def test_token_expiration(self):
token30sec = AttestationToken(body={
"exp": time()+30, # Expires in 30 seconds
"iat": time(),
"nbf": time() # Not valid before now.
})
assert token30sec.validate_token() is True
expired_token=AttestationToken(body={
"exp": time()-30, # Expired 30 seconds ago
"iat": time(),
"nbf": time()+5 # Not valid for 5 seconds.
})
with pytest.raises(AttestationTokenValidationException):
assert expired_token.validate_token() is False
early_token=AttestationToken(body={
"exp": time()+30, # Expires in 30 seconds
"iat": time(),
"nbf": time()+5 # Not valid for 5 seconds.
})
with pytest.raises(AttestationTokenValidationException):
assert early_token.validate_token() is False
# Specify 40 seconds of slack, so we're within the slack.
# Token validation should start succeeding now because the slack
# lets it work.
token_options=TokenValidationOptions(validation_slack=40)
assert expired_token.validate_token(token_options) is True
assert early_token.validate_token(token_options) is True
async def attest_open_enclave_shared_with_options(self):
"""
Demonstrates calling into the attest_open_enclave API using an attestation
token validation callback to perform validation of the attestation collateral
received from the server.
"""
write_banner("attest_open_enclave_shared_with_options")
oe_report = base64.urlsafe_b64decode(sample_open_enclave_report)
runtime_data = base64.urlsafe_b64decode(sample_runtime_data)
print()
print('Attest Open enclave using ', self.shared_url)
# [START attest_open_enclave_shared_with_options]
def validate_token(token, signer):
#type(AttestationToken, AttestationSigner) -> bool
"""
Perform minimal validation of the issued SGX token.
The token validation logic will have checked the issuance_time
and expiration_time, but this shows accessing those fields.
The validation logic also checks the subject of the certificate to verify
that the issuer of the certificate is the expected instance of the service.
"""
print("In validation callback, checking token...")
print(" Token issuer: ", token.issuer)
print(" Token was issued at: ", token.issuance_time)
print(" Token expires at: ", token.expiration_time)
if token.issuer != self.shared_url:
print(
"Token issuer {} does not match expected issuer {}".format(
token.issuer, self.shared_url))
return False
# Check the subject of the signing certificate used to validate the token.
certificate = cryptography.x509.load_der_x509_certificate(
signer.certificates[0], backend=default_backend())
if certificate.subject != x509.Name(
[x509.NameAttribute(NameOID.COMMON_NAME, self.shared_url)]):
print(
"Certificate subject {} does not match expected subject {}"
.format(certificate.subject, self.shared_url))
return False
print("Token passes validation checks.")
return True
async with self._create_client(
self.shared_url,
token_validation_options=TokenValidationOptions(
validation_callback=validate_token)) as attest_client:
response = await attest_client.attest_open_enclave(
oe_report,
runtime_data=AttestationData(runtime_data, is_json=False))
print("Issuer of token is: ", response.value.issuer)
def create_client(self, base_uri, **kwargs):
#type:(str, Any) -> AttestationClient
"""
docstring
"""
credential = self.get_credential(AttestationClient)
attest_client = self.create_client_from_credential(AttestationClient,
credential=credential,
instance_url=base_uri,
token_validation_options = TokenValidationOptions(
validate_token=True,
validate_signature=True,
validate_issuer=self.is_live,
issuer=base_uri,
validate_expiration=self.is_live))
return attest_client
def create_admin_client(
self, base_uri): #type() -> AttestationAdministrationClient:
"""
docstring
"""
credential = self.get_credential(AttestationAdministrationClient,
is_async=True)
attest_client = self.create_client_from_credential(
AttestationAdministrationClient,
credential=credential,
instance_url=base_uri,
token_validation_options=TokenValidationOptions(
validate_token=True,
validate_signature=True,
validate_issuer=self.is_live,
issuer=base_uri,
validate_expiration=self.is_live))
return attest_client
def test_token_callback_rejected(self):
key = self._create_rsa_key()
cert = self._create_x509_certificate(key, u'test certificate')
token_signer = AttestationSigningKey(key, cert)
token = AttestationToken(body={"val1": [1, 2, 3]}, signer=token_signer)
assert token.get_body()== {"val1": [1, 2, 3]}
global callback_invoked
callback_invoked = False
def callback(token, signer):
assert signer.certificates[0]==cert
return False
options = TokenValidationOptions(validation_callback = callback)
with pytest.raises(AttestationTokenValidationException):
assert token.validate_token(options) is False
