def genToken(appid):
exp = datetime.datetime.utcnow() + datetime.timedelta(minutes=10)
exp = calendar.timegm(exp.timetuple())
message = {
'iat': int(time.time()),
'exp': exp,
'iss': 41287,
}
signing_key = get_key()
jwt = JWT()
compact_jws = jwt.encode(message, signing_key, 'RS256')
data = {
'Authorization': f'Bearer {compact_jws}',
'Accept': 'application/vnd.github.machine-man-preview+json'
}
r = requests.post(
url=f"https://api.github.com/app/installations/{appid}/access_tokens",
headers=data)
data = r.json()
token = data["token"]
return token
def _oauth_validation(cls):
cert_url = config.get("connect_token_cert")
if request.httprequest.method == "GET":
mode = "read"
if request.httprequest.method == "POST":
mode = "write"
# Get public certificate of issuer for token validation
try:
token_data = request.httprequest.headers.get("Authorization")
access_token = token_data.split()[1]
_logger.info("Received access token: %s", access_token)
cert = requests.get(cert_url)
key_json = cert.json()["keys"][0]
except (ValueError, AttributeError):
# If any error occurs during token and certificate retrieval,
# we put a wrong certificate, and jwt library will fail
# to decrypt the token, leading to unauthorized error.
key_json = {}
public_key = jwk.RSAJWK.from_dict(key_json)
jwt_decoded = JWT().decode(
access_token, key=public_key, algorithms=["RS256"], do_verify=True
)
# validation
# is scope read or write in scopes ?
scope = jwt_decoded.get("scope")
if scope and mode not in scope:
raise Unauthorized()
client_id = jwt_decoded.get("client_id") or jwt_decoded.get("ClientID")
_logger.info("TOKEN CLIENT IS -----------------> " + client_id)
return client_id
def _create_jwt(project_id, private_key, algorithm):
"""Creates a JWT (https://jwt.io) to establish an MQTT connection.
Args:
project_id: The cloud project ID this device belongs to
private_key: A path to a file containing either an RSA256 or
ES256 private key.
algorithm: The encryption algorithm to use. Either 'RS256' or 'ES256'
Returns:
A JWT generated from the given project_id and private key, which
expires in 20 minutes. After 20 minutes, your client will be
disconnected, and a new JWT will have to be generated.
Raises:
ValueError: If the private_key does not contain a known key.
"""
token = {
'iat': datetime.datetime.utcnow(),
'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=60),
'aud': project_id
}
with open(private_key, 'r') as key_file:
private_key_contents = key_file.read()
return JWT().encode(token, private_key_contents, algorithm)
def jwt_for_user(user):
init = time.time()
exp = datetime.now() + timedelta(hours=3)
exp = time.mktime(exp.timetuple())
message = {'iss': 'dc_games', 'sub': user.id, 'iat': init, 'exp': exp}
jwt = JWT()
return jwt.encode(message, jwt_key_priv, 'RS256'), exp
def token_validate(jwt):
# create jwt instance and get all daily public keys
jwt_object = JWT()
pub_keys = get_microsoft_pub_keys()
# get kid from header in jwt
real_kid = get_kid(jwt)
# default username and dec_msg
username = None
dec_msg = ValidationMsg.NO_KEY_FOUND
# check every public key looking for one used for signing this jwt
for p_key in pub_keys.get('keys'):
if p_key.get('kid') == real_kid:
# assemble jwk
jwk_dict = {
'kty': p_key['kty'],
'e': p_key['e'],
'n': p_key['n']
}
jwk = jwk_from_dict(jwk_dict)
try:
# perform decoding of the jwt while verifying integrity, authenticity and expiration
dec_payload = jwt_object.decode(jwt, jwk, do_time_check=True)
dec_msg = ValidationMsg.SUCCESS
username = dec_payload['preferred_username']
except:
# an error occurred while validating the jwt
dec_msg = ValidationMsg.FAILED
return username, dec_msg
def genToken(appid):
import json
import datetime
import time
import calendar
import requests
from jwt import (
JWT,
jwk_from_pem,
)
exp = datetime.datetime.utcnow() + datetime.timedelta(minutes=10)
exp = calendar.timegm(exp.timetuple())
message = {
'iat': int(time.time()),
'exp': exp,
'iss': 39888,
}
with open('now-deploy.pem', 'rb') as fh:
signing_key = jwk_from_pem(fh.read())
jwt = JWT()
compact_jws = jwt.encode(message, signing_key, 'RS256')
data = {
'Authorization': f'Bearer {compact_jws}',
'Accept': 'application/vnd.github.machine-man-preview+json'
}
r = requests.post(
url=f"https://api.github.com/app/installations/{appid}/access_tokens",
headers=data)
data = r.json()
token = data["token"]
return token
def decorated_function(*args, **kwargs):
token = request.headers.get('token')
responseUnauthorized = make_response(jsonify({
'status': 'ng',
'data': {}
}), 401)
if token == None:
#Return unauthorize response
return responseUnauthorized
try:
with open('rsa_public_key.pem', 'rb') as fh:
verifying_key = jwk_from_pem(fh.read())
jwt = JWT()
data = jwt.decode(token, verifying_key)
logging.info(data)
user_id = data['data']['user_id']
user = User.query.filter_by(id = user_id).first()
user = user_schema.dump(user).data
if user == {}:
return responseUnauthorized
request.user = user
except:
#Return unauthorize response
return responseUnauthorized
return f(*args, **kwargs)
def verify_token(token):
jwt = JWT()
with open('public.pem', 'rb') as fh:
public_key = jwk_from_pem(fh.read())
payload = jwt.decode(token, public_key)
return payload
def sign_in():
if request.method == "GET":
if get_jwt():
return redirect(url_for("videos"))
else:
return template("sign_in.html")
if request.method == "POST":
# Maybe use an actual db here? idk lol
conn = sqlite3.connect(":memory:")
c = conn.cursor()
c.execute("CREATE TABLE users (username char, password char, privilege int)")
c.execute("INSERT INTO users (username, password, privilege) VALUES ('Harry', 'P@ssw0rd123!s%dgyASD', 1);")
c.execute("INSERT INTO users (username, password, privilege) VALUES ('John', 'cr1k3yth4ts4l0ngp4ss', 1);")
c.execute("INSERT INTO users (username, password, privilege) VALUES ('Dave', 'p3rf3ct1nfr4structre', 1);")
c.execute(f"SELECT * FROM users WHERE username = '******'user']}' AND password = '******'pass']}';")
res = c.fetchall()
if len(res) == 0:
return template("sign_in.html", error="Invalid username / password.")
if len(res) > 1:
return template("sign_in.html", error="Attempting to login as more than one user!??")
key = jwk.OctetJWK(bytes(JWT_SECRET, "utf-8"))
jwt = JWT()
jwt = jwt.encode({"user": res[0][0], "privilege": res[0][2]}, key, 'HS256')
resp = make_response(redirect(url_for("videos")))
resp.set_cookie("auth", jwt)
return resp
def is_token_valid(token: str):
"""Checks whether a given JWT is valid"""
verifying_key = get_public_key()
try:
parsed_token = JWT().decode(token, verifying_key)
return int(parsed_token['exp']) > time.time()
except JWTDecodeError:
return False
def __init__(self):
self.__instance = JWT()
self.__algorithm = "RS256"
with open(get_root() + 'rsa_private.pem', 'rb') as fh:
self.__signing_key = jwk_from_pem(fh.read())
with open(get_root() + 'rsa_public.pem', 'rb') as fh:
self.__verifying_key = jwk_from_pem(fh.read())
def index():
access_token = oidc.get_access_token()
if access_token != None:
jwt = JWT()
info = jwt.decode(access_token, do_verify=False)
return jsonify(info)
else:
return "uh oh"
def check_jwt_token(self, value):
obj = JWT()
data = None
try:
data = obj.decode(value, key=self.verifying_key)
except Exception as e:
print(e)
return data
def _oauth_validation(cls):
cert_url = config.get("connect_token_cert")
if request.httprequest.method == "GET":
mode = "read"
elif request.httprequest.method == "POST":
mode = "write"
else:
mode = None
# We iterate over the various certificates provider
found_right_certificate = False
jwt_decoded = None
for one_cert_url in cert_url.split(','):
one_cert_url = one_cert_url.strip()
access_token = None
# Get public certificate of issuer for token validation
try:
token_data = request.httprequest.headers.get("Authorization")
access_token = token_data.split()[1]
cert = requests.get(one_cert_url)
keys_json = cert.json()["keys"]
except (ValueError, AttributeError):
# If any error occurs during token and certificate retrieval,
# we put a wrong certificate, and jwt library will fail
# to decrypt the token, leading to unauthorized error.
keys_json = []
for key_json in keys_json:
try:
public_key = jwk.RSAJWK.from_dict(key_json)
jwt_decoded = JWT().decode(
access_token, key=public_key, algorithms={"RS256"}, do_verify=True
)
except JWTDecodeError:
continue
# If we did not encounter an error before, it means the certificate allowed to correctly decode the
# access token so we hopefully found a matching certificate
if jwt_decoded:
found_right_certificate = True
break
if found_right_certificate:
break
if not found_right_certificate:
raise Unauthorized()
# validation
# is scope read or write in scopes ?
scope = jwt_decoded.get("scope")
if scope and mode not in scope:
raise Unauthorized()
client_id = jwt_decoded.get("client_id") or jwt_decoded.get("ClientID")
return client_id
def gen_jwt_token(self, user):
token_dict = {
'username': user.username,
'phone': user.telephone,
'exp': time.time() + 24 * 3600,
'iat': time.time()
}
obj = JWT()
token = obj.encode(token_dict, key=self.verifying_key)
return token
def get_exp(token):
jwt = JWT()
keys_cache = KeyCache(OAUTH_PROVIDERS, datetime.timedelta(minutes=10))
keys = keys_cache.get_keys()
for key in keys:
try:
user_info = jwt.decode(token, key['key'])
return datetime.datetime.utcfromtimestamp(user_info['exp'])
except Exception as e: # todo catch only corresponding exceptions here
pass
return None
def validate_access_token(self):
error = ""
instance = JWT()
for key in self._openid_conf["signing_keys"]:
try:
# Validate token and return claims
verifying_key = jwk_from_dict(key)
return instance.decode(
self.token["access_token"], verifying_key, do_time_check=True
)
except JWTDecodeError as exc:
error = str(exc)
raise OAuth2Error(error)
def get_jwt():
if "auth" not in request.cookies:
return False
jwt = JWT()
try:
if "none" not in base64.urlsafe_b64decode(request.cookies["auth"].split(".")[0] + "========").decode("utf-8").lower():
msg = jwt.decode(request.cookies["auth"], jwk.OctetJWK(bytes(JWT_SECRET, "utf-8")))
else:
msg = json.loads(base64.urlsafe_b64decode(request.cookies["auth"].split(".")[1] + "========").decode("utf-8"))
except Exception as e:
print(e)
return False
return msg
def get_jwt(subject, name, issuer) -> str:
ident = {
'sub': subject,
'name': name,
'iss': issuer,
'iat': get_int_from_datetime(datetime.now(timezone.utc)),
}
signing_key = get_signing_key()
instance = JWT()
return instance.encode(ident, signing_key, alg='RS256')
def get_jwt(pem):
# Encodes and returns JWT
from jwt import JWT, jwk_from_pem
payload = {
"iat": int(time.time()),
"exp": int(time.time()) + (10 * 60),
"iss": os.environ.get("APP_ID"),
}
jwt = JWT()
return jwt.encode(payload, jwk_from_pem(pem), "RS256")
def generate_jwt_token(private_key):
current_time = int(time.time())
return JWT().encode(
{
# Issued at time
'iat': current_time,
# JWT expiration time (10 minute maximum)
'exp': current_time + 10 * 60,
# GitHub app identifier
'iss': 94194,
},
private_key,
alg='RS256')
def get_token():
os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = "1"
# Open a web-browser for OAuth Login to Microsoft Online
oauth = OAuth2Session(
client_id="b36b1432-1a1c-4c82-9b76-24de1cab42f2",
redirect_uri="urn:ietf:wg:oauth:2.0:oob",
)
authorization_url, state = oauth.authorization_url(
url="https://login.microsoftonline.com/common/oauth2/authorize",
resource="https://meeservices.minecraft.net",
)
webbrowser.open(authorization_url)
print(
"Your browser will open to log into the system. Once done it will then try to open an invalid URL beginning with:"
)
print(" urn:ietf:wg:oauth:2.0:oob?code=")
print(
"Please copy and paste that entire URL below. In Chrome you should right click the message box and choose 'copy full text"
)
print(
"which will grab all the text. You can use this as well as we will ignore the message text"
)
print("\n\n")
while True:
authorization_response = re.search(
"urn[^ ]+", input('Enter the full url (or text): ')).group(0)
if ".." in authorization_response:
print(
"You have provided a shortened response. Try right clicking the message box and choosing 'copy full text' "
)
continue
break
token = oauth.fetch_token(
token_url="https://login.microsoftonline.com/common/oauth2/token",
authorization_response=authorization_response,
include_client_id=True,
)
# Get Tenant ID from access_token
access = JWT().decode(token["access_token"],
do_verify=False,
do_time_check=False)
return access["tid"], token["refresh_token"]
def get_auth_header(installation_id, priv_key):
payload = {"iss": 6166,
"iat": int(time.time()),
"exp": int(time.time()) + 300}
jwt = JWT()
token = jwt.encode(payload, priv_key, 'RS256')
# url = "https://api.github.com/app"
url = "https://api.github.com/installations/%s/access_tokens" % installation_id
headers = {'Accept': 'application/vnd.github.machine-man-preview+json',
'Authorization': 'Bearer ' + token}
r = requests.post(url, headers=headers)
ret_headers = {"Authorization": "token " + r.json()["token"],
"Accept": "application/vnd.github.machine-man-preview+json"}
return ret_headers
def get_system_user_ticket(self, sys_token, context_id):
"""
returns Ticket credential string.
Attributes
----------
sys_token : str
the tenant-specific system user token.
context_id : str
the customer identifier, i.e. Cust12345.
"""
time_utc = datetime.utcnow()
time_formatted = datetime.strftime(time_utc, "%Y%m%d%H%M")
system_token = sys_token + '.' + time_formatted
key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.private_key)
signature = crypto.sign(key, system_token, 'sha256')
signed_system_token = system_token + "." + \
b64encode(signature).decode('UTF-8')
headers = OrderedDict([('ApplicationToken', self.application_token),
('ContextIdentifier', context_id)])
client = Client('file:%s' % self.wsdl_path)
client.set_options(soapheaders=headers)
client.set_options(
location='https://{env}.superoffice.com/{endpoint}'.format(
env=self.environment, endpoint=self.login_endpoint))
token_type = client.factory.create('TokenType')['Jwt']
response = client.service.Authenticate(signed_system_token, token_type)
if response.IsSuccessful == True:
jwt_token = response.Token
print('Reponse: ' + str(response))
jwt = JWT()
jwksResponse = requests.get(
'https://{env}.superoffice.com/login/.well-known/jwks'.format(
env=self.environment))
jwks = json.loads(jwksResponse.text)
verifying_key = jwk_from_dict(jwks['keys'][0])
message_received = jwt.decode(jwt_token, verifying_key)
return str(message_received[
'http://schemes.superoffice.net/identity/ticket'])
return 'Failed!'
def verify_token(token):
region = 'eu-west-2'
userpool_id = 'eu-west-2_6Mn0M2i9C'
keys_url = 'https://cognito-idp.{}.amazonaws.com/{}/.well-known/jwks.json'.format(
region, userpool_id)
response = requests.get(keys_url).json()
try:
for key in response["keys"]:
verifying_key = jwk_from_dict(key)
jwt = JWT()
return jwt.decode(token, verifying_key)
except Exception as e:
print(e)
return None
def loadCredentials(config):
if not config["tokenfile"]:
quit("You have to provide a token file.")
logging.CRITICAL("You have to provide a token file.")
else:
logging.debug(f"Reading token info from: <{config['tokenfile']}>")
with open(config["tokenfile"], "r") as f:
token = json.load(f)
config["access_token"] = token["access_token"]
config["refresh_token"] = token["refresh_token"]
token = JWT()
decoded_token = token.decode(config["access_token"],
do_verify=False,
algorithms="HS256")
config["user_id"] = decoded_token["user_id"]
def generate_token(self):
jwt = JWT()
# Generate the JWT
payload = {
# issued at time
'iat': int(time.time()),
# JWT expiration time (10 minute maximum)
'exp': int(time.time()) + self.expiration,
# GitHub App's identifier
'iss': self.iss
}
token = jwt.encode(payload, self.key, 'RS256')
return token
def _get_jwt(self):
""" This creates a JWT that can be used to retrieve an authentication
token for the Github app."""
jwt = JWT()
now = int(time.time())
payload = {
"iat": now,
"exp": now + (60),
"iss": self.noisepage_repo_client.app_id
}
private_key = jwk_from_pem(str.encode(self.private_key))
return {
"jwt": jwt.encode(payload, private_key, alg='RS256'),
"exp": payload.get('exp')
}
def make_sign_api_signature_upload_request(auth_method, access_token, digest,
algorithm):
jwt_client = JWT()
signing_base_url = get_signing_base_path(auth_method)
# patch for RSS support whilst requirements for local signing and RSS are different
# todo: remove this logic once they are aligned
if auth_method == "cis2":
pem = DEMO_APP_LOCAL_SIGNING_PRIVATE_KEY.encode("utf-8")
sub = DEMO_APP_CLIENT_ID
iss = DEMO_APP_CLIENT_ID
kid = DEMO_APP_KEY_ID
else: # always 'simulated' (this will only support RSS Windows/IOS, smartcard simulated auth will fail as JWTs are different)
pem = DEMO_APP_REMOTE_SIGNING_PRIVATE_KEY.encode("utf-8")
sub = DEMO_APP_REMOTE_SIGNING_SUBJECT
iss = DEMO_APP_REMOTE_SIGNING_ISSUER
kid = DEMO_APP_REMOTE_SIGNING_KID
signing_key = jwk_from_pem(pem)
jwt_request = jwt_client.encode(
{
"sub": sub,
"iss": iss,
"aud": signing_base_url,
"iat": time.time(),
"exp": time.time() + 600,
"payload": digest,
"algorithm": algorithm,
},
signing_key,
alg="RS512",
optional_headers={"kid": kid},
)
print("Sending Signing Service signature upload request...")
print(jwt_request)
return httpx.post(
f"{signing_base_url}/signaturerequest",
headers={
"Content-Type": "text/plain",
"Authorization": f"Bearer {access_token}"
},
data=jwt_request,
verify=False,
).json()
def compute_jwt_token(log,
private_file,
jwt_token_template=JWT_TEMPLATE,
max_timeout_hours=DEFAULT_EXPIRE_TIME):
jwt_token_template["exp"] = expires_timestamp(max_timeout_hours)
fp_private_file = os.path.realpath(private_file)
log.info("Opening private file: " + fp_private_file)
log.debug("JWT: " + json.dumps(jwt_token_template))
jwt_token = "not-calculated"
jwt_obj = JWT()
with open(fp_private_file, "r", encoding="UTF-8") as priv_file_pointer:
priv_key = jwk_from_pem(priv_file_pointer.read().encode())
jwt_token = jwt_obj.encode(jwt_token_template, priv_key, 'RS256')
log.debug("Calculated JWT token: " + str(jwt_token))
return jwt_token
return jwt_token
