def test_authentication_tag_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=b'adssadsadsadsadasdasdasads')
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
def test_authentication_tag_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
tag=b'adssadsadsadsadasdasdasads')
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException):
decoder.decrypt_jwt_token(jwe.decode())
def assertInDecryptException(self, jwe, error):
decoder = JWTDecryptor(*self.decryptor_args)
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe, self.leeway)
if error not in ite.exception.value:
raise AssertionError(
'"{}" not found in decrypt exception'.format(error))
def test_authentication_tag_not_128_bits(self):
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=os.urandom(10))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("'Authentication tag must be 16 bytes or longer", ite.exception.value)
def test_invalid_algorithm(self):
jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}'
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Invalid Algorithm", ite.exception.value)
def test_jwe_header_only_contains_alg_and_enc(self):
jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}'
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("InvalidTag", ite.exception.value)
def test_enc_missing(self):
jwe_protected_header = b'{"alg":"RSA-OAEP"}'
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Missing Encoding", ite.exception.value)
def test_cek_not_256_bits(self):
cek = os.urandom(24)
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("CEK incorrect length", ite.exception.value)
def test_authentication_tag_not_128_bits(self):
encoder = Encoder()
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
tag=os.urandom(10))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("'Authentication tag must be 16 bytes or longer",
ite.exception.value)
def test_iv_not_96_bits(self):
iv = os.urandom(45)
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), iv=iv)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("IV incorrect length", ite.exception.value)
def test_iv_not_96_bits(self):
iv = os.urandom(45)
encoder = Encoder()
encoder.iv = iv
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("IV incorrect length", ite.exception.value)
def test_jwe_header_only_contains_alg_and_enc(self):
jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}'
encoder = Encoder()
jwe = encoder.encrypt_token(
VALID_SIGNED_JWT.encode(),
jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("InvalidTag", ite.exception.value)
def test_invalid_algorithm(self):
jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}'
encoder = Encoder()
jwe = encoder.encrypt_token(
VALID_SIGNED_JWT.encode(),
jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Invalid Algorithm", ite.exception.value)
def test_cek_not_256_bits(self):
cek = os.urandom(24)
encoder = Encoder()
encoder.cek = cek
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("CEK incorrect length", ite.exception.value)
def test_enc_missing(self):
jwe_protected_header = b'{"alg":"RSA-OAEP"}'
encoder = Encoder()
jwe = encoder.encrypt_token(
VALID_SIGNED_JWT.encode(),
jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Missing Encoding", ite.exception.value)
def test_jwe_key_not_2048_bits(self):
cek = os.urandom(32)
encoder = Encoder()
encrypted_key = encoder._encrypted_key(cek)
encrypted_key = encrypted_key[0:len(encrypted_key) - 2]
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek, encrypted_key=encrypted_key)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("ValueError", ite.exception.value)
def test_jwe_key_not_2048_bits(self):
cek = os.urandom(32)
encoder = Encoder()
encoder.cek = cek
encrypted_key = encoder._encrypted_key(cek) # pylint: disable=protected-access
encrypted_key = encrypted_key[0:len(encrypted_key) - 2]
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
encrypted_key=encrypted_key)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("ValueError", ite.exception.value)
def flush_data():
if session:
session.clear()
encrypted_token = request.args.get('token')
if encrypted_token is None:
return Response(status=403)
decoder = JWTDecryptor(
current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY'],
current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD'],
current_app.config['EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY'],
)
decrypted_token = decoder.decrypt_jwt_token(
encrypted_token,
current_app.config['EQ_JWT_LEEWAY_IN_SECONDS'],
)
roles = decrypted_token.get('roles')
if roles and 'flusher' in roles:
user = _get_user(decrypted_token)
if _submit_data(user):
return Response(status=200)
else:
return Response(status=404)
else:
return Response(status=403)
def test_cipher_text_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())
tokens = jwe.decode().split('.')
jwe_protected_header = tokens[0]
encrypted_key = tokens[1]
encoded_iv = tokens[2]
encoded_cipher_text = tokens[3]
encoded_tag = tokens[4]
corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1]
reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException):
decoder.decrypt_jwt_token(reassembled)
def test_cipher_text_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode())
tokens = jwe.decode().split('.')
jwe_protected_header = tokens[0]
encrypted_key = tokens[1]
encoded_iv = tokens[2]
encoded_cipher_text = tokens[3]
encoded_tag = tokens[4]
corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1]
reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(reassembled)
def decrypt_token(encrypted_token):
logger.debug("decrypting token")
if encrypted_token is None:
raise NoTokenException("Please provide a token")
decoder = JWTDecryptor(
current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY'],
current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD'],
current_app.config['EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY'],
)
decrypted_token = decoder.decrypt_jwt_token(
encrypted_token,
current_app.config['EQ_JWT_LEEWAY_IN_SECONDS'],
)
valid, field = is_valid_metadata(decrypted_token)
if not valid:
raise InvalidTokenException("Missing value {}".format(field))
logger.debug("token decrypted")
return decrypted_token
def _jwt_decrypt(self, request):
encrypted_token = request.args.get(EQ_URL_QUERY_STRING_JWT_FIELD_NAME)
decoder = JWTDecryptor()
token = decoder.decrypt_jwt_token(encrypted_token)
return token
def test_does_not_contain_four_instances_of_full_stop(self):
jwe = VALID_JWE.replace('.', '', 1)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe)
self.assertIn("Incorrect size", ite.exception.value)
def test_does_not_contain_four_instances_of_full_stop(self):
jwe = VALID_JWE.replace('.', '', 1)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe)
self.assertIn("Incorrect size", ite.exception.value)
def test_valid_jwe(self):
decoder = JWTDecryptor()
token = decoder.decrypt_jwt_token(VALID_JWE)
self.assertEqual("jimmy", token.get("user"))
def test_decrypt_jwt_token(self):
decoder = JWTDecryptor(*self.good_args)
token = decoder.decrypt_jwt_token(VALID_JWE, 120)
self.assertEqual("jimmy", token.get("user"))
def test_decrypt_jwt_token(self):
decoder = JWTDecryptor()
token = decoder.decrypt_jwt_token(VALID_JWE)
self.assertEquals("jimmy", token.get("user"))
def _jwt_decrypt(request):
encrypted_token = request.args.get('token')
decoder = JWTDecryptor()
token = decoder.decrypt_jwt_token(encrypted_token)
return token
