def test_get_assertion_info(self):
    """get_assertion_info() exposes principal/audience and rejects garbage.

    The fixture is a sample BrowserID assertion wrapped over several lines
    for readability; the whitespace is removed before it is handed to the
    helper.  Only structural decoding is exercised here -- the test never
    asserts anything about signature or expiry validity.
    """
    raw_assertion = """
        eyJjZXJ0aWZpY2F0ZXMiOlsiZXlKaGJHY2lPaUpTVXpFeU9DSjkuZXlKcGMzTWlPaUppY
        205M2MyVnlhV1F1YjNKbklpd2laWGh3SWpveE16SXhPVFF4T1Rnek1EVXdMQ0p3ZFdKc2
        FXTXRhMlY1SWpwN0ltRnNaMjl5YVhSb2JTSTZJbEpUSWl3aWJpSTZJamd4TmpreE5UQTB
        OVGswTkRVek5EVTFPREF4TlRreU5Ea3hNemsyTkRFNE56RTJNVFUwTkRNNE5EWXdPREl6
        TXpBMU1USXlPRGN3TURRNE56TTFNREk1TURrek16a3lNRFkzTURFMU1qQTBORGd6TWpVM
        U56WXdOREE1TnpFeU9EYzNNVGswT1RVek1UQXdNVFEyTkRVek56TTJOakU0TlRVek5EY3
        hNakkxT0RreU16TTFPRFV4TWpZNU1EQXdOREF5TVRrMk9ERTBNRGtpTENKbElqb2lOalU
        xTXpjaWZTd2ljSEpwYm1OcGNHRnNJanA3SW1WdFlXbHNJam9pY25saGJrQnlabXN1YVdR
        dVlYVWlmWDAua19oaEtYMFRCVnUyX2szbV9uRDVOVWJfTktwX19PLTY1MW1CRUl3S1NZZ
        GlOenQwQm9WRkNEVEVueEhQTWJCVjJaejk0WDgtLVRjVXJidEV0MWV1S1dWdjMtNTFUOU
        xBZnV6SEhfekNCUXJVbmxkMVpXSmpBM185ZEhQeTMwZzRMSU9YZTJWWmd0T1Nva3MyZFE
        4ZDNvazlSUTJQME5ERzB1MDBnN3lGejE4Il0sImFzc2VydGlvbiI6ImV5SmhiR2NpT2lK
        U1V6WTBJbjAuZXlKbGVIQWlPakV6TWpFNU1qazBOelU0TWprc0ltRjFaQ0k2SW1oMGRIQ
        TZMeTl0ZVdaaGRtOXlhWFJsWW1WbGNpNXZjbWNpZlEuQWhnS2Q0eXM0S3FnSGJYcUNSS3
        hHdlluVmFJOUwtb2hYSHk0SVBVWDltXzI0TWdfYlU2aGRIMTNTNnFnQy1vSHBpS3BfTGl
        6cDRGRjlUclBjNjBTRXcifQ
    """
    # Collapse the wrapped literal back into the single base64 token.
    assertion = "".join(raw_assertion.split())

    info = get_assertion_info(assertion)
    self.assertEqual(info["principal"]["email"], "*****@*****.**")
    self.assertEqual(info["audience"], "http://myfavoritebeer.org")

    # Anything that is not a well-formed assertion must be rejected with
    # ValueError rather than decoded into a partial result.
    for garbage in ("JUNK", "X", "\x00\x01\x02"):
        self.assertRaises(ValueError, get_assertion_info, garbage)

    # Well-formed JSON that is not an assertion is rejected the same way.
    bad_assertion = encode_json_bytes({"fake": "assertion"})
    self.assertRaises(ValueError, get_assertion_info, bad_assertion)
def _process_vep_assertion(self, request):
    """Exchange a VEP assertion for some session credentials.

    This method extracts a submitted VEP assertion, validates it and
    establishes a new session token and secret.  These are returned to
    the user so that they can sign subsequent requests as belonging to
    this session.

    On a non-GET request a 405 response is stashed in the WSGI environ and
    None is returned; every other failure is delegated to the
    ``_respond_unauthorized`` / ``_respond_bad_request`` helpers.  The
    successful tail of the method (turning ``data`` into a session) is not
    part of this listing.
    """
    # Make sure they're using a GET request.
    # The 405 is handed back through repoze.who's "application" hook rather
    # than raised; the caller is expected to serve it as the response.
    # NOTE(review): a 405 should advertise the permitted methods in an
    # ``Allow`` header; none is set here.
    if request.method != "GET":
        resp = Response()
        resp.status = 405
        resp.content_type = "text/plain"
        resp.body = "token requests must get GET"
        request.environ["repoze.who.application"] = resp
        return None
    # Make sure they're sending an Authorization header.
    if not request.authorization:
        msg = "you must provide an authorization header"
        return self._respond_unauthorized(request, msg)
    # Grab the assertion from the Authorization header.
    # NOTE(review): this relies on ``request.authorization`` already being
    # parsed into a two-tuple; a header that parses to anything else would
    # raise here instead of producing a 400 -- confirm against the request
    # class in use.
    scheme, assertion = request.authorization
    if scheme.lower() != "browser-id":
        msg = "The auth scheme \"%s\" is not supported" % (scheme, )
        return self._respond_bad_request(request, msg.encode("utf8"))
    # Extract the audience, so we can check against wildcards.
    # The audience is read from the still-unverified assertion, so this is
    # only a cheap pre-filter that rejects obviously wrong audiences before
    # the verifier is consulted; the verifier is expected to enforce the
    # audience again -- confirm that it does.
    try:
        audience = get_assertion_info(assertion)["audience"]
    except (ValueError, KeyError):
        return self._respond_bad_request(request, "invalid assertion")
    if not self._check_audience(request, audience):
        msg = "The audience \"%s\" is not acceptable" % (audience, )
        return self._respond_bad_request(request, msg.encode("utf8"))
    # Verify the assertion and find out who they are.
    # NOTE(review): the verifier's exception text is echoed to the client
    # via ``str(e)``; depending on the verifier that may expose internal
    # detail.  A fixed client-facing message with the detail logged
    # server-side would be the conservative choice.
    # ``except Exception, e`` is Python 2-only syntax (``as e`` in 2.6+/3).
    try:
        data = self.verifier.verify(assertion)
    except Exception, e:
        msg = "Invalid BrowserID assertion: " + str(e)
        return self._respond_bad_request(request, msg)
def _process_vep_assertion(self, request):
    """Exchange a VEP assertion for some session credentials.

    This method extracts a submitted VEP assertion, validates it and
    establishes a new session token and secret.  These are returned to
    the user so that they can sign subsequent requests as belonging to
    this session.

    On a non-GET request a 405 response is stashed in the WSGI environ and
    None is returned; every other failure is delegated to the
    ``_respond_unauthorized`` / ``_respond_bad_request`` helpers.  The
    successful tail of the method (turning ``data`` into a session) is not
    part of this listing.
    """
    # Make sure they're using a GET request.
    # The 405 is handed back through repoze.who's "application" hook rather
    # than raised; the caller is expected to serve it as the response.
    # NOTE(review): a 405 should advertise the permitted methods in an
    # ``Allow`` header; none is set here.
    if request.method != "GET":
        resp = Response()
        resp.status = 405
        resp.content_type = "text/plain"
        resp.body = "token requests must get GET"
        request.environ["repoze.who.application"] = resp
        return None
    # Make sure they're sending an Authorization header.
    if not request.authorization:
        msg = "you must provide an authorization header"
        return self._respond_unauthorized(request, msg)
    # Grab the assertion from the Authorization header.
    # NOTE(review): this relies on ``request.authorization`` already being
    # parsed into a two-tuple; a header that parses to anything else would
    # raise here instead of producing a 400 -- confirm against the request
    # class in use.
    scheme, assertion = request.authorization
    if scheme.lower() != "browser-id":
        msg = "The auth scheme \"%s\" is not supported" % (scheme,)
        return self._respond_bad_request(request, msg.encode("utf8"))
    # Extract the audience, so we can check against wildcards.
    # The audience is read from the still-unverified assertion, so this is
    # only a cheap pre-filter that rejects obviously wrong audiences before
    # the verifier is consulted; the verifier is expected to enforce the
    # audience again -- confirm that it does.
    try:
        audience = get_assertion_info(assertion)["audience"]
    except (ValueError, KeyError):
        return self._respond_bad_request(request, "invalid assertion")
    if not self._check_audience(request, audience):
        msg = "The audience \"%s\" is not acceptable" % (audience,)
        return self._respond_bad_request(request, msg.encode("utf8"))
    # Verify the assertion and find out who they are.
    # NOTE(review): the verifier's exception text is echoed to the client
    # via ``str(e)``; depending on the verifier that may expose internal
    # detail.  A fixed client-facing message with the detail logged
    # server-side would be the conservative choice.
    # ``except Exception, e`` is Python 2-only syntax (``as e`` in 2.6+/3).
    try:
        data = self.verifier.verify(assertion)
    except Exception, e:
        msg = "Invalid BrowserID assertion: " + str(e)
        return self._respond_bad_request(request, msg)