Exemplo n.º 1
0
def test_parse_and_validate_invalid_parameters(test_input_token,
                                               test_input_jwt_bundle,
                                               test_input_audience, expected):
    with pytest.raises(ArgumentError) as exception:
        JwtSvid.parse_and_validate(test_input_token, test_input_jwt_bundle,
                                   test_input_audience)
    assert str(exception.value) == expected
Exemplo n.º 2
0
def test_parse_and_validate_invalid_missing_kid():
    key_id = 'kid10'
    token = create_jwt(kid=key_id)

    with pytest.raises(AuthorityNotFoundError) as exception:
        JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire'])
    assert str(
        exception.value) == 'Key (' + key_id + ') not found in authorities.'
Exemplo n.º 3
0
def test_parse_and_validate_invalid_kid_mismatch():
    rsa_key2 = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwt_bundle = JwtBundle(
        DEFAULT_TRUST_DOMAIN,
        {
            'kid1': DEFAULT_KEY.public_key(),
            'kid10': rsa_key2.public_key()
        },
    )
    token = create_jwt(kid='kid10')

    with pytest.raises(InvalidTokenError) as exception:
        JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
    assert str(exception.value) == 'Signature verification failed.'
Exemplo n.º 4
0
def test_parse_and_validate_valid_token_RSA():
    token = create_jwt()
    jwt_svid = JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire'])
    assert jwt_svid.audience == DEFAULT_AUDIENCE
    assert str(jwt_svid.spiffe_id) == DEFAULT_SPIFFE_ID
    assert jwt_svid.expiry == DEFAULT_EXPIRY
    assert jwt_svid.token == token
Exemplo n.º 5
0
    def validate_jwt_svid(self, token: str, audience: str) -> JwtSvid:
        """Validates the JWT-SVID token. The parsed and validated JWT-SVID is returned.

        Args:
            token: JWT to validate.
            audience: Audience to validate against.

        Returns:
            JwtSvid: If the token and audience could be validated.

        Raises:
            ArgumentError: In case token or audience is empty.
            ValidateJwtSvidError: In case an error occurs calling the Workload API or
                                in case the response from the Workload API cannot be processed.
        """
        if not token:
            raise ArgumentError('Token cannot be empty')
        if not audience:
            raise ArgumentError('Audience cannot be empty')

        self._spiffe_workload_api_stub.ValidateJWTSVID(
            request=workload_pb2.ValidateJWTSVIDRequest(
                audience=audience,
                svid=token,
            ))

        return JwtSvid.parse_insecure(token, [audience])
Exemplo n.º 6
0
    def fetch_jwt_svid(self,
                       audiences: List[str],
                       subject: Optional[SpiffeId] = None) -> JwtSvid:
        """Fetches a SPIFFE JWT-SVID.

        Args:
            audiences: List of audiences for the JWT SVID.
            subject: SPIFFE ID subject for the JWT.

        Returns:
            JwtSvid: Instance of JwtSvid object.
        Raises:
            ArgumentError: In case audience is empty.
            FetchJwtSvidError: In case there is an error in fetching the JWT-SVID from the Workload API.
        """
        if not audiences:
            raise ArgumentError('Parameter audiences cannot be empty')

        response = self._spiffe_workload_api_stub.FetchJWTSVID(
            request=workload_pb2.JWTSVIDRequest(
                audience=audiences,
                spiffe_id=str(subject),
            ))

        if len(response.svids) == 0:
            raise FetchJwtSvidError('JWT SVID response is empty')

        svid = response.svids[0].svid
        return JwtSvid.parse_insecure(svid, audiences)
Exemplo n.º 7
0
    def validate_jwt_svid(self, token: str, audience: str) -> JwtSvid:
        """Validates the JWT-SVID token. The parsed and validated JWT-SVID is returned.

        Args:
            token: JWT to validate.
            audience: Audience to validate against.

        Returns:
            JwtSvid: If the token and audience could be validated.
            ArgumentError: In case token or audience is empty.
        """
        if not token:
            raise ArgumentError('Token cannot be empty')
        if not audience:
            raise ArgumentError('Audience cannot be empty')

        try:
            request = workload_pb2.ValidateJWTSVIDRequest(
                audience=audience,
                svid=token,
            )

            self._spiffe_workload_api_stub.ValidateJWTSVID(request)
        except Exception as e:
            raise ValidateJwtSvidError(str(e))

        return JwtSvid.parse_insecure(token, [audience])
Exemplo n.º 8
0
def test_parse_and_validate_valid_token_EC():
    ec_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
    jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN,
                           {'kid_ec': ec_key.public_key()})

    ec_key_pem, _ = get_keys_pems(ec_key)
    token = create_jwt(ec_key_pem, 'kid_ec', alg='ES512')
    jwt_svid = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
    assert jwt_svid.audience == DEFAULT_AUDIENCE
    assert str(jwt_svid.spiffe_id) == DEFAULT_SPIFFE_ID
    assert jwt_svid.expiry == DEFAULT_EXPIRY
    assert jwt_svid.token == token
Exemplo n.º 9
0
def test_parse_and_validate_valid_token_multiple_keys_bundle():
    ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend())
    jwt_bundle = JwtBundle(
        DEFAULT_TRUST_DOMAIN,
        {
            'kid_rsa': DEFAULT_KEY.public_key(),
            'kid_ec': ec_key.public_key()
        },
    )
    ec_key_pem, _ = get_keys_pems(ec_key)

    token = create_jwt(ec_key_pem, kid='kid_ec', alg='ES512')
    jwt_svid1 = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
    assert jwt_svid1.audience == DEFAULT_AUDIENCE
    assert str(jwt_svid1.spiffe_id) == DEFAULT_SPIFFE_ID
    assert jwt_svid1.expiry == DEFAULT_EXPIRY
    assert jwt_svid1.token == token

    token2 = create_jwt(kid='kid_rsa')
    jwt_svid2 = JwtSvid.parse_and_validate(token2, jwt_bundle, ['spire'])
    assert jwt_svid2.audience == DEFAULT_AUDIENCE
    assert str(jwt_svid2.spiffe_id) == DEFAULT_SPIFFE_ID
    assert jwt_svid2.expiry == DEFAULT_EXPIRY
    assert jwt_svid2.token == token2
Exemplo n.º 10
0
    def fetch_jwt_svid(self,
                       audiences: List[str],
                       subject: Optional[SpiffeId] = None) -> JwtSvid:
        """Fetches a SPIFFE JWT-SVID.

        Args:
            audiences: List of audiences for the JWT SVID.
            subject: SPIFFE ID subject for the JWT.

        Returns:
            JwtSvid: Instance of JwtSvid object.
        Raises:
            ArgumentError: In case audience is empty.
            FetchJwtSvidError: In case there is an error in fetching the JWTSVID from the Workload API.
        """
        if not audiences:
            raise ArgumentError('Parameter audiences cannot be empty')
        try:
            response = self._call_fetch_jwt_svids(audiences, str(subject))
            svid = response.svids[0].svid
            return JwtSvid.parse_insecure(svid, audiences)
        except JwtSvidError as e:
            raise FetchJwtSvidError(str(e))
Exemplo n.º 11
0
def test_invalid_input_parse_insecure(test_input_token, test_input_audience, expected):
    with pytest.raises(ValueError) as exception:
        JwtSvid.parse_insecure(test_input_token, test_input_audience)

    assert str(exception.value) == expected
Exemplo n.º 12
0
def test_valid_parse_insecure(test_input_token, test_input_audience, expected):
    result = JwtSvid.parse_insecure(test_input_token, test_input_audience)
    assert result.token == test_input_token
    assert str(result.spiffeId) == expected
Exemplo n.º 13
0
def test_invalid_token_parse_insecure(test_input_token, test_input_audience):
    with pytest.raises(InvalidTokenError):
        JwtSvid.parse_insecure(test_input_token, test_input_audience)
Exemplo n.º 14
0
def test_parse_and_validate_invalid_missing_sub():
    token = create_jwt(spiffe_id='')

    with pytest.raises(InvalidTokenError) as exception:
        JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire'])
    assert str(exception.value) == 'SPIFFE ID cannot be empty.'