From a640a2abc91013dfa9b68305d915e756584407fb Mon Sep 17 00:00:00 2001 From: Roland Hedberg Date: Fri, 2 Jul 2021 09:46:41 +0200 Subject: [PATCH 1/2] Old Default tokens had clear text sids. This takes care of that. --- src/oidcop/session/manager.py | 6 ++++++ tests/test_35_oidc_token_endpoint.py | 21 ++++++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/src/oidcop/session/manager.py b/src/oidcop/session/manager.py index 6ac4dd74..c0653a4b 100644 --- a/src/oidcop/session/manager.py +++ b/src/oidcop/session/manager.py @@ -76,6 +76,7 @@ def __init__( self, handler: TokenHandler, conf: Optional[dict] = None, sub_func: Optional[dict] = None, ): + super(SessionManager, self).__init__() self.conf = conf or {} # these won't change runtime @@ -467,6 +468,11 @@ def get_session_info_by_token( if not sid: raise WrongTokenClass + # To be backward compatible is this an oldtime sid + p = self.unpack_session_key(sid) + if len(p) == 3: + sid = self.encrypted_session_id(*p) + return self.get_session_info( sid, user_session_info=user_session_info, diff --git a/tests/test_35_oidc_token_endpoint.py b/tests/test_35_oidc_token_endpoint.py index 054602cd..b6bdad7f 100755 --- a/tests/test_35_oidc_token_endpoint.py +++ b/tests/test_35_oidc_token_endpoint.py @@ -2,7 +2,6 @@ import json import os -import pytest from cryptojwt import JWT from cryptojwt.key_jar import build_keyjar from oidcmsg.oidc import AccessTokenRequest @@ -10,6 +9,7 @@ from oidcmsg.oidc import RefreshAccessTokenRequest from oidcmsg.oidc import TokenErrorResponse from oidcmsg.time_util import utc_time_sans_frac +import pytest from oidcop import JWT_BEARER from oidcop.authn_event import create_authn_event 
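Review bot: The added `super(SessionManager, self).__init__()` uses the two-argument Python 2 form in a signature that already carries Python 3 type hints; prefer `super().__init__()`. The base class is not visible in this hunk, so I cannot tell whether its `__init__` takes arguments or sets state that the following `self.conf = conf or {}` relies on — worth confirming that calling it first, with no arguments, is the intended order. The body of `__init__` continues outside the hunk.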
@@ -813,6 +813,25 @@ def test_old_default_token(self): _info = self.session_manager.token_handler.info(_old_type_value) assert _info["token_class"] == "authorization_code" + def test_old_default_token_sid_unencrypted(self): + session_id = self._create_session(AUTH_REQ) + grant = self.session_manager[session_id] + code = self._mint_code(grant, AUTH_REQ["client_id"]) + + # pack and unpack + _handler = self.session_manager.token_handler.handler["authorization_code"] + _res = dict(zip(["_id", "token_class", "sid", "exp"], _handler.split_token(code.value))) + + _clear_txt_sid = self.session_manager.session_key( + *self.session_manager.decrypt_session_id(_res["sid"])) + + _old_type_token = base64.b64encode( + _handler.crypt.encrypt(lv_pack(_res["_id"], "A", _clear_txt_sid, _res["exp"]).encode()) + ).decode("utf-8") + + _session_info = self.session_manager.get_session_info_by_token(_old_type_token) + assert _session_info["user_id"] == "diana" + def test_old_jwt_token(self): session_id = self._create_session(AUTH_REQ) grant = self.session_manager[session_id] From beaa4b3e63423fb3cf73104a25bf0496be2cf8d7 Mon Sep 17 00:00:00 2001 From: Roland Hedberg Date: Fri, 2 Jul 2021 12:42:21 +0200 Subject: [PATCH 2/2] Old Default tokens had clear text sids. This takes care of that. --- src/oidcop/session/manager.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/oidcop/session/manager.py b/src/oidcop/session/manager.py index c0653a4b..b8129904 100644 --- a/src/oidcop/session/manager.py +++ b/src/oidcop/session/manager.py @@ -452,6 +452,13 @@ def get_session_info( return res + def _compatible_sid(self, sid): + # To be backward compatible is this an old time sid + p = self.unpack_session_key(sid) + if len(p) == 3: + sid = self.encrypted_session_id(*p) + return sid + def get_session_info_by_token( self, token_value: str, 
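Review bot: `test_old_default_token_sid_unencrypted` only asserts `_session_info["user_id"] == "diana"`, which would also pass if the legacy sid resolved to any other session of that user; add an assertion that ties the result to the session minted in the test, e.g. `assert self.session_manager.get_session_id_by_token(_old_type_token) == session_id`, which would also give the `get_session_id_by_token` change in the second patch the test it currently lacks. The test body also depends on `base64` and `lv_pack`, and the import hunk earlier in this file adds neither — confirm both are imported elsewhere in the file. The hunk sits in the middle of the test class, whose header is outside the hunk.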
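Review bot: `_compatible_sid` keeps accepting pre-encryption tokens for as long as they remain valid, but carries no docstring and no log line, so an operator has no way to see that the compatibility path is still being hit or when the shim can be retired; I would add a docstring stating that a three-part key is the old clear-text session key, that it is re-encrypted so already-issued tokens keep resolving until they expire, and that the method can be removed once no such tokens remain, plus a `logger.warning(...)` on the legacy branch if the module has a logger (not visible here). The `len(p) == 3` test also presumes `unpack_session_key` never splits a new-style encrypted sid into exactly three parts; that is plausible but not enforced in the hunk, so spell the assumption out in the docstring or assert it where the key format is defined. `get_session_info_by_token`'s signature continues outside the hunk.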
@@ -468,10 +475,8 @@ def get_session_info_by_token( if not sid: raise WrongTokenClass - # To be backward compatible is this an oldtime sid - p = self.unpack_session_key(sid) - if len(p) == 3: - sid = self.encrypted_session_id(*p) + # To be backward compatible is this an old time sid + sid = self._compatible_sid(sid) return self.get_session_info( sid, @@ -484,7 +489,8 @@ def get_session_info_by_token( def get_session_id_by_token(self, token_value: str) -> str: _token_info = self.token_handler.info(token_value) - return _token_info["sid"] + sid = _token_info.get("sid") + return self._compatible_sid(sid) def add_grant(self, user_id: str, client_id: str, **kwargs) -> Grant: """
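Review bot: `get_session_id_by_token` now reads `_token_info.get("sid")`, which is `None` for a token without a sid, and hands it straight to `_compatible_sid`, where `unpack_session_key(None)` will fail with a generic error instead of the `WrongTokenClass` that `get_session_info_by_token` raises for the same condition in the hunk just above. Mirror that check: `sid = _token_info.get("sid")` / `if not sid: raise WrongTokenClass` / `return self._compatible_sid(sid)`, which also keeps the `-> str` annotation honest. The trailing `"""` belongs to `add_grant`, whose body lies outside the hunk.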