# Personality
#### Authorization using JWT

Import JWT library

In [56]:
import jwt
from jwt import PyJWKClient
from ecdsa import SigningKey, NIST256p

Import library for trillian API

In [57]:
import grpc
import trillian_admin_api_pb2_grpc
import trillian_admin_api_pb2
import crypto.keyspb.keyspb_pb2
from google.protobuf import duration_pb2
import trillian_log_api_pb2_grpc
import trillian_log_api_pb2

Class of the authorization server

In [58]:
class authorization_server:
    def __init__(self):
        '''Initialize the authorization server with its key pair and the token count'''
        sk = SigningKey.generate(curve=NIST256p)
        self.sk = sk.to_pem()
        pk = sk.verifying_key
        self.pk = pk.to_pem()
        self.id = 1
        
        
    def generate_jwt(self, client='C', resource='R', key_algorithm='ES256'):
        token = jwt.encode(payload={'id':self.id, 'client':client, 'resource':resource}, 
                           key=self.sk, algorithm=key_algorithm)
        self.id+=1
        return token

Class of the personality

In [166]:
class trillian:
    def __init__(self, key_algorithm=['ES256'], resource_server={}, clients={}):
        '''Initialize the trillian personality with its key pair, 
        the allowed algorithms and the dictionaries of the resource 
        servers and clients that are added to the Merkle Tree. Start 
        also the services to communicate with the Trillian server'''
        sk = SigningKey.generate(curve=NIST256p)
        self.sk = sk.to_pem()
        pk = sk.verifying_key
        self.pk = pk.to_pem()
        self.allowed_algorithms = key_algorithm
        self.server = resource_server
        self.clients = clients
        #Open the connection with the Trillian server and the service to use the API
        channel = grpc.insecure_channel('localhost:8090')
        self.stub = trillian_admin_api_pb2_grpc.TrillianAdminStub(channel)
        self.stub2 = trillian_log_api_pb2_grpc.TrillianLogStub(channel)
        #Create the three and initialize it
        self.tree_id = self.create_tree()
        self.init_log(self.tree_id)
        
        
    def create_tree(self):
        time=duration_pb2.Duration(seconds=3600)
        response = self.stub.CreateTree(trillian_admin_api_pb2. \
        CreateTreeRequest(tree={"tree_state":'ACTIVE',"tree_type":'LOG', \
        "hash_strategy":'RFC6962_SHA256', "hash_algorithm":'SHA256', \
        "signature_algorithm":'ECDSA', "display_name":'', \
        "description":'',"max_root_duration":time}, \
        key_spec=crypto.keyspb.keyspb_pb2.Specification \
        (ecdsa_params={"curve":'P256'})))
        return response.tree_id
    
    
    def init_log(self,tree_id):
        response = self.stub2.InitLog(trillian_log_api_pb2. \
        InitLogRequest(log_id=tree_id, \
        charge_to=trillian_log_api_pb2.ChargeTo(user='test')))
        return response
        
        
    def queue_leaf(self,tree_id,leaf_value,extra_data=''):
        '''Insert a leaf in the tree'''
        response = self.stub2.QueueLeaf(trillian_log_api_pb2. \
        QueueLeafRequest(log_id=tree_id, \
        leaf={'leaf_value':f'{leaf_value}'.encode(),'extra_data':f'{extra_data}'.encode()}))
        return response
        
        
    def inclusion_proof(self,tree_id,leaf_id):
        '''Return the inclusion proof for a leaf, indicated with his id, 
        for a specific size of the tree'''
        response = self.stub2.GetInclusionProof(trillian_log_api_pb2. \
        GetInclusionProofRequest(log_id=tree_id, 
        leaf_index=leaf_id, tree_size=leaf_id+1))
        return response

        
    def update_info(self,data):
        '''Update the dictionary of clients and servers that are added
        to the log'''
        if data["resource"] in self.server.keys():
            self.server[data["resource"]].append(data["client"])
        else:
            self.server[data["resource"]] = [data["client"]]
        if data["client"] in self.clients.keys():
            self.clients[data["client"]].append(data["resource"])
        else:
            self.clients[data["client"]] = [data["resource"]]
        
    
    def decode_jwt(self, token, auth_pk):
        '''Decode a JWT'''
        data = jwt.decode(jwt=token, key=auth_pk, algorithms=self.allowed_algorithms)
        leaf_value = data["client"]+" allowed in "+data["resource"]
        leaf_id = data["id"]
        print(f'Leaf value: {leaf_value}')
        leaf_added = self.queue_leaf(self.tree_id,leaf_value)
        print(f'Leaf added:\n{leaf_added}')
        inclusion_proof = self.inclusion_proof(self.tree_id,leaf_id)
        print(f'Inclusion Proof:\n{inclusion_proof}')
        if leaf_added.queued_leaf.leaf.leaf_index != -1:
            self.update_info(data)
        else:
            print("Leaf already present in the log")
        return data
    
    
    def check_server(self, server):
        '''Check if a server is in the log and, if it is, print clients
        that are allowed to access it'''
        try:
            return self.server[f"{server}"]
        except KeyError:
            print("The server is not present in the log")
        
        
    def check_client(self, client):
        '''Check if a client is in the log and, if it is, print servers
        that he has permission to access'''
        try:
            return self.clients[f"{client}"]
        except:
            print("The client is not present in the log")

Create the 2 object

In [167]:
auth = authorization_server()
personality = trillian()

The authorization server creates the token. The trillian personality decodes the token,
add the leaf at the Merkle Tree and send back to the authorization server the Inclusion proof

In [175]:
token = auth.generate_jwt(client='I',resource='P')
print(f'Token: {token}')
data = personality.decode_jwt(token,auth.pk)
print(data)

Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpZCI6NiwiY2xpZW50IjoiSSIsInJlc291cmNlIjoiUCJ9.FLWSNGnMVE_JYrVMw8FFm6Bcempxp5Eu4hTmMEGe-VUXcnxZ3xr5d-5voaWptC9JGoP-lwfqIgp3CCNOMdRMwQ
Leaf value: I allowed in P
Leaf added:
queued_leaf {
  leaf {
    merkle_leaf_hash: "\252d\304t[\221<7e\tYs,\344\3263\t\026\331zZ\033\312~.p4\314\365\034\006B"
    leaf_value: "I allowed in P"
    leaf_identity_hash: "\252d\304t[\221<7e\tYs,\344\3263\t\026\331zZ\033\312~.p4\314\365\034\006B"
    queue_timestamp {
      seconds: 1617918575
      nanos: 341079374
    }
  }
}

Inclusion Proof:
signed_log_root {
  key_hint: "q\025\302e\276R\372G"
  log_root: "\000\001\000\000\000\000\000\000\000\004 \237\264vA\321gm\014\023\341\316\316\353[\310\177\257\374j\364 8\275\036\0374\250\'\342]:\350\026t\000[\017\225B\243\000\000\000\000\000\000\000\004\000\000"
  log_root_signature: "0E\002 <\340\347O\000\206\307\302]n\337\362jT\036\311W;)\200\350~\024C\341\313\257a\260N\006\031\002!\000\300\013\362,\346K:d%x\355\311\03

The dictionaries of the servers and clients added to the log 

In [171]:
print(personality.server)
print(personality.clients)

{'F': ['Y']}
{'Y': ['F']}


In [128]:
personality.check_server('F')

['B', 'C', 'Y']

#### Test JWT

Create the signing/verifying key for the authorization server

In [14]:
sk = SigningKey.generate(curve=NIST256p)
#sk_string = sk.to_string()
#sk2 = SigningKey.from_string(sk_string, curve=NIST256p)
vk = sk.verifying_key
vk_pem = vk.to_pem()  #Public Key for verify
sk_pem = sk.to_pem()  #Secret Key for sign

In [29]:
print(vk_pem)
print(sk_pem)

b'-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdXv6o6c1Uo5PGMi6FJK3kRTd2jjN\nVD+wmmq01J/38Jwhc43c0Upwy8j5OFigcy9J08Jg/WQMsTBgWkxG5+zqFw==\n-----END PUBLIC KEY-----\n'
b'-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIGvKiSw+39LIEydKYSnxdXy4x7Vf9S6WyfRr/i+zHKuGoAoGCCqGSM49\nAwEHoUQDQgAEdXv6o6c1Uo5PGMi6FJK3kRTd2jjNVD+wmmq01J/38Jwhc43c0Upw\ny8j5OFigcy9J08Jg/WQMsTBgWkxG5+zqFw==\n-----END EC PRIVATE KEY-----\n'


Create JWT

In [23]:
jwt.encode(payload={'id':'1', 'client':'C', 'resource':'R'}, key=sk_pem, algorithm='ES256')

'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpZCI6IjEiLCJjbGllbnQiOiJDIiwicmVzb3VyY2UiOiJSIn0.XWVtCm-sdYSoHW5G0B_k4z7ZoGip_3JKlToEM3sNmXVm34ffIPmxBPhgqtxvCP7t_y98VoJgv9ggHaWIV0VkDQ'

Decode JWT

In [28]:
token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpZCI6IjEiLCJjbGllbnQiOiJDIiwicmVzb3VyY2UiOiJSIn0.XWVtCm-sdYSoHW5G0B_k4z7ZoGip_3JKlToEM3sNmXVm34ffIPmxBPhgqtxvCP7t_y98VoJgv9ggHaWIV0VkDQ'
#kid = "NEE1QURBOTM4MzI5RkFDNTYxOTU1MDg2ODgwQ0UzMTk1QjYyRkRFQw"  #Key ID
#url = "https://dev-87evx9ru.auth0.com/.well-known/jwks.json"
#jwks_client = PyJWKClient(url)
#signing_key = jwks_client.get_signing_key_from_jwt(token)
data = jwt.decode( \
        jwt=token, \
        key=vk_pem, \
        algorithms=["ES256"], \
 #       audience="https://expenses-api", \
 #       options={"verify_exp": False}, \
    )
print(data)

{'id': '1', 'client': 'C', 'resource': 'R'}
