def test_kid_header_not_present_when_not_provided(self):
enc = ALGORITHMS.A256CBC_HS512
alg = ALGORITHMS.RSA_OAEP_256
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg)
header = json.loads(
six.ensure_str(base64url_decode(encrypted.split(".")[0])))
assert "kid" not in header
def test_alg_enc_headers(self):
enc = ALGORITHMS.A256CBC_HS512
alg = ALGORITHMS.RSA_OAEP_256
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg)
header = json.loads(base64url_decode(encrypted.split(b".")[0]))
assert header["enc"] == enc
assert header["alg"] == alg
def test_zip_header_present_when_provided(self):
enc = ALGORITHMS.A256CBC_HS512
alg = ALGORITHMS.RSA_OAEP_256
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.DEF)
header = json.loads(
six.ensure_str(base64url_decode(encrypted.split(".")[0])))
assert header["zip"] == ZIPS.DEF
def test_zip_header_not_present_when_none(self):
enc = ALGORITHMS.A256CBC_HS512
alg = ALGORITHMS.RSA_OAEP_256
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg,
zip=ZIPS.NONE)
header = json.loads(six.ensure_str(base64url_decode(encrypted.split(b".")[0])))
assert "zip" not in header
def test_cty_header_present_when_provided(self):
enc = ALGORITHMS.A256CBC_HS512
alg = ALGORITHMS.RSA_OAEP_256
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg,
cty="expected")
header = json.loads(six.ensure_str(base64url_decode(encrypted.split(b".")[0])))
assert header["cty"] == "expected"
def test_encrypt_decrypt_aes_kw(self, alg, enc, zip):
if alg == ALGORITHMS.A128KW:
key = OCT_128_BIT_KEY
elif alg == ALGORITHMS.A192KW:
key = OCT_192_BIT_KEY
elif alg == ALGORITHMS.A256KW:
key = OCT_256_BIT_KEY
else:
pytest.fail(f"I don't know how to handle enc {alg}")
expected = b"Live long and prosper."
jwe_value = jwe.encrypt(expected[:], key, enc, alg, zip)
actual = jwe.decrypt(jwe_value, key)
assert actual == expected
def test_rfc7516_appendix_b_direct(self, monkeypatch):
algorithm = ALGORITHMS.DIR
encryption = ALGORITHMS.A128CBC_HS256
key = bytes(
bytearray(
[
4,
211,
31,
197,
84,
157,
252,
254,
11,
100,
157,
250,
63,
170,
106,
206,
107,
124,
212,
45,
111,
107,
9,
219,
200,
177,
0,
240,
143,
156,
44,
207,
]
)
)
plain_text = b"Live long and prosper."
expected_iv = bytes(bytearray([3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101]))
for backend in backends:
monkeypatch.setattr(backend, "get_random_bytes", lambda x: expected_iv if x == 16 else key)
expected = b"eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..AxY8DCtDaGlsbGljb3RoZQ.KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.BIiCkt8mWOVyJOqDMwNqaQ"
actual = jwe.encrypt(plain_text, key, encryption, algorithm)
assert actual == expected
def test_encrypt_decrypt_dir_kw(self, enc, zip):
if enc == ALGORITHMS.A128GCM:
key = OCT_128_BIT_KEY
elif enc == ALGORITHMS.A192GCM:
key = OCT_192_BIT_KEY
elif enc in (ALGORITHMS.A128CBC_HS256, ALGORITHMS.A256GCM):
key = OCT_256_BIT_KEY
elif enc == ALGORITHMS.A192CBC_HS384:
key = OCT_384_BIT_KEY
elif enc == ALGORITHMS.A256CBC_HS512:
key = OCT_512_BIT_KEY
else:
pytest.fail(f"I don't know how to handle enc {enc}")
expected = b"Live long and prosper."
jwe_value = jwe.encrypt(expected[:], key, enc, ALGORITHMS.DIR, zip)
actual = jwe.decrypt(jwe_value, key)
assert actual == expected
def generate_password_reset_token(email: str, password: str) -> str:
delta = timedelta(hours=settings.EMAIL_RESET_TOKEN_EXPIRE_HOURS)
now = datetime.utcnow()
expires = now + delta
exp = expires.timestamp()
encoded_password = jwe.encrypt(
password,
settings.SECRET_KEY,
encryption=constants.Algorithms.A256CBC_HS512)
encoded_jwt = jwt.encode(
{
"exp": exp,
"nbf": now,
"sub": email,
"password": encoded_password.decode("utf-8"),
},
settings.SECRET_KEY,
algorithm="HS256",
)
return encoded_jwt
async def login(credentials: Credentials, request: Request):
if credentials.username is not None and credentials.password is not None:
authentication_api_hosts = \
await get_authentication_endpoint(credentials.username)
for authentication_api_host in authentication_api_hosts:
if authentication_api_host:
headers = {'content-type': 'application/json'}
authentication_response = requests.post(
authentication_api_host,
data=credentials.json(),
headers=headers)
if authentication_response.status_code == 200:
exp: datetime = \
datetime.now(tz=pytz.UTC) + timedelta(days=1)
token = jwe.encrypt(plaintext=Token(
username=credentials.username,
password=credentials.password,
exp=exp.timestamp()).json(),
key=request.state.secret_key,
algorithm='dir',
encryption='A256GCM')
return token
raise HTTPException(detail='authentication failed', status_code=403)
def test_encrypt_decrypt_rsa_kw(self, alg, enc, zip):
expected = b"Live long and prosper."
jwe_value = jwe.encrypt(expected[:], PUBLIC_KEY_PEM, enc, alg, zip)
actual = jwe.decrypt(jwe_value, PRIVATE_KEY_PEM)
assert actual == expected