def test_token_with_ext_cxt(self):
    ''' valid user token with "ext_cxt" property: the SYSTEM/JOBSCHEDULER
    token is the signed input token itself and differs from the HDB token '''
    config = uaa_configs.VALID['uaa_new_token_structure']
    context = xssec.create_security_context(
        sign(jwt_payloads.TOKEN_NEW_FORMAT), config)
    self._check_hdb_token(context)
    scheduler_token = context.get_token(
        xssec.constants.SYSTEM, xssec.constants.JOBSCHEDULER)
    # sign() is expected to be deterministic here: the same payload signed
    # again must equal the token handed out for the job scheduler.
    self.assertEqual(scheduler_token, sign(jwt_payloads.TOKEN_NEW_FORMAT))
    self.assertNotEqual(context.get_hdb_token(), scheduler_token)
def test_valid_end_user_token_no_attr(self):
    ''' Test valid end-user token without attributes: the context reports no
    attributes and no clone service instance id '''
    token = sign(jwt_payloads.USER_TOKEN_NO_ATTR)
    context = xssec.create_security_context(token, uaa_configs.VALID['uaa'])
    self._check_user_token(context)
    self.assertFalse(context.has_attributes())
    self.assertIsNone(context.get_clone_service_instance_id())
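def test_token_with_ext_cxt_invalid_validation_key(self):
    ''' valid user token with "ext_cxt" property, invalid validation key:
    offline validation must fail with a RuntimeError '''
    token = sign(jwt_payloads.TOKEN_NEW_FORMAT)
    config = uaa_configs.INVALID['uaa_verificationkey_invalid']
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(token, config)
    # assertIn shows both the needle and the actual message on failure,
    # whereas assertTrue(x in y) only reports "False is not true".
    self.assertIn('Error in offline validation of access token:',
                  str(raised.exception))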
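def test_expired_end_user_token(self):
    ''' Test expired end-user token: offline validation rejects it and the
    error message mentions the expiry '''
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(
            sign(jwt_payloads.USER_TOKEN_EXPIRED),
            uaa_configs.VALID['uaa'])
    message = str(raised.exception)
    # Two separate assertIn calls pinpoint which part of the message is
    # missing; the original combined both into one assertTrue(... and ...).
    self.assertIn('Error in offline validation of access token:', message)
    self.assertIn('expired', message)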
def test_valid_client_credentials_token_no_attributes(self):
    ''' valid client credentials token (no attributes): the additional auth
    attribute "external_group" is absent '''
    token = sign(jwt_payloads.CLIENT_CREDENTIALS_TOKEN_NO_ATTR)
    context = xssec.create_security_context(
        token, uaa_configs.VALID['uaa_cc'])
    self._check_client_credentials_token(context)
    external_group = context.get_additional_auth_attribute('external_group')
    self.assertIsNone(external_group)
def test_valid_end_user_token_with_ext_attr(self):
    ''' Test valid end-user token whose given_name/family_name live in
    ext_attr: both names are read from there '''
    token = sign(jwt_payloads.USER_TOKEN_NAMES_IN_EXT_ATTR)
    context = xssec.create_security_context(token, uaa_configs.VALID['uaa'])
    given_name = context.get_given_name()
    family_name = context.get_family_name()
    self.assertEqual(given_name, 'NodetestFirstNameExtAttr')
    self.assertEqual(family_name, 'NodetestLastNameExtAttr')
def test_req_client_for_user_401_error(self):
    ''' request_token_for_client against the /401 endpoint of the local
    flask helper surfaces the expected error message '''
    token = sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER)
    context = xssec.create_security_context(token, uaa_configs.VALID['uaa'])
    expected_message = (
        'Bearer token invalid, requesting client does'
        ' not have grant_type=user_token or no scopes were granted.'
    )
    endpoint = flask_url + '/401'
    self._request_token_for_client_error(context, endpoint, expected_message)
def test_req_client_for_user(self):
    ''' request_token_for_client against the /correct endpoint of the local
    flask helper returns the access token '''
    token = sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER)
    context = xssec.create_security_context(token, uaa_configs.VALID['uaa'])
    # Placeholder credentials for the local test server, not real secrets.
    service_credentials = dict(
        clientid='clientid',
        clientsecret='clientsecret',
        url=flask_url + '/correct',
    )
    requested = context.request_token_for_client(service_credentials, None)
    self.assertEqual(requested, 'access_token')
def test_get_token_with_invalid_parameters(self):
    ''' valid user token with "ext_cxt" property: get_token yields None for
    an unknown namespace or an unknown token name '''
    context = xssec.create_security_context(
        sign(jwt_payloads.TOKEN_NEW_FORMAT),
        uaa_configs.VALID['uaa_new_token_structure'])
    self._check_hdb_token(context)
    bad_namespace = context.get_token('invalid', xssec.constants.JOBSCHEDULER)
    self.assertIsNone(bad_namespace)
    bad_name = context.get_token(xssec.constants.SYSTEM, 'invalid')
    self.assertIsNone(bad_name)
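def test_invalid_signature_end_user_token(self):
    ''' Test end-user token with a tampered signature: offline validation
    must reject it '''
    header, payload, _signature = sign(jwt_payloads.USER_TOKEN).split('.')
    # Replace only the signature segment with a bogus value so header and
    # payload stay well-formed; validation must still fail.
    invalid_token = '.'.join((header, payload, 'aW52YWxpZAo'))
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(invalid_token, uaa_configs.VALID['uaa'])
    # assertIn reports the actual message on failure, unlike assertTrue(in).
    self.assertIn('Error in offline validation of access token:',
                  str(raised.exception))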
def test_request_token_for_client_missing_uaa_user_scope(self):
    ''' Test valid end-user token without attributes: request_token_for_client
    fails because the token lacks the uaa.user scope '''
    context = xssec.create_security_context(
        sign(jwt_payloads.USER_TOKEN_NO_ATTR),
        uaa_configs.VALID['uaa'])
    expected_message = 'JWT token does not include scope "uaa.user"'
    self._request_token_for_client_error(
        context, flask_url + '/500', expected_message)
def test_valid_client_credentials_token_attributes(self):
    ''' valid client credentials token (with attributes): external_group and
    the clone service instance id are exposed '''
    token = sign(jwt_payloads.CLIENT_CREDENTIALS_TOKEN)
    context = xssec.create_security_context(
        token, uaa_configs.VALID['uaa_cc'])
    self._check_client_credentials_token(context)
    external_group = context.get_additional_auth_attribute('external_group')
    self.assertEqual(external_group, 'domaingroup1')
    self.assertEqual(context.get_clone_service_instance_id(), 'abcd1234')
def test_not_trusted_jku(self):
    ''' a token whose jku points to a domain other than the configured one
    and for which no verification key is configured must be rejected '''
    config = uaa_configs.VALID['uaa_no_verification_key_other_domain']
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(sign(jwt_payloads.USER_TOKEN), config)
    self.assertEqual(str(raised.exception), "JKU of token is not trusted")
def _check_token_in_foreign_mode_error(self, cid, idz, uaa_config_name):
    ''' Helper: with a one-entry SAP_JWT_TRUST_ACL of (cid, idz), creating a
    context for USER_TOKEN_NO_ATTR under the named config must fail with
    the "No match found in JWT trust ACL" error '''
    # NOTE(review): SAP_JWT_TRUST_ACL is set here and not reset in this
    # helper; presumably setUp/tearDown resets it — confirm.
    acl_entry = {'clientid': cid, 'identityzone': idz}
    environ['SAP_JWT_TRUST_ACL'] = json.dumps([acl_entry])
    config = uaa_configs.VALID[uaa_config_name]
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(
            sign(jwt_payloads.USER_TOKEN_NO_ATTR), config)
    prefix = 'No match found in JWT trust ACL (SAP_JWT_TRUST_ACL)'
    self.assertTrue(str(raised.exception).startswith(prefix))
def test_valid_end_user_token_with_attr(self):
    ''' Test valid end-user token with attributes: country, clone service
    instance id and external_group are readable '''
    context = xssec.create_security_context(
        sign(jwt_payloads.USER_TOKEN), uaa_configs.VALID['uaa'])
    self._check_user_token(context)
    self.assertTrue(context.has_attributes())
    self.assertEqual(context.get_attribute('country'), ['USA'])
    self.assertEqual(context.get_clone_service_instance_id(), 'abcd1234')
    external_group = context.get_additional_auth_attribute('external_group')
    self.assertEqual(external_group, 'domaingroup1')
def test_valid_application_plan_with_trustedclientidsuffix(self):
    ''' valid application plan with shared tenant mode, defined via
    SAP_JWT_TRUST_ACL: a wildcard ACL accepts a token whose client id suffix
    does not match the configured one '''
    # A "*"/"*" ACL trusts every client id and identity zone; this is what
    # makes the otherwise-mismatched token below acceptable. The same
    # token/config pair with a non-matching ACL is rejected in
    # test_invalid_application_plan_with_trustedclientidsuffix.
    # NOTE(review): the env var is not reset here; presumably setUp/tearDown
    # handles it — confirm.
    environ['SAP_JWT_TRUST_ACL'] = json.dumps(
        [{'clientid': '*', 'identityzone': '*'}])
    config = uaa_configs.INVALID['uaa_broker_plan_wrong_suffix']
    context = xssec.create_security_context(
        sign(jwt_payloads.INVALID_TRUSTED_APPLICATION_PLAN_TOKEN), config)
    self.assertEqual(context.get_clientid(), 'sb-tenant-test!t13')
    self.assertEqual(context.get_identity_zone(), 'api')
    self.assertEqual(context.get_zone_id(), 'api')
def test_valid_client_credentials_broker_plan_token_with_wrong_trustedclientidsuffix(
        self):
    ''' valid client credentials broker plan token with wrong
    trustedclientidsuffix: without a JWT trust ACL in the environment the
    client id / identity zone mismatch is reported verbatim '''
    token = sign(jwt_payloads.CLIENT_CREDENTIALS_BROKER_PLAN_TOKEN)
    config = uaa_configs.INVALID['uaa_broker_plan_wrong_suffix']
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(token, config)
    # The expected text (including the "Missmatch" spelling) is the
    # library's own message and must be kept byte-for-byte.
    expected_message = (
        'Missmatch of client id and/or identityzone id. No JWT trust ACL (SAP_JWT_TRUST_ACL) specified in environment. '
        'Client id of the access token: "sb-xssectestclone!b4|sb-xssectest!b4", identity zone of the access token: '
        '"test-idz", OAuth client id: "sb-xssectest!t4", application identity zone: "test-idz".'
    )
    self.assertEqual(expected_message, str(raised.exception))
def test_invalid_application_plan_with_trustedclientidsuffix(self):
    ''' invalid application plan with SAP_JWT_TRUST_ACL: an ACL entry whose
    client id does not match the token leads to rejection '''
    # NOTE(review): the env var is not reset here; presumably setUp/tearDown
    # handles it — confirm.
    acl_entry = {'clientid': 'wrong-tenant', 'identityzone': 'api'}
    environ['SAP_JWT_TRUST_ACL'] = json.dumps([acl_entry])
    config = uaa_configs.INVALID['uaa_broker_plan_wrong_suffix']
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(
            sign(jwt_payloads.INVALID_TRUSTED_APPLICATION_PLAN_TOKEN), config)
    prefix = 'No match found in JWT trust ACL (SAP_JWT_TRUST_ACL)'
    self.assertTrue(str(raised.exception).startswith(prefix))
def test_valid_end_user_token_in_foreign_mode_idz(self):
    ''' valid end-user token in foreign mode (idz - correct SAP_JWT_TRUST_ACL):
    foreign mode is reported, auth attributes are readable, no HDB token but
    an app token is available '''
    # Kept as the literal JSON string the original used (not json.dumps) so
    # the environment value is byte-identical.
    # NOTE(review): the env var is not reset here; presumably setUp/tearDown
    # handles it — confirm.
    environ['SAP_JWT_TRUST_ACL'] = (
        '[{"clientid":"sb-xssectest","identityzone":"test-idz"}]')
    context = xssec.create_security_context(
        sign(jwt_payloads.USER_TOKEN),
        uaa_configs.VALID['uaa_foreign_idz'])
    self.assertTrue(context.is_in_foreign_mode())
    external_group = context.get_additional_auth_attribute('external_group')
    self.assertEqual(external_group, 'domaingroup1')
    self.assertIsNone(context.get_additional_auth_attribute('hugo'))
    # In foreign mode only the app token is handed out, not the HDB token.
    self.assertIsNone(context.get_hdb_token())
    self.assertIsNotNone(context.get_app_token())
def _check_token_in_foreign_mode(self, cid, idz, uaa_config_name):
    ''' Helper: with a SAP_JWT_TRUST_ACL whose second entry is (cid, idz),
    USER_TOKEN_NO_ATTR under the named config yields a context in foreign
    mode that still exposes HDB and app tokens '''
    # The first entry never matches; it checks that the ACL is searched
    # beyond its first element.
    # NOTE(review): the env var is not reset here; presumably setUp/tearDown
    # handles it — confirm.
    acl = [
        {'clientid': 'other-clientid', 'identityzone': 'other-idz'},
        {'clientid': cid, 'identityzone': idz},
    ]
    environ['SAP_JWT_TRUST_ACL'] = json.dumps(acl)
    context = xssec.create_security_context(
        sign(jwt_payloads.USER_TOKEN_NO_ATTR),
        uaa_configs.VALID[uaa_config_name])
    self.assertTrue(context.is_in_foreign_mode())
    self.assertIsNotNone(context.get_hdb_token())
    self.assertIsNotNone(context.get_app_token())
def test_valid_end_user_saml_bearer_token(self):
    ''' valid end-user saml bearer token: openid scope, user info, HDB
    token, SAML2 bearer grant type and zone ids are all as expected '''
    context = xssec.create_security_context(
        sign(jwt_payloads.USER_SAML_BEARER_TOKEN),
        uaa_configs.VALID['uaa_bearer'])
    self.assertTrue(context.check_scope('openid'))
    self._check_user_info(context)
    self._check_hdb_token(context)
    self.assertEqual(context.get_grant_type(),
                     xssec.constants.GRANTTYPE_SAML2BEARER)
    # identity zone, zone id and subaccount id all resolve to the same value
    for zone_value in (context.get_identity_zone(),
                       context.get_zone_id(),
                       context.get_subaccount_id()):
        self.assertEqual(zone_value, 'test-idz')
    self.assertIsNone(context.get_subdomain())
    self.assertFalse(context.is_in_foreign_mode())
def test_invalid_jku_in_token_header(self):
    ''' a jku header that merely contains the configured uaadomain after an
    "@" and a run of backslashes must not be trusted: the check has to be on
    the parsed host, not on a substring or suffix match '''
    config = uaa_configs.VALID['uaa']
    crafted_jku = (
        'http://ana.ondemandh.com\\\\\\\\\\\\\\\\@' + config['uaadomain'])
    token = sign(jwt_payloads.USER_TOKEN,
                 headers={"jku": crafted_jku, "kid": "key-id-0"})
    with self.assertRaises(RuntimeError) as raised:
        xssec.create_security_context(token, config)
    self.assertEqual(str(raised.exception), "JKU of token is not trusted")
def _check_client_credentials_broker_plan(self):
    ''' Helper: a client credentials broker plan token under the
    'uaa_broker_plan' config carries the resource scopes, an HDB token, no
    attributes, the client-credential grant type and the expected ids '''
    context = xssec.create_security_context(
        sign(jwt_payloads.CLIENT_CREDENTIALS_BROKER_PLAN_TOKEN),
        uaa_configs.VALID['uaa_broker_plan'])
    for scope in ('$XSAPPNAME.resource', 'uaa.resource'):
        self.assertTrue(context.check_scope(scope))
    self._check_hdb_token(context)
    # has_attributes() is asserted to be None (not False) for this token.
    self.assertIsNone(context.has_attributes())
    self.assertIsNone(context.get_attribute('country'))
    self.assertEqual(context.get_grant_type(),
                     xssec.constants.GRANTTYPE_CLIENTCREDENTIAL)
    for zone_value in (context.get_identity_zone(),
                       context.get_zone_id(),
                       context.get_subaccount_id()):
        self.assertEqual(zone_value, 'test-idz')
    self.assertEqual(context.get_clientid(),
                     'sb-xssectestclone!b4|sb-xssectest!b4')
    self.assertIsNone(context.get_subdomain())
    self.assertFalse(context.is_in_foreign_mode())
def test_get_verification_key_from_uaa(self, mock_requests):
    ''' when the config carries no verification key, the key is fetched
    from the UAA over HTTP (mocked via mock_requests) exactly once, with the
    library's HTTP timeout, and the token then validates normally '''
    from sap.xssec.key_cache import KeyCache
    # Start from an empty cache so the fetch is not short-circuited by a
    # key cached by an earlier test.
    xssec.SecurityContext.verificationKeyCache = KeyCache()
    response = MagicMock()
    response.json.return_value = HTTP_SUCCESS
    mock_requests.return_value = response
    context = xssec.create_security_context(
        sign(jwt_payloads.USER_TOKEN),
        uaa_configs.VALID['uaa_no_verification_key'])
    self._check_user_token(context)
    self.assertTrue(context.has_attributes())
    self.assertEqual(context.get_attribute('country'), ['USA'])
    self.assertEqual(context.get_clone_service_instance_id(), 'abcd1234')
    external_group = context.get_additional_auth_attribute('external_group')
    self.assertEqual(external_group, 'domaingroup1')
    # A bounded timeout on the key fetch is part of the contract under test.
    mock_requests.assert_called_once_with(
        "https://api.cf.test.com", timeout=constants.HTTP_TIMEOUT_IN_SECONDS)
def test_valid_end_user_application_plan_token(self):
    ''' valid end-user application plan token: scope checks (global and
    local), user info, HDB token, password grant type and zone ids '''
    context = xssec.create_security_context(
        sign(jwt_payloads.USER_APPLICATION_PLAN_TOKEN),
        uaa_configs.VALID['uaa_application_plan'])
    for scope in ('openid', '$XSAPPNAME.resource'):
        self.assertTrue(context.check_scope(scope))
    self.assertFalse(context.check_scope('cloud_controller.nonexistingscope'))
    self.assertTrue(context.check_local_scope('resource'))
    self.assertFalse(context.check_local_scope('nonexistingscope'))
    self._check_user_info(context)
    self._check_hdb_token(context)
    self.assertIsNone(context.get_attribute('hugo'))
    self.assertIsNone(context.get_additional_auth_attribute('hugo'))
    self.assertEqual(context.get_grant_type(),
                     xssec.constants.GRANTTYPE_PASSWORD)
    for zone_value in (context.get_identity_zone(),
                       context.get_zone_id(),
                       context.get_subaccount_id()):
        self.assertEqual(zone_value, 'test-idz')
    self.assertIsNone(context.get_subdomain())
    self.assertFalse(context.is_in_foreign_mode())
def test_req_client_for_user_500_error(self):
    ''' request_token_for_client against the /500 endpoint of the local
    flask helper reports the HTTP status code '''
    token = sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER)
    context = xssec.create_security_context(token, uaa_configs.VALID['uaa'])
    endpoint = flask_url + '/500'
    self._request_token_for_client_error(
        context, endpoint, 'HTTP status code: 500')
def test_valid_xsa_token_with_newlines(self):
    ''' valid XSA-format token under the 'uaa_xsa_with_newlines' config:
    the logon name is still parsed correctly '''
    token = sign(jwt_payloads.TOKEN_XSA_FORMAT)
    config = uaa_configs.VALID['uaa_xsa_with_newlines']
    context = xssec.create_security_context(token, config)
    self.assertEqual(context.get_logon_name(), 'ADMIN')