def test_03_verify_auth_token(self): # create a jwt with a trusted private key with open("tests/testdata/jwt_sign.key", "r") as f: key = f.read() with mock.patch("logging.Logger.warning") as mock_log: auth_token = jwt.encode(payload={ "role": "user", "user": "******", "realm": "realm1", "resolver": "resolverX" }, key=key, algorithm="RS256") r = verify_auth_token(auth_token=auth_token, required_role="user") self.assertEqual(r.get("realm"), "realm1") self.assertEqual(r.get("user"), "userA") self.assertEqual( r.get("resolver"), "resolverX", ) self.assertEqual(r.get("role"), "user") mock_log.assert_called_once_with( "Unsupported JWT algorithm in PI_TRUSTED_JWT.") # The signature has expired expired_token = jwt.encode(payload={ "role": "admin", "exp": datetime.datetime.utcnow() - datetime.timedelta(seconds=1000) }, key=key, algorithm="RS256") self.assertRaises(AuthError, verify_auth_token, auth_token=expired_token, required_role="admin") # The signature does not match with mock.patch("logging.Logger.info") as mock_log: auth_token = jwt.encode(payload={ "role": "user", "user": "******", "realm": "realm1", "resolver": "resolverX" }, key=key, algorithm="RS256") r = verify_auth_token(auth_token=auth_token, required_role="user") mock_log.assert_any_call("A given JWT definition does not match.")
def before_request(): """ This is executed before the request """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. request.all_data = remove_session_from_param(request.values, request.data) # Verify the authtoken! authtoken = request.all_data.get("authtoken") r = verify_auth_token(authtoken, ["user", "admin"]) request.PI_username = r.get("username") request.PI_realm = r.get("realm") request.PI_role = r.get("role")
def before_request(): """ This is executed before the request """ # remove session from param and gather all parameters, either # from the Form data or from JSON in the request body. request.all_data = get_all_params(request.values, request.data) # Verify the authtoken! authtoken = request.all_data.get("authtoken") r = verify_auth_token(authtoken, ["user", "admin"]) request.PI_username = r.get("username") request.PI_realm = r.get("realm") request.PI_role = r.get("role")
def check_auth_token(required_role=None): """ This checks the authentication token You need to pass an authentication header: PI-Authorization: <token> You can do this using httpie like this: http -j POST http://localhost:5000/system/getConfig Authorization:ewrt """ auth_token = request.headers.get('PI-Authorization') if not auth_token: auth_token = request.headers.get('Authorization') r = verify_auth_token(auth_token, required_role) g.logged_in_user = {"username": r.get("username"), "realm": r.get("realm"), "role": r.get("role")}
def test_03_verify_auth_token(self): # create a jwt with a trusted private key with open("tests/testdata/jwt_sign.key", "r") as f: key = f.read() # successful authentication with wildcard user, starting with an "h" and ending with "s" auth_token = jwt.encode(payload={ "role": "user", "username": "******", "realm": "realmX", "resolver": "resolverX" }, key=key, algorithm="RS256") r = verify_auth_token(auth_token=auth_token, required_role="user") self.assertEqual(r.get("realm"), "realmX") self.assertEqual(r.get("username"), "hans") self.assertEqual( r.get("resolver"), "resolverX", ) self.assertEqual(r.get("role"), "user") # A user starting with hans and ending with "t" is not allowed auth_token = jwt.encode(payload={ "role": "user", "username": "******", "realm": "realmX", "resolver": "resolverX" }, key=key, algorithm="RS256") with warnings.catch_warnings(): warnings.simplefilter('ignore', category=DeprecationWarning) self.assertRaisesRegexp( AuthError, "The username hanswurst is not allowed to impersonate via JWT.", verify_auth_token, auth_token=auth_token, required_role="user") # A user ending with hans is not allowed # A user starting with hans and ending with "t" is not allowed auth_token = jwt.encode(payload={ "role": "user", "username": "******", "realm": "realmX", "resolver": "resolverX" }, key=key, algorithm="RS256") with warnings.catch_warnings(): warnings.simplefilter('ignore', category=DeprecationWarning) self.assertRaisesRegexp( AuthError, "The username kleinerhans is not allowed to impersonate via JWT.", verify_auth_token, auth_token=auth_token, required_role="user") # Successful authentication with dedicated user with mock.patch("logging.Logger.warning") as mock_log: auth_token = jwt.encode(payload={ "role": "user", "username": "******", "realm": "realm1", "resolver": "resolverX" }, key=key, algorithm="RS256") r = verify_auth_token(auth_token=auth_token, required_role="user") self.assertEqual(r.get("realm"), "realm1") self.assertEqual(r.get("username"), "userA") self.assertEqual( r.get("resolver"), "resolverX", ) self.assertEqual(r.get("role"), "user") # ...but there is an unsupported configuration mock_log.assert_called_once_with( "Unsupported JWT algorithm in PI_TRUSTED_JWT.") # The signature has expired expired_token = jwt.encode(payload={ "role": "admin", "exp": datetime.datetime.utcnow() - datetime.timedelta(seconds=1000) }, key=key, algorithm="RS256") self.assertRaises(AuthError, verify_auth_token, auth_token=expired_token, required_role="admin") # The signature does not match with mock.patch("logging.Logger.info") as mock_log: auth_token = jwt.encode(payload={ "role": "user", "username": "******", "realm": "realm1", "resolver": "resolverX" }, key=key, algorithm="RS256") r = verify_auth_token(auth_token=auth_token, required_role="user") mock_log.assert_any_call("A given JWT definition does not match.")