def test_authentication_tag_corrupted(self):
        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=b'adssadsadsadsadasdasdasads')

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
Beispiel #2
0
    def test_authentication_tag_corrupted(self):
        encoder = Encoder()
        jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
                                    tag=b'adssadsadsadsadasdasdasads')

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException):
            decoder.decrypt_jwt_token(jwe.decode())
Beispiel #3
0
    def assertInDecryptException(self, jwe, error):
        decoder = JWTDecryptor(*self.decryptor_args)
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe, self.leeway)

        if error not in ite.exception.value:
            raise AssertionError(
                '"{}" not found in decrypt exception'.format(error))
    def test_authentication_tag_not_128_bits(self):
        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=os.urandom(10))

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("'Authentication tag must be 16 bytes or longer", ite.exception.value)
    def test_invalid_algorithm(self):
        jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}'
        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("Invalid Algorithm", ite.exception.value)
    def test_jwe_header_only_contains_alg_and_enc(self):
        jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}'
        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("InvalidTag", ite.exception.value)
    def test_enc_missing(self):
        jwe_protected_header = b'{"alg":"RSA-OAEP"}'

        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("Missing Encoding", ite.exception.value)
    def test_cek_not_256_bits(self):
        cek = os.urandom(24)

        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek)

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("CEK incorrect length", ite.exception.value)
Beispiel #9
0
    def test_authentication_tag_not_128_bits(self):
        encoder = Encoder()
        jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
                                    tag=os.urandom(10))

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("'Authentication tag must be 16 bytes or longer",
                      ite.exception.value)
Beispiel #10
0
    def test_iv_not_96_bits(self):
        iv = os.urandom(45)

        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), iv=iv)

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
            self.assertIn("IV incorrect length", ite.exception.value)
Beispiel #11
0
    def test_iv_not_96_bits(self):
        iv = os.urandom(45)

        encoder = Encoder()
        encoder.iv = iv
        jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
            self.assertIn("IV incorrect length", ite.exception.value)
Beispiel #12
0
    def test_jwe_header_only_contains_alg_and_enc(self):
        jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}'
        encoder = Encoder()
        jwe = encoder.encrypt_token(
            VALID_SIGNED_JWT.encode(),
            jwe_protected_header=encoder._base_64_encode(jwe_protected_header))  # pylint: disable=protected-access

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("InvalidTag", ite.exception.value)
Beispiel #13
0
    def test_invalid_algorithm(self):
        jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}'
        encoder = Encoder()
        jwe = encoder.encrypt_token(
            VALID_SIGNED_JWT.encode(),
            jwe_protected_header=encoder._base_64_encode(jwe_protected_header))  # pylint: disable=protected-access

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("Invalid Algorithm", ite.exception.value)
Beispiel #14
0
    def test_cek_not_256_bits(self):
        cek = os.urandom(24)

        encoder = Encoder()
        encoder.cek = cek
        jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("CEK incorrect length", ite.exception.value)
Beispiel #15
0
    def test_enc_missing(self):
        jwe_protected_header = b'{"alg":"RSA-OAEP"}'

        encoder = Encoder()
        jwe = encoder.encrypt_token(
            VALID_SIGNED_JWT.encode(),
            jwe_protected_header=encoder._base_64_encode(jwe_protected_header))  # pylint: disable=protected-access

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("Missing Encoding", ite.exception.value)
Beispiel #16
0
    def test_jwe_key_not_2048_bits(self):
        cek = os.urandom(32)

        encoder = Encoder()
        encrypted_key = encoder._encrypted_key(cek)
        encrypted_key = encrypted_key[0:len(encrypted_key) - 2]
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek, encrypted_key=encrypted_key)

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("ValueError", ite.exception.value)
Beispiel #17
0
    def test_jwe_key_not_2048_bits(self):
        cek = os.urandom(32)

        encoder = Encoder()
        encoder.cek = cek
        encrypted_key = encoder._encrypted_key(cek)  # pylint: disable=protected-access
        encrypted_key = encrypted_key[0:len(encrypted_key) - 2]
        jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
                                    encrypted_key=encrypted_key)

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(jwe.decode())
        self.assertIn("ValueError", ite.exception.value)
Beispiel #18
0
def flush_data():

    if session:
        session.clear()

    encrypted_token = request.args.get('token')

    if encrypted_token is None:
        return Response(status=403)

    decoder = JWTDecryptor(
        current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY'],
        current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD'],
        current_app.config['EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY'],
    )

    decrypted_token = decoder.decrypt_jwt_token(
        encrypted_token,
        current_app.config['EQ_JWT_LEEWAY_IN_SECONDS'],
    )

    roles = decrypted_token.get('roles')

    if roles and 'flusher' in roles:
        user = _get_user(decrypted_token)
        if _submit_data(user):
            return Response(status=200)
        else:
            return Response(status=404)
    else:
        return Response(status=403)
Beispiel #19
0
    def test_cipher_text_corrupted(self):
        encoder = Encoder()
        jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())

        tokens = jwe.decode().split('.')
        jwe_protected_header = tokens[0]
        encrypted_key = tokens[1]
        encoded_iv = tokens[2]
        encoded_cipher_text = tokens[3]
        encoded_tag = tokens[4]

        corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1]
        reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException):
            decoder.decrypt_jwt_token(reassembled)
Beispiel #20
0
    def test_cipher_text_corrupted(self):
        encoder = Encoder()
        jwe = encoder.encrypt(VALID_SIGNED_JWT.encode())

        tokens = jwe.decode().split('.')
        jwe_protected_header = tokens[0]
        encrypted_key = tokens[1]
        encoded_iv = tokens[2]
        encoded_cipher_text = tokens[3]
        encoded_tag = tokens[4]

        corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1]
        reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag

        decoder = JWTDecryptor()
        with self.assertRaises(InvalidTokenException) as ite:
            decoder.decrypt_jwt_token(reassembled)
Beispiel #21
0
def decrypt_token(encrypted_token):
    logger.debug("decrypting token")
    if encrypted_token is None:
        raise NoTokenException("Please provide a token")

    decoder = JWTDecryptor(
        current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY'],
        current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD'],
        current_app.config['EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY'],
    )

    decrypted_token = decoder.decrypt_jwt_token(
        encrypted_token,
        current_app.config['EQ_JWT_LEEWAY_IN_SECONDS'],
    )

    valid, field = is_valid_metadata(decrypted_token)
    if not valid:
        raise InvalidTokenException("Missing value {}".format(field))

    logger.debug("token decrypted")
    return decrypted_token
 def _jwt_decrypt(self, request):
     encrypted_token = request.args.get(EQ_URL_QUERY_STRING_JWT_FIELD_NAME)
     decoder = JWTDecryptor()
     token = decoder.decrypt_jwt_token(encrypted_token)
     return token
Beispiel #23
0
 def test_does_not_contain_four_instances_of_full_stop(self):
     jwe = VALID_JWE.replace('.', '', 1)
     decoder = JWTDecryptor()
     with self.assertRaises(InvalidTokenException) as ite:
         decoder.decrypt_jwt_token(jwe)
     self.assertIn("Incorrect size", ite.exception.value)
Beispiel #24
0
 def test_does_not_contain_four_instances_of_full_stop(self):
     jwe = VALID_JWE.replace('.', '', 1)
     decoder = JWTDecryptor()
     with self.assertRaises(InvalidTokenException) as ite:
         decoder.decrypt_jwt_token(jwe)
     self.assertIn("Incorrect size", ite.exception.value)
Beispiel #25
0
 def test_valid_jwe(self):
     decoder = JWTDecryptor()
     token = decoder.decrypt_jwt_token(VALID_JWE)
     self.assertEqual("jimmy", token.get("user"))
 def test_decrypt_jwt_token(self):
     decoder = JWTDecryptor(*self.good_args)
     token = decoder.decrypt_jwt_token(VALID_JWE, 120)
     self.assertEqual("jimmy", token.get("user"))
 def test_decrypt_jwt_token(self):
     decoder = JWTDecryptor()
     token = decoder.decrypt_jwt_token(VALID_JWE)
     self.assertEquals("jimmy", token.get("user"))
Beispiel #28
0
def _jwt_decrypt(request):
    encrypted_token = request.args.get('token')
    decoder = JWTDecryptor()
    token = decoder.decrypt_jwt_token(encrypted_token)
    return token