def test_create_header_with_type(self):
encoded_header = _jwt_format.create_header('HS256', 'typeHeader', None)
json_header = _jwt_format.decode_header(encoded_header)
self.assertEqual(json_header, '{"alg":"HS256","typ":"typeHeader"}')
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, 'HS256')
self.assertEqual(_jwt_format.get_type_header(header), 'typeHeader')
def test_signed_compact_create_split_with_kid(self):
raw_jwt = _raw_jwt.raw_jwt_from_json(None, '{"iss":"joe"}')
signature = _jwt_format.decode_signature(
b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
unsigned_compact = _jwt_format.create_unsigned_compact(
'RS256', 'AZxkm2U', raw_jwt)
signed_compact = _jwt_format.create_signed_compact(
unsigned_compact, signature)
un_comp, hdr, pay, sig = _jwt_format.split_signed_compact(
signed_compact)
self.assertEqual(
unsigned_compact,
b'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ')
self.assertEqual(
signed_compact,
'eyJraWQiOiJBWnhrbTJVIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJqb2UifQ'
'.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
self.assertEqual(un_comp, unsigned_compact)
self.assertEqual(sig, signature)
self.assertEqual(hdr, '{"kid":"AZxkm2U","alg":"RS256"}')
header = _json_util.json_loads(hdr)
_jwt_format.validate_header(header, 'RS256')
self.assertEqual(pay, '{"iss":"joe"}')
self.assertIsNone(_jwt_format.get_type_header(header))
def test_create_header_with_type_and_kid(self):
encoded_header = _jwt_format.create_header('HS256', 'typeHeader', 'GsapRA')
json_header = _jwt_format.decode_header(encoded_header)
self.assertEqual(json_header,
'{"kid":"GsapRA","alg":"HS256","typ":"typeHeader"}')
header = _jwt_format.json_loads(json_header)
_jwt_format.validate_header(header, 'HS256')
self.assertEqual(_jwt_format.get_type_header(header), 'typeHeader')
def test_validate_header_with_missing_kid_missing(self):
json_header = '{"alg":"HS256"}'
header = _json_util.json_loads(json_header)
with self.assertRaises(_jwt_error.JwtInvalidError):
# if tink_kid is set, a kid header is required.
_jwt_format.validate_header(header, 'HS256', tink_kid='GsapRA')
# if custom_kid is set, a kid header is *not* required.
_jwt_format.validate_header(header, 'HS256', custom_kid='GsapRA')
def verify_mac_and_decode(
self, compact: Text,
validator: _jwt_validator.JwtValidator) -> _verified_jwt.VerifiedJwt:
"""Verifies, validates and decodes a MACed compact JWT token."""
parts = _jwt_format.split_signed_compact(compact)
unsigned_compact, json_header, json_payload, mac = parts
self._verify_mac(mac, unsigned_compact)
_jwt_format.validate_header(json_header, self._algorithm)
raw_jwt = _raw_jwt.RawJwt.from_json_payload(json_payload)
_jwt_validator.validate(validator, raw_jwt)
return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def verify_mac_and_decode_with_kid(
self, compact: str, validator: _jwt_validator.JwtValidator,
kid: Optional[str]) -> _verified_jwt.VerifiedJwt:
"""Verifies, validates and decodes a MACed compact JWT token."""
parts = _jwt_format.split_signed_compact(compact)
unsigned_compact, json_header, json_payload, mac = parts
self._verify_mac(mac, unsigned_compact)
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header=header,
algorithm=self._algorithm,
tink_kid=kid,
custom_kid=self._custom_kid)
raw_jwt = _raw_jwt.raw_jwt_from_json(
_jwt_format.get_type_header(header), json_payload)
_jwt_validator.validate(validator, raw_jwt)
return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_validate_header_with_kid_success(self):
json_header = '{"kid":"GsapRA","alg":"HS256"}'
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, 'HS256')
_jwt_format.validate_header(header, 'HS256', tink_kid='GsapRA')
_jwt_format.validate_header(header, 'HS256', custom_kid='GsapRA')
with self.assertRaises(_jwt_error.JwtInvalidError):
# fails because tink_kid and custom_kid must not be set at the same time.
_jwt_format.validate_header(header,
'HS256',
tink_kid='GsapRA',
custom_kid='GsapRA')
def test_signed_compact_create_split(self):
payload = '{"iss":"joe"}'
signature = _jwt_format.decode_signature(
b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
unsigned_compact = _jwt_format.create_unsigned_compact(
'RS256', payload)
signed_compact = _jwt_format.create_signed_compact(
unsigned_compact, signature)
un_comp, hdr, pay, sig = _jwt_format.split_signed_compact(
signed_compact)
self.assertEqual(unsigned_compact,
b'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UifQ')
self.assertEqual(
signed_compact, 'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UifQ.'
'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
self.assertEqual(un_comp, unsigned_compact)
self.assertEqual(sig, signature)
self.assertEqual(hdr, '{"alg":"RS256"}')
_jwt_format.validate_header(hdr, 'RS256')
self.assertEqual(pay, payload)
def verify_mac_and_decode(
self, compact: Text, validator: _jwt_validator.JwtValidator
) -> _verified_jwt.VerifiedJwt:
"""Verifies, validates and decodes a MACed compact JWT token."""
encoded = compact.encode('utf8')
try:
unsigned_compact, encoded_signature = encoded.rsplit(b'.', 1)
except ValueError:
raise _jwt_error.JwtInvalidError('invalid token')
signature = _jwt_format.decode_signature(encoded_signature)
self._verify_mac(signature, unsigned_compact)
try:
encoded_header, encoded_payload = unsigned_compact.split(b'.')
except ValueError:
raise _jwt_error.JwtInvalidError('invalid token')
_jwt_format.validate_header(encoded_header, self._algorithm)
json_payload = _jwt_format.decode_payload(encoded_payload)
raw_jwt = _raw_jwt.RawJwt.from_json_payload(json_payload)
_jwt_validator.validate(validator, raw_jwt)
return _verified_jwt.VerifiedJwt._create(raw_jwt) # pylint: disable=protected-access
def test_validate_header_with_other_kid_fails(self):
json_header = '{"kid":"GsapRA","alg":"HS256"}'
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, 'HS256')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS256', tink_kid='otherKid')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS256', custom_kid='otherKid')
def test_signed_compact_create_split(self):
payload = '{"iss":"joe"}'
signature = _jwt_format.decode_signature(
b'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
unsigned_compact = _jwt_format.create_unsigned_compact(
'RS256', 'JWT', None, payload)
signed_compact = _jwt_format.create_signed_compact(unsigned_compact,
signature)
un_comp, hdr, pay, sig = _jwt_format.split_signed_compact(signed_compact)
self.assertEqual(
unsigned_compact,
b'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJqb2UifQ')
self.assertEqual(
signed_compact, 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.'
'eyJpc3MiOiJqb2UifQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')
self.assertEqual(un_comp, unsigned_compact)
self.assertEqual(sig, signature)
self.assertEqual(hdr, '{"alg":"RS256","typ":"JWT"}')
header = _jwt_format.json_loads(hdr)
_jwt_format.validate_header(header, 'RS256')
self.assertEqual(pay, payload)
self.assertEqual(_jwt_format.get_type_header(header), 'JWT')
def test_validate_header_ignores_typ(self):
header = _json_util.json_loads('{"alg":"HS256","typ":"unknown"}')
_jwt_format.validate_header(header, 'HS256')
def test_validate_header_with_unknown_entry_success(self):
header = _json_util.json_loads('{"alg":"HS256","unknown":"header"}')
_jwt_format.validate_header(header, 'HS256')
def test_validate_header_with_unknown_algorithm_fails(self):
header = _json_util.json_loads('{"alg":"HS123"}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS123')
def test_verify_empty_header_fails(self):
header = _json_util.json_loads('{}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'ES256')
def test_validate_header_with_unknown_entry_success(self):
_jwt_format.validate_header('{"alg":"HS256","unknown":"header"}',
'HS256')
def test_validate_header_with_unknown_algorithm_fails(self):
header = _jwt_format.encode_header({})
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS123')
def test_verify_wrong_header_fails(self):
header = _jwt_format.create_header('HS256')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'ES256')
def test_validate_header_with_lowercase_typ_success(self):
_jwt_format.validate_header('{"alg":"HS256","typ":"jwt"}', 'HS256')
def test_create_validate_header(self, algorithm):
header = _jwt_format.create_header(algorithm)
_jwt_format.validate_header(header, algorithm)
def test_validate_header_with_bad_typ_fails(self):
header = _jwt_format.encode_header({'alg': 'HS256', 'typ': 'IWT'})
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS256')
def test_validate_header_with_lowercase_typ_success(self):
header = _jwt_format.encode_header({'alg': 'HS256', 'typ': 'jwt'})
_jwt_format.validate_header(header, 'HS256')
def test_validate_header_rejects_crit(self):
header = _json_util.json_loads(
'{"alg":"HS256","crit":["http://example.invalid/UNDEFINED"],'
'"http://example.invalid/UNDEFINED":true}')
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'HS256')
def test_create_validate_header(self, algorithm):
encoded_header = _jwt_format.create_header(algorithm, None, None)
json_header = _jwt_format.decode_header(encoded_header)
header = _json_util.json_loads(json_header)
_jwt_format.validate_header(header, algorithm)
self.assertIsNone(_jwt_format.get_type_header(header))
def test_validate_header_with_unknown_algorithm_fails(self):
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header('{"alg":"HS123"}', 'HS123')
def test_validate_header_without_quotes(self):
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header('{alg:"RS256"}', 'RS256')
def test_verify_empty_header_fails(self):
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header('{}', 'ES256')
def test_create_verify_different_algorithms_fails(self):
encoded_header = _jwt_format.create_header('HS256', None, None)
json_header = _jwt_format.decode_header(encoded_header)
header = _json_util.json_loads(json_header)
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'ES256')
def test_verify_empty_header_fails(self):
header = _jwt_format.encode_header({})
with self.assertRaises(_jwt_error.JwtInvalidError):
_jwt_format.validate_header(header, 'ES256')
def test_validate_header_ignores_typ(self):
_jwt_format.validate_header('{"alg":"HS256","typ":"unknown"}', 'HS256')