def test_jwt_does_not_contain_header_at_all(self):
token_without_header = "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(token_without_header)
self.assertIn("Missing Headers", ite.exception.value)
def test_signature_corrupt(self):
jwt = jwtio_header + "." + jwtio_payload + ".asdasddas"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("DecodeError", ite.exception.value)
def test_header_corrupt(self):
jwt = "asdsadsa" + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Corrupted Header", ite.exception.value)
def test_jwt_does_not_contain_signature(self):
jwt = jwtio_header + "." + jwtio_payload + ".e30"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Signature verification failed", ite.exception.value)
def test_payload_contains_corrupted_json(self):
payload = base64.urlsafe_b64encode(b'{"user":"******","iat": "1454935765","exp": "2075297148"}ABDCE')
jwt = jwtio_header + "." + payload.decode() + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("DecodeError", ite.exception.value)
def test_signature_corrupt(self):
jwt = jwtio_header + "." + jwtio_payload + ".asdasddas"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("DecodeError", ite.exception.value)
def test_jwt_does_not_contain_signature(self):
jwt = jwtio_header + "." + jwtio_payload + ".e30"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Signature verification failed", ite.exception.value)
def test_jwt_does_not_contain_header_at_all(self):
token_without_header = "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(token_without_header)
self.assertIn("Missing Headers", ite.exception.value)
def test_authentication_tag_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=b'adssadsadsadsadasdasdasads')
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
def flush_data():
if session:
session.clear()
encrypted_token = request.args.get('token')
if encrypted_token is None:
return Response(status=403)
decoder = JWTDecryptor(
current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY'],
current_app.config['EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD'],
current_app.config['EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY'],
)
decrypted_token = decoder.decrypt_jwt_token(
encrypted_token,
current_app.config['EQ_JWT_LEEWAY_IN_SECONDS'],
)
roles = decrypted_token.get('roles')
if roles and 'flusher' in roles:
user = _get_user(decrypted_token)
if _submit_data(user):
return Response(status=200)
else:
return Response(status=404)
else:
return Response(status=403)
def test_header_corrupt(self):
jwt = "asdsadsa" + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Corrupted Header", ite.exception.value)
def test_signature_not_2048_bits(self):
jwt = jwtio_header + "." + jwtio_payload + "." + base64.urlsafe_b64encode(os.urandom(255)).decode()
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Signature verification", ite.exception.value)
def test_signature_not_2048_bits(self):
jwt = jwtio_header + "." + jwtio_payload + "." + base64.urlsafe_b64encode(
os.urandom(255)).decode()
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Signature verification", ite.exception.value)
def test_authentication_tag_not_128_bits(self):
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), tag=os.urandom(10))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("'Authentication tag must be 16 bytes or longer", ite.exception.value)
def assertInDecodeSignedJWTException(self, jwe, error):
decoder = JWTDecryptor(*self.decryptor_args)
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwe, self.leeway)
if error not in ite.exception.value:
raise AssertionError(
'"{}" not found in decode exception'.format(error))
def test_jose_header_missing_alg(self):
header = base64.urlsafe_b64encode(b'{"kid":"EDCRRM","typ":"JWT"}')
jwt = header.decode() + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Missing Algorithm", ite.exception.value)
def test_jose_header_invalid_type(self):
header = base64.urlsafe_b64encode(b'{"alg":"RS256", "kid":"EDCRRM", "typ":"TEST"}')
jwt = header.decode() + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Invalid Type", ite.exception.value)
def test_jose_header_contains_multiple_kid(self):
header = base64.urlsafe_b64encode(b'{"alg":"RS256", "kid":"EDCRRM", "kid":"test", "typ":"JWT"}')
jwt = header.decode() + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Multiple kid Headers", ite.exception.value)
def test_authentication_tag_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
tag=b'adssadsadsadsadasdasdasads')
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException):
decoder.decrypt_jwt_token(jwe.decode())
def test_payload_contains_corrupted_json(self):
payload = base64.urlsafe_b64encode(
b'{"user":"******","iat": "1454935765","exp": "2075297148"}ABDCE')
jwt = jwtio_header + "." + payload.decode() + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("DecodeError", ite.exception.value)
def test_jose_header_missing_type(self):
header = base64.urlsafe_b64encode(b'{"alg":"RS256", "kid":"EDCRRM"}')
jwt = header.decode() + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Missing Type", ite.exception.value)
def test_invalid_algorithm(self):
jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}'
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Invalid Algorithm", ite.exception.value)
def test_payload_does_not_contain_exp(self):
valid_token_no_exp = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm" \
"FtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ5MzU3NjcifQ.VupTBEOEzeDjxd37PQ34xv" \
"BlLzeGTA0xFdGnLZDcnxAS1AjNcJ66edRmr4tmPIXnD6Mgen3HSB36xuXSnfzPld2msFHUXmB18CoaJQK19BXEY" \
"vosrBPzc1ohSvam_DgXCzdSMAcWSE63e6LTWNCT93-npD3p9tjdY_TWpEOOg14"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_no_exp)
self.assertIn("Missing exp claim", ite.exception.value)
def test_jose_header_contains_multiple_kid(self):
header = base64.urlsafe_b64encode(
b'{"alg":"RS256", "kid":"EDCRRM", "kid":"test", "typ":"JWT"}')
jwt = header.decode() + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Multiple kid Headers", ite.exception.value)
def test_jose_header_contains_invalid_kid(self):
header = base64.urlsafe_b64encode(
b'{"alg":"RS256", "kid":"UNKNOWN", "typ":"JWT"}')
jwt = header.decode() + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Invalid Key Identifier", ite.exception.value)
def test_payload_does_not_contain_exp(self):
valid_token_no_exp = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm" \
"FtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ5MzU3NjcifQ.VupTBEOEzeDjxd37PQ34xv" \
"BlLzeGTA0xFdGnLZDcnxAS1AjNcJ66edRmr4tmPIXnD6Mgen3HSB36xuXSnfzPld2msFHUXmB18CoaJQK19BXEY" \
"vosrBPzc1ohSvam_DgXCzdSMAcWSE63e6LTWNCT93-npD3p9tjdY_TWpEOOg14"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_no_exp)
self.assertIn("Missing exp claim", ite.exception.value)
def test_jwe_header_only_contains_alg_and_enc(self):
jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}'
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("InvalidTag", ite.exception.value)
def test_jose_header_none_alg(self):
header = base64.urlsafe_b64encode(
b'{"alg":"None","kid":"EDCRRM","typ":"JWT"}')
jwt = header.decode() + "." + jwtio_payload + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Invalid Algorithm", ite.exception.value)
def test_payload_does_not_contain_iat(self):
valid_token_no_iat = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm" \
"FtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwNzUyOTcxNDgifQ.SXWoPBkiXBW9KYaSvjISwQ" \
"gdKQuNJ6o5oXA8rwEFiIE9UYo0yALhsQf5BbYs7RmVq760jde2FqwbwHze_XHFlOcg9nODfevEbRAUxjt_jpDaI" \
"LWmzreVw8jYTie9qn-F-7Tb6R1fgvvi5Fd7h0Py_LTLTZ72H1NOXCMtL_bbv6Y"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_no_iat)
self.assertIn("Missing iat claim", ite.exception.value)
def test_enc_missing(self):
jwe_protected_header = b'{"alg":"RSA-OAEP"}'
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), jwe_protected_header=encoder._base_64_encode(jwe_protected_header))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Missing Encoding", ite.exception.value)
def test_payload_does_not_contain_iat(self):
valid_token_no_iat = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm" \
"FtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImV4cCI6IjIwNzUyOTcxNDgifQ.SXWoPBkiXBW9KYaSvjISwQ" \
"gdKQuNJ6o5oXA8rwEFiIE9UYo0yALhsQf5BbYs7RmVq760jde2FqwbwHze_XHFlOcg9nODfevEbRAUxjt_jpDaI" \
"LWmzreVw8jYTie9qn-F-7Tb6R1fgvvi5Fd7h0Py_LTLTZ72H1NOXCMtL_bbv6Y"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_no_iat)
self.assertIn("Missing iat claim", ite.exception.value)
def test_cek_not_256_bits(self):
cek = os.urandom(24)
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("CEK incorrect length", ite.exception.value)
def test_payload_expired_exp(self):
valid_token_with_exp_in_the_past = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM" \
"0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ5MzU" \
"3NjUiLCJleHAiOiIxNDU0OTM1NzY2In0.PLIaSBh3jiPCsYgx7l1m8enorE7FzYUxVHgarlm" \
"ZiMzpNjNmEzBYBq0yCk7wzkbrJhe5slliaMDY6C4hrAGo8oIUwYp_bQxxDCzyfeXiqdewdPe" \
"L2X8D47Yw-KRt2XF03LXnMEyAaHD9CPhtnSWYUijka5h5yJIG62JTOGWvKGU"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_exp_in_the_past)
self.assertIn("Signature has expired", ite.exception.value)
def test_payload_exp_less_than_iat(self):
valid_token_with_exp_less_than_iat = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxM" \
"jM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ" \
"5MzU3NjUiLCJleHAiOiIxNDU0OTM1NzY0In0.p2T1go1DblkgYiYHj_cLV1Jd169sG4bqv" \
"qncTSpYPYawMIkjeb7s0IWFaswi348YLvcaAuQxaq3H5sw6RG3338TmFWYMJhvJTOYCZBC" \
"pvkuu2PTKBAxYlQt9dHuWnFODYtjFgdsJigMrePdY9FIqyifyUAJsUHhA7WagOxUwW_I"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_exp_less_than_iat)
self.assertIn("Signature has expired", ite.exception.value)
def test_payload_contains_more_than_one_exp(self):
payload = base64.urlsafe_b64encode(b'{"user":"******",'
b'"iat": "1454935765",'
b'"exp": "1454935765",'
b'"exp": "2075297148"}')
jwt = jwtio_header + "." + payload.decode() + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Multiple exp claims", ite.exception.value)
def test_payload_invalid_exp(self):
valid_token_with_invalid_exp = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3" \
"ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ5MzU3NjUiLCJle" \
"HAiOiI_In0.0ApxEXw1rzo21XQo8WgcPvnz0e8QnT0GaoXVbCj-OdJtB7GArPzaiQ1cU53WaJsvGE" \
"zHTczc6Y0xN7WzcTdcXN8Yjenf4VqoiYc6_FXGJ1s9Brd0JOFPyVipTFxPoWvYTWLXE-CAEpXrEb3" \
"0kB3nRjHFV_yVhLiiZUU-gpUHqNQ"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_invalid_exp)
self.assertIn("Expiration Time claim (exp) must be an integer", ite.exception.value)
def test_payload_invalid_iat(self):
valid_token_with_invalid_iat = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3" \
"ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6ImEiLCJleHAiOiIyMDc1M" \
"jk3MTQ4In0.1NIuxcD1FsZlU17NxK4UHdCfzl7qTV03qEaTRcqTC6A1Fs2Alc7mSQgkF_SpUw4Ylt" \
"n-7DhO2InfcwDA0VhxBOHDL6ZzcEvzw-49iD-AaSd4aINIkDK-Iim5uzbKzgQCuZqSXFqxsZlezA4" \
"BtwV7Lv2puqdPrXT8k3SvM2rOwRw"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_invalid_iat)
self.assertIn("Issued At claim (iat) must be an integer", ite.exception.value)
def test_payload_expired_exp(self):
valid_token_with_exp_in_the_past = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM" \
"0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ5MzU" \
"3NjUiLCJleHAiOiIxNDU0OTM1NzY2In0.PLIaSBh3jiPCsYgx7l1m8enorE7FzYUxVHgarlm" \
"ZiMzpNjNmEzBYBq0yCk7wzkbrJhe5slliaMDY6C4hrAGo8oIUwYp_bQxxDCzyfeXiqdewdPe" \
"L2X8D47Yw-KRt2XF03LXnMEyAaHD9CPhtnSWYUijka5h5yJIG62JTOGWvKGU"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_exp_in_the_past)
self.assertIn("Signature has expired", ite.exception.value)
def test_payload_contains_more_than_one_exp(self):
payload = base64.urlsafe_b64encode(b'{"user":"******",'
b'"iat": "1454935765",'
b'"exp": "1454935765",'
b'"exp": "2075297148"}')
jwt = jwtio_header + "." + payload.decode() + "." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(jwt)
self.assertIn("Multiple exp claims", ite.exception.value)
def test_iv_not_96_bits(self):
iv = os.urandom(45)
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), iv=iv)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("IV incorrect length", ite.exception.value)
def test_payload_exp_less_than_iat(self):
valid_token_with_exp_less_than_iat = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxM" \
"jM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ" \
"5MzU3NjUiLCJleHAiOiIxNDU0OTM1NzY0In0.p2T1go1DblkgYiYHj_cLV1Jd169sG4bqv" \
"qncTSpYPYawMIkjeb7s0IWFaswi348YLvcaAuQxaq3H5sw6RG3338TmFWYMJhvJTOYCZBC" \
"pvkuu2PTKBAxYlQt9dHuWnFODYtjFgdsJigMrePdY9FIqyifyUAJsUHhA7WagOxUwW_I"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_exp_less_than_iat)
self.assertIn("Signature has expired", ite.exception.value)
def test_authentication_tag_not_128_bits(self):
encoder = Encoder()
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
tag=os.urandom(10))
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("'Authentication tag must be 16 bytes or longer",
ite.exception.value)
def test_iv_not_96_bits(self):
iv = os.urandom(45)
encoder = Encoder()
encoder.iv = iv
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("IV incorrect length", ite.exception.value)
def test_cek_not_256_bits(self):
cek = os.urandom(24)
encoder = Encoder()
encoder.cek = cek
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("CEK incorrect length", ite.exception.value)
def test_payload_invalid_exp(self):
valid_token_with_invalid_exp = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3" \
"ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE0NTQ5MzU3NjUiLCJle" \
"HAiOiI_In0.0ApxEXw1rzo21XQo8WgcPvnz0e8QnT0GaoXVbCj-OdJtB7GArPzaiQ1cU53WaJsvGE" \
"zHTczc6Y0xN7WzcTdcXN8Yjenf4VqoiYc6_FXGJ1s9Brd0JOFPyVipTFxPoWvYTWLXE-CAEpXrEb3" \
"0kB3nRjHFV_yVhLiiZUU-gpUHqNQ"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_invalid_exp)
self.assertIn("Expiration Time claim (exp) must be an integer",
ite.exception.value)
def test_invalid_algorithm(self):
jwe_protected_header = b'{"alg":"PBES2_HS256_A128KW","enc":"A256GCM"}'
encoder = Encoder()
jwe = encoder.encrypt_token(
VALID_SIGNED_JWT.encode(),
jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Invalid Algorithm", ite.exception.value)
def test_payload_invalid_iat(self):
valid_token_with_invalid_iat = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0NTY3" \
"ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6ImEiLCJleHAiOiIyMDc1M" \
"jk3MTQ4In0.1NIuxcD1FsZlU17NxK4UHdCfzl7qTV03qEaTRcqTC6A1Fs2Alc7mSQgkF_SpUw4Ylt" \
"n-7DhO2InfcwDA0VhxBOHDL6ZzcEvzw-49iD-AaSd4aINIkDK-Iim5uzbKzgQCuZqSXFqxsZlezA4" \
"BtwV7Lv2puqdPrXT8k3SvM2rOwRw"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_invalid_iat)
self.assertIn("Issued At claim (iat) must be an integer",
ite.exception.value)
def test_jwe_header_only_contains_alg_and_enc(self):
jwe_protected_header = b'{"alg":"RSA-OAEP","enc":"A256GCM", "test":"test"}'
encoder = Encoder()
jwe = encoder.encrypt_token(
VALID_SIGNED_JWT.encode(),
jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("InvalidTag", ite.exception.value)
def test_payload_iat_in_future(self):
# set iat to Oct 2035
valid_token_with_iat_in_future = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0N" \
"TY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjIwNzUyOTcxNDc" \
"iLCJleHAiOiIyMDc1Mjk3MTQ4In0.2MQNPXUAiT3AFhbQWoNZ3bs14WeQDloiJfP-3s9ddprzY" \
"tj4omGaym32WvD-f4kBjuEwe479QzpJQoV_oTYCwB8VmFnKd4lKWKMUnNHQYcG0GWVB1Y9qWuW" \
"nPG32kfS2Z7YuMkCgar8qttajB_YRcwhes4rIVaObFFXywnSinCQ"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_iat_in_future)
self.assertIn("Issued At claim (iat) cannot be in the future", ite.exception.value)
def test_decrypt(self):
decoder = JWTDecryptor(*self.decryptor_args)
tokens = encrypted_jwt.split('.')
self.assertEqual(jwe_protected_header, tokens[0])
cipher_text = decoder._base64_decode(tokens[3]) # pylint: disable=protected-access
tag = bytes(decoder._base64_decode(tokens[4])) # pylint: disable=protected-access
decrypted_token = decoder._decrypt_cipher_text(cipher_text, iv, cek, tag, jwe_protected_header) # pylint: disable=protected-access
self.assertEqual(plaintext, decrypted_token.decode())
def test_payload_iat_in_future(self):
# set iat to Oct 2035
valid_token_with_iat_in_future = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkVEQ1JSTSJ9.eyJzdWIiOiIxMjM0N" \
"TY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjIwNzUyOTcxNDc" \
"iLCJleHAiOiIyMDc1Mjk3MTQ4In0.2MQNPXUAiT3AFhbQWoNZ3bs14WeQDloiJfP-3s9ddprzY" \
"tj4omGaym32WvD-f4kBjuEwe479QzpJQoV_oTYCwB8VmFnKd4lKWKMUnNHQYcG0GWVB1Y9qWuW" \
"nPG32kfS2Z7YuMkCgar8qttajB_YRcwhes4rIVaObFFXywnSinCQ"
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(valid_token_with_iat_in_future)
self.assertIn("Issued At claim (iat) cannot be in the future",
ite.exception.value)
def test_decrypt(self):
decoder = JWTDecryptor()
tokens = encrypted_jwt.split('.')
self.assertEquals(jwe_protected_header, tokens[0])
cipher_text = decoder._base64_decode(tokens[3])
tag = bytes(decoder._base64_decode(tokens[4]))
decrypted_token = decoder._decrypt_cipher_text(cipher_text, iv, cek, tag, jwe_protected_header)
self.assertEquals(plaintext, decrypted_token.decode())
def test_jwe_key_not_2048_bits(self):
cek = os.urandom(32)
encoder = Encoder()
encrypted_key = encoder._encrypted_key(cek)
encrypted_key = encrypted_key[0:len(encrypted_key) - 2]
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode(), cek=cek, encrypted_key=encrypted_key)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("ValueError", ite.exception.value)
def test_enc_missing(self):
jwe_protected_header = b'{"alg":"RSA-OAEP"}'
encoder = Encoder()
jwe = encoder.encrypt_token(
VALID_SIGNED_JWT.encode(),
jwe_protected_header=encoder._base_64_encode(jwe_protected_header)) # pylint: disable=protected-access
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("Missing Encoding", ite.exception.value)
def test_jwe_key_not_2048_bits(self):
cek = os.urandom(32)
encoder = Encoder()
encoder.cek = cek
encrypted_key = encoder._encrypted_key(cek) # pylint: disable=protected-access
encrypted_key = encrypted_key[0:len(encrypted_key) - 2]
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode(),
encrypted_key=encrypted_key)
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(jwe.decode())
self.assertIn("ValueError", ite.exception.value)
def test_cipher_text_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt(VALID_SIGNED_JWT.encode())
tokens = jwe.decode().split('.')
jwe_protected_header = tokens[0]
encrypted_key = tokens[1]
encoded_iv = tokens[2]
encoded_cipher_text = tokens[3]
encoded_tag = tokens[4]
corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1]
reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decrypt_jwt_token(reassembled)
def test_cipher_text_corrupted(self):
encoder = Encoder()
jwe = encoder.encrypt_token(VALID_SIGNED_JWT.encode())
tokens = jwe.decode().split('.')
jwe_protected_header = tokens[0]
encrypted_key = tokens[1]
encoded_iv = tokens[2]
encoded_cipher_text = tokens[3]
encoded_tag = tokens[4]
corrupted_cipher = encoded_cipher_text[0:len(encoded_cipher_text) - 1]
reassembled = jwe_protected_header + "." + encrypted_key + "." + encoded_iv + "." + corrupted_cipher + "." + encoded_tag
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException):
decoder.decrypt_jwt_token(reassembled)
def _jwt_decrypt(self, request):
encrypted_token = request.args.get(EQ_URL_QUERY_STRING_JWT_FIELD_NAME)
decoder = JWTDecryptor()
token = decoder.decrypt_jwt_token(encrypted_token)
return token
def test_jwt_contains_empty_payload(self):
token_without_payload = jwtio_header + ".e30." + jwtio_signature
decoder = JWTDecryptor()
with self.assertRaises(InvalidTokenException) as ite:
decoder.decode_signed_jwt_token(token_without_payload)
self.assertIn("Missing Payload", ite.exception.value)
def test_decrypt_jwt_token(self):
decoder = JWTDecryptor()
token = decoder.decrypt_jwt_token(VALID_JWE)
self.assertEquals("jimmy", token.get("user"))