def test_cant_be_used_after_exp(self):
past = utils.time_time() - tokens.ALLOWED_CLOCK_DRIFT_SEC - 1
_, _, jwt = self.make_good_jwt(iat=past - 3600, exp=past)
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(jwt, self.mock_certs_bundle())
self.assertIn('Bad JWT: expired (now 1514768461 > exp 1514768430)',
err.exception.message)
def test_iat_and_exp_are_numbers(self):
for key in ('iat', 'exp'):
_, _, jwt = self.make_good_jwt(**{key: 'z'})
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(jwt, self.mock_certs_bundle())
self.assertIn("'%s' (u'z') is not a number" % key,
err.exception.message)
def test_cant_be_used_before_iat(self):
future = utils.time_time() + tokens.ALLOWED_CLOCK_DRIFT_SEC + 1
_, _, jwt = self.make_good_jwt(iat=future, exp=future + 3600)
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(jwt, self.mock_certs_bundle())
self.assertIn('Bad JWT: too early (now 1514768461 < nbf 1514768492)',
err.exception.message)
def test_alg_not_rs256(self):
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(
self.make_jwt({
'alg': 'NOTRS256',
'kid': self.KEY
}, {}), self.mock_certs_bundle())
self.assertIn('Only RS256 tokens are supported', err.exception.message)
def test_happy_path(self):
hdr, payload, jwt = self.make_good_jwt()
bundle = self.mock_certs_bundle(
expected_blob='%s.%s' % (to_json_b64(hdr), to_json_b64(payload)))
verified_hdr, verified_payload = tokens.verify_jwt(jwt, bundle)
self.assertEqual(verified_hdr, hdr)
self.assertEqual(verified_payload, payload)
def test_iat_and_exp_are_required(self):
for key in ('iat', 'exp'):
_, _, jwt = self.make_good_jwt(**{key: self.OMIT})
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(jwt, self.mock_certs_bundle())
self.assertIn("has no '%s' field" % key, err.exception.message)
def test_bad_signature(self):
_, _, jwt = self.make_good_jwt()
with self.assertRaises(tokens.InvalidSignatureError) as err:
tokens.verify_jwt(
jwt, self.mock_certs_bundle(valid_sig='some-other-sig'))
self.assertIn('invalid signature', err.exception.message)
def test_unknown_key(self):
_, _, jwt = self.make_good_jwt()
with self.assertRaises(signature.CertificateError) as err:
tokens.verify_jwt(
jwt, self.mock_certs_bundle(valid_key='some-other-key'))
self.assertIn('No such key', err.exception.message)
def test_kid_is_required(self):
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(self.make_jwt({'alg': 'RS256'}, {}),
self.mock_certs_bundle())
self.assertIn('Key ID is not specified', err.exception.message)
def test_header_not_a_dict(self):
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(
'%s.%s.aaaa' % (to_json_b64([]), to_json_b64({})),
self.mock_certs_bundle())
self.assertIn('not a dict', err.exception.message)
def test_bad_base64(self):
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt('x.x.x', self.mock_certs_bundle())
self.assertIn('not valid base64', err.exception.message)
def test_wrong_number_of_segments(self):
_, _, jwt = self.make_good_jwt()
with self.assertRaises(tokens.InvalidTokenError) as err:
tokens.verify_jwt(jwt + '.aaaa', self.mock_certs_bundle())
self.assertIn('should have 3 segments', err.exception.message)
