def test_delete_chained_service_key(self):
# No Authorization header should yield a 400
self.deleteResponse('key_server.delete_service_key',
expected_code=400,
service='sample_service',
kid='kid1')
# Generate two keys.
private_key, _ = model.service_keys.generate_service_key(
'sample_service', None, kid='kid123')
model.service_keys.generate_service_key('sample_service',
None,
kid='kid321')
# Mint a JWT with our test payload
token = jwt.encode(self._get_test_jwt_payload(),
private_key.exportKey('PEM'),
'RS256',
headers={'kid': 'kid123'})
# Using the credentials of our second key, attempt tp delete our unapproved key
self.deleteResponse('key_server.delete_service_key',
headers={'Authorization': 'Bearer %s' % token},
expected_code=403,
service='sample_service',
kid='kid321')
# Approve the second key.
model.service_keys.approve_service_key(
'kid123', ServiceKeyApprovalType.SUPERUSER, approver=1)
# Using the credentials of our approved key, delete our unapproved key
with assert_action_logged('service_key_delete'):
self.deleteEmptyResponse(
'key_server.delete_service_key',
headers={'Authorization': 'Bearer %s' % token},
expected_code=204,
service='sample_service',
kid='kid321')
# Attempt to delete a key signed by a key from a different service
bad_token = jwt.encode(self._get_test_jwt_payload(),
private_key.exportKey('PEM'),
'RS256',
headers={'kid': 'kid5'})
self.deleteResponse('key_server.delete_service_key',
headers={'Authorization': 'Bearer %s' % bad_token},
expected_code=403,
service='sample_service',
kid='kid123')
# Delete a self-signed, approved key
with assert_action_logged('service_key_delete'):
self.deleteEmptyResponse(
'key_server.delete_service_key',
headers={'Authorization': 'Bearer %s' % token},
expected_code=204,
service='sample_service',
kid='kid123')
def test_delete_unapproved_service_key(self):
# No Authorization header should yield a 400
self.deleteResponse(
"key_server.delete_service_key", expected_code=400, service="sample_service", kid="kid1"
)
# Generate an unapproved key.
private_key, _ = model.service_keys.generate_service_key(
"sample_service", None, kid="unapprovedkeyhere"
)
# Mint a JWT with our test payload
token = jwt.encode(
self._get_test_jwt_payload(),
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
),
"RS256",
headers={"kid": "unapprovedkeyhere"},
)
# Delete our unapproved key with itself.
with assert_action_logged("service_key_delete"):
self.deleteEmptyResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % token.decode("ascii")},
expected_code=204,
service="sample_service",
kid="unapprovedkeyhere",
)
def test_delete_unapproved_service_key(self):
# No Authorization header should yield a 400
self.deleteResponse('key_server.delete_service_key',
expected_code=400,
service='sample_service',
kid='kid1')
# Generate an unapproved key.
private_key, _ = model.service_keys.generate_service_key(
'sample_service', None, kid='unapprovedkeyhere')
# Mint a JWT with our test payload
token = jwt.encode(self._get_test_jwt_payload(),
private_key.exportKey('PEM'),
'RS256',
headers={'kid': 'unapprovedkeyhere'})
# Delete our unapproved key with itself.
with assert_action_logged('service_key_delete'):
self.deleteEmptyResponse(
'key_server.delete_service_key',
headers={'Authorization': 'Bearer %s' % token},
expected_code=204,
service='sample_service',
kid='unapprovedkeyhere')
def test_delete_unapproved_service_key(self):
# No Authorization header should yield a 400
self.deleteResponse("key_server.delete_service_key",
expected_code=400,
service="sample_service",
kid="kid1")
# Generate an unapproved key.
private_key, _ = model.service_keys.generate_service_key(
"sample_service", None, kid="unapprovedkeyhere")
# Mint a JWT with our test payload
token = jwt.encode(
self._get_test_jwt_payload(),
private_key.exportKey("PEM"),
"RS256",
headers={"kid": "unapprovedkeyhere"},
)
# Delete our unapproved key with itself.
with assert_action_logged("service_key_delete"):
self.deleteEmptyResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % token.decode("ascii")},
expected_code=204,
service="sample_service",
kid="unapprovedkeyhere",
)
def test_attempt_delete_service_key_with_expired_key(self):
# Generate two keys, approving the first.
private_key, _ = model.service_keys.generate_service_key(
"sample_service", None, kid="first"
)
model.service_keys.approve_service_key(
"first", ServiceKeyApprovalType.SUPERUSER, approver=1
)
model.service_keys.generate_service_key("sample_service", None, kid="second")
# Mint a JWT with our test payload
token = jwt.encode(
self._get_test_jwt_payload(),
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
),
"RS256",
headers={"kid": "first"},
)
# Set the expiration of the first to now - some time.
model.service_keys.set_key_expiration("first", datetime.utcnow() - timedelta(seconds=100))
# Using the credentials of our second key, attempt to delete our unapproved key
self.deleteResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % token.decode("ascii")},
expected_code=403,
service="sample_service",
kid="second",
)
# Set the expiration to the future and delete the key.
model.service_keys.set_key_expiration("first", datetime.utcnow() + timedelta(seconds=100))
with assert_action_logged("service_key_delete"):
self.deleteEmptyResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % token.decode("ascii")},
expected_code=204,
service="sample_service",
kid="second",
)
def test_attempt_delete_service_key_with_expired_key(self):
# Generate two keys, approving the first.
private_key, _ = model.service_keys.generate_service_key(
'sample_service', None, kid='first')
model.service_keys.approve_service_key(
'first', ServiceKeyApprovalType.SUPERUSER, approver=1)
model.service_keys.generate_service_key('sample_service',
None,
kid='second')
# Mint a JWT with our test payload
token = jwt.encode(self._get_test_jwt_payload(),
private_key.exportKey('PEM'),
'RS256',
headers={'kid': 'first'})
# Set the expiration of the first to now - some time.
model.service_keys.set_key_expiration(
'first',
datetime.utcnow() - timedelta(seconds=100))
# Using the credentials of our second key, attempt to delete our unapproved key
self.deleteResponse('key_server.delete_service_key',
headers={'Authorization': 'Bearer %s' % token},
expected_code=403,
service='sample_service',
kid='second')
# Set the expiration to the future and delete the key.
model.service_keys.set_key_expiration(
'first',
datetime.utcnow() + timedelta(seconds=100))
with assert_action_logged('service_key_delete'):
self.deleteEmptyResponse(
'key_server.delete_service_key',
headers={'Authorization': 'Bearer %s' % token},
expected_code=204,
service='sample_service',
kid='second')
def test_put_service_key(self):
# No Authorization header should yield a 400
self.putResponse('key_server.put_service_key',
service='sample_service',
kid='kid420',
expected_code=400)
# Mint a JWT with our test payload
private_key = RSA.generate(2048)
jwk = RSAKey(key=private_key.publickey()).serialize()
payload = self._get_test_jwt_payload()
token = jwt.encode(payload, private_key.exportKey('PEM'), 'RS256')
# Invalid service name should yield a 400.
self.putResponse('key_server.put_service_key',
service='sample service',
kid='kid420',
headers={
'Authorization': 'Bearer %s' % token,
'Content-Type': 'application/json',
},
data=jwk,
expected_code=400)
# Publish a new key
with assert_action_logged('service_key_create'):
self.putResponse('key_server.put_service_key',
service='sample_service',
kid='kid420',
headers={
'Authorization': 'Bearer %s' % token,
'Content-Type': 'application/json',
},
data=jwk,
expected_code=202)
# Ensure that the key exists but is unapproved.
self.getResponse('key_server.get_service_key',
service='sample_service',
kid='kid420',
expected_code=409)
# Attempt to rotate the key. Since not approved, it will fail.
token = jwt.encode(payload,
private_key.exportKey('PEM'),
'RS256',
headers={'kid': 'kid420'})
self.putResponse('key_server.put_service_key',
service='sample_service',
kid='kid6969',
headers={
'Authorization': 'Bearer %s' % token,
'Content-Type': 'application/json',
},
data=jwk,
expected_code=403)
# Approve the key.
model.service_keys.approve_service_key(
'kid420', ServiceKeyApprovalType.SUPERUSER, approver=1)
# Rotate that new key
with assert_action_logged('service_key_rotate'):
token = jwt.encode(payload,
private_key.exportKey('PEM'),
'RS256',
headers={'kid': 'kid420'})
self.putResponse('key_server.put_service_key',
service='sample_service',
kid='kid6969',
headers={
'Authorization': 'Bearer %s' % token,
'Content-Type': 'application/json',
},
data=jwk,
expected_code=200)
# Rotation should only work when signed by the previous key
private_key = RSA.generate(2048)
jwk = RSAKey(key=private_key.publickey()).serialize()
token = jwt.encode(payload,
private_key.exportKey('PEM'),
'RS256',
headers={'kid': 'kid420'})
self.putResponse('key_server.put_service_key',
service='sample_service',
kid='kid6969',
headers={
'Authorization': 'Bearer %s' % token,
'Content-Type': 'application/json',
},
data=jwk,
expected_code=403)
def test_delete_chained_service_key(self):
# No Authorization header should yield a 400
self.deleteResponse(
"key_server.delete_service_key", expected_code=400, service="sample_service", kid="kid1"
)
# Generate two keys.
private_key, _ = model.service_keys.generate_service_key(
"sample_service", None, kid="kid123"
)
model.service_keys.generate_service_key("sample_service", None, kid="kid321")
# Mint a JWT with our test payload
token = jwt.encode(
self._get_test_jwt_payload(),
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
),
"RS256",
headers={"kid": "kid123"},
)
# Using the credentials of our second key, attempt tp delete our unapproved key
self.deleteResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % token.decode("ascii")},
expected_code=403,
service="sample_service",
kid="kid321",
)
# Approve the second key.
model.service_keys.approve_service_key(
"kid123", ServiceKeyApprovalType.SUPERUSER, approver=1
)
# Using the credentials of our approved key, delete our unapproved key
with assert_action_logged("service_key_delete"):
self.deleteEmptyResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % token.decode("ascii")},
expected_code=204,
service="sample_service",
kid="kid321",
)
# Attempt to delete a key signed by a key from a different service
bad_token = jwt.encode(
self._get_test_jwt_payload(),
private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
),
"RS256",
headers={"kid": "kid5"},
)
self.deleteResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % bad_token.decode("ascii")},
expected_code=403,
service="sample_service",
kid="kid123",
)
# Delete a self-signed, approved key
with assert_action_logged("service_key_delete"):
self.deleteEmptyResponse(
"key_server.delete_service_key",
headers={"Authorization": "Bearer %s" % token.decode("ascii")},
expected_code=204,
service="sample_service",
kid="kid123",
)
def test_put_service_key(self):
# No Authorization header should yield a 400
self.putResponse(
"key_server.put_service_key", service="sample_service", kid="kid420", expected_code=400
)
# Mint a JWT with our test payload
jwk = JsonWebKey.generate_key("RSA", 2048, is_private=True)
private_pem = jwk.get_private_key().private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
payload = self._get_test_jwt_payload()
token = jwt.encode(payload, private_pem, "RS256")
# Invalid service name should yield a 400.
self.putResponse(
"key_server.put_service_key",
service="sample service",
kid="kid420",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk.as_dict(),
expected_code=400,
)
# Publish a new key
with assert_action_logged("service_key_create"):
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid420",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk.as_dict(),
expected_code=202,
)
# Ensure that the key exists but is unapproved.
self.getResponse(
"key_server.get_service_key", service="sample_service", kid="kid420", expected_code=409
)
# Attempt to rotate the key. Since not approved, it will fail.
token = jwt.encode(payload, private_pem, "RS256", headers={"kid": "kid420"})
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid6969",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk.as_dict(),
expected_code=403,
)
# Approve the key.
model.service_keys.approve_service_key(
"kid420", ServiceKeyApprovalType.SUPERUSER, approver=1
)
# Rotate that new key
with assert_action_logged("service_key_rotate"):
token = jwt.encode(payload, private_pem, "RS256", headers={"kid": "kid420"})
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid6969",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk.as_dict(),
expected_code=200,
)
# Rotation should only work when signed by the previous key
jwk = JsonWebKey.generate_key("RSA", 2048, is_private=True)
private_pem = jwk.get_private_key().private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption(),
)
token = jwt.encode(payload, private_pem, "RS256", headers={"kid": "kid420"})
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid6969",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk.as_dict(),
expected_code=403,
)
def test_put_service_key(self):
# No Authorization header should yield a 400
self.putResponse("key_server.put_service_key",
service="sample_service",
kid="kid420",
expected_code=400)
# Mint a JWT with our test payload
private_key = RSA.generate(2048)
jwk = RSAKey(key=private_key.publickey()).serialize()
payload = self._get_test_jwt_payload()
token = jwt.encode(payload, private_key.exportKey("PEM"), "RS256")
# Invalid service name should yield a 400.
self.putResponse(
"key_server.put_service_key",
service="sample service",
kid="kid420",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk,
expected_code=400,
)
# Publish a new key
with assert_action_logged("service_key_create"):
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid420",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk,
expected_code=202,
)
# Ensure that the key exists but is unapproved.
self.getResponse("key_server.get_service_key",
service="sample_service",
kid="kid420",
expected_code=409)
# Attempt to rotate the key. Since not approved, it will fail.
token = jwt.encode(payload,
private_key.exportKey("PEM"),
"RS256",
headers={"kid": "kid420"})
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid6969",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk,
expected_code=403,
)
# Approve the key.
model.service_keys.approve_service_key(
"kid420", ServiceKeyApprovalType.SUPERUSER, approver=1)
# Rotate that new key
with assert_action_logged("service_key_rotate"):
token = jwt.encode(payload,
private_key.exportKey("PEM"),
"RS256",
headers={"kid": "kid420"})
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid6969",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk,
expected_code=200,
)
# Rotation should only work when signed by the previous key
private_key = RSA.generate(2048)
jwk = RSAKey(key=private_key.publickey()).serialize()
token = jwt.encode(payload,
private_key.exportKey("PEM"),
"RS256",
headers={"kid": "kid420"})
self.putResponse(
"key_server.put_service_key",
service="sample_service",
kid="kid6969",
headers={
"Authorization": "Bearer %s" % token.decode("ascii"),
"Content-Type": "application/json",
},
data=jwk,
expected_code=403,
)
