コード例 #1
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_input_validation_invalid_token(self):
     ''' input validation: invalid token '''
     with self.assertRaises(ValueError) as ctx:
         xssec.create_security_context('invalid', uaa_configs.VALID['uaa'])
     self.assertEqual(
         'Failed to decode provided token',
         str(ctx.exception))
コード例 #2
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_invalid_signature_end_user_token(self):
     ''' Test invalid signature end-user token '''
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             jwt_tokens.INVALID_SIGNATURE_END_USER_TOKEN, uaa_configs.VALID['uaa'])
     self.assertTrue(
         'Error in offline validation of access token:' in str(ctx.exception))
コード例 #3
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_token_with_ext_cxt_invalid_validation_key(self):
     ''' valid user token with "ext_cxt" property, invalid validation key '''
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             jwt_tokens.TOKEN_NEW_FORMAT,
             uaa_configs.INVALID['uaa_verificationkey_invalid'])
     self.assertTrue(
         'Error in offline validation of access token:' in str(ctx.exception))
コード例 #4
0
 def test_expired_end_user_token(self):
     ''' Test expired end-user token '''
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             sign(jwt_payloads.USER_TOKEN_EXPIRED),
             uaa_configs.VALID['uaa'])
     self.assertTrue('Error in offline validation of access token:' in str(
         ctx.exception) and 'expired' in str(ctx.exception))
コード例 #5
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def _check_token_in_foreign_mode_error(self, cid, idz, uaa_config_name):
     environ['SAP_JWT_TRUST_ACL'] = json.dumps([{
         'clientid': cid,
         'identityzone': idz
     }])
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             jwt_tokens.CORRECT_END_USER_TOKEN_NO_ATTR, uaa_configs.VALID[uaa_config_name])
     self.assertTrue(str(ctx.exception).startswith(
         'No match found in JWT trust ACL (SAP_JWT_TRUST_ACL)'))
コード例 #6
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_invalid_jku_in_token_header(self):
     uaa_config = uaa_configs.VALID['uaa']
     header = get_unverified_header(jwt_tokens.CORRECT_END_USER_TOKEN)
     header['jku'] = 'http://ana.ondemandh.com\\\\\\\\\\\\\\\\@' + uaa_config['uaadomain']
     token_parts = jwt_tokens.CORRECT_END_USER_TOKEN.split(".")
     token_parts[0] = base64url_encode(json.dumps(header).encode('utf-8')).decode()
     token = '.'.join(token_parts)
     with self.assertRaises(RuntimeError) as e:
         xssec.create_security_context(token, uaa_config)
     self.assertEqual("JKU of token is not trusted", str(e.exception),)
コード例 #7
0
 def test_invalid_signature_end_user_token(self):
     ''' Test invalid signature end-user token '''
     token_parts = sign(jwt_payloads.USER_TOKEN).split('.')
     token_parts[2] = 'aW52YWxpZAo'
     invalid_token = '.'.join(token_parts)
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(invalid_token,
                                       uaa_configs.VALID['uaa'])
     self.assertTrue('Error in offline validation of access token:' in str(
         ctx.exception))
コード例 #8
0
    def test_not_trusted_jku(self):

        with self.assertRaises(RuntimeError) as e:
            xssec.create_security_context(
                sign(jwt_payloads.USER_TOKEN),
                uaa_configs.VALID['uaa_no_verification_key_other_domain'])

        self.assertEqual(
            "JKU of token is not trusted",
            str(e.exception),
        )
コード例 #9
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_client_credentials_broker_plan_token_with_wrong_trustedclientidsuffix(self):
     ''' valid client credentials broker plan token with wrong trustedclientidsuffix '''
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             jwt_tokens.CORRECT_CLIENT_CREDENTIALS_BROKER_PLAN_TOKEN,
             uaa_configs.INVALID['uaa_broker_plan_wrong_suffix'])
     self.assertEqual(
         'Missmatch of client id and/or identityzone id. No JWT trust ACL (SAP_JWT_TRUST_ACL) specified in environment. '
         'Client id of the access token: "sb-xssectestclone!b4|sb-xssectest!b4", identity zone of the access token: '
         '"test-idz", OAuth client id: "sb-xssectest!t4", application identity zone: "test-idz".'
         , str(ctx.exception))
コード例 #10
0
 def test_invalid_application_plan_with_trustedclientidsuffix(self):
     ''' invalid application plan with SAP_JWT_TRUST_ACL '''
     environ['SAP_JWT_TRUST_ACL'] = json.dumps([{
         'clientid': 'wrong-tenant',
         'identityzone': 'api'
     }])
     with self.assertRaises(RuntimeError) as ctx:
         xssec.create_security_context(
             sign(jwt_payloads.INVALID_TRUSTED_APPLICATION_PLAN_TOKEN),
             uaa_configs.INVALID['uaa_broker_plan_wrong_suffix'])
     self.assertTrue(
         str(ctx.exception).startswith(
             'No match found in JWT trust ACL (SAP_JWT_TRUST_ACL)'))
コード例 #11
0
 def test_invalid_jku_in_token_header(self):
     uaa_config = uaa_configs.VALID['uaa']
     token = sign(jwt_payloads.USER_TOKEN,
                  headers={
                      "jku":
                      'http://ana.ondemandh.com\\\\\\\\\\\\\\\\@' +
                      uaa_config['uaadomain'],
                      "kid":
                      "key-id-0"
                  })
     with self.assertRaises(RuntimeError) as e:
         xssec.create_security_context(token, uaa_config)
     self.assertEqual(
         "JKU of token is not trusted",
         str(e.exception),
     )
コード例 #12
0
ファイル: server.py プロジェクト: princeneil/conciletime
def test_message(message):
    print("test_message: " + str(message))
    # https://github.com/SAP/cloud-pysec/wiki Docs
    uaa_service = env.get_service(label='xsuaa').credentials
    access_token = request.headers.get('authorization')[7:]
    #print("access_token: " + str(access_token))
    security_context = xssec.create_security_context(access_token, uaa_service)
    print("security_context: " + str(security_context))
    isAuthorized = security_context.check_scope('openid')
    if isAuthorized:
        print("Authorized")
        print('get_logon_name: ' + security_context.get_logon_name())
        print('get_given_name: ' + security_context.get_given_name())
        print('get_family_name: ' + security_context.get_family_name())
        print('get_email: ' + security_context.get_email())
        print('get_origin: ' + security_context.get_origin())
        print('get_subdomain: ' + security_context.get_subdomain())
        print('get_subaccount_id: ' + security_context.get_subaccount_id())
    else:
        print("Unauthorized")

    session['receive_count'] = session.get('receive_count', 0) + 1
    emit('my_response', {
        'data': message['data'],
        'count': session['receive_count']
    })
コード例 #13
0
ファイル: server.py プロジェクト: andrewlunde/module_headless
def auth_check():
    output = 'Python Authorized DB Validated Request. \n'
    output += '\n'
    output += 'Receiving module should check that it came from our approuter and verify or abort if otherwise.\n'
    output += '\n'
    svcs_json = str(os.getenv("VCAP_SERVICES", 0))
    svcs = json.loads(svcs_json)

    uaa_service = env.get_service(label='xsuaa').credentials
    access_token = request.headers.get('authorization')[7:]

    security_context = xssec.create_security_context(access_token, uaa_service)
    isAuthorized = security_context.check_scope('openid')
    if not isAuthorized:
        abort(403)

    output += 'get_logon_name: ' + security_context.get_logon_name() + '\n'
    #    output += 'get_given_name: ' + security_context.get_given_name() + '\n'
    #    output += 'get_family_name: ' + security_context.get_family_name() + '\n'
    output += 'get_email: ' + security_context.get_email() + '\n'
    output += 'get_subdomain: ' + security_context.get_subdomain() + '\n'
    #    output += 'get_clientid: ' + security_context.get_clientid() + '\n'
    output += 'get_identity_zone: ' + security_context.get_identity_zone(
    ) + '\n'
    output += 'get_grant_type: ' + security_context.get_grant_type() + '\n'

    return output
コード例 #14
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_end_user_token_no_attr(self):
     ''' Test valid end-user token no attributes '''
     sec_context = xssec.create_security_context(
         jwt_tokens.CORRECT_END_USER_TOKEN_NO_ATTR, uaa_configs.VALID['uaa'])
     self._check_user_token(sec_context)
     self.assertFalse(sec_context.has_attributes())
     self.assertIsNone(sec_context.get_clone_service_instance_id())
コード例 #15
0
def domath():

    logger = logging.getLogger('route.logger')
    logger.info('Someone accessed us')

    average = 0
    jokecount = 0

    if 'authorization' not in request.headers:
        abort(403)
    access_token = request.headers.get('authorization')[7:]
    security_context = xssec.create_security_context(access_token, uaa_service)
    isAuthorized = security_context.check_scope('$XSAPPNAME.access')
    if not isAuthorized:
        abort(403)
    
    logger.info('Authorization successful')

    conn = dbapi.connect(address=hana.credentials['host'], port=int(hana.credentials['port']), user=hana.credentials['user'], password=hana.credentials['password'],CURRENTSCHEMA=hana.credentials['schema'])
    cursor = conn.cursor()
    try:
        cursor.execute("SELECT REVIEW FROM DB_JOKES")
        result =  [i[0] for i in cursor.fetchall()]
        average = round(s.mean(result),1)
        jokecount = len(result)
        cursor.close()
        conn.close()
        return jsonify(reviews=average,resultcount=jokecount)
    
    except:
        logger.error('DB read error')
        return jsonify(reviews=0,resultcount=0)
コード例 #16
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_xsa_token_with_newlines(self):
     ''' valid client credentials token (with attributes) '''
     sec_context = xssec.create_security_context(
         jwt_tokens.TOKEN_XSA_FORMAT,
         uaa_configs.VALID['uaa_xsa_with_newlines'])
     self.assertEqual(
         sec_context.get_logon_name(), 'ADMIN')
コード例 #17
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_get_token_with_invalid_parameters(self):
     ''' valid user token with "ext_cxt" property '''
     sec_context = xssec.create_security_context(
         jwt_tokens.TOKEN_NEW_FORMAT,
         uaa_configs.VALID['uaa_new_token_structure'])
     self._check_hdb_token(sec_context)
     self.assertIsNone(sec_context.get_token('invalid', xssec.constants.JOBSCHEDULER))
     self.assertIsNone(sec_context.get_token(xssec.constants.SYSTEM, 'invalid'))
コード例 #18
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_client_credentials_token_no_attributes(self):
     ''' valid client credentials token (no attributes) '''
     sec_context = xssec.create_security_context(
         jwt_tokens.CORRECT_CLIENT_CREDENTIALS_TOKEN_NO_ATTR,
         uaa_configs.VALID['uaa_cc'])
     self._check_client_credentials_token(sec_context)
     self.assertIsNone(
         sec_context.get_additional_auth_attribute('external_group'))
コード例 #19
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_end_user_token_with_ext_attr(self):
     ''' Test valid end-user token (given_name/family_name in ext_attr) '''
     sec_context = xssec.create_security_context(
         jwt_tokens.CORRECT_END_USER_TOKEN_NAMES_IN_EXT_ATTR, uaa_configs.VALID['uaa'])
     self.assertEqual(
         sec_context.get_given_name(), 'NodetestFirstNameExtAttr')
     self.assertEqual(
         sec_context.get_family_name(), 'NodetestLastNameExtAttr')
コード例 #20
0
ファイル: test_req_token.py プロジェクト: mhaas/cloud-pysec
    def test_req_client_for_user_401_error(self):
        sec_context = xssec.create_security_context(
            sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER), uaa_configs.VALID['uaa'])
        expected_message = \
            'Bearer token invalid, requesting client does'\
            ' not have grant_type=user_token or no scopes were granted.'

        self._request_token_for_client_error(
            sec_context, flask_url + '/401', expected_message)
コード例 #21
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_token_with_ext_cxt(self):
     ''' valid user token with "ext_cxt" property '''
     sec_context = xssec.create_security_context(
         jwt_tokens.TOKEN_NEW_FORMAT,
         uaa_configs.VALID['uaa_new_token_structure'])
     self._check_hdb_token(sec_context)
     jobsheduler_token = sec_context.get_token(
         xssec.constants.SYSTEM, xssec.constants.JOBSCHEDULER)
     self.assertEqual(jobsheduler_token, jwt_tokens.TOKEN_NEW_FORMAT)
     self.assertNotEqual(sec_context.get_hdb_token(), jobsheduler_token)
コード例 #22
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_client_credentials_token_attributes(self):
     ''' valid client credentials token (with attributes) '''
     sec_context = xssec.create_security_context(
         jwt_tokens.CORRECT_CLIENT_CREDENTIALS_TOKEN,
         uaa_configs.VALID['uaa_cc'])
     self._check_client_credentials_token(sec_context)
     self.assertEqual(
         sec_context.get_additional_auth_attribute('external_group'), 'domaingroup1')
     self.assertEqual(
         sec_context.get_clone_service_instance_id(), 'abcd1234')
コード例 #23
0
def validatejwt(encodedJwtToken):
    """JWT offline validation"""
    xs_security = getattr(g, '_sap_xssec', None)
    if xs_security is None:
        xs_security = xssec.create_security_context(encodedJwtToken,
                                                    g._uaaCredentials)
    if xs_security.get_grant_type is None:
        return False
    g._sap_xssec = xs_security
    return True
コード例 #24
0
ファイル: test_req_token.py プロジェクト: mhaas/cloud-pysec
 def test_request_token_for_client_missing_uaa_user_scope(self):
     '''
     Test valid end-user token no attributes.
     request_token_for_client failure, scope uaa.user missing
     '''
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN_NO_ATTR), uaa_configs.VALID['uaa'])
     self._request_token_for_client_error(
         sec_context, flask_url + '/500',
         'JWT token does not include scope "uaa.user"')
コード例 #25
0
ファイル: test_req_token.py プロジェクト: mhaas/cloud-pysec
 def test_req_client_for_user(self):
     sec_context = xssec.create_security_context(
         sign(jwt_payloads.USER_TOKEN_SCOPE_UAA_USER), uaa_configs.VALID['uaa'])
     service_credentials = {
         'clientid': 'clientid',
         'clientsecret': 'clientsecret',
         'url': flask_url + '/correct'
     }
     token = sec_context.request_token_for_client(service_credentials, None)
     self.assertEqual(token, 'access_token')
コード例 #26
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_end_user_token_in_foreign_mode_idz(self):
     ''' valid end-user token in foreign mode (idz - correct SAP_JWT_TRUST_ACL) '''
     environ['SAP_JWT_TRUST_ACL'] = '[{"clientid":"sb-xssectest","identityzone":"test-idz"}]'
     sec_context = xssec.create_security_context(
         jwt_tokens.CORRECT_END_USER_TOKEN, uaa_configs.VALID['uaa_foreign_idz'])
     self.assertTrue(sec_context.is_in_foreign_mode())
     self.assertEqual(
         sec_context.get_additional_auth_attribute('external_group'), 'domaingroup1')
     self.assertIsNone(sec_context.get_additional_auth_attribute('hugo'))
     self.assertIsNone(sec_context.get_hdb_token())
     self.assertIsNotNone(sec_context.get_app_token())
コード例 #27
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_end_user_token_with_attr(self):
     ''' Test valid end-user token with attributes '''
     sec_context = xssec.create_security_context(
         jwt_tokens.CORRECT_END_USER_TOKEN, uaa_configs.VALID['uaa'])
     self._check_user_token(sec_context)
     self.assertTrue(sec_context.has_attributes())
     self.assertEqual(sec_context.get_attribute('country'), ['USA'])
     self.assertEqual(
         sec_context.get_clone_service_instance_id(), 'abcd1234')
     self.assertEqual(
         sec_context.get_additional_auth_attribute('external_group'), 'domaingroup1')
コード例 #28
0
def checkAuth(header):
    if 'authorization' not in request.headers:
        return False

    access_token = header.get('authorization')[7:]
    security_context = xssec.create_security_context(access_token, uaa_service)
    isAuthorized = security_context.check_scope(
        'openid') or security_context.check_scope('uaa.resource')
    if not isAuthorized:
        return False

    return True
コード例 #29
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_application_plan_with_trustedclientidsuffix(self):
     ''' valid application plan with shared tenant mode, defined via SAP_JWT_TRUST_ACL '''
     environ['SAP_JWT_TRUST_ACL'] = json.dumps([{
         'clientid': '*',
         'identityzone': '*'
     }])
     sec_context = xssec.create_security_context(
         jwt_tokens.INVALID_TRUSTED_APPLICATION_PLAN_TOKEN,
         uaa_configs.INVALID['uaa_broker_plan_wrong_suffix'])
     self.assertEqual('sb-tenant-test!t13',sec_context.get_clientid())
     self.assertEqual('api', sec_context.get_identity_zone())
     self.assertEqual('api', sec_context.get_zone_id())
コード例 #30
0
ファイル: test_xssec.py プロジェクト: mattreddy3/cloud-pysec
 def test_valid_end_user_saml_bearer_token(self):
     ''' valid end-user saml bearer token '''
     sec_context = xssec.create_security_context(
         jwt_tokens.CORRECT_END_USER_SAML_BEARER_TOKEN, uaa_configs.VALID['uaa_bearer'])
     self.assertTrue(sec_context.check_scope('openid'))
     self._check_user_info(sec_context)
     self._check_hdb_token(sec_context)
     self.assertEqual(sec_context.get_grant_type(),
                      xssec.constants.GRANTTYPE_SAML2BEARER)
     self.assertEqual(sec_context.get_identity_zone(), 'test-idz')
     self.assertEqual(sec_context.get_zone_id(), 'test-idz')
     self.assertEqual(sec_context.get_subaccount_id(), 'test-idz')
     self.assertIsNone(sec_context.get_subdomain())
     self.assertFalse(sec_context.is_in_foreign_mode())