Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-auth-library-python / cfbfd25ddeaefd6c484541922b8da6bb1ebf9c36 / . / tests / test_jwt.py
blob: 22c5bc5386496c8dd38ccec654c106fbcd25f25c [file] [log] [blame]
Jon Wayne Parrott5824ad82016-10-06 09:27:44 -0700[diff] [blame]1# Copyright 2014 Google Inc.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15import base64
16import datetime
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]17import json
Jon Wayne Parrott5824ad82016-10-06 09:27:44 -0700[diff] [blame]18import os
19
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]20import mock
Jon Wayne Parrott5824ad82016-10-06 09:27:44 -0700[diff] [blame]21import pytest
22
23from google.auth import _helpers
24from google.auth import crypt
Jon Wayne Parrottcfbfd252017-03-28 13:03:11 -0700[diff] [blame^]25from google.auth import exceptions
Jon Wayne Parrott5824ad82016-10-06 09:27:44 -0700[diff] [blame]26from google.auth import jwt
27
28
29DATA_DIR = os.path.join(os.path.dirname(__file__), 'data')
30
31with open(os.path.join(DATA_DIR, 'privatekey.pem'), 'rb') as fh:
32 PRIVATE_KEY_BYTES = fh.read()
33
34with open(os.path.join(DATA_DIR, 'public_cert.pem'), 'rb') as fh:
35 PUBLIC_CERT_BYTES = fh.read()
36
37with open(os.path.join(DATA_DIR, 'other_cert.pem'), 'rb') as fh:
38 OTHER_CERT_BYTES = fh.read()
39
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]40SERVICE_ACCOUNT_JSON_FILE = os.path.join(DATA_DIR, 'service_account.json')
41
42with open(SERVICE_ACCOUNT_JSON_FILE, 'r') as fh:
43 SERVICE_ACCOUNT_INFO = json.load(fh)
44
Jon Wayne Parrott5824ad82016-10-06 09:27:44 -0700[diff] [blame]45
46@pytest.fixture
47def signer():
Jon Wayne Parrott254befe2017-02-22 14:37:31 -0800[diff] [blame]48 return crypt.RSASigner.from_string(PRIVATE_KEY_BYTES, '1')
Jon Wayne Parrott5824ad82016-10-06 09:27:44 -0700[diff] [blame]49
50
51def test_encode_basic(signer):
52 test_payload = {'test': 'value'}
53 encoded = jwt.encode(signer, test_payload)
54 header, payload, _, _ = jwt._unverified_decode(encoded)
55 assert payload == test_payload
56 assert header == {'typ': 'JWT', 'alg': 'RS256', 'kid': signer.key_id}
57
58
59def test_encode_extra_headers(signer):
60 encoded = jwt.encode(signer, {}, header={'extra': 'value'})
61 header = jwt.decode_header(encoded)
62 assert header == {
63 'typ': 'JWT', 'alg': 'RS256', 'kid': signer.key_id, 'extra': 'value'}
64
65
66@pytest.fixture
67def token_factory(signer):
68 def factory(claims=None, key_id=None):
69 now = _helpers.datetime_to_secs(_helpers.utcnow())
70 payload = {
71 'aud': 'audience@example.com',
72 'iat': now,
73 'exp': now + 300,
74 'user': 'billy bob',
75 'metadata': {'meta': 'data'}
76 }
77 payload.update(claims or {})
78
79 # False is specified to remove the signer's key id for testing
80 # headers without key ids.
81 if key_id is False:
Jon Wayne Parrott254befe2017-02-22 14:37:31 -0800[diff] [blame]82 signer._key_id = None
Jon Wayne Parrott5824ad82016-10-06 09:27:44 -0700[diff] [blame]83 key_id = None
84
85 return jwt.encode(signer, payload, key_id=key_id)
86 return factory
87
88
89def test_decode_valid(token_factory):
90 payload = jwt.decode(token_factory(), certs=PUBLIC_CERT_BYTES)
91 assert payload['aud'] == 'audience@example.com'
92 assert payload['user'] == 'billy bob'
93 assert payload['metadata']['meta'] == 'data'
94
95
96def test_decode_valid_with_audience(token_factory):
97 payload = jwt.decode(
98 token_factory(), certs=PUBLIC_CERT_BYTES,
99 audience='audience@example.com')
100 assert payload['aud'] == 'audience@example.com'
101 assert payload['user'] == 'billy bob'
102 assert payload['metadata']['meta'] == 'data'
103
104
105def test_decode_valid_unverified(token_factory):
106 payload = jwt.decode(token_factory(), certs=OTHER_CERT_BYTES, verify=False)
107 assert payload['aud'] == 'audience@example.com'
108 assert payload['user'] == 'billy bob'
109 assert payload['metadata']['meta'] == 'data'
110
111
112def test_decode_bad_token_wrong_number_of_segments():
113 with pytest.raises(ValueError) as excinfo:
114 jwt.decode('1.2', PUBLIC_CERT_BYTES)
115 assert excinfo.match(r'Wrong number of segments')
116
117
118def test_decode_bad_token_not_base64():
119 with pytest.raises((ValueError, TypeError)) as excinfo:
120 jwt.decode('1.2.3', PUBLIC_CERT_BYTES)
121 assert excinfo.match(r'Incorrect padding')
122
123
124def test_decode_bad_token_not_json():
125 token = b'.'.join([base64.urlsafe_b64encode(b'123!')] * 3)
126 with pytest.raises(ValueError) as excinfo:
127 jwt.decode(token, PUBLIC_CERT_BYTES)
128 assert excinfo.match(r'Can\'t parse segment')
129
130
131def test_decode_bad_token_no_iat_or_exp(signer):
132 token = jwt.encode(signer, {'test': 'value'})
133 with pytest.raises(ValueError) as excinfo:
134 jwt.decode(token, PUBLIC_CERT_BYTES)
135 assert excinfo.match(r'Token does not contain required claim')
136
137
138def test_decode_bad_token_too_early(token_factory):
139 token = token_factory(claims={
140 'iat': _helpers.datetime_to_secs(
141 _helpers.utcnow() + datetime.timedelta(hours=1))
142 })
143 with pytest.raises(ValueError) as excinfo:
144 jwt.decode(token, PUBLIC_CERT_BYTES)
145 assert excinfo.match(r'Token used too early')
146
147
148def test_decode_bad_token_expired(token_factory):
149 token = token_factory(claims={
150 'exp': _helpers.datetime_to_secs(
151 _helpers.utcnow() - datetime.timedelta(hours=1))
152 })
153 with pytest.raises(ValueError) as excinfo:
154 jwt.decode(token, PUBLIC_CERT_BYTES)
155 assert excinfo.match(r'Token expired')
156
157
158def test_decode_bad_token_wrong_audience(token_factory):
159 token = token_factory()
160 audience = 'audience2@example.com'
161 with pytest.raises(ValueError) as excinfo:
162 jwt.decode(token, PUBLIC_CERT_BYTES, audience=audience)
163 assert excinfo.match(r'Token has wrong audience')
164
165
166def test_decode_wrong_cert(token_factory):
167 with pytest.raises(ValueError) as excinfo:
168 jwt.decode(token_factory(), OTHER_CERT_BYTES)
169 assert excinfo.match(r'Could not verify token signature')
170
171
172def test_decode_multicert_bad_cert(token_factory):
173 certs = {'1': OTHER_CERT_BYTES, '2': PUBLIC_CERT_BYTES}
174 with pytest.raises(ValueError) as excinfo:
175 jwt.decode(token_factory(), certs)
176 assert excinfo.match(r'Could not verify token signature')
177
178
179def test_decode_no_cert(token_factory):
180 certs = {'2': PUBLIC_CERT_BYTES}
181 with pytest.raises(ValueError) as excinfo:
182 jwt.decode(token_factory(), certs)
183 assert excinfo.match(r'Certificate for key id 1 not found')
184
185
186def test_decode_no_key_id(token_factory):
187 token = token_factory(key_id=False)
188 certs = {'2': PUBLIC_CERT_BYTES}
189 payload = jwt.decode(token, certs)
190 assert payload['user'] == 'billy bob'
191
192
193def test_roundtrip_explicit_key_id(token_factory):
194 token = token_factory(key_id='3')
195 certs = {'2': OTHER_CERT_BYTES, '3': PUBLIC_CERT_BYTES}
196 payload = jwt.decode(token, certs)
197 assert payload['user'] == 'billy bob'
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]198
199
Jon Wayne Parrottcfbfd252017-03-28 13:03:11 -0700[diff] [blame^]200class TestCredentials(object):
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]201 SERVICE_ACCOUNT_EMAIL = 'service-account@example.com'
202 SUBJECT = 'subject'
203 AUDIENCE = 'audience'
204 ADDITIONAL_CLAIMS = {'meta': 'data'}
205 credentials = None
206
207 @pytest.fixture(autouse=True)
208 def credentials_fixture(self, signer):
209 self.credentials = jwt.Credentials(
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]210 signer, self.SERVICE_ACCOUNT_EMAIL, self.SERVICE_ACCOUNT_EMAIL,
211 self.AUDIENCE)
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]212
213 def test_from_service_account_info(self):
214 with open(SERVICE_ACCOUNT_JSON_FILE, 'r') as fh:
215 info = json.load(fh)
216
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]217 credentials = jwt.Credentials.from_service_account_info(
218 info, audience=self.AUDIENCE)
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]219
220 assert credentials._signer.key_id == info['private_key_id']
221 assert credentials._issuer == info['client_email']
222 assert credentials._subject == info['client_email']
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]223 assert credentials._audience == self.AUDIENCE
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]224
225 def test_from_service_account_info_args(self):
226 info = SERVICE_ACCOUNT_INFO.copy()
227
228 credentials = jwt.Credentials.from_service_account_info(
229 info, subject=self.SUBJECT, audience=self.AUDIENCE,
230 additional_claims=self.ADDITIONAL_CLAIMS)
231
232 assert credentials._signer.key_id == info['private_key_id']
233 assert credentials._issuer == info['client_email']
234 assert credentials._subject == self.SUBJECT
235 assert credentials._audience == self.AUDIENCE
236 assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
237
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]238 def test_from_service_account_file(self):
239 info = SERVICE_ACCOUNT_INFO.copy()
240
241 credentials = jwt.Credentials.from_service_account_file(
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]242 SERVICE_ACCOUNT_JSON_FILE, audience=self.AUDIENCE)
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]243
244 assert credentials._signer.key_id == info['private_key_id']
245 assert credentials._issuer == info['client_email']
246 assert credentials._subject == info['client_email']
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]247 assert credentials._audience == self.AUDIENCE
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]248
249 def test_from_service_account_file_args(self):
250 info = SERVICE_ACCOUNT_INFO.copy()
251
252 credentials = jwt.Credentials.from_service_account_file(
253 SERVICE_ACCOUNT_JSON_FILE, subject=self.SUBJECT,
254 audience=self.AUDIENCE, additional_claims=self.ADDITIONAL_CLAIMS)
255
256 assert credentials._signer.key_id == info['private_key_id']
257 assert credentials._issuer == info['client_email']
258 assert credentials._subject == self.SUBJECT
259 assert credentials._audience == self.AUDIENCE
260 assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
261
Jon Wayne Parrottb8f48d02017-02-24 09:03:24 -0800[diff] [blame]262 def test_from_signing_credentials(self):
263 jwt_from_signing = self.credentials.from_signing_credentials(
264 self.credentials,
265 audience=mock.sentinel.new_audience)
266 jwt_from_info = jwt.Credentials.from_service_account_info(
267 SERVICE_ACCOUNT_INFO,
268 audience=mock.sentinel.new_audience)
269
270 assert isinstance(jwt_from_signing, jwt.Credentials)
271 assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
272 assert jwt_from_signing._issuer == jwt_from_info._issuer
273 assert jwt_from_signing._subject == jwt_from_info._subject
274 assert jwt_from_signing._audience == jwt_from_info._audience
275
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]276 def test_default_state(self):
277 assert not self.credentials.valid
278 # Expiration hasn't been set yet
279 assert not self.credentials.expired
280
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]281 def test_with_claims(self):
282 new_audience = 'new_audience'
283 new_credentials = self.credentials.with_claims(
284 audience=new_audience)
285
286 assert new_credentials._signer == self.credentials._signer
287 assert new_credentials._issuer == self.credentials._issuer
288 assert new_credentials._subject == self.credentials._subject
289 assert new_credentials._audience == new_audience
290 assert (new_credentials._additional_claims ==
291 self.credentials._additional_claims)
292
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]293 def test_sign_bytes(self):
294 to_sign = b'123'
295 signature = self.credentials.sign_bytes(to_sign)
296 assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
297
Jon Wayne Parrottd7221672017-02-16 09:05:11 -0800[diff] [blame]298 def test_signer(self):
Jon Wayne Parrott254befe2017-02-22 14:37:31 -0800[diff] [blame]299 assert isinstance(self.credentials.signer, crypt.RSASigner)
Jon Wayne Parrottd7221672017-02-16 09:05:11 -0800[diff] [blame]300
Jon Wayne Parrott4c883f02016-12-02 14:26:33 -0800[diff] [blame]301 def test_signer_email(self):
302 assert (self.credentials.signer_email ==
303 SERVICE_ACCOUNT_INFO['client_email'])
304
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]305 def _verify_token(self, token):
306 payload = jwt.decode(token, PUBLIC_CERT_BYTES)
307 assert payload['iss'] == self.SERVICE_ACCOUNT_EMAIL
308 return payload
309
310 def test_refresh(self):
311 self.credentials.refresh(None)
312 assert self.credentials.valid
313 assert not self.credentials.expired
314
315 def test_expired(self):
316 assert not self.credentials.expired
317
318 self.credentials.refresh(None)
319 assert not self.credentials.expired
320
321 with mock.patch('google.auth._helpers.utcnow') as now:
322 one_day = datetime.timedelta(days=1)
323 now.return_value = self.credentials.expiry + one_day
324 assert self.credentials.expired
325
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]326 def test_before_request(self):
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]327 headers = {}
328
329 self.credentials.refresh(None)
330 self.credentials.before_request(
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]331 None, 'GET', 'http://example.com?a=1#3', headers)
332
333 header_value = headers['authorization']
334 _, token = header_value.split(' ')
335
336 # Since the audience is set, it should use the existing token.
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]337 assert token.encode('utf-8') == self.credentials.token
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]338
339 payload = self._verify_token(token)
340 assert payload['aud'] == self.AUDIENCE
341
342 def test_before_request_refreshes(self):
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]343 assert not self.credentials.valid
344 self.credentials.before_request(
Jon Wayne Parrottabcd3ed2016-10-17 11:23:47 -0700[diff] [blame]345 None, 'GET', 'http://example.com?a=1#3', {})
Jon Wayne Parrottab086892017-02-23 09:20:14 -0800[diff] [blame]346 assert self.credentials.valid
Jon Wayne Parrottcfbfd252017-03-28 13:03:11 -0700[diff] [blame^]347
348
349class TestOnDemandCredentials(object):
350 SERVICE_ACCOUNT_EMAIL = 'service-account@example.com'
351 SUBJECT = 'subject'
352 ADDITIONAL_CLAIMS = {'meta': 'data'}
353 credentials = None
354
355 @pytest.fixture(autouse=True)
356 def credentials_fixture(self, signer):
357 self.credentials = jwt.OnDemandCredentials(
358 signer, self.SERVICE_ACCOUNT_EMAIL, self.SERVICE_ACCOUNT_EMAIL,
359 max_cache_size=2)
360
361 def test_from_service_account_info(self):
362 with open(SERVICE_ACCOUNT_JSON_FILE, 'r') as fh:
363 info = json.load(fh)
364
365 credentials = jwt.OnDemandCredentials.from_service_account_info(info)
366
367 assert credentials._signer.key_id == info['private_key_id']
368 assert credentials._issuer == info['client_email']
369 assert credentials._subject == info['client_email']
370
371 def test_from_service_account_info_args(self):
372 info = SERVICE_ACCOUNT_INFO.copy()
373
374 credentials = jwt.OnDemandCredentials.from_service_account_info(
375 info, subject=self.SUBJECT,
376 additional_claims=self.ADDITIONAL_CLAIMS)
377
378 assert credentials._signer.key_id == info['private_key_id']
379 assert credentials._issuer == info['client_email']
380 assert credentials._subject == self.SUBJECT
381 assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
382
383 def test_from_service_account_file(self):
384 info = SERVICE_ACCOUNT_INFO.copy()
385
386 credentials = jwt.OnDemandCredentials.from_service_account_file(
387 SERVICE_ACCOUNT_JSON_FILE)
388
389 assert credentials._signer.key_id == info['private_key_id']
390 assert credentials._issuer == info['client_email']
391 assert credentials._subject == info['client_email']
392
393 def test_from_service_account_file_args(self):
394 info = SERVICE_ACCOUNT_INFO.copy()
395
396 credentials = jwt.OnDemandCredentials.from_service_account_file(
397 SERVICE_ACCOUNT_JSON_FILE, subject=self.SUBJECT,
398 additional_claims=self.ADDITIONAL_CLAIMS)
399
400 assert credentials._signer.key_id == info['private_key_id']
401 assert credentials._issuer == info['client_email']
402 assert credentials._subject == self.SUBJECT
403 assert credentials._additional_claims == self.ADDITIONAL_CLAIMS
404
405 def test_from_signing_credentials(self):
406 jwt_from_signing = self.credentials.from_signing_credentials(
407 self.credentials)
408 jwt_from_info = jwt.OnDemandCredentials.from_service_account_info(
409 SERVICE_ACCOUNT_INFO)
410
411 assert isinstance(jwt_from_signing, jwt.OnDemandCredentials)
412 assert jwt_from_signing._signer.key_id == jwt_from_info._signer.key_id
413 assert jwt_from_signing._issuer == jwt_from_info._issuer
414 assert jwt_from_signing._subject == jwt_from_info._subject
415
416 def test_default_state(self):
417 # Credentials are *always* valid.
418 assert self.credentials.valid
419 # Credentials *never* expire.
420 assert not self.credentials.expired
421
422 def test_with_claims(self):
423 new_claims = {'meep': 'moop'}
424 new_credentials = self.credentials.with_claims(
425 additional_claims=new_claims)
426
427 assert new_credentials._signer == self.credentials._signer
428 assert new_credentials._issuer == self.credentials._issuer
429 assert new_credentials._subject == self.credentials._subject
430 assert new_credentials._additional_claims == new_claims
431
432 def test_sign_bytes(self):
433 to_sign = b'123'
434 signature = self.credentials.sign_bytes(to_sign)
435 assert crypt.verify_signature(to_sign, signature, PUBLIC_CERT_BYTES)
436
437 def test_signer(self):
438 assert isinstance(self.credentials.signer, crypt.RSASigner)
439
440 def test_signer_email(self):
441 assert (self.credentials.signer_email ==
442 SERVICE_ACCOUNT_INFO['client_email'])
443
444 def _verify_token(self, token):
445 payload = jwt.decode(token, PUBLIC_CERT_BYTES)
446 assert payload['iss'] == self.SERVICE_ACCOUNT_EMAIL
447 return payload
448
449 def test_refresh(self):
450 with pytest.raises(exceptions.RefreshError):
451 self.credentials.refresh(None)
452
453 def test_before_request(self):
454 headers = {}
455
456 self.credentials.before_request(
457 None, 'GET', 'http://example.com?a=1#3', headers)
458
459 _, token = headers['authorization'].split(' ')
460 payload = self._verify_token(token)
461
462 assert payload['aud'] == 'http://example.com'
463
464 # Making another request should re-use the same token.
465 self.credentials.before_request(
466 None, 'GET', 'http://example.com?b=2', headers)
467
468 _, new_token = headers['authorization'].split(' ')
469
470 assert new_token == token
471
472 def test_expired_token(self):
473 self.credentials._cache['audience'] = (
474 mock.sentinel.token, datetime.datetime.min)
475
476 token = self.credentials._get_jwt_for_audience('audience')
477
478 assert token != mock.sentinel.token