def test_jwe_ignores_expired_token_if_validate_claims_is_false(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, validate_claims=False)
def test_jwe(self): bad_key = {'k': RSA.generate(2048).exportKey('PEM')} for (alg, jwk), enc in product(self.algs, self.encs): jwe = jose.spec_compliant_encrypt(claims, rsa_pub_key, enc=enc, alg=alg) # make sure the body can't be loaded as json (should be encrypted) try: json.loads(jose.b64decode_url(jwe.ciphertext)) self.fail() except ValueError: pass token = jose.serialize_compact(jwe) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(token), rsa_priv_key) self.assertNotIn(jose._TEMP_VER_KEY, claims) self.assertEqual(jwt.claims, claims) # invalid key try: jose.spec_compliant_decrypt(jose.deserialize_compact(token), bad_key) self.fail() except jose.Error as e: self.assertEqual(e.message, 'Incorrect decryption.')
def test_jwe_no_error_with_iat_claim(self): claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=20)
def test_jwe_invalid_base64(self): try: jose.spec_compliant_decrypt('aaa', rsa_priv_key) self.fail() # expecting error due to invalid base64 except jose.Error as e: pass self.assertEqual(e.args[0], 'Unable to decode base64: Incorrect padding')
def test_jwe_invalid_base64(self): try: jose.spec_compliant_decrypt('aaa', rsa_priv_key) self.fail() # expecting error due to invalid base64 except jose.Error as e: pass self.assertEquals( e.args[0], 'Unable to decode base64: Incorrect padding' )
def test_decrypt_invalid_compression_error(self): with mock.patch.dict(jose.COMPRESSION, {'BAD': jose.COMPRESSION['DEF']}): jwe = jose.spec_compliant_encrypt(claims, rsa_pub_key, add_header={'zip': 'BAD'}) try: jose.spec_compliant_decrypt(jwe, rsa_priv_key) self.fail() except jose.Error as e: self.assertEqual( e.message, 'Unsupported compression algorithm: BAD')
def test_jwe_expired_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting expired token except jose.Expired as e: pass self.assertEqual( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME])))
def test_jwe_not_yet_valid_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting not valid yet except jose.NotYetValid as e: pass self.assertEqual( e.args[0], 'Token not valid until {}'.format( jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE])))
def test_jwe_not_yet_valid_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting not valid yet except jose.NotYetValid as e: pass self.assertEquals( e.args[0], 'Token not valid until {}'.format( jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE]) ) )
def test_jwe_expired_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting expired token except jose.Expired as e: pass self.assertEquals( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME]) ) )
def test_jwe_expired_error_with_iat_claim(self): expiry_seconds = 10 claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=expiry_seconds) self.fail() # expecting expired token except jose.Expired as e: pass expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds self.assertEqual( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(expiration_time)))
def test_jwe_add_header(self): add_header = {'foo': 'bar'} for (alg, jwk), enc in product(self.algs, self.encs): et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key, add_header=add_header)) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.assertEqual(jwt.header['foo'], add_header['foo'])
def test_jwe_expired_error_with_iat_claim(self): expiry_seconds = 10 claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=expiry_seconds) self.fail() # expecting expired token except jose.Expired as e: pass expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds self.assertEquals( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(expiration_time) ) )
def test_jwe_compression(self): local_claims = copy(claims) for v in xrange(1000): local_claims['dummy_' + str(v)] = '0' * 100 jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key)) _, _, _, uncompressed_ciphertext, _ = jwe.split('.') jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key, add_header={'zip': 'DEF'})) _, _, _, compressed_ciphertext, _ = jwe.split('.') self.assertTrue( len(compressed_ciphertext) < len(uncompressed_ciphertext)) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(jwe), rsa_priv_key) self.assertEqual(jwt.claims, local_claims)
def test_jwe_compression(self): local_claims = copy(claims) for v in xrange(1000): local_claims['dummy_' + str(v)] = '0' * 100 jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key) ) _, _, _, uncompressed_ciphertext, _ = jwe.split('.') jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key, add_header={'zip': 'DEF'}) ) _, _, _, compressed_ciphertext, _ = jwe.split('.') self.assertTrue(len(compressed_ciphertext) < len(uncompressed_ciphertext)) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(jwe), rsa_priv_key) self.assertEqual(jwt.claims, local_claims)
def test_jwe_no_error_with_iat_claim(self): claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=20)
def test_jwe_no_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) - 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_no_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) + 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_ignores_expired_token_if_validate_claims_is_false(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, validate_claims=False)