def test_validate_recently_expired_with_clock_skew_success(self):
recently_expired = (datetime.datetime.now(tz=datetime.timezone.utc) -
datetime.timedelta(minutes=1))
token = jwt.new_raw_jwt(expiration=recently_expired)
validator = jwt.new_validator(clock_skew=datetime.timedelta(minutes=2))
# because of clock_skew, the recently expired token is valid
_jwt_validator.validate(validator, token)
def test_validate_expired_fails(self):
expired = (datetime.datetime.now(tz=datetime.timezone.utc) -
datetime.timedelta(minutes=1))
token = jwt.new_raw_jwt(expiration=expired)
validator = jwt.new_validator()
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_validate_with_fixed_now_valid_success(self): fixed_now = datetime.datetime.fromtimestamp(12345, datetime.timezone.utc) validator = jwt.new_validator(fixed_now=fixed_now) expiration = fixed_now + datetime.timedelta(minutes=1) not_before = fixed_now - datetime.timedelta(minutes=1) token = jwt.new_raw_jwt(expiration=expiration, not_before=not_before) _jwt_validator.validate(validator, token)
def test_validate_not_before_in_the_future_fails(self):
in_the_future = (datetime.datetime.now(tz=datetime.timezone.utc) +
datetime.timedelta(minutes=1))
token = jwt.new_raw_jwt(not_before=in_the_future)
validator = jwt.new_validator()
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_validate_not_before_almost_reached_with_clock_skew_success(self):
in_one_minute = (datetime.datetime.now(tz=datetime.timezone.utc)
+ datetime.timedelta(minutes=1))
token = jwt.new_raw_jwt(not_before=in_one_minute, without_expiration=True)
validator = jwt.new_validator(
allow_missing_expiration=True, clock_skew=datetime.timedelta(minutes=2))
_jwt_validator.validate(validator, token)
def test_validate_with_fixed_now_expired_fails(self):
in_two_minutes = (datetime.datetime.now(tz=datetime.timezone.utc) +
datetime.timedelta(minutes=2))
in_one_minute = in_two_minutes - datetime.timedelta(minutes=1)
token = jwt.new_raw_jwt(expiration=in_one_minute)
validator = jwt.new_validator(fixed_now=in_two_minutes)
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_validate_with_fixed_now_not_yet_valid_fails(self):
two_minutes_ago = (datetime.datetime.now(tz=datetime.timezone.utc) -
datetime.timedelta(minutes=2))
one_minute_ago = two_minutes_ago + datetime.timedelta(minutes=1)
token = jwt.new_raw_jwt(not_before=one_minute_ago)
validator = jwt.new_validator(fixed_now=two_minutes_ago)
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_ignore_audiences_success(self):
validator = jwt.new_validator(
ignore_audiences=True, allow_missing_expiration=True)
token_without_audience = jwt.new_raw_jwt(without_expiration=True)
_jwt_validator.validate(validator, token_without_audience)
token_with_audience = jwt.new_raw_jwt(
audiences=['audience'], without_expiration=True)
_jwt_validator.validate(validator, token_with_audience)
def test_ignore_issuer_success(self):
validator = jwt.new_validator(
ignore_issuer=True, allow_missing_expiration=True)
token_without_issuer = jwt.new_raw_jwt(without_expiration=True)
_jwt_validator.validate(validator, token_without_issuer)
token_with_issuer = jwt.new_raw_jwt(
issuer='issuer', without_expiration=True)
_jwt_validator.validate(validator, token_with_issuer)
def test_ignore_subject_success(self):
validator = jwt.new_validator(
ignore_subject=True, allow_missing_expiration=True)
token_without_subject = jwt.new_raw_jwt(without_expiration=True)
_jwt_validator.validate(validator, token_without_subject)
token_with_subject = jwt.new_raw_jwt(
subject='subject', without_expiration=True)
_jwt_validator.validate(validator, token_with_subject)
def verify_mac_and_decode(
self, compact: Text,
validator: _jwt_validator.JwtValidator) -> _verified_jwt.VerifiedJwt:
"""Verifies, validates and decodes a MACed compact JWT token."""
parts = _jwt_format.split_signed_compact(compact)
unsigned_compact, json_header, json_payload, mac = parts
self._verify_mac(mac, unsigned_compact)
_jwt_format.validate_header(json_header, self._algorithm)
raw_jwt = _raw_jwt.RawJwt.from_json_payload(json_payload)
_jwt_validator.validate(validator, raw_jwt)
return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def verify_mac_and_decode_with_kid(
self, compact: str, validator: _jwt_validator.JwtValidator,
kid: Optional[str]) -> _verified_jwt.VerifiedJwt:
"""Verifies, validates and decodes a MACed compact JWT token."""
parts = _jwt_format.split_signed_compact(compact)
unsigned_compact, json_header, json_payload, mac = parts
self._verify_mac(mac, unsigned_compact)
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header=header,
algorithm=self._algorithm,
tink_kid=kid,
custom_kid=self._custom_kid)
raw_jwt = _raw_jwt.raw_jwt_from_json(
_jwt_format.get_type_header(header), json_payload)
_jwt_validator.validate(validator, raw_jwt)
return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_validate_issued_at_with_clock_skew(self):
in_one_minute = (datetime.datetime.now(tz=datetime.timezone.utc)
+ datetime.timedelta(minutes=1))
token_one_minute_in_the_future = jwt.new_raw_jwt(
issued_at=in_one_minute, without_expiration=True)
validator_without_clock_skew = jwt.new_validator(
expect_issued_in_the_past=True, allow_missing_expiration=True)
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator_without_clock_skew,
token_one_minute_in_the_future)
validator_with_clock_skew = jwt.new_validator(
expect_issued_in_the_past=True,
allow_missing_expiration=True,
clock_skew=datetime.timedelta(minutes=2))
_jwt_validator.validate(validator_with_clock_skew,
token_one_minute_in_the_future)
def verify_mac_and_decode(
self, compact: Text, validator: _jwt_validator.JwtValidator
) -> _verified_jwt.VerifiedJwt:
"""Verifies, validates and decodes a MACed compact JWT token."""
encoded = compact.encode('utf8')
try:
unsigned_compact, encoded_signature = encoded.rsplit(b'.', 1)
except ValueError:
raise _jwt_error.JwtInvalidError('invalid token')
signature = _jwt_format.decode_signature(encoded_signature)
self._verify_mac(signature, unsigned_compact)
try:
encoded_header, encoded_payload = unsigned_compact.split(b'.')
except ValueError:
raise _jwt_error.JwtInvalidError('invalid token')
_jwt_format.validate_header(encoded_header, self._algorithm)
json_payload = _jwt_format.decode_payload(encoded_payload)
raw_jwt = _raw_jwt.RawJwt.from_json_payload(json_payload)
_jwt_validator.validate(validator, raw_jwt)
return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_dont_check_subject_success(self):
validator = jwt.new_validator()
token_without_subject = jwt.new_raw_jwt()
_jwt_validator.validate(validator, token_without_subject)
token_with_subject = jwt.new_raw_jwt(subject='subject')
_jwt_validator.validate(validator, token_with_subject)
def test_validate_not_before_in_the_past_success(self):
in_the_past = (datetime.datetime.now(tz=datetime.timezone.utc) -
datetime.timedelta(minutes=1))
token = jwt.new_raw_jwt(not_before=in_the_past)
validator = jwt.new_validator()
_jwt_validator.validate(validator, token)
def test_requires_issuer_but_no_issuer_set_fails(self):
token = jwt.new_raw_jwt()
validator = jwt.new_validator(issuer='issuer')
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_invalid_issuer_fails(self):
token = jwt.new_raw_jwt(issuer='unknown')
validator = jwt.new_validator(issuer='issuer')
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_validate_not_before_is_now_success(self): now = datetime.datetime.fromtimestamp(12345, datetime.timezone.utc) token = jwt.new_raw_jwt(not_before=now) validator = jwt.new_validator() _jwt_validator.validate(validator, token)
def test_correct_issuer_success(self):
token = jwt.new_raw_jwt(issuer='issuer')
validator = jwt.new_validator(issuer='issuer')
_jwt_validator.validate(validator, token)
def test_validate_not_expired_success(self):
still_valid = (datetime.datetime.now(tz=datetime.timezone.utc) +
datetime.timedelta(minutes=1))
token = jwt.new_raw_jwt(expiration=still_valid)
validator = jwt.new_validator()
_jwt_validator.validate(validator, token)
def test_requires_subject_but_no_subject_set_fails(self):
token = jwt.new_raw_jwt()
validator = jwt.new_validator(subject='subject')
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_dont_check_issuer_success(self):
validator = jwt.new_validator()
token_without_issuer = jwt.new_raw_jwt()
_jwt_validator.validate(validator, token_without_issuer)
token_with_issuer = jwt.new_raw_jwt(issuer='issuer')
_jwt_validator.validate(validator, token_with_issuer)
def test_audience_in_token_but_not_in_validator_fails(self):
validator = jwt.new_validator()
token_with_audience = jwt.new_raw_jwt(audiences=['audience'])
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token_with_audience)
def test_no_audience_success(self):
validator = jwt.new_validator()
token = jwt.new_raw_jwt()
_jwt_validator.validate(validator, token)
def test_correct_audience_success(self):
token = jwt.new_raw_jwt(audiences=['you', 'me'])
validator = jwt.new_validator(audience='me')
_jwt_validator.validate(validator, token)
def test_wrong_audience_fails(self):
token = jwt.new_raw_jwt(audiences=['unknown'])
validator = jwt.new_validator(audience='audience')
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_requires_audience_but_no_audience_set_fails(self):
token = jwt.new_raw_jwt()
validator = jwt.new_validator(audience='audience')
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_invalid_subject_fails(self):
token = jwt.new_raw_jwt(subject='unknown')
validator = jwt.new_validator(subject='subject')
with self.assertRaises(jwt.JwtInvalidError):
_jwt_validator.validate(validator, token)
def test_correct_subject_success(self):
token = jwt.new_raw_jwt(subject='subject')
validator = jwt.new_validator(subject='subject')
_jwt_validator.validate(validator, token)
