def test_encode_jwt(self):
self.test_generate_jwk()
self.payload = {'hello': 'world'}
self.encoded = JWTUtil.encode(self.payload, self.prv_jwk)
print(f'encoded: {self.encoded}')
extracted = JWTUtil.unverified_decode(self.encoded)
print(f'payload: {extracted}')
self.assertDictEqual(self.payload, extracted)
def test_refresh_token(self):
self.test_issue_token()
decoded = JWTUtil.unverified_decode(self.token.access_token)
user_id = decoded['aud']
self.token = self.identity_v1.Token.refresh(
{}, metadata=(('token', self.token.refresh_token), ))
decoded = JWTUtil.unverified_decode(self.token.access_token)
self.assertIsNotNone(self.token.access_token)
self.assertEqual(user_id, decoded['aud'])
def test_generate_jwk(self):
self.prv_jwk, self.pub_jwk = JWTUtil.generate_jwk()
print(f'pub_jwk: {self.pub_jwk}')
print(f'prv_jwk: {self.prv_jwk}')
self.assertEqual(self.pub_jwk['n'], self.prv_jwk['n'])
def test_exceeded_maximum_refresh_count(self):
self.test_issue_token()
decoded = JWTUtil.unverified_decode(self.token.refresh_token)
refresh_limit = decoded['ttl']
for i in range(refresh_limit):
self.token = self.identity_v1.Token.refresh(
{}, metadata=(('token', self.token.refresh_token), ))
with self.assertRaisesRegex(Exception, 'ERROR_AUTHENTICATE_FAILURE'):
self.identity_v1.Token.refresh(
{}, metadata=(('token', self.token.refresh_token), ))
def validate(self, token):
if not self._key:
raise ERROR_AUTHENTICATE_FAILURE(message='Decode key is not set.')
if not isinstance(token, (str, bytes)):
raise ERROR_AUTHENTICATE_FAILURE(message='Invalid token format.')
try:
payload = JWTUtil.decode(token, self._key)
except Exception:
raise ERROR_AUTHENTICATE_FAILURE(message='UnKnown Exception.')
return payload
def test_exceeded_maximum_refresh_count(self):
self.test_issue_token()
decoded = JWTUtil.unverified_decode(self.token.refresh_token)
refresh_limit = decoded['ttl']
for i in range(refresh_limit):
self.token = self.identity_v1.Token.refresh(
{}, metadata=(('token', self.token.refresh_token), ))
with self.assertRaises(Exception) as e:
self.identity_v1.Token.refresh(
{}, metadata=(('token', self.token.refresh_token), ))
self.assertIn("ERROR_REFRESH_COUNT", str(e.exception))
def issue_access_token(self, user_type, user_id, domain_id, **kwargs):
private_jwk = self._get_private_jwk(kwargs)
timeout = kwargs.get('timeout', self.CONST_TOKEN_TIMEOUT)
payload = {
'cat': 'ACCESS_TOKEN',
'user_type': user_type,
'did': domain_id,
'aud': user_id,
'iat': int(time.time()),
'exp': int(time.time() + timeout)
}
encoded = JWTUtil.encode(payload, private_jwk)
return encoded
def validate(self, token, options=None):
if not self._key:
raise ERROR_AUTHENTICATE_FAILURE(message='Decode key is not set.')
if not isinstance(token, (str, bytes)):
raise ERROR_AUTHENTICATE_FAILURE(message='Invalid token format.')
if options is None:
options = {}
try:
payload = JWTUtil.decode(token, self._key, options=options)
except Exception:
raise ERROR_AUTHENTICATE_FAILURE(
message='Token is invalid or expired.')
return payload
def __init__(self, transaction, config, **kwargs):
super().__init__(transaction, config, **kwargs)
""" Overwrite configuration
Remote Repository has different authentication.
So do not use your token at meta.
Use another authentication algorithm like token
Args:
conn: dict (endpoint, version, ...)
"""
#_LOGGER.debug("[RemoteRepositoryConnector] meta: %s" % self.transaction.meta)
#_LOGGER.debug("[RemoteRepositoryConnector] self.conn: %s" % self.conn)
e = parse_grpc_endpoint(self.conn['endpoint'])
self.client = pygrpc.client(endpoint=e['endpoint'],
ssl_enabled=e['ssl_enabled'])
# Update meta (like domain_id)
# TODO: change meta to marketplace token
meta = self.transaction.get_connection_meta()
new_meta = []
if 'credential' in self.conn:
credential = self.conn['credential']
if 'token' in credential:
# self.meta = [('token',credential['token'])]
self._token = credential['token']
else:
# TODO: raise ERROR
raise ERROR_CONFIGURATION(key='credential')
for (k, v) in meta:
if k != 'token' and v is not None:
new_meta.append((k, v))
elif k == 'token':
new_meta.append(('token', self._token))
self.meta = new_meta
# Update domain_id
# This repository is not our domain.
# find domain_id from token
decoded_token = JWTUtil.unverified_decode(self._token)
self.domain_id = decoded_token['did']
def test_issue_token(self):
token_param = {
'credentials': {
'user_id': self.user.user_id,
'password': self.pw
},
'domain_id': self.domain.domain_id
}
issue_token = self.identity_v1.Token.issue(token_param)
self.token = issue_token
print(f'issued_token: {issue_token}')
self.assertIsNotNone(issue_token.access_token)
self.assertIsNotNone(issue_token.refresh_token)
decoded = JWTUtil.unverified_decode(issue_token.access_token)
self.assertEqual(self.user.user_id, decoded['aud'])
def issue_refresh_token(self, user_type, user_id, domain_id, **kwargs):
refresh_private_jwk = self._get_refresh_private_jwk(kwargs)
ttl = kwargs.get('ttl', self.CONST_REFRESH_TTL)
timeout = kwargs.get('timeout', self.CONST_REFRESH_TIMEOUT)
refresh_key = self._generate_refresh_key()
payload = {
'cat': 'REFRESH_TOKEN',
'user_type': user_type,
'did': domain_id,
'aud': user_id,
'iat': int(time.time()),
'exp': int(time.time() + timeout),
"key": refresh_key,
'ttl': ttl
}
encoded = JWTUtil.encode(payload, refresh_private_jwk)
if self.CONST_REFRESH_ONCE:
self._set_refresh_token_cache(refresh_key)
return encoded
def test_create_api_key(self, domain_id=None):
param = {
'user_id':
self.user.user_id,
'domain_id':
domain_id if domain_id is not None else self.domain.domain_id
}
api_key_vo = self.identity_v1.APIKey.create(param)
self.api_key = api_key_vo
self.api_keys.append(self.api_key)
self.assertEqual(api_key_vo.user_id, param['user_id'])
api_key = api_key_vo.api_key
print(f'api_key: {api_key}')
decoded = JWTUtil.unverified_decode(api_key)
print(f'api_key(decoded): {decoded}')
self.assertEqual(api_key_vo.user_id, param['user_id'])
self.assertIn(decoded['ver'], self.versions)
self.assertIsNotNone(decoded['key'])
def generate_api_key(self) -> Tuple[str, Any]:
key = utils.random_string()
payload = {
'cat': 'API_KEY',
'user_type': 'USER',
'did': self.domain_id,
'aud': self.aud_id,
'iat': int(time.time()),
'key': key,
'ver': '2020-03-04'
}
encoded = JWTUtil.encode(payload, self.prv_jwk)
_LOGGER.debug(f'[KeyGenerator] Generated payload. ( '
f'cat: {payload.get("cat")}, '
f'ver: {payload.get("ver")}, '
f'key(masked): {payload.get("key")[0:8]}*****, '
f'aud: {payload.get("aud")}, '
f'did: {payload.get("did")} )')
return key, encoded
def generate_api_key(self,
api_key_id: str,
user_type: str = 'USER') -> Tuple[str, Any]:
payload = {
'cat': 'API_KEY',
'user_type': user_type,
'did': self.domain_id,
'aud': self.audience,
'iat': int(time.time()),
'api_key_id': api_key_id,
'ver': '2020-12-07'
}
encoded = JWTUtil.encode(payload, self.prv_jwk)
_LOGGER.debug(f'[KeyGenerator] Generated payload. ( '
f'cat: {payload.get("cat")}, '
f'user_type: {payload.get("user_type")}, '
f'did: {payload.get("did")}, '
f'aud: {payload.get("aud")}, '
f'api_key_id: {payload.get("api_key_id")}, '
f'version: {payload.get("version")} )')
return encoded
def test_create_api_key(self, domain_id=None):
params = {
'user_id':
self.user.user_id,
'domain_id':
domain_id if domain_id is not None else self.domain.domain_id
}
self.api_key = self.identity_v1.APIKey.create(
params, metadata=(('token', self.owner_token), ))
self.api_keys.append(self.api_key)
self.assertEqual(self.api_key.user_id, params['user_id'])
api_key = self.api_key.api_key
print(f'api_key: {api_key}')
decoded = JWTUtil.unverified_decode(api_key)
print(f'api_key(decoded): {decoded}')
self.assertEqual(self.api_key.user_id, params['user_id'])
self.assertIn(decoded['ver'], self.versions)
self.assertIsNotNone(decoded['api_key_id'])
def test_decode_jwt(self):
self.test_encode_jwt()
decoded = JWTUtil.decode(self.encoded, self.pub_jwk)
print(f'decoded: {decoded}')
self.assertDictEqual(self.payload, decoded)
def _get_domain_id_from_token(token):
decoded_token = JWTUtil.unverified_decode(token)
return decoded_token['did']
