def test_encrypt_invalid_compression_error(self): try: jose.spec_compliant_encrypt(claims, rsa_pub_key, add_header={'zip':'BAD'}) self.fail() except jose.Error: pass
def test_jwe(self): bad_key = {'k': RSA.generate(2048).exportKey('PEM')} for (alg, jwk), enc in product(self.algs, self.encs): jwe = jose.spec_compliant_encrypt(claims, rsa_pub_key, enc=enc, alg=alg) # make sure the body can't be loaded as json (should be encrypted) try: json.loads(jose.b64decode_url(jwe.ciphertext)) self.fail() except ValueError: pass token = jose.serialize_compact(jwe) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(token), rsa_priv_key) self.assertNotIn(jose._TEMP_VER_KEY, claims) self.assertEqual(jwt.claims, claims) # invalid key try: jose.spec_compliant_decrypt(jose.deserialize_compact(token), bad_key) self.fail() except jose.Error as e: self.assertEqual(e.message, 'Incorrect decryption.')
def test_jwe_decrypt_compliant_not_before(self): # not valid for another hour. claim_not_before = int(time()) + 3600 claims = {jose.CLAIM_NOT_BEFORE: claim_not_before} jwe = jose.spec_compliant_encrypt(claims, rsa_pub_key) legacy_patch = mock.patch.object( jose, 'legacy_decrypt', wraps=jose.legacy_decrypt ) spec_patch = mock.patch.object( jose, 'spec_compliant_decrypt', wraps=jose.spec_compliant_decrypt ) with legacy_patch as legacy_mock, spec_patch as spec_mock: with self.assertRaises(jose.NotYetValid) as not_valid_error: jose.decrypt(jwe, rsa_priv_key) # when the error is expiry, we should not fall back to legacy. self.assertEqual(legacy_mock.call_count, 1) self.assertEqual(spec_mock.call_count, 1) self.assertEqual( not_valid_error.exception.message, 'Token not valid until {}'.format( jose._format_timestamp(claim_not_before) ) )
def test_jwe_decrypt_compliant_expiry(self): expiry_seconds = 10 claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} jwe = jose.spec_compliant_encrypt(claims, rsa_pub_key) legacy_patch = mock.patch.object( jose, 'legacy_decrypt', wraps=jose.legacy_decrypt ) spec_patch = mock.patch.object( jose, 'spec_compliant_decrypt', wraps=jose.spec_compliant_decrypt ) with legacy_patch as legacy_mock, spec_patch as spec_mock: with self.assertRaises(jose.Expired) as expiry_error: jose.decrypt(jwe, rsa_priv_key, expiry_seconds=expiry_seconds) expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds # when the error is expiry, we should not fall back to legacy. self.assertEqual(legacy_mock.call_count, 1) self.assertEqual(spec_mock.call_count, 1) self.assertEqual( expiry_error.exception.message, 'Token expired at {}'.format( jose._format_timestamp(expiration_time) ) )
def test_jwe_ignores_expired_token_if_validate_claims_is_false(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, validate_claims=False)
def test_jwe_no_error_with_iat_claim(self): claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=20)
def test_jwe_add_header(self): add_header = {'foo': 'bar'} for (alg, jwk), enc in product(self.algs, self.encs): et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key, add_header=add_header)) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.assertEqual(jwt.header['foo'], add_header['foo'])
def test_decrypt_invalid_compression_error(self): with mock.patch.dict(jose.COMPRESSION, {'BAD': jose.COMPRESSION['DEF']}): jwe = jose.spec_compliant_encrypt(claims, rsa_pub_key, add_header={'zip': 'BAD'}) try: jose.spec_compliant_decrypt(jwe, rsa_priv_key) self.fail() except jose.Error as e: self.assertEqual( e.message, 'Unsupported compression algorithm: BAD')
def test_jwe_compression(self): local_claims = copy(claims) for v in xrange(1000): local_claims['dummy_' + str(v)] = '0' * 100 jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key)) _, _, _, uncompressed_ciphertext, _ = jwe.split('.') jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key, add_header={'zip': 'DEF'})) _, _, _, compressed_ciphertext, _ = jwe.split('.') self.assertTrue( len(compressed_ciphertext) < len(uncompressed_ciphertext)) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(jwe), rsa_priv_key) self.assertEqual(jwt.claims, local_claims)
def test_jwe_compression(self): local_claims = copy(claims) for v in xrange(1000): local_claims['dummy_' + str(v)] = '0' * 100 jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key) ) _, _, _, uncompressed_ciphertext, _ = jwe.split('.') jwe = jose.serialize_compact( jose.spec_compliant_encrypt(local_claims, rsa_pub_key, add_header={'zip': 'DEF'}) ) _, _, _, compressed_ciphertext, _ = jwe.split('.') self.assertTrue(len(compressed_ciphertext) < len(uncompressed_ciphertext)) jwt = jose.spec_compliant_decrypt(jose.deserialize_compact(jwe), rsa_priv_key) self.assertEqual(jwt.claims, local_claims)
def test_jwe_not_yet_valid_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting not valid yet except jose.NotYetValid as e: pass self.assertEqual( e.args[0], 'Token not valid until {}'.format( jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE])))
def test_jwe_expired_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting expired token except jose.Expired as e: pass self.assertEqual( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME])))
def test_jwe_not_yet_valid_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) + 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting not valid yet except jose.NotYetValid as e: pass self.assertEquals( e.args[0], 'Token not valid until {}'.format( jose._format_timestamp(claims[jose.CLAIM_NOT_BEFORE]) ) )
def test_jwe_expired_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key) self.fail() # expecting expired token except jose.Expired as e: pass self.assertEquals( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(claims[jose.CLAIM_EXPIRATION_TIME]) ) )
def test_jwe_expired_error_with_iat_claim(self): expiry_seconds = 10 claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact( jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=expiry_seconds) self.fail() # expecting expired token except jose.Expired as e: pass expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds self.assertEqual( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(expiration_time)))
def test_jwe_expired_error_with_iat_claim(self): expiry_seconds = 10 claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) try: jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=expiry_seconds) self.fail() # expecting expired token except jose.Expired as e: pass expiration_time = claims[jose.CLAIM_ISSUED_AT] + expiry_seconds self.assertEquals( e.args[0], 'Token expired at {}'.format( jose._format_timestamp(expiration_time) ) )
def test_jwe_no_error_with_nbf_claim(self): claims = {jose.CLAIM_NOT_BEFORE: int(time()) - 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_ignores_expired_token_if_validate_claims_is_false(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) - 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, validate_claims=False)
def test_jwe_no_error_with_exp_claim(self): claims = {jose.CLAIM_EXPIRATION_TIME: int(time()) + 5} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key)
def test_jwe_no_error_with_iat_claim(self): claims = {jose.CLAIM_ISSUED_AT: int(time()) - 15} et = jose.serialize_compact(jose.spec_compliant_encrypt(claims, rsa_pub_key)) jose.spec_compliant_decrypt(jose.deserialize_compact(et), rsa_priv_key, expiry_seconds=20)