def then_the_token_is_authorized_for_authentication(context: Context):
token = context.when_ret_values
assert token, 'The authentication token should be created'
try:
IdentityAuthValidation.verify_authentication(RESOLVER_CLIENT, token)
except IdentityAuthenticationFailed as err:
assert False, f'The authentication should be valid for authentication: {err}'
def test_verify_authentication_raises_auth_error_if_resolver_error(
valid_auth_token):
# doc not provided so will raise not found
resolver_client = ResolverClientTest(docs={})
with pytest.raises(IdentityAuthenticationFailed) as err_wrapper:
IdentityAuthValidation.verify_authentication(resolver_client,
token=valid_auth_token)
assert isinstance(err_wrapper.value.__cause__, IdentityResolverError)
def test_verify_authentication_raises_auth_error_if_invalid_token(
authentication_subject_doc):
resolver_client = ResolverClientTest(
docs={authentication_subject_doc.did: authentication_subject_doc})
with pytest.raises(IdentityAuthenticationFailed) as err_wrapper:
IdentityAuthValidation.verify_authentication(resolver_client,
token='not a token')
assert isinstance(err_wrapper.value.__cause__, IdentityValidationError)
def test_verify_authentication_raises_auth_error_if_token_with_missing_data(
authentication_subject_doc, valid_private_key):
token_with_missing_data = jwt.encode({'plop': 'data'},
valid_private_key,
algorithm=TOKEN_ALGORITHM)
resolver_client = ResolverClientTest(
docs={authentication_subject_doc.did: authentication_subject_doc})
with pytest.raises(IdentityAuthenticationFailed) as err_wrapper:
IdentityAuthValidation.verify_authentication(
resolver_client, token=token_with_missing_data)
assert isinstance(err_wrapper.value.__cause__, IdentityValidationError)
def test_verify_authentication_raises_auth_error_if_token_invalid_signature(
authentication_subject_doc, allowed_issuer, other_private_key):
token_signed_with_an_other_private_key = JwtTokenHelper.create_auth_token(
iss=str(allowed_issuer),
sub=authentication_subject_doc.did,
aud='http://audience/',
duration=360,
private_key=other_private_key)
resolver_client = ResolverClientTest(
docs={authentication_subject_doc.did: authentication_subject_doc})
with pytest.raises(IdentityAuthenticationFailed) as err_wrapper:
IdentityAuthValidation.verify_authentication(
resolver_client, token=token_signed_with_an_other_private_key)
assert isinstance(err_wrapper.value.__cause__, IdentityValidationError)
def then_the_twin_is_created_and_registered_with_delegation(context: Context):
twin_registered_identity = context.when_ret_values
twin_doc = REGULAR_API.get_register_document(twin_registered_identity.did)
assert_new_doc_and_identity(twin_doc, twin_registered_identity,
context.given.twin)
control_delegation_proof = twin_doc.control_delegation_proof.get(
context.given.control_delegation_name)
assert control_delegation_proof, f'control delegation proof {control_delegation_proof} ' \
f'should be added to the twin document'
assert not control_delegation_proof.revoked, \
f'Control delegation proof {control_delegation_proof} should not be revoked'
assert control_delegation_proof.controller == context.given.registered_agent.issuer, \
f'Control delegation proof {control_delegation_proof} controller should be equal to the agent issuer'
IdentityAuthValidation.validate_allowed_for_control(
RESOLVER_CLIENT, context.given.registered_agent.issuer, twin_doc.did)
def test_verify_authentication_raises_auth_error_if_issuer_not_in_doc_keys_or_deleg(
authentication_subject_doc, valid_private_key):
not_auth_issuer = Issuer.build(authentication_subject_doc.did,
'#OtherIssuer')
token_from_not_auth_issuer = JwtTokenHelper.create_auth_token(
iss=str(not_auth_issuer),
sub=authentication_subject_doc.did,
aud='http://audience/',
duration=360,
private_key=valid_private_key)
resolver_client = ResolverClientTest(
docs={authentication_subject_doc.did: authentication_subject_doc})
with pytest.raises(IdentityAuthenticationFailed) as err_wrapper:
IdentityAuthValidation.verify_authentication(
resolver_client, token=token_from_not_auth_issuer)
assert isinstance(err_wrapper.value.__cause__,
IdentityInvalidRegisterIssuerError)
def then_the_user_document_is_updated_with_the_agent_authentication_delegation(context: Context):
given_ctx: RegUserAndAgentAndDelegNameCtx = context.given
assert_single_owner_doc_is_valid(given_ctx.user.registered_identity, DIDType.USER,
given_ctx.user.registered_identity.name)
assert_single_owner_doc_is_valid(given_ctx.agent.registered_identity, DIDType.AGENT,
given_ctx.agent.registered_identity.name)
user_doc = REGULAR_API.get_register_document(given_ctx.user.registered_identity.did)
auth_delegation_proof = user_doc.auth_delegation_proof.get(given_ctx.delegation_name)
assert auth_delegation_proof, f'Auth delegation proof {auth_delegation_proof} should be added to the user document'
assert not auth_delegation_proof.revoked, f'Auth delegation proof {auth_delegation_proof} should not be revoked'
assert auth_delegation_proof.controller == given_ctx.agent.registered_identity.issuer, \
f'Auth delegation proof {auth_delegation_proof} controller should be equal to the agent issuer'
try:
IdentityAuthValidation.validate_allowed_for_auth(RESOLVER_CLIENT,
issuer=given_ctx.agent.registered_identity.issuer,
subject_id=given_ctx.user.registered_identity.did)
except IdentityNotAllowed as err:
assert False, f'Agent should be allowed for authentication in behalf of the user: {err}'
def then_the_twin_document_is_updated_with_the_agent_authentication_delegation(context: Context):
given_ctx: RegTwinAndAgentAndDelegNameCtx = context.given
assert_single_owner_doc_is_valid(given_ctx.twin.registered_identity, DIDType.TWIN,
given_ctx.twin.registered_identity.name)
assert_single_owner_doc_is_valid(given_ctx.agent.registered_identity, DIDType.AGENT,
given_ctx.agent.registered_identity.name)
twin_doc = REGULAR_API.get_register_document(given_ctx.twin.registered_identity.did)
ctrl_delegation_proof = twin_doc.control_delegation_proof.get(given_ctx.delegation_name)
assert ctrl_delegation_proof, f'Control delegation proof {ctrl_delegation_proof} ' \
f'should be added to the twin document'
assert not ctrl_delegation_proof.revoked, f'Control delegation proof {ctrl_delegation_proof} should not be revoked'
assert ctrl_delegation_proof.controller == given_ctx.agent.registered_identity.issuer, \
f'Control delegation proof {ctrl_delegation_proof} controller should be equal to the agent issuer'
try:
IdentityAuthValidation.validate_allowed_for_control(RESOLVER_CLIENT,
issuer=given_ctx.agent.registered_identity.issuer,
subject_id=given_ctx.twin.registered_identity.did)
except IdentityNotAllowed as err:
assert False, f'Agent should be allowed for control in behalf of the twin: {err}'
def test_can_verify_authentication(allowed_issuer, valid_auth_token,
authentication_subject_doc):
resolver_client = ResolverClientTest(
docs={authentication_subject_doc.did: authentication_subject_doc})
claim = IdentityAuthValidation.verify_authentication(
resolver_client, valid_auth_token)
assert claim['iss'] == str(allowed_issuer)
assert claim['aud'] == 'http://audience/'
assert claim['sub'] == authentication_subject_doc.did
assert claim['iat']
assert claim['exp']
def test_verify_authentication_raises_auth_error_if_token_not_allowed(
authentication_subject_doc, allowed_issuer, valid_private_key):
other_doc_with_auth_or_delegation_link = get_valid_document(
new_seed(), '#OtherDoc')
token_signed_with_an_other_private_key = JwtTokenHelper.create_auth_token(
iss=str(allowed_issuer),
sub=other_doc_with_auth_or_delegation_link.did,
aud='http://audience/',
duration=360,
private_key=valid_private_key)
resolver_docs = {
authentication_subject_doc.did:
authentication_subject_doc,
other_doc_with_auth_or_delegation_link.did:
other_doc_with_auth_or_delegation_link
}
resolver_client = ResolverClientTest(docs=resolver_docs)
with pytest.raises(IdentityAuthenticationFailed) as err_wrapper:
IdentityAuthValidation.verify_authentication(
resolver_client, token=token_signed_with_an_other_private_key)
assert isinstance(err_wrapper.value.__cause__, IdentityNotAllowed)
def then_an_authorized_token_is_created(context: Context):
token = context.when_ret_values
IdentityAuthValidation.verify_authentication(RESOLVER_CLIENT, token)
def then_the_token_is_not_authorized_for_authentication(context: Context):
token = context.when_ret_values
assert token, 'The authentication token should be created'
with pytest.raises(IdentityAuthenticationFailed):
IdentityAuthValidation.verify_authentication(RESOLVER_CLIENT, token)