""" Test verification of tokens whose header declares alg "none" """
# pylint: disable=wrong-import-order
from test.common import payload, generated_key
from test import python_jwt as jwt
from datetime import timedelta
from pyvows import Vows, expect
from jwcrypto.jwt import JWK
from jwcrypto.common import base64url_encode
# JWT from @timmclean
# Unsigned token: header {"typ":"JWT","alg":"none"}, claims
# {"iat":0,"nbf":0,"exp":1e20}, and an empty signature segment (the trailing ".").
# The far-future exp means any rejection in the vows below comes from the
# algorithm check, not from expiry.
jwt_alg_none = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpYXQiOjAsIm5iZiI6MCwiZXhwIjoxZTIwfQ."
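@Vows.batch
class AlgNoneVerification(Vows.Context):
    """ Check that a token whose header declares alg "none" is accepted only
    when the caller explicitly allows "none" and supplies no key, and is
    rejected in every other combination.

    This is the alg-none downgrade check: an unsigned token must never pass a
    verifier that was given a key, nor one that did not opt in to "none".
    Each nested context calls jwt.verify_jwt on the same token with a
    different (key, allowed_algs) combination.
    """
    def topic(self):
        """ Return the unsigned alg-none token shared by all sub-contexts """
        return jwt_alg_none

    class VerifyJWTNoPublicKeyNoneAllowed(Vows.Context):
        """ No key and "none" explicitly allowed: the only combination that
        is expected to succeed """
        def topic(self, topic):
            """ Verify with no key and allowed_algs=['none'] """
            return jwt.verify_jwt(topic, None, ['none'])

        def token_should_verify(self, r):
            """ verify_jwt returns a tuple on success """
            expect(r).to_be_instance_of(tuple)

    class VerifyJWTPublicKeyNoneAllowed(Vows.Context):
        """ Key supplied and "none" allowed: jwcrypto refuses to verify a
        "none" signature against a key, so this must still fail """
        @Vows.capture_error
        def topic(self, topic):
            """ Verify with an arbitrary symmetric key and allowed_algs=['none'] """
            return jwt.verify_jwt(topic, JWK(kty='oct', k=base64url_encode('anysecrethere')), ['none'])

        def token_should_not_verify(self, r):
            """ Should not verify because jwcrypto doesn't support verifying none alg.

            Only jwcrypto's own message is checked. The previously asserted
            full string embedded nested exception reprs, whose formatting
            changes between Python versions (e.g. the trailing ",)" in
            single-argument exception reprs was dropped in 3.7), so an exact
            match broke without any change in behaviour. """
            expect(r).to_be_an_error()
            expect(str(r)).to_include('The "none" signature cannot be verified')

    class VerifyJWTPublicKeyNoneNotAllowed(Vows.Context):
        """ Key supplied, allowed_algs left at its default: "none" is rejected
        by the allowed-algorithms check """
        @Vows.capture_error
        def topic(self, topic):
            """ Verify with an arbitrary symmetric key and default allowed_algs """
            return jwt.verify_jwt(topic, JWK(kty='oct', k=base64url_encode('anysecrethere')))

        def token_should_fail_to_verify_when_pub_key_specified(self, r):
            """ Rejected because "none" is not among the default allowed algorithms """
            expect(r).to_be_an_error()
            expect(str(r)).to_equal('algorithm not allowed: none')

    class VerifyJWTNoPublicKeyNoneNotAllowed(Vows.Context):
        """ No key and allowed_algs left at its default: "none" is still
        rejected, i.e. omitting the key is not an implicit opt-in to "none" """
        @Vows.capture_error
        def topic(self, topic):
            """ Verify with no key and default allowed_algs """
            return jwt.verify_jwt(topic)

        def token_should_fail_to_verify_when_no_pub_key(self, r):
            """ Rejected because "none" is not among the default allowed algorithms """
            expect(r).to_be_an_error()
            expect(str(r)).to_equal('algorithm not allowed: none')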
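@Vows.batch
class AlgNoneVerification2(Vows.Context):
    """ Check that a properly signed (RS256) token is rejected when the
    verifier is given no key, even though RS256 itself is allowed.

    Complements AlgNoneVerification: a missing key must not silently turn
    verification into an unsigned check.
    """
    def topic(self):
        """ Generate an RS256-signed token valid for 10 seconds """
        return jwt.generate_jwt(payload, generated_key, 'RS256', timedelta(seconds=10))

    class VerifyJWTNoPublicKeyAlgButNotNoneAllowed(Vows.Context):
        """ No key, allowed_algs=['RS256'] """
        @Vows.capture_error
        def topic(self, topic):
            """ Verify with no key, allowing only RS256 """
            return jwt.verify_jwt(topic, None, ['RS256'])

        def token_should_fail_to_verify_when_no_pub_key(self, r):
            """ Rejected with python_jwt's "no key" error: a missing key is
            only acceptable when "none" is an allowed algorithm """
            expect(r).to_be_an_error()
            expect(str(r)).to_equal('no key but none alg not allowed')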