Merge branch 'jul/oidc' into 'master'

Jeremy T · Jeremy T · commit 523eeea464db · 2022-04-06T11:14:49.000Z
Jul/oidc

See merge request TankerHQ/sdk-python!225
diff --git a/build_tanker.py b/build_tanker.py
@@ -82,7 +82,7 @@ def on_import() -> None:
         ]
         # macOS system libs + compiler flags are already in the env
         # thanks to the virtualenv generated by conan in setup.py
-        system_libs = []
+        system_libs: List[str] = []
 
     tanker_ext.set_source(
         "_tanker",
diff --git a/cffi_defs.h b/cffi_defs.h
@@ -398,6 +398,10 @@ tanker_future_t* tanker_verify_identity(
 
 tanker_future_t* tanker_stop(tanker_t* tanker);
 
+tanker_future_t* tanker_create_oidc_nonce(tanker_t* tanker);
+
+tanker_future_t* tanker_set_oidc_test_nonce(tanker_t* tanker, char const* nonce);
+
 enum tanker_status tanker_status(tanker_t* tanker);
 
 tanker_future_t* tanker_device_id(tanker_t* session);
diff --git a/tankersdk/tanker.py b/tankersdk/tanker.py
@@ -720,6 +720,21 @@ async def stop(self) -> None:
         c_future = tankerlib.tanker_stop(self.c_tanker)
         await ffihelpers.handle_tanker_future(c_future)
 
+    async def create_oidc_nonce(self) -> str:
+        """Create a nonce to use in oidc authorization code flow"""
+        c_future = tankerlib.tanker_create_oidc_nonce(self.c_tanker)
+        c_voidp = await ffihelpers.handle_tanker_future(c_future)
+        c_str = ffi.cast("char*", c_voidp)
+        res = ffihelpers.c_string_to_str(c_str)
+        tankerlib.tanker_free_buffer(c_str)
+        return res
+
+    async def _set_oidc_test_nonce(self, nonce: str) -> None:
+        """Set the oidc nonce to use during the next verification operation"""
+        c_nonce = ffihelpers.str_to_c_string(nonce)
+        c_future = tankerlib.tanker_set_oidc_test_nonce(self.c_tanker, c_nonce)
+        await ffihelpers.handle_tanker_future(c_future)
+
     async def encrypt(
         self, clear_data: bytes, options: Optional[EncryptionOptions] = None
     ) -> bytes:
diff --git a/test/test_tanker.py b/test/test_tanker.py
@@ -1203,7 +1203,9 @@ async def test_oidc_verification(
         app["id"], app["secret"], str(uuid.uuid4())
     )
 
+    nonce = await martine_phone.create_oidc_nonce()
     await martine_phone.start(identity)
+    await martine_phone._set_oidc_test_nonce(nonce)
     await martine_phone.register_identity(OidcIdTokenVerification(oidc_id_token))
     await martine_phone.stop()
 
@@ -1213,6 +1215,8 @@ async def test_oidc_verification(
     await martine_laptop.start(identity)
 
     assert martine_laptop.status == TankerStatus.IDENTITY_VERIFICATION_NEEDED
+    nonce = await martine_laptop.create_oidc_nonce()
+    await martine_laptop._set_oidc_test_nonce(nonce)
     await martine_laptop.verify_identity(OidcIdTokenVerification(oidc_id_token))
     assert martine_laptop.status == TankerStatus.READY
 
@@ -1223,44 +1227,6 @@ async def test_oidc_verification(
     await martine_laptop.stop()
 
 
-@pytest.mark.asyncio
-async def test_oidc_preshare(tmp_path: Path, app: Dict[str, str], admin: Admin) -> None:
-    email, oidc_id_token = set_up_oidc(app, admin, "martine")
-    alice = await create_user_session(tmp_path, app)
-
-    provisional_identity = tankersdk_identity.create_provisional_identity(
-        app["id"], email
-    )
-    public_provisional_identity = tankersdk_identity.get_public_identity(
-        provisional_identity
-    )
-
-    message = b"hello OIDC user"
-    encrypted = await alice.session.encrypt(
-        message, EncryptionOptions(share_with_users=[public_provisional_identity])
-    )
-
-    martine_phone = create_tanker(app["id"], persistent_path=tmp_path)
-    identity = tankersdk_identity.create_identity(
-        app["id"], app["secret"], str(uuid.uuid4())
-    )
-
-    status = await martine_phone.start(identity)
-    assert status == TankerStatus.IDENTITY_REGISTRATION_NEEDED
-    await martine_phone.register_identity(OidcIdTokenVerification(oidc_id_token))
-    attach_result = await martine_phone.attach_provisional_identity(
-        provisional_identity
-    )
-    assert attach_result.status == TankerStatus.IDENTITY_VERIFICATION_NEEDED
-    await martine_phone.verify_provisional_identity(
-        OidcIdTokenVerification(oidc_id_token)
-    )
-    clear_data = await alice.session.decrypt(encrypted)
-    assert clear_data == message
-    await martine_phone.stop()
-    await alice.session.stop()
-
-
 @pytest.mark.asyncio
 async def test_register_fails_with_preverified_email(
     tmp_path: Path, app: Dict[str, str], admin: Admin

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ def on_import() -> None:`
`82`	`82`	`]`
`83`	`83`	`# macOS system libs + compiler flags are already in the env`
`84`	`84`	`# thanks to the virtualenv generated by conan in setup.py`
`85`		`- system_libs = []`
	`85`	`+ system_libs: List[str] = []`
`86`	`86`
`87`	`87`	`tanker_ext.set_source(`
`88`	`88`	`"_tanker",`