def clean_headers(headers): """Forces header keys and values to be strings, i.e not unicode. The httplib module just concats the header keys and values in a way that may make the message header a unicode string, which, if it then tries to contatenate to a binary request body may result in a unicode decode error. Args: headers: dict, A dictionary of headers. Returns: The same dictionary but with all the keys converted to strings. """ clean = {} try: for k, v in six.iteritems(headers): if not isinstance(k, six.binary_type): k = str(k) if not isinstance(v, six.binary_type): v = str(v) clean[_helpers._to_bytes(k)] = _helpers._to_bytes(v) except UnicodeEncodeError: from oauth2client.client import NonAsciiHeaderError raise NonAsciiHeaderError(k, ': ', v) return clean
def test_with_system_time(self): digest = b'foobar' curr_time = 1440449755.74 digester = mock.MagicMock() digester.digest = mock.MagicMock(name='digest', return_value=digest) with mock.patch('oauth2client.xsrfutil.hmac') as hmac: hmac.new = mock.MagicMock(name='new', return_value=digester) with mock.patch('oauth2client.xsrfutil.time') as time: time.time = mock.MagicMock(name='time', return_value=curr_time) # when= is omitted token = xsrfutil.generate_token(TEST_KEY, TEST_USER_ID_1, action_id=TEST_ACTION_ID_1) hmac.new.assert_called_once_with(TEST_KEY) time.time.assert_called_once_with() digester.digest.assert_called_once_with() expected_digest_calls = [ mock.call.update(_to_bytes(str(TEST_USER_ID_1))), mock.call.update(xsrfutil.DELIMITER), mock.call.update(TEST_ACTION_ID_1), mock.call.update(xsrfutil.DELIMITER), mock.call.update(_to_bytes(str(int(curr_time)))), ] self.assertEqual(digester.method_calls, expected_digest_calls) expected_token_as_bytes = (digest + xsrfutil.DELIMITER + _to_bytes(str(int(curr_time)))) expected_token = base64.urlsafe_b64encode( expected_token_as_bytes) self.assertEqual(token, expected_token)
def generate_token(key, user_id, action_id='', when=None): """Generates a URL-safe token for the given user, action, time tuple. Args: key: secret key to use. user_id: the user ID of the authenticated user. action_id: a string identifier of the action they requested authorization for. when: the time in seconds since the epoch at which the user was authorized for this action. If not set the current time is used. Returns: A string XSRF protection token. """ digester = hmac.new(_to_bytes(key, encoding='utf-8')) digester.update(_to_bytes(str(user_id), encoding='utf-8')) digester.update(DELIMITER) digester.update(_to_bytes(action_id, encoding='utf-8')) digester.update(DELIMITER) when = _to_bytes(str(when or int(time.time())), encoding='utf-8') digester.update(when) digest = digester.digest() token = base64.urlsafe_b64encode(digest + DELIMITER + when) return token
def test_it(self): digest = b'foobar' digester = mock.MagicMock() digester.digest = mock.MagicMock(name='digest', return_value=digest) with mock.patch('oauth2client.contrib.xsrfutil.hmac') as hmac: hmac.new = mock.MagicMock(name='new', return_value=digester) token = xsrfutil.generate_token(TEST_KEY, TEST_USER_ID_1, action_id=TEST_ACTION_ID_1, when=TEST_TIME) hmac.new.assert_called_once_with(TEST_KEY) digester.digest.assert_called_once_with() expected_digest_calls = [ mock.call.update(_helpers._to_bytes(str(TEST_USER_ID_1))), mock.call.update(xsrfutil.DELIMITER), mock.call.update(TEST_ACTION_ID_1), mock.call.update(xsrfutil.DELIMITER), mock.call.update(_helpers._to_bytes(str(TEST_TIME))), ] self.assertEqual(digester.method_calls, expected_digest_calls) expected_token_as_bytes = (digest + xsrfutil.DELIMITER + _helpers._to_bytes(str(TEST_TIME))) expected_token = base64.urlsafe_b64encode(expected_token_as_bytes) self.assertEqual(token, expected_token)
def test_it(self): digest = b'foobar' digester = mock.Mock() digester.digest = mock.Mock(name='digest', return_value=digest) with mock.patch('oauth2client.contrib.xsrfutil.hmac') as hmac: hmac.new = mock.Mock(name='new', return_value=digester) token = xsrfutil.generate_token(TEST_KEY, TEST_USER_ID_1, action_id=TEST_ACTION_ID_1, when=TEST_TIME) hmac.new.assert_called_once_with(TEST_KEY) digester.digest.assert_called_once_with() expected_digest_calls = [ mock.call.update(_helpers._to_bytes(str(TEST_USER_ID_1))), mock.call.update(xsrfutil.DELIMITER), mock.call.update(TEST_ACTION_ID_1), mock.call.update(xsrfutil.DELIMITER), mock.call.update(_helpers._to_bytes(str(TEST_TIME))), ] self.assertEqual(digester.method_calls, expected_digest_calls) expected_token_as_bytes = (digest + xsrfutil.DELIMITER + _helpers._to_bytes(str(TEST_TIME))) expected_token = base64.urlsafe_b64encode( expected_token_as_bytes) self.assertEqual(token, expected_token)
def clean_headers(headers): """Forces header keys and values to be strings, i.e not unicode. The httplib module just concats the header keys and values in a way that may make the message header a unicode string, which, if it then tries to contatenate to a binary request body may result in a unicode decode error. Args: headers: dict, A dictionary of headers. Returns: The same dictionary but with all the keys converted to strings. """ clean = {} try: for k, v in six.iteritems(headers): if not isinstance(k, six.binary_type): k = str(k) if not isinstance(v, six.binary_type): v = str(v) clean[_to_bytes(k)] = _to_bytes(v) except UnicodeEncodeError: from oauth2client.client import NonAsciiHeaderError raise NonAsciiHeaderError(k, ': ', v) return clean
def from_string(cls, key_pem, is_x509_cert): """Construct an RsaVerifier instance from a string. Args: key_pem: string, public key in PEM format. is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it is expected to be an RSA key in PEM format. Returns: RsaVerifier instance. Raises: ValueError: if the key_pem can't be parsed. In either case, error will begin with 'No PEM start marker'. If ``is_x509_cert`` is True, will fail to find the "-----BEGIN CERTIFICATE-----" error, otherwise fails to find "-----BEGIN RSA PUBLIC KEY-----". """ key_pem = _to_bytes(key_pem) if is_x509_cert: der = rsa.pem.load_pem(key_pem, 'CERTIFICATE') asn1_cert, remaining = decoder.decode(der, asn1Spec=Certificate()) if remaining != b'': raise ValueError('Unused bytes', remaining) cert_info = asn1_cert['tbsCertificate']['subjectPublicKeyInfo'] key_bytes = _bit_list_to_bytes(cert_info['subjectPublicKey']) pubkey = rsa.PublicKey.load_pkcs1(key_bytes, 'DER') else: pubkey = rsa.PublicKey.load_pkcs1(key_pem, 'PEM') return cls(pubkey)
def from_string(key, password='******'): """Construct a Signer instance from a string. Args: key: string, private key in PEM format. password: string, password for private key file. Unused for PEM files. Returns: Signer instance. Raises: NotImplementedError if the key isn't in PEM format. """ parsed_pem_key = _parse_pem_key(_to_bytes(key)) if parsed_pem_key: pkey = RSA.importKey(parsed_pem_key) else: raise NotImplementedError( 'PKCS12 format is not supported by the PyCrypto library. ' 'Try converting to a "PEM" ' '(openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > ' 'privatekey.pem) ' 'or using PyOpenSSL if native code is an option.') return PyCryptoSigner(pkey)
def test_no_newline_in_received_header(self): non_zero_port = 1 sock = mock.MagicMock() header_without_newline = '' sock.recv(6).decode = mock.MagicMock( name='decode', return_value=header_without_newline) with mock.patch('oauth2client.devshell.os') as os_mod: os_mod.getenv = mock.MagicMock(name='getenv', return_value=non_zero_port) with mock.patch('oauth2client.devshell.socket') as socket: socket.socket = mock.MagicMock(name='socket', return_value=sock) self.assertRaises(CommunicationError, _SendRecv) os_mod.getenv.assert_called_once_with(DEVSHELL_ENV, 0) socket.socket.assert_called_once_with() sock.recv(6).decode.assert_called_once_with() data = CREDENTIAL_INFO_REQUEST_JSON msg = _to_bytes('%s\n%s' % (len(data), data), encoding='utf-8') expected_sock_calls = [ mock.call.recv(6), # From the set-up above mock.call.connect(('localhost', non_zero_port)), mock.call.sendall(msg), mock.call.recv(6), mock.call.recv(6), # From the check above ] self.assertEqual(sock.method_calls, expected_sock_calls)
def test_token_length_differs_from_generated(self): token_time = 123456789 # Make sure it isn't too old. curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1 key = object() user_id = object() action_id = object() token = base64.b64encode(_to_bytes(str(token_time))) generated_token = b'a' # Make sure the token length comparison will fail. self.assertNotEqual(len(token), len(generated_token)) with mock.patch('oauth2client.contrib.xsrfutil.generate_token', return_value=generated_token) as gen_tok: self.assertFalse( xsrfutil.validate_token(key, token, user_id, current_time=curr_time, action_id=action_id)) gen_tok.assert_called_once_with(key, user_id, action_id=action_id, when=token_time)
def _SendRecv(): """Communicate with the Developer Shell server socket.""" port = int(os.getenv(DEVSHELL_ENV, 0)) if port == 0: raise NoDevshellServer() import socket sock = socket.socket() sock.connect(('localhost', port)) data = CREDENTIAL_INFO_REQUEST_JSON msg = '%s\n%s' % (len(data), data) sock.sendall(_to_bytes(msg, encoding='utf-8')) header = sock.recv(6).decode() if '\n' not in header: raise CommunicationError('saw no newline in the first 6 bytes') len_str, json_str = header.split('\n', 1) to_read = int(len_str) - len(json_str) if to_read > 0: json_str += sock.recv(to_read, socket.MSG_WAITALL).decode() return CredentialInfoResponse(json_str)
def _SendRecv(): """Communicate with the Developer Shell server socket.""" port = int(os.getenv(DEVSHELL_ENV, 0)) if port == 0: raise NoDevshellServer() import socket sock = socket.socket() sock.connect(("localhost", port)) data = CREDENTIAL_INFO_REQUEST_JSON msg = "%s\n%s" % (len(data), data) sock.sendall(_to_bytes(msg, encoding="utf-8")) header = sock.recv(6).decode() if "\n" not in header: raise CommunicationError("saw no newline in the first 6 bytes") len_str, json_str = header.split("\n", 1) to_read = int(len_str) - len(json_str) if to_read > 0: json_str += sock.recv(to_read, socket.MSG_WAITALL).decode() return CredentialInfoResponse(json_str)
def test_token_differs_from_generated_but_same_length(self): token_time = 123456789 # Make sure it isn't too old. curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1 key = object() user_id = object() action_id = object() token = base64.b64encode(_to_bytes(str(token_time))) # It is encoded as b'MTIzNDU2Nzg5', which has length 12. generated_token = b'M' * 12 # Make sure the token length comparison will succeed, but the token # comparison will fail. self.assertEqual(len(token), len(generated_token)) self.assertNotEqual(token, generated_token) with mock.patch('oauth2client.xsrfutil.generate_token', return_value=generated_token) as gen_tok: self.assertFalse( xsrfutil.validate_token(key, token, user_id, current_time=curr_time, action_id=action_id)) gen_tok.assert_called_once_with(key, user_id, action_id=action_id, when=token_time)
def from_string(cls, key_pem, is_x509_cert): """Construct an RsaVerifier instance from a string. Args: key_pem: string, public key in PEM format. is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it is expected to be an RSA key in PEM format. Returns: RsaVerifier instance. Raises: ValueError: if the key_pem can't be parsed. In either case, error will begin with 'No PEM start marker'. If ``is_x509_cert`` is True, will fail to find the "-----BEGIN CERTIFICATE-----" error, otherwise fails to find "-----BEGIN RSA PUBLIC KEY-----". """ key_pem = _helpers._to_bytes(key_pem) if is_x509_cert: der = rsa.pem.load_pem(key_pem, 'CERTIFICATE') asn1_cert, remaining = decoder.decode(der, asn1Spec=Certificate()) if remaining != b'': raise ValueError('Unused bytes', remaining) cert_info = asn1_cert['tbsCertificate']['subjectPublicKeyInfo'] key_bytes = _bit_list_to_bytes(cert_info['subjectPublicKey']) pubkey = rsa.PublicKey.load_pkcs1(key_bytes, 'DER') else: pubkey = rsa.PublicKey.load_pkcs1(key_pem, 'PEM') return cls(pubkey)
def test_no_newline_in_received_header(self): non_zero_port = 1 sock = mock.MagicMock() header_without_newline = '' sock.recv(6).decode = mock.MagicMock( name='decode', return_value=header_without_newline) with mock.patch('oauth2client.contrib.devshell.os') as os_mod: os_mod.getenv = mock.MagicMock(name='getenv', return_value=non_zero_port) with mock.patch('oauth2client.contrib.devshell.socket') as socket: socket.socket = mock.MagicMock(name='socket', return_value=sock) with self.assertRaises(CommunicationError): _SendRecv() os_mod.getenv.assert_called_once_with(DEVSHELL_ENV, 0) socket.socket.assert_called_once_with() sock.recv(6).decode.assert_called_once_with() data = CREDENTIAL_INFO_REQUEST_JSON msg = _to_bytes('{0}\n{1}'.format(len(data), data), encoding='utf-8') expected_sock_calls = [ mock.call.recv(6), # From the set-up above mock.call.connect(('localhost', non_zero_port)), mock.call.sendall(msg), mock.call.recv(6), mock.call.recv(6), # From the check above ] self.assertEqual(sock.method_calls, expected_sock_calls)
def test_no_newline_in_received_header(self): non_zero_port = 1 sock = mock.MagicMock() header_without_newline = "" sock.recv(6).decode = mock.MagicMock(name="decode", return_value=header_without_newline) with mock.patch("oauth2client.devshell.os") as os_mod: os_mod.getenv = mock.MagicMock(name="getenv", return_value=non_zero_port) with mock.patch("oauth2client.devshell.socket") as socket: socket.socket = mock.MagicMock(name="socket", return_value=sock) self.assertRaises(CommunicationError, _SendRecv) os_mod.getenv.assert_called_once_with(DEVSHELL_ENV, 0) socket.socket.assert_called_once_with() sock.recv(6).decode.assert_called_once_with() data = CREDENTIAL_INFO_REQUEST_JSON msg = _to_bytes("%s\n%s" % (len(data), data), encoding="utf-8") expected_sock_calls = [ mock.call.recv(6), # From the set-up above mock.call.connect(("localhost", non_zero_port)), mock.call.sendall(msg), mock.call.recv(6), mock.call.recv(6), # From the check above ] self.assertEqual(sock.method_calls, expected_sock_calls)
def _get_private_key(private_key_pkcs8_text): """Get an RSA private key object from a pkcs8 representation.""" private_key_pkcs8_text = _to_bytes(private_key_pkcs8_text) der = rsa.pem.load_pem(private_key_pkcs8_text, 'PRIVATE KEY') asn1_private_key, _ = decoder.decode(der, asn1Spec=PrivateKeyInfo()) return rsa.PrivateKey.load_pkcs1( asn1_private_key.getComponentByName('privateKey').asOctets(), format='DER')
def test_token_too_old_explicit_current_time(self): token_time = 123456789 curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS + 1 key = user_id = None token = base64.b64encode(_to_bytes(str(token_time))) self.assertFalse(xsrfutil.validate_token(key, token, user_id, current_time=curr_time))
def test_token_too_old_implicit_current_time(self): token_time = 123456789 curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS + 1 key = user_id = None token = base64.b64encode(_to_bytes(str(token_time))) with mock.patch('oauth2client.xsrfutil.time') as time: time.time = mock.MagicMock(name='time', return_value=curr_time) self.assertFalse(xsrfutil.validate_token(key, token, user_id)) time.time.assert_called_once_with()
def sign(self, message): """Signs a message. Args: message: bytes, Message to be signed. Returns: string, The signature of the message for the given key. """ message = _helpers._to_bytes(message, encoding='utf-8') return rsa.pkcs1.sign(message, self._key, 'SHA-256')
def test_token_too_old_explicit_current_time(self): token_time = 123456789 curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS + 1 key = user_id = None token = base64.b64encode(_to_bytes(str(token_time))) self.assertFalse( xsrfutil.validate_token(key, token, user_id, current_time=curr_time))
def sign(self, message): """Signs a message. Args: message: string, Message to be signed. Returns: string, The signature of the message for the given key. """ message = _helpers._to_bytes(message, encoding='utf-8') return PKCS1_v1_5.new(self._key).sign(SHA256.new(message))
def sign(self, message): """Signs a message. Args: message: string, Message to be signed. Returns: string, The signature of the message for the given key. """ message = _to_bytes(message, encoding='utf-8') return PKCS1_v1_5.new(self._key).sign(SHA256.new(message))
def verify(self, message, signature): """Verifies a message against a signature. Args: message: string or bytes, The message to verify. If string, will be encoded to bytes as utf-8. signature: string or bytes, The signature on the message. If string, will be encoded to bytes as utf-8. Returns: True if message was signed by the private key associated with the public key that this object was constructed with. """ message = _to_bytes(message, encoding='utf-8') signature = _to_bytes(signature, encoding='utf-8') try: crypto.verify(self._pubkey, signature, message, 'sha256') return True except crypto.Error: return False
def sign(self, message): """Signs a message. Args: message: bytes, Message to be signed. Returns: string, The signature of the message for the given key. """ message = _to_bytes(message, encoding='utf-8') return crypto.sign(self._key, message, 'sha256')
def from_string(key, password=b'notasecret'): """Construct a Signer instance from a string. Args: key: string, private key in PKCS12 or PEM format. password: string, password for the private key file. Returns: Signer instance. Raises: OpenSSL.crypto.Error if the key can't be parsed. """ key = _helpers._to_bytes(key) parsed_pem_key = _helpers._parse_pem_key(key) if parsed_pem_key: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key) else: password = _helpers._to_bytes(password, encoding='utf-8') pkey = crypto.load_pkcs12(key, password).get_privatekey() return OpenSSLSigner(pkey)
def from_string(key, password=b'notasecret'): """Construct a Signer instance from a string. Args: key: string, private key in PKCS12 or PEM format. password: string, password for the private key file. Returns: Signer instance. Raises: OpenSSL.crypto.Error if the key can't be parsed. """ key = _to_bytes(key) parsed_pem_key = _parse_pem_key(key) if parsed_pem_key: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key) else: password = _to_bytes(password, encoding='utf-8') pkey = crypto.load_pkcs12(key, password).get_privatekey() return OpenSSLSigner(pkey)
def pkcs12_key_as_pem(private_key_bytes, private_key_password): """Convert the contents of a PKCS#12 key to PEM using pyOpenSSL. Args: private_key_bytes: Bytes. PKCS#12 key in DER format. private_key_password: String. Password for PKCS#12 key. Returns: String. PEM contents of ``private_key_bytes``. """ private_key_password = _helpers._to_bytes(private_key_password) pkcs12 = crypto.load_pkcs12(private_key_bytes, private_key_password) return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkcs12.get_privatekey())
def pkcs12_key_as_pem(private_key_bytes, private_key_password): """Convert the contents of a PKCS#12 key to PEM using pyOpenSSL. Args: private_key_bytes: Bytes. PKCS#12 key in DER format. private_key_password: String. Password for PKCS#12 key. Returns: String. PEM contents of ``private_key_bytes``. """ private_key_password = _to_bytes(private_key_password) pkcs12 = crypto.load_pkcs12(private_key_bytes, private_key_password) return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkcs12.get_privatekey())
def verify(self, message, signature): """Verifies a message against a signature. Args: message: string or bytes, The message to verify. If string, will be encoded to bytes as utf-8. signature: string or bytes, The signature on the message. Returns: True if message was signed by the private key associated with the public key that this object was constructed with. """ message = _to_bytes(message, encoding='utf-8') return PKCS1_v1_5.new(self._pubkey).verify( SHA256.new(message), signature)
def verify(self, message, signature): """Verifies a message against a signature. Args: message: string or bytes, The message to verify. If string, will be encoded to bytes as utf-8. signature: string or bytes, The signature on the message. Returns: True if message was signed by the private key associated with the public key that this object was constructed with. """ message = _helpers._to_bytes(message, encoding='utf-8') return PKCS1_v1_5.new(self._pubkey).verify(SHA256.new(message), signature)
def pkcs12_key_as_pem(private_key_text, private_key_password): """Convert the contents of a PKCS12 key to PEM using OpenSSL. Args: private_key_text: String. Private key. private_key_password: String. Password for PKCS12. Returns: String. PEM contents of ``private_key_text``. """ decoded_body = base64.b64decode(private_key_text) private_key_password = _to_bytes(private_key_password) pkcs12 = crypto.load_pkcs12(decoded_body, private_key_password) return crypto.dump_privatekey(crypto.FILETYPE_PEM, pkcs12.get_privatekey())
def test_success(self): token_time = 123456789 # Make sure it isn't too old. curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1 key = object() user_id = object() action_id = object() token = base64.b64encode(_to_bytes(str(token_time))) with mock.patch('oauth2client.xsrfutil.generate_token', return_value=token) as gen_tok: self.assertTrue(xsrfutil.validate_token(key, token, user_id, current_time=curr_time, action_id=action_id)) gen_tok.assert_called_once_with(key, user_id, action_id=action_id, when=token_time)
def verify(self, message, signature): """Verifies a message against a signature. Args: message: string or bytes, The message to verify. If string, will be encoded to bytes as utf-8. signature: string or bytes, The signature on the message. If string, will be encoded to bytes as utf-8. Returns: True if message was signed by the private key associated with the public key that this object was constructed with. """ message = _to_bytes(message, encoding='utf-8') try: return rsa.pkcs1.verify(message, signature, self._pubkey) except (ValueError, rsa.pkcs1.VerificationError): return False
def verify(self, message, signature): """Verifies a message against a signature. Args: message: string or bytes, The message to verify. If string, will be encoded to bytes as utf-8. signature: string or bytes, The signature on the message. If string, will be encoded to bytes as utf-8. Returns: True if message was signed by the private key associated with the public key that this object was constructed with. """ message = _helpers._to_bytes(message, encoding='utf-8') try: return rsa.pkcs1.verify(message, signature, self._pubkey) except (ValueError, rsa.pkcs1.VerificationError): return False
def verify_signed_jwt_with_certs(jwt, certs, audience=None): """Verify a JWT against public certs. See http://self-issued.info/docs/draft-jones-json-web-token.html. Args: jwt: string, A JWT. certs: dict, Dictionary where values of public keys in PEM format. audience: string, The audience, 'aud', that this JWT should contain. If None then the JWT's 'aud' parameter is not verified. Returns: dict, The deserialized JSON payload in the JWT. Raises: AppIdentityError: if any checks are failed. """ jwt = _helpers._to_bytes(jwt) if jwt.count(b'.') != 2: raise AppIdentityError( 'Wrong number of segments in token: {0}'.format(jwt)) header, payload, signature = jwt.split(b'.') message_to_sign = header + b'.' + payload signature = _helpers._urlsafe_b64decode(signature) # Parse token. payload_bytes = _helpers._urlsafe_b64decode(payload) try: payload_dict = json.loads(_helpers._from_bytes(payload_bytes)) except: raise AppIdentityError('Can\'t parse token: {0}'.format(payload_bytes)) # Verify that the signature matches the message. _verify_signature(message_to_sign, signature, certs.values()) # Verify the issued at and created times in the payload. _verify_time_range(payload_dict) # Check audience. _check_audience(payload_dict, audience) return payload_dict
def _refresh_success_helper(self, bytes_response=False): access_token = u'this-is-a-token' return_val = json.dumps({u'access_token': access_token}) if bytes_response: return_val = _to_bytes(return_val) http = mock.MagicMock() http.request = mock.MagicMock( return_value=(mock.Mock(status=http_client.OK), return_val)) credentials = AppAssertionCredentials() self.assertEquals(None, credentials.access_token) credentials.refresh(http) self.assertEquals(access_token, credentials.access_token) base_metadata_uri = ( 'http://metadata.google.internal/computeMetadata/v1/instance/' 'service-accounts/default/token') http.request.assert_called_once_with( base_metadata_uri, headers={'Metadata-Flavor': 'Google'})
def _refresh_success_helper(self, bytes_response=False): access_token = u'this-is-a-token' return_val = json.dumps({u'access_token': access_token}) if bytes_response: return_val = _to_bytes(return_val) http = mock.MagicMock() http.request = mock.MagicMock(return_value=(mock.Mock( status=http_client.OK), return_val)) credentials = AppAssertionCredentials() self.assertEquals(None, credentials.access_token) credentials.refresh(http) self.assertEquals(access_token, credentials.access_token) base_metadata_uri = ( 'http://metadata.google.internal/computeMetadata/v1/instance/' 'service-accounts/default/token') http.request.assert_called_once_with( base_metadata_uri, headers={'Metadata-Flavor': 'Google'})
def test_bad_message_to_mock_server(self): request_content = CREDENTIAL_INFO_REQUEST_JSON + "extrastuff" request_message = _to_bytes("%d\n%s" % (len(request_content), request_content)) response_message = "foobar" with _AuthReferenceServer(response_message) as auth_server: self.assertFalse(auth_server.bad_request) sock = socket.socket() port = int(os.getenv(DEVSHELL_ENV, 0)) sock.connect(("localhost", port)) sock.sendall(request_message) # Mimic the receive part of _SendRecv header = sock.recv(6).decode() len_str, result = header.split("\n", 1) to_read = int(len_str) - len(result) result += sock.recv(to_read, socket.MSG_WAITALL).decode() self.assertTrue(auth_server.bad_request) self.assertEqual(result, response_message)
def from_string(key_pem, is_x509_cert): """Construct a Verified instance from a string. Args: key_pem: string, public key in PEM format. is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it is expected to be an RSA key in PEM format. Returns: Verifier instance. Raises: OpenSSL.crypto.Error: if the key_pem can't be parsed. """ key_pem = _to_bytes(key_pem) if is_x509_cert: pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, key_pem) else: pubkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem) return OpenSSLVerifier(pubkey)
def _refresh_success_helper(self, bytes_response=False): access_token = u'this-is-a-token' return_val = json.dumps({u'accessToken': access_token}) if bytes_response: return_val = _to_bytes(return_val) http = mock.MagicMock() http.request = mock.MagicMock( return_value=(mock.Mock(status=http_client.OK), return_val)) scopes = ['http://example.com/a', 'http://example.com/b'] credentials = AppAssertionCredentials(scope=scopes) self.assertEquals(None, credentials.access_token) credentials.refresh(http) self.assertEquals(access_token, credentials.access_token) base_metadata_uri = ('http://metadata.google.internal/0.1/meta-data/' 'service-accounts/default/acquire') escaped_scopes = urllib.parse.quote(' '.join(scopes), safe='') request_uri = base_metadata_uri + '?scope=' + escaped_scopes http.request.assert_called_once_with(request_uri)
def test_token_length_differs_from_generated(self): token_time = 123456789 # Make sure it isn't too old. curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1 key = object() user_id = object() action_id = object() token = base64.b64encode(_to_bytes(str(token_time))) generated_token = b'a' # Make sure the token length comparison will fail. self.assertNotEqual(len(token), len(generated_token)) with mock.patch('oauth2client.xsrfutil.generate_token', return_value=generated_token) as gen_tok: self.assertFalse(xsrfutil.validate_token(key, token, user_id, current_time=curr_time, action_id=action_id)) gen_tok.assert_called_once_with(key, user_id, action_id=action_id, when=token_time)
def from_string(key_pem, is_x509_cert): """Construct a Verified instance from a string. Args: key_pem: string, public key in PEM format. is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it is expected to be an RSA key in PEM format. Returns: Verifier instance. Raises: OpenSSL.crypto.Error: if the key_pem can't be parsed. """ key_pem = _helpers._to_bytes(key_pem) if is_x509_cert: pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, key_pem) else: pubkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem) return OpenSSLVerifier(pubkey)
def test_bad_message_to_mock_server(self): request_content = CREDENTIAL_INFO_REQUEST_JSON + 'extrastuff' request_message = _to_bytes( '%d\n%s' % (len(request_content), request_content)) response_message = 'foobar' with _AuthReferenceServer(response_message) as auth_server: self.assertFalse(auth_server.bad_request) sock = socket.socket() port = int(os.getenv(DEVSHELL_ENV, 0)) sock.connect(('localhost', port)) sock.sendall(request_message) # Mimic the receive part of _SendRecv header = sock.recv(6).decode() len_str, result = header.split('\n', 1) to_read = int(len_str) - len(result) result += sock.recv(to_read, socket.MSG_WAITALL).decode() self.assertTrue(auth_server.bad_request) self.assertEqual(result, response_message)
def test_bad_message_to_mock_server(self): request_content = devshell.CREDENTIAL_INFO_REQUEST_JSON + 'extrastuff' request_message = _helpers._to_bytes( '{0}\n{1}'.format(len(request_content), request_content)) response_message = 'foobar' with _AuthReferenceServer(response_message) as auth_server: self.assertFalse(auth_server.bad_request) sock = socket.socket() port = int(os.getenv(devshell.DEVSHELL_ENV, 0)) sock.connect(('localhost', port)) sock.sendall(request_message) # Mimic the receive part of _SendRecv header = sock.recv(6).decode() len_str, result = header.split('\n', 1) to_read = int(len_str) - len(result) result += sock.recv(to_read, socket.MSG_WAITALL).decode() self.assertTrue(auth_server.bad_request) self.assertEqual(result, response_message)
def _refresh_success_helper(self, bytes_response=False): access_token = u'this-is-a-token' return_val = json.dumps({u'accessToken': access_token}) if bytes_response: return_val = _to_bytes(return_val) http = mock.MagicMock() http.request = mock.MagicMock( return_value=(mock.Mock(status=200), return_val)) scopes = ['http://example.com/a', 'http://example.com/b'] credentials = AppAssertionCredentials(scope=scopes) self.assertEquals(None, credentials.access_token) credentials.refresh(http) self.assertEquals(access_token, credentials.access_token) base_metadata_uri = ('http://metadata.google.internal/0.1/meta-data/' 'service-accounts/default/acquire') escaped_scopes = urllib.parse.quote(' '.join(scopes), safe='') request_uri = base_metadata_uri + '?scope=' + escaped_scopes http.request.assert_called_once_with(request_uri)
def _write_credentials_file(credentials_file, credentials): """Writes credentials to a file. Refer to :func:`_load_credentials_file` for the format. Args: credentials_file: An open file handle, must be read/write. credentials: A dictionary mapping user-defined keys to an instance of :class:`oauth2client.client.Credentials`. """ data = {"file_version": 2, "credentials": {}} for key, credential in iteritems(credentials): credential_json = credential.to_json() encoded_credential = _helpers._from_bytes(base64.b64encode(_helpers._to_bytes(credential_json))) data["credentials"][key] = encoded_credential credentials_file.seek(0) json.dump(data, credentials_file) credentials_file.truncate()
def test_success(self): token_time = 123456789 # Make sure it isn't too old. curr_time = token_time + xsrfutil.DEFAULT_TIMEOUT_SECS - 1 key = object() user_id = object() action_id = object() token = base64.b64encode(_to_bytes(str(token_time))) with mock.patch('oauth2client.xsrfutil.generate_token', return_value=token) as gen_tok: self.assertTrue( xsrfutil.validate_token(key, token, user_id, current_time=curr_time, action_id=action_id)) gen_tok.assert_called_once_with(key, user_id, action_id=action_id, when=token_time)
def _write_credentials_file(credentials_file, credentials): """Writes credentials to a file. Refer to :func:`_load_credentials_file` for the format. Args: credentials_file: An open file handle, must be read/write. credentials: A dictionary mapping user-defined keys to an instance of :class:`oauth2client.client.Credentials`. """ data = {'file_version': 2, 'credentials': {}} for key, credential in iteritems(credentials): credential_json = credential.to_json() encoded_credential = _helpers._from_bytes( base64.b64encode(_helpers._to_bytes(credential_json))) data['credentials'][key] = encoded_credential credentials_file.seek(0) json.dump(data, credentials_file) credentials_file.truncate()
def from_string(key_pem, is_x509_cert): """Construct a Verified instance from a string. Args: key_pem: string, public key in PEM format. is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it is expected to be an RSA key in PEM format. Returns: Verifier instance. """ if is_x509_cert: key_pem = _helpers._to_bytes(key_pem) pemLines = key_pem.replace(b' ', b'').split() certDer = _helpers._urlsafe_b64decode(b''.join(pemLines[1:-1])) certSeq = DerSequence() certSeq.decode(certDer) tbsSeq = DerSequence() tbsSeq.decode(certSeq[0]) pubkey = RSA.importKey(tbsSeq[6]) else: pubkey = RSA.importKey(key_pem) return PyCryptoVerifier(pubkey)