def test_fetch_x509_bundles_success(mocker):
bundles = dict()
bundles['example.org'] = _BUNDLE
bundles['domain.test'] = _FEDERATED_BUNDLE
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509Bundles = mocker.Mock(
return_value=iter(
[
workload_pb2.X509BundlesResponse(
bundles=bundles,
)
]
)
)
bundle_set = WORKLOAD_API_CLIENT.fetch_x509_bundles()
bundle = bundle_set.get_x509_bundle_for_trust_domain(TrustDomain('example.org'))
assert bundle
assert len(bundle.x509_authorities()) == 1
federated_bundle = bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain('domain.test')
)
assert federated_bundle
assert len(federated_bundle.x509_authorities()) == 1
def test_fetch_x509_context_success(mocker):
federated_bundles = dict()
federated_bundles['domain.test'] = _FEDERATED_BUNDLE
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter(
[
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=_CHAIN1,
x509_svid_key=_KEY1,
bundle=_BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=_CHAIN2,
x509_svid_key=_KEY2,
bundle=_BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]
)
)
x509_context = WORKLOAD_API_CLIENT.fetch_x509_context()
svids = x509_context.x509_svids()
bundle_set = x509_context.x509_bundle_set()
assert len(svids) == 2
svid1 = x509_context.default_svid()
assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service')
assert len(svid1.cert_chain()) == 2
assert isinstance(svid1.leaf(), Certificate)
assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey)
svid2 = x509_context.x509_svids()[1]
assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2')
assert len(svid2.cert_chain()) == 1
assert isinstance(svid2.leaf(), Certificate)
assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey)
bundle = bundle_set.get_x509_bundle_for_trust_domain(TrustDomain('example.org'))
assert bundle
assert len(bundle.x509_authorities()) == 1
federated_bundle = bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain('domain.test')
)
assert federated_bundle
assert len(federated_bundle.x509_authorities()) == 1
def test_create_new_x509_bundle_set():
bundle_bytes = read_bytes(_TEST_CERTS_PATH.format('cert.der'))
bundle_1 = X509Bundle.parse_raw(trust_domain_1, bundle_bytes)
bundle_2 = X509Bundle.parse_raw(trust_domain_2, bundle_bytes)
bundles = {trust_domain_1: bundle_1, trust_domain_2: bundle_2}
x509_bundle_set = X509BundleSet(bundles)
assert len(x509_bundle_set._bundles) == 2
# check that the bundle map was copied
assert x509_bundle_set._bundles is not bundles
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
trust_domain_1)
assert found_bundle == bundle_1
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
trust_domain_2)
assert found_bundle == bundle_2
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain('other.test'))
assert found_bundle is None
def _create_bundle_set(self,
resp_bundles: Mapping[str, bytes]) -> X509BundleSet:
x509_bundles = [
self._create_x509_bundle(TrustDomain(td), resp_bundles[td])
for td in resp_bundles
]
return X509BundleSet.of(x509_bundles)
def test_exceeds_maximum_length():
name = "a" * 256
with pytest.raises(ArgumentError) as exception:
TrustDomain("{}".format(name))
assert str(exception.value) == 'Trust domain cannot be longer than 255 bytes.'
def parse(cls, spiffe_id: str) -> 'SpiffeId':
"""Parses a SPIFFE ID from a string into a SpiffeId type instance.
Args:
spiffe_id: A string representing the SPIFFE ID.
Returns:
An instance of a compliant SPIFFE ID (SpiffeId type).
Raises:
ArgumentError: If the string spiffe_id doesn't comply the the SPIFFE standard.
Examples:
>>> spiffe_id = SpiffeId.parse('spiffe://domain.test/path/element')
>>> print(spiffe_id.trust_domain())
domain.test
>>> print(spiffe_id.path())
/path/element
"""
if not spiffe_id:
raise ArgumentError('SPIFFE ID cannot be empty.')
uri = cls.parse_and_validate_uri(spiffe_id)
result = SpiffeId()
result.__set_path(uri['path'])
result.__set_trust_domain(TrustDomain(uri['authority']))
return result
def test_create_x509_bundle_set_from_list_of_bundles():
bundle_bytes = read_bytes(_TEST_CERTS_PATH.format('certs.der'))
bundle_1 = X509Bundle.parse_raw(trust_domain_1, bundle_bytes)
bundle_2 = X509Bundle.parse_raw(trust_domain_2, bundle_bytes)
bundles = [bundle_1, bundle_2]
x509_bundle_set = X509BundleSet.of(bundles)
assert len(x509_bundle_set._bundles) == 2
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
trust_domain_1)
assert found_bundle == bundle_1
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
trust_domain_2)
assert found_bundle == bundle_2
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain('other.test'))
assert found_bundle is None
def test_maximum_length():
name = "a" * 255
trust_domain = TrustDomain('{}'.format(name))
assert trust_domain.name() == name
def test_as_str_id():
trust_domain = TrustDomain('example.org')
assert trust_domain.as_str_id() == 'spiffe://example.org'
def test_not_equal_when_different_objects():
trust_domain = TrustDomain('domain.test')
td_list = list([trust_domain])
assert trust_domain != td_list
def test_not_equal_spiffe_ids():
trust_domain = TrustDomain('domain.test')
spiffeid_1 = SpiffeId.of(trust_domain, 'path1')
spiffeid_2 = SpiffeId.of(trust_domain, 'path2')
assert spiffeid_1 != spiffeid_2
def test_compare_multiple_equal_trust_domains():
trust_domain1 = TrustDomain('domain.test')
trust_domain2 = TrustDomain('domain.test')
assert trust_domain1 == trust_domain2
def test_compare_different_trust_domains():
trust_domain1 = TrustDomain('domain.test')
trust_domain2 = TrustDomain('other.test')
assert not trust_domain1 == trust_domain2
def test_equal_spiffe_id_with_multiple_paths():
trust_domain = TrustDomain('example.org')
spiffeid_1 = SpiffeId.of(trust_domain, ['PATH1', 'PATH2'])
spiffeid_2 = SpiffeId.of(trust_domain, ['/PATH1', '/PATH2'])
assert spiffeid_1 == spiffeid_2
def test_not_equal_when_different_objects():
trust_domain = TrustDomain('domain.test')
spiffeid_1 = SpiffeId.of(trust_domain, 'path1')
assert spiffeid_1 != trust_domain
import pytest
from pyspiffe.spiffe_id.trust_domain import TrustDomain
from pyspiffe.spiffe_id.spiffe_id import SpiffeId
from pyspiffe.exceptions import ArgumentError
@pytest.mark.parametrize(
'trust_domain,path_segments,expected_spiffe_id',
[
(
TrustDomain('example.org'),
['path', 'element'],
'spiffe://example.org/path/element',
),
(
TrustDomain('example.org'),
['/path', '/element'],
'spiffe://example.org/path/element',
),
# path case should be preserved
(
TrustDomain('domain.test'),
[' pAth1 ', ' pATH2 '],
'spiffe://domain.test/pAth1/pATH2',
),
(
TrustDomain('domain.test'),
' pAth1/pATH2 ',
'spiffe://domain.test/pAth1/pATH2',
),
def test_valid_trust_domain(test_input, expected):
result = TrustDomain(test_input).name()
assert result == expected
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
public_key = private_key.public_key()
public_key_pem = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
return private_key_pem, public_key_pem
DEFAULT_TRUST_DOMAIN = TrustDomain('test.com')
"""Default Trust Domain to be used when creating a default test JWT. Trust Domain=test.com/"""
DEFAULT_SPIFFE_ID = 'spiffe://test.com/'
"""Default SPIFFE ID to be used when creating a default test JWT. SPIFFE ID=spiffe://test.com/"""
DEFAULT_ALG = 'RS256'
"""Default algorithm to be used when creating a default test JWT. Alg=RS256."""
DEFAULT_KEY_ID = 'kid1'
"""Default Key ID to be used when creating a default test JWT. kid=kid1."""
DEFAULT_AUDIENCE: List[str] = ['spire', 'test', 'valid']
"""Default audience to be used when creating a default test JWT. Audience=['spire', 'test', 'valid']."""
DEFAULT_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
def test_is_not_member_of():
spiffe_id = SpiffeId.parse('spiffe://domain.test/path/element')
trust_domain = TrustDomain('other.test')
assert not spiffe_id.is_member_of(trust_domain)
def test_maximum_length():
path = 'a' * 2027
spiffe_id = SpiffeId.parse('spiffe://example.org/{}'.format(path))
assert spiffe_id.trust_domain() == TrustDomain('example.org')
assert spiffe_id.path() == '/' + path
def test_invalid_trust_domain(test_input, expected):
with pytest.raises(ArgumentError) as exception:
TrustDomain(test_input)
assert str(exception.value) == expected
def test_equal_spiffe_id():
trust_domain = TrustDomain('domain.test')
spiffeid_1 = SpiffeId.of(trust_domain, 'path1') # path1 is normalized as /path1
spiffeid_2 = SpiffeId.of(trust_domain, '/path1')
assert spiffeid_1 == spiffeid_2
from pyspiffe.bundle.x509_bundle.x509_bundle import X509Bundle
from pyspiffe.bundle.x509_bundle.x509_bundle_set import X509BundleSet
from pyspiffe.spiffe_id.trust_domain import TrustDomain
_TEST_CERTS_PATH = 'test/bundle/x509bundle/certs/{}'
trust_domain_1 = TrustDomain('domain.test')
trust_domain_2 = TrustDomain('example.org')
def test_create_new_x509_bundle_set():
bundle_bytes = read_bytes(_TEST_CERTS_PATH.format('cert.der'))
bundle_1 = X509Bundle.parse_raw(trust_domain_1, bundle_bytes)
bundle_2 = X509Bundle.parse_raw(trust_domain_2, bundle_bytes)
bundles = {trust_domain_1: bundle_1, trust_domain_2: bundle_2}
x509_bundle_set = X509BundleSet(bundles)
assert len(x509_bundle_set._bundles) == 2
# check that the bundle map was copied
assert x509_bundle_set._bundles is not bundles
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
trust_domain_1)
assert found_bundle == bundle_1
found_bundle = x509_bundle_set.get_x509_bundle_for_trust_domain(
trust_domain_2)
assert found_bundle == bundle_2
def test_get_name():
trust_domain = TrustDomain('example.org')
assert trust_domain.name() == 'example.org'
def test_to_string():
trust_domain = TrustDomain('domain.test')
assert str(trust_domain) == 'domain.test'
import pytest
from cryptography.hazmat.primitives.asymmetric import rsa, ec
from cryptography.hazmat.backends import default_backend
from pyspiffe.bundle.jwt_bundle.jwt_bundle import JwtBundle
from pyspiffe.spiffe_id.trust_domain import TrustDomain
from pyspiffe.bundle.jwt_bundle.exceptions import JwtBundleError
from pyspiffe.exceptions import ArgumentError
# Default trust domain to run test cases.
trust_domain = TrustDomain("spiffe://any.domain")
# Default authorities to run test cases.
ec_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
authorities = {
'kid1': ec_key,
'kid2': rsa_key,
}
def test_create_jwt_bundle():
jwt_bundle = JwtBundle(trust_domain, authorities)
assert jwt_bundle.trust_domain() == trust_domain
assert len(jwt_bundle.jwt_authorities().keys()) == len(authorities.keys())
def test_create_jwt_bundle_no_trust_domain():
with pytest.raises(JwtBundleError) as exc_info:
JwtBundle(None, authorities)