def test_retrieve_jwk_optional_alg(self, mock_requests):
"""Test retrieving jwk with optional alg"""
get_json_mock = Mock()
get_json_mock.json.return_value = {
"keys": [
{
"kid": "kid",
}
]
}
mock_requests.get.return_value = get_json_mock
header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT', 'kid': 'kid'}))
payload = force_bytes(json.dumps({'foo': 'bar'}))
# Compute signature
key = b'mysupersecuretestkey'
h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
msg = '{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload)))
h.update(force_bytes(msg))
signature = b64encode(h.finalize())
token = '{}.{}.{}'.format(
smart_text(b64encode(header)),
smart_text(b64encode(payload)),
smart_text(signature)
)
jwk_key = self.backend.retrieve_matching_jwk(force_bytes(token))
self.assertEqual(jwk_key, get_json_mock.json.return_value['keys'][0])
def test_retrieve_mismatcing_jwk_kid(self, mock_requests):
"""Test retrieving mismatching jwk kid"""
get_json_mock = Mock()
get_json_mock.json.return_value = {
"keys": [
{
"alg": "HS256",
"kid": "foobar",
}
]
}
mock_requests.get.return_value = get_json_mock
header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT', 'kid': 'bar'}))
payload = force_bytes(json.dumps({'foo': 'bar'}))
# Compute signature
key = b'mysupersecuretestkey'
h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
msg = '{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload)))
h.update(force_bytes(msg))
signature = b64encode(h.finalize())
token = '{}.{}.{}'.format(
smart_text(b64encode(header)),
smart_text(b64encode(payload)),
smart_text(signature)
)
with self.assertRaises(SuspiciousOperation) as ctx:
self.backend.retrieve_matching_jwk(force_bytes(token))
self.assertEqual(ctx.exception.args[0], 'Could not find a valid JWKS.')
def test_disallowed_unsecured_token(self):
"""Test payload data from unsecured token (disallowed)."""
header = force_bytes(json.dumps({'alg': 'none'}))
payload = force_bytes(json.dumps({'foo': 'bar'}))
signature = ''
token = force_bytes('{}.{}.{}'.format(smart_text(b64encode(header)),
smart_text(b64encode(payload)),
signature))
with self.assertRaises(KeyError):
self.backend.get_payload_data(token, None)
def test_allowed_unsecured_token(self):
"""Test payload data from unsecured token (allowed)."""
header = force_bytes(json.dumps({'alg': 'none'}))
payload = force_bytes(json.dumps({'foo': 'bar'}))
signature = ''
token = force_bytes('{}.{}.{}'.format(smart_text(b64encode(header)),
smart_text(b64encode(payload)),
signature))
extracted_payload = self.backend.get_payload_data(token, None)
self.assertEqual(payload, extracted_payload)
def to_compact(self):
"""Compact serialization.
:rtype: bytes
"""
assert len(self.signatures) == 1
assert 'alg' not in self.signature.header.not_omitted()
# ... it must be in protected
return (b64.b64encode(self.signature.protected.encode('utf-8')) +
b'.' + b64.b64encode(self.payload) + b'.' +
b64.b64encode(self.signature.signature))
def to_compact(self):
"""Compact serialization.
:rtype: bytes
"""
assert len(self.signatures) == 1
assert 'alg' not in self.signature.header.not_omitted()
# ... it must be in protected
return (
b64.b64encode(self.signature.protected.encode('utf-8')) +
b'.' +
b64.b64encode(self.payload) +
b'.' +
b64.b64encode(self.signature.signature))
def encode_b64jose(data):
"""Encode JOSE Base-64 field.
:param bytes data:
:rtype: `unicode`
"""
# b64encode produces ASCII characters only
return b64.b64encode(data).decode('ascii')
def encode_b64jose(data: bytes) -> str:
"""Encode JOSE Base-64 field.
:param bytes data:
:rtype: `str`
"""
# b64encode produces ASCII characters only
return b64.b64encode(data).decode('ascii')
def test_disallowed_unsecured_valid_token(self):
"""Test payload data from valid secure token (unsecured disallowed)."""
header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT'}))
payload = force_bytes(json.dumps({'foo': 'bar'}))
# Compute signature
key = b'mysupersecuretestkey'
h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
msg = '{}.{}'.format(smart_text(b64encode(header)),
smart_text(b64encode(payload)))
h.update(force_bytes(msg))
signature = b64encode(h.finalize())
token = '{}.{}.{}'.format(smart_text(b64encode(header)),
smart_text(b64encode(payload)),
smart_text(signature))
token_bytes = force_bytes(token)
key_text = smart_text(key)
output = self.backend.get_payload_data(token_bytes, key_text)
self.assertEqual(output, payload)
def test_retrieve_matching_jwk_same_kid(self, mock_requests):
"""Test retrieving valid jwk from a list of keys with the same kid"""
get_json_mock = Mock()
get_json_mock.json.return_value = {
"keys": [{
"alg": "RS512",
"kid": "foobar",
}, {
"alg": "RS384",
"kid": "foobar",
}, {
"alg": "RS256",
"kid": "foobar",
}]
}
mock_requests.get.return_value = get_json_mock
header = force_bytes(
json.dumps({
'alg': 'RS256',
'typ': 'JWT',
'kid': 'foobar'
}))
payload = force_bytes(json.dumps({'foo': 'bar'}))
# Compute signature
key = b'mysupersecuretestkey'
h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
msg = '{}.{}'.format(smart_str(b64encode(header)),
smart_str(b64encode(payload)))
h.update(force_bytes(msg))
signature = b64encode(h.finalize())
token = '{}.{}.{}'.format(smart_str(b64encode(header)),
smart_str(b64encode(payload)),
smart_str(signature))
jwk_key = self.backend.retrieve_matching_jwk(force_bytes(token))
self.assertEqual(jwk_key, get_json_mock.json.return_value['keys'][2])
def test_disallowed_unsecured_invalid_token(self):
"""Test payload data from invalid secure token (unsecured disallowed)."""
header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT'}))
payload = force_bytes(json.dumps({'foo': 'bar'}))
# Compute signature
key = b'mysupersecuretestkey'
fake_key = b'mysupersecurefaketestkey'
h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
msg = '{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload)))
h.update(force_bytes(msg))
signature = b64encode(h.finalize())
token = '{}.{}.{}'.format(
smart_text(b64encode(header)),
smart_text(b64encode(payload)),
smart_text(signature)
)
token_bytes = force_bytes(token)
key_text = smart_text(fake_key)
with self.assertRaises(SuspiciousOperation) as ctx:
self.backend.get_payload_data(token_bytes, key_text)
self.assertEqual(ctx.exception.args[0], 'JWS token verification failed.')
def _validation(response):
"""
Get the validation value for a challenge response.
"""
h = hashlib.sha256(response.key_authorization.encode("utf-8"))
return b64encode(h.digest()).decode()
def _msg(cls, protected, payload):
return (b64.b64encode(protected.encode('utf-8')) + b'.' +
b64.b64encode(payload))
def _msg(cls, protected: str, payload: bytes) -> bytes:
return (b64.b64encode(protected.encode('utf-8')) + b'.' +
b64.b64encode(payload))
def _call(cls, data):
from josepy.b64 import b64encode
return b64encode(data)
def _msg(cls, protected, payload):
return (b64.b64encode(protected.encode('utf-8')) + b'.' +
b64.b64encode(payload))
def _call(cls, data):
from josepy.b64 import b64encode
return b64encode(data)
def _validation(response):
"""
Get the validation value for a challenge response.
"""
h = hashlib.sha256(response.key_authorization.encode("utf-8"))
return b64encode(h.digest()).decode()
