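    def test_authtoken_rs256_verification(self):
        """Verify an auth token issued by Bouncer against its JWKS public key.

        The token is signed with Bouncer's private key. This test rebuilds the
        matching RSA public key from the modulus/exponent published at the
        JSON Web Key Set (JWKS) endpoint and checks the RS256 signature with
        it, then asserts the ``uid`` claim belongs to ``user1``.
        """
        # Obtain an authentication token; the second return value is not
        # needed here.
        token, _ = self.test_authtoken_rs256_anatomy()

        # Obtain the JSON Web Key Set. A non-2xx answer must fail loudly here
        # instead of surfacing as a confusing KeyError a few lines down.
        r = requests.get(Url('/auth/jwks'))
        r.raise_for_status()
        # The first key in the set is treated as the current signing key
        # (same convention the adminrouter bootstrap code relies on).
        key = r.json()['keys'][0]

        # JWK 'e' and 'n' are base64url-encoded big-endian integers.
        exponent_int = bytes_to_number(base64url_decode(key['e'].encode('ascii')))
        modulus_int = bytes_to_number(base64url_decode(key['n'].encode('ascii')))

        # Build a `cryptography` public key object from these numbers.
        public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
        public_key = public_numbers.public_key(backend=cryptography_backend)

        # Verify the token signature using that public key. `algorithms` is a
        # list; pinning it to RS256 rejects tokens whose header claims another
        # (e.g. symmetric) algorithm instead of relying on substring matching
        # against a bare string.
        payload = jwt.decode(token, public_key, algorithms=['RS256'])
        assert payload['uid'] == self.user1_uid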
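def verify_token(masterUrl, authToken, verify=True):
    """Verify a DC/OS auth token against the master's JWKS and print it.

    Fetches the JSON Web Key Set from
    ``https://<masterUrl>/acs/api/v1/auth/jwks``, rebuilds the RSA public key
    from the first key's modulus/exponent and validates ``authToken`` as an
    RS256-signed JWT with it. The decoded payload and its ``exp`` claim
    (rendered as local time) are printed.

    Args:
        masterUrl: host[:port] of the DC/OS master.
        authToken: the compact-serialized JWT to verify.
        verify: passed through to ``requests.get``. ``True`` (default) checks
            the master's TLS certificate against the system CA bundle; a path
            to a CA bundle file works for clusters with a private CA. The JWKS
            is the trust anchor for every token verified here, so fetching it
            with TLS verification disabled would let a network attacker serve
            their own key and have forged tokens accepted.

    Returns:
        The decoded token payload (dict).

    Raises:
        requests.HTTPError: if the JWKS endpoint does not answer 2xx.
        Whatever ``jwt.decode`` raises for an invalid, expired or non-RS256
        token.
    """
    r = requests.get('https://' + masterUrl + '/acs/api/v1/auth/jwks',
                     verify=verify)
    r.raise_for_status()
    # The first key in the set is the one the master currently signs with.
    key = r.json()['keys'][0]

    # JWK 'e' and 'n' are base64url-encoded big-endian integers.
    exponent_int = bytes_to_number(base64url_decode(key['e'].encode('ascii')))
    modulus_int = bytes_to_number(base64url_decode(key['n'].encode('ascii')))

    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(backend=default_backend())

    # Pin the accepted algorithm set explicitly. The keyword is `algorithms`
    # (a list); the singular `algorithm=` used previously is not a recognised
    # `jwt.decode` parameter and pinned nothing.
    payload = jwt.decode(authToken, public_key, algorithms=['RS256'])

    # Single-argument print() behaves the same under Python 2 and 3.
    print(payload)
    print("expiration is: " + time.strftime('%Y-%m-%d %H:%M:%S',
                                            time.localtime(payload['exp'])))
    return payload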
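def dcos_adminrouter(b, opts):
    """Export the IAM's current token-signing public key for Admin Router.

    Fetches the JSON Web Key Set from the local IAM instance, converts the
    first key's RSA modulus/exponent into a `cryptography` public key and
    writes it as a PEM SubjectPublicKeyInfo file under the dcos-adminrouter
    run directory, owned by the Admin Router user.

    Args:
        b: bootstrap helper; only ``b.cluster_id()`` is called here.
        opts: not used by this step.

    Exits the process with status 1 if the JWKS cannot be fetched in time,
    is not a 200 response, or does not contain a usable RSA key.
    """
    b.cluster_id()

    # Require the IAM to already be up and running. The IAM contains logic for
    # achieving consensus about a key pair, and exposes the public key
    # information via its JWKS endpoint. Talk directly to the local IAM instance
    # which is reachable via the local network interface. Bound the request so
    # a hung IAM cannot stall bootstrap indefinitely.
    try:
        r = requests.get('http://127.0.0.1:8101/acs/api/v1/auth/jwks',
                         timeout=30)
    except requests.RequestException as exc:
        log.error('JWKS retrieval failed: %s', exc)
        sys.exit(1)

    if r.status_code != 200:
        log.error('JWKS retrieval failed. Got %s with body: %s', r, r.text)
        sys.exit(1)

    # The first key in the JSON Web Key Set corresponds to the current private
    # key used for signing authentication tokens. Reject a body that is not
    # JSON or lacks the RSA members instead of dying on a bare KeyError.
    try:
        jwks = r.json()
        key = jwks['keys'][0]
        e_b64 = key['e'].encode('ascii')
        n_b64 = key['n'].encode('ascii')
    except (ValueError, KeyError, IndexError, TypeError) as exc:
        log.error('JWKS response is not a usable RSA key set (%s): %s',
                  exc, r.text)
        sys.exit(1)

    # JWK 'e' and 'n' are base64url-encoded big-endian integers.
    exponent_int = bytes_to_number(base64url_decode(e_b64))
    modulus_int = bytes_to_number(base64url_decode(n_b64))
    # Generate a `cryptography` public key object instance from these numbers.
    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(
        backend=cryptography.hazmat.backends.default_backend())

    # Serialize the public key into the OpenSSL PEM public key format
    # (SubjectPublicKeyInfo, RFC 5280).
    pubkey_pem_bytes = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)

    # This is public key material, so a world-readable file is appropriate;
    # ownership is handed to the Admin Router user.
    rundir = utils.dcos_run_path / 'dcos-adminrouter'
    rundir.mkdir(parents=True, exist_ok=True)
    pubkey_path = rundir / 'auth-token-verification-key'
    utils.write_public_file(pubkey_path, pubkey_pem_bytes)
    utils.chown(pubkey_path, user='******')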
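def dcos_adminrouter(b, opts):
    """Export the IAM's current token-signing public key for Admin Router.

    Fetches the JSON Web Key Set from the local IAM instance, converts the
    first key's RSA modulus/exponent into a `cryptography` public key and
    writes it as a PEM SubjectPublicKeyInfo file under
    ``/run/dcos/dcos-adminrouter``, owned by the Admin Router user.

    Args:
        b: bootstrap helper; only ``b.cluster_id()`` is called here.
        opts: not used by this step.

    Exits the process with status 1 if the JWKS cannot be fetched in time,
    is not a 200 response, or does not contain a usable RSA key.
    """
    b.cluster_id()

    # Require the IAM to already be up and running. The IAM contains logic for
    # achieving consensus about a key pair, and exposes the public key
    # information via its JWKS endpoint. Talk directly to the local IAM instance
    # which is reachable via the local network interface. Bound the request so
    # a hung IAM cannot stall bootstrap indefinitely.
    try:
        r = requests.get('http://127.0.0.1:8101/acs/api/v1/auth/jwks',
                         timeout=30)
    except requests.RequestException as exc:
        log.error('JWKS retrieval failed: %s', exc)
        sys.exit(1)

    if r.status_code != 200:
        log.error('JWKS retrieval failed. Got %s with body: %s', r, r.text)
        sys.exit(1)

    # The first key in the JSON Web Key Set corresponds to the current private
    # key used for signing authentication tokens. Reject a body that is not
    # JSON or lacks the RSA members instead of dying on a bare KeyError.
    try:
        jwks = r.json()
        key = jwks['keys'][0]
        e_b64 = key['e'].encode('ascii')
        n_b64 = key['n'].encode('ascii')
    except (ValueError, KeyError, IndexError, TypeError) as exc:
        log.error('JWKS response is not a usable RSA key set (%s): %s',
                  exc, r.text)
        sys.exit(1)

    # JWK 'e' and 'n' are base64url-encoded big-endian integers.
    exponent_int = bytes_to_number(base64url_decode(e_b64))
    modulus_int = bytes_to_number(base64url_decode(n_b64))
    # Generate a `cryptography` public key object instance from these numbers.
    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(
        backend=cryptography.hazmat.backends.default_backend())

    # Serialize the public key into the OpenSSL PEM public key format
    # (SubjectPublicKeyInfo, RFC 5280).
    pubkey_pem_bytes = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)

    # This is public key material, so mode 0644 is appropriate; ownership is
    # handed to the Admin Router user.
    os.makedirs('/run/dcos/dcos-adminrouter', exist_ok=True)
    pubkey_path = '/run/dcos/dcos-adminrouter/auth-token-verification-key'
    _write_file_bytes(pubkey_path, pubkey_pem_bytes, 0o644)
    shutil.chown(pubkey_path, user='******')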