.client.service.db.keys())
 
     def get_authority_hints(self, *args):
-        if isinstance(self.context.authority_hints, list):
-            return self.context.authority_hints
-        else:
-            return list(self.context.authority_hints)
+        return self.context.get_authority_hints()
+
+    def get_trusted_roots(self, *args):
+        return self.context.get_trusted_roots()
 
     def get_context_attribute(self, attr, *args):
         _val = getattr(self.context, attr, None)

src/fedservice/entity/context.py

@@ -38,8 +38,8 @@ def __init__(self,
                  default_lifetime: Optional[int] = 86400,
                  priority: Optional[list] = None,
                  trust_marks: Optional[list] = None,
-                 trusted_roots: Optional[dict] = None,
-                 authority_hints: Optional[list] = None,
+                 trusted_roots: Optional[Union[str, dict, Callable]] = None,
+                 authority_hints: Optional[Union[list, str, Callable]] = None,
                  keyjar: Optional[KeyJar] = None,
                  preference: Optional[dict] = None,
                  **kwargs
@@ -55,39 +55,22 @@ def __init__(self,
         self.entity_id = entity_id or config.get("entity_id",
                                                  self.upstream_get("attribute", "entity_id"))
         self.default_lifetime = default_lifetime or config.get("default_lifetime", 0)
+
         self.trust_marks = trust_marks or config.get('trust_marks', [])
+        self.trusted_roots = trusted_roots or config.get('trusted_roots', {})
+        self.authority_hints = authority_hints or config.get('authority_hints', [])
+
         self.trust_chain = {}
         # self.issuer = self.entity_id
 
         self.claims = FederationEntityClaims(prefer=preference)
 
-        if trusted_roots:
-            _trusted_roots = trusted_roots
-        else:
-            _trusted_roots = config.get("trusted_roots")
-
-        if _trusted_roots is None:
-            # Must be trust anchor then
-            self.trusted_roots = {}
-        elif isinstance(_trusted_roots, str):
-            self.trusted_roots = json.loads(open(_trusted_roots).read())
-        else:
-            self.trusted_roots = _trusted_roots
-
         if priority:
             self.tr_priority = priority
         elif 'priority' in config:
             self.tr_priority = config["priority"]
         else:
-            self.tr_priority = sorted(set(self.trusted_roots.keys()))
-
-        if authority_hints:
-            if isinstance(authority_hints, str):  # Allow it to be a file name
-                self.authority_hints = json.loads(open(authority_hints).read())
-            else:
-                self.authority_hints = authority_hints
-        else:
-            self.authority_hints = []
+            self.tr_priority = sorted(set(self.get_trusted_roots().keys()))
 
         for param, default in self.parameter.items():
             _val = kwargs.get(param)
@@ -136,8 +119,9 @@ def create_entity_statement(self, iss, sub, key_jar=None, metadata=None, metadat
         if not lifetime:
             lifetime = self.default_lifetime
 
-        if self.trust_marks:
-            kwargs["trust_marks"] = self.trust_marks
+        _trust_marks = self.get_trust_marks()
+        if _trust_marks:
+            kwargs["trust_marks"] = _trust_marks
 
         return create_entity_statement(iss, sub, key_jar=key_jar, metadata=metadata,
                                        metadata_policy=metadata_policy,
@@ -152,6 +136,42 @@ def map_preferred_to_registered(self, registration_response: Optional[dict] = No
 
         return self.claims.use
 
+    def get_authority_hints(self, *args) -> list:
+        _hints = self.authority_hints
+        if isinstance(_hints, list):
+            return _hints
+        elif isinstance(_hints, str):
+            return json.loads(open(_hints, "r").read())
+        elif isinstance(_hints, Callable):
+            return _hints()
+        else:
+            raise ValueError("authority_hints")
+
+    def get_trusted_roots(self) -> dict:
+        if self.trusted_roots is None:
+            # Must be trust anchor then
+            return {}
+        elif isinstance(self.trusted_roots, str):
+            return json.loads(open(self.trusted_roots).read())
+        elif isinstance(self.trusted_roots, dict):
+            return self.trusted_roots
+        elif isinstance(self.trusted_roots, Callable):
+            return self.trusted_roots()
+        else:
+            raise ValueError("trusted_roots")
+
+    def get_trust_marks(self)-> Optional[list]:
+        if self.trust_marks == None:
+            return []
+        elif isinstance(self.trust_marks, str):
+            return json.loads(open(self.trust_marks).read())
+        elif isinstance(self.trust_marks, list):
+            return self.trust_marks
+        elif isinstance(self.trust_marks, Callable):
+            return self.trust_marks()
+        else:
+            raise ValueError("trust_marks")
+
 
 class FederationServerContext(FederationContext):
 

src/fedservice/entity/server/entity_configuration.py

@@ -40,7 +40,7 @@ def process_request(self, request=None, **kwargs):
 
         if _fed_entity.context.trust_marks:
             if isinstance(_fed_entity.context.trust_marks, Callable):
-                args = {"trust_marks": _fed_entity.context.trust_marks()}
+                args = {"trust_marks": _fed_entity.context.get_trust_marks()}
             else:
                 args = {"trust_marks": _fed_entity.context.trust_marks}
         else:

src/fedservice/utils.py

@@ -1,6 +1,7 @@
 import json
 import logging
 import os
+from typing import Callable
 from typing import List
 from typing import Optional
 from typing import Union
@@ -34,7 +35,7 @@ def statement_is_expired(item):
 
 def build_entity_config(entity_id: str,
                         key_config: Optional[dict] = None,
-                        authority_hints: Optional[List[str]] = None,
+                        authority_hints: Optional[Union[List[str], str, Callable]] = None,
                         preference: Optional[dict] = None,
                         endpoints: Optional[list] = None,
                         services: Optional[list] = None,
@@ -48,7 +49,7 @@ def build_entity_config(entity_id: str,
                         ) -> dict:
     _key_conf = key_config or {"key_defs": DEFAULT_KEY_DEFS}
 
-    if authority_hints:
+    if isinstance(authority_hints, dict):
         if "class" in authority_hints and "kwargs" in authority_hints:
             authority_hints = execute(authority_hints)