def test_serializing_max_length_packet(self):
m = Macaroon(location='test',
identifier='blah',
key='secret',
version=MACAROON_V1)
m.add_first_party_caveat('x' * 65526) # exactly 0xFFFF
assert_not_equal(m.serialize(), None)
def test_serializing_too_long_packet(self):
m = Macaroon(location='test',
identifier='blah',
key='secret',
version=MACAROON_V1)
m.add_first_party_caveat('x' * 65527) # one byte too long
assert_raises(MacaroonSerializationException, m.serialize)
def test_verify_third_party_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
discharge = Macaroon(
location='http://auth.mybank/',
key=caveat_key,
identifier=identifier
)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
v = Verifier()
v.satisfy_exact('account = 3735928559')
v.satisfy_exact('time < 2015-01-01T00:00')
verified = v.verify(
m,
'this is a different super-secret key; \
never use the same secret twice',
discharge_macaroons=[protected]
)
assert_true(verified)
def generate_macaroon(self, nonce):
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat(
'http://auth.mybank/',
caveat_key,
identifier,
nonce=nonce,
)
discharge = Macaroon(
location='http://auth.mybank/',
key=caveat_key,
identifier=identifier
)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
return protected.signature
def test_prepare_for_request(self, rand_nonce):
# use a fixed nonce to ensure the same signature
rand_nonce.return_value = truncate_or_pad(
b'\0',
size=crypto_box_NONCEBYTES
)
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat(
'http://auth.mybank/',
caveat_key,
identifier
)
discharge = Macaroon(
location='http://auth.mybank/',
key=caveat_key,
identifier=identifier
)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
assert_equal(
protected.signature,
'2eb01d0dd2b4475330739140188648cf25dda0425ea9f661f1574ca0a9eac54e'
)
def test_serializing_max_length_packet(self):
m = Macaroon(location='test', identifier='blah', key='secret')
m.add_first_party_caveat('x' * 65526) # exactly 0xFFFF
assert_not_equal(
m.serialize(),
None
)
def test_verify_third_party_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
discharge = Macaroon(
location='http://auth.mybank/',
key=caveat_key,
identifier=identifier
)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
v = Verifier()
v.satisfy_exact('account = 3735928559')
v.satisfy_exact('time < 2015-01-01T00:00')
verified = v.verify(
m,
'this is a different super-secret key; \
never use the same secret twice',
discharge_macaroons=[protected]
)
assert_true(verified)
def test_serializing_too_long_packet(self):
m = Macaroon(location='test', identifier='blah', key='secret')
m.add_first_party_caveat('x' * 65527) # one byte too long
assert_raises(
MacaroonSerializationException,
m.serialize
)
def test_prepare_for_request(self, rand_nonce):
# use a fixed nonce to ensure the same signature
rand_nonce.return_value = truncate_or_pad(
b'\0',
size=crypto_box_NONCEBYTES
)
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat(
'http://auth.mybank/',
caveat_key,
identifier
)
discharge = Macaroon(
location='http://auth.mybank/',
key=caveat_key,
identifier=identifier
)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
assert_equal(
protected.signature,
'2eb01d0dd2b4475330739140188648cf25dda0425ea9f661f1574ca0a9eac54e'
)
def test_logging(self):
r = Request()
root_key = hashlib.sha256("root").hexdigest()
root_macaroon = Macaroon(key=root_key)
discharge_key = hashlib.sha256("discharge").hexdigest()
discharge_caveat_id = '{"secret": "thing"}'
root_macaroon.add_third_party_caveat(
"sso.example", discharge_key, discharge_caveat_id)
root_macaroon.add_first_party_caveat(
"store.example|package_id|{}".format(
json.dumps(["example-package"])))
unbound_discharge_macaroon = Macaroon(
location="sso.example", key=discharge_key,
identifier=discharge_caveat_id)
unbound_discharge_macaroon.add_first_party_caveat(
"sso.example|account|{}".format(
base64.b64encode(json.dumps({
"openid": "1234567",
"email": "*****@*****.**",
}))))
logger = BufferLogger()
MacaroonAuth(
root_macaroon.serialize(),
unbound_discharge_macaroon.serialize(), logger=logger)(r)
self.assertEqual(
['DEBUG root macaroon: snap-ids: ["example-package"]',
'DEBUG discharge macaroon: OpenID identifier: 1234567'],
logger.getLogBuffer().splitlines())
def callback(request):
new_macaroon = Macaroon(
location="sso.example", key=self.discharge_key,
identifier=self.discharge_caveat_id)
new_macaroon.add_first_party_caveat("sso|expires|tomorrow")
return (
200, {},
json.dumps({"discharge_macaroon": new_macaroon.serialize()}))
def test_serializing_deserializing_json(self):
m = Macaroon(location='http://test/',
identifier='first',
key='secret_key_1')
m.add_first_party_caveat('test = caveat')
n = Macaroon.deserialize(m.serialize(serializer=JsonSerializer()),
serializer=JsonSerializer())
assert_equal(m.signature, n.signature)
def bake(user: User, caveats: List[str]) -> str:
m_obj = Macaroon(location=os.environ.get("ENDPOINT"),
identifier=user.username,
key=user.key)
for caveat in caveats:
m_obj.add_first_party_caveat(caveat)
return m_obj.serialize()
def test_serializing_json(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('test = caveat')
assert_equal(
json.loads(m.serialize(serializer=JsonSerializer()))['signature'],
"197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67")
def issueMacaroon(self, context, **kwargs):
"""See `IMacaroonIssuer`."""
context = self.checkIssuingContext(context, **kwargs)
macaroon = Macaroon(location=config.vhost.mainsite.hostname,
identifier=self.identifier,
key=self._root_secret)
macaroon.add_first_party_caveat("%s %s" %
(self._primary_caveat_name, context))
return macaroon
def test_first_party_caveat(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('test = caveat')
assert_equal(
m.signature,
'197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67')
def login_device(macaroon, manufacturer, channel_id):
m = Macaroon(location='localhost',
identifier=manufacturer,
key=keys[manufacturer])
m1 = Macaroon.deserialize(macaroon)
channels = []
for caveat in m1.caveats:
m.add_first_party_caveat(caveat.to_dict()['cid'])
channels.append(caveat.to_dict()['cid'])
return m1.signature == m.signature and channel_id in channels[2:]
def test_serializing_json_v2(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it',
version=MACAROON_V2)
m.add_first_party_caveat('test = caveat')
assert_equal(
json.loads(m.serialize(serializer=JsonSerializer()))['s64'],
"GXusegRK8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWc")
def test_inspect(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('test = caveat')
assert_equal(m.inspect(), 'location http://mybank/\nidentifier we used\
our secret key\ncid test = caveat\nsignature 197bac7a044af33332865b9266e26d49\
3bdd668a660e44d88ce1a998c23dbd67')
def test_serializing_v2(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it',
version=MACAROON_V2)
m.add_first_party_caveat('test = caveat')
n = Macaroon.deserialize(m.serialize())
assert_equal(m.identifier_bytes, n.identifier_bytes)
assert_equal(m.version, n.version)
def test_serializing(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('test = caveat')
assert_equal(
m.serialize(),
'MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVzZ\
WQgb3VyIHNlY3JldCBrZXkKMDAxNmNpZCB0ZXN0ID0gY2F2ZWF0CjAwMmZzaWduYXR1cmUgGXusegR\
K8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWcK')
def test_serializing_with_binary_v2(self):
identifier = base64.b64decode('AK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc==')
m = Macaroon(
location='http://mybank/',
identifier=identifier,
key='this is our super secret key; only we should know it',
version=MACAROON_V2)
m.add_first_party_caveat('test = caveat')
n = Macaroon.deserialize(m.serialize())
assert_equal(m.identifier_bytes, n.identifier_bytes)
assert_equal(m.version, n.version)
def test_verify_failing_first_party_general_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('general caveat')
v = Verifier()
v.satisfy_general(lambda _: False)
with assert_raises(MacaroonInvalidSignatureException) as cm:
v.verify(m, 'this is our super secret key; only we should know it')
def test_verify_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('test = caveat')
v = Verifier()
v.satisfy_exact('test = caveat')
verified = v.verify(
m, 'this is our super secret key; only we should know it')
assert_true(verified)
def test_serializing_v2(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it',
version=MACAROON_V2
)
m.add_first_party_caveat('test = caveat')
n = Macaroon.deserialize(m.serialize())
assert_equal(m.identifier_bytes, n.identifier_bytes)
assert_equal(m.version, n.version)
def test_serializing_json(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('test = caveat')
assert_equal(
json.loads(m.serialize(serializer=JsonSerializer()))['signature'],
"197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67"
)
def test_serializing_deserializing_json(self):
m = Macaroon(
location='http://test/',
identifier='first',
key='secret_key_1'
)
m.add_first_party_caveat('test = caveat')
n = Macaroon.deserialize(
m.serialize(serializer=JsonSerializer()),
serializer=JsonSerializer()
)
assert_equal(m.signature, n.signature)
def test_serializing_with_binary_v2(self):
identifier = base64.b64decode('AK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc==')
m = Macaroon(
location='http://mybank/',
identifier=identifier,
key='this is our super secret key; only we should know it',
version=MACAROON_V2
)
m.add_first_party_caveat('test = caveat')
n = Macaroon.deserialize(m.serialize())
assert_equal(m.identifier_bytes, n.identifier_bytes)
assert_equal(m.version, n.version)
def test_serializing_strips_padding(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('test = acaveat')
assert_equal(
m.serialize(),
# In padded base64, this would end with '=='
('MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVz'
'ZWQgb3VyIHNlY3JldCBrZXkKMDAxN2NpZCB0ZXN0ID0gYWNhdmVhdAowMDJmc2ln'
'bmF0dXJlIJRJ_V3WNJQnqlVq5eez7spnltwU_AXs8NIRY739sHooCg'))
def test_serializing_json_v2(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it',
version=MACAROON_V2
)
m.add_first_party_caveat('test = caveat')
assert_equal(
json.loads(m.serialize(serializer=JsonSerializer()))['s64'],
"GXusegRK8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWc"
)
def test_encrypted_first_party_caveat(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
encryptor = SecretBoxEncryptor(nonce=ZERO_NONCE)
m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate(
field_encryptor=encryptor)
m.add_first_party_caveat('test = caveat', encrypted=True)
assert_equal(
m.signature,
'a443bc61e8f45dca4f0c441d6cfde90b804cebb0b267aab60de1ec2ab8cc8522')
def test_serializing(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('test = caveat')
assert_equal(
m.serialize(),
'MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVzZ\
WQgb3VyIHNlY3JldCBrZXkKMDAxNmNpZCB0ZXN0ID0gY2F2ZWF0CjAwMmZzaWduYXR1cmUgGXusegR\
K8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWcK'
)
def test_serializing_macaroon_with_first_and_third_caveats(self):
m = Macaroon(location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice')
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
n = Macaroon.deserialize(m.serialize())
assert_equal(m.signature, n.signature)
def test_encrypted_first_party_caveat(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
encryptor = SecretBoxEncryptor(nonce=ZERO_NONCE)
m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate(field_encryptor=encryptor)
m.add_first_party_caveat('test = caveat', encrypted=True)
assert_equal(
m.signature,
'a443bc61e8f45dca4f0c441d6cfde90b804cebb0b267aab60de1ec2ab8cc8522'
)
def test_verify_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('test = caveat')
v = Verifier()
v.satisfy_exact('test = caveat')
verified = v.verify(
m,
'this is our super secret key; only we should know it'
)
assert_true(verified)
def test_serializing_strips_padding(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('test = acaveat')
assert_equal(
m.serialize(),
# In padded base64, this would end with '=='
('MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVz'
'ZWQgb3VyIHNlY3JldCBrZXkKMDAxN2NpZCB0ZXN0ID0gYWNhdmVhdAowMDJmc2ln'
'bmF0dXJlIJRJ_V3WNJQnqlVq5eez7spnltwU_AXs8NIRY739sHooCg')
)
def test_verify_encrypted_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate()
m.add_first_party_caveat('test = caveat', encrypted=True)
v = Verifier()
v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate(
)
v.satisfy_exact('test = caveat')
verified = v.verify(
m, 'this is our super secret key; only we should know it')
assert_true(verified)
def _gen_macaroon(ssn, role, user):
f = open("/var/EMR/secret_key", "r")
if f.mode == 'r':
secret_key = f.read()
mac = Macaroon(
location=
"http://127.0.0.1", #again, this should not be set to local host, but this is a demo, not a full system.
identifier=ssn,
key=secret_key)
mac.add_first_party_caveat('role = ' + role)
mac.add_first_party_caveat('user = ' + user)
return mac
else:
print("keyfile not found")
return None
def create_macaroon(self):
(key_id, key) = create_key_id_pair(
prefix='{loc}::{user}::'.format(
loc=current_app.config['AUTH_SERVICE_LOCATION'],
user=self.username),
duration=current_app.config['MAX_SESSION_REFRESH_LENGTH'])
macaroon = Macaroon(
location=current_app.config['AUTH_SERVICE_LOCATION'],
key=key,
identifier=key_id)
expires = expire_time_from_duration(
current_app.config['SESSION_LENGTH'])
macaroon.add_first_party_caveat('{key} < {expires}'.format(
key=current_app.config['TIME_KEY'], expires=str(expires)))
return macaroon
def test_verify_failing_first_party_general_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('general caveat')
v = Verifier()
v.satisfy_general(lambda _: False)
with assert_raises(MacaroonInvalidSignatureException) as cm:
v.verify(
m,
'this is our super secret key; only we should know it'
)
def test_third_party_caveat(self, rand_nonce):
# use a fixed nonce to ensure the same signature
rand_nonce.return_value = truncate_or_pad(b'\0',
size=crypto_box_NONCEBYTES)
m = Macaroon(location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice')
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
assert_equal(
m.signature,
'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c')
def test_verify_first_party_general_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('general caveat')
def general_caveat_validator(predicate):
return predicate == 'general caveat'
v = Verifier()
v.satisfy_general(general_caveat_validator)
verified = v.verify(
m, 'this is our super secret key; only we should know it')
assert_true(verified)
def test_third_party_caveat(self):
m = Macaroon(location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice')
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/',
caveat_key,
identifier,
nonce=ZERO_NONCE)
assert_equal(
m.signature,
'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c')
def test_verify_encrypted_first_party_exact_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.first_party_caveat_delegate = EncryptedFirstPartyCaveatDelegate()
m.add_first_party_caveat('test = caveat', encrypted=True)
v = Verifier()
v.first_party_caveat_verifier_delegate = EncryptedFirstPartyCaveatVerifierDelegate()
v.satisfy_exact('test = caveat')
verified = v.verify(
m,
'this is our super secret key; only we should know it'
)
assert_true(verified)
def test_verify_first_party_general_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('general caveat')
def general_caveat_validator(predicate):
return predicate == 'general caveat'
v = Verifier()
v.satisfy_general(general_caveat_validator)
verified = v.verify(
m,
'this is our super secret key; only we should know it'
)
assert_true(verified)
def test_serializing_macaroon_with_first_and_third_caveats(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
n = Macaroon.deserialize(m.serialize())
assert_equal(
m.signature,
n.signature
)
def test_third_party_caveat(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat(
'http://auth.mybank/',
caveat_key,
identifier,
nonce=ZERO_NONCE)
assert_equal(
m.signature,
'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c'
)
def photo_album_login():
login_successful = True
if login_successful:
m = Macaroon(location='cool-picture-service.example.com',
identifier='key-for-bob',
key=keys['key-for-bob'])
# Add a caveat for the target service
m.add_first_party_caveat('view_pictures = True')
serialized = m.serialize()
images = [True, True, True]
resp = make_response(
render_template("home.html",
showimages=True,
images=images,
macaroon=m.inspect().replace("\n", "<br/>")))
resp.set_cookie('macaroonCookie', serialized)
return resp
else:
return redirect(url_for("login"))
def test_third_party_caveat(self, rand_nonce):
# use a fixed nonce to ensure the same signature
rand_nonce.return_value = truncate_or_pad(
b'\0',
size=crypto_box_NONCEBYTES
)
m = Macaroon(
location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice'
)
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/', caveat_key, identifier)
assert_equal(
m.signature,
'd27db2fd1f22760e4c3dae8137e2d8fc1df6c0741c18aed4b97256bf78d1f55c'
)
def test_inspect(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it')
m.add_first_party_caveat('test = caveat')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat('http://auth.mybank/',
caveat_key,
identifier,
nonce=ZERO_NONCE)
assert_equal(m.inspect(), (
'location http://mybank/\n'
'identifier we used our secret key\n'
'cid test = caveat\n'
'cid this was how we remind auth of key/pred\n'
'vid AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA68NYajhiFuHnKGSNcVhkAwgbs0VZ0yK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc\n'
'cl http://auth.mybank/\n'
'signature 7a9289bfbb92d725f748bbcb4f3e04e56b7021513ebeed8411bfba10a16a662e'
))
def generate_macaroon(self, nonce):
m = Macaroon(location='http://mybank/',
identifier='we used our other secret key',
key='this is a different super-secret key; \
never use the same secret twice')
m.add_first_party_caveat('account = 3735928559')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat(
'http://auth.mybank/',
caveat_key,
identifier,
nonce=nonce,
)
discharge = Macaroon(location='http://auth.mybank/',
key=caveat_key,
identifier=identifier)
discharge.add_first_party_caveat('time < 2015-01-01T00:00')
protected = m.prepare_for_request(discharge)
return protected.signature
def test_inspect(self):
m = Macaroon(
location='http://mybank/',
identifier='we used our secret key',
key='this is our super secret key; only we should know it'
)
m.add_first_party_caveat('test = caveat')
caveat_key = '4; guaranteed random by a fair toss of the dice'
identifier = 'this was how we remind auth of key/pred'
m.add_third_party_caveat(
'http://auth.mybank/',
caveat_key,
identifier,
nonce=ZERO_NONCE
)
assert_equal(m.inspect(), (
'location http://mybank/\n'
'identifier we used our secret key\n'
'cid test = caveat\n'
'cid this was how we remind auth of key/pred\n'
'vid AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA68NYajhiFuHnKGSNcVhkAwgbs0VZ0yK2o+q0Aq9+bONkXw7ky7HAuhCLO9hhaMMc\n'
'cl http://auth.mybank/\n'
'signature 7a9289bfbb92d725f748bbcb4f3e04e56b7021513ebeed8411bfba10a16a662e'))
def test_infer_declared(self):
tests = [
('no macaroons', [], {}, None),
('single macaroon with one declaration', [
[checkers.Caveat(condition='declared foo bar')]
], {'foo': 'bar'}, None),
('only one argument to declared', [
[checkers.Caveat(condition='declared foo')]
], {}, None),
('spaces in value', [
[checkers.Caveat(condition='declared foo bar bloggs')]
], {'foo': 'bar bloggs'}, None),
('attribute with declared prefix', [
[checkers.Caveat(condition='declaredccf foo')]
], {}, None),
('several macaroons with different declares', [
[
checkers.declared_caveat('a', 'aval'),
checkers.declared_caveat('b', 'bval')
], [
checkers.declared_caveat('c', 'cval'),
checkers.declared_caveat('d', 'dval')
]
], {'a': 'aval', 'b': 'bval', 'c': 'cval', 'd': 'dval'}, None),
('duplicate values', [
[
checkers.declared_caveat('a', 'aval'),
checkers.declared_caveat('a', 'aval'),
checkers.declared_caveat('b', 'bval')
], [
checkers.declared_caveat('a', 'aval'),
checkers.declared_caveat('b', 'bval'),
checkers.declared_caveat('c', 'cval'),
checkers.declared_caveat('d', 'dval')
]
], {'a': 'aval', 'b': 'bval', 'c': 'cval', 'd': 'dval'}, None),
('conflicting values', [
[
checkers.declared_caveat('a', 'aval'),
checkers.declared_caveat('a', 'conflict'),
checkers.declared_caveat('b', 'bval')
], [
checkers.declared_caveat('a', 'conflict'),
checkers.declared_caveat('b', 'another conflict'),
checkers.declared_caveat('c', 'cval'),
checkers.declared_caveat('d', 'dval')
]
], {'c': 'cval', 'd': 'dval'}, None),
('third party caveats ignored', [
[checkers.Caveat(condition='declared a no conflict',
location='location')],
[checkers.declared_caveat('a', 'aval')]
], {'a': 'aval'}, None),
('unparseable caveats ignored', [
[checkers.Caveat(condition=' bad')],
[checkers.declared_caveat('a', 'aval')]
], {'a': 'aval'}, None),
('infer with namespace', [
[
checkers.declared_caveat('a', 'aval'),
caveat_with_ns(checkers.declared_caveat('a', 'aval'),
'testns'),
]
], {'a': 'aval'}, None),
]
for test in tests:
uri_to_prefix = test[3]
if uri_to_prefix is None:
uri_to_prefix = {checkers.STD_NAMESPACE: ''}
ns = checkers.Namespace(uri_to_prefix)
print(test[0])
ms = []
for i, caveats in enumerate(test[1]):
m = Macaroon(key=None, identifier=six.int2byte(i), location='',
version=MACAROON_V2)
for cav in caveats:
cav = ns.resolve_caveat(cav)
if cav.location == '':
m.add_first_party_caveat(cav.condition)
else:
m.add_third_party_caveat(cav.location, None,
cav.condition)
ms.append(m)
self.assertEqual(checkers.infer_declared(ms), test[2])
def newMacaroon(conds=[]):
m = Macaroon(key='key', version=2)
for cond in conds:
m.add_first_party_caveat(cond)
return m
