def test_example_1(self):
_symkey = KC_SYM_S.get(alg2keytype("HS256"))
csr = CheckSessionRequest(id_token=IDTOKEN.to_jwt(
key=_symkey, algorithm="HS256", lifetime=300))
keyjar = KeyJar()
keyjar.add_kb(ISS, KC_SYM_S)
assert csr.verify(keyjar=keyjar)
def test_dump_issuer_keys(self):
kb = keybundle_from_local_file("file://%s/jwk.json" % BASE_PATH,
"jwks", ["sig"])
assert len(kb) == 1
kj = KeyJar()
kj.add_kb("", kb)
_jwks_dict = kj.export_jwks()
_info = _jwks_dict["keys"][0]
assert _info == {
"use":
"sig",
"e":
"AQAB",
"kty":
"RSA",
"alg":
"RS256",
"n":
"pKybs0WaHU_y4cHxWbm8Wzj66HtcyFn7Fh3n"
"-99qTXu5yNa30MRYIYfSDwe9JVc1JUoGw41yq2StdGBJ40HxichjE"
"-Yopfu3B58Q"
"lgJvToUbWD4gmTDGgMGxQxtv1En2yedaynQ73sDpIK-12JJDY55pvf"
"-PCiSQ9OjxZLiVGKlClDus44_uv2370b9IN2JiEOF-a7JB"
"qaTEYLPpXaoKWDSnJNonr79tL0T7iuJmO1l705oO3Y0TQ"
"-INLY6jnKG_RpsvyvGNnwP9pMvcP1phKsWZ10ofuuhJGRp8IxQL9Rfz"
"T87OvF0RBSO1U73h09YP-corWDsnKIi6TbzRpN5YDw",
"kid":
"abc",
}
def test_get_decrypt_keys():
kj = KeyJar()
kj['Alice'] = [KeyBundle(JWK0['keys'])]
kj[''] = [KeyBundle(JWK1['keys'])]
kj['C'] = [KeyBundle(JWK2['keys'])]
kb = rsa_init({
'use': ['enc', 'sig'],
'size': 1024,
'name': 'rsa',
'path': 'keys'
})
kj.add_kb('', kb)
jwt = JWEnc()
jwt.headers = {'alg': 'RS256'}
jwt.part = [{
'alg': 'RS256'
}, '{"aud": "Bob", "iss": "Alice"}', 'aksjdhaksjbd']
keys = kj.get_jwt_decrypt_keys(jwt)
assert keys
jwt.part = [{'alg': 'RS256'}, '{"iss": "Alice"}', 'aksjdhaksjbd']
keys = kj.get_jwt_decrypt_keys(jwt)
assert keys
keys = kj.get_jwt_decrypt_keys(jwt, aud='Bob')
assert keys
def test_update_keyjar():
_path = full_path("jwk_private_key.json")
kb = KeyBundle(source="file://{}".format(_path))
kj = KeyJar()
kj.add_kb("Alice", kb)
kj.update()
def test_construct(self, entity):
token_service = entity.client_get("service", 'accesstoken')
kb_rsa = KeyBundle(source='file://{}'.format(
os.path.join(BASE_PATH, "data/keys/rsa.key")),
fileformat='der')
for key in kb_rsa:
key.add_kid()
_context = token_service.client_get("service_context")
_context.keyjar.add_kb('', kb_rsa)
_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_context.registration_response = {
'token_endpoint_auth_signing_alg': 'RS256'
}
token_service.endpoint = "https://example.com/token"
request = AccessTokenRequest()
pkj = PrivateKeyJWT()
http_args = pkj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
assert http_args == {}
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_kb(_context.client_id, kb_rsa)
jso = JWT(key_jar=_kj).unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
# assert _jwt.headers == {'alg': 'RS256'}
assert jso['aud'] == [_context.provider_info['token_endpoint']]
def test_update_keyjar():
_path = full_path('jwk_private_key.json')
kb = KeyBundle(source='file://{}'.format(_path))
kj = KeyJar()
kj.add_kb('Alice', kb)
update_keyjar(kj)
def test_str():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
desc = "{}".format(kj)
_cont = json.loads(desc)
assert set(_cont.keys()) == {"Alice"}
def test_construct(self, services):
_service = services['accesstoken']
kb_rsa = KeyBundle(source='file://{}'.format(
os.path.join(BASE_PATH, "data/keys/rsa.key")),
fileformat='der')
for key in kb_rsa:
key.add_kid()
_service.service_context.keyjar.add_kb('', kb_rsa)
_service.service_context.set(
'provider_info', {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
})
services['accesstoken'].endpoint = "https://example.com/token"
request = AccessTokenRequest()
pkj = PrivateKeyJWT()
http_args = pkj.construct(request,
service=_service,
algorithm="RS256",
authn_endpoint='token_endpoint')
assert http_args == {}
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_kb(_service.service_context.get('client_id'), kb_rsa)
jso = JWT(key_jar=_kj).unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
# assert _jwt.headers == {'alg': 'RS256'}
assert jso['aud'] == [
_service.service_context.get('provider_info')['token_endpoint']
]
def test_example(self):
_symkey = KC_SYM_S.get(alg2keytype("HS256"))
csr = CheckSessionRequest(id_token=IDTOKEN.to_jwt(
key=_symkey, algorithm="HS256", lifetime=300))
keyjar = KeyJar()
keyjar.add_kb('', KC_SYM_S)
with pytest.raises(ValueError):
assert csr.verify(keyjar=keyjar)
def test_find():
_path = full_path("jwk_private_key.json")
kb = KeyBundle(source="file://{}".format(_path))
kj = KeyJar()
kj.add_kb("Alice", kb)
assert kj.find("{}".format(_path), "Alice")
assert kj.find("https://example.com", "Alice") == []
assert kj.find("{}".format(_path), "Bob") is None
def test_find():
_path = full_path('jwk_private_key.json')
kb = KeyBundle(source='file://{}'.format(_path))
kj = KeyJar()
kj.add_kb('Alice', kb)
assert kj.find('{}'.format(_path), 'Alice')
assert kj.find('https://example.com', 'Alice') is None
assert kj.find('{}'.format(_path), 'Bob') is None
def test_similar():
ISSUER = "xyzzy"
kj = KeyJar()
kb = KeyBundle(JWK2)
kj.add_kb(issuer=ISSUER, kb=kb)
keys1 = kj.get_issuer_keys(ISSUER)
keys2 = kj[ISSUER].all_keys()
assert keys1 == keys2
def test_jwt_pack_and_unpack_unknown_key():
alice = JWT(key_jar=ALICE_KEY_JAR, iss=ALICE, sign_alg="RS256")
payload = {"sub": "sub"}
_jwt = alice.pack(payload=payload)
kj = KeyJar()
kj.add_kb(ALICE, KeyBundle())
bob = JWT(key_jar=kj, iss=BOB, allowed_sign_algs=["RS256"])
with pytest.raises(NoSuitableSigningKeys):
info = bob.unpack(_jwt)
def test_get_decrypt_keys():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
kb = rsa_init({
"use": ["enc", "sig"],
"size": 1024,
"name": "rsa",
"path": "keys"
})
kj.add_kb("", kb)
jwt = JWEnc()
jwt.headers = {"alg": "RS256"}
jwt.part = [{
"alg": "RS256"
}, '{"aud": "Bob", "iss": "Alice"}', "aksjdhaksjbd"]
keys = kj.get_jwt_decrypt_keys(jwt)
assert keys
jwt.part = [{"alg": "RS256"}, '{"iss": "Alice"}', "aksjdhaksjbd"]
keys = kj.get_jwt_decrypt_keys(jwt)
assert keys
with pytest.raises(IssuerNotFound):
keys = kj.get_jwt_decrypt_keys(jwt, aud="Bob")
def test_issuer_extra_slash(self):
ks = KeyJar()
ks.add_kb(
"",
KeyBundle(
[
{"kty": "oct", "key": "abcdefghijklmnop", "use": "sig"},
{"kty": "oct", "key": "ABCDEFGHIJKLMNOP", "use": "enc"},
]
),
)
ks.add_kb(
"http://www.example.org",
KeyBundle(
[
{"kty": "oct", "key": "0123456789012345", "use": "sig"},
{"kty": "oct", "key": "1234567890123456", "use": "enc"},
]
),
)
ks.add_kb(
"http://www.example.org",
keybundle_from_local_file(RSAKEY, "der", ["ver", "sig"]),
)
assert ks.get("sig", "RSA", "http://www.example.org/")
def test_get_enc_not_mine(self):
ks = KeyJar()
ks.add_kb(
"",
KeyBundle(
[
{"kty": "oct", "key": "a1b2c3d4e5f6g7h8", "use": "sig"},
{"kty": "oct", "key": "a1b2c3d4e5f6g7h8", "use": "enc"},
]
),
)
ks.add_kb(
"http://www.example.org/",
KeyBundle(
[
{"kty": "oct", "key": "1a2b3c4d5e6f7g8h", "use": "sig"},
{"kty": "oct", "key": "1a2b3c4d5e6f7g8h", "use": "enc"},
]
),
)
ks.add_kb(
"http://www.example.org/",
keybundle_from_local_file(RSAKEY, "der", ["ver", "sig"]),
)
assert ks.get("enc", "oct", "http://www.example.org/")
def test_items(self):
ks = KeyJar()
ks.add_kb(
"",
KeyBundle(
[
{"kty": "oct", "key": "abcdefghijklmnop", "use": "sig"},
{"kty": "oct", "key": "ABCDEFGHIJKLMNOP", "use": "enc"},
]
),
)
ks.add_kb(
"http://www.example.org",
KeyBundle(
[
{"kty": "oct", "key": "0123456789012345", "use": "sig"},
{"kty": "oct", "key": "1234567890123456", "use": "enc"},
]
),
)
ks.add_kb(
"http://www.example.org",
keybundle_from_local_file(RSAKEY, "der", ["ver", "sig"]),
)
assert len(ks.items()) == 2
def test_key_summary():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
out = kj.key_summary("Alice")
assert out
def test_dump_json():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
res = kj.dump()
assert json.dumps(res)
def test_contains():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
assert "Bob" in kj
assert "David" not in kj
def test_repr():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
txt = kj.__repr__()
assert "<KeyJar(issuers=[" in txt
_d = eval(txt[16:-2])
assert set(_d) == {"Alice", "Bob", "C"}
def __init__(self,
srv,
iss='',
signer=None,
self_signer=None,
fo_bundle=None,
mdss_endpoint='',
context='',
entity_id='',
fo_priority=None,
mdss_owner='',
verify_ssl=True,
mdss_keys=''):
FederationEntity.__init__(self,
srv,
iss,
signer=signer,
self_signer=self_signer,
fo_bundle=fo_bundle,
context=context,
entity_id=entity_id,
fo_priority=fo_priority,
verify_ssl=verify_ssl)
self.mdss_endpoint = mdss_endpoint
self.mdss_owner = mdss_owner
kj = KeyJar(verify_ssl=verify_ssl)
if mdss_keys.startswith('http'):
kj.add_url(mdss_owner, self.mdss_keys)
else:
kb = KeyBundle(source=mdss_keys, fileformat='jwks')
kj.add_kb(mdss_owner, kb=kb)
self.mdss_keys = kj
self.verify_ssl = verify_ssl
def test_match_owner():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("https://delphi.example.com/path", KeyBundle(JWK2["keys"]))
a = kj.match_owner("https://delphi.example.com")
assert a == "https://delphi.example.com/path"
with pytest.raises(KeyError):
kj.match_owner("https://example.com")
def test_dump():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
res = kj.dump()
nkj = KeyJar().load(res)
assert set(nkj.owners()) == {"Alice", "Bob", "C"}
assert nkj.get_signing_key("rsa", "Alice", kid="abc")
assert nkj.get_signing_key("rsa", "C", kid="MnC_VZcATfM5pOYiJHMba9goEKY")
def test_get_wrong_owner():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
assert kj.get("sig", "rsa", "https://delphi.example.com/") == []
assert kj.get("sig", "rsa", "https://delphi.example.com") == []
assert kj.get("sig", "rsa") == []
assert "https://delphi.example.com" not in kj
with pytest.raises(KeyError):
kj["https://delphi.example.com"]
def test_dump():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
res = kj.dump()
nkj = KeyJar().load(res)
assert set(nkj.owners()) == {"Alice", "Bob", "C"}
assert nkj.get_signing_key("rsa", "Alice", kid="abc")
assert nkj.get_signing_key(
"rsa", "C", kid="R3NJRW1EVHRsaUcwSXVydi14cVVoTmxhaU4zckU1MlFPa05NWGNpUUZtcw"
)
def test_copy():
kj = KeyJar()
kj.add_kb("Alice", KeyBundle(JWK0["keys"]))
kj.add_kb("Bob", KeyBundle(JWK1["keys"]))
kj.add_kb("C", KeyBundle(JWK2["keys"]))
kjc = kj.copy()
assert set(kjc.owners()) == {"Alice", "Bob", "C"}
assert len(kjc.get("sig", "oct", "Alice")) == 0
assert len(kjc.get("sig", "rsa", "Alice")) == 1
assert len(kjc.get("sig", "oct", "Bob")) == 1
assert len(kjc.get("sig", "rsa", "Bob")) == 1
assert len(kjc.get("sig", "oct", "C")) == 0
assert len(kjc.get("sig", "rsa", "C")) == 4
def test_no_use(self):
kb = KeyBundle(JWK0["keys"])
kj = KeyJar()
kj.add_kb("abcdefgh", kb)
enc_key = kj.get_encrypt_key("RSA", "abcdefgh")
assert enc_key != []
def test_keyjar_add(self):
kj = KeyJar()
kb = keybundle_from_local_file(RSAKEY, "der", ["ver", "sig"])
kj.add_kb('https://issuer.example.com', kb)
assert list(kj.owners()) == ['https://issuer.example.com']
def test_setitem(self):
kj = KeyJar()
kb = keybundle_from_local_file(RSAKEY, "der", ["ver", "sig"])
kj.add_kb("https://issuer.example.com", kb)
assert list(kj.owners()) == ["https://issuer.example.com"]
