def test_serializing_max_length_packet(self): m = Macaroon(location='test', identifier='blah', key='secret', version=MACAROON_V1) m.add_first_party_caveat('x' * 65526) # exactly 0xFFFF assert_not_equal(m.serialize(), None)
def test_serializing_too_long_packet(self): m = Macaroon(location='test', identifier='blah', key='secret', version=MACAROON_V1) m.add_first_party_caveat('x' * 65527) # one byte too long assert_raises(MacaroonSerializationException, m.serialize)
def test_verify_third_party_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) discharge = Macaroon( location='http://auth.mybank/', key=caveat_key, identifier=identifier ) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) v = Verifier() v.satisfy_exact('account = 3735928559') v.satisfy_exact('time < 2015-01-01T00:00') verified = v.verify( m, 'this is a different super-secret key; \ never use the same secret twice', discharge_macaroons=[protected] ) assert_true(verified)
def generate_macaroon(self, nonce): m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat( 'http://auth.mybank/', caveat_key, identifier, nonce=nonce, ) discharge = Macaroon( location='http://auth.mybank/', key=caveat_key, identifier=identifier ) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) return protected.signature
def test_prepare_for_request(self, rand_nonce): # use a fixed nonce to ensure the same signature rand_nonce.return_value = truncate_or_pad( b'\0', size=crypto_box_NONCEBYTES ) m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat( 'http://auth.mybank/', caveat_key, identifier ) discharge = Macaroon( location='http://auth.mybank/', key=caveat_key, identifier=identifier ) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) assert_equal( protected.signature, '2eb01d0dd2b4475330739140188648cf25dda0425ea9f661f1574ca0a9eac54e' )
def test_serializing_max_length_packet(self): m = Macaroon(location='test', identifier='blah', key='secret') m.add_first_party_caveat('x' * 65526) # exactly 0xFFFF assert_not_equal( m.serialize(), None )
def test_verify_third_party_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) discharge = Macaroon( location='http://auth.mybank/', key=caveat_key, identifier=identifier ) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) v = Verifier() v.satisfy_exact('account = 3735928559') v.satisfy_exact('time < 2015-01-01T00:00') verified = v.verify( m, 'this is a different super-secret key; \ never use the same secret twice', discharge_macaroons=[protected] ) assert_true(verified)
def test_serializing_too_long_packet(self): m = Macaroon(location='test', identifier='blah', key='secret') m.add_first_party_caveat('x' * 65527) # one byte too long assert_raises( MacaroonSerializationException, m.serialize )
def test_prepare_for_request(self, rand_nonce): # use a fixed nonce to ensure the same signature rand_nonce.return_value = truncate_or_pad( b'\0', size=crypto_box_NONCEBYTES ) m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat( 'http://auth.mybank/', caveat_key, identifier ) discharge = Macaroon( location='http://auth.mybank/', key=caveat_key, identifier=identifier ) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) assert_equal( protected.signature, '2eb01d0dd2b4475330739140188648cf25dda0425ea9f661f1574ca0a9eac54e' )
def test_logging(self): r = Request() root_key = hashlib.sha256("root").hexdigest() root_macaroon = Macaroon(key=root_key) discharge_key = hashlib.sha256("discharge").hexdigest() discharge_caveat_id = '{"secret": "thing"}' root_macaroon.add_third_party_caveat( "sso.example", discharge_key, discharge_caveat_id) root_macaroon.add_first_party_caveat( "store.example|package_id|{}".format( json.dumps(["example-package"]))) unbound_discharge_macaroon = Macaroon( location="sso.example", key=discharge_key, identifier=discharge_caveat_id) unbound_discharge_macaroon.add_first_party_caveat( "sso.example|account|{}".format( base64.b64encode(json.dumps({ "openid": "1234567", "email": "*****@*****.**", })))) logger = BufferLogger() MacaroonAuth( root_macaroon.serialize(), unbound_discharge_macaroon.serialize(), logger=logger)(r) self.assertEqual( ['DEBUG root macaroon: snap-ids: ["example-package"]', 'DEBUG discharge macaroon: OpenID identifier: 1234567'], logger.getLogBuffer().splitlines())
def callback(request): new_macaroon = Macaroon( location="sso.example", key=self.discharge_key, identifier=self.discharge_caveat_id) new_macaroon.add_first_party_caveat("sso|expires|tomorrow") return ( 200, {}, json.dumps({"discharge_macaroon": new_macaroon.serialize()}))
def test_serializing_deserializing_json(self): m = Macaroon(location='http://test/', identifier='first', key='secret_key_1') m.add_first_party_caveat('test = caveat') n = Macaroon.deserialize(m.serialize(serializer=JsonSerializer()), serializer=JsonSerializer()) assert_equal(m.signature, n.signature)
def bake(user: User, caveats: List[str]) -> str: m_obj = Macaroon(location=os.environ.get("ENDPOINT"), identifier=user.username, key=user.key) for caveat in caveats: m_obj.add_first_party_caveat(caveat) return m_obj.serialize()
def test_serializing_json(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('test = caveat') assert_equal( json.loads(m.serialize(serializer=JsonSerializer()))['signature'], "197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67")
def issueMacaroon(self, context, **kwargs): """See `IMacaroonIssuer`.""" context = self.checkIssuingContext(context, **kwargs) macaroon = Macaroon(location=config.vhost.mainsite.hostname, identifier=self.identifier, key=self._root_secret) macaroon.add_first_party_caveat("%s %s" % (self._primary_caveat_name, context)) return macaroon
def test_first_party_caveat(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('test = caveat') assert_equal( m.signature, '197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67')
def login_device(macaroon, manufacturer, channel_id): m = Macaroon(location='localhost', identifier=manufacturer, key=keys[manufacturer]) m1 = Macaroon.deserialize(macaroon) channels = [] for caveat in m1.caveats: m.add_first_party_caveat(caveat.to_dict()['cid']) channels.append(caveat.to_dict()['cid']) return m1.signature == m.signature and channel_id in channels[2:]
def test_serializing_json_v2(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it', version=MACAROON_V2) m.add_first_party_caveat('test = caveat') assert_equal( json.loads(m.serialize(serializer=JsonSerializer()))['s64'], "GXusegRK8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWc")
def test_inspect(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('test = caveat') assert_equal(m.inspect(), 'location http://mybank/\nidentifier we used\ our secret key\ncid test = caveat\nsignature 197bac7a044af33332865b9266e26d49\ 3bdd668a660e44d88ce1a998c23dbd67')
def test_serializing_v2(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it', version=MACAROON_V2) m.add_first_party_caveat('test = caveat') n = Macaroon.deserialize(m.serialize()) assert_equal(m.identifier_bytes, n.identifier_bytes) assert_equal(m.version, n.version)
def test_serializing(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('test = caveat') assert_equal( m.serialize(), 'MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVzZ\ WQgb3VyIHNlY3JldCBrZXkKMDAxNmNpZCB0ZXN0ID0gY2F2ZWF0CjAwMmZzaWduYXR1cmUgGXusegR\ K8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWcK')
def test_serializing_with_binary_v2(self): identifier = base64.b64decode('AK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc==') m = Macaroon( location='http://mybank/', identifier=identifier, key='this is our super secret key; only we should know it', version=MACAROON_V2) m.add_first_party_caveat('test = caveat') n = Macaroon.deserialize(m.serialize()) assert_equal(m.identifier_bytes, n.identifier_bytes) assert_equal(m.version, n.version)
def test_verify_failing_first_party_general_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('general caveat') v = Verifier() v.satisfy_general(lambda _: False) with assert_raises(MacaroonInvalidSignatureException) as cm: v.verify(m, 'this is our super secret key; only we should know it')
def test_verify_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('test = caveat') v = Verifier() v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it') assert_true(verified)
def test_serializing_v2(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it', version=MACAROON_V2 ) m.add_first_party_caveat('test = caveat') n = Macaroon.deserialize(m.serialize()) assert_equal(m.identifier_bytes, n.identifier_bytes) assert_equal(m.version, n.version)
def test_serializing_json(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('test = caveat') assert_equal( json.loads(m.serialize(serializer=JsonSerializer()))['signature'], "197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67" )
def test_serializing_deserializing_json(self): m = Macaroon( location='http://test/', identifier='first', key='secret_key_1' ) m.add_first_party_caveat('test = caveat') n = Macaroon.deserialize( m.serialize(serializer=JsonSerializer()), serializer=JsonSerializer() ) assert_equal(m.signature, n.signature)
def test_serializing_with_binary_v2(self): identifier = base64.b64decode('AK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc==') m = Macaroon( location='http://mybank/', identifier=identifier, key='this is our super secret key; only we should know it', version=MACAROON_V2 ) m.add_first_party_caveat('test = caveat') n = Macaroon.deserialize(m.serialize()) assert_equal(m.identifier_bytes, n.identifier_bytes) assert_equal(m.version, n.version)
def test_serializing_strips_padding(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('test = acaveat') assert_equal( m.serialize(), # In padded base64, this would end with '==' ('MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVz' 'ZWQgb3VyIHNlY3JldCBrZXkKMDAxN2NpZCB0ZXN0ID0gYWNhdmVhdAowMDJmc2ln' 'bmF0dXJlIJRJ_V3WNJQnqlVq5eez7spnltwU_AXs8NIRY739sHooCg'))
def test_serializing_json_v2(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it', version=MACAROON_V2 ) m.add_first_party_caveat('test = caveat') assert_equal( json.loads(m.serialize(serializer=JsonSerializer()))['s64'], "GXusegRK8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWc" )
def test_encrypted_first_party_caveat(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') encryptor = SecretBoxEncryptor(nonce=ZERO_NONCE) m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate( field_encryptor=encryptor) m.add_first_party_caveat('test = caveat', encrypted=True) assert_equal( m.signature, 'a443bc61e8f45dca4f0c441d6cfde90b804cebb0b267aab60de1ec2ab8cc8522')
def test_serializing(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('test = caveat') assert_equal( m.serialize(), 'MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVzZ\ WQgb3VyIHNlY3JldCBrZXkKMDAxNmNpZCB0ZXN0ID0gY2F2ZWF0CjAwMmZzaWduYXR1cmUgGXusegR\ K8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWcK' )
def test_serializing_macaroon_with_first_and_third_caveats(self): m = Macaroon(location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice') m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) n = Macaroon.deserialize(m.serialize()) assert_equal(m.signature, n.signature)
def test_encrypted_first_party_caveat(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) encryptor = SecretBoxEncryptor(nonce=ZERO_NONCE) m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate(field_encryptor=encryptor) m.add_first_party_caveat('test = caveat', encrypted=True) assert_equal( m.signature, 'a443bc61e8f45dca4f0c441d6cfde90b804cebb0b267aab60de1ec2ab8cc8522' )
def test_verify_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('test = caveat') v = Verifier() v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it' ) assert_true(verified)
def test_serializing_strips_padding(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('test = acaveat') assert_equal( m.serialize(), # In padded base64, this would end with '==' ('MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVz' 'ZWQgb3VyIHNlY3JldCBrZXkKMDAxN2NpZCB0ZXN0ID0gYWNhdmVhdAowMDJmc2ln' 'bmF0dXJlIJRJ_V3WNJQnqlVq5eez7spnltwU_AXs8NIRY739sHooCg') )
def test_verify_encrypted_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate() m.add_first_party_caveat('test = caveat', encrypted=True) v = Verifier() v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate( ) v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it') assert_true(verified)
def _gen_macaroon(ssn, role, user): f = open("/var/EMR/secret_key", "r") if f.mode == 'r': secret_key = f.read() mac = Macaroon( location= "http://127.0.0.1", #again, this should not be set to local host, but this is a demo, not a full system. identifier=ssn, key=secret_key) mac.add_first_party_caveat('role = ' + role) mac.add_first_party_caveat('user = ' + user) return mac else: print("keyfile not found") return None
def create_macaroon(self): (key_id, key) = create_key_id_pair( prefix='{loc}::{user}::'.format( loc=current_app.config['AUTH_SERVICE_LOCATION'], user=self.username), duration=current_app.config['MAX_SESSION_REFRESH_LENGTH']) macaroon = Macaroon( location=current_app.config['AUTH_SERVICE_LOCATION'], key=key, identifier=key_id) expires = expire_time_from_duration( current_app.config['SESSION_LENGTH']) macaroon.add_first_party_caveat('{key} < {expires}'.format( key=current_app.config['TIME_KEY'], expires=str(expires))) return macaroon
def test_verify_failing_first_party_general_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('general caveat') v = Verifier() v.satisfy_general(lambda _: False) with assert_raises(MacaroonInvalidSignatureException) as cm: v.verify( m, 'this is our super secret key; only we should know it' )
def test_third_party_caveat(self, rand_nonce): # use a fixed nonce to ensure the same signature rand_nonce.return_value = truncate_or_pad(b'\0', size=crypto_box_NONCEBYTES) m = Macaroon(location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice') m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) assert_equal( m.signature, 'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c')
def test_verify_first_party_general_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('general caveat') def general_caveat_validator(predicate): return predicate == 'general caveat' v = Verifier() v.satisfy_general(general_caveat_validator) verified = v.verify( m, 'this is our super secret key; only we should know it') assert_true(verified)
def test_third_party_caveat(self): m = Macaroon(location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice') m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier, nonce=ZERO_NONCE) assert_equal( m.signature, 'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c')
def test_verify_encrypted_first_party_exact_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate() m.add_first_party_caveat('test = caveat', encrypted=True) v = Verifier() v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate() v.satisfy_exact('test = caveat') verified = v.verify( m, 'this is our super secret key; only we should know it' ) assert_true(verified)
def test_verify_first_party_general_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('general caveat') def general_caveat_validator(predicate): return predicate == 'general caveat' v = Verifier() v.satisfy_general(general_caveat_validator) verified = v.verify( m, 'this is our super secret key; only we should know it' ) assert_true(verified)
def test_serializing_macaroon_with_first_and_third_caveats(self): m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) n = Macaroon.deserialize(m.serialize()) assert_equal( m.signature, n.signature )
def test_third_party_caveat(self): m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat( 'http://auth.mybank/', caveat_key, identifier, nonce=ZERO_NONCE) assert_equal( m.signature, 'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c' )
def photo_album_login(): login_successful = True if login_successful: m = Macaroon(location='cool-picture-service.example.com', identifier='key-for-bob', key=keys['key-for-bob']) # Add a caveat for the target service m.add_first_party_caveat('view_pictures = True') serialized = m.serialize() images = [True, True, True] resp = make_response( render_template("home.html", showimages=True, images=images, macaroon=m.inspect().replace("\n", "<br/>"))) resp.set_cookie('macaroonCookie', serialized) return resp else: return redirect(url_for("login"))
def test_third_party_caveat(self, rand_nonce): # use a fixed nonce to ensure the same signature rand_nonce.return_value = truncate_or_pad( b'\0', size=crypto_box_NONCEBYTES ) m = Macaroon( location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice' ) m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier) assert_equal( m.signature, 'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c' )
def test_inspect(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it') m.add_first_party_caveat('test = caveat') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier, nonce=ZERO_NONCE) assert_equal(m.inspect(), ( 'location http://mybank/\n' 'identifier we used our secret key\n' 'cid test = caveat\n' 'cid this was how we remind auth of key/pred\n' 'vid AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA68NYajhiFuHnKGSNcVhkAwgbs0VZ0yK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc\n' 'cl http://auth.mybank/\n' 'signature 7a9289bfbb92d725f748bbcb4f3e04e56b7021513ebeed8411bfba10a16a662e' ))
def generate_macaroon(self, nonce): m = Macaroon(location='http://mybank/', identifier='we used our other secret key', key='this is a different super-secret key; \ never use the same secret twice') m.add_first_party_caveat('account = 3735928559') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat( 'http://auth.mybank/', caveat_key, identifier, nonce=nonce, ) discharge = Macaroon(location='http://auth.mybank/', key=caveat_key, identifier=identifier) discharge.add_first_party_caveat('time < 2015-01-01T00:00') protected = m.prepare_for_request(discharge) return protected.signature
def test_inspect(self): m = Macaroon( location='http://mybank/', identifier='we used our secret key', key='this is our super secret key; only we should know it' ) m.add_first_party_caveat('test = caveat') caveat_key = '4; guaranteed random by a fair toss of the dice' identifier = 'this was how we remind auth of key/pred' m.add_third_party_caveat( 'http://auth.mybank/', caveat_key, identifier, nonce=ZERO_NONCE ) assert_equal(m.inspect(), ( 'location http://mybank/\n' 'identifier we used our secret key\n' 'cid test = caveat\n' 'cid this was how we remind auth of key/pred\n' 'vid AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA68NYajhiFuHnKGSNcVhkAwgbs0VZ0yK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc\n' 'cl http://auth.mybank/\n' 'signature 7a9289bfbb92d725f748bbcb4f3e04e56b7021513ebeed8411bfba10a16a662e'))
def test_infer_declared(self): tests = [ ('no macaroons', [], {}, None), ('single macaroon with one declaration', [ [checkers.Caveat(condition='declared foo bar')] ], {'foo': 'bar'}, None), ('only one argument to declared', [ [checkers.Caveat(condition='declared foo')] ], {}, None), ('spaces in value', [ [checkers.Caveat(condition='declared foo bar bloggs')] ], {'foo': 'bar bloggs'}, None), ('attribute with declared prefix', [ [checkers.Caveat(condition='declaredccf foo')] ], {}, None), ('several macaroons with different declares', [ [ checkers.declared_caveat('a', 'aval'), checkers.declared_caveat('b', 'bval') ], [ checkers.declared_caveat('c', 'cval'), checkers.declared_caveat('d', 'dval') ] ], {'a': 'aval', 'b': 'bval', 'c': 'cval', 'd': 'dval'}, None), ('duplicate values', [ [ checkers.declared_caveat('a', 'aval'), checkers.declared_caveat('a', 'aval'), checkers.declared_caveat('b', 'bval') ], [ checkers.declared_caveat('a', 'aval'), checkers.declared_caveat('b', 'bval'), checkers.declared_caveat('c', 'cval'), checkers.declared_caveat('d', 'dval') ] ], {'a': 'aval', 'b': 'bval', 'c': 'cval', 'd': 'dval'}, None), ('conflicting values', [ [ checkers.declared_caveat('a', 'aval'), checkers.declared_caveat('a', 'conflict'), checkers.declared_caveat('b', 'bval') ], [ checkers.declared_caveat('a', 'conflict'), checkers.declared_caveat('b', 'another conflict'), checkers.declared_caveat('c', 'cval'), checkers.declared_caveat('d', 'dval') ] ], {'c': 'cval', 'd': 'dval'}, None), ('third party caveats ignored', [ [checkers.Caveat(condition='declared a no conflict', location='location')], [checkers.declared_caveat('a', 'aval')] ], {'a': 'aval'}, None), ('unparseable caveats ignored', [ [checkers.Caveat(condition=' bad')], [checkers.declared_caveat('a', 'aval')] ], {'a': 'aval'}, None), ('infer with namespace', [ [ checkers.declared_caveat('a', 'aval'), caveat_with_ns(checkers.declared_caveat('a', 'aval'), 'testns'), ] ], {'a': 'aval'}, None), ] for test in tests: uri_to_prefix = test[3] if uri_to_prefix is None: uri_to_prefix = {checkers.STD_NAMESPACE: ''} ns = checkers.Namespace(uri_to_prefix) print(test[0]) ms = [] for i, caveats in enumerate(test[1]): m = Macaroon(key=None, identifier=six.int2byte(i), location='', version=MACAROON_V2) for cav in caveats: cav = ns.resolve_caveat(cav) if cav.location == '': m.add_first_party_caveat(cav.condition) else: m.add_third_party_caveat(cav.location, None, cav.condition) ms.append(m) self.assertEqual(checkers.infer_declared(ms), test[2])
def newMacaroon(conds=[]): m = Macaroon(key='key', version=2) for cond in conds: m.add_first_party_caveat(cond) return m