def test_retrieve_jwk_optional_alg(self, mock_requests): """Test retrieving jwk with optional alg""" get_json_mock = Mock() get_json_mock.json.return_value = { "keys": [ { "kid": "kid", } ] } mock_requests.get.return_value = get_json_mock header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT', 'kid': 'kid'})) payload = force_bytes(json.dumps({'foo': 'bar'})) # Compute signature key = b'mysupersecuretestkey' h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend()) msg = '{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload))) h.update(force_bytes(msg)) signature = b64encode(h.finalize()) token = '{}.{}.{}'.format( smart_text(b64encode(header)), smart_text(b64encode(payload)), smart_text(signature) ) jwk_key = self.backend.retrieve_matching_jwk(force_bytes(token)) self.assertEqual(jwk_key, get_json_mock.json.return_value['keys'][0])
def test_retrieve_mismatcing_jwk_kid(self, mock_requests): """Test retrieving mismatching jwk kid""" get_json_mock = Mock() get_json_mock.json.return_value = { "keys": [ { "alg": "HS256", "kid": "foobar", } ] } mock_requests.get.return_value = get_json_mock header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT', 'kid': 'bar'})) payload = force_bytes(json.dumps({'foo': 'bar'})) # Compute signature key = b'mysupersecuretestkey' h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend()) msg = '{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload))) h.update(force_bytes(msg)) signature = b64encode(h.finalize()) token = '{}.{}.{}'.format( smart_text(b64encode(header)), smart_text(b64encode(payload)), smart_text(signature) ) with self.assertRaises(SuspiciousOperation) as ctx: self.backend.retrieve_matching_jwk(force_bytes(token)) self.assertEqual(ctx.exception.args[0], 'Could not find a valid JWKS.')
def test_disallowed_unsecured_token(self): """Test payload data from unsecured token (disallowed).""" header = force_bytes(json.dumps({'alg': 'none'})) payload = force_bytes(json.dumps({'foo': 'bar'})) signature = '' token = force_bytes('{}.{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload)), signature)) with self.assertRaises(KeyError): self.backend.get_payload_data(token, None)
def test_allowed_unsecured_token(self): """Test payload data from unsecured token (allowed).""" header = force_bytes(json.dumps({'alg': 'none'})) payload = force_bytes(json.dumps({'foo': 'bar'})) signature = '' token = force_bytes('{}.{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload)), signature)) extracted_payload = self.backend.get_payload_data(token, None) self.assertEqual(payload, extracted_payload)
def to_compact(self): """Compact serialization. :rtype: bytes """ assert len(self.signatures) == 1 assert 'alg' not in self.signature.header.not_omitted() # ... it must be in protected return (b64.b64encode(self.signature.protected.encode('utf-8')) + b'.' + b64.b64encode(self.payload) + b'.' + b64.b64encode(self.signature.signature))
def to_compact(self): """Compact serialization. :rtype: bytes """ assert len(self.signatures) == 1 assert 'alg' not in self.signature.header.not_omitted() # ... it must be in protected return ( b64.b64encode(self.signature.protected.encode('utf-8')) + b'.' + b64.b64encode(self.payload) + b'.' + b64.b64encode(self.signature.signature))
def encode_b64jose(data): """Encode JOSE Base-64 field. :param bytes data: :rtype: `unicode` """ # b64encode produces ASCII characters only return b64.b64encode(data).decode('ascii')
def encode_b64jose(data: bytes) -> str: """Encode JOSE Base-64 field. :param bytes data: :rtype: `str` """ # b64encode produces ASCII characters only return b64.b64encode(data).decode('ascii')
def test_disallowed_unsecured_valid_token(self): """Test payload data from valid secure token (unsecured disallowed).""" header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT'})) payload = force_bytes(json.dumps({'foo': 'bar'})) # Compute signature key = b'mysupersecuretestkey' h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend()) msg = '{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload))) h.update(force_bytes(msg)) signature = b64encode(h.finalize()) token = '{}.{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload)), smart_text(signature)) token_bytes = force_bytes(token) key_text = smart_text(key) output = self.backend.get_payload_data(token_bytes, key_text) self.assertEqual(output, payload)
def test_retrieve_matching_jwk_same_kid(self, mock_requests): """Test retrieving valid jwk from a list of keys with the same kid""" get_json_mock = Mock() get_json_mock.json.return_value = { "keys": [{ "alg": "RS512", "kid": "foobar", }, { "alg": "RS384", "kid": "foobar", }, { "alg": "RS256", "kid": "foobar", }] } mock_requests.get.return_value = get_json_mock header = force_bytes( json.dumps({ 'alg': 'RS256', 'typ': 'JWT', 'kid': 'foobar' })) payload = force_bytes(json.dumps({'foo': 'bar'})) # Compute signature key = b'mysupersecuretestkey' h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend()) msg = '{}.{}'.format(smart_str(b64encode(header)), smart_str(b64encode(payload))) h.update(force_bytes(msg)) signature = b64encode(h.finalize()) token = '{}.{}.{}'.format(smart_str(b64encode(header)), smart_str(b64encode(payload)), smart_str(signature)) jwk_key = self.backend.retrieve_matching_jwk(force_bytes(token)) self.assertEqual(jwk_key, get_json_mock.json.return_value['keys'][2])
def test_disallowed_unsecured_invalid_token(self): """Test payload data from invalid secure token (unsecured disallowed).""" header = force_bytes(json.dumps({'alg': 'HS256', 'typ': 'JWT'})) payload = force_bytes(json.dumps({'foo': 'bar'})) # Compute signature key = b'mysupersecuretestkey' fake_key = b'mysupersecurefaketestkey' h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend()) msg = '{}.{}'.format(smart_text(b64encode(header)), smart_text(b64encode(payload))) h.update(force_bytes(msg)) signature = b64encode(h.finalize()) token = '{}.{}.{}'.format( smart_text(b64encode(header)), smart_text(b64encode(payload)), smart_text(signature) ) token_bytes = force_bytes(token) key_text = smart_text(fake_key) with self.assertRaises(SuspiciousOperation) as ctx: self.backend.get_payload_data(token_bytes, key_text) self.assertEqual(ctx.exception.args[0], 'JWS token verification failed.')
def _validation(response): """ Get the validation value for a challenge response. """ h = hashlib.sha256(response.key_authorization.encode("utf-8")) return b64encode(h.digest()).decode()
def _msg(cls, protected, payload): return (b64.b64encode(protected.encode('utf-8')) + b'.' + b64.b64encode(payload))
def _msg(cls, protected: str, payload: bytes) -> bytes: return (b64.b64encode(protected.encode('utf-8')) + b'.' + b64.b64encode(payload))
def _call(cls, data): from josepy.b64 import b64encode return b64encode(data)
def _msg(cls, protected, payload): return (b64.b64encode(protected.encode('utf-8')) + b'.' + b64.b64encode(payload))
def _call(cls, data): from josepy.b64 import b64encode return b64encode(data)
def _validation(response): """ Get the validation value for a challenge response. """ h = hashlib.sha256(response.key_authorization.encode("utf-8")) return b64encode(h.digest()).decode()