Python jws.JWS属性代码示例

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def _get_keyset(self, kid=None):
        """
        Get keyset from available sources.

        If using a RSA key, forcefully set the key id
        to match the one from the JWT token.
        """
        keyset = []

        if self.keyset_url:
            # TODO: Improve support for keyset handling, handle errors.
            keyset.extend(load_jwks_from_url(self.keyset_url))

        if self.public_key and kid:
            # Fill in key id of stored key.
            # This is needed because if the JWS is signed with a
            # key with a kid, pyjwkest doesn't match them with
            # keys without kid (kid=None) and fails verification
            self.public_key.kid = kid

            # Add to keyset
            keyset.append(self.public_key)

        return keyset 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def encode_and_sign(self, message, expiration=None):
        """
        Encode and sign JSON with RSA key
        """
        if not self.key:
            raise exceptions.RsaKeyNotSet()

        _message = copy.deepcopy(message)

        # Set iat and exp if expiration is set
        if expiration:
            _message.update({
                "iat": int(round(time.time())),
                "exp": int(round(time.time()) + expiration),
            })

        # The class instance that sets up the signing operation
        # An RS 256 key is required for LTI 1.3
        _jws = JWS(_message, alg="RS256", cty="JWT")

        # Encode and sign LTI message
        return _jws.sign_compact([self.key]) 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def _consent_registration(self, consent_args):
        """
        Register a request at the consent service

        :type consent_args: dict
        :rtype: str

        :param consent_args: All necessary parameters for the consent request
        :return: Ticket received from the consent service
        """
        jws = JWS(json.dumps(consent_args), alg=self.signing_key.alg).sign_compact([self.signing_key])
        request = "{}/creq/{}".format(self.api_url, jws)
        res = requests.get(request)

        if res.status_code != 200:
            raise UnexpectedResponseError("Consent service error: %s %s", res.status_code, res.text)

        return res.text 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def test_existing_account_linking_with_known_known_uuid(self, account_linking_config, internal_response, context):
        uuid = "uuid"
        data = {
            "idp": internal_response.auth_info.issuer,
            "id": internal_response.subject_id,
            "redirect_endpoint": self.account_linking.base_url + "/account_linking/handle_account_linking"
        }
        key = RSAKey(key=rsa_load(account_linking_config["sign_key"]), use="sig", alg="RS256")
        jws = JWS(json.dumps(data), alg=key.alg).sign_compact([key])
        responses.add(
            responses.GET,
            "%s/get_id?jwt=%s" % (account_linking_config["api_url"], jws),
            status=200,
            body=uuid,
            content_type="text/html",
            match_querystring=True
        )

        self.account_linking.process(context, internal_response)
        assert internal_response.subject_id == uuid 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def test_authorization_code(self):
        """
        We MUST validate the signature of the ID Token according to JWS
        using the algorithm specified in the alg Header Parameter of
        the JOSE Header.
        """
        SIGKEYS = self._get_keys()
        code = self._create_code()

        post_data = self._auth_code_post_data(code=code.code)

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        id_token = JWS().verify_compact(response_dic['id_token'].encode('utf-8'), SIGKEYS)

        token = Token.objects.get(user=self.user)
        self.assertEqual(response_dic['access_token'], token.access_token)
        self.assertEqual(response_dic['refresh_token'], token.refresh_token)
        self.assertEqual(response_dic['token_type'], 'bearer')
        self.assertEqual(response_dic['expires_in'], 720)
        self.assertEqual(id_token['sub'], str(self.user.id))
        self.assertEqual(id_token['aud'], self.client.client_id) 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def test_idtoken_sign_validation(self):
        """
        We MUST validate the signature of the ID Token according to JWS
        using the algorithm specified in the alg Header Parameter of
        the JOSE Header.
        """
        SIGKEYS = self._get_keys()
        RSAKEYS = [k for k in SIGKEYS if k.kty == 'RSA']

        code = self._create_code()

        post_data = self._auth_code_post_data(code=code.code)

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        JWS().verify_compact(response_dic['id_token'].encode('utf-8'), RSAKEYS) 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def create_jwt(self, user):
        """
        Creates a signed (JWS) ID token.

        Returns:
            str: JWS
        """
        key = SYMKey(key=self.site.siteconfiguration.oauth_settings['SOCIAL_AUTH_EDX_OAUTH2_SECRET'])
        now = datetime.datetime.utcnow()
        expiration_datetime = now + datetime.timedelta(seconds=3600)
        issue_datetime = now
        payload = {
            'iss': self.site.siteconfiguration.lms_url_root,
            'administrator': False,
            'iat': timegm(issue_datetime.utctimetuple()),
            'sub': str(uuid.uuid4()),
            'preferred_username': user.username,
            'aud': self.site.siteconfiguration.oauth_settings['SOCIAL_AUTH_EDX_OAUTH2_KEY'],
            'exp': timegm(expiration_datetime.utctimetuple()),
        }
        access_token = JWS(payload, jwk=key, alg='HS512').sign_compact()
        return access_token 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def generate_jws(self, **kwargs):
        return JWS(self.generate_jws_dict(**kwargs), jwk=self.key, alg='RS256').sign_compact() 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def test_cannot_validate_an_id_token_with_multiple_audiences_but_no_authorized_party(self):
        jws_dict = self.generate_jws_dict()
        jws_dict['aud'] = [oidc_rp_settings.CLIENT_ID, '2']
        jws_dict.pop('azp')
        jws = JWS(jws_dict, jwk=self.key, alg='RS256').sign_compact()
        with pytest.raises(SuspiciousOperation):
            validate_and_return_id_token(jws) 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def _get_jwks_keys(shared_key):
    """ Returns JWKS keys used to decrypt id_token values. """
    # The OpenID Connect Provider (OP) uses RSA keys to sign/enrypt ID tokens and generate public
    # keys allowing to decrypt them. These public keys are exposed through the 'jwks_uri' and should
    # be used to decrypt the JWS - JSON Web Signature.
    jwks_keys = KEYS()
    jwks_keys.load_from_url(oidc_rp_settings.PROVIDER_JWKS_ENDPOINT)
    # Adds the shared key (which can correspond to the client_secret) as an oct key so it can be
    # used for HMAC signatures.
    jwks_keys.add({'key': smart_bytes(shared_key), 'kty': 'oct'})
    return jwks_keys 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def validate_and_decode(self, token):
        """
        Check if a message sent by the tool is valid.

        From https://www.imsglobal.org/spec/security/v1p0/#using-oauth-2-0-client-credentials-grant:

        The authorization server decodes the JWT and MUST validate the values for the
        iss, sub, exp, aud and jti claims.
        """
        try:
            # Get KID from JWT header
            jwt = JWT().unpack(token)

            # Verify message signature
            message = JWS().verify_compact(
                token,
                keys=self._get_keyset(
                    jwt.headers.get('kid')
                )
            )

            # If message is valid, check expiration from JWT
            if 'exp' in message and message['exp'] < time.time():
                raise exceptions.TokenSignatureExpired()

            # TODO: Validate other JWT claims

            # Else returns decoded message
            return message

        except NoSuitableSigningKeys:
            raise exceptions.NoSuitableKeys()
        except BadSyntax:
            raise exceptions.MalformedJwtToken()
        except WrongNumberOfParts:
            raise exceptions.MalformedJwtToken() 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def _decode_token(self, token):
        """
        Checks for a valid signarute and decodes JWT signed LTI message

        This also tests the public keyset function.
        """
        public_keyset = self.lti_consumer.get_public_keyset()
        key_set = load_jwks(json.dumps(public_keyset))

        return JWS().verify_compact(token, keys=key_set) 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def _decode_token(self, token):
        """
        Checks for a valid signarute and decodes JWT signed LTI message

        This also touches the public keyset method.
        """
        public_keyset = self.key_handler.get_public_jwk()
        key_set = load_jwks(json.dumps(public_keyset))

        return JWS().verify_compact(token, keys=key_set) 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def get_jwt_claims(self, auth_token):
        """Decodes the auth_token into JWT claims represented as a JSON object.

        This method first tries to look up the cache and returns the result
        immediately in case of a cache hit. When cache misses, the method tries to
        decode the given auth token, verify its signature, and check the existence
        of required JWT claims. When successful, the decoded JWT claims are loaded
        into the cache and then returned.

        Args:
          auth_token: the auth token to be decoded.

        Returns:
          The decoded JWT claims.

        Raises:
          UnauthenticatedException: When the signature verification fails, or when
            required claims are missing.
        """

        def _decode_and_verify():
            jwt_claims = jwt.JWT().unpack(auth_token).payload()
            _verify_required_claims_exist(jwt_claims)

            issuer = jwt_claims[u"iss"]
            keys = self._jwks_supplier.supply(issuer)
            try:
                return jws.JWS().verify_compact(auth_token, keys)
            except (jwkest.BadSignature, jws.NoSuitableSigningKeys,
                    jws.SignerAlgError) as exception:
                raise suppliers.UnauthenticatedException(u"Signature verification failed",
                                                         exception)

        return self._cache.get_or_create(auth_token, _decode_and_verify) 

# 需要导入模块: from jwkest import jws [as 别名]
# 或者: from jwkest.jws import JWS [as 别名]
def generate_auth_token(payload, keys, alg=u"ES256", kid=None):
    json_web_signature = jws.JWS(json.dumps(payload), alg=alg, kid=kid)
    return json_web_signature.sign_compact(keys=keys)