
[project @ pape5.Response: start using auth_level.XXX throughout to r…

…eplace nist_auth_level]
1 parent 424d546 commit bc0ac506489285f8b216a98348894ee58f29f444 tailor committed Oct 13, 2008
Showing with 79 additions and 36 deletions.
  1. +68 −22 openid/extensions/draft/pape5.py
  2. +11 −14 openid/test/test_pape_draft5.py
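--- a/openid/extensions/draft/pape5.py
+++ b/openid/extensions/draft/pape5.py
@@ -268,23 +268,65 @@ def preferredTypes(self, supported_types):
 Request.ns_uri = ns_uri
-class Response(Extension):
+class Response(PAPEExtension):
 """A Provider Authentication Policy response, sent from a provider
 to a relying party
 """
 ns_alias = 'pape'
 def __init__(self, auth_policies=None, auth_time=None,
- nist_auth_level=None):
- super(Response, self).__init__(self)
+ auth_levels=None):
+ super(Response, self).__init__()
 if auth_policies:
 self.auth_policies = auth_policies
 else:
 self.auth_policies = []
 self.auth_time = auth_time
- self.nist_auth_level = nist_auth_level
+ self.auth_levels = {}
+
+ if auth_levels is None:
+ auth_levels = {}
+
+ for uri, level in auth_levels.iteritems():
+ self.setAuthLevel(uri, level)
+
+ def setAuthLevel(self, level_uri, level, alias=None):
+ """Set the value for the given auth level type.
+
+ @param level: string representation of an authentication level
+ valid for level_uri
+
+ @param alias: An optional namespace alias for the given auth
+ level URI. May be omitted if the alias is not
+ significant. The library will use a reasonable default for
+ widely-used auth level types.
+ """
+ self._addAuthLevelAlias(level_uri, alias)
+ self.auth_levels[level_uri] = level
+
+ def getAuthLevel(self, level_uri):
+ """Return the auth level for the specified auth level
+ identifier
+
+ @returns: A string that should map to the auth levels defined
+ for the auth level type
+
+ @raises KeyError: If the auth level type is not present in
+ this message
+ """
+ return self.auth_levels[level_uri]
+
+ def _getNISTAuthLevel(self):
+ try:
+ return int(self.getAuthLevel(LEVELS_NIST))
+ except KeyError:
+ return None
+
+ nist_auth_level = property(
+ _getNISTAuthLevel,
+ doc="Backward-compatibility accessor for the NIST auth level")
 def addPolicyURI(self, policy_uri):
 """Add a authentication policy to this response
@@ -343,19 +385,24 @@ def parseExtensionArgs(self, args, strict=False):
 if policies_str and policies_str != 'none':
 self.auth_policies = policies_str.split(' ')
- nist_level_str = args.get('nist_auth_level')
- if nist_level_str:
- try:
- nist_level = int(nist_level_str)
- except ValueError:
- if strict:
- raise ValueError('nist_auth_level must be an integer '
- 'between zero and four, inclusive')
- else:
- self.nist_auth_level = None
- else:
- if 0 <= nist_level < 5:
- self.nist_auth_level = nist_level
+ for (key, val) in args.iteritems():
+ if key.startswith('auth_level.'):
+ alias = key[11:]
+
+ # skip the already-processed namespace declarations
+ if alias.startswith('ns.'):
+ continue
+
+ try:
+ uri = args['auth_level.ns.%s' % (alias,)]
+ except KeyError:
+ if strict:
+ raise ValueError(
+ 'Undefined auth level alias: %r' % (alias,))
+ else:
+ continue # Skip this auth level declaration
+
+ self.setAuthLevel(uri, val, alias)
 auth_time = args.get('auth_time')
 if auth_time:
@@ -378,11 +425,10 @@ def getExtensionArgs(self):
 'auth_policies':' '.join(self.auth_policies),
 }
- if self.nist_auth_level is not None:
- if self.nist_auth_level not in range(0, 5):
- raise ValueError('nist_auth_level must be an integer between '
- 'zero and four, inclusive')
- ns_args['nist_auth_level'] = str(self.nist_auth_level)
+ for level_type, level in self.auth_levels.iteritems():
+ alias = self._getAlias(level_type)
+ ns_args['auth_level.ns.%s' % (alias,)] = level_type
+ ns_args['auth_level.%s' % (alias,)] = str(level)
 if self.auth_time is not None:
 if not TIME_VALIDATOR.match(self.auth_time):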
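Review bot: The NIST level is no longer validated anywhere: in the second hunk `parseExtensionArgs` stores whatever string the provider sent via `self.setAuthLevel(uri, val, alias)`, and `_getNISTAuthLevel` in the first hunk catches only `KeyError`, so a declared NIST level of `some` makes reading `nist_auth_level` raise `ValueError`, while `9` or `-1` comes back as if it were a valid level. The removed code rejected non-integers and ignored values outside 0–4, and a relying party that gates access on `nist_auth_level` depends on that bound. I would restore the check in the accessor as below; since `getExtensionArgs` (last hunk) now emits `str(level)` unchecked, the same bound could also be enforced for `LEVELS_NIST` in `setAuthLevel`, and strict parsing could raise on a malformed value as it used to. `parseExtensionArgs` and `getExtensionArgs` start and end outside their hunks.

```python
    def _getNISTAuthLevel(self):
        try:
            level = int(self.getAuthLevel(LEVELS_NIST))
        except (KeyError, ValueError):
            # absent or non-integer: report "no NIST level", as the old parser did
            return None
        # same 0..4 bound the removed parse/serialize checks enforced
        if 0 <= level < 5:
            return level
        return None
```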
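--- a/openid/test/test_pape_draft5.py
+++ b/openid/test/test_pape_draft5.py
@@ -226,7 +226,7 @@ def test_construct(self):
 self.failUnlessEqual(None, self.req.nist_auth_level)
 req2 = pape.Response([pape.AUTH_MULTI_FACTOR],
- "2004-12-11T10:30:44Z", 3)
+ "2004-12-11T10:30:44Z", {pape.LEVELS_NIST: 3})
 self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], req2.auth_policies)
 self.failUnlessEqual("2004-12-11T10:30:44Z", req2.auth_time)
 self.failUnlessEqual(3, req2.nist_auth_level)
@@ -260,25 +260,18 @@ def test_getExtensionArgs(self):
 {'auth_policies': 'http://uri http://zig',
 'auth_time': "1776-07-04T14:43:12Z"},
 self.req.getExtensionArgs())
- self.req.nist_auth_level = 3
+ self.req.setAuthLevel(pape.LEVELS_NIST, '3')
 self.failUnlessEqual(
 {'auth_policies': 'http://uri http://zig',
 'auth_time': "1776-07-04T14:43:12Z",
- 'nist_auth_level': '3'},
+ 'auth_level.nist': '3',
+ 'auth_level.ns.nist': pape.LEVELS_NIST},
 self.req.getExtensionArgs())
 def test_getExtensionArgs_error_auth_age(self):
 self.req.auth_time = "long ago"
 self.failUnlessRaises(ValueError, self.req.getExtensionArgs)
- def test_getExtensionArgs_error_nist_auth_level(self):
- self.req.nist_auth_level = "high as a kite"
- self.failUnlessRaises(ValueError, self.req.getExtensionArgs)
- self.req.nist_auth_level = 5
- self.failUnlessRaises(ValueError, self.req.getExtensionArgs)
- self.req.nist_auth_level = -1
- self.failUnlessRaises(ValueError, self.req.getExtensionArgs)
-
 def test_parseExtensionArgs(self):
 args = {'auth_policies': 'http://foo http://bar',
 'auth_time': '1970-01-01T00:00:00Z'}
@@ -298,17 +291,21 @@ def test_parseExtensionArgs_strict_bogus1(self):
 self.failUnlessRaises(ValueError, self.req.parseExtensionArgs,
 args, True)
- def test_parseExtensionArgs_strict_bogus2(self):
+ def test_parseExtensionArgs_strict_no_namespace_decl_openid2(self):
+ # Test the case where the namespace is not declared for an
+ # auth level.
 args = {'auth_policies': 'http://foo http://bar',
 'auth_time': '1970-01-01T00:00:00Z',
- 'nist_auth_level': 'some'}
+ 'auth_level.nist': 'some',
+ }
 self.failUnlessRaises(ValueError, self.req.parseExtensionArgs,
 args, True)
 def test_parseExtensionArgs_strict_good(self):
 args = {'auth_policies': 'http://foo http://bar',
 'auth_time': '1970-01-01T00:00:00Z',
- 'nist_auth_level': '0'}
+ 'auth_level.nist': '0',
+ 'auth_level.ns.nist': pape.LEVELS_NIST}
 self.req.parseExtensionArgs(args, True)
 self.failUnlessEqual(['http://foo','http://bar'],
 self.req.auth_policies)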
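Review bot: With `test_getExtensionArgs_error_nist_auth_level` deleted and `test_parseExtensionArgs_strict_bogus2` repurposed, nothing in this file exercises a malformed NIST level any more: in `test_parseExtensionArgs_strict_no_namespace_decl_openid2` the `ValueError` comes from the undeclared alias, so the value `'some'` is never examined. I would add a case that sends `'auth_level.nist': 'some'` together with `'auth_level.ns.nist': pape.LEVELS_NIST`, and one with `'5'`, and pin what `self.req.nist_auth_level` yields, since relying-party code reads that attribute to make policy decisions. `test_construct` also passes the level as the int `3` while `test_getExtensionArgs` passes `'3'`; the `setAuthLevel` docstring says string, so either align the two or document that ints are accepted.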
