def test_get_user_pubkeys(self, mock_to_dict, mock_models, mock_get_session): session = mock_get_session.return_value actual_keys = db.get_user_pubkeys('user_id') keys = session \ .query.return_value \ .filter_by.return_value \ .all.return_value session.query.assert_called_once_with(mock_models.PubKey) session.query.return_value.filter_by.assert_called_once_with( openid='user_id') self.assertEqual(keys, actual_keys)
def decode_token(request): """Validate request signature. ValidationError rises if request is not valid. """ if not request.headers.get(const.JWT_TOKEN_HEADER): return try: auth_schema, token = request.headers.get(const.JWT_TOKEN_HEADER).split( ' ', 1) except ValueError: raise api_exc.ValidationError("Token is not valid") if auth_schema != 'Bearer': raise api_exc.ValidationError( "Authorization schema 'Bearer' should be used") try: token_data = jwt.decode(token, algorithms='RS256', verify=False) except jwt.InvalidTokenError: raise api_exc.ValidationError("Token is not valid") openid = token_data.get(const.USER_OPENID) if not openid: raise api_exc.ValidationError("Token does not contain user's openid") pubkeys = db.get_user_pubkeys(openid) for pubkey in pubkeys: try: pubkey_string = '%s %s' % (pubkey['format'], pubkey['pubkey']) pubkey_obj = serialization.load_ssh_public_key( pubkey_string.encode('utf-8'), backend=backends.default_backend()) pem_pubkey = pubkey_obj.public_bytes( serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) except (ValueError, IndexError, TypeError, binascii.Error): pass else: try: token_data = jwt.decode(token, key=pem_pubkey, options={ 'verify_signature': True, 'verify_exp': True, 'require_exp': True }, leeway=const.JWT_VALIDATION_LEEWAY) # NOTE(sslipushenko) If at least one key is valid, let # the validation pass return token_data except jwt.InvalidTokenError: pass # NOTE(sslipushenko) If all user's keys are not valid, the validation fails raise api_exc.ValidationError("Token is not valid")
def decode_token(request): """Validate request signature. ValidationError rises if request is not valid. """ if not request.headers.get(const.JWT_TOKEN_HEADER): return try: auth_schema, token = request.headers.get( const.JWT_TOKEN_HEADER).split(' ', 1) except ValueError: raise api_exc.ValidationError("Token is not valid") if auth_schema != 'Bearer': raise api_exc.ValidationError( "Authorization schema 'Bearer' should be used") try: token_data = jwt.decode(token, algorithms='RS256', verify=False) except jwt.InvalidTokenError: raise api_exc.ValidationError("Token is not valid") openid = token_data.get(const.USER_OPENID) if not openid: raise api_exc.ValidationError("Token does not contain user's openid") pubkeys = db.get_user_pubkeys(openid) for pubkey in pubkeys: try: pubkey_string = '%s %s' % (pubkey['format'], pubkey['pubkey']) pubkey_obj = serialization.load_ssh_public_key( pubkey_string.encode('utf-8'), backend=backends.default_backend() ) pem_pubkey = pubkey_obj.public_bytes( serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) except (ValueError, IndexError, TypeError, binascii.Error): pass else: try: token_data = jwt.decode( token, key=pem_pubkey, options={'verify_signature': True, 'verify_exp': True, 'require_exp': True}, leeway=const.JWT_VALIDATION_LEEWAY) # NOTE(sslipushenko) If at least one key is valid, let # the validation pass return token_data except jwt.InvalidTokenError: pass # NOTE(sslipushenko) If all user's keys are not valid, the validation fails raise api_exc.ValidationError("Token is not valid")
def parse_input_params(expected_input_params): """Parse input parameters from request. :param expecred_params: (array) Expected input params specified in constants. """ raw_filters = _get_input_params_from_request(expected_input_params) filters = copy.deepcopy(raw_filters) date_fmt = CONF.api.input_date_format for key, value in filters.items(): if key == const.START_DATE or key == const.END_DATE: try: filters[key] = timeutils.parse_strtime(value, date_fmt) except (ValueError, TypeError) as exc: raise api_exc.ParseInputsError( 'Invalid date format: %(exc)s' % {'exc': exc}) start_date = filters.get(const.START_DATE) end_date = filters.get(const.END_DATE) if start_date and end_date: if start_date > end_date: raise api_exc.ParseInputsError( 'Invalid dates: %(start)s more than %(end)s' '' % {'start': const.START_DATE, 'end': const.END_DATE}) if const.SIGNED in filters: if is_authenticated(): uid = get_user_id() filters[const.OPENID] = uid filters[const.USER_PUBKEYS] = [ ' '.join((pk['format'], pk['pubkey'])) for pk in db.get_user_pubkeys(uid) ] else: raise api_exc.ParseInputsError( 'To see signed test results you need to authenticate') return filters
def get_user_public_keys(): """Return public keys for authenticated user.""" return db.get_user_pubkeys(get_user_id())