def test_validate_recently_expired_with_clock_skew_success(self): recently_expired = (datetime.datetime.now(tz=datetime.timezone.utc) - datetime.timedelta(minutes=1)) token = jwt.new_raw_jwt(expiration=recently_expired) validator = jwt.new_validator(clock_skew=datetime.timedelta(minutes=2)) # because of clock_skew, the recently expired token is valid _jwt_validator.validate(validator, token)
def test_validate_expired_fails(self): expired = (datetime.datetime.now(tz=datetime.timezone.utc) - datetime.timedelta(minutes=1)) token = jwt.new_raw_jwt(expiration=expired) validator = jwt.new_validator() with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_validate_with_fixed_now_valid_success(self): fixed_now = datetime.datetime.fromtimestamp(12345, datetime.timezone.utc) validator = jwt.new_validator(fixed_now=fixed_now) expiration = fixed_now + datetime.timedelta(minutes=1) not_before = fixed_now - datetime.timedelta(minutes=1) token = jwt.new_raw_jwt(expiration=expiration, not_before=not_before) _jwt_validator.validate(validator, token)
def test_validate_not_before_in_the_future_fails(self): in_the_future = (datetime.datetime.now(tz=datetime.timezone.utc) + datetime.timedelta(minutes=1)) token = jwt.new_raw_jwt(not_before=in_the_future) validator = jwt.new_validator() with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_validate_not_before_almost_reached_with_clock_skew_success(self): in_one_minute = (datetime.datetime.now(tz=datetime.timezone.utc) + datetime.timedelta(minutes=1)) token = jwt.new_raw_jwt(not_before=in_one_minute, without_expiration=True) validator = jwt.new_validator( allow_missing_expiration=True, clock_skew=datetime.timedelta(minutes=2)) _jwt_validator.validate(validator, token)
def test_validate_with_fixed_now_expired_fails(self): in_two_minutes = (datetime.datetime.now(tz=datetime.timezone.utc) + datetime.timedelta(minutes=2)) in_one_minute = in_two_minutes - datetime.timedelta(minutes=1) token = jwt.new_raw_jwt(expiration=in_one_minute) validator = jwt.new_validator(fixed_now=in_two_minutes) with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_validate_with_fixed_now_not_yet_valid_fails(self): two_minutes_ago = (datetime.datetime.now(tz=datetime.timezone.utc) - datetime.timedelta(minutes=2)) one_minute_ago = two_minutes_ago + datetime.timedelta(minutes=1) token = jwt.new_raw_jwt(not_before=one_minute_ago) validator = jwt.new_validator(fixed_now=two_minutes_ago) with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_ignore_audiences_success(self): validator = jwt.new_validator( ignore_audiences=True, allow_missing_expiration=True) token_without_audience = jwt.new_raw_jwt(without_expiration=True) _jwt_validator.validate(validator, token_without_audience) token_with_audience = jwt.new_raw_jwt( audiences=['audience'], without_expiration=True) _jwt_validator.validate(validator, token_with_audience)
def test_ignore_issuer_success(self): validator = jwt.new_validator( ignore_issuer=True, allow_missing_expiration=True) token_without_issuer = jwt.new_raw_jwt(without_expiration=True) _jwt_validator.validate(validator, token_without_issuer) token_with_issuer = jwt.new_raw_jwt( issuer='issuer', without_expiration=True) _jwt_validator.validate(validator, token_with_issuer)
def test_ignore_subject_success(self): validator = jwt.new_validator( ignore_subject=True, allow_missing_expiration=True) token_without_subject = jwt.new_raw_jwt(without_expiration=True) _jwt_validator.validate(validator, token_without_subject) token_with_subject = jwt.new_raw_jwt( subject='subject', without_expiration=True) _jwt_validator.validate(validator, token_with_subject)
def verify_mac_and_decode( self, compact: Text, validator: _jwt_validator.JwtValidator) -> _verified_jwt.VerifiedJwt: """Verifies, validates and decodes a MACed compact JWT token.""" parts = _jwt_format.split_signed_compact(compact) unsigned_compact, json_header, json_payload, mac = parts self._verify_mac(mac, unsigned_compact) _jwt_format.validate_header(json_header, self._algorithm) raw_jwt = _raw_jwt.RawJwt.from_json_payload(json_payload) _jwt_validator.validate(validator, raw_jwt) return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def verify_mac_and_decode_with_kid( self, compact: str, validator: _jwt_validator.JwtValidator, kid: Optional[str]) -> _verified_jwt.VerifiedJwt: """Verifies, validates and decodes a MACed compact JWT token.""" parts = _jwt_format.split_signed_compact(compact) unsigned_compact, json_header, json_payload, mac = parts self._verify_mac(mac, unsigned_compact) header = _json_util.json_loads(json_header) _jwt_format.validate_header(header=header, algorithm=self._algorithm, tink_kid=kid, custom_kid=self._custom_kid) raw_jwt = _raw_jwt.raw_jwt_from_json( _jwt_format.get_type_header(header), json_payload) _jwt_validator.validate(validator, raw_jwt) return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_validate_issued_at_with_clock_skew(self): in_one_minute = (datetime.datetime.now(tz=datetime.timezone.utc) + datetime.timedelta(minutes=1)) token_one_minute_in_the_future = jwt.new_raw_jwt( issued_at=in_one_minute, without_expiration=True) validator_without_clock_skew = jwt.new_validator( expect_issued_in_the_past=True, allow_missing_expiration=True) with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator_without_clock_skew, token_one_minute_in_the_future) validator_with_clock_skew = jwt.new_validator( expect_issued_in_the_past=True, allow_missing_expiration=True, clock_skew=datetime.timedelta(minutes=2)) _jwt_validator.validate(validator_with_clock_skew, token_one_minute_in_the_future)
def verify_mac_and_decode( self, compact: Text, validator: _jwt_validator.JwtValidator ) -> _verified_jwt.VerifiedJwt: """Verifies, validates and decodes a MACed compact JWT token.""" encoded = compact.encode('utf8') try: unsigned_compact, encoded_signature = encoded.rsplit(b'.', 1) except ValueError: raise _jwt_error.JwtInvalidError('invalid token') signature = _jwt_format.decode_signature(encoded_signature) self._verify_mac(signature, unsigned_compact) try: encoded_header, encoded_payload = unsigned_compact.split(b'.') except ValueError: raise _jwt_error.JwtInvalidError('invalid token') _jwt_format.validate_header(encoded_header, self._algorithm) json_payload = _jwt_format.decode_payload(encoded_payload) raw_jwt = _raw_jwt.RawJwt.from_json_payload(json_payload) _jwt_validator.validate(validator, raw_jwt) return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_dont_check_subject_success(self): validator = jwt.new_validator() token_without_subject = jwt.new_raw_jwt() _jwt_validator.validate(validator, token_without_subject) token_with_subject = jwt.new_raw_jwt(subject='subject') _jwt_validator.validate(validator, token_with_subject)
def test_validate_not_before_in_the_past_success(self): in_the_past = (datetime.datetime.now(tz=datetime.timezone.utc) - datetime.timedelta(minutes=1)) token = jwt.new_raw_jwt(not_before=in_the_past) validator = jwt.new_validator() _jwt_validator.validate(validator, token)
def test_requires_issuer_but_no_issuer_set_fails(self): token = jwt.new_raw_jwt() validator = jwt.new_validator(issuer='issuer') with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_invalid_issuer_fails(self): token = jwt.new_raw_jwt(issuer='unknown') validator = jwt.new_validator(issuer='issuer') with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_validate_not_before_is_now_success(self): now = datetime.datetime.fromtimestamp(12345, datetime.timezone.utc) token = jwt.new_raw_jwt(not_before=now) validator = jwt.new_validator() _jwt_validator.validate(validator, token)
def test_correct_issuer_success(self): token = jwt.new_raw_jwt(issuer='issuer') validator = jwt.new_validator(issuer='issuer') _jwt_validator.validate(validator, token)
def test_validate_not_expired_success(self): still_valid = (datetime.datetime.now(tz=datetime.timezone.utc) + datetime.timedelta(minutes=1)) token = jwt.new_raw_jwt(expiration=still_valid) validator = jwt.new_validator() _jwt_validator.validate(validator, token)
def test_requires_subject_but_no_subject_set_fails(self): token = jwt.new_raw_jwt() validator = jwt.new_validator(subject='subject') with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_dont_check_issuer_success(self): validator = jwt.new_validator() token_without_issuer = jwt.new_raw_jwt() _jwt_validator.validate(validator, token_without_issuer) token_with_issuer = jwt.new_raw_jwt(issuer='issuer') _jwt_validator.validate(validator, token_with_issuer)
def test_audience_in_token_but_not_in_validator_fails(self): validator = jwt.new_validator() token_with_audience = jwt.new_raw_jwt(audiences=['audience']) with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token_with_audience)
def test_no_audience_success(self): validator = jwt.new_validator() token = jwt.new_raw_jwt() _jwt_validator.validate(validator, token)
def test_correct_audience_success(self): token = jwt.new_raw_jwt(audiences=['you', 'me']) validator = jwt.new_validator(audience='me') _jwt_validator.validate(validator, token)
def test_wrong_audience_fails(self): token = jwt.new_raw_jwt(audiences=['unknown']) validator = jwt.new_validator(audience='audience') with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_requires_audience_but_no_audience_set_fails(self): token = jwt.new_raw_jwt() validator = jwt.new_validator(audience='audience') with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_invalid_subject_fails(self): token = jwt.new_raw_jwt(subject='unknown') validator = jwt.new_validator(subject='subject') with self.assertRaises(jwt.JwtInvalidError): _jwt_validator.validate(validator, token)
def test_correct_subject_success(self): token = jwt.new_raw_jwt(subject='subject') validator = jwt.new_validator(subject='subject') _jwt_validator.validate(validator, token)