def test_parse_and_validate_valid_token_RSA():
    """Happy path: a token signed by the default RSA key validates against JWT_BUNDLE.

    After validation the SVID must expose the audience, SPIFFE ID, expiry and
    the raw token exactly as they were minted by ``create_jwt``.
    """
    minted = create_jwt()

    svid = JwtSvid.parse_and_validate(minted, JWT_BUNDLE, ['spire'])

    # Every claim the caller relies on must round-trip unchanged.
    assert svid.audience == DEFAULT_AUDIENCE
    assert str(svid.spiffe_id) == DEFAULT_SPIFFE_ID
    assert svid.expiry == DEFAULT_EXPIRY
    assert svid.token == minted
def test_parse_and_validate_invalid_missing_kid():
    """A token whose ``kid`` header names no key in the bundle is rejected.

    The bundle lookup must fail closed with ``AuthorityNotFoundError`` rather
    than falling back to some other key, and the message must name the kid.
    """
    unknown_kid = 'kid10'
    minted = create_jwt(kid=unknown_kid)

    with pytest.raises(AuthorityNotFoundError) as raised:
        JwtSvid.parse_and_validate(minted, JWT_BUNDLE, ['spire'])

    assert str(raised.value) == f'Key ({unknown_kid}) not found in authorities.'
def mock_client_get_jwt_svid(mocker):
    """Stub the Workload API ``FetchJWTSVID`` call to return one SVID for SPIFFE_ID.

    Args:
        mocker: pytest-mock fixture used to build the stub.

    Side effect: replaces ``FetchJWTSVID`` on the shared WORKLOAD_API_CLIENT's
    gRPC stub for the remainder of the test.
    """
    subject = str(SPIFFE_ID)
    minted = create_jwt(spiffe_id=subject)

    response = workload_pb2.JWTSVIDResponse(
        svids=[workload_pb2.JWTSVID(spiffe_id=subject, svid=minted)]
    )
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTSVID = mocker.Mock(
        return_value=response
    )
def test_validate_jwt_svid_raise_error(mocker):
    """A failure from the Workload API ``ValidateJWTSVID`` call is wrapped.

    Any exception raised by the stub must surface as ``ValidateJwtSvidError``
    with the original message embedded, so callers see one error type.
    """
    minted = create_jwt()
    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.ValidateJWTSVID = mocker.Mock(side_effect=Exception('Mocked error'))

    with pytest.raises(ValidateJwtSvidError) as raised:
        WORKLOAD_API_CLIENT.validate_jwt_svid(token=minted, audience='audience')

    assert str(raised.value) == 'JWT SVID is not valid: Mocked error.'
def test_fetch_jwt_svid_wrong_token(mocker):
    """An SVID returned by the Workload API with an empty ``sub`` is rejected.

    The token comes from the (trusted) agent channel, but the client must still
    refuse it and raise ``FetchJwtSvidError`` naming the missing ``sub`` claim.
    """
    malformed = create_jwt(spiffe_id='')
    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.FetchJWTSVID = mocker.Mock(
        return_value=workload_pb2.JWTSVIDResponse(
            svids=[workload_pb2.JWTSVID(svid=malformed)]
        )
    )

    with pytest.raises(FetchJwtSvidError) as raised:
        WORKLOAD_API_CLIENT.fetch_jwt_svid(audiences=DEFAULT_AUDIENCE)

    expected = 'Error fetching JWT SVID: Missing required claim: sub.'
    assert str(raised.value) == expected
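def test_parse_and_validate_valid_token_EC():
    """Happy path: a token signed with an EC key validates against a fresh bundle.

    RFC 7518 section 3.4 binds ``ES512`` to the P-521 curve, so the key is
    generated on ``SECP521R1`` (the original used P-384 with ES512, which is
    not a spec-compliant pairing and does not exercise the curve the
    algorithm actually mandates; see the multi-key bundle test for the same
    P-521/ES512 combination).
    """
    ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend())
    jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN, {'kid_ec': ec_key.public_key()})

    ec_key_pem, _ = get_keys_pems(ec_key)
    token = create_jwt(ec_key_pem, 'kid_ec', alg='ES512')

    jwt_svid = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])

    assert jwt_svid.audience == DEFAULT_AUDIENCE
    assert str(jwt_svid.spiffe_id) == DEFAULT_SPIFFE_ID
    assert jwt_svid.expiry == DEFAULT_EXPIRY
    assert jwt_svid.token == token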
def test_fetch_jwt_svid_wrong_token(mocker):
    """An SVID with an empty ``sub`` streamed from the Workload API is rejected.

    Here ``FetchJWTSVID`` is stubbed as an iterator of responses (streaming
    shape) and only the error prefix is checked. NOTE(review): another test in
    this corpus has the same name with a non-streaming stub and an exact
    message assertion; if both live in one module, pytest collects only the
    later definition.
    """
    empty_subject = ''
    malformed = create_jwt(spiffe_id=empty_subject)

    stream = iter([
        workload_pb2.JWTSVIDResponse(
            svids=[workload_pb2.JWTSVID(svid=malformed)]
        )
    ])
    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.FetchJWTSVID = mocker.Mock(return_value=stream)

    with pytest.raises(FetchJwtSvidError) as raised:
        WORKLOAD_API_CLIENT.fetch_jwt_svid(audiences=DEFAULT_AUDIENCE)

    assert str(raised.value).startswith('Error fetching JWT SVID')
def test_parse_and_validate_invalid_kid_mismatch():
    """A token signed by one key but claiming another key's ``kid`` is rejected.

    The bundle holds the real signing key under ``kid1`` and an unrelated RSA
    key under ``kid10``; the token is signed with the default key but labelled
    ``kid10``. Verification must use the key the header names and fail with
    ``InvalidTokenError`` rather than trying other keys in the bundle.
    """
    decoy_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    authorities = {
        'kid1': DEFAULT_KEY.public_key(),
        'kid10': decoy_key.public_key(),
    }
    jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN, authorities)

    # Signed with DEFAULT_KEY, but the header points at the decoy key.
    mislabelled = create_jwt(kid='kid10')

    with pytest.raises(InvalidTokenError) as raised:
        JwtSvid.parse_and_validate(mislabelled, jwt_bundle, ['spire'])

    assert str(raised.value) == 'Signature verification failed.'
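def test_fetch_jwt_svid_aud(mocker):
    """Fetching an SVID from the Workload API returns the minted token's claims.

    Checks SPIFFE ID, raw token, ``aud`` and that ``exp`` is in the future.
    The "now" reference uses a timezone-aware UTC datetime instead of the
    deprecated ``datetime.utcnow()``; ``timegm`` of its ``utctimetuple`` yields
    the same epoch seconds, so the comparison is unchanged.
    """
    subject = 'spiffe://test.com/my_service'
    minted = create_jwt(spiffe_id=subject)

    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.FetchJWTSVID = mocker.Mock(
        return_value=workload_pb2.JWTSVIDResponse(
            svids=[workload_pb2.JWTSVID(svid=minted)]
        )
    )

    svid = WORKLOAD_API_CLIENT.fetch_jwt_svid(audiences=DEFAULT_AUDIENCE)

    now_utc = timegm(datetime.datetime.now(datetime.timezone.utc).utctimetuple())

    assert svid.spiffe_id == SpiffeId.parse(subject)
    assert svid.token == minted
    assert svid.claims['aud'] == DEFAULT_AUDIENCE
    # The SVID must not already be expired at the moment it is fetched.
    assert int(svid.expiry) > now_utc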
def test_parse_and_validate_valid_token_multiple_keys_bundle():
    """Tokens signed by either key of a two-key (RSA + EC) bundle both validate.

    The bundle maps ``kid_rsa`` to the default RSA key and ``kid_ec`` to a
    fresh P-521 key. An ES512 token under ``kid_ec`` and an RSA token under
    ``kid_rsa`` must each resolve to the matching authority and validate.
    """
    ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend())
    authorities = {
        'kid_rsa': DEFAULT_KEY.public_key(),
        'kid_ec': ec_key.public_key(),
    }
    jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN, authorities)

    ec_key_pem, _ = get_keys_pems(ec_key)
    ec_token = create_jwt(ec_key_pem, kid='kid_ec', alg='ES512')
    rsa_token = create_jwt(kid='kid_rsa')

    for minted in (ec_token, rsa_token):
        svid = JwtSvid.parse_and_validate(minted, jwt_bundle, ['spire'])
        assert svid.audience == DEFAULT_AUDIENCE
        assert str(svid.spiffe_id) == DEFAULT_SPIFFE_ID
        assert svid.expiry == DEFAULT_EXPIRY
        assert svid.token == minted
def test_validate_jwt_svid(mocker):
    """Validating a token via the Workload API yields an SVID with its claims.

    ``ValidateJWTSVID`` is stubbed to answer with the token's SPIFFE ID; the
    resulting SVID must carry that ID, the raw token and the single-element
    audience list both in ``claims['aud']`` and ``audience``.
    """
    aud = 'spire'
    subject = 'spiffe://test.com/my_service'
    minted = create_jwt(audience=[aud], spiffe_id=subject)

    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.ValidateJWTSVID = mocker.Mock(
        return_value=workload_pb2.ValidateJWTSVIDResponse(spiffe_id=subject)
    )

    svid = WORKLOAD_API_CLIENT.validate_jwt_svid(token=minted, audience=aud)

    assert svid.spiffe_id == SpiffeId.parse(subject)
    assert svid.token == minted
    assert svid.claims['aud'] == [aud]
    assert svid.audience == [aud]
def test_parse_and_validate_invalid_missing_sub():
    """A token whose SPIFFE ID (``sub``) is empty is rejected.

    Even with a valid signature the SVID has no identity to bind to, so
    ``parse_and_validate`` must raise ``InvalidTokenError``.
    """
    subjectless = create_jwt(spiffe_id='')

    with pytest.raises(InvalidTokenError) as raised:
        JwtSvid.parse_and_validate(subjectless, JWT_BUNDLE, ['spire'])

    assert str(raised.value) == 'SPIFFE ID cannot be empty.'