Added more logging.

rohe · rohe · commit 5c1ead1a9baa · 2024-08-25T15:58:35.000+02:00
Depending on web framework the dpop header may come under different names.
Improved the dump method to allow dictionary representation beside a Message instance.
diff --git a/example/flask_op/private/cookie_jwks.json b/example/flask_op/private/cookie_jwks.json
@@ -1 +1 @@
-{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "GEmhZ9UKLSq60zECQRyAtmMLG5smRpCl"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "Px8EGB-oWk-DfMlYWXBHTjED372mvtBt"}]}
+{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "HqZu6WO7HyvyCfAwfCdzwSLUuEeVPiIv"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "Y3sPFaO2qJuG-Q2O-UzpRIYk-I1KLPZo"}]}
diff --git a/src/idpyoidc/claims.py b/src/idpyoidc/claims.py
@@ -1,3 +1,4 @@
+import logging
 from typing import Callable
 from typing import Optional
 
@@ -10,6 +11,7 @@
 from idpyoidc.util import add_path
 from idpyoidc.util import qualified_name
 
+logger = logging.getLogger(__name__)
 
 def claims_dump(info, exclude_attributes):
     return {qualified_name(info.__class__): info.dump(exclude_attributes=exclude_attributes)}
@@ -138,6 +140,7 @@ def handle_keys(self,
                     configuration: dict,
                     keyjar: Optional[KeyJar] = None,
                     entity_id: Optional[str] = ""):
+        logger.debug(f"configuration: {configuration}")
         _jwks = _jwks_uri = None
         _id = self.get_id(configuration)
         keyjar, uri_path = self._keyjar(keyjar, configuration, entity_id=_id)
diff --git a/src/idpyoidc/client/oauth2/add_on/par.py b/src/idpyoidc/client/oauth2/add_on/par.py
@@ -76,10 +76,7 @@ def push_authorization(request_args, service, **kwargs):
             _req[param] = request_args.get(param)
         request_args = _req
     else:
-        raise ConnectionError(
-            f"Could not connect to "
-            f'{_context.provider_info["pushed_authorization_request_endpoint"]}'
-        )
+        raise ConnectionError(f"Could not connect to {_par_endpoint}")
 
     return request_args
 
diff --git a/src/idpyoidc/impexp.py b/src/idpyoidc/impexp.py
@@ -1,4 +1,6 @@
 import base64
+import inspect
+import logging
 from typing import Any
 from typing import List
 from typing import Optional
@@ -10,6 +12,7 @@
 from idpyoidc.message import Message
 from idpyoidc.storage import DictType
 
+logger = logging.getLogger(__name__)
 
 def fully_qualified_name(cls):
     return cls.__module__ + "." + cls.__class__.__name__
@@ -41,6 +44,7 @@ def __init__(self):
         pass
 
     def dump_attr(self, cls, item, exclude_attributes: Optional[List[str]] = None) -> dict:
+        logger.debug(f"dump_attr:: cls: {cls}, item: {item}")
         if cls in [None, 0, "", bool]:
             val = item
         elif cls == b"":
@@ -74,9 +78,29 @@ def dump_attr(self, cls, item, exclude_attributes: Optional[List[str]] = None) -
             val = qualified_name(item)
         elif isinstance(cls, list):
             val = [self.dump_attr(cls[0], v, exclude_attributes) for v in item]
+        elif inspect.isclass(cls):
+            logger.debug(f"class instance: {cls}")
+            _dump = getattr(cls, "dump", None)
+            if _dump:
+                val = _dump(item, exclude_attributes=exclude_attributes)
+            else:
+                if isinstance(item, cls):
+                    val = {qualified_name(cls): item.to_dict()}
+                elif isinstance(item, dict):
+                    val = {qualified_name(cls): item}
+                else:
+                    logger.error(f"Can't dump {item} as {cls}")
         else:
-            val = item.dump(exclude_attributes=exclude_attributes)
+            _dump = getattr(item, "dump", None)
+            if _dump:
+                val = _dump(exclude_attributes=exclude_attributes)
+            elif isinstance(item, dict):
+                val = item
+            else:
+                logger.error(f"Do not know how to dump: {item}")
+                raise AttributeError()
 
+        logger.debug(f"-> {val}")
         return val
 
     def dump(self, exclude_attributes: Optional[List[str]] = None) -> dict:
@@ -154,7 +178,11 @@ def load_attr(
             val = [_cls(**_args).load(v, **_kwargs) for v in item]
         elif issubclass(cls, Message):
             _cls_name = list(item.keys())[0]
-            _cls = importer(_cls_name)
+            try:
+                _cls = importer(_cls_name)
+            except Exception as err:
+                logger.error(f"Could not import {item}: {err}")
+                raise
             val = _cls().from_dict(item[_cls_name])
         else:
             if issubclass(cls, ImpExp) and init_args:
diff --git a/src/idpyoidc/server/claims/oidc.py b/src/idpyoidc/server/claims/oidc.py
@@ -1,6 +1,7 @@
 from typing import Optional
 
 from idpyoidc import metadata
+from idpyoidc.message import Message
 from idpyoidc.message.oidc import ProviderConfigurationResponse
 from idpyoidc.message.oidc import RegistrationRequest
 from idpyoidc.message.oidc import RegistrationResponse
@@ -91,7 +92,7 @@ def verify_rules(self, supports):
             self.set_preference("id_token_encryption_alg_values_supported", [])
             self.set_preference("id_token_encryption_enc_values_supported", [])
 
-    def provider_info(self, supports):
+    def provider_info(self, supports, schema: Optional[Message] = None):
         _info = {}
         for key in ProviderConfigurationResponse.c_param.keys():
             _val = self.get_preference(key, supports.get(key, None))
diff --git a/src/idpyoidc/server/client_authn.py b/src/idpyoidc/server/client_authn.py
@@ -488,6 +488,8 @@ def verify_client(
     if not allowed_methods:
         allowed_methods = list(methods.keys())  # If not specific for this endpoint then all
 
+    logger.info(f"Allowed client authentication methods: {allowed_methods}")
+
     _method = None
     _cdb = _cinfo = None
     _tested = []
@@ -504,8 +506,8 @@ def verify_client(
                 endpoint=endpoint,
                 get_client_id_from_token=get_client_id_from_token,
             )
-        except (BearerTokenAuthenticationError, ClientAuthenticationError):
-            raise
+        # except (BearerTokenAuthenticationError, ClientAuthenticationError):
+        #     raise
         except Exception as err:
             logger.info("Verifying auth using {} failed: {}".format(_method.tag, err))
             continue
@@ -534,7 +536,7 @@ def verify_client(
                 _auto_reg = getattr(endpoint, "automatic_registration", None)
                 if _auto_reg:
                     _cinfo = {"client_id": client_id}
-                    _auto_reg.set(client_id, _cinfo)
+                    _cdb[client_id] = _cinfo
                 else:
                     raise UnknownClient("Unknown Client ID")
 
diff --git a/src/idpyoidc/server/endpoint.py b/src/idpyoidc/server/endpoint.py
@@ -196,7 +196,9 @@ def parse_request(
         :return:
         """
         LOGGER.debug("- {} -".format(self.endpoint_name))
-        LOGGER.info("Request: %s" % sanitize(request))
+        LOGGER.info(f"Request: {sanitize(request)}")
+        if http_info:
+            LOGGER.info(f"HTTP info: {http_info}")
 
         _context = self.upstream_get("context")
         _keyjar = self.upstream_get("attribute", "keyjar")
diff --git a/src/idpyoidc/server/endpoint_context.py b/src/idpyoidc/server/endpoint_context.py
@@ -241,7 +241,10 @@ def __init__(
             conf = conf.conf
         _supports = self.supports()
         self.keyjar = self.claims.load_conf(conf, supports=_supports, keyjar=keyjar)
-        metadata_schema = conf.conf.get("metadata_schema", None)
+        if isinstance(conf, dict):
+            metadata_schema = conf.get("metadata_schema", None)
+        else:
+            metadata_schema = conf.conf.get("metadata_schema", None)
         if metadata_schema:
             metadata_schema = importer(metadata_schema)
         self.provider_info = self.get_provider_info(_supports, schema=metadata_schema)
diff --git a/src/idpyoidc/server/oauth2/add_on/dpop.py b/src/idpyoidc/server/oauth2/add_on/dpop.py
@@ -107,7 +107,14 @@ def token_post_parse_request(request, client_id, context, **kwargs):
     if not _http_info:
         return request
 
-    _dpop = DPoPProof().verify_header(_http_info["headers"]["dpop"])
+    _headers = _http_info['headers']
+    logger.debug(f"http headers: {_headers}")
+
+    _dpop_header = _headers.get("dpop", _headers.get("http_dpop", None))
+    if not _dpop_header:
+        raise ValueError("Missing DPoP header")
+
+    _dpop = DPoPProof().verify_header(_dpop_header)
 
     # The signature of the JWS is verified, now for checking the
     # content
diff --git a/src/idpyoidc/server/session/grant.py b/src/idpyoidc/server/session/grant.py
@@ -377,7 +377,6 @@ def mint_token(
             )
 
             logger.debug(f"token_payload: {token_payload}")
-
             item.value = token_handler(
                 session_id=session_id, usage_rules=usage_rules, **token_payload
             )
diff --git a/src/idpyoidc/server/token/jwt_token.py b/src/idpyoidc/server/token/jwt_token.py
@@ -1,3 +1,4 @@
+import logging
 from typing import Callable
 from typing import Optional
 from typing import Union
@@ -7,30 +8,32 @@
 from cryptojwt.utils import importer
 
 from idpyoidc.server.exception import ToOld
-
-from ...message import Message
-from ...message.oauth2 import JWTAccessToken
-from ..constant import DEFAULT_TOKEN_LIFETIME
-from . import Token
 from . import is_expired
+from . import Token
 from .exception import UnknownToken
 from .exception import WrongTokenClass
+from ..constant import DEFAULT_TOKEN_LIFETIME
+from ...message import Message
+from ...message.oauth2 import JWTAccessToken
+
+logger = logging.getLogger(__name__)
 
 
 class JWTToken(Token):
+
     def __init__(
-        self,
-        token_class,
-        # keyjar: KeyJar = None,
-        issuer: str = None,
-        aud: Optional[list] = None,
-        alg: str = "ES256",
-        lifetime: int = DEFAULT_TOKEN_LIFETIME,
-        upstream_get: Callable = None,
-        token_type: str = "Bearer",
-        profile: Optional[Union[Message, str]] = JWTAccessToken,
-        with_jti: Optional[bool] = False,
-        **kwargs
+            self,
+            token_class,
+            # keyjar: KeyJar = None,
+            issuer: str = None,
+            aud: Optional[list] = None,
+            alg: str = "ES256",
+            lifetime: int = DEFAULT_TOKEN_LIFETIME,
+            upstream_get: Callable = None,
+            token_type: str = "Bearer",
+            profile: Optional[Union[Message, str]] = JWTAccessToken,
+            with_jti: Optional[bool] = False,
+            **kwargs
     ):
         Token.__init__(self, token_class, **kwargs)
         self.token_type = token_type
@@ -59,13 +62,13 @@ def load_custom_claims(self, payload: dict = None):
         return payload
 
     def __call__(
-        self,
-        session_id: Optional[str] = "",
-        token_class: Optional[str] = "",
-        usage_rules: Optional[dict] = None,
-        profile: Optional[Message] = None,
-        with_jti: Optional[bool] = None,
-        **payload
+            self,
+            session_id: Optional[str] = "",
+            token_class: Optional[str] = "",
+            usage_rules: Optional[dict] = None,
+            profile: Optional[Message] = None,
+            with_jti: Optional[bool] = None,
+            **payload
     ) -> str:
         """
         Return a token.
@@ -89,8 +92,10 @@ def __call__(
             lifetime = usage_rules.get("expires_in")
         else:
             lifetime = self.lifetime
+        _keyjar = self.upstream_get("attribute", "keyjar")
+        logger.info(f"Key owners in the keyjar: {_keyjar.owners()}")
         signer = JWT(
-            key_jar=self.upstream_get("attribute", "keyjar"),
+            key_jar=_keyjar,
             iss=self.issuer,
             lifetime=lifetime,
             sign_alg=self.alg,
diff --git a/tests/test_11_impexp.py b/tests/test_11_impexp.py
@@ -94,3 +94,27 @@ def test_flush():
     assert len(b.bundles) == 2
     for kb in b.bundles:
         assert isinstance(kb, KeyBundle)
+
+
+def test_dict():
+    b = ImpExpTest()
+    b.string = "foo"
+    b.list = ["a", "b", "c"]
+    b.dict = {"a": 1, "b": 2}
+    b.message = {
+        "scope": "openid",
+        "redirect_uri": "https://example.com/cb",
+        "response_type": "code",
+        "client_id": "abcdefg",
+    }
+
+    dump = b.dump()
+
+    b.flush()
+
+    b.load(dump)
+
+    assert b.string == "foo"
+    assert b.list == ["a", "b", "c"]
+    assert b.dict == {"a": 1, "b": 2}
+    assert isinstance(b.message, AuthorizationRequest)

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "GEmhZ9UKLSq60zECQRyAtmMLG5smRpCl"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "Px8EGB-oWk-DfMlYWXBHTjED372mvtBt"}]}`
	`1`	`+{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "HqZu6WO7HyvyCfAwfCdzwSLUuEeVPiIv"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "Y3sPFaO2qJuG-Q2O-UzpRIYk-I1KLPZo"}]}`
Original file line number	Diff line number	Diff line change
`@@ -377,7 +377,6 @@ def mint_token(`
`377`	`377`	`)`
`378`	`378`
`379`	`379`	`logger.debug(f"token_payload: {token_payload}")`
`380`		`-`
`381`	`380`	`item.value = token_handler(`
`382`	`381`	`session_id=session_id, usage_rules=usage_rules, **token_payload`
`383`	`382`	`)`