def test_valid(self):
def always_accept(value):
if value or not value:
return True
validator = scitokens.Validator()
validator.add_validator("foo", always_accept)
token = scitokens.SciToken()
token["foo"] = "bar"
self.assertTrue(validator.validate(token))
self.assertTrue(validator(token))
def test_valid(self):
"""
Basic unit test coverage of the Validator object.
"""
def always_accept(value):
"""
A validator that accepts any value.
"""
if value or not value:
return True
validator = scitokens.Validator()
validator.add_validator("foo", always_accept)
token = scitokens.SciToken()
token["foo"] = "bar"
self.assertTrue(validator.validate(token))
self.assertTrue(validator(token))
def generate_acls(header):
"""
Generate a list of ACLs and the ACL timeut
"""
orig_header = urllib.unquote(header)
if not orig_header.startswith("Bearer "):
return 60, [], ""
token = orig_header[7:]
try:
scitoken = scitokens.SciToken.deserialize(token)
except Exception as e:
# Uncomment below to test ACLs even when valid tokens aren't available.
#print "Token deserialization failed", str(e)
#return 60, [(_scitokens_xrootd.AccessOperation.Read, "/home/cse496/bbockelm")], "bbockelm"
raise
claims = dict(scitoken.claims())
issuer = claims['iss']
if issuer not in g_authorized_issuers:
print "Token issuer (%s) not configured." % issuer
return 60, [], ""
base_path = g_authorized_issuers[issuer]['base_path']
ag = AclGenerator(base_path)
validator = scitokens.Validator()
validator.add_validator("authz", ag.validate_authz)
validator.add_validator("path", ag.validate_path)
validator.add_validator("exp", ag.validate_exp)
validator.add_validator("sub", ag.validate_sub)
validator.add_validator("iss", ag.validate_iss)
validator.add_validator("iat", ag.validate_iss)
validator.add_validator("nbf", ag.validate_iss)
validator.validate(scitoken)
subject = ""
if g_authorized_issuers[issuer].get('map_subject'):
subject = ag.subject
return int(ag.cache_expiry), list(ag.generate_acls()), str(subject)
def wrapper(*args, **kwargs):
if 'Authorization' not in request.headers:
headers = {'WWW-Authenticate': 'Bearer'}
return ("No Authentication Header", 401, headers)
bearer = request.headers.get("Authorization")
if len(bearer.split()) != 2:
headers = {'WWW-Authenticate': 'Bearer'}
return ("Authentication header incorrect format", 401, headers)
serialized_token = bearer.split()[1]
try:
# Read in the private key environment variable
private_key = serialization.load_pem_private_key(
base64.b64decode(os.environ['PRIVATE_KEY']),
password=None,
backend=default_backend())
# Get the public numbers
public_key = private_key.public_key()
public_pem = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
token = scitokens.SciToken.deserialize(
serialized_token,
audience=outer_kwargs['audience'],
public_key=public_pem)
except Exception as e:
print(str(e))
traceback.print_exc()
headers = {'WWW-Authenticate': 'Bearer'}
return ("Unable to deserialize: %{}".format(str(e)), 401,
headers)
def check_scope(value):
if value == outer_kwargs['scp']:
return True
else:
return False
def check_iss(value):
if value == "https://demo.scitokens.org":
return True
else:
return False
def return_true(value):
return True
validator = scitokens.Validator()
validator.add_validator('scp', check_scope)
validator.add_validator('iss', check_iss)
# the jwt library already validates the below in the deserialization
validator.add_validator('iat', return_true)
validator.add_validator('exp', return_true)
validator.add_validator('nbf', return_true)
validator.add_validator('aud', return_true)
validator.add_validator('jti', return_true)
try:
validator.validate(token)
except scitokens.scitokens.ClaimInvalid as ce:
headers = {'WWW-Authenticate': 'Bearer'}
return ("Validation incorrect", 403, headers)
return some_function(*args, **kwargs)