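def test_authtoken_rs256_verification(self):
    """Verify an auth token against Bouncer's published public key.

    Bouncer signs authentication tokens with its private RSA key. This
    test reconstructs the matching public key from Bouncer's JSON Web
    Key Set (JWKS) endpoint, checks that the token signature validates
    with it, and checks that the payload carries the expected uid.
    """
    # Obtain an authentication token (the anatomy test returns one).
    token, _ = self.test_authtoken_rs256_anatomy()

    # Obtain the JSON Web Key Set. Fail loudly on a non-2xx response
    # instead of on a confusing KeyError further down.
    r = requests.get(Url('/auth/jwks'))
    r.raise_for_status()
    jwks = r.json()
    # Only the first key is inspected; this assumes the first entry is
    # the current signing key (no `kid` matching is done here).
    key = jwks['keys'][0]
    # A JWK's `n`/`e` are only meaningful for an RSA key (RFC 7517 `kty`).
    assert key.get('kty', 'RSA') == 'RSA'

    # Extract the public modulus and exponent: base64url-encoded
    # big-endian unsigned integers (RFC 7518 section 6.3.1).
    exponent_int = bytes_to_number(base64url_decode(key['e'].encode('ascii')))
    modulus_int = bytes_to_number(base64url_decode(key['n'].encode('ascii')))

    # Build a `cryptography` public key object from these numbers.
    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(backend=cryptography_backend)

    # Verify the token signature with that public key. `algorithms`
    # takes a list: pinning the accepted algorithm set is what prevents
    # algorithm-confusion attacks, and a bare string only happens to
    # work through substring matching.
    payload = jwt.decode(token, public_key, algorithms=['RS256'])
    assert payload['uid'] == self.user1_uid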
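def verify_token(masterUrl, authToken, tls_verify=False):
    """Verify a DC/OS auth token against the master's published JWKS.

    Fetches the JSON Web Key Set from the master's IAM, rebuilds the RSA
    public key from the first JWK's modulus and exponent, validates the
    token signature with it, and prints the payload and its expiry time.

    Args:
        masterUrl: host (and optional port) of the DC/OS master.
        authToken: the JWT to verify.
        tls_verify: handed to ``requests`` as ``verify``: ``True`` to check
            the master certificate against the system CA store, a path to a
            CA bundle, or ``False`` (the historical default) to skip the
            check. NOTE(security): with ``False`` the JWKS -- the trust
            anchor for this whole verification -- can be replaced by anyone
            able to intercept the connection, which makes the signature
            check meaningless. Callers should pass ``True`` or the cluster
            CA bundle path.

    Returns:
        The decoded token payload (dict).

    Raises:
        requests.HTTPError if the JWKS request fails; a jwt exception if
        the token does not validate.
    """
    jwks_url = 'https://' + masterUrl + '/acs/api/v1/auth/jwks'
    r = requests.get(jwks_url, verify=tls_verify)
    r.raise_for_status()
    # The first key in the set is assumed to be the current signing key;
    # no `kid` matching is done here.
    key = r.json()['keys'][0]

    # `n` and `e` are base64url-encoded big-endian unsigned integers
    # (RFC 7518 section 6.3.1).
    exponent_int = bytes_to_number(base64url_decode(key['e'].encode('ascii')))
    modulus_int = bytes_to_number(base64url_decode(key['n'].encode('ascii')))
    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(backend=default_backend())

    # PyJWT's decode keyword is `algorithms` (a list). The previous
    # `algorithm=` is not a decode parameter, so the accepted-algorithm
    # set was never actually pinned to RS256.
    payload = jwt.decode(authToken, public_key, algorithms=['RS256'])
    # print() with a single argument works under both Python 2 and 3.
    print(payload)
    print("expiration is: " + time.strftime('%Y-%m-%d %H:%M:%S',
                                            time.localtime(payload['exp'])))
    return payload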
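def dcos_adminrouter(b, opts):
    """Provision Admin Router's auth-token verification key.

    Fetches the current JSON Web Key Set from the local IAM instance,
    rebuilds the RSA public key from the first JWK, and writes it as a
    PEM-encoded SubjectPublicKeyInfo file into Admin Router's run
    directory, owned by the Admin Router user. Exits the process with
    status 1 if the JWKS cannot be retrieved or contains no keys.

    Args:
        b: bootstrap context; only ``cluster_id()`` is called here.
        opts: not used by this function (kept for the shared signature).
    """
    b.cluster_id()

    # Require the IAM to already be up and running. The IAM contains logic
    # for achieving consensus about a key pair, and exposes the public key
    # information via its JWKS endpoint. Talk directly to the local IAM
    # instance over the loopback interface; plain HTTP is acceptable here
    # only because the peer is on the same host.
    r = requests.get('http://127.0.0.1:8101/acs/api/v1/auth/jwks')
    if r.status_code != 200:
        # Fatal for Admin Router: without this key no token can be verified,
        # so log at error level rather than info.
        log.error('JWKS retrieval failed. Got %s with body: %s', r, r.text)
        sys.exit(1)
    jwks = r.json()

    # The first key in the JSON Web Key Set corresponds to the current
    # private key used for signing authentication tokens. Guard against an
    # empty set so the failure is reported instead of surfacing as an
    # IndexError traceback.
    keys = jwks.get('keys') or []
    if not keys:
        log.error('JWKS contains no keys. Body: %s', r.text)
        sys.exit(1)
    key = keys[0]

    # `n` and `e` are base64url-encoded big-endian unsigned integers
    # (RFC 7518 section 6.3.1).
    exponent_int = bytes_to_number(base64url_decode(key['e'].encode('ascii')))
    modulus_int = bytes_to_number(base64url_decode(key['n'].encode('ascii')))

    # Generate a `cryptography` public key object instance from these numbers.
    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(
        backend=cryptography.hazmat.backends.default_backend())

    # Serialize the public key into PEM SubjectPublicKeyInfo (RFC 5280).
    pubkey_pem_bytes = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)

    # Only the public half is written, so a publicly readable file
    # (presumably what write_public_file produces) is appropriate.
    rundir = utils.dcos_run_path / 'dcos-adminrouter'
    rundir.mkdir(parents=True, exist_ok=True)
    pubkey_path = rundir / 'auth-token-verification-key'
    utils.write_public_file(pubkey_path, pubkey_pem_bytes)
    utils.chown(pubkey_path, user='******')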
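def dcos_adminrouter(b, opts):
    """Provision Admin Router's auth-token verification key.

    Fetches the current JSON Web Key Set from the local IAM instance,
    rebuilds the RSA public key from the first JWK, and writes it as a
    PEM-encoded SubjectPublicKeyInfo file under /run/dcos/dcos-adminrouter,
    owned by the Admin Router user. Exits the process with status 1 if
    the JWKS cannot be retrieved or contains no keys.

    Args:
        b: bootstrap context; only ``cluster_id()`` is called here.
        opts: not used by this function (kept for the shared signature).
    """
    b.cluster_id()

    # Require the IAM to already be up and running. The IAM contains logic
    # for achieving consensus about a key pair, and exposes the public key
    # information via its JWKS endpoint. Talk directly to the local IAM
    # instance over the loopback interface; plain HTTP is acceptable here
    # only because the peer is on the same host.
    r = requests.get('http://127.0.0.1:8101/acs/api/v1/auth/jwks')
    if r.status_code != 200:
        # Fatal for Admin Router: without this key no token can be verified,
        # so log at error level rather than info.
        log.error('JWKS retrieval failed. Got %s with body: %s', r, r.text)
        sys.exit(1)
    jwks = r.json()

    # The first key in the JSON Web Key Set corresponds to the current
    # private key used for signing authentication tokens. Guard against an
    # empty set so the failure is reported instead of surfacing as an
    # IndexError traceback.
    keys = jwks.get('keys') or []
    if not keys:
        log.error('JWKS contains no keys. Body: %s', r.text)
        sys.exit(1)
    key = keys[0]

    # `n` and `e` are base64url-encoded big-endian unsigned integers
    # (RFC 7518 section 6.3.1).
    exponent_int = bytes_to_number(base64url_decode(key['e'].encode('ascii')))
    modulus_int = bytes_to_number(base64url_decode(key['n'].encode('ascii')))

    # Generate a `cryptography` public key object instance from these numbers.
    public_numbers = rsa.RSAPublicNumbers(n=modulus_int, e=exponent_int)
    public_key = public_numbers.public_key(
        backend=cryptography.hazmat.backends.default_backend())

    # Serialize the public key into PEM SubjectPublicKeyInfo (RFC 5280).
    pubkey_pem_bytes = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)

    # Mode 0o644 is deliberate: only the public half is written, and Admin
    # Router must be able to read it.
    rundir = '/run/dcos/dcos-adminrouter'
    os.makedirs(rundir, exist_ok=True)
    pubkey_path = os.path.join(rundir, 'auth-token-verification-key')
    _write_file_bytes(pubkey_path, pubkey_pem_bytes, 0o644)
    shutil.chown(pubkey_path, user='******')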