def test__generate_claims(self): """ tests that _generate_claims works as expected. """ expected_now = datetime.datetime(year=2001, day=1, month=1) expected_audience = 'example_aud' expected_iss = 'eg' expected_key_id = 'eg/ex' jwt_auth_signer = atlassian_jwt_auth.create_signer( expected_iss, expected_key_id, self._private_key_pem) jwt_auth_signer._now = lambda: expected_now for additional_claims in [{}, {'extra': 'thing'}]: expected_claims = { 'iss': expected_iss, 'exp': expected_now + datetime.timedelta(hours=1), 'iat': expected_now, 'aud': expected_audience, 'nbf': expected_now, 'sub': expected_iss, } expected_claims.update(additional_claims) claims = jwt_auth_signer._generate_claims( expected_audience, additional_claims=additional_claims) self.assertIsNotNone(claims['jti']) del claims['jti'] self.assertEqual(claims, expected_claims)
def test_generate_jwt(self, m_jwt_encode): """ tests that generate_jwt works as expected. """ expected_aud = 'aud_x' expected_claims = {'eg': 'ex'} expected_key_id = 'key_id' expected_issuer = 'a_issuer' jwt_auth_signer = atlassian_jwt_auth.create_signer( expected_issuer, expected_key_id, private_key_pem=self._private_key_pem, algorithm=self.algorithm, ) jwt_auth_signer._generate_claims = lambda aud: expected_claims jwt_auth_signer.generate_jwt(expected_aud) m_jwt_encode.assert_called_with( expected_claims, key=mock.ANY, algorithm=self.algorithm, headers={'kid': expected_key_id}) for name, args, kwargs in m_jwt_encode.mock_calls: call_private_key = kwargs['key'].private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption() ) self.assertEqual(call_private_key, self._private_key_pem)
def create_token(issuer, audience, key_id, private_key, subject=None): """" returns a token based upon the supplied parameters. """ signer = atlassian_jwt_auth.create_signer(issuer, key_id, private_key, subject=subject) return signer.generate_jwt(audience)
def test__generate_claims(self): """ tests that _generate_claims works as expected. """ expected_now = datetime.datetime(year=2001, day=1, month=1) expected_audience = 'example_aud' expected_iss = 'eg' expected_key_id = 'eg/ex' jwt_auth_signer = atlassian_jwt_auth.create_signer( expected_iss, expected_key_id, self._private_key_pem) jwt_auth_signer._now = lambda: expected_now for additional_claims in [{}, {'extra': 'thing'}]: expected_claims = { 'iss': expected_iss, 'exp': expected_now + datetime.timedelta(hours=1), 'iat': expected_now, 'aud': expected_audience, 'nbf': expected_now, 'sub': expected_iss, } expected_claims.update(additional_claims) claims = jwt_auth_signer._generate_claims( expected_audience, additional_claims=additional_claims) self.assertIsNotNone(claims['jti']) del claims['jti'] self.assertEqual(claims, expected_claims)
def get_example_jwt_auth_signer(**kwargs): """ returns an example jwt_auth_signer instance. """ issuer = kwargs.get('issuer', 'egissuer') key_id = kwargs.get('key_id', '%s/a' % issuer) key = kwargs.get( 'private_key_pem', get_new_rsa_private_key_in_pem_format()) algorithm = kwargs.get('algorithm', 'RS256') return atlassian_jwt_auth.create_signer( issuer, key_id, key, algorithm=algorithm)
def test_JWTAuth_make_authenticated_request(self): """Verify a valid Authorization header is added by JWTAuth""" jwt_auth_signer = atlassian_jwt_auth.create_signer( 'issuer', 'issuer/key', self._private_key_pem.decode(), algorithm=self.algorithm) auth = self.auth_cls(jwt_auth_signer, 'audience') self.assert_authorization_header_is_valid(auth)
def test_JWTAuth_make_authenticated_request(self): """Verify a valid Authorization header is added by JWTAuth""" jwt_auth_signer = atlassian_jwt_auth.create_signer( 'issuer', 'issuer/key', self._private_key_pem.decode(), algorithm=self.algorithm) auth = JWTAuth(jwt_auth_signer, 'audience') req = auth(Request()) self.assert_authorization_header_is_valid(req)
def get_example_jwt_auth_signer(**kwargs): """ returns an example jwt_auth_signer instance. """ issuer = kwargs.get('issuer', 'egissuer') key_id = kwargs.get('key_id', '%s/a' % issuer) key = kwargs.get('private_key_pem', get_new_rsa_private_key_in_pem_format()) algorithm = kwargs.get('algorithm', 'RS256') return atlassian_jwt_auth.create_signer(issuer, key_id, key, algorithm=algorithm)
def test_verify_jwt_with_key_identifier_not_starting_with_issuer(self): """ tests that verify_jwt rejects a jwt if the key identifier does not start with the claimed issuer. """ verifier = self._setup_jwt_auth_verifier(self._public_key_pem) signer = atlassian_jwt_auth.create_signer( 'issuer', 'issuerx', self._private_key_pem.decode(), algorithm=self.algorithm, ) a_jwt = signer.generate_jwt(self._example_aud) with self.assertRaisesRegexp(ValueError, 'Issuer does not own'): verifier.verify_jwt(a_jwt, self._example_aud)
def setUp(self): self._private_key_pem = self.get_new_private_key_in_pem_format() self._public_key_pem = utils.get_public_key_pem_for_private_key_pem( self._private_key_pem) self._example_aud = 'aud_x' self._example_issuer = 'egissuer' self._example_key_id = '%s/a' % self._example_issuer self._jwt_auth_signer = atlassian_jwt_auth.create_signer( self._example_issuer, self._example_key_id, self._private_key_pem.decode(), algorithm=self.algorithm)
def __call__(self, request): kwargs = {'additional_claims': {}} if self.sub is not None: kwargs['additional_claims']['sub'] = self.sub signer = atlassian_jwt_auth.create_signer(self.iss, self.kid, self.private_key) token = signer.generate_jwt(self.aud, **kwargs) request.headers['Authorization'] = 'Bearer {}'.format( token.decode('utf-8')) return request
def test_create_jwt_auth_with_additional_claims(self): """ Verify a Valid Authorization header is added by JWTAuth and contains the additional claims when provided. """ jwt_auth_signer = atlassian_jwt_auth.create_signer( 'issuer', 'issuer/key', self._private_key_pem.decode(), algorithm=self.algorithm) auth = self.auth_cls(jwt_auth_signer, 'audience', additional_claims={'example': 'claim'}) token = self.assert_authorization_header_is_valid(auth) self.assertEqual(token.get('example'), 'claim')
def setUp(self): self._private_key_pem = self.get_new_private_key_in_pem_format() self._public_key_pem = utils.get_public_key_pem_for_private_key_pem( self._private_key_pem) self._example_aud = 'aud_x' self._example_issuer = 'egissuer' self._example_key_id = '%s/a' % self._example_issuer self._jwt_auth_signer = atlassian_jwt_auth.create_signer( self._example_issuer, self._example_key_id, self._private_key_pem.decode(), algorithm=self.algorithm )
def test_verify_jwt_with_key_identifier_not_starting_with_issuer(self): """ tests that verify_jwt rejects a jwt if the key identifier does not start with the claimed issuer. """ verifier = self._setup_jwt_auth_verifier(self._public_key_pem) signer = atlassian_jwt_auth.create_signer( 'issuer', 'issuerx', self._private_key_pem.decode(), algorithm=self.algorithm, ) a_jwt = signer.generate_jwt(self._example_aud) with self.assertRaisesRegexp(ValueError, 'Issuer does not own'): verifier.verify_jwt(a_jwt, self._example_aud)
def test_generate_jwt(self, m_jwt_encode): """ tests that generate_jwt works as expected. """ expected_aud = 'aud_x' expected_claims = {'eg': 'ex'} expected_key_id = 'key_id' expected_issuer = 'a_issuer' jwt_auth_signer = atlassian_jwt_auth.create_signer( expected_issuer, expected_key_id, private_key_pem=self._private_key_pem, algorithm=self.algorithm, ) jwt_auth_signer._generate_claims = lambda aud: expected_claims jwt_auth_signer.generate_jwt(expected_aud) m_jwt_encode.assert_called_with(expected_claims, key=self._private_key_pem, algorithm=self.algorithm, headers={'kid': expected_key_id})
def test_generate_jwt(self, m_jwt_encode): """ tests that generate_jwt works as expected. """ expected_aud = 'aud_x' expected_claims = {'eg': 'ex'} expected_key_id = 'key_id' expected_issuer = 'a_issuer' jwt_auth_signer = atlassian_jwt_auth.create_signer( expected_issuer, expected_key_id, private_key_pem=self._private_key_pem, algorithm=self.algorithm, ) jwt_auth_signer._generate_claims = lambda aud: expected_claims jwt_auth_signer.generate_jwt(expected_aud) m_jwt_encode.assert_called_with( expected_claims, key=self._private_key_pem, algorithm=self.algorithm, headers={'kid': expected_key_id})
def parse_config_file(asap_config_file): """ Parse ``asap_config_file`` JSON and return the signer. :param str asap_config_file: Path to the ASAP config file. :return: atlassian_jwt_auth.signer.JWTAuthSigner :raises ExitStatus.PLUGIN_ERROR: Invalid config. """ config = None try: with open(asap_config_file) as f: config = json.load(f) except IOError: fatal_plugin_error( "file not readable: {}".format(asap_config_file)) except ValueError: fatal_plugin_error( "invalid JSON config: {}".format(asap_config_file)) if config and not isinstance(config, dict): fatal_plugin_error( "invalid JSON config (expected dict): {}".format( asap_config_file)) try: return ( atlassian_jwt_auth.create_signer(config["issuer"], config["kid"], config["privateKey"]), config["audience"], config.get("sub"), ) except KeyError as e: fatal_plugin_error("expected key in config file: {}".format(e))
def create_token(issuer, audience, key_id, private_key): signer = atlassian_jwt_auth.create_signer( issuer, key_id, private_key ) return signer.generate_jwt(audience)
def create_jwt_auth(issuer, key_identifier, private_key_pem, audience): """Instantiate a JWTAuth while creating the signer inline""" signer = atlassian_jwt_auth.create_signer(issuer, key_identifier, private_key_pem) return JWTAuth(signer, audience)
def create(cls, issuer, key_identifier, private_key_pem, audience, **kwargs): """Instantiate a JWTAuth while creating the signer inline""" signer = atlassian_jwt_auth.create_signer(issuer, key_identifier, private_key_pem, **kwargs) return cls(signer, audience)
def create_token(issuer, audience, key_id, private_key, subject=None): signer = create_signer(issuer, key_id, private_key, subject=subject) return signer.generate_jwt(audience)
def create_token(issuer, audience, key_id, private_key): signer = create_signer(issuer, key_id, private_key) return signer.generate_jwt(audience)
def create_jwt_auth( issuer, key_identifier, private_key_pem, audience, **kwargs): """Instantiate a JWTAuth while creating the signer inline""" signer = atlassian_jwt_auth.create_signer(issuer, key_identifier, private_key_pem, **kwargs) return JWTAuth(signer, audience)