def test_parse_and_validate_valid_token_RSA():
    """A token from ``create_jwt()`` with default arguments validates against JWT_BUNDLE.

    The parsed SVID must expose the audience, SPIFFE ID, expiry and raw token
    exactly as the defaults that went into the JWT (presumably signed with the
    default RSA key, given the test name).
    """
    token = create_jwt()
    svid = JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire'])

    expected = (DEFAULT_AUDIENCE, DEFAULT_SPIFFE_ID, DEFAULT_EXPIRY, token)
    observed = (svid.audience, str(svid.spiffe_id), svid.expiry, svid.token)
    assert observed == expected
def test_parse_and_validate_invalid_missing_kid():
    """A ``kid`` header that is absent from the bundle's authorities is rejected.

    The raised AuthorityNotFoundError must name the missing key id, so an
    operator can tell which authority the bundle lacks.
    """
    unknown_kid = 'kid10'
    token = create_jwt(kid=unknown_kid)

    with pytest.raises(AuthorityNotFoundError) as exc_info:
        JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire'])

    expected_message = f'Key ({unknown_kid}) not found in authorities.'
    assert str(exc_info.value) == expected_message
def mock_client_get_jwt_svid(mocker):
    """Stub the Workload API ``FetchJWTSVID`` call on the shared client.

    Replaces the gRPC stub method with a Mock returning one JWTSVIDResponse
    that carries a locally created JWT for ``SPIFFE_ID``. Mutates the
    module-level WORKLOAD_API_CLIENT in place and returns nothing.
    """
    subject = str(SPIFFE_ID)
    token = create_jwt(spiffe_id=subject)

    svid_message = workload_pb2.JWTSVID(spiffe_id=subject, svid=token)
    response = workload_pb2.JWTSVIDResponse(svids=[svid_message])

    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.FetchJWTSVID = mocker.Mock(return_value=response)
def test_validate_jwt_svid_raise_error(mocker):
    """A failure inside the ValidateJWTSVID stub surfaces as ValidateJwtSvidError.

    The underlying exception's message is embedded in the client error so the
    caller still sees the original cause.
    """
    token = create_jwt()

    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.ValidateJWTSVID = mocker.Mock(side_effect=Exception('Mocked error'))

    with pytest.raises(ValidateJwtSvidError) as exc_info:
        WORKLOAD_API_CLIENT.validate_jwt_svid(token=token, audience='audience')

    assert str(exc_info.value) == 'JWT SVID is not valid: Mocked error.'
def test_fetch_jwt_svid_wrong_token(mocker):
    """A fetched JWT with an empty subject is rejected by the client.

    The stub hands back a token created with ``spiffe_id=''``; the client
    must raise FetchJwtSvidError naming the missing ``sub`` claim instead of
    returning an SVID without an identity.
    """
    bad_token = create_jwt(spiffe_id='')

    response = workload_pb2.JWTSVIDResponse(
        svids=[workload_pb2.JWTSVID(svid=bad_token)])
    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.FetchJWTSVID = mocker.Mock(return_value=response)

    with pytest.raises(FetchJwtSvidError) as exc_info:
        WORKLOAD_API_CLIENT.fetch_jwt_svid(audiences=DEFAULT_AUDIENCE)

    expected_message = 'Error fetching JWT SVID: Missing required claim: sub.'
    assert str(exc_info.value) == expected_message
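def test_parse_and_validate_valid_token_EC():
    """A token signed with an EC key validates against a bundle holding its public key.

    RFC 7518 defines ES512 as ECDSA over the P-521 curve with SHA-512, so the
    signing key is generated on SECP521R1 — the same curve/alg pairing used by
    test_parse_and_validate_valid_token_multiple_keys_bundle — rather than on
    a curve that does not match the declared ``alg``.
    """
    ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend())
    jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN,
                           {'kid_ec': ec_key.public_key()})

    ec_key_pem, _ = get_keys_pems(ec_key)
    token = create_jwt(ec_key_pem, 'kid_ec', alg='ES512')

    jwt_svid = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
    assert jwt_svid.audience == DEFAULT_AUDIENCE
    assert str(jwt_svid.spiffe_id) == DEFAULT_SPIFFE_ID
    assert jwt_svid.expiry == DEFAULT_EXPIRY
    assert jwt_svid.token == token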
def test_fetch_jwt_svid_wrong_token(mocker):
    """A JWT with an empty subject delivered via the stub makes fetch_jwt_svid fail.

    The stub returns an iterator over a single JWTSVIDResponse (presumably the
    streaming shape of the call) whose token was created with an empty
    ``spiffe_id``; the client error message must start with the generic
    fetch prefix.
    """
    empty_subject = ''
    bad_token = create_jwt(spiffe_id=empty_subject)

    response = workload_pb2.JWTSVIDResponse(
        svids=[workload_pb2.JWTSVID(svid=bad_token)])
    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.FetchJWTSVID = mocker.Mock(return_value=iter([response]))

    with pytest.raises(FetchJwtSvidError) as exc_info:
        WORKLOAD_API_CLIENT.fetch_jwt_svid(audiences=DEFAULT_AUDIENCE)

    assert str(exc_info.value).startswith('Error fetching JWT SVID')
def test_parse_and_validate_invalid_kid_mismatch():
    """A ``kid`` that is known but bound to a different key than the signer is rejected.

    The bundle maps 'kid10' to a freshly generated RSA public key, while the
    token (minted by ``create_jwt`` with its default signing key, presumably
    DEFAULT_KEY) only claims that kid. The lookup succeeds, so the failure
    must come from signature verification, not from a missing authority.
    """
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    authorities = {
        'kid1': DEFAULT_KEY.public_key(),
        'kid10': other_key.public_key(),
    }
    jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN, authorities)
    token = create_jwt(kid='kid10')

    with pytest.raises(InvalidTokenError) as exc_info:
        JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])

    assert str(exc_info.value) == 'Signature verification failed.'
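def test_fetch_jwt_svid_aud(mocker):
    """fetch_jwt_svid returns an SVID whose fields mirror the stubbed token.

    Checks the SPIFFE ID, the raw token, the ``aud`` claim and that the expiry
    lies in the future. The reference time is an aware UTC datetime:
    ``datetime.utcnow()`` is deprecated since Python 3.12, and
    ``timegm(...utctimetuple())`` yields the same epoch seconds for an aware
    UTC value as it did for the naive one.
    """
    spiffe_id = 'spiffe://test.com/my_service'
    jwt_svid = create_jwt(spiffe_id=spiffe_id)

    response = workload_pb2.JWTSVIDResponse(
        svids=[workload_pb2.JWTSVID(svid=jwt_svid)])
    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.FetchJWTSVID = mocker.Mock(return_value=response)

    svid = WORKLOAD_API_CLIENT.fetch_jwt_svid(audiences=DEFAULT_AUDIENCE)
    now_utc = datetime.datetime.now(datetime.timezone.utc)
    utc_time = timegm(now_utc.utctimetuple())

    assert svid.spiffe_id == SpiffeId.parse(spiffe_id)
    assert svid.token == jwt_svid
    assert svid.claims['aud'] == DEFAULT_AUDIENCE
    assert int(svid.expiry) > utc_time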
def test_parse_and_validate_valid_token_multiple_keys_bundle():
    """Tokens signed by either authority of a two-key bundle both validate.

    The bundle holds DEFAULT_KEY's public key under 'kid_rsa' and a P-521 EC
    public key under 'kid_ec'. One token is minted against each kid and the
    parsed SVID must reflect the default audience, SPIFFE ID and expiry plus
    the raw token it was built from.
    """
    ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend())
    authorities = {
        'kid_rsa': DEFAULT_KEY.public_key(),
        'kid_ec': ec_key.public_key(),
    }
    jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN, authorities)
    ec_key_pem, _ = get_keys_pems(ec_key)

    def assert_parses(token):
        # Same four checks for both signers; only the key behind the kid differs.
        svid = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire'])
        assert svid.audience == DEFAULT_AUDIENCE
        assert str(svid.spiffe_id) == DEFAULT_SPIFFE_ID
        assert svid.expiry == DEFAULT_EXPIRY
        assert svid.token == token

    assert_parses(create_jwt(ec_key_pem, kid='kid_ec', alg='ES512'))
    assert_parses(create_jwt(kid='kid_rsa'))
def test_validate_jwt_svid(mocker):
    """validate_jwt_svid builds an SVID from the token once the stub accepts it.

    The stub answers with a ValidateJWTSVIDResponse carrying only the SPIFFE
    ID; the returned SVID must carry that ID, the original token, and the
    single-element audience list in both ``claims['aud']`` and ``audience``.
    """
    audience = 'spire'
    spiffe_id = 'spiffe://test.com/my_service'
    token = create_jwt(audience=[audience], spiffe_id=spiffe_id)

    response = workload_pb2.ValidateJWTSVIDResponse(spiffe_id=spiffe_id)
    stub = WORKLOAD_API_CLIENT._spiffe_workload_api_stub
    stub.ValidateJWTSVID = mocker.Mock(return_value=response)

    svid = WORKLOAD_API_CLIENT.validate_jwt_svid(token=token, audience=audience)

    assert svid.spiffe_id == SpiffeId.parse(spiffe_id)
    assert svid.token == token
    assert svid.claims['aud'] == [audience]
    assert svid.audience == [audience]
def test_parse_and_validate_invalid_missing_sub():
    """A token created with an empty SPIFFE ID fails validation.

    The failure is an InvalidTokenError whose message states that the SPIFFE
    ID may not be empty.
    """
    empty_sub_token = create_jwt(spiffe_id='')

    with pytest.raises(InvalidTokenError) as exc_info:
        JwtSvid.parse_and_validate(empty_sub_token, JWT_BUNDLE, ['spire'])

    assert str(exc_info.value) == 'SPIFFE ID cannot be empty.'