Allow Fernet crypto to be used with CookieHandler.

Author: rohe

src/idpyoidc/server/__init__.py

@@ -7,7 +7,6 @@
 from cryptojwt import KeyJar
 
 from idpyoidc.impexp import ImpExp
-from idpyoidc.message.oidc import RegistrationRequest
 from idpyoidc.server import authz
 from idpyoidc.server.client_authn import client_auth_setup
 from idpyoidc.server.configure import ASConfiguration

src/idpyoidc/server/cookie_handler.py

@@ -15,7 +15,9 @@
 from cryptojwt.jws.hmac import HMACSigner
 from cryptojwt.jwt import utc_time_sans_frac
 from cryptojwt.key_jar import init_key_jar
+from cryptojwt.utils import as_bytes
 
+from idpyoidc.encrypter import init_encrypter
 from idpyoidc.server.util import lv_pack
 from idpyoidc.server.util import lv_unpack
 from idpyoidc.time_util import epoch_in_a_while
@@ -37,10 +39,12 @@ def __init__(
         keys: Optional[dict] = None,
         sign_alg: [str] = "SHA256",
         name: Optional[dict] = None,
+        crypt_config: Optional[dict] = None,
         **kwargs,
     ):
         self.sign_key = None
         self.enc_key = None
+        self.crypt = None
 
         if keys:
             key_jar = init_key_jar(**keys)
@@ -50,6 +54,10 @@ def __init__(
             _keys = key_jar.get_encrypt_key(key_type="oct")
             if _keys:
                 self.enc_key = _keys[0]
+        elif crypt_config:
+            _crypt = init_encrypter(crypt_config)
+            self.crypt = _crypt["encrypter"]
+            self.crypt_config = _crypt["conf"]
         else:
             if sign_key:
                 if isinstance(sign_key, SYMKey):
@@ -134,6 +142,11 @@ def _sign_enc_payload(self, payload: str, timestamp: Optional[Union[int, str]] =
                 base64.b64encode(ctx),
                 base64.b64encode(tag),
             ]
+        elif self.crypt:
+            msg = lv_pack(timestamp, payload)
+            cookie_payload = [
+                bytes_timestamp,
+                base64.b64encode(self.crypt.encrypt(msg.encode()))]
         else:
             cookie_payload = [bytes_timestamp, bytes_load, base64.b64encode(mac)]
 
@@ -149,6 +162,15 @@ def _ver_dec_content(self, parts):
 
         if parts is None:
             return None
+        elif len(parts) == 2:
+            t0, enc_payload = parts
+            if not self.crypt:
+                raise VerificationError("Can not decrypt")
+            msg = self.crypt.decrypt(base64.b64decode(as_bytes(enc_payload)))
+            t1, payload = lv_unpack(msg.decode("utf-8"))
+            if t0 != t1:
+                raise VerificationError('Suspicious timestamp')
+            return payload, t1
         elif len(parts) == 3:
             # verify the cookie signature
             timestamp, payload, b64_mac = parts

tests/private/cookie_jwks.json

@@ -1 +1 @@
-{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "XlZGhRrHFOQwgIJZSV8g23cxVoL27xyv"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "TD6UZ7GmkUeC1oejdCGTf2YAp7FHeGfd"}]}
+{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "G6JN24md0JKKBD16Aq02wPpvW6QrlgzI"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "8YmUB_TM3eW3-uZHUqgsuiXSkMpgboUk"}]}

tests/test_server_20g_cookie_handler.py

@@ -3,6 +3,7 @@
 
 from idpyoidc.server.cookie_handler import CookieHandler
 from idpyoidc.server.cookie_handler import compute_session_state
+from tests import CRYPT_CONFIG
 
 KEYDEFS = [
     {"type": "OCT", "kid": "sig", "use": ["sig"]},
@@ -233,3 +234,56 @@ def test_mult_cookie(self):
 def test_compute_session_state():
     hv = compute_session_state("state", "salt", "client_id", "https://example.com/redirect")
     assert hv == "d21113fbe4b54661ae45f3a3233b0f865ccc646af248274b6fa5664267540e29.salt"
+
+
+class TestCookieHandlerFernetEnc(object):
+    @pytest.fixture(autouse=True)
+    def make_cookie_content_handler(self):
+        cookie_conf = {
+            "crypt_config": CRYPT_CONFIG,
+        }
+
+        self.cookie_handler = CookieHandler(**cookie_conf)
+
+    def test_make_cookie_content(self):
+        _cookie_info = self.cookie_handler.make_cookie_content("idpyoidc.server", "value", "sso")
+        assert _cookie_info
+        assert set(_cookie_info.keys()) == {"name", "value", "samesite", "httponly", "secure"}
+        assert len(_cookie_info["value"].split("|")) == 2
+
+    def test_make_cookie_content_max_age(self):
+        _cookie_info = self.cookie_handler.make_cookie_content(
+            "idpyoidc.server", "value", "sso", max_age=3600
+        )
+        assert _cookie_info
+        assert set(_cookie_info.keys()) == {
+            "name",
+            "value",
+            "max-age",
+            "samesite",
+            "httponly",
+            "secure",
+        }
+        assert len(_cookie_info["value"].split("|")) == 2
+
+    def test_read_cookie_info(self):
+        _cookie_info = [self.cookie_handler.make_cookie_content("idpyoidc.server", "value", "sso")]
+        returned = [{"name": c["name"], "value": c["value"]} for c in _cookie_info]
+        _info = self.cookie_handler.parse_cookie("idpyoidc.server", returned)
+        assert len(_info) == 1
+        assert set(_info[0].keys()) == {"value", "type", "timestamp"}
+        assert _info[0]["value"] == "value"
+        assert _info[0]["type"] == "sso"
+
+    def test_mult_cookie(self):
+        _cookie = [
+            self.cookie_handler.make_cookie_content("idpyoidc.server", "value", "sso"),
+            self.cookie_handler.make_cookie_content("idpyoidc.server", "session_state", "session"),
+        ]
+        assert len(_cookie) == 2
+        _c_info = self.cookie_handler.parse_cookie("idpyoidc.server", _cookie)
+        assert len(_c_info) == 2
+        assert _c_info[0]["value"] == "value"
+        assert _c_info[0]["type"] == "sso"
+        assert _c_info[1]["value"] == "session_state"
+        assert _c_info[1]["type"] == "session"