class AccessToken: """ Access Token Util Class""" def __init__(self): self.__instance = JWT() self.__algorithm = "RS256" with open(get_root() + 'auth' + os.sep + 'jwtRS256_private.pem', 'rb') as fh: self.__signing_key = jwk_from_pem(fh.read()) with open(get_root() + 'auth' + os.sep + 'jwtRS256_public.pem', 'rb') as fh: self.__verifying_key = jwk_from_pem(fh.read()) def create_access_token(self, *, data: dict, expires_delta: timedelta = None) -> str: """Create Access Token Using JWT with RSA256 Encryption""" to_encode = data.copy() if expires_delta: expire = datetime.utcnow() + expires_delta else: expire = datetime.utcnow() + timedelta(minutes=15) to_encode.update({"ist": get_int_from_datetime(datetime.utcnow())}) to_encode.update({"exp": get_int_from_datetime(expire)}) encoded_jwt = self.__instance.encode(to_encode, self.__signing_key, self.__algorithm) return encoded_jwt def decode_access_token(self, *, token: str) -> Dict: """ Decode Access Token """ return self.__instance.decode(token, self.__verifying_key, do_time_check=False) def generate_password_reset_token(self, email: str) -> str: """ Generate Access Token for password Reset email""" delta = timedelta(hours=EmailSettings.EMAIL_RESET_TOKEN_EXPIRE_HOURS) now = datetime.utcnow() expires = now + delta encoded_jwt = self.__instance.encode( { "exp": get_int_from_datetime(expires), "ist": get_int_from_datetime(now), "sub": email }, self.__signing_key, alg=self.__algorithm, ) return encoded_jwt def verify_password_reset_token(self, token: str) -> Dict: """ Decode Access Token """ return self.__instance.decode(token, self.__verifying_key, do_time_check=False)
def decorated_function(*args, **kwargs): token = request.headers.get('token') responseUnauthorized = make_response(jsonify({ 'status': 'ng', 'data': {} }), 401) if token == None: #Return unauthorize response return responseUnauthorized try: with open('rsa_public_key.pem', 'rb') as fh: verifying_key = jwk_from_pem(fh.read()) jwt = JWT() data = jwt.decode(token, verifying_key) logging.info(data) user_id = data['data']['user_id'] user = User.query.filter_by(id = user_id).first() user = user_schema.dump(user).data if user == {}: return responseUnauthorized request.user = user except: #Return unauthorize response return responseUnauthorized return f(*args, **kwargs)
def verify_token(token): jwt = JWT() with open('public.pem', 'rb') as fh: public_key = jwk_from_pem(fh.read()) payload = jwt.decode(token, public_key) return payload
def token_validate(jwt): # create jwt instance and get all daily public keys jwt_object = JWT() pub_keys = get_microsoft_pub_keys() # get kid from header in jwt real_kid = get_kid(jwt) # default username and dec_msg username = None dec_msg = ValidationMsg.NO_KEY_FOUND # check every public key looking for one used for signing this jwt for p_key in pub_keys.get('keys'): if p_key.get('kid') == real_kid: # assemble jwk jwk_dict = { 'kty': p_key['kty'], 'e': p_key['e'], 'n': p_key['n'] } jwk = jwk_from_dict(jwk_dict) try: # perform decoding of the jwt while verifying integrity, authenticity and expiration dec_payload = jwt_object.decode(jwt, jwk, do_time_check=True) dec_msg = ValidationMsg.SUCCESS username = dec_payload['preferred_username'] except: # an error occurred while validating the jwt dec_msg = ValidationMsg.FAILED return username, dec_msg
def index(): access_token = oidc.get_access_token() if access_token != None: jwt = JWT() info = jwt.decode(access_token, do_verify=False) return jsonify(info) else: return "uh oh"
def check_jwt_token(self, value): obj = JWT() data = None try: data = obj.decode(value, key=self.verifying_key) except Exception as e: print(e) return data
class TokenDecoder: def __init__(self): self.key_number = None self.keys = None self.jwt = JWT() self.last_key_fetch = 0 self.min_key_fetch_time_range = 300.0 def decode(self, token): logger.info("Checking token: {}".format(token)) if not self.keys: self.keys = get_keys_from_dex() self.last_key_fetch = time.time() logger.info("Fetched keys from dex") if self.key_number: try: logger.debug("Trying to decode key number {}".format( self.key_number)) return self.jwt.decode(token, self.keys[self.key_number]) except Exception as e: logger.info("Failed to decode token with default key") logger.debug(e) pass for idx, key in enumerate(self.keys): try: logger.info("Trying key number : {}".format(idx)) decoded = self.jwt.decode(token, key) self.key_number = idx logger.info("Decoded") return decoded except Exception as e: logger.info("Failed to decode token, reason: {}".format( str(e))) stacktrace = traceback.format_exc() logger.debug(stacktrace) pass logger.info("Failed to verify token with any available key") if self.last_key_fetch < time.time() - self.min_key_fetch_time_range: logger.info("Fetching new keys from dex and trying again") self.keys = None return self.decode(token) return None
def get_exp(token): jwt = JWT() keys_cache = KeyCache(OAUTH_PROVIDERS, datetime.timedelta(minutes=10)) keys = keys_cache.get_keys() for key in keys: try: user_info = jwt.decode(token, key['key']) return datetime.datetime.utcfromtimestamp(user_info['exp']) except Exception as e: # todo catch only corresponding exceptions here pass return None
def get_jwt(): if "auth" not in request.cookies: return False jwt = JWT() try: if "none" not in base64.urlsafe_b64decode(request.cookies["auth"].split(".")[0] + "========").decode("utf-8").lower(): msg = jwt.decode(request.cookies["auth"], jwk.OctetJWK(bytes(JWT_SECRET, "utf-8"))) else: msg = json.loads(base64.urlsafe_b64decode(request.cookies["auth"].split(".")[1] + "========").decode("utf-8")) except Exception as e: print(e) return False return msg
def validate_access_token(self): error = "" instance = JWT() for key in self._openid_conf["signing_keys"]: try: # Validate token and return claims verifying_key = jwk_from_dict(key) return instance.decode( self.token["access_token"], verifying_key, do_time_check=True ) except JWTDecodeError as exc: error = str(exc) raise OAuth2Error(error)
def get_system_user_ticket(self, sys_token, context_id): """ returns Ticket credential string. Attributes ---------- sys_token : str the tenant-specific system user token. context_id : str the customer identifier, i.e. Cust12345. """ time_utc = datetime.utcnow() time_formatted = datetime.strftime(time_utc, "%Y%m%d%H%M") system_token = sys_token + '.' + time_formatted key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.private_key) signature = crypto.sign(key, system_token, 'sha256') signed_system_token = system_token + "." + \ b64encode(signature).decode('UTF-8') headers = OrderedDict([('ApplicationToken', self.application_token), ('ContextIdentifier', context_id)]) client = Client('file:%s' % self.wsdl_path) client.set_options(soapheaders=headers) client.set_options( location='https://{env}.superoffice.com/{endpoint}'.format( env=self.environment, endpoint=self.login_endpoint)) token_type = client.factory.create('TokenType')['Jwt'] response = client.service.Authenticate(signed_system_token, token_type) if response.IsSuccessful == True: jwt_token = response.Token print('Reponse: ' + str(response)) jwt = JWT() jwksResponse = requests.get( 'https://{env}.superoffice.com/login/.well-known/jwks'.format( env=self.environment)) jwks = json.loads(jwksResponse.text) verifying_key = jwk_from_dict(jwks['keys'][0]) message_received = jwt.decode(jwt_token, verifying_key) return str(message_received[ 'http://schemes.superoffice.net/identity/ticket']) return 'Failed!'
def verify_token(token): region = 'eu-west-2' userpool_id = 'eu-west-2_6Mn0M2i9C' keys_url = 'https://cognito-idp.{}.amazonaws.com/{}/.well-known/jwks.json'.format( region, userpool_id) response = requests.get(keys_url).json() try: for key in response["keys"]: verifying_key = jwk_from_dict(key) jwt = JWT() return jwt.decode(token, verifying_key) except Exception as e: print(e) return None
def loadCredentials(config): if not config["tokenfile"]: quit("You have to provide a token file.") logging.CRITICAL("You have to provide a token file.") else: logging.debug(f"Reading token info from: <{config['tokenfile']}>") with open(config["tokenfile"], "r") as f: token = json.load(f) config["access_token"] = token["access_token"] config["refresh_token"] = token["refresh_token"] token = JWT() decoded_token = token.decode(config["access_token"], do_verify=False, algorithms="HS256") config["user_id"] = decoded_token["user_id"]
class TokenHandler: def __init__(self): self.jwt = JWT() self.key = get_key() def generate_token(self, user): payload = { 'id': user.id, 'username': user.username, 'admin': user.is_staff } return {'token': self.jwt.encode(payload, self.key, 'RS256')} def decode_token(self, token): return self.jwt.decode(token, self.key, 'RS256') def get_user_id_token(self, token): payload = self.decode_token(token) return payload["id"]
def get_user_from_req(): auth_header = request.headers.get('Authorization') if auth_header: auth_token = auth_header.split(" ")[1] else: auth_token = '' if auth_token: jwt = JWT() m = jwt.decode(auth_token, jwt_key_pub) user_id = m['sub'] user = datastore.find_user_by_id(user_id) now = datetime.now() exp = datetime.utcfromtimestamp(m['exp']) if m['iss'] == 'dc_games' and user and exp > now: return user else: return None else: return None
def obtainCredentials(config): logger.info("Getting auth token") if config["verbose"]: logging.info("Getting auth token") if (config["clientid"] and config["clientsecret"] and config["username"] and config["password"]): if config["verbose"]: logging.info("All required parameters passed for auth token") url = "https://api.flumetech.com/oauth/token" payload = ('{"grant_type":"password","client_id":"' + config["clientid"] + '","client_secret":"' + config["clientsecret"] + '","username":"******"username"] + '","password":"******"password"] + '"}') headers = {"content-type": "application/json"} resp = requests.request("POST", url, data=payload, headers=headers) logging.info(f"Response from server: {resp.text}") dataJSON = json.loads(resp.text) if dataJSON["http_code"] == 200: logging.info("Got 200 response from auth token request.") config["access_token"] = dataJSON["data"][0]["access_token"] token = JWT() decoded_token = token.decode(config["access_token"], do_verify=False, algorithms="HS256") config["user_id"] = decoded_token["user_id"] config["refresh_token"] = dataJSON["data"][0]["refresh_token"] if config["tokenfile"]: outline = {} outline["access_token"] = config["access_token"] outline["refresh_token"] = config["refresh_token"] logging.info("Saving access and refresh token to : " + config["tokenfile"]) logging.debug(outline) f = open(config["tokenfile"], "w") f.write(json.dumps(outline)) f.close() else: logging.CRITICAL("ERROR: Failed to obtain credentials")
def login(self, email, password): r = self.post('/auth/login', {'email': email, 'password': password}) r_json = json.loads(r.text) if 'status' in r_json and r_json['status'] == 'success': if r_json['auth_token']: self.auth_token = r_json['auth_token'] jwt = JWT() decoded_payload = JWT.decode(jwt, self.auth_token, do_verify=False) self.sub = decoded_payload['sub'] self.team_name = decoded_payload['team_name'] self.team_researcher = decoded_payload['team_researcher'] self.admin = decoded_payload['admin'] self.session.headers.update( {'Authorization': 'Bearer ' + self.auth_token}) return True return False
def set_request(self, request, action=None): log_date = datetime.now() user_ip = request.remote_addr action_detail = request.json instance = JWT() username = None if 'token' in action_detail: token = action_detail['token'] decode = instance.decode(token, self.signing_key) username = decode['user_name'] del action_detail['token'] if 'action' in action_detail: action = action_detail['action'] module_ip = check_output(['hostname', '--all-ip-addresses' ]).decode("utf-8").strip() system_name = check_output(['hostname']).decode("utf-8").strip() try: PostGre().set_user_log(self.get_serial(), system_name, username, user_ip, log_date, action, json.dumps(action_detail), module_ip) except Exception as e: print(e)
def verify_jwt(token) -> object: signing_key = get_signing_key() instance = JWT() return instance.decode(token, signing_key)
def check_auth(self, token, allowed_roles, resource, method): # TODO: konami code!! Remove when release # TODO:____________KONAMI CODE START______________________ sub = None issuer = None role = None if token == "UUDDLRLRBA1": role = "prosumer" sub = "11111111-1111-1111-1111-111111111111" issuer = "http://217.182.160.171:9042" if token == "UUDDLRLRBA11": role = "prosumer" sub = "11111111-1111-1111-1111-111111111112" issuer = "http://217.182.160.171:9043" if token == "UUDDLRLRBA2": role = "aggregator" sub = "22222222-2222-2222-2222-222222222222" issuer = "http://217.182.160.171:9043" if token == "UUDDLRLRBA3": role = "service" sub = "33333333-3333-3333-3333-333333333333" issuer = "" # TODO:____________KONAMI CODE END______________________ if sub is None: mw_oauth = OAUTH_PROVIDERS[CLIENT_OAUTH]['url'] jwt = JWT() keys_cache = KeyCache(OAUTH_PROVIDERS, timedelta(minutes=10)) keys = keys_cache.get_keys() user_info = None key = None for key in keys: try: user_info = jwt.decode(token, key['key']) key = key break except Exception as e: # todo catch only corresponding exceptions here pass if not user_info: return False else: issuer = user_info['iss'] expiration = datetime.utcfromtimestamp(user_info['exp']) if 'role' in user_info: role = user_info['role'] if 'sub' in user_info: sub = user_info['sub'] if role == 'service' and 'clientId' in user_info: sub = user_info['clientId'] now_time = datetime.utcnow() if expiration < now_time: return False if issuer != key['iss']: return False # Roles different to prosumer or aggregator (like 'service' or 'admin') are only accepted # if issued by the middleware's oAuth server if role != 'prosumer' and role != 'aggregator' and issuer != mw_oauth: return False if sub is None: raise AuthenticationException( "No sub was detected, this should not happen") if issuer is None: # make sure the code above has catched all conditions raise AuthenticationException( "No issuer was detected, this should not happen") if role is None: raise AuthenticationException( "No role was detected, this should not happen") request.role = role request.account_id = sub request.aggregator_id = urlsplit(issuer).netloc return True
def check_auth(self, token): # TODO: konami code!! Remove when release # TODO:____________KONAMI CODE START______________________ sub = None issuer = None role = None if token == "UUDDLRLRBA1": role = "prosumer" sub = "11111111-1111-1111-1111-111111111111" issuer = "http://217.182.160.171:9042" if token == "UUDDLRLRBA11": role = "prosumer" sub = "11111111-1111-1111-1111-111111111112" issuer = "http://217.182.160.171:9043" if token == "UUDDLRLRBA2": role = "aggregator" sub = "22222222-2222-2222-2222-222222222222" issuer = "http://217.182.160.171:9043" if token == "UUDDLRLRBA3": role = "service" sub = "33333333-3333-3333-3333-333333333333" issuer = "" # TODO:____________KONAMI CODE END______________________ if sub is None: jwt = JWT() keys_cache = KeyCache(OAUTH_PROVIDERS, timedelta(minutes=10)) keys = keys_cache.get_keys() user_info = None key = None for key in keys: try: user_info = jwt.decode(token, key['key']) key = key break except Exception as e: # todo catch only corresponding exceptions here pass if not user_info: return False else: issuer = user_info['iss'] expiration = datetime.utcfromtimestamp(user_info['exp']) role = user_info['role'] sub = user_info['sub'] now_time = datetime.utcnow() if expiration < now_time: return False if issuer != key['iss']: return False if sub is None: raise AuthenticationException( "No role was detected, this should not happen") if issuer is None: # make sure the code above has catched all conditions raise AuthenticationException( "No issuer was detected, this should not happen") if role is None: raise AuthenticationException( "No role was detected, this should not happen") request.role = role request.account_id = sub request.aggregator_id = urlsplit(issuer).netloc return True