Beispiel #1
def make_assertion(email,
                   audience,
                   issuer=None,
                   exp=None,
                   assertion_sig=None,
                   certificate_sig=None,
                   new_style=True,
                   email_keypair=None,
                   issuer_keypair=None):
    """Build a dummy BrowserID bundled assertion for ``email``.

    This is a test helper: it signs with dummy private keys, so the result
    is only useful for exercising a verifier.  With just ``email`` and
    ``audience`` the assertion appears to come from login.persona.org and
    expires 60 seconds from now.

    ``exp`` is placed in both the assertion and the certificate.  When
    ``assertion_sig`` or ``certificate_sig`` is given, the last
    dot-separated segment of the corresponding signed token is replaced
    with ``encode_bytes(<sig>)``, which yields a deliberately invalid
    signature.  ``email_keypair`` and ``issuer_keypair`` are
    ``(public, private)`` pairs; either defaults to ``get_keypair(...)``.
    ``new_style`` is passed through to ``bundle_certs_and_assertion``.
    """
    issuer = "login.persona.org" if issuer is None else issuer
    if exp is None:
        # Expiry is expressed in milliseconds since the epoch.
        exp = int((time.time() + 60) * 1000)

    # Key pair for the email address: the private half signs the assertion,
    # the public half is embedded in the certificate below.
    if email_keypair is None:
        email_keypair = get_keypair(email)
    email_pub, email_priv = email_keypair

    # Key pair for the issuer: only its private half is used, to sign the
    # certificate.
    if issuer_keypair is None:
        issuer_keypair = get_keypair(issuer)
    _unused_pub, iss_priv = issuer_keypair

    # The assertion is signed with the email's PRIVATE key.
    signed_assertion = jwt.generate({"exp": exp, "aud": audience}, email_priv)
    if assertion_sig is not None:
        pieces = signed_assertion.split(".")
        pieces[-1] = encode_bytes(assertion_sig)
        signed_assertion = ".".join(pieces)

    # The certificate binds the email's public key to the email address and
    # is signed with the issuer's PRIVATE key.
    cert_claims = {
        "iss": issuer,
        "exp": exp,
        "principal": {"email": email},
        "public-key": email_pub,
    }
    signed_certificate = jwt.generate(cert_claims, iss_priv)
    if certificate_sig is not None:
        pieces = signed_certificate.split(".")
        pieces[-1] = encode_bytes(certificate_sig)
        signed_certificate = ".".join(pieces)

    # Bundle the single-certificate chain with the assertion.
    return bundle_certs_and_assertion(
        [signed_certificate], signed_assertion, new_style)
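 def test_encode_decode_json_bytes(self):
     """Round-trip a dict and check that non-object JSON is refused."""
     obj = {"hello": "world"}
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed from unittest in Python 3.12.
     self.assertEqual(obj, decode_json_bytes(encode_json_bytes(obj)))
     # Decoding must reject bytes that are not JSON at all, as well as
     # valid JSON whose top-level value is a scalar or an array.
     self.assertRaises(ValueError, decode_json_bytes,
                       encode_bytes("NOJSON4U"))
     self.assertRaises(ValueError, decode_json_bytes, encode_bytes("42"))
     self.assertRaises(ValueError, decode_json_bytes,
                       encode_bytes("[1, 2, 3]"))
     # Encoding must likewise refuse anything that is not a dict.
     self.assertRaises(ValueError, encode_json_bytes, 42)
     self.assertRaises(ValueError, encode_json_bytes, [1, 3, 3])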
Beispiel #3
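 def test_encode_decode_json_bytes(self):
     """Check the JSON codec round-trips dicts and rejects everything else."""
     obj = {"hello": "world"}
     # Use assertEqual: the assertEquals alias is deprecated and no longer
     # exists in Python 3.12's unittest.
     self.assertEqual(obj, decode_json_bytes(encode_json_bytes(obj)))
     # Inputs that decode to something other than a JSON object (garbage,
     # a bare number, an array) must all raise ValueError.
     for not_an_object in ("NOJSON4U", "42", "[1, 2, 3]"):
         self.assertRaises(ValueError,
                           decode_json_bytes, encode_bytes(not_an_object))
     # The encoder accepts dicts only.
     for not_a_dict in (42, [1, 3, 3]):
         self.assertRaises(ValueError, encode_json_bytes, not_a_dict)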
Beispiel #4
def make_assertion(email, audience, issuer=None, exp=None,
                   assertion_sig=None, certificate_sig=None,
                   new_style=True, email_keypair=None, issuer_keypair=None,
                   idp_claims=None, user_claims=None):
    """Build a dummy BrowserID bundled assertion for ``email``.

    This is a test helper: it signs with dummy private keys, so the result
    is only useful for exercising a verifier.  With just ``email`` and
    ``audience`` the assertion appears to come from login.persona.org and
    expires 60 seconds from now.

    ``assertion_sig`` / ``certificate_sig`` replace the final
    dot-separated segment of the corresponding signed token with
    ``encode_bytes(<sig>)``, producing a deliberately invalid signature.

    ``user_claims`` is merged into the assertion payload and
    ``idp_claims`` into the certificate payload *after* the default fields
    are set, so either can override them ("exp", "aud", "iss",
    "principal", "public-key").  ``email_keypair`` and ``issuer_keypair``
    are ``(public, private)`` pairs; either defaults to
    ``get_keypair(...)``.  ``new_style`` is passed through to
    ``bundle_certs_and_assertion``.
    """

    def _swap_signature(token, raw_sig):
        # Replace the last dot-separated segment with the encoded raw_sig.
        segments = token.split(".")
        segments[-1] = encode_bytes(raw_sig)
        return ".".join(segments)

    issuer = "login.persona.org" if issuer is None else issuer
    if exp is None:
        # Expiry is expressed in milliseconds since the epoch.
        exp = int((time.time() + 60) * 1000)

    # Key pair for the email address: the private half signs the assertion,
    # the public half is embedded in the certificate below.
    if email_keypair is None:
        email_keypair = get_keypair(email)
    email_pub, email_priv = email_keypair

    # Key pair for the issuer: only its private half is used, to sign the
    # certificate.
    if issuer_keypair is None:
        issuer_keypair = get_keypair(issuer)
    _unused_pub, iss_priv = issuer_keypair

    # The assertion is signed with the email's PRIVATE key.
    assertion_claims = {
        "exp": exp,
        "aud": audience,
    }
    if user_claims:
        assertion_claims.update(user_claims)
    signed_assertion = jwt.generate(assertion_claims, email_priv)
    if assertion_sig is not None:
        signed_assertion = _swap_signature(signed_assertion, assertion_sig)

    # The certificate binds the email's public key to the email address and
    # is signed with the issuer's PRIVATE key.
    cert_claims = {
        "iss": issuer,
        "exp": exp,
        "principal": {"email": email},
        "public-key": email_pub,
    }
    if idp_claims:
        cert_claims.update(idp_claims)
    signed_certificate = jwt.generate(cert_claims, iss_priv)
    if certificate_sig is not None:
        signed_certificate = _swap_signature(
            signed_certificate, certificate_sig)

    # Bundle the single-certificate chain with the assertion.
    return bundle_certs_and_assertion(
        [signed_certificate], signed_assertion, new_style)
 def test_error_jwt_with_no_algorithm(self):
     """A token whose header has no "alg" field must fail to parse."""
     # Header and payload are both empty JSON objects, so the header names
     # no signing algorithm; the third segment is an arbitrary signature.
     empty_header = encode_json_bytes({})
     empty_payload = encode_json_bytes({})
     bogus_signature = encode_bytes("signature")
     token = ".".join([empty_header, empty_payload, bogus_signature])
     # jwt.parse is expected to raise ValueError rather than return a
     # parsed token.
     self.assertRaises(ValueError, jwt.parse, token)
Beispiel #6
def generate(payload, key):
    """Serialize ``payload`` as a JWT signed by ``key``.

    The header's "alg" value is the name of the key's class with its last
    three characters dropped (presumably a "Key" suffix -- confirm against
    the key classes).  The signature is ``key.sign`` applied to
    "<header>.<payload>", and the three encoded segments are joined with
    dots.
    """
    alg_name = key.__class__.__name__[:-3]
    header_seg = encode_json_bytes({"alg": alg_name})
    payload_seg = encode_json_bytes(payload)
    # Only the header and payload segments are covered by the signature.
    signing_input = ".".join((header_seg, payload_seg))
    signature_seg = encode_bytes(key.sign(signing_input))
    return ".".join((header_seg, payload_seg, signature_seg))
def generate(payload, key):
    """Produce a signed JWT string for the dict ``payload``.

    "alg" in the header is taken from the key's class name minus its last
    three characters (presumably a "Key" suffix -- confirm against the key
    classes).  ``key.sign`` is applied to the dot-joined header and
    payload segments; the encoded signature becomes the third segment.
    """
    alg_name = key.__class__.__name__[:-3]
    segments = [
        encode_json_bytes({"alg": alg_name}),
        encode_json_bytes(payload),
    ]
    # Sign header + payload first, then append the signature segment.
    segments.append(encode_bytes(key.sign(".".join(segments))))
    return ".".join(segments)
Beispiel #8
 def test_error_jwt_with_no_algorithm(self):
     """Parsing must fail when the JWT header does not declare "alg"."""
     # Both the header and the payload encode an empty dict, so no
     # algorithm is named; the signature segment is arbitrary bytes.
     segments = [encode_json_bytes({}), encode_json_bytes({})]
     segments.append(encode_bytes("signature"))
     token = ".".join(segments)
     # The parser is expected to raise ValueError for such a token.
     self.assertRaises(ValueError, jwt.parse, token)
Beispiel #9
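 def test_encode_decode_bytes(self):
     """Round-trip "HELLO" and check that malformed input is rejected."""
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed from unittest in Python 3.12.
     self.assertEqual("HELLO", decode_bytes(encode_bytes("HELLO")))
     # A unicode input must round-trip to the same value.
     self.assertEqual("HELLO", decode_bytes(encode_bytes(u"HELLO")))
     # Non-ASCII text is not valid encoded input.
     self.assertRaises(ValueError, decode_bytes, u"\N{SNOWMAN}")
     # Presumably rejected for its invalid padding -- confirm against
     # decode_bytes.
     self.assertRaises(ValueError, decode_bytes, "A===")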
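 def test_encode_decode_bytes(self):
     """Check the bytes codec round-trips and raises on bad input."""
     # Use assertEqual: the assertEquals alias is deprecated and no longer
     # exists in Python 3.12's unittest.
     for original in ("HELLO", u"HELLO"):
         self.assertEqual("HELLO", decode_bytes(encode_bytes(original)))
     # decode_bytes must raise ValueError for a non-ASCII character and for
     # "A===" (presumably invalid padding -- confirm against decode_bytes).
     for malformed in (u"\N{SNOWMAN}", "A==="):
         self.assertRaises(ValueError, decode_bytes, malformed)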