def _transform_raw_key(raw):
if isinstance(raw, str) and \
raw.startswith('{') and raw.endswith('}'):
return json_loads(raw)
elif isinstance(raw, (tuple, list)):
return {'keys': raw}
return raw
def client_metadata(self):
if 'client_metadata' in self.__dict__:
return self.__dict__['client_metadata']
if self._client_metadata:
data = json_loads(self._client_metadata)
self.__dict__['client_metadata'] = data
return data
return {}
def decode_payload(bytes_payload):
try:
payload = json_loads(to_unicode(bytes_payload))
except ValueError:
raise DecodeError('Invalid payload value')
if not isinstance(payload, dict):
raise DecodeError('Invalid payload type')
return payload
def _load_jwk(key, header):
if not key and 'jwk' in header:
key = header['jwk']
if isinstance(key, (tuple, list, dict)):
return jwk.loads(key, header.get('kid'))
if isinstance(key, text_types) and \
key.startswith('{') and key.endswith('}'):
return jwk.loads(json_loads(key), header.get('kid'))
return key
def get_client(self): csp = CloudServiceProvider.query.get(self.csp_id) client = oauth.create_client(csp.name + "_" + self.scope) if not client: client = register_oauth_client(self, csp.name) db_token = Oauth2Token.query.filter_by(client_id=self.id).first() if db_token: client.token = json_loads(db_token.token) return client
def prepare_raw_key(raw):
if isinstance(raw, KeySet):
return raw
if isinstance(raw, str) and \
raw.startswith('{') and raw.endswith('}'):
raw = json_loads(raw)
elif isinstance(raw, (tuple, list)):
raw = {'keys': raw}
return raw
def extract_header(header_segment, error_cls):
header_data = extract_segment(header_segment, error_cls, 'header')
try:
header = json_loads(header_data.decode('utf-8'))
except ValueError as e:
raise error_cls('Invalid header string: {}'.format(e))
if not isinstance(header, dict):
raise error_cls('Header must be a json object')
return header
def _ensure_dict(s):
if not isinstance(s, dict):
try:
s = json_loads(to_unicode(s))
except (ValueError, TypeError):
raise DecodeError('Invalid JWS')
if not isinstance(s, dict):
raise DecodeError('Invalid JWS')
return s
def ensure_dict(s, structure_name):
if not isinstance(s, dict):
try:
s = json_loads(to_unicode(s))
except (ValueError, TypeError):
raise DecodeError('Invalid {}'.format(structure_name))
if not isinstance(s, dict):
raise DecodeError('Invalid {}'.format(structure_name))
return s
def get_oauth2_client(csp_name, user):
csp = CloudServiceProvider.query.filter_by(name=csp_name).first()
user = current_user()
if not user:
return render_template('login.html', message="Login failed")
scope = user.get_plan().get_scope(csp.name)
client = OAuth2Client.query.filter_by(csp_id=csp.id, scope=scope).first()
db_token = Oauth2Token.query.filter_by(user_id=user.id,
client_id=client.id).first()
token = json_loads(db_token.token)
client.token = token
return client
def import_key_set(cls, raw):
if isinstance(raw, text_types) and \
raw.startswith('{') and raw.endswith('}'):
raw = json_loads(raw)
keys = raw.get('keys')
elif isinstance(raw, dict) and 'keys' in raw:
keys = raw.get('keys')
elif isinstance(raw, (tuple, list)):
keys = raw
else:
return None
return KeySet([cls.import_key(k) for k in keys])
def create_oauth_request(request, request_cls, use_json=False):
if isinstance(request, request_cls):
return request
if request.method == 'POST':
if use_json:
body = json_loads(request.body)
else:
body = request.POST.dict()
else:
body = None
url = request.get_raw_uri()
return request_cls(request.method, url, body, request.headers)
def import_key_set(cls, raw):
"""Import KeySet from string, dict or a list of keys.
:return: KeySet instance
"""
if isinstance(raw, str) and \
raw.startswith('{') and raw.endswith('}'):
raw = json_loads(raw)
keys = raw.get('keys')
elif isinstance(raw, dict) and 'keys' in raw:
keys = raw.get('keys')
elif isinstance(raw, (tuple, list)):
keys = raw
else:
return None
return KeySet([cls.import_key(k) for k in keys])
def prepare_raw_key(raw, header):
if isinstance(raw, KeySet):
return raw.find_by_kid(header.get('kid'))
if isinstance(raw, str) and \
raw.startswith('{') and raw.endswith('}'):
raw = json_loads(raw)
elif isinstance(raw, (tuple, list)):
raw = {'keys': raw}
if isinstance(raw, dict) and 'keys' in raw:
keys = raw['keys']
kid = header.get('kid')
for k in keys:
if k.get('kid') == kid:
return k
raise ValueError('Invalid JSON Web Key Set')
return raw
def parse_response_token(self, status_code, text):
if status_code >= 400:
message = ("Token request failed with code {}, "
"response was '{}'.").format(status_code, text)
self.handle_error('fetch_token_denied', message)
try:
text = text.strip()
if text.startswith('{'):
token = json_loads(text)
else:
token = dict(url_decode(text))
except (TypeError, ValueError) as e:
error = ("Unable to decode token from token response. "
"This is commonly caused by an unsuccessful request where"
" a non urlencoded error message is returned. "
"The decoding error was {}").format(e)
raise ValueError(error)
return token
def client_metadata(self):
if self._client_metadata:
return json_loads(self._client_metadata)
return {}
def test_keys():
"""Try to store/get/remove keys"""
# JWS
jws = JsonWebSignature(algorithms=["RS256"])
code_payload = {
"user_id": "user",
"scope": "scope",
"client_id": "client",
"redirect_uri": "redirect_uri",
"code_challenge": "code_challenge",
}
# Token metadata
header = {"alg": "RS256"}
payload = {
"sub": "user",
"iss": "issuer",
"scope": "scope",
"setup": "setup",
"group": "my_group"
}
# Remove all keys
result = db.removeKeys()
assert result["OK"], result["Message"]
# Check active keys
result = db.getActiveKeys()
assert result["OK"], result["Message"]
assert result["Value"] == []
# Create new one
result = db.getPrivateKey()
assert result["OK"], result["Message"]
private_key = result["Value"]
assert isinstance(private_key, RSAKey)
# Sign token
header["kid"] = private_key.thumbprint()
# Find key by KID
result = db.getPrivateKey(header["kid"])
assert result["OK"], result["Message"]
# as_dict has no arguments for authlib < 1.0.0
# for authlib >= 1.0.0:
assert result["Value"].as_dict(True) == private_key.as_dict(True)
# Sign token
token = jwt.encode(header, payload, private_key)
# Sign auth code
code = jws.serialize_compact(header, json_b64encode(code_payload),
private_key)
# Get public key set
result = db.getKeySet()
keyset = result["Value"]
assert result["OK"], result["Message"]
# as_dict has no arguments for authlib < 1.0.0
# for authlib >= 1.0.0:
assert bool([
key for key in keyset.as_dict(True)["keys"]
if key["kid"] == header["kid"]
])
# Read token
_payload = jwt.decode(token, JsonWebKey.import_key_set(keyset.as_dict()))
assert _payload == payload
# Read auth code
data = jws.deserialize_compact(code, keyset.keys[0])
_code_payload = json_loads(urlsafe_b64decode(data["payload"]))
assert _code_payload == code_payload
def jwt_decode(s: str) -> dict:
from authlib.common.encoding import urlsafe_b64decode, json_loads
return json_loads(urlsafe_b64decode(s.encode('ascii')))
def get_scope(self, csp): return json_loads(self.oauth2_scopes)[csp]
def add_scope(self, csp, scope): scopes = json_loads(self.oauth2_scopes) scopes[csp] = scope self.oauth2_scopes = json_dumps(scopes)
