def CheckToken(token):
try:
jwt.verify_jwt(token, key, ['PS256'])
return True
except:
return False
def test_exported_key_doesnt_verify_invalid_token(
fake_client_app, fake_email, create_fake_client_app
):
fake_client_app2 = create_fake_client_app()
token = security_token.generate(fake_email, fake_client_app)
exported_key_dict = security_client_app.export_public_key(fake_client_app2)
key = jwk.JWK(**exported_key_dict)
assert fake_client_app.get_key() != fake_client_app2.get_key()
with pytest.raises(InvalidJWSSignature):
jwt.verify_jwt(token, key, allowed_algs=["ES256"])
def verify_access_token(access_token):
try:
access_token = access_token[7:]
JWT._access_token_in_cache(access_token)
jwt.verify_jwt(jwt=access_token,
pub_key=JWT._get_private_key(),
allowed_algs=['PS256'])
except Exception as error:
return False, error, 401
# If we get to this point. All good.
# Check the token exists. Not sure it is for the user but we have to assume. That is how jwt works. I think.
# Token not expired
return True, "", 200
def get_token(request):
token = Token()
authorization = request.headers.get('Authorization')
if authorization is None:
return token
if authorization[0:6].lower() != 'bearer':
return token
token.jwt = authorization[7:] # 去除前缀“Bearer ”
try:
jwt_decoded = python_jwt.verify_jwt(
token.jwt,
jwk.JWK.from_pem(g.config.public_key), ['RS256'],
checks_optional=True,
ignore_not_implemented=True)
claims = jwt_decoded[1]
token.username = claims.get('user_name') or claims.get('client_id')
token.rules = claims.get('authorities') or []
token.is_valid = True
except Exception as e:
token.is_valid = False
token.jwt = None
token.username = None
token.rules = []
return token
def gen_client_token():
claims = {'scope': ['web-app'], 'client_id': 'internal'}
try:
jwt = python_jwt.generate_jwt(claims,
priv_key=jwk.JWK.from_pem(
g.config.private_key),
algorithm='RS256',
lifetime=datetime.timedelta(seconds=300),
jti_size=16)
except:
return None
try:
jwt_decoded = python_jwt.verify_jwt(jwt,
pub_key=jwk.JWK.from_pem(
g.config.public_key),
allowed_algs=['RS256'],
checks_optional=True,
ignore_not_implemented=True)
except:
return None
result = {
'access_token': jwt,
'token_type': 'bearer',
'scope': 'web-app',
"iat": jwt_decoded[1].get('iat'),
'expires_in':
jwt_decoded[1].get('exp') - jwt_decoded[1].get('iat') - 1,
"jti": jwt_decoded[1].get('jti')
}
return result
def wrapper(request, *args, **kwargs):
# if 'HTTP_X_FORWARDED_FOR' in request.META:
# ip = request.META['HTTP_X_FORWARDED_FOR'] # 获取代理前客户端的真实IP地址
# else:
# ip = request.META['REMOTE_ADDR'] # 获取客户端IP地址
token = request.headers.get('token', None)
if token:
try:
header, payload = jwt.verify_jwt(token, key, [alg, ]) # 获取JWT中的信息
request.user = payload['user']
if not request.user:
result = {'status': 402, 'message': '认证失败'}
logger.error('认证失败,未知用户')
return JsonResponse(result)
else:
token_black_list = TokenOP(request.user, token)
if not token_black_list.is_valid_token(): # 验证token是否在黑名单中
result = {'status': 402, 'message': '认证失败'}
logger.error('认证失败,token失效')
return JsonResponse(result)
except Exception as e:
result = {'status': 402, 'message': '无效的token'}
logger.error('认证失败,无效的token')
return JsonResponse(result)
else:
logger.error('认证失败,无效的token')
return JsonResponse({'status': 402, 'message': '无效的token'})
logger.debug('认证通过: {}'.format(request.user))
return func(request, *args, **kwargs)
def decode_token(self, token):
with open(f"{os.environ['KEY_PATH']}/{os.environ['KEY_NAME']}.pub", 'r') as pb_key:
return jwt.verify_jwt(
token,
jwk.JWK.from_json(pb_key.readline()),
['RS256']
)
def GetToken(self, username, password):
try:
db = NWD_DB()
sub = db.authenticate_user(username, password)[0]
if sub != '':
key = jwk.JWK.generate(kty='RSA', size=2048)
userinfo = db.get_user_info(sub)
payload = {
'fname': userinfo['fname'],
'lname': userinfo['lname'],
'phone': userinfo['phone'],
'email': userinfo['email'],
'datejoined': userinfo['datejoined'],
'sub': userinfo['user_id'],
}
token = jwt.generate_jwt(payload, key, 'PS256',
datetime.timedelta(days=1))
header, claims = jwt.verify_jwt(token, key, ['PS256'])
for k in payload:
assert claims[k] == payload[k]
return token
else:
return ''
except:
return ''
def validate_token(jwkset, token, clock_skew_seconds):
headers, _ = jwt.process_jwt(token)
alg = headers['alg']
kid = headers['kid']
if not alg:
raise Exception('No \'alg\' claim in JWT token header')
if not alg in allowed_algs:
raise Exception('\'%s\' is not an allowed algorithm.' % alg)
if not kid:
raise Exception('No \'kid\' claim in JWT token header')
json_key = jwkset.get_key(kid)
algorithms = [alg]
# Exception raised on invalid token input will be bubble up to the caller.
_, payload = jwt.verify_jwt(token, json_key, algorithms,
datetime.timedelta(seconds=clock_skew_seconds))
typ = payload.get('typ', None)
if typ != 'Bearer':
raise Exception(
'The token is not intended for autorization (\'typ\' should be \'Bearer\', not \'%s\')'
% typ)
return payload
def parse_token(self, data, app=None):
# parse token header and get relevant public key
unverified_header, unverified_claims = jwt.process_jwt(
data['id_token'])
public_key = self.get_public_key(unverified_header.get('kid'))
# verify signature, iat, exp
header, claims = jwt.verify_jwt(data['id_token'],
public_key, ['RS256'],
timedelta(minutes=1),
checks_optional=True)
# Verify we are the intended audience for the token
intended_audiences = [self.intended_aud]
if app is not None:
intended_audiences.append(app.client_id)
if claims.get('aud') is not None and claims.get(
'aud') not in intended_audiences:
raise OAuth2Error(
"JWT aud {} does not match intended audience {}".format(
claims.get('aud'), self.intended_aud))
social_token = SocialToken(token=data['id_token'])
social_token.expires_at = datetime.fromtimestamp(claims['iat'],
tz=timezone.utc)
return social_token
def validateToken(self, token, secret=None):
if not secret:
secret = jwk.JWK.from_pem(config.jwt_key)
try:
header, claims = jwt.verify_jwt(token, secret, ['PS256'])
except (jwt._JWTError, jws.InvalidJWSSignature, ValueError):
return False
return True
def verify(self, incoming_token):
secret = self._info.get('secret')
if not secret:
raise sei_py.base.exception.SeiException( \
False, ['secret not found'])
header, claims = jwt.verify_jwt(incoming_token, secret, ['HS256'])
return bool(header and claims)
def crear_encuesta():
# Creacion de la cola
connection = pika.BlockingConnection(
pika.ConnectionParameters(host=os.environ['RABBITMQ_ENDPOINT']))
channel = connection.channel()
logger.info('ENCUESTA ')
token_type, token = request.headers['Authorization'].split()
print token
usr = ""
try:
header, claims = jwt.verify_jwt(token, public_key, ['RS256'])
except jws.exceptions.SignatureError:
message = "Invalid token"
usr = claims['userid']
logger.info('USER : %s ', usr)
logger.info('Processing create ')
data = request.json
cnx = None
try:
#variables para el request
state = "En proceso"
total = 0
paramHash = data['hash']
paramTime = data['time']
paramSurvey = data['surveyname']
logger.info('connect : %s', mysql_config)
cnx = pymysql.connect(**mysql_config)
cursor = cnx.cursor()
insert_test = "INSERT INTO jobs (username, surveyname, hash, tiempo, count,state) VALUES (%s,%s,%s,%s,%s,%s)"
data = (usr, paramSurvey, paramHash, paramTime, total, state
) # tupla s
cursor.execute(insert_test, data)
cnx.commit()
cursor.close()
ret = {"status": "OK"}
except pymysql.Error as err:
logger.info('error : %s', err)
ret = {"status": "FAIL", "msg": err}
finally:
if cnx:
cnx.close()
logger.info('---------------ANTES DEL MSG---------------')
msg = {
"user": usr,
"paramHash": paramHash,
"paramTime": paramTime,
"paramSurvey": paramSurvey
}
logger.info('SEND : %s ', msg)
channel.basic_publish(exchange='',
routing_key='newsurvey',
body=json.dumps(msg))
connection.close()
# ret = {"status": "OK"}
return ret
def validate_jwt(token, client=None):
from openid_connect_op.models import OpenIDClient
if client is None:
client = OpenIDClient.self_instance()
if client.client_auth_type == OpenIDClient.CLIENT_AUTH_TYPE_SECRET_JWT:
key = jwk.JWK(kty="oct",
use="sig",
alg="HS256",
k=base64url_encode(client.client_hashed_secret))
return jwt.verify_jwt(token, key, ['HS256'], checks_optional=True)
header, __ = jwt.process_jwt(token)
key = client.get_key(alg=header.get('alg', 'RS256'),
kid=header.get('kid', None))
return jwt.verify_jwt(token,
key, [key._params.get('alg', 'RS256')],
checks_optional=True)
def validate_token(token):
public_key_file = os.path.join(os.path.dirname(__file__), 'keypair.pub')
with open(public_key_file, 'r') as fd:
public_key = RSA.importKey(fd.read())
try:
header, claims = jwt.verify_jwt(token, public_key, ['RS256'])
except jwt.exceptions.SignatureError:
print('invalid token signature')
raise SystemExit()
def validate_token(token):
key = generate_key()
try:
header, claims = jwt.verify_jwt(token, key, ['RS256'])
return dict(
user_id=claims['user_id']
)
except:
return False
def test_exported_key_verifies_token(fake_client_app, fake_email):
token = security_token.generate(fake_email, fake_client_app)
exported_key_dict = security_client_app.export_public_key(fake_client_app)
key = jwk.JWK(**exported_key_dict)
headers, claims = jwt.verify_jwt(token, key, allowed_algs=["ES256"])
assert headers["alg"] == "ES256"
assert claims["sub"] == fake_email
assert claims["iss"] == f"{config.ISSUER}/app/{fake_client_app.app_id}"
def parse_token(token):
try:
header, claims = jwt.verify_jwt(token, pub_key, ['RS256'])
except jwt._JWTError:
# 通常为过期
return "token expired!"
except Exception:
return "token error!"
else:
return claims
def test_will_raise_exception_when_typ_is_not_Bearer():
payload = {'typ': 'ID', 'foo': 'bar', 'baz': 42}
other_headers = {'kid': key.key_id}
token = generate_jwt(payload,
key,
'RS256',
datetime.timedelta(minutes=5),
other_headers=other_headers)
assert_raises(Exception, verify_jwt(token, key, ['RS256']))
def run():
token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODY4MTYzMTIsImZvbyI6ImJhciIsImlhdCI6MTU4NjgxNjI1MiwianRpIjoiV1VJbkhrT01RSFMzSC1LUURIYUpZdyIsIm5iZiI6MTU4NjgxNjI1Miwid3VwIjo5MH0.Ep0hCSDh5FBTxwbPadjh-9P42ePrcTmWgWNv46oyQrSB6jgA9z3kPlZ9NKK7v_MmrfV_Pj1MlUhs1-Umvyk8Cr6gDVb7Mm9mcqDxf3e-sgmYCMxmPPofTPX_b0-faDzL7K_zjdjHmoVFUpsIBONZ8jU8YBXHxu4sKJXIyPNPiYp2kzffnMj8TClUXmCMRK7mrHYgD0RHXwdo9aJT3glmtnxGYdHqkV6ygiasOC5jGSdYKf3jBKzY10vYocOvsMniT25a8Z-CbeFNWriCCDcBOB3Z74speoGreqxBrqVu5h8AJ0EPQ6GJvrRSToNMQMCddEsqNGanU-Rt0wibTZ7hbg'
key_uri = os.path.join(BASE_DIR, 'afinidata.key')
key_file = pem.parse_file(key_uri)
key_string = str(key_file[0]).encode()
key = jwk.JWK.from_pem(key_string)
try:
header, claims = jwt.verify_jwt(token, key, ['RS256'])
print(header, claims)
except:
print('expired')
def post(self, request):
try:
token = request.headers.get('token')
header, payload = jwt.verify_jwt(token, key, [alg, ])
token_black_list = TokenOP(payload['user'], token)
token_black_list.append_to_black_list()
except Exception as e:
pass
finally:
logger.warning('退出登录: {}'.format(payload['user']))
return JsonResponse({'status': 200, 'message': '退出登录'})
def test_generate(fake_email, fake_client_app):
token = security_token.generate(fake_email, fake_client_app)
assert token is not None
headers, claims = jwt.verify_jwt(token,
fake_client_app.get_key(),
allowed_algs=["ES256"])
assert headers["alg"] == "ES256"
assert claims["sub"] == fake_email
assert claims["iss"] == f"{config.ISSUER}/app/{fake_client_app.app_id}"
def run():
key_uri = os.path.join(BASE_DIR, 'afinidata.key')
key_file = pem.parse_file(key_uri)
key_string = str(key_file[0]).encode()
payload = {'foo': 'bar', 'wup': 90}
priv_key = jwk.JWK.from_pem(key_string)
token = jwt.generate_jwt(payload, priv_key, 'RS256',
datetime.timedelta(minutes=1))
print('token: ', token)
header, claims = jwt.verify_jwt(token, priv_key, ['RS256'])
print(header, claims)
for k in payload:
assert claims[k] == payload[k]
def gen_user_token(user):
claims = {
'user_name': user.login,
'authorities': user.authorities,
'scope': ['openid'],
'client_id': 'web_app'
}
try:
access_token = python_jwt.generate_jwt(
claims,
priv_key=jwk.JWK.from_pem(g.config.private_key),
algorithm='RS256',
lifetime=datetime.timedelta(seconds=300), # 5 min
jti_size=16)
except:
return None
try:
jwt_decoded = python_jwt.verify_jwt(access_token,
pub_key=jwk.JWK.from_pem(
g.config.public_key),
allowed_algs=['RS256'],
checks_optional=True,
ignore_not_implemented=True)
except:
return None
try:
refresh_token = python_jwt.generate_jwt(
claims,
priv_key=jwk.JWK.from_pem(g.config.private_key),
algorithm='RS256',
lifetime=datetime.timedelta(seconds=604800), # 7 days
jti_size=16)
except:
return None
result = {
'access_token': access_token,
'refresh_token': refresh_token,
'token_type': 'bearer',
'scope': 'web-app',
'iat': jwt_decoded[1].get('iat'),
'exp': jwt_decoded[1].get('exp'),
'expires_in':
jwt_decoded[1].get('exp') - jwt_decoded[1].get('iat') - 1,
'jti': jwt_decoded[1].get('jti')
}
return result
def decode_auth_token(auth_token):
"""
验证token
:param auth_token: string 待校验的token
:return: (tuple)|none 如果校验成功则返回usrid和logintime的元组
"""
try:
_, playload = jwt.verify_jwt(auth_token, key, ['HS256'])
if 'usr_id' in playload and 'login_time' in playload:
return playload['usr_id'], playload['login_time']
else:
return None
except Exception as e:
return None
def _check_token(token, key, app_id) -> (dict, dict):
try:
headers, claims = jwt.verify_jwt(token, key, allowed_algs=["ES256"])
except (
jwt._JWTError,
UnicodeDecodeError,
InvalidJWSObject,
InvalidJWSSignature,
ValueError,
):
raise TokenVerificationError
if claims["iss"] != f"{config.ISSUER}/app/{app_id}":
raise TokenVerificationError
return headers, claims
async def verify_token(self, token):
"""Verify a JustAuthenticateMe token against jwks.
:param token: idToken (jwt) from JustAuthenticateMe
:returns headers, claims: headers and claims encoded in the user jwt
:raises JAMNotVerified: if verification fails on a token
"""
try:
return jwt.verify_jwt(token, await self.jwk(), ["ES512"])
except InvalidJWSSignature:
raise JAMNotVerified()
except jwt._JWTError as e:
raise JAMNotVerified(str(e))
except Exception:
raise JustAuthenticateMeError("Unknown Error")
def verify_jwt(self, token):
""" verification token, if pass return claims
"""
try:
_, claims = jwt.verify_jwt(token, self.settings['cookie_secret'], "HS256")
except:
return
is_blacked = self.redis.get("jwt_blacked:%s" % claims["id"])
if is_blacked:
return
return claims
def test_validate_token():
payload = {'typ': 'Bearer', 'foo': 'bar', 'baz': 42}
other_headers = {'kid': key.key_id}
token = generate_jwt(payload, key, 'RS256', datetime.timedelta(minutes=5), other_headers=other_headers)
header, claims = verify_jwt(token, key, ['RS256'])
assert header is not None
assert claims is not None
keyset = JWKSet()
keyset.add(key)
assert validate_token(keyset, token, clock_skew_seconds=60)
def verify_token(request):
f2 = open('apps/login/pem/PUB.pem', 'rb')
PUB_PEM = f2.read()
PUB_KEY = jwk.JWK.from_pem(PUB_PEM) # 公共秘钥
f2.close()
token = get_token(request)
try:
header, claims = jwt.verify_jwt(token,
pub_key=PUB_KEY,
allowed_algs=['RS256'])
except:
return None
else:
uid = claims['uid']
return int(uid)
JWT_TOKEN_NOT_BEFORE_TIMEDELTA = 10
print '##### Generating token'
private_key_file = os.path.join(os.path.dirname(__file__), 'keypair.priv')
#private_key_file = os.path.join(os.path.dirname(__file__), 'otra.priv')
with open(private_key_file, 'r') as fd:
private_key = RSA.importKey(fd.read())
payload = {'userId': '1234', 'role': 'admin'};
print 'payload =', json.dumps(payload)
token = jwt.generate_jwt(payload, private_key, 'RS256', datetime.timedelta(minutes=5))
print 'token:', token
print '##### Validating token'
public_key_file = os.path.join(os.path.dirname(__file__), 'keypair.pub')
with open(public_key_file, 'r') as fd:
public_key = RSA.importKey(fd.read())
try:
header, claims = jwt.verify_jwt(token, public_key, ['RS256'])
except jws.exceptions.SignatureError:
print 'invalid token signature!'
raise SystemExit()
print 'token OK'
print 'header:', json.dumps(header)
print 'claims:', json.dumps(claims)
for k in payload: assert claims[k] == payload[k]
