def test_put_replace_bundle_for_trust_domain():
jwt_bundle = JwtBundle(trust_domain_1, authorities)
jwt_bundle_set = JwtBundleSet({trust_domain_1: jwt_bundle})
assert len(jwt_bundle_set._bundles) == 1
assert jwt_bundle_set._bundles[trust_domain_1] == jwt_bundle
new_jwt_bundle = JwtBundle(trust_domain_1, authorities)
jwt_bundle_set.put(new_jwt_bundle)
assert len(jwt_bundle_set._bundles) == 1
assert jwt_bundle_set._bundles[trust_domain_1] == new_jwt_bundle
def test_create_jwt_bundle_set():
jwt_bundle_1 = JwtBundle(trust_domain_1, authorities)
jwt_bundle_2 = JwtBundle(trust_domain_2, authorities)
fake_bundles = {trust_domain_1: jwt_bundle_1, trust_domain_2: jwt_bundle_2}
jwt_bundle_set = JwtBundleSet(fake_bundles)
# check that the bundle was copied
assert jwt_bundle_set._bundles is not fake_bundles
assert len(jwt_bundle_set._bundles) == len(fake_bundles.keys())
assert list(jwt_bundle_set._bundles.keys())[0].name() == trust_domain_1.name()
assert jwt_bundle_set._bundles[trust_domain_1] == jwt_bundle_1
assert list(jwt_bundle_set._bundles.keys())[1].name() == trust_domain_2.name()
assert jwt_bundle_set._bundles[trust_domain_2] == jwt_bundle_2
def test_get_non_existing_trust_domain():
jwt_bundle = JwtBundle(trust_domain_1, authorities)
jwt_bundle_set = JwtBundleSet({trust_domain_1: jwt_bundle})
res = jwt_bundle_set.get(trust_domain_2)
assert res is None
def test_get_jwt_authority_invalid_input():
jwt_bundle = JwtBundle(trust_domain, authorities)
with pytest.raises(ArgumentError) as exception:
jwt_bundle.get_jwt_authority('')
assert str(exception.value) == 'key_id cannot be empty.'
def test_get_jwt_authority_empty_authority_dict():
invalid_authorities = None
jwt_bundle = JwtBundle(trust_domain, invalid_authorities)
response = jwt_bundle.get_jwt_authority(key_id='p1')
assert response is None
def test_get():
jwt_bundle = JwtBundle(trust_domain_1, authorities)
jwt_bundle_set = JwtBundleSet({trust_domain_1: jwt_bundle})
res = jwt_bundle_set.get(trust_domain_1)
assert res == jwt_bundle
assert res.trust_domain() == jwt_bundle.trust_domain()
def test_put_bundle_on_empty_set():
jwt_bundle_set = JwtBundleSet({})
assert len(jwt_bundle_set._bundles) == 0
jwt_bundle = JwtBundle(trust_domain_1, authorities)
jwt_bundle_set.put(jwt_bundle)
assert len(jwt_bundle_set._bundles) == 1
assert list(jwt_bundle_set._bundles.keys())[0].name() == trust_domain_1.name()
def test_parse_and_validate_valid_token_EC():
ec_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN,
{'kid_ec': ec_key.public_key()})
ec_key_pem, _ = get_keys_pems(ec_key)
token = create_jwt(ec_key_pem, 'kid_ec', alg='ES512')
jwt_svid = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
assert jwt_svid.audience == DEFAULT_AUDIENCE
assert str(jwt_svid.spiffe_id) == DEFAULT_SPIFFE_ID
assert jwt_svid.expiry == DEFAULT_EXPIRY
assert jwt_svid.token == token
def test_parse_and_validate_invalid_kid_mismatch():
rsa_key2 = rsa.generate_private_key(public_exponent=65537, key_size=2048)
jwt_bundle = JwtBundle(
DEFAULT_TRUST_DOMAIN,
{
'kid1': DEFAULT_KEY.public_key(),
'kid10': rsa_key2.public_key()
},
)
token = create_jwt(kid='kid10')
with pytest.raises(InvalidTokenError) as exception:
JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
assert str(exception.value) == 'Signature verification failed.'
def test_parse_and_validate_valid_token_multiple_keys_bundle():
ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend())
jwt_bundle = JwtBundle(
DEFAULT_TRUST_DOMAIN,
{
'kid_rsa': DEFAULT_KEY.public_key(),
'kid_ec': ec_key.public_key()
},
)
ec_key_pem, _ = get_keys_pems(ec_key)
token = create_jwt(ec_key_pem, kid='kid_ec', alg='ES512')
jwt_svid1 = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
assert jwt_svid1.audience == DEFAULT_AUDIENCE
assert str(jwt_svid1.spiffe_id) == DEFAULT_SPIFFE_ID
assert jwt_svid1.expiry == DEFAULT_EXPIRY
assert jwt_svid1.token == token
token2 = create_jwt(kid='kid_rsa')
jwt_svid2 = JwtSvid.parse_and_validate(token2, jwt_bundle, ['spire'])
assert jwt_svid2.audience == DEFAULT_AUDIENCE
assert str(jwt_svid2.spiffe_id) == DEFAULT_SPIFFE_ID
assert jwt_svid2.expiry == DEFAULT_EXPIRY
assert jwt_svid2.token == token2
JwtSvidError,
InvalidTokenError,
MissingClaimError,
)
from pyspiffe.bundle.jwt_bundle.exceptions import AuthorityNotFoundError
from test.svid.test_utils import (
get_keys_pems,
create_jwt,
DEFAULT_SPIFFE_ID,
DEFAULT_AUDIENCE,
DEFAULT_KEY,
DEFAULT_TRUST_DOMAIN,
DEFAULT_EXPIRY,
)
JWT_BUNDLE = JwtBundle(DEFAULT_TRUST_DOMAIN,
{'kid1': DEFAULT_KEY.public_key()})
"""
parse_insecure tests
"""
@pytest.mark.parametrize(
'test_input_token,test_input_audience, expected',
[
('', [], INVALID_INPUT_ERROR.format('token cannot be empty.')),
('', None, INVALID_INPUT_ERROR.format('token cannot be empty.')),
(None, [], INVALID_INPUT_ERROR.format('token cannot be empty.')),
(None, None, INVALID_INPUT_ERROR.format('token cannot be empty.')),
],
)
def test_parse_insecure_invalid_input(test_input_token, test_input_audience,
def test_get_jwt_authority_invalid_key_id_not_found():
jwt_bundle = JwtBundle(trust_domain, authorities)
response = jwt_bundle.get_jwt_authority('p0')
assert response is None
def test_get_jwt_authority_valid_input():
jwt_bundle = JwtBundle(trust_domain, authorities)
authority_key = jwt_bundle.get_jwt_authority('kid2')
assert rsa_key == authority_key
def test_create_jwt_bundle_no_authorities():
jwt_bundle = JwtBundle(trust_domain, None)
assert jwt_bundle.trust_domain() == trust_domain
assert isinstance(jwt_bundle.jwt_authorities(), dict)
assert len(jwt_bundle.jwt_authorities().keys()) == 0
def test_create_jwt_bundle_no_trust_domain():
with pytest.raises(JwtBundleError) as exc_info:
JwtBundle(None, authorities)
assert str(exc_info.value) == 'Trust domain cannot be empty.'
def test_create_jwt_bundle():
jwt_bundle = JwtBundle(trust_domain, authorities)
assert jwt_bundle.trust_domain() == trust_domain
assert len(jwt_bundle.jwt_authorities().keys()) == len(authorities.keys())
