def test_generate_from_key_string(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
header = create_auth_header('foo', key=private1)
self.assertTrue(header.startswith('JWT '))
token = header.split(' ', 1)[1]
self.assertFalse(verify(token, public2))
self.assertTrue(verify(token, public1))
def test_generate_from_key_string(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
header = create_auth_header('foo', key=private1)
self.assertTrue(header.startswith('JWT '))
token = header.split(' ', 1)[1]
self.assertFalse(verify(token, public2))
self.assertTrue(verify(token, public1))
def test_bad_nonce(self):
private, public = generate_key_pair()
t = token.sign('guido', private, generate_nonce=lambda username, iat: 1)
token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertTrue(token_data)
t = token.sign('guido', private, generate_nonce=lambda username, iat: 1)
token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 2)
self.assertFalse(token_data)
t = token.sign('guido', private, generate_nonce=lambda username, iat: 2)
token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertFalse(token_data)
def process_request(self, request):
if 'HTTP_AUTHORIZATION' not in request.META:
return
method, claim = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
if method.upper() != AUTH_METHOD:
return
username = token.get_claimed_username(claim)
if not username:
return
User = get_user_model()
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
return
claim_data = None
for public in user.public_keys.all():
claim_data = token.verify(claim,
public.key,
validate_nonce=self.validate_nonce)
if claim_data:
break
if not claim_data:
return
logging.info('Successfully authenticated %s using JWT', user.username)
request._dont_enforce_csrf_checks = True
request.user = user
def process_base(self, request):
"""
Base function for processing middleware (process_request) and DRF authentication
(authenticate)
"""
if 'HTTP_AUTHORIZATION' not in request.META:
return None
method, claim = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
if method.upper() != AUTH_METHOD:
return None
username = token.get_claimed_username(claim)
if not username:
return None
User = get_user_model()
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
return None
claim_data = None
for public in user.public_keys.all():
claim_data = token.verify(claim,
public.key,
validate_nonce=self.validate_nonce)
if claim_data:
break
if not claim_data:
return None
logger.debug('Successfully authenticated %s using JWT', user.username)
return user
def process_request(self, request):
if 'HTTP_AUTHORIZATION' not in request.META:
return
method, claim = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
if method.upper() != AUTH_METHOD:
return
username = token.get_claimed_username(claim)
if not username:
return
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
return
claim_data = None
for public in user.public_keys.all():
claim_data = token.verify(claim, public.key, validate_nonce=self.validate_nonce)
if claim_data:
break
if not claim_data:
return
logging.info('Successfully authenticated %s using JWT', user.username)
request._dont_enforce_csrf_checks = True
request.user = user
def test_bad_iat(self):
private, public = generate_key_pair()
t = token.sign('guido', private, iat=time.time())
token_data = token.verify(t, public)
self.assertTrue(token_data)
# IAT tolerance exists to account for clock drift between disparate systems.
tolerance = token.TIMESTAMP_TOLERANCE + 1
t = token.sign('guido', private, iat=time.time() - tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
t = token.sign('guido', private, iat=time.time() + tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
def test_generate_from_encrypted_key_file(self):
header = create_auth_header('foo',
key_file=KEY2_PRIVATE,
key_password=KEY2_PASSWORD)
self.assertTrue(header.startswith('JWT '))
token = header.split(' ', 1)[1]
with open(KEY2_PUBLIC, 'r') as public:
self.assertTrue(verify(token, public.read()))
def test_bad_iat(self):
private, public = generate_key_pair()
t = token.sign('guido', private, iat=time.time())
token_data = token.verify(t, public)
self.assertTrue(token_data)
# IAT tolerance exists to account for clock drift between disparate systems.
tolerance = token.TIMESTAMP_TOLERANCE + 1
t = token.sign('guido', private, iat=time.time() - tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
t = token.sign('guido', private, iat=time.time() + tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
def test_bad_keys(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
t = token.sign('guido', private1)
token_data = token.verify(t, public1)
self.assertTrue(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public2)
self.assertTrue(token_data)
t = token.sign('guido', private1)
token_data = token.verify(t, public2)
self.assertFalse(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public1)
self.assertFalse(token_data)
def test_bad_keys(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
t = token.sign('guido', private1)
token_data = token.verify(t, public1)
self.assertTrue(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public2)
self.assertTrue(token_data)
t = token.sign('guido', private1)
token_data = token.verify(t, public2)
self.assertFalse(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public1)
self.assertFalse(token_data)
def test_bad_nonce(self):
private, public = generate_key_pair()
t = token.sign('guido',
private,
generate_nonce=lambda username, iat: 1)
token_data = token.verify(
t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertTrue(token_data)
t = token.sign('guido',
private,
generate_nonce=lambda username, iat: 1)
token_data = token.verify(
t, public, validate_nonce=lambda username, iat, nonce: nonce == 2)
self.assertFalse(token_data)
t = token.sign('guido',
private,
generate_nonce=lambda username, iat: 2)
token_data = token.verify(
t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertFalse(token_data)
def process_request(self, request):
"""
Process a Django request and authenticate users.
If a JWT authentication header is detected and it is determined to be valid, the user is set as
``request.user`` and CSRF protection is disabled (``request._dont_enforce_csrf_checks = True``) on
the request.
:param request: Django Request instance
"""
if 'HTTP_AUTHORIZATION' not in request.META:
return
try:
method, claim = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
except ValueError:
return
if method.upper() != AUTH_METHOD:
return
username = token.get_claimed_username(claim)
if not username:
return
User = get_user_model()
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
return
claim_data = None
for public in user.public_keys.all():
claim_data = token.verify(claim,
public.key,
validate_nonce=self.validate_nonce)
if claim_data:
break
if not claim_data:
return
logger.debug('Successfully authenticated %s using JWT', user.username)
request._dont_enforce_csrf_checks = True
request.user = user
def test_roundtrip(self):
private, public = generate_key_pair()
t = token.sign('guido', private)
token_data = token.verify(t, public)
self.assertTrue(token_data)
self.assertEqual(token_data.get('username'), 'guido')
def test_generate_from_encrypted_key_file(self):
header = create_auth_header('foo', key_file=KEY2_PRIVATE, key_password=KEY2_PASSWORD)
self.assertTrue(header.startswith('JWT '))
token = header.split(' ', 1)[1]
with open(KEY2_PUBLIC, 'r') as public:
self.assertTrue(verify(token, public.read()))
def test_roundtrip(self):
private, public = generate_key_pair()
t = token.sign('guido', private)
token_data = token.verify(t, public)
self.assertTrue(token_data)
self.assertEqual(token_data.get('username'), 'guido')
