def test_parse_and_validate_invalid_parameters(test_input_token, test_input_jwt_bundle, test_input_audience, expected): with pytest.raises(ArgumentError) as exception: JwtSvid.parse_and_validate(test_input_token, test_input_jwt_bundle, test_input_audience) assert str(exception.value) == expected
def test_parse_and_validate_invalid_missing_kid(): key_id = 'kid10' token = create_jwt(kid=key_id) with pytest.raises(AuthorityNotFoundError) as exception: JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire']) assert str( exception.value) == 'Key (' + key_id + ') not found in authorities.'
def test_parse_and_validate_invalid_kid_mismatch(): rsa_key2 = rsa.generate_private_key(public_exponent=65537, key_size=2048) jwt_bundle = JwtBundle( DEFAULT_TRUST_DOMAIN, { 'kid1': DEFAULT_KEY.public_key(), 'kid10': rsa_key2.public_key() }, ) token = create_jwt(kid='kid10') with pytest.raises(InvalidTokenError) as exception: JwtSvid.parse_and_validate(token, jwt_bundle, ['spire']) assert str(exception.value) == 'Signature verification failed.'
def test_parse_and_validate_valid_token_RSA(): token = create_jwt() jwt_svid = JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire']) assert jwt_svid.audience == DEFAULT_AUDIENCE assert str(jwt_svid.spiffe_id) == DEFAULT_SPIFFE_ID assert jwt_svid.expiry == DEFAULT_EXPIRY assert jwt_svid.token == token
def test_parse_and_validate_valid_token_EC(): ec_key = ec.generate_private_key(ec.SECP384R1(), default_backend()) jwt_bundle = JwtBundle(DEFAULT_TRUST_DOMAIN, {'kid_ec': ec_key.public_key()}) ec_key_pem, _ = get_keys_pems(ec_key) token = create_jwt(ec_key_pem, 'kid_ec', alg='ES512') jwt_svid = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire']) assert jwt_svid.audience == DEFAULT_AUDIENCE assert str(jwt_svid.spiffe_id) == DEFAULT_SPIFFE_ID assert jwt_svid.expiry == DEFAULT_EXPIRY assert jwt_svid.token == token
def test_parse_and_validate_valid_token_multiple_keys_bundle(): ec_key = ec.generate_private_key(ec.SECP521R1(), default_backend()) jwt_bundle = JwtBundle( DEFAULT_TRUST_DOMAIN, { 'kid_rsa': DEFAULT_KEY.public_key(), 'kid_ec': ec_key.public_key() }, ) ec_key_pem, _ = get_keys_pems(ec_key) token = create_jwt(ec_key_pem, kid='kid_ec', alg='ES512') jwt_svid1 = JwtSvid.parse_and_validate(token, jwt_bundle, ['spire']) assert jwt_svid1.audience == DEFAULT_AUDIENCE assert str(jwt_svid1.spiffe_id) == DEFAULT_SPIFFE_ID assert jwt_svid1.expiry == DEFAULT_EXPIRY assert jwt_svid1.token == token token2 = create_jwt(kid='kid_rsa') jwt_svid2 = JwtSvid.parse_and_validate(token2, jwt_bundle, ['spire']) assert jwt_svid2.audience == DEFAULT_AUDIENCE assert str(jwt_svid2.spiffe_id) == DEFAULT_SPIFFE_ID assert jwt_svid2.expiry == DEFAULT_EXPIRY assert jwt_svid2.token == token2
def test_parse_and_validate_invalid_missing_sub(): token = create_jwt(spiffe_id='') with pytest.raises(InvalidTokenError) as exception: JwtSvid.parse_and_validate(token, JWT_BUNDLE, ['spire']) assert str(exception.value) == 'SPIFFE ID cannot be empty.'