コード例 #1
    def verify_authentication(resolver_client: ResolverClient, token: str) -> dict:
        """
        Authenticate a jwt token against the key its issuer has registered.

        The token is first decoded through JwtTokenHelper.decode_token and that result is used
        only to find out which issuer to resolve and which audience to hand to the verifier.
        Every claim returned to the caller is read from the output of
        JwtTokenHelper.decode_and_verify_token, never from the first decode.

        NOTE(review): the audience passed to decode_and_verify_token is taken from the token
        itself, so this function does not appear to bind the token to any particular audience.
        Callers presumably have to compare the returned 'aud' with their own identifier - confirm.

        :param resolver_client: resolver client interface
        :param token: jwt authentication token
        :return: the 'iss', 'sub', 'aud', 'iat' and 'exp' claims of the verified token

        :raises:
            IdentityAuthenticationFailed: if a required claim is missing, no valid issuer key is
                found, or any step raises IdentityValidationError, IdentityResolverError,
                IdentityInvalidRegisterIssuerError or IdentityNotAllowed. The original error is
                chained as the cause; any other exception type propagates unchanged.
        """
        required_claims = ('iss', 'sub', 'aud', 'iat', 'exp')
        try:
            # Used only for issuer lookup and the presence check below; not returned to the caller.
            unverified = JwtTokenHelper.decode_token(token)
            field = next((claim for claim in required_claims if claim not in unverified), None)
            if field is not None:
                raise IdentityValidationError(f'Invalid token, missing {field} field')

            issuer = Issuer.from_string(unverified['iss'])
            register_doc = resolver_client.get_document(issuer.did)
            # The resolver lookup is also handed over so that controller documents can be fetched.
            issuer_key = RegisterDocumentHelper.get_valid_issuer_key_for_auth(
                register_doc, issuer.name, resolver_client.get_document)
            if not issuer_key:
                raise IdentityInvalidRegisterIssuerError(f'Invalid issuer {issuer}')

            # Verification uses the key taken from the resolved document, not anything key-like
            # carried in the token.
            verified = JwtTokenHelper.decode_and_verify_token(
                token, issuer_key.public_key_base58, unverified['aud'])

            # The allowed-for-auth check runs after verification, on the verified subject.
            IdentityAuthValidation.validate_allowed_for_auth(
                resolver_client, issuer_key.issuer, verified['sub'])

            return {claim: verified[claim] for claim in required_claims}
        except (IdentityValidationError, IdentityResolverError,
                IdentityInvalidRegisterIssuerError, IdentityNotAllowed) as err:
            # One generic message for every failure; the detail stays on the chained cause.
            raise IdentityAuthenticationFailed('Not authenticated') from err
コード例 #2
def test_get_valid_issuer_for_auth_returns_none_if_not_found(
        issuer_name, register_doc_and_deleg_doc):
    """Check that a falsy result comes back when no valid issuer key is found for auth.

    NOTE(review): presumably the fixtures provide an issuer name that is absent from both
    documents - confirm against the fixture definitions.
    """
    doc, deleg_doc = register_doc_and_deleg_doc

    def get_ctrl_doc(did: str):
        # NOTE(review): `did.startswith(did)` is true for every string, so this assertion
        # does not constrain which DID is requested; the intended prefix is not visible here.
        assert did.startswith(did)
        return deleg_doc

    found_key = RegisterDocumentHelper.get_valid_issuer_key_for_auth(
        doc, issuer_name, get_ctrl_doc)
    assert not found_key
コード例 #3
def test_can_get_valid_issuer_for_auth(issuer_name,
                                       register_doc_and_deleg_doc):
    """Check that the issuer key returned for auth matches the key held in the documents.

    The expected key is looked up in the register document first (public keys, then auth
    keys) and only then in the delegation document, and its base58 value is compared with
    the one on the returned issuer key.
    """
    doc, deleg_doc = register_doc_and_deleg_doc

    def get_ctrl_doc(did: str):
        # NOTE(review): `did.startswith(did)` is true for every string, so this assertion
        # does not constrain which DID is requested; the intended prefix is not visible here.
        assert did.startswith(did)
        return deleg_doc

    # Precondition: the issuer name must be a key name in at least one of the four key sets.
    known_key_names = [
        *doc.public_keys,
        *doc.auth_keys,
        *deleg_doc.public_keys,
        *deleg_doc.auth_keys,
    ]
    assert issuer_name in known_key_names

    found_key = RegisterDocumentHelper.get_valid_issuer_key_for_auth(
        doc, issuer_name, get_ctrl_doc)
    # The returned issuer is built from the register document's DID, as asserted here.
    assert found_key.issuer == Issuer.build(doc.did, issuer_name)

    expected_key = doc.public_keys.get(issuer_name, doc.auth_keys.get(issuer_name))
    if not expected_key:
        # Fall back to the delegation document only when the register document has no match.
        expected_key = deleg_doc.public_keys.get(
            issuer_name, deleg_doc.auth_keys.get(issuer_name))
    assert expected_key, f'test setup error, {issuer_name} should be in one of the docs public or auth keys'
    assert found_key.public_key_base58 == expected_key.base58