def test_validate_aud(self):
id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k')
claims_options = {
'aud': {
'essential': True,
'value': 'foo'
}
}
claims = jwt.decode(id_token, 'k', claims_options=claims_options)
claims.validate()
claims.options = {
'aud': {'values': ['bar']}
}
self.assertRaises(
errors.InvalidClaimError,
claims.validate
)
id_token = jwt.encode({'alg': 'HS256'}, {'aud': ['foo', 'bar']}, 'k')
claims = jwt.decode(id_token, 'k', claims_options=claims_options)
claims.validate()
# no validate
claims.options = {'aud': {'values': []}}
claims.validate()
def test_encode_sensitive_data(self):
# check=False won't raise error
jwt.encode({'alg': 'HS256'}, {'password': ''}, 'k', check=False)
self.assertRaises(errors.InsecureClaimError, jwt.encode,
{'alg': 'HS256'}, {'password': ''}, 'k')
self.assertRaises(errors.InsecureClaimError, jwt.encode,
{'alg': 'HS256'}, {'text': '4242424242424242'}, 'k')
def test_validate_exp(self):
id_token = jwt.encode({'alg': 'HS256'}, {'exp': 'invalid'}, 'k')
claims = jwt.decode(id_token, 'k')
self.assertRaises(errors.InvalidClaimError, claims.validate)
id_token = jwt.encode({'alg': 'HS256'}, {'exp': 1234}, 'k')
claims = jwt.decode(id_token, 'k')
self.assertRaises(errors.ExpiredTokenError, claims.validate)
def test_validate_nbf(self):
id_token = jwt.encode({'alg': 'HS256'}, {'nbf': 'invalid'}, 'k')
claims = jwt.decode(id_token, 'k')
self.assertRaises(errors.InvalidClaimError, claims.validate)
id_token = jwt.encode({'alg': 'HS256'}, {'nbf': 1234}, 'k')
claims = jwt.decode(id_token, 'k')
claims.validate()
id_token = jwt.encode({'alg': 'HS256'}, {'nbf': 1234}, 'k')
claims = jwt.decode(id_token, 'k')
self.assertRaises(errors.InvalidTokenError, claims.validate, 123)
def generate_resource_token(requester, file_path, duration: int,
requested_permissions):
duration = int(duration)
subject = file_path
issuer = requester
audience = "public"
permissions = requested_permissions
issued_at = int(time())
expires_at = issued_at + timedelta(seconds=duration).total_seconds()
token_id = str(uuid4())
secret = current_app.config["JWT_KEY"]
token = jwt.encode(
{
"alg": "HS256",
"typ": "JWT"
},
{
"sub": subject,
"iss": issuer,
"aud": audience,
"permissions": permissions,
"iat": issued_at,
"exp": expires_at,
"jti": token_id,
},
secret,
).decode("utf-8")
return token
def no_claims_token(header, pem):
"""Returns a token, with no claims"""
claims = {}
token = jwt.encode(header, claims, pem)
return token.decode("utf-8")
def auth():
site = session.get('site')
location = session.get('location')
if not site:
abort(400)
if site not in config['sites']:
abort(404)
token = oauth.azuread.authorize_access_token()
user = oauth.azuread.parse_id_token(token)
preferred_username = user["preferred_username"].lower()
usergroup_set = set(user['groups'] or [])
sitegroup_set = set(config['sites'][site]['groups'] or [])
allowed_users = config['sites'][site]['users'] or []
if not (len(usergroup_set.intersection(sitegroup_set)) > 0
or preferred_username in allowed_users):
abort(403,
description=
f"User {preferred_username} has no read access to space {site}.")
header = {'alg': 'HS256'}
payload = {
'iss': 'Gitbook Visitor Authenticator',
'exp': user['exp'], # Use AzureAD token expiry & issuing date
'iat': user['iat'] #
}
key = config['sites'][site]['key']
gitbooktoken = jwt.encode(header, payload, key).decode("utf-8")
redirecturl = f"{config['sites'][site]['url']}{location}?jwt_token={gitbooktoken}"
return redirect(redirecturl)
def generate(self,
grant_type,
client,
user=None,
scope=None,
expires_in=None):
"""Generate a bearer token for OAuth 2.0 authorization token endpoint.
:param client: the client that making the request.
:param grant_type: current requested grant_type.
:param user: current authorized user.
:param expires_in: if provided, use this value as expires_in.
:param scope: current requested scope.
:return: Token dict
"""
token_data = self.get_token_data(grant_type, client, user, scope,
expires_in)
access_token = jwt.encode({'alg': self.alg},
token_data,
key=self.secret_key,
check=False)
token = {
'token_type': 'Bearer',
'access_token': to_native(access_token),
'expires_in': expires_in
}
if scope:
token['scope'] = scope
return token
def auth_token(app) -> str:
"""
{
"sub": "1",
"name": "test",
"permissions": ["read: files", "write: files"],
"iat": 1516239022
}
"""
username = "******"
permissions = [
"read: files",
"write: files",
"read: disk_storage",
"write: disk_storage",
]
token = jwt.encode(
{
"alg": "HS256"
},
{
"sub": 2,
"name": username,
"permissions": permissions
},
app.config["JWT_KEY"],
).decode("utf-8")
return token
def create_jwt_claim(priv_key, payload, alg=None):
if alg is None:
alg = 'RS256'
header = {'alg': alg}
return jwt.encode(header, payload, priv_key)
def generate_token(self, scopes=None, write=False, azp=False, add_claims=True, overrides=None):
if scopes is None:
scopes = []
header = {"typ": "JWT", "alg": "RS512"}
payload = {"iss": "{}".format(CONFIG.AUTH_TOKEN_ISSUER),
"sub": "*****@*****.**",
"aud": ["https://*.{}".format(CONFIG.DNS_DOMAIN), "https://*.local"],
"exp": int(time.time() + 3600),
"iat": int(time.time()),
"scope": " ".join(scopes)}
if azp:
payload["azp"] = str(uuid.uuid4())
else:
payload["client_id"] = str(uuid.uuid4())
nmos_claims = {}
if add_claims:
for api in scopes:
nmos_claims["x-nmos-{}".format(api)] = {"read": ["*"]}
if write:
nmos_claims["x-nmos-{}".format(api)]["write"] = ["*"]
payload.update(nmos_claims)
if overrides:
payload.update(overrides)
key = open(CONFIG.AUTH_TOKEN_PRIVKEY).read()
token = jwt.encode(header, payload, key).decode()
return token
def issue_jwt(filename='../keys/fit.private.key'):
"""
issue_jwt: create jwt based on rsa key file
@input: filename
@output: jwt string
"""
encoded_jwt = None
iat_time = int(time.time()) #when was this jwt issued
nbf_time = iat_time + 1 #valid in one second
exp_time = nbf_time + 60 * 60 * 24 # expires in a day
header = {'alg': 'RS256'}
payload = {
#custom fields
'name': 'John Doe',
'classes': ['BI-HWB', 'BI-PST', 'BI-SI1.2', 'BI-SSB'],
#standard fields
'iss': 'FIT CVUT',
'sub': 'SSB Demo',
'aud': 'https://bi.ssb/demo',
'exp': exp_time,
'nbf': nbf_time,
'iat': iat_time,
'jti': 'JWT ID'
}
with open(filename, 'r') as f:
key = f.read()
encoded_jwt = jwt.encode(header, payload, key)
return encoded_jwt
def create_auth_token(login, auth_data, private_key):
header = {'alg': 'RS256'}
payload = {
'login': login,
'access': auth_data['access'],
}
return jwt.encode(header, payload, private_key)
def gen_access_token():
header = {
"alg": "RS512",
"typ": "JWT"
}
payload = {
"iss": "ap-z420-5.rd.bbc.co.uk",
"sub": "demo",
"nbf": 1581420052,
"exp": 2581420052, # Expires in Year 2051
"aud": "*.rd.bbc.co.uk",
"client_id": "my_client",
"x-nmos-connection": {
"read": ["*"]
},
"x-nmos-registration": {
"read": ["*"],
"write": ["*"]
},
"scope": "connection registration",
"iat": 1581420052
}
return jwt.encode(
header,
payload,
TEST_PRIV_KEY
).decode('utf-8')
def _create_token(
self,
type_token: str,
exp_time: Optional[int],
*,
custom_claims,
) -> str:
# Data section
claims = {
"iat": timezone.now(),
"nbf": timezone.now(),
"jti": str(uuid.uuid4()),
"type": type_token,
**custom_claims,
}
if exp_time:
claims["exp"] = exp_time
if self.issuer:
claims["iss"] = self.issuer
if self.audience:
claims["aud"] = self.audience
key = JsonWebKey.import_key(self.private_key)
headers = {"alg": "RS256", "kid": key.thumbprint()}
return jwt.encode(header=headers, payload=claims, key=key)
def generate_token(self, subject):
"""
Return a tuple of the generated token and its expiration
:param subject:
:return:
"""
if not self.signing_key:
raise OauthNotConfiguredError('SP not configured')
else:
header = {'alg': self.signing_alg}
ts = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc)
expiration_ts = ts + datetime.timedelta(seconds=self.expiration_seconds)
payload = {
'iss': self.issuer,
'sub': subject,
'exp': expiration_ts,
'iat': ts,
'jti': uuid.uuid4().hex
}
return jwt.encode(header=header, payload=payload, key=self.signing_key), expiration_ts
async def token(req: web.Request) -> web.Response:
"""Auth endpoint."""
global nonce, user_eppn, user_family_name, user_given_name
id_token = {
"at_hash": "fSi3VUa5i2o2SgY5gPJZgg",
"sub": "smth",
"eduPersonAffiliation": "member;staff",
"eppn": user_eppn,
"displayName": f"{user_given_name} {user_family_name}",
"iss": "http://*****:*****@test.what;[email protected]",
"auth_time": 1606579533,
"name": f"{user_given_name} {user_family_name}",
"schacHomeOrganization": "test.what",
"exp": 9999999999,
"iat": 1561621913,
"family_name": user_family_name,
"email": user_eppn,
}
data = {
"access_token": "test",
"id_token": jwt.encode(header, id_token, jwk_pair[1]).decode("utf-8")
}
logging.info(data)
return web.json_response(data)
def login():
username = request.json["username"]
password = request.json["password"]
user = service.find_user(username)
successful_login = user is not None and service.does_password_match(
password, user["password"])
if successful_login:
header = {"alg": "HS256"}
payload = {
"sub": user["id"],
"name": user["username"],
"permissions": service.get_user_permissions(user["id"]),
"iat": int(time()),
"exp": int(time()) + timedelta(hours=1).total_seconds(),
}
key = current_app.config["JWT_KEY"]
token = jwt.encode(header, payload, key).decode("utf-8")
current_app.logger.info("User successfully logged in. " +
str({"username": username}))
return {"JWT": token}
current_app.logger.info("User failed to log in. " +
str({"username": username}))
return make_response("Incorrect username or password.", 400)
def generate_id_token(
token, user_info, key, iss, aud, alg='RS256', exp=3600,
nonce=None, auth_time=None, code=None):
now = int(time.time())
if auth_time is None:
auth_time = now
payload = {
'iss': iss,
'aud': aud,
'iat': now,
'exp': now + exp,
'auth_time': auth_time,
}
if nonce:
payload['nonce'] = nonce
if code:
payload['c_hash'] = to_native(create_half_hash(code, alg))
access_token = token.get('access_token')
if access_token:
payload['at_hash'] = to_native(create_half_hash(access_token, alg))
payload.update(user_info)
return to_native(jwt.encode({'alg': alg}, payload, key))
async def send_wrapper(message: Message) -> None:
if message["type"] == "http.response.start":
if scope["session"]:
if "exp" not in scope["session"]:
scope["session"]["exp"] = int(
time.time()) + self.max_age
data = jwt.encode(self.jwt_header, scope["session"],
str(self.jwt_secret.encode))
headers = MutableHeaders(scope=message)
header_value = "%s=%s; path=/; Max-Age=%d; %s" % (
self.session_cookie,
data.decode("utf-8"),
self.max_age,
self.security_flags,
)
if self.domain: # pragma: no cover
header_value += f"; domain={self.domain}"
headers.append("Set-Cookie", header_value)
elif not initial_session_was_empty:
# The session has been cleared.
headers = MutableHeaders(scope=message)
header_value = "%s=%s; %s" % (
self.session_cookie,
"null; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;",
self.security_flags,
)
if self.domain: # pragma: no cover
header_value += f"; domain={self.domain}"
headers.append("Set-Cookie", header_value)
await send(message)
def test_getIdPClients():
"""Try to load external identity provider settings"""
# Try to get identity provider by name
result = idps.getIdProvider("SomeIdP", jwks="my_jwks")
assert result["OK"], result["Message"]
assert result["Value"].jwks == "my_jwks"
assert result["Value"].issuer == "https://idp.url/"
assert result["Value"].client_id == "IdP_client_id"
assert result["Value"].client_secret == "IdP_client_secret"
assert result["Value"].get_metadata("jwks_uri") == "https://idp.url/jwk"
# Try to get identity provider for token issued by it
result = idps.getIdProviderForToken(
jwt.encode(
{
"alg": "HS256"
},
dict(
sub="user",
iss=result["Value"].issuer,
iat=int(time.time()),
exp=int(time.time()) + (12 * 3600),
),
"secret",
).decode("utf-8"))
assert result["OK"], result["Message"]
assert result["Value"].issuer == "https://idp.url/"
def encode_server_token(server):
"""
Generates the Auth Token
:return: string
"""
try:
payload = {
"sub":
server["hostname"],
"aud":
"deployment-api",
"authorization": {
"roles": ["server"]
},
"server_id":
server["id"],
"hostname":
server["hostname"],
"ip":
server["ip"],
"exp":
datetime.datetime.utcnow() +
datetime.timedelta(days=1000, seconds=5),
"iat":
datetime.datetime.utcnow(),
}
return jwt.encode({"alg": "HS256"}, payload, Config.SECRET_KEY)
except:
return None
def genereate_access_token(client, grant_type, user, scope):
"""Generate an access token give a JWT Bearer Grant Token.
OAuth2 has no requirements about what the access token should be.
Since we want the access token to be a JWT we are going to return a
JWT Access Token as described in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-10
"""
provider_account = get_provider_account()
provider_jwk = account_to_jwk(provider_account)
header = {
"typ": "at+JWT",
"alg": "ES256K",
}
claims = {
"iss": provider_account.address,
"client_id": client.address,
"aud": client.resource,
}
if client.service_agreement_id is not None:
claims.update({"sub": client.service_agreement_id})
if client.did is not None:
claims.update({"did": client.did})
if client.execution_id is not None:
claims.update({"execution_id": client.execution_id})
return jwt.encode(header, claims, provider_jwk).decode()
def generate_refresh_token(email: str) -> str:
"""Generate and return a JWT refresh token.
Parameters
----------
email : str
The email address of the user
Returns
-------
str
The generated token
"""
time = datetime.utcnow() + \
timedelta(hours=settings.REFRESH_TOKEN_EXP_TIME)
header = {'alg': 'RS256'}
refresh_token_payload = {
"token_type": "refresh",
'email': email,
'exp': int(time.strftime('%s')),
'iat': datetime.utcnow(),
'jti': make_unique_uuid4_code(),
}
key = read_file(settings.PRIV_REFRESH_TOKEN_KEY)
refresh_token = jwt.encode(
header, refresh_token_payload, key).decode('utf-8')
return refresh_token
def test_post_request_invalid_token_signature(mock_app, pem, monkeypatch, basic_query):
"""test receiving a POST request containing a token that triggers the InvalidTokenError"""
# generate a random token not using the test public key
wrong_token = jwt.encode({"alg": "HS256"}, {"aud": ["foo", "bar"]}, "k").decode(
"utf-8"
)
assert wrong_token
# Monkeypatch Elixir JWT server public key
def mock_public_server(*args, **kwargs):
return pem
# Elixir key is not collected from elixir server, but mocked
monkeypatch.setattr(auth, "elixir_key", mock_public_server)
headers = copy.deepcopy(HEADERS)
headers["Authorization"] = "Bearer " + wrong_token
# When a POST request with the wrong token is sent
response = mock_app.test_client().post(
"/apiv1.0/query?", headers=headers, data=json.dumps(basic_query)
)
data = json.loads(response.data)
# it should return bad signature error
assert response.status_code == 403
assert "bad_signature" in data["errorMessage"]
def generate_access_token(email: str) -> str:
"""Generate and return a JWT access token.
Example: TODO
-------
>>> generate_access_token('*****@*****.**')
>>> "ffer"
Parameters
----------
email : str
The email address of the user
Returns
-------
str
The JWT generated token
"""
time = datetime.utcnow() + \
timedelta(minutes=settings.ACCESS_TOKEN_EXP_TIME)
header = {'alg': 'RS256'}
access_token_payload = {
"token_type": "access",
'email': email,
'exp': int(time.strftime('%s')),
'iat': datetime.utcnow(),
'jti': make_unique_uuid4_code(),
}
key = read_file(settings.PRIV_ACCESS_TOKEN_KEY)
access_token = jwt.encode(
header, access_token_payload, key).decode('utf-8')
return access_token
def test_validate_iat(self):
id_token = jwt.encode({'alg': 'HS256'}, {'iat': 'invalid'}, 'k')
claims = jwt.decode(id_token, 'k')
self.assertRaises(
errors.InvalidClaimError,
claims.validate
)
async def authenticate_user(request):
data = await request.json()
try:
user_name, user_pass = data["user_name"], data["user_pass"]
except KeyError:
raise web.HTTPUnprocessableEntity(text="Not all keys provided!")
users = request.app["user_pass"]
if user_name in users and users[user_name] == user_pass:
private_key = request.app["private_key"]
current_datetime = datetime.utcnow()
expiration_delta = timedelta(seconds=15)
payload = {
'iss': 'Project Agora',
'exp': current_datetime + expiration_delta
}
header = {'alg': 'RS256'}
return web.Response(
text=jwt.encode(header, payload, private_key).decode())
else:
raise web.HTTPUnprocessableEntity(
text="Invalid username/password combination")
def generate_token(self, subject):
"""
Return a tuple of the generated token and its expiration
:param subject:
:return:
"""
if not self.signing_key:
raise OauthNotConfiguredError("SP not configured")
else:
header = {"alg": self.signing_alg}
ts = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc)
expiration_ts = ts + datetime.timedelta(seconds=self.expiration_seconds)
payload = {
"iss": self.issuer,
"sub": subject,
"exp": expiration_ts,
"iat": ts,
"jti": uuid.uuid4().hex,
}
return (
jwt.encode(header=header, payload=payload, key=self.signing_key),
expiration_ts,
)
def jwtCreater(pl='',
secret='xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6',
header={
"alg": "HS256",
"typ": "JWT"
}) -> str:
return jwt.encode(header, pl, secret).decode('utf-8')
