 def test_token_with_ext_cxt(self):
     ''' valid user token with "ext_cxt" property '''
     token = sign(jwt_payloads.TOKEN_NEW_FORMAT)
     sec_context = xssec.create_security_context(
         token, uaa_configs.VALID['uaa_new_token_structure'])
     self._check_hdb_token(sec_context)
     # For the new token format the job-scheduler token of the SYSTEM
     # service is the access token itself ...
     scheduler_token = sec_context.get_token(
         xssec.constants.SYSTEM, xssec.constants.JOBSCHEDULER)
     self.assertEqual(scheduler_token, token)
     # ... and must not coincide with the HDB token.
     self.assertNotEqual(sec_context.get_hdb_token(), scheduler_token)
 def test_valid_end_user_token_no_attr(self):
     ''' Test valid end-user token no attributes '''
     token = sign(jwt_payloads.USER_TOKEN_NO_ATTR)
     sec_context = xssec.create_security_context(
         token, uaa_configs.VALID['uaa'])
     self._check_user_token(sec_context)
     # neither user attributes nor a clone service instance id are present
     self.assertFalse(sec_context.has_attributes())
     self.assertIsNone(sec_context.get_clone_service_instance_id())
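 def test_token_with_ext_cxt_invalid_validation_key(self):
     ''' valid user token with "ext_cxt" property, invalid validation key '''
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             sign(jwt_payloads.TOKEN_NEW_FORMAT),
             uaa_configs.INVALID['uaa_verificationkey_invalid'])
     # assertIn shows the actual exception text on failure, which the
     # former assertTrue('...' in str(...)) did not
     self.assertIn('Error in offline validation of access token:',
                   str(ctx.exception))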
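 def test_expired_end_user_token(self):
     ''' Test expired end-user token '''
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             sign(jwt_payloads.USER_TOKEN_EXPIRED),
             uaa_configs.VALID['uaa'])
     message = str(ctx.exception)
     # two separate assertIn calls: a failure now names the missing fragment
     # and prints the actual message instead of a bare "False is not true"
     self.assertIn('Error in offline validation of access token:', message)
     self.assertIn('expired', message)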
 def test_valid_client_credentials_token_no_attributes(self):
     ''' valid client credentials token (no attributes) '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.CLIENT_CREDENTIALS_TOKEN_NO_ATTR),
         uaa_configs.VALID['uaa_cc'])
     self._check_client_credentials_token(sec_context)
     # without attributes no external group may be reported
     external_group = sec_context.get_additional_auth_attribute(
         'external_group')
     self.assertIsNone(external_group)
 def test_valid_end_user_token_with_ext_attr(self):
     ''' Test valid end-user token (given_name/family_name in ext_attr) '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN_NAMES_IN_EXT_ATTR),
         uaa_configs.VALID['uaa'])
     # the payload name indicates the names are carried in ext_attr
     expected_names = {
         'given_name': 'NodetestFirstNameExtAttr',
         'family_name': 'NodetestLastNameExtAttr',
     }
     self.assertEqual(sec_context.get_given_name(),
                      expected_names['given_name'])
     self.assertEqual(sec_context.get_family_name(),
                      expected_names['family_name'])
    def test_req_client_for_user_401_error(self):
        ''' request_token_for_client reports an invalid bearer token on HTTP 401 '''
        sec_context = xssec.create_security_context(
            sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER), uaa_configs.VALID['uaa'])
        expected_message = (
            'Bearer token invalid, requesting client does'
            ' not have grant_type=user_token or no scopes were granted.'
        )
        # the '/401' path of the local stub presumably answers with HTTP 401
        self._request_token_for_client_error(
            sec_context, flask_url + '/401', expected_message)
 def test_req_client_for_user(self):
     ''' request_token_for_client returns the token issued by the stub '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER), uaa_configs.VALID['uaa'])
     # dummy client credentials for the local stub; '/correct' is its success path
     service_credentials = dict(
         clientid='clientid',
         clientsecret='clientsecret',
         url=flask_url + '/correct',
     )
     issued_token = sec_context.request_token_for_client(
         service_credentials, None)
     self.assertEqual(issued_token, 'access_token')
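 def test_get_token_with_invalid_parameters(self):
     ''' get_token returns None for an unknown service or token type '''
     # docstring fixed: it was copy-pasted from test_token_with_ext_cxt
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.TOKEN_NEW_FORMAT),
         uaa_configs.VALID['uaa_new_token_structure'])
     self._check_hdb_token(sec_context)
     # unknown service name
     self.assertIsNone(
         sec_context.get_token('invalid', xssec.constants.JOBSCHEDULER))
     # known service, unknown token type
     self.assertIsNone(
         sec_context.get_token(xssec.constants.SYSTEM, 'invalid'))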
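 def test_invalid_signature_end_user_token(self):
     ''' Test invalid signature end-user token '''
     token_parts = sign(jwt_payloads.USER_TOKEN).split('.')
     # keep header and payload, replace the signature segment with base64
     # junk ("invalid") so only the signature check can reject the token
     token_parts[2] = 'aW52YWxpZAo'
     invalid_token = '.'.join(token_parts)
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(invalid_token,
                                       uaa_configs.VALID['uaa'])
     # assertIn prints the actual message on failure
     self.assertIn('Error in offline validation of access token:',
                   str(ctx.exception))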
 def test_request_token_for_client_missing_uaa_user_scope(self):
     '''
     Test valid end-user token no attributes.
     request_token_for_client failure, scope uaa.user missing
     '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN_NO_ATTR), uaa_configs.VALID['uaa'])
     # the scope check presumably fails before the stub's '/500' path matters
     expected_error = 'JWT token does not include scope "uaa.user"'
     self._request_token_for_client_error(
         sec_context, flask_url + '/500', expected_error)
 def test_valid_client_credentials_token_attributes(self):
     ''' valid client credentials token (with attributes) '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.CLIENT_CREDENTIALS_TOKEN),
         uaa_configs.VALID['uaa_cc'])
     self._check_client_credentials_token(sec_context)
     # additional auth attribute and clone instance id from the payload
     external_group = sec_context.get_additional_auth_attribute(
         'external_group')
     self.assertEqual(external_group, 'domaingroup1')
     clone_id = sec_context.get_clone_service_instance_id()
     self.assertEqual(clone_id, 'abcd1234')
    def test_not_trusted_jku(self):
        ''' a token whose JKU is not trusted for the configured domain is rejected '''
        # config name suggests the uaadomain differs from the token's JKU host
        config = uaa_configs.VALID['uaa_no_verification_key_other_domain']
        with self.assertRaises(RuntimeError) as e:
            xssec.create_security_context(sign(jwt_payloads.USER_TOKEN), config)
        self.assertEqual(str(e.exception), "JKU of token is not trusted")
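 def _check_token_in_foreign_mode_error(self, cid, idz, uaa_config_name):
     '''
     Assert that a token is rejected when the JWT trust ACL does not match.

     Sets SAP_JWT_TRUST_ACL to the single entry (cid, idz) and expects
     create_security_context to raise with the "No match found" message
     for the token / config given by *uaa_config_name*.
     NOTE(review): the env var is not restored here; assumes setUp/tearDown
     resets it between tests - confirm.
     '''
     environ['SAP_JWT_TRUST_ACL'] = json.dumps([{
         'clientid': cid,
         'identityzone': idz
     }])
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             sign(jwt_payloads.USER_TOKEN_NO_ATTR),
             uaa_configs.VALID[uaa_config_name])
     message = str(ctx.exception)
     # pass the message as msg so a failure shows what was actually raised
     self.assertTrue(
         message.startswith(
             'No match found in JWT trust ACL (SAP_JWT_TRUST_ACL)'),
         msg=message)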
 def test_valid_end_user_token_with_attr(self):
     ''' Test valid end-user token with attributes '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN), uaa_configs.VALID['uaa'])
     self._check_user_token(sec_context)
     self.assertTrue(sec_context.has_attributes())
     # attribute values are lists, additional auth attributes plain values
     self.assertEqual(['USA'], sec_context.get_attribute('country'))
     self.assertEqual('abcd1234',
                      sec_context.get_clone_service_instance_id())
     self.assertEqual(
         'domaingroup1',
         sec_context.get_additional_auth_attribute('external_group'))
 def test_valid_application_plan_with_trustedclientidsuffix(self):
     ''' valid application plan with shared tenant mode, defined via SAP_JWT_TRUST_ACL '''
     # a wildcard ACL entry accepts any client id / identity zone
     trust_acl = [{'clientid': '*', 'identityzone': '*'}]
     environ['SAP_JWT_TRUST_ACL'] = json.dumps(trust_acl)
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.INVALID_TRUSTED_APPLICATION_PLAN_TOKEN),
         uaa_configs.INVALID['uaa_broker_plan_wrong_suffix'])
     self.assertEqual(sec_context.get_clientid(), 'sb-tenant-test!t13')
     # identity zone and zone id are the same value here
     self.assertEqual(sec_context.get_identity_zone(), 'api')
     self.assertEqual(sec_context.get_zone_id(), 'api')
 def test_valid_client_credentials_broker_plan_token_with_wrong_trustedclientidsuffix(
         self):
     ''' valid client credentials broker plan token with wrong trustedclientidsuffix '''
     # exact message expected when no SAP_JWT_TRUST_ACL is set and the
     # client id / identity zone of token and config do not match
     expected_message = (
         'Missmatch of client id and/or identityzone id. No JWT trust ACL (SAP_JWT_TRUST_ACL) specified in environment. '
         'Client id of the access token: "sb-xssectestclone!b4|sb-xssectest!b4", identity zone of the access token: '
         '"test-idz", OAuth client id: "sb-xssectest!t4", application identity zone: "test-idz".'
     )
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             sign(jwt_payloads.CLIENT_CREDENTIALS_BROKER_PLAN_TOKEN),
             uaa_configs.INVALID['uaa_broker_plan_wrong_suffix'])
     self.assertEqual(expected_message, str(ctx.exception))
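 def test_invalid_application_plan_with_trustedclientidsuffix(self):
     ''' invalid application plan with SAP_JWT_TRUST_ACL '''
     # an ACL that names a different client id than the token carries;
     # NOTE(review): not restored here, assumes setUp/tearDown resets it - confirm
     environ['SAP_JWT_TRUST_ACL'] = json.dumps([{
         'clientid': 'wrong-tenant',
         'identityzone': 'api'
     }])
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             sign(jwt_payloads.INVALID_TRUSTED_APPLICATION_PLAN_TOKEN),
             uaa_configs.INVALID['uaa_broker_plan_wrong_suffix'])
     message = str(ctx.exception)
     # pass the message as msg so a failure shows what was actually raised
     self.assertTrue(
         message.startswith(
             'No match found in JWT trust ACL (SAP_JWT_TRUST_ACL)'),
         msg=message)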
 def test_valid_end_user_token_in_foreign_mode_idz(self):
     ''' valid end-user token in foreign mode (idz - correct SAP_JWT_TRUST_ACL) '''
     # ACL entry matching the token's client id and identity zone
     trust_acl = '[{"clientid":"sb-xssectest","identityzone":"test-idz"}]'
     environ['SAP_JWT_TRUST_ACL'] = trust_acl
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN),
         uaa_configs.VALID['uaa_foreign_idz'])
     self.assertTrue(sec_context.is_in_foreign_mode())
     self.assertEqual(
         'domaingroup1',
         sec_context.get_additional_auth_attribute('external_group'))
     self.assertIsNone(sec_context.get_additional_auth_attribute('hugo'))
     # in foreign mode there is an app token but no HDB token
     self.assertIsNone(sec_context.get_hdb_token())
     self.assertIsNotNone(sec_context.get_app_token())
 def _check_token_in_foreign_mode(self, cid, idz, uaa_config_name):
     '''
     Assert that a token is accepted in foreign mode via the JWT trust ACL.

     The ACL gets a non-matching first entry followed by (cid, idz) so the
     lookup has to walk past the first entry to find the match.
     '''
     trust_acl = [
         {'clientid': 'other-clientid', 'identityzone': 'other-idz'},
         {'clientid': cid, 'identityzone': idz},
     ]
     environ['SAP_JWT_TRUST_ACL'] = json.dumps(trust_acl)
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN_NO_ATTR),
         uaa_configs.VALID[uaa_config_name])
     self.assertTrue(sec_context.is_in_foreign_mode())
     # both HDB and app token are available for this config
     self.assertIsNotNone(sec_context.get_hdb_token())
     self.assertIsNotNone(sec_context.get_app_token())
 def test_valid_end_user_saml_bearer_token(self):
     ''' valid end-user saml bearer token '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_SAML_BEARER_TOKEN),
         uaa_configs.VALID['uaa_bearer'])
     self.assertTrue(sec_context.check_scope('openid'))
     self._check_user_info(sec_context)
     self._check_hdb_token(sec_context)
     self.assertEqual(xssec.constants.GRANTTYPE_SAML2BEARER,
                      sec_context.get_grant_type())
     # identity zone, zone id and subaccount id all resolve to the same value
     for zone_getter in (sec_context.get_identity_zone,
                         sec_context.get_zone_id,
                         sec_context.get_subaccount_id):
         self.assertEqual('test-idz', zone_getter())
     self.assertIsNone(sec_context.get_subdomain())
     self.assertFalse(sec_context.is_in_foreign_mode())
 def test_invalid_jku_in_token_header(self):
     ''' a JKU that only embeds the trusted uaadomain in its userinfo part is rejected '''
     uaa_config = uaa_configs.VALID['uaa']
     # the trusted domain appears after backslashes and '@', so the real
     # host is a different one; the library must not trust this JKU
     jku = ('http://ana.ondemandh.com\\\\\\\\\\\\\\\\@' +
            uaa_config['uaadomain'])
     token = sign(jwt_payloads.USER_TOKEN,
                  headers={"jku": jku, "kid": "key-id-0"})
     with self.assertRaises(RuntimeError) as e:
         xssec.create_security_context(token, uaa_config)
     self.assertEqual(str(e.exception), "JKU of token is not trusted")
 def _check_client_credentials_broker_plan(self):
     ''' shared checks for a client credentials broker plan token '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.CLIENT_CREDENTIALS_BROKER_PLAN_TOKEN),
         uaa_configs.VALID['uaa_broker_plan'])
     for scope in ('$XSAPPNAME.resource', 'uaa.resource'):
         self.assertTrue(sec_context.check_scope(scope))
     self._check_hdb_token(sec_context)
     # client credentials tokens carry no user attributes
     self.assertIsNone(sec_context.has_attributes())
     self.assertIsNone(sec_context.get_attribute('country'))
     self.assertEqual(xssec.constants.GRANTTYPE_CLIENTCREDENTIAL,
                      sec_context.get_grant_type())
     for zone_getter in (sec_context.get_identity_zone,
                         sec_context.get_zone_id,
                         sec_context.get_subaccount_id):
         self.assertEqual('test-idz', zone_getter())
     # the clone and the original client id are both part of the client id
     self.assertEqual('sb-xssectestclone!b4|sb-xssectest!b4',
                      sec_context.get_clientid())
     self.assertIsNone(sec_context.get_subdomain())
     self.assertFalse(sec_context.is_in_foreign_mode())
    def test_get_verification_key_from_uaa(self, mock_requests):
        '''
        The verification key is fetched from the UAA when the config has none.

        mock_requests is presumably injected by a patch decorator that is
        not shown here.
        '''
        from sap.xssec.key_cache import KeyCache
        # start from an empty key cache so the fetch has to happen
        xssec.SecurityContext.verificationKeyCache = KeyCache()

        response = MagicMock()
        response.json.return_value = HTTP_SUCCESS
        mock_requests.return_value = response

        sec_context = xssec.create_security_context(
            sign(jwt_payloads.USER_TOKEN),
            uaa_configs.VALID['uaa_no_verification_key'])
        self._check_user_token(sec_context)
        self.assertTrue(sec_context.has_attributes())
        self.assertEqual(['USA'], sec_context.get_attribute('country'))
        self.assertEqual('abcd1234',
                         sec_context.get_clone_service_instance_id())
        self.assertEqual(
            'domaingroup1',
            sec_context.get_additional_auth_attribute('external_group'))
        # exactly one key request, issued with the library's timeout
        mock_requests.assert_called_once_with(
            "https://api.cf.test.com",
            timeout=constants.HTTP_TIMEOUT_IN_SECONDS)
    def test_valid_end_user_application_plan_token(self):
        ''' valid end-user application plan token '''
        sec_context = xssec.create_security_context(
            sign(jwt_payloads.USER_APPLICATION_PLAN_TOKEN),
            uaa_configs.VALID['uaa_application_plan'])

        # full scopes: granted ones are present, an unknown one is not
        for scope in ('openid', '$XSAPPNAME.resource'):
            self.assertTrue(sec_context.check_scope(scope))
        self.assertFalse(
            sec_context.check_scope('cloud_controller.nonexistingscope'))
        # local scopes are checked without the $XSAPPNAME prefix
        self.assertTrue(sec_context.check_local_scope('resource'))
        self.assertFalse(sec_context.check_local_scope('nonexistingscope'))
        self._check_user_info(sec_context)
        self._check_hdb_token(sec_context)
        self.assertIsNone(sec_context.get_attribute('hugo'))
        self.assertIsNone(sec_context.get_additional_auth_attribute('hugo'))
        self.assertEqual(xssec.constants.GRANTTYPE_PASSWORD,
                         sec_context.get_grant_type())
        for zone_getter in (sec_context.get_identity_zone,
                            sec_context.get_zone_id,
                            sec_context.get_subaccount_id):
            self.assertEqual('test-idz', zone_getter())
        self.assertIsNone(sec_context.get_subdomain())
        self.assertFalse(sec_context.is_in_foreign_mode())
 def test_req_client_for_user_500_error(self):
     ''' request_token_for_client surfaces the HTTP status of a failing endpoint '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER), uaa_configs.VALID['uaa'])
     # the stub's '/500' path presumably answers with HTTP 500
     self._request_token_for_client_error(
         sec_context, flask_url + '/500', 'HTTP status code: 500')
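 def test_valid_xsa_token_with_newlines(self):
     ''' valid XSA format token against a config whose key contains newlines '''
     # docstring fixed: it was copy-pasted from the client credentials test
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.TOKEN_XSA_FORMAT),
         uaa_configs.VALID['uaa_xsa_with_newlines'])
     # the logon name must still be extracted from the XSA style payload
     self.assertEqual(sec_context.get_logon_name(), 'ADMIN')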