def test__generate_claims(self):
""" tests that _generate_claims works as expected. """
expected_now = datetime.datetime(year=2001, day=1, month=1)
expected_audience = 'example_aud'
expected_iss = 'eg'
expected_key_id = 'eg/ex'
jwt_auth_signer = atlassian_jwt_auth.create_signer(
expected_iss,
expected_key_id,
self._private_key_pem)
jwt_auth_signer._now = lambda: expected_now
for additional_claims in [{}, {'extra': 'thing'}]:
expected_claims = {
'iss': expected_iss,
'exp': expected_now + datetime.timedelta(hours=1),
'iat': expected_now,
'aud': expected_audience,
'nbf': expected_now,
'sub': expected_iss,
}
expected_claims.update(additional_claims)
claims = jwt_auth_signer._generate_claims(
expected_audience,
additional_claims=additional_claims)
self.assertIsNotNone(claims['jti'])
del claims['jti']
self.assertEqual(claims, expected_claims)
def test_generate_jwt(self, m_jwt_encode):
""" tests that generate_jwt works as expected. """
expected_aud = 'aud_x'
expected_claims = {'eg': 'ex'}
expected_key_id = 'key_id'
expected_issuer = 'a_issuer'
jwt_auth_signer = atlassian_jwt_auth.create_signer(
expected_issuer,
expected_key_id,
private_key_pem=self._private_key_pem,
algorithm=self.algorithm,
)
jwt_auth_signer._generate_claims = lambda aud: expected_claims
jwt_auth_signer.generate_jwt(expected_aud)
m_jwt_encode.assert_called_with(
expected_claims,
key=mock.ANY,
algorithm=self.algorithm,
headers={'kid': expected_key_id})
for name, args, kwargs in m_jwt_encode.mock_calls:
call_private_key = kwargs['key'].private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()
)
self.assertEqual(call_private_key, self._private_key_pem)
def create_token(issuer, audience, key_id, private_key, subject=None):
"""" returns a token based upon the supplied parameters. """
signer = atlassian_jwt_auth.create_signer(issuer,
key_id,
private_key,
subject=subject)
return signer.generate_jwt(audience)
def test__generate_claims(self):
""" tests that _generate_claims works as expected. """
expected_now = datetime.datetime(year=2001, day=1, month=1)
expected_audience = 'example_aud'
expected_iss = 'eg'
expected_key_id = 'eg/ex'
jwt_auth_signer = atlassian_jwt_auth.create_signer(
expected_iss,
expected_key_id,
self._private_key_pem)
jwt_auth_signer._now = lambda: expected_now
for additional_claims in [{}, {'extra': 'thing'}]:
expected_claims = {
'iss': expected_iss,
'exp': expected_now + datetime.timedelta(hours=1),
'iat': expected_now,
'aud': expected_audience,
'nbf': expected_now,
'sub': expected_iss,
}
expected_claims.update(additional_claims)
claims = jwt_auth_signer._generate_claims(
expected_audience,
additional_claims=additional_claims)
self.assertIsNotNone(claims['jti'])
del claims['jti']
self.assertEqual(claims, expected_claims)
def get_example_jwt_auth_signer(**kwargs):
""" returns an example jwt_auth_signer instance. """
issuer = kwargs.get('issuer', 'egissuer')
key_id = kwargs.get('key_id', '%s/a' % issuer)
key = kwargs.get(
'private_key_pem', get_new_rsa_private_key_in_pem_format())
algorithm = kwargs.get('algorithm', 'RS256')
return atlassian_jwt_auth.create_signer(
issuer, key_id, key, algorithm=algorithm)
def test_JWTAuth_make_authenticated_request(self):
"""Verify a valid Authorization header is added by JWTAuth"""
jwt_auth_signer = atlassian_jwt_auth.create_signer(
'issuer',
'issuer/key',
self._private_key_pem.decode(),
algorithm=self.algorithm)
auth = self.auth_cls(jwt_auth_signer, 'audience')
self.assert_authorization_header_is_valid(auth)
def test_JWTAuth_make_authenticated_request(self):
"""Verify a valid Authorization header is added by JWTAuth"""
jwt_auth_signer = atlassian_jwt_auth.create_signer(
'issuer',
'issuer/key',
self._private_key_pem.decode(),
algorithm=self.algorithm)
auth = JWTAuth(jwt_auth_signer, 'audience')
req = auth(Request())
self.assert_authorization_header_is_valid(req)
def get_example_jwt_auth_signer(**kwargs):
""" returns an example jwt_auth_signer instance. """
issuer = kwargs.get('issuer', 'egissuer')
key_id = kwargs.get('key_id', '%s/a' % issuer)
key = kwargs.get('private_key_pem',
get_new_rsa_private_key_in_pem_format())
algorithm = kwargs.get('algorithm', 'RS256')
return atlassian_jwt_auth.create_signer(issuer,
key_id,
key,
algorithm=algorithm)
def test_verify_jwt_with_key_identifier_not_starting_with_issuer(self):
""" tests that verify_jwt rejects a jwt if the key identifier does
not start with the claimed issuer.
"""
verifier = self._setup_jwt_auth_verifier(self._public_key_pem)
signer = atlassian_jwt_auth.create_signer(
'issuer', 'issuerx', self._private_key_pem.decode(),
algorithm=self.algorithm,
)
a_jwt = signer.generate_jwt(self._example_aud)
with self.assertRaisesRegexp(ValueError, 'Issuer does not own'):
verifier.verify_jwt(a_jwt, self._example_aud)
def setUp(self):
self._private_key_pem = self.get_new_private_key_in_pem_format()
self._public_key_pem = utils.get_public_key_pem_for_private_key_pem(
self._private_key_pem)
self._example_aud = 'aud_x'
self._example_issuer = 'egissuer'
self._example_key_id = '%s/a' % self._example_issuer
self._jwt_auth_signer = atlassian_jwt_auth.create_signer(
self._example_issuer,
self._example_key_id,
self._private_key_pem.decode(),
algorithm=self.algorithm)
def __call__(self, request):
kwargs = {'additional_claims': {}}
if self.sub is not None:
kwargs['additional_claims']['sub'] = self.sub
signer = atlassian_jwt_auth.create_signer(self.iss, self.kid,
self.private_key)
token = signer.generate_jwt(self.aud, **kwargs)
request.headers['Authorization'] = 'Bearer {}'.format(
token.decode('utf-8'))
return request
def test_create_jwt_auth_with_additional_claims(self):
""" Verify a Valid Authorization header is added by JWTAuth and
contains the additional claims when provided.
"""
jwt_auth_signer = atlassian_jwt_auth.create_signer(
'issuer',
'issuer/key',
self._private_key_pem.decode(),
algorithm=self.algorithm)
auth = self.auth_cls(jwt_auth_signer, 'audience',
additional_claims={'example': 'claim'})
token = self.assert_authorization_header_is_valid(auth)
self.assertEqual(token.get('example'), 'claim')
def setUp(self):
self._private_key_pem = self.get_new_private_key_in_pem_format()
self._public_key_pem = utils.get_public_key_pem_for_private_key_pem(
self._private_key_pem)
self._example_aud = 'aud_x'
self._example_issuer = 'egissuer'
self._example_key_id = '%s/a' % self._example_issuer
self._jwt_auth_signer = atlassian_jwt_auth.create_signer(
self._example_issuer,
self._example_key_id,
self._private_key_pem.decode(),
algorithm=self.algorithm
)
def test_verify_jwt_with_key_identifier_not_starting_with_issuer(self):
""" tests that verify_jwt rejects a jwt if the key identifier does
not start with the claimed issuer.
"""
verifier = self._setup_jwt_auth_verifier(self._public_key_pem)
signer = atlassian_jwt_auth.create_signer(
'issuer',
'issuerx',
self._private_key_pem.decode(),
algorithm=self.algorithm,
)
a_jwt = signer.generate_jwt(self._example_aud)
with self.assertRaisesRegexp(ValueError, 'Issuer does not own'):
verifier.verify_jwt(a_jwt, self._example_aud)
def test_generate_jwt(self, m_jwt_encode):
""" tests that generate_jwt works as expected. """
expected_aud = 'aud_x'
expected_claims = {'eg': 'ex'}
expected_key_id = 'key_id'
expected_issuer = 'a_issuer'
jwt_auth_signer = atlassian_jwt_auth.create_signer(
expected_issuer,
expected_key_id,
private_key_pem=self._private_key_pem,
algorithm=self.algorithm,
)
jwt_auth_signer._generate_claims = lambda aud: expected_claims
jwt_auth_signer.generate_jwt(expected_aud)
m_jwt_encode.assert_called_with(expected_claims,
key=self._private_key_pem,
algorithm=self.algorithm,
headers={'kid': expected_key_id})
def test_generate_jwt(self, m_jwt_encode):
""" tests that generate_jwt works as expected. """
expected_aud = 'aud_x'
expected_claims = {'eg': 'ex'}
expected_key_id = 'key_id'
expected_issuer = 'a_issuer'
jwt_auth_signer = atlassian_jwt_auth.create_signer(
expected_issuer,
expected_key_id,
private_key_pem=self._private_key_pem,
algorithm=self.algorithm,
)
jwt_auth_signer._generate_claims = lambda aud: expected_claims
jwt_auth_signer.generate_jwt(expected_aud)
m_jwt_encode.assert_called_with(
expected_claims,
key=self._private_key_pem,
algorithm=self.algorithm,
headers={'kid': expected_key_id})
def parse_config_file(asap_config_file):
"""
Parse ``asap_config_file`` JSON and return the signer.
:param str asap_config_file: Path to the ASAP config file.
:return: atlassian_jwt_auth.signer.JWTAuthSigner
:raises ExitStatus.PLUGIN_ERROR: Invalid config.
"""
config = None
try:
with open(asap_config_file) as f:
config = json.load(f)
except IOError:
fatal_plugin_error(
"file not readable: {}".format(asap_config_file))
except ValueError:
fatal_plugin_error(
"invalid JSON config: {}".format(asap_config_file))
if config and not isinstance(config, dict):
fatal_plugin_error(
"invalid JSON config (expected dict): {}".format(
asap_config_file))
try:
return (
atlassian_jwt_auth.create_signer(config["issuer"],
config["kid"],
config["privateKey"]),
config["audience"],
config.get("sub"),
)
except KeyError as e:
fatal_plugin_error("expected key in config file: {}".format(e))
def create_token(issuer, audience, key_id, private_key):
signer = atlassian_jwt_auth.create_signer(
issuer, key_id, private_key
)
return signer.generate_jwt(audience)
def create_jwt_auth(issuer, key_identifier, private_key_pem, audience):
"""Instantiate a JWTAuth while creating the signer inline"""
signer = atlassian_jwt_auth.create_signer(issuer, key_identifier,
private_key_pem)
return JWTAuth(signer, audience)
def create(cls, issuer, key_identifier, private_key_pem, audience,
**kwargs):
"""Instantiate a JWTAuth while creating the signer inline"""
signer = atlassian_jwt_auth.create_signer(issuer, key_identifier,
private_key_pem, **kwargs)
return cls(signer, audience)
def create_token(issuer, audience, key_id, private_key, subject=None):
signer = create_signer(issuer, key_id, private_key, subject=subject)
return signer.generate_jwt(audience)
def create_token(issuer, audience, key_id, private_key):
signer = create_signer(issuer, key_id, private_key)
return signer.generate_jwt(audience)
def create_jwt_auth(
issuer, key_identifier, private_key_pem, audience, **kwargs):
"""Instantiate a JWTAuth while creating the signer inline"""
signer = atlassian_jwt_auth.create_signer(issuer, key_identifier,
private_key_pem, **kwargs)
return JWTAuth(signer, audience)
