Replace trust_anchor_id claim with trust_anchor

src/fedservice/appclient/oauth2/registration.py

@@ -117,8 +117,8 @@ def parse_response(self, info, sformat="", state="", **kwargs):
 
         return resp
 
-    def _get_trust_anchor_id(self, entity_statement):
-        return entity_statement.get('trust_anchor_id')
+    def _get_trust_anchor(self, entity_statement):
+        return entity_statement.get('trust_anchor')
 
     def _signature_verifies(self, entity_id, trust_anchor, federation_entity):
         _chains, _ = collect_trust_chains(self.upstream_get('unit'),
@@ -143,9 +143,9 @@ def parse_federation_registration_response(self, resp, **kwargs):
 
         payload = verify_self_signed_signature(resp)
         # Do I trust the TA the OP chose ?
-        logger.debug(f"trust_anchor_id: {payload['trust_anchor_id']}")
+        logger.debug(f"trust_anchor: {payload['trust_anchor']}")
         if (payload[
-            'trust_anchor_id'] not in
+            'trust_anchor'] not in
                 _federation_entity.function.trust_chain_collector.trust_anchors):
             raise ValueError("Trust anchor I don't trust")
 
@@ -160,7 +160,7 @@ def parse_federation_registration_response(self, resp, **kwargs):
                 return _verifier_response
         else:
             # verify the signature on the response from the OP
-            if not self._signature_verifies(payload["iss"], payload['trust_anchor_id'],
+            if not self._signature_verifies(payload["iss"], payload['trust_anchor'],
                                             _federation_entity):
                 raise SignatureFailure("Could not verify signature")
 
@@ -170,7 +170,7 @@ def parse_federation_registration_response(self, resp, **kwargs):
 
             # should only be one chain
             if len(_trust_chains) != 1:
-                raise SystemError(f"More then one chain ending in {payload['trust_anchor_id']}")
+                raise SystemError(f"More then one chain ending in {payload['trust_anchor']}")
 
             _metadata = payload.get("metadata")
             if _metadata:

src/fedservice/appclient/oidc/registration.py

@@ -96,8 +96,8 @@ def parse_response(self, info, sformat="", state="", **kwargs):
 
         return resp
 
-    def _get_trust_anchor_id(self, entity_statement):
-        return entity_statement.get('trust_anchor_id')
+    def _get_trust_anchor(self, entity_statement):
+        return entity_statement.get('trust_anchor')
 
     def _signature_verifies(self, entity_id, trust_anchor, federation_entity):
         _chains, _ = collect_trust_chains(self.upstream_get('unit'),
@@ -122,9 +122,9 @@ def parse_federation_registration_response(self, resp, **kwargs):
 
         payload = verify_self_signed_signature(resp)
         # Do I trust the TA the OP chose ?
-        logger.debug(f"trust_anchor_id: {payload['trust_anchor_id']}")
+        logger.debug(f"trust_anchor: {payload['trust_anchor']}")
         if payload[
-            'trust_anchor_id'] not in _federation_entity.function.trust_chain_collector.trust_anchors:
+            'trust_anchor'] not in _federation_entity.function.trust_chain_collector.trust_anchors:
             raise ValueError("Trust anchor I don't trust")
 
         # This is where I should decide to use the metadata verification service or do it
@@ -138,18 +138,18 @@ def parse_federation_registration_response(self, resp, **kwargs):
                 return _verifier_response
         else:
             # verify the signature on the response from the OP
-            if not self._signature_verifies(payload["iss"], payload['trust_anchor_id'],
+            if not self._signature_verifies(payload["iss"], payload['trust_anchor'],
                                             _federation_entity):
                 raise SignatureFailure("Could not verify signature")
 
             # This is the trust chain from the RP to the TA
             _chains, _ = collect_trust_chains(self.upstream_get('unit'),
                                               entity_id=self.upstream_get('attribute', 'entity_id'),
-                                              stop_at=payload['trust_anchor_id'])
+                                              stop_at=payload['trust_anchor'])
             _trust_chains = verify_trust_chains(_federation_entity, _chains, resp)
             # should only be one chain
             if len(_trust_chains) != 1:
-                raise SystemError(f"More then one chain ending in {payload['trust_anchor_id']}")
+                raise SystemError(f"More then one chain ending in {payload['trust_anchor']}")
             _metadata = payload.get("metadata")
             if _metadata:
                 _trust_chains[0].verified_chain[-1]['metadata'] = _metadata

src/fedservice/appserver/oauth2/authorization.py

@@ -126,5 +126,5 @@ def extra_response_args(self, aresp, **kwargs):
         if _client_id:
             _tcs = _fe.trust_chain.get(_client_id, {})
             if _tcs:
-                aresp['trust_anchor_id'] = _tcs[0].anchor
+                aresp['trust_anchor'] = _tcs[0].anchor
         return aresp

src/fedservice/appserver/oauth2/pushed_authorization.py

@@ -119,5 +119,5 @@ def extra_response_args(self, aresp, **kwargs):
         if _client_id:
             _tcs = _fe.trust_chain.get(_client_id, {})
             if _tcs:
-                aresp['trust_anchor_id'] = _tcs[0].anchor
+                aresp['trust_anchor'] = _tcs[0].anchor
         return aresp

src/fedservice/appserver/oauth2/registration.py

@@ -87,7 +87,7 @@ def process_request(self, request=None, **kwargs):
             entity_statement = _context.create_entity_statement(
                 _federation_entity.upstream_get('attribute', 'entity_id'),
                 payload['iss'],
-                trust_anchor_id=trust_chain.anchor,
+                trust_anchor=trust_chain.anchor,
                 metadata={opponent_entity_type: _policy_metadata},
                 aud=payload['iss'],
             )

src/fedservice/appserver/oidc/authorization.py

@@ -135,5 +135,5 @@ def extra_response_args(self, aresp, **kwargs):
         if _client_id:
             _tcs = _fe.trust_chain.get(_client_id, {})
             if _tcs:
-                aresp['trust_anchor_id'] = _tcs[0].anchor
+                aresp['trust_anchor'] = _tcs[0].anchor
         return aresp

src/fedservice/appserver/oidc/registration.py

@@ -76,7 +76,7 @@ def process_request(self, request=None, **kwargs):
             entity_statement = _context.create_entity_statement(
                 _federation_entity.upstream_get('attribute', 'entity_id'),
                 payload['iss'],
-                trust_anchor_id=trust_chain.anchor,
+                trust_anchor=trust_chain.anchor,
                 metadata={opponent_entity_type: _policy_metadata},
                 aud=payload['iss'],
                 authority_hints=_federation_entity.get_authority_hints()

src/fedservice/entity/function/trust_mark_verifier.py

@@ -137,11 +137,11 @@ def __call__(self,
         else:
             return _mark
 
-    def verify_delegation(self, trust_mark, trust_anchor_id):
+    def verify_delegation(self, trust_mark, trust_anchor):
         _federation_entity = get_federation_entity(self)
         _collector = _federation_entity.function.trust_chain_collector
         # Deal with the delegation
-        _entity_configuration = _collector.get_verified_self_signed_entity_configuration(trust_anchor_id)
+        _entity_configuration = _collector.get_verified_self_signed_entity_configuration(trust_anchor)
 
         if trust_mark['trust_mark_id'] not in _entity_configuration['trust_mark_issuers']:
             return None

src/fedservice/message.py

@@ -504,7 +504,7 @@ class EntityStatement(JsonWebToken):
         'trust_mark_owners': SINGLE_OPTIONAL_JSON,
         'trust_mark_issuers': SINGLE_OPTIONAL_JSON,
         #
-        'trust_anchor_id': SINGLE_OPTIONAL_STRING
+        'trust_anchor': SINGLE_OPTIONAL_STRING
     })
 
     def verify(self, **kwargs):

tests/x_test_12_oidc_registration.py

@@ -118,7 +118,7 @@ def test_registration_verification(self):
         _payload = _jws.jwt.payload()
         assert _payload['iss'] == self.op.entity_id
         assert _payload['sub'] == self.rp.entity_id
-        assert _payload['trust_anchor_id'] == self.ta.entity_id
+        assert _payload['trust_anchor'] == self.ta.entity_id
         assert _payload['aud'] == self.rp.entity_id
 
         ###########################################################################

tests/xtest_13_explicit_registration_oauth.py

@@ -250,7 +250,7 @@ def test_registration_verification(self):
         _payload = _jws.jwt.payload()
         assert _payload['iss'] == self.oauth_serv.entity_id
         assert _payload['sub'] == self.rp.entity_id
-        assert _payload['trust_anchor_id'] == self.ta.entity_id
+        assert _payload['trust_anchor'] == self.ta.entity_id
         assert _payload['aud'] == self.rp.entity_id
 
         ###########################################################################

tests/xtest_57_metadata_verification.py

@@ -260,7 +260,7 @@ def test_registration_verification(self):
         _payload = _jws.jwt.payload()
         assert _payload['iss'] == self.op.entity_id
         assert _payload['sub'] == self.rp.entity_id
-        assert _payload['trust_anchor_id'] == self.ta.entity_id
+        assert _payload['trust_anchor'] == self.ta.entity_id
         assert _payload['aud'] == self.rp.entity_id
 
         ###########################################################################

unused/server_metadata_verification.py

@@ -34,23 +34,23 @@ def process_request(self, request=None, **kwargs):
         _federation_entity = get_federation_entity(self)
         payload = verify_self_signed_signature(request['registration_response'])
         # Do I trust the TA the OP chose ?
-        logger.debug(f"trust_anchor_id: {payload['trust_anchor_id']}")
+        logger.debug(f"trust_anchor: {payload['trust_anchor']}")
         if payload[
-            'trust_anchor_id'] not in _federation_entity.function.trust_chain_collector.trust_anchors:
+            'trust_anchor'] not in _federation_entity.function.trust_chain_collector.trust_anchors:
             raise ValueError("Trust anchor I don't trust")
 
         # Verify that I can collect a trust chain from the subject to a trust anchor
         _chains, _ = collect_trust_chains(self.upstream_get('unit'),
                                           entity_id=payload['sub'],
-                                          stop_at=payload['trust_anchor_id'])
+                                          stop_at=payload['trust_anchor'])
         _trust_chains = verify_trust_chains(_federation_entity, _chains,
                                             request['registration_response'])
         # should only be one chain
         if _trust_chains == []:
             raise SystemError(
-                f"Could not verify any trust chain ending in {payload['trust_anchor_id']}")
+                f"Could not verify any trust chain ending in {payload['trust_anchor']}")
         if len(_trust_chains) != 1:
-            raise SystemError(f"More then one chain ending in {payload['trust_anchor_id']}")
+            raise SystemError(f"More then one chain ending in {payload['trust_anchor']}")
 
         _trust_chains[0].verified_chain[-1]['metadata'] = payload['metadata']
         _trust_chains = apply_policies(_federation_entity, _trust_chains)