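def verify_authentication(resolver_client: ResolverClient, token: str, *,
                          expected_audience: "str | None" = None) -> dict:
    """
    Verify if the authentication token is allowed for authentication.

    The token is first decoded *without* signature verification, only to learn
    which issuer claims to have signed it and which audience it names. The
    issuer's register document is then resolved, the key named by ``iss`` is
    looked up (controller documents are fetched through the same resolver),
    and only that key is used to verify the signature. Finally the subject
    is checked against the issuer's authentication allow-list.

    :param resolver_client: resolver client interface
    :param token: jwt authentication token
    :param expected_audience: audience this service accepts. When given, the
        token's ``aud`` claim must equal it or authentication fails. When
        ``None`` (the default, and the previous behaviour) the ``aud`` value
        is read from the still unverified token itself, so the audience check
        only confirms the token is internally consistent, not that it was
        minted for this service — callers that know their audience should
        pass it.
    :return: decoded verified authentication token (iss, sub, aud, iat, exp)
    :raises: IdentityAuthenticationFailed: if not allowed for authentication
    """
    required_claims = ('iss', 'sub', 'aud', 'iat', 'exp')
    try:
        unverified_token = JwtTokenHelper.decode_token(token)
        for field in required_claims:
            if field not in unverified_token:
                raise IdentityValidationError(f'Invalid token, missing {field} field')
        # Fail before any resolver round-trip when the token names a foreign audience.
        if expected_audience is not None and unverified_token['aud'] != expected_audience:
            raise IdentityValidationError('Invalid token, unexpected aud field')
        audience = expected_audience if expected_audience is not None else unverified_token['aud']
        issuer = Issuer.from_string(unverified_token['iss'])
        doc = resolver_client.get_document(issuer.did)
        issuer_key = RegisterDocumentHelper.get_valid_issuer_key_for_auth(
            doc, issuer.name, resolver_client.get_document)
        if not issuer_key:
            raise IdentityInvalidRegisterIssuerError(f'Invalid issuer {issuer}')
        # Signature is verified only against the key the register document binds to `iss`.
        verified_token = JwtTokenHelper.decode_and_verify_token(
            token, issuer_key.public_key_base58, audience)
        IdentityAuthValidation.validate_allowed_for_auth(
            resolver_client, issuer_key.issuer, verified_token['sub'])
        return {claim: verified_token[claim] for claim in required_claims}
    except (IdentityValidationError, IdentityResolverError,
            IdentityInvalidRegisterIssuerError, IdentityNotAllowed) as err:
        # Collapse every failure into one outcome so callers cannot distinguish
        # "unknown issuer" from "bad signature" from "not allowed".
        raise IdentityAuthenticationFailed('Not authenticated') from err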
def test_get_valid_issuer_for_auth_returns_none_if_not_found(
        issuer_name, register_doc_and_deleg_doc):
    """Looking up a name the fixtures do not hold yields a falsy issuer key."""
    register_doc, delegation_doc = register_doc_and_deleg_doc

    def fetch_controller_doc(did: str):
        # NOTE(review): `did.startswith(did)` is always true, so this never
        # checks which controller DID was requested; kept as in the original.
        assert did.startswith(did)
        return delegation_doc

    found = RegisterDocumentHelper.get_valid_issuer_key_for_auth(
        register_doc, issuer_name, fetch_controller_doc)
    assert not found
def test_can_get_valid_issuer_for_auth(issuer_name, register_doc_and_deleg_doc):
    """A name held by either document resolves to the matching issuer and base58 key."""
    register_doc, delegation_doc = register_doc_and_deleg_doc

    def fetch_controller_doc(did: str):
        # NOTE(review): `did.startswith(did)` is always true, so the requested
        # controller DID is never actually checked; kept as in the original.
        assert did.startswith(did)
        return delegation_doc

    # Fixture sanity check: the name must exist somewhere or the test proves nothing.
    candidate_names = [
        *register_doc.public_keys, *register_doc.auth_keys,
        *delegation_doc.public_keys, *delegation_doc.auth_keys,
    ]
    assert issuer_name in candidate_names

    issuer_key = RegisterDocumentHelper.get_valid_issuer_key_for_auth(
        register_doc, issuer_name, fetch_controller_doc)
    assert issuer_key.issuer == Issuer.build(register_doc.did, issuer_name)

    # Expected key: register doc first (public, then auth), then the delegation doc.
    expected = register_doc.public_keys.get(
        issuer_name, register_doc.auth_keys.get(issuer_name))
    if not expected:
        expected = delegation_doc.public_keys.get(
            issuer_name, delegation_doc.auth_keys.get(issuer_name))
    assert expected, f'test setup error, {issuer_name} should be in one of the docs public or auth keys'
    assert issuer_key.public_key_base58 == expected.base58