def test_authentication_tag_corrupted(self): encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=b'adssadsadsadsadasdasdasads') decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode())
def test_authentication_tag_corrupted(self): encoder = Encoder() jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(), tag=b'adssadsadsadsadasdasdasads') decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException): decoder.decrypt_jwt_token(jwe.decode())
def assertInDecryptException(self, jwe, error): decoder = JWTDecryptor(*self.decryptor_args) with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe, self.leeway) if error not in ite.exception.value: raise AssertionError( '"{}" not found in decrypt exception'.format(error))
def test_authentication_tag_not_128_bits(self): encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=os.urandom(10)) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("'Authentication tag must be 16 bytes or longer", ite.exception.value)
def test_invalid_algorithm(self): jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}' encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("Invalid Algorithm", ite.exception.value)
def test_jwe_header_only_contains_alg_and_enc(self): jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}' encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("InvalidTag", ite.exception.value)
def test_enc_missing(self): jwe_protected_header = b'{"alg":"RSA-OAEP"}' encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("Missing Encoding", ite.exception.value)
def test_cek_not_256_bits(self): cek = os.urandom(24) encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("CEK incorrect length", ite.exception.value)
def test_authentication_tag_not_128_bits(self): encoder = Encoder() jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(), tag=os.urandom(10)) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("'Authentication tag must be 16 bytes or longer", ite.exception.value)
def test_iv_not_96_bits(self): iv = os.urandom(45) encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), iv=iv) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("IV incorrect length", ite.exception.value)
def test_iv_not_96_bits(self): iv = os.urandom(45) encoder = Encoder() encoder.iv = iv jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode()) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("IV incorrect length", ite.exception.value)
def test_jwe_header_only_contains_alg_and_enc(self): jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}' encoder = Encoder() jwe = encoder.encrypt_token( VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("InvalidTag", ite.exception.value)
def test_invalid_algorithm(self): jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}' encoder = Encoder() jwe = encoder.encrypt_token( VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("Invalid Algorithm", ite.exception.value)
def test_cek_not_256_bits(self): cek = os.urandom(24) encoder = Encoder() encoder.cek = cek jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode()) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("CEK incorrect length", ite.exception.value)
def test_enc_missing(self): jwe_protected_header = b'{"alg":"RSA-OAEP"}' encoder = Encoder() jwe = encoder.encrypt_token( VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("Missing Encoding", ite.exception.value)
def test_jwe_key_not_2048_bits(self): cek = os.urandom(32) encoder = Encoder() encrypted_key = encoder._encrypted_key(cek) encrypted_key = encrypted_key[0:len(encrypted_key) - 2] jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek, encrypted_key=encrypted_key) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("ValueError", ite.exception.value)
def test_jwe_key_not_2048_bits(self): cek = os.urandom(32) encoder = Encoder() encoder.cek = cek encrypted_key = encoder._encrypted_key(cek) # pylint: disable=protected-access encrypted_key = encrypted_key[0:len(encrypted_key) - 2] jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(), encrypted_key=encrypted_key) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe.decode()) self.assertIn("ValueError", ite.exception.value)
def flush_data(): if session: session.clear() encrypted_token = request.args.get('token') if encrypted_token is None: return Response(status=403) decoder = JWTDecryptor( current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY'], current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD'], current_app.config['EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY'], ) decrypted_token = decoder.decrypt_jwt_token( encrypted_token, current_app.config['EQ_JWT_LEEWAY_IN_SECONDS'], ) roles = decrypted_token.get('roles') if roles and 'flusher' in roles: user = _get_user(decrypted_token) if _submit_data(user): return Response(status=200) else: return Response(status=404) else: return Response(status=403)
def test_cipher_text_corrupted(self): encoder = Encoder() jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode()) tokens = jwe.decode().split('.') jwe_protected_header = tokens[0] encrypted_key = tokens[1] encoded_iv = tokens[2] encoded_cipher_text = tokens[3] encoded_tag = tokens[4] corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1] reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException): decoder.decrypt_jwt_token(reassembled)
def test_cipher_text_corrupted(self): encoder = Encoder() jwe = encoder.encrypt(VALID_SIGNED_JWT.encode()) tokens = jwe.decode().split('.') jwe_protected_header = tokens[0] encrypted_key = tokens[1] encoded_iv = tokens[2] encoded_cipher_text = tokens[3] encoded_tag = tokens[4] corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1] reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(reassembled)
def decrypt_token(encrypted_token): logger.debug("decrypting token") if encrypted_token is None: raise NoTokenException("Please provide a token") decoder = JWTDecryptor( current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY'], current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD'], current_app.config['EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY'], ) decrypted_token = decoder.decrypt_jwt_token( encrypted_token, current_app.config['EQ_JWT_LEEWAY_IN_SECONDS'], ) valid, field = is_valid_metadata(decrypted_token) if not valid: raise InvalidTokenException("Missing value {}".format(field)) logger.debug("token decrypted") return decrypted_token
def _jwt_decrypt(self, request): encrypted_token = request.args.get(EQ_URL_QUERY_STRING_JWT_FIELD_NAME) decoder = JWTDecryptor() token = decoder.decrypt_jwt_token(encrypted_token) return token
def test_does_not_contain_four_instances_of_full_stop(self): jwe = VALID_JWE.replace('.', '', 1) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe) self.assertIn("Incorrect size", ite.exception.value)
def test_does_not_contain_four_instances_of_full_stop(self): jwe = VALID_JWE.replace('.', '', 1) decoder = JWTDecryptor() with self.assertRaises(InvalidTokenException) as ite: decoder.decrypt_jwt_token(jwe) self.assertIn("Incorrect size", ite.exception.value)
def test_valid_jwe(self): decoder = JWTDecryptor() token = decoder.decrypt_jwt_token(VALID_JWE) self.assertEqual("jimmy", token.get("user"))
def test_decrypt_jwt_token(self): decoder = JWTDecryptor(*self.good_args) token = decoder.decrypt_jwt_token(VALID_JWE, 120) self.assertEqual("jimmy", token.get("user"))
def test_decrypt_jwt_token(self): decoder = JWTDecryptor() token = decoder.decrypt_jwt_token(VALID_JWE) self.assertEquals("jimmy", token.get("user"))
def _jwt_decrypt(request): encrypted_token = request.args.get('token') decoder = JWTDecryptor() token = decoder.decrypt_jwt_token(encrypted_token) return token