def test_cant_be_used_after_exp(self):
    """verify_jwt rejects a token whose 'exp' lies beyond the allowed clock drift."""
    # One second past the drift tolerance, so the leeway cannot rescue the token.
    expired_at = utils.time_time() - tokens.ALLOWED_CLOCK_DRIFT_SEC - 1
    _, _, token = self.make_good_jwt(iat=expired_at - 3600, exp=expired_at)
    with self.assertRaises(tokens.InvalidTokenError) as raised:
        tokens.verify_jwt(token, self.mock_certs_bundle())
    # NOTE(review): the literal timestamps presumably depend on the fixture
    # pinning utils.time_time() to a fixed value -- confirm in setUp.
    self.assertIn(
        'Bad JWT: expired (now 1514768461 > exp 1514768430)',
        raised.exception.message)
def test_iat_and_exp_are_numbers(self):
    """verify_jwt rejects a token whose 'iat' or 'exp' claim is not numeric."""
    for field in ('iat', 'exp'):
        # Replace one time claim with a string; the rest of the token stays good.
        _, _, token = self.make_good_jwt(**{field: 'z'})
        with self.assertRaises(tokens.InvalidTokenError) as raised:
            tokens.verify_jwt(token, self.mock_certs_bundle())
        expected = "'%s' (u'z') is not a number" % field
        self.assertIn(expected, raised.exception.message)
def test_cant_be_used_before_iat(self):
    """verify_jwt rejects a token issued further ahead than the allowed clock drift."""
    # One second beyond the drift tolerance, so the leeway cannot admit the token.
    not_yet = utils.time_time() + tokens.ALLOWED_CLOCK_DRIFT_SEC + 1
    _, _, token = self.make_good_jwt(iat=not_yet, exp=not_yet + 3600)
    with self.assertRaises(tokens.InvalidTokenError) as raised:
        tokens.verify_jwt(token, self.mock_certs_bundle())
    # The message reports the bound as 'nbf' although only 'iat' is set here.
    # NOTE(review): presumably verify_jwt falls back to 'iat' when 'nbf' is
    # absent -- confirm against the implementation.
    self.assertIn(
        'Bad JWT: too early (now 1514768461 < nbf 1514768492)',
        raised.exception.message)
def test_alg_not_rs256(self):
    """verify_jwt refuses a token whose header names an algorithm other than RS256."""
    with self.assertRaises(tokens.InvalidTokenError) as raised:
        # The header carries a key id, so the 'alg' value is what gets it
        # rejected; the payload is left empty.
        bad_alg_header = {'alg': 'NOTRS256', 'kid': self.KEY}
        tokens.verify_jwt(
            self.make_jwt(bad_alg_header, {}), self.mock_certs_bundle())
    self.assertIn('Only RS256 tokens are supported', raised.exception.message)
def test_happy_path(self):
    """verify_jwt returns the header and payload of a well-formed token."""
    header, claims, token = self.make_good_jwt()
    # The mock bundle is handed '<b64 header>.<b64 payload>' as the blob it
    # should see. NOTE(review): presumably the mock checks that this is the
    # data the signature is verified over -- confirm in mock_certs_bundle.
    signed_blob = '%s.%s' % (to_json_b64(header), to_json_b64(claims))
    certs = self.mock_certs_bundle(expected_blob=signed_blob)
    got_header, got_claims = tokens.verify_jwt(token, certs)
    self.assertEqual(got_header, header)
    self.assertEqual(got_claims, claims)
def test_iat_and_exp_are_required(self):
    """verify_jwt rejects a token that lacks the 'iat' or the 'exp' claim."""
    for field in ('iat', 'exp'):
        # self.OMIT is passed in place of a value; the expected error shows the
        # claim is then missing from the token.
        _, _, token = self.make_good_jwt(**{field: self.OMIT})
        with self.assertRaises(tokens.InvalidTokenError) as raised:
            tokens.verify_jwt(token, self.mock_certs_bundle())
        expected = "has no '%s' field" % field
        self.assertIn(expected, raised.exception.message)
def test_bad_signature(self):
    """verify_jwt raises InvalidSignatureError when the signature does not verify."""
    _, _, token = self.make_good_jwt()
    with self.assertRaises(tokens.InvalidSignatureError) as raised:
        # The mock bundle is configured to accept a different signature than
        # the one the good token carries.
        tokens.verify_jwt(
            token, self.mock_certs_bundle(valid_sig='some-other-sig'))
    self.assertIn('invalid signature', raised.exception.message)
def test_unknown_key(self):
    """verify_jwt fails when the bundle does not know the token's key id."""
    _, _, token = self.make_good_jwt()
    # The failure surfaces as signature.CertificateError rather than one of the
    # tokens.* errors asserted by the sibling tests.
    # NOTE(review): whether CertificateError shares a base class with
    # tokens.InvalidTokenError is not visible here -- callers that catch only
    # the latter should confirm.
    with self.assertRaises(signature.CertificateError) as raised:
        tokens.verify_jwt(
            token, self.mock_certs_bundle(valid_key='some-other-key'))
    self.assertIn('No such key', raised.exception.message)
def test_kid_is_required(self):
    """verify_jwt rejects a token whose header has no 'kid' entry."""
    with self.assertRaises(tokens.InvalidTokenError) as raised:
        # 'alg' is the accepted RS256, so the missing key id is the only fault.
        header_without_kid = {'alg': 'RS256'}
        tokens.verify_jwt(
            self.make_jwt(header_without_kid, {}), self.mock_certs_bundle())
    self.assertIn('Key ID is not specified', raised.exception.message)
def test_header_not_a_dict(self):
    """verify_jwt rejects a token whose header decodes to a JSON list."""
    with self.assertRaises(tokens.InvalidTokenError) as raised:
        # Header segment is an encoded []; payload is an encoded {}; the third
        # segment is a dummy signature.
        malformed = '%s.%s.aaaa' % (to_json_b64([]), to_json_b64({}))
        tokens.verify_jwt(malformed, self.mock_certs_bundle())
    self.assertIn('not a dict', raised.exception.message)
def test_bad_base64(self):
    """verify_jwt rejects a three-segment token whose segments are not valid base64."""
    garbage = 'x.x.x'
    with self.assertRaises(tokens.InvalidTokenError) as raised:
        tokens.verify_jwt(garbage, self.mock_certs_bundle())
    self.assertIn('not valid base64', raised.exception.message)
def test_wrong_number_of_segments(self):
    """verify_jwt rejects a token that has an extra dot-separated segment."""
    _, _, token = self.make_good_jwt()
    with self.assertRaises(tokens.InvalidTokenError) as raised:
        # Appending '.aaaa' to an otherwise good token adds one segment.
        tokens.verify_jwt(token + '.aaaa', self.mock_certs_bundle())
    self.assertIn('should have 3 segments', raised.exception.message)