Example #1
    def test_ec_prepare_key_should_be_idempotent(self):
        """Feeding an already-prepared EC public key back into prepare_key() yields an equal key."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)

        with open(key_path('testkey_ec.pub'), 'r') as pem_file:
            # First pass parses the PEM text; second pass receives the parsed key object.
            prepared_once = ec.prepare_key(pem_file.read())
            prepared_twice = ec.prepare_key(prepared_once)

        self.assertEqual(prepared_once, prepared_twice)
Example #2
    def test_ec_prepare_key_should_be_idempotent(self):
        """prepare_key() applied to its own output must return an equal key."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)

        with open(key_path("testkey_ec.pub")) as pem_file:
            # Parse the PEM text, then hand the parsed key straight back in.
            from_pem = ec.prepare_key(pem_file.read())
            from_prepared = ec.prepare_key(from_pem)

        assert from_pem == from_prepared
Example #3
    def test_ec_prepare_key_should_be_idempotent(self):
        """A key that went through prepare_key() once must survive a second pass unchanged."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)

        with open(key_path('testkey_ec.pub'), 'r') as pem_file:
            first_pass = ec.prepare_key(pem_file.read())
            # The second call gets the prepared key, not the PEM text.
            second_pass = ec.prepare_key(first_pass)

        assert first_pass == second_pass
Example #4
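def _replace_jwt_algorithm(alg_id, algorithm):
    """Register *algorithm* under *alg_id*, dropping any handler already registered."""
    try:
        jwt.unregister_algorithm(alg_id)
    except KeyError:
        # No handler was registered for this id (for example when the default
        # crypto backend is missing), so there is nothing to remove first.
        pass
    jwt.register_algorithm(alg_id, algorithm)


def include_package(config):
    """Pyramid package include.

    Registers translations, the JWT request methods, the ``jwt_object`` view
    predicate and the REST token/verify routes, then swaps the RS*/ES* JWT
    handlers for the ``jwt.contrib`` implementations when their optional
    backends can be imported, and finally scans the package.

    :param config: the Pyramid configurator being set up
    """

    # add translations
    config.add_translation_dirs('pyams_auth_jwt:locales')

    # add configuration directives
    config.add_request_method(create_jwt_token, 'create_jwt_token')
    config.add_request_method(get_jwt_claims, 'jwt_claims', reify=True)

    # add route predicate
    config.add_view_predicate('jwt_object', JWTTokenObjectPredicate)

    # register new REST API routes; paths can be overridden from settings
    settings = config.registry.settings
    config.add_route(
        REST_TOKEN_ROUTE,
        settings.get('pyams.jwt.rest_token_route', '/api/auth/jwt/token'))
    config.add_route(
        REST_VERIFY_ROUTE,
        settings.get('pyams.jwt.rest_verify_route', '/api/auth/jwt/verify'))

    # update JWT algorithms
    # NOTE(review): these swaps change the handler used for signature checks by
    # everything that goes through the shared ``jwt`` module, not only this
    # package. The ``jwt.contrib`` handlers are legacy code paths; confirm they
    # exist in the pinned PyJWT release and that replacing the default
    # handlers is really intended.
    try:
        # NOTE(review): PyCrypto is normally imported as ``Crypto``; confirm
        # that this probe can ever succeed, otherwise the branch is dead code.
        import pycrypto  # pylint: disable=import-outside-toplevel,unused-import
    except ImportError:
        pass
    else:
        from jwt.contrib.algorithms.pycrypto import RSAAlgorithm  # pylint: disable=import-outside-toplevel
        _replace_jwt_algorithm('RS256', RSAAlgorithm(RSAAlgorithm.SHA256))
        _replace_jwt_algorithm('RS512', RSAAlgorithm(RSAAlgorithm.SHA512))

    try:
        import ecdsa  # pylint: disable=import-outside-toplevel,unused-import
    except ImportError:
        pass
    else:
        from jwt.contrib.algorithms.py_ecdsa import ECAlgorithm  # pylint: disable=import-outside-toplevel
        _replace_jwt_algorithm('ES256', ECAlgorithm(ECAlgorithm.SHA256))
        _replace_jwt_algorithm('ES512', ECAlgorithm(ECAlgorithm.SHA512))

    try:
        import pyams_zmi  # pylint: disable=import-outside-toplevel,unused-import
        # An ImportError raised while scanning also lands in the handler below
        # and triggers the reduced scan.
        config.scan()
    except ImportError:
        # Management interface not available: skip its views.
        config.scan(ignore='pyams_auth_jwt.zmi')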
Example #5
    def test_ec_verify_should_return_true_if_signature_valid(self):
        """verify() must accept the stored signature over the fixture message."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)
        message = ensure_bytes('Hello World!')

        # Known-good signature for the message, kept base64-encoded in the test.
        signature_b64 = (
            'AC+m4Jf/xI3guAC6w0w37t5zRpSCF6F4udEz5LiMiTIjCS4vcVe6dDOxK+M'
            'mvkF8PxJuvqxP2CO3TR3okDPCl/NjATTO1jE+qBZ966CRQSSzcCM+tzcHzw'
            'LZS5kbvKu0Acd/K6Ol2/W3B1NeV5F/gjvZn/jOwaLgWEUYsg0o4XVrAg65')
        signature = base64.b64decode(ensure_bytes(signature_b64))

        with open(key_path('testkey_ec.pub'), 'r') as pem_file:
            public_key = ec.prepare_key(pem_file.read())

        assert ec.verify(message, public_key, signature)
Example #6
    def test_ec_verify_should_return_true_if_signature_valid(self):
        """verify() must accept the stored signature over the fixture message."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)
        message = ensure_bytes('Hello World!')

        # Known-good signature, base64-encoded. It looks DER-encoded: the
        # leading 'MIGI' decodes to an ASN.1 SEQUENCE header.
        signature_b64 = (
            'MIGIAkIB9vYz+inBL8aOTA4auYz/zVuig7TT1bQgKROIQX9YpViHkFa4DT5'
            '5FuFKn9XzVlk90p6ldEj42DC9YecXHbC2t+cCQgCicY+8f3f/KCNtWK7cif'
            '6vdsVwm6Lrjs0Ag6ZqCf+olN11hVt1qKBC4lXppqB1gNWEmNQaiz1z2QRyc'
            'zJ8hSJmbw==')
        signature = base64.b64decode(ensure_bytes(signature_b64))

        with open(key_path('testkey_ec.pub'), 'r') as pem_file:
            public_key = ec.prepare_key(pem_file.read())

        self.assertTrue(ec.verify(message, public_key, signature))
Example #7
    def test_ec_verify_should_return_true_if_signature_valid(self):
        """A stored, known-good signature must pass verify() with the public key."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)
        message = force_bytes("Hello World!")

        # Fixture signature for the message above, kept base64-encoded.
        encoded_signature = force_bytes(
            "AC+m4Jf/xI3guAC6w0w37t5zRpSCF6F4udEz5LiMiTIjCS4vcVe6dDOxK+M"
            "mvkF8PxJuvqxP2CO3TR3okDPCl/NjATTO1jE+qBZ966CRQSSzcCM+tzcHzw"
            "LZS5kbvKu0Acd/K6Ol2/W3B1NeV5F/gjvZn/jOwaLgWEUYsg0o4XVrAg65")
        signature = base64.b64decode(encoded_signature)

        with open(key_path("testkey_ec.pub")) as pem_file:
            public_key = ec.prepare_key(pem_file.read())

        assert ec.verify(message, public_key, signature)
Example #8
    def test_ec_verify_should_return_true_if_signature_valid(self):
        """A stored, known-good signature must pass verify() with the public key."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)
        message = ensure_bytes('Hello World!')

        # Fixture signature, base64-encoded; the 'MIGI' prefix decodes to an
        # ASN.1 SEQUENCE header, so this looks like a DER-encoded signature.
        encoded_signature = ensure_bytes(
            'MIGIAkIB9vYz+inBL8aOTA4auYz/zVuig7TT1bQgKROIQX9YpViHkFa4DT5'
            '5FuFKn9XzVlk90p6ldEj42DC9YecXHbC2t+cCQgCicY+8f3f/KCNtWK7cif'
            '6vdsVwm6Lrjs0Ag6ZqCf+olN11hVt1qKBC4lXppqB1gNWEmNQaiz1z2QRyc'
            'zJ8hSJmbw==')
        signature = base64.b64decode(encoded_signature)

        with open(key_path('testkey_ec.pub'), 'r') as pem_file:
            public_key = ec.prepare_key(pem_file.read())

        assert ec.verify(message, public_key, signature)
Example #9
    def test_ec_verify_should_return_false_if_signature_invalid(self):
        """verify() must return a falsy result for a signature that was altered."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)
        message = force_bytes('Hello World!')

        valid_signature = base64.b64decode(
            force_bytes(
                'AC+m4Jf/xI3guAC6w0w37t5zRpSCF6F4udEz5LiMiTIjCS4vcVe6dDOxK+M'
                'mvkF8PxJuvqxP2CO3TR3okDPCl/NjATTO1jE+qBZ966CRQSSzcCM+tzcHzw'
                'LZS5kbvKu0Acd/K6Ol2/W3B1NeV5F/gjvZn/jOwaLgWEUYsg0o4XVrAg65'))

        # Appending bytes invalidates the signature.
        # NOTE(review): this also changes its length, so the check may be
        # rejected on size alone; a same-length altered signature would cover
        # the actual comparison path as well.
        tampered_signature = valid_signature + force_bytes('123')

        with open(key_path('testkey_ec.pub'), 'r') as pem_file:
            public_key = ec.prepare_key(pem_file.read())

        assert not ec.verify(message, public_key, tampered_signature)
Example #10
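    def test_ec_sign_should_generate_correct_signature_value(self):
        """sign() must produce a signature that verify() accepts.

        The freshly generated signature is checked by round trip rather than
        by byte comparison, because an ECDSA signature is not guaranteed to be
        identical on every call. The stored fixture signature is verified too,
        which confirms that the key pair on disk still matches it.
        """
        algo = ECAlgorithm(ECAlgorithm.SHA256)

        jwt_message = force_bytes('Hello World!')

        expected_sig = base64.b64decode(
            force_bytes(
                'AC+m4Jf/xI3guAC6w0w37t5zRpSCF6F4udEz5LiMiTIjCS4vcVe6dDOxK+M'
                'mvkF8PxJuvqxP2CO3TR3okDPCl/NjATTO1jE+qBZ966CRQSSzcCM+tzcHzw'
                'LZS5kbvKu0Acd/K6Ol2/W3B1NeV5F/gjvZn/jOwaLgWEUYsg0o4XVrAg65'))

        # 'testkey_ec' is the signing key, 'testkey_ec.pub' the verification key.
        with open(key_path('testkey_ec'), 'r') as keyfile:
            jwt_key = algo.prepare_key(keyfile.read())

        with open(key_path('testkey_ec.pub'), 'r') as keyfile:
            jwt_pub_key = algo.prepare_key(keyfile.read())

        # The result of sign() used to be discarded, so a broken signer could
        # not fail this test; verify what was actually produced.
        generated_sig = algo.sign(jwt_message, jwt_key)
        assert algo.verify(jwt_message, jwt_pub_key, generated_sig)

        # The stored signature must still verify against the same public key.
        assert algo.verify(jwt_message, jwt_pub_key, expected_sig)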
Example #11
    def test_ec_should_accept_unicode_key(self):
        """prepare_key() must take a text (unicode) key without raising."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)

        with open(key_path('testkey_ec'), 'r') as pem_file:
            pem_text = ensure_unicode(pem_file.read())
            # No assertion needed: the test passes when nothing is raised.
            ec.prepare_key(pem_text)
Example #12
    def test_ec_should_reject_non_string_key(self):
        """prepare_key() must raise TypeError for a key that is not a string."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)
        not_a_key = None

        with pytest.raises(TypeError):
            ec.prepare_key(not_a_key)
Example #13
import urllib
import datetime

import jwt
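try:
    from jwt.contrib.algorithms.py_ecdsa import ECAlgorithm
    # Pure-Python ES256 signature handler for hosts such as Google App Engine.
    # ES256 is a signature algorithm, not encryption.
    jwt.register_algorithm('ES256', ECAlgorithm(ECAlgorithm.SHA256))
except Exception:
    # Best effort: keep whatever ES256 handler the jwt module already has
    # (presumably the import or the registration fails when a native backend
    # is in place). Catching Exception rather than BaseException lets
    # KeyboardInterrupt and SystemExit propagate.
    pass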

from models import Secret


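class JWTError(Exception):
    """Raised when JWT handling fails, e.g. on a malformed Authorization header."""


def get_token_from_header(headers):
    """Return the bearer token carried in the ``Authorization`` header.

    The header value must be exactly ``Bearer <token>``: the scheme and a
    non-empty token separated by a single space.

    :param headers: mapping of request headers (anything with ``.get``)
    :return: the token string
    :raises JWTError: if the header is missing, is not a string, does not use
        the ``Bearer`` scheme, or carries an empty token
    """
    auth = headers.get('Authorization', '')
    try:
        standard, token = auth.split(' ')
    except (AttributeError, ValueError):
        # AttributeError: the header value is not a string.
        # ValueError: the value does not split into exactly two parts.
        standard = token = None
    # An empty token ("Bearer " with nothing after it) is rejected here rather
    # than handed on to signature verification.
    if standard != 'Bearer' or not token:
        raise JWTError('Authorization header must be "Bearer {Token}"')
    return token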


def verify_jwt(headers):
    """Start JWT handling for a request; only the token extraction step is visible in this excerpt."""
    # get_token_from_header raises JWTError unless the header uses the Bearer scheme.
    token = get_token_from_header(headers)
Example #14
    def test_ec_should_accept_unicode_key(self):
        """A key supplied as text (unicode) must be accepted by prepare_key()."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)

        with open(key_path("testkey_ec")) as pem_file:
            pem_text = force_unicode(pem_file.read())
            # Passing means no exception; the prepared key itself is not inspected.
            ec.prepare_key(pem_text)
Example #15
    def test_ec_should_reject_non_string_key(self):
        """A non-string key (here ``None``) must make prepare_key() raise TypeError."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)
        invalid_key = None

        with pytest.raises(TypeError):
            ec.prepare_key(invalid_key)
Example #16
    def test_ec_should_accept_unicode_key(self):
        """prepare_key() must not raise when the key is passed as unicode text."""
        ec = ECAlgorithm(ECAlgorithm.SHA256)

        with open(key_path('testkey_ec'), 'r') as pem_file:
            unicode_pem = ensure_unicode(pem_file.read())
            # Success is simply the absence of an exception.
            ec.prepare_key(unicode_pem)
Example #17
import TCLconfigs
import boto3
# JWT stuff
# TODO: find a way to include native cryptography library
# Need to include cryptography wheels in the Lambda layer
# Right now I am just falling back to python library (slow)
import jwt
import requests
from TCLconfigs.logger import Logger
from jwt.contrib.algorithms.py_ecdsa import ECAlgorithm

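# The public key corresponding to the private key used to encode the token
PUBLIC_KEY = TCLconfigs.public_key

# Use the pure-Python ECDSA handler for ES256. unregister_algorithm raises
# KeyError when no ES256 handler is registered, which would otherwise abort the
# import of this module; in that case there is simply nothing to replace.
# NOTE(review): the swap affects every ES256 verification done through the
# shared ``jwt`` module. The decode call is not shown here; it should still pin
# the accepted algorithm explicitly (``algorithms=['ES256']``).
try:
    jwt.unregister_algorithm('ES256')
except KeyError:
    pass
jwt.register_algorithm('ES256', ECAlgorithm(ECAlgorithm.SHA256))
# Configure logger
logger = Logger().get_logger()
# dynamodb
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table(TCLconfigs.dynamo_table_names('user_info'))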


# def build_iam_policy(principal_id, effect, resource, context):
#     """
#     构建权限策略
#     :param principal_id: 这里使用ssoId
#     :param effect: Allow or Deny
#     :param resource: 需要访问的函数资源 methodArn
#     :param context: 传递到下一个函数的数据(ssoId、lang、appId、expired)
#     """