testTestJWT.py

import unittest
import TestJWT
import signatures
from cryptography.hazmat.primitives.serialization import (
    load_pem_private_key, load_pem_public_key
)
from cryptography.hazmat.backends import default_backend

from cryptography.hazmat.primitives.asymmetric.rsa import (
    RSAPublicKey
)

import utils
from utils import rsa_jwks_to_pubkey, rsa_jwk_to_pubkey, rsa_pubkey_to_jwk


class TestTestJWT(unittest.TestCase):

    def setUp(self):
        self.token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.\
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.\
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
        print(self.token)
        _, _, self.sig = self.token.split(".", 3)
        print(self.sig)
        self.secret = "your-256-bit-secret"
        self.tjwt: TestJWT = TestJWT.TestJWT.deserialize(self.token)

    def test_deserialize_no_json(self):
        no_json_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.\
InN1YiI6ICIxMjM0NTY3ODkwIiwibmFtZSI6ICJKb2huIERvZSIsImlhdCI6IDE1MTYyMzkwMjI.\
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
        no_json_tjwt: TestJWT = TestJWT.TestJWT.deserialize(no_json_token)
        no_json_tjwt.show_token()
        self.assertFalse(no_json_tjwt.is_json)
        self.assertEqual("HS256", no_json_tjwt.get_algorithm())
        self.assertEqual("JWT", no_json_tjwt.header['typ'])
        self.assertEqual("\"sub\": \"1234567890\",\"name\": \"John Doe\",\"iat\": 1516239022",
                         no_json_tjwt.get_payload())
        self.assertTrue(self.tjwt.verify_signature(self.secret, self.sig))

    def test_verify(self):
        self.assertTrue(self.tjwt.is_json)
        self.assertEqual("HS256", self.tjwt.get_algorithm())
        self.assertEqual("JWT", self.tjwt.header['typ'])
        self.assertEqual("1234567890", self.tjwt.get_payload()['sub'])
        self.assertEqual(1516239022, self.tjwt.get_payload()['iat'])
        self.assertEqual("John Doe", self.tjwt.get_payload()['name'])
        self.assertTrue(self.tjwt.verify_signature(self.secret, self.sig))

    def test_verification_failed_wrong_secret(self):
        self.assertTrue(self.tjwt.is_json)
        self.assertEqual("HS256", self.tjwt.get_algorithm())
        self.assertEqual("JWT", self.tjwt.header['typ'])
        self.assertEqual("1234567890", self.tjwt.get_payload()['sub'])
        self.assertEqual(1516239022, self.tjwt.get_payload()['iat'])
        self.assertEqual("John Doe", self.tjwt.get_payload()['name'])
        self.assertFalse(self.tjwt.verify_signature("Your-256-bit-secret", self.sig))

    def test_none_signature(self):
        content_to_sign = self.tjwt.build_token_without_signature()
        self.assertEqual(b'', signatures.sign('none', content_to_sign))
        self.assertEqual(b'', signatures.sign('None', content_to_sign))
        self.assertEqual(b'', signatures.sign('NONE', content_to_sign))

    def test_hs256_signature(self):
        test_sig = self.tjwt.compute_signature(self.secret)
        self.assertEqual(utils.force_bytes(self.sig), test_sig)

    def test_hs256_signature2(self):
        ser_token_sig = "dBjftJeZ4CVP - mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
        ser_token = ".".join(["eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9",
                              "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
                              ser_token_sig])
        rsa_token = TestJWT.TestJWT.deserialize(ser_token)
        self.assertEqual("JWT", rsa_token.header['typ'])
        self.assertEqual("HS256", rsa_token.header['alg'])
        self.assertEqual("joe", rsa_token.payload['iss'])
        self.assertEqual(1300819380, rsa_token.payload['exp'])
        self.assertTrue(rsa_token.payload['http://example.com/is_root'])
        rsa_token.verify_signature(
            "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
            ser_token_sig)

    def test_rs256_signature(self):
        rsa256_token_header = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vd2ViaG9vay5zaXRlLzQ4MjAzNjZlLTRhY2YtNDQ5Mi04YjhiLTJmZDRlMGIyNmJlMiJ9"
        rsa256_token_payload = "eyJ1c2VyIjoiYWRtaW4ifQ"
        rsa256_token_signature = "lJSuLrAA6goQ5f2AXYXV25xZ66yuE_aRQlRpTpirSbVN7SxMOFooPkPIywejg1F5F89vFmibY_ATqu5bvyFjX1dIbb-PPFBSyB3AwgeLGq_UXSyRjf2WEw-UWYxq00l6b3f8qOI2nuS8Ea3iy5xfGqc6geUXXtJZN02o-QWoZ0qZ6vECrL3__dwbFQDLdgIw_TPYzrVjjLk69islxE8Vv9G5ZOAtwFZrzcZuTQTMTRJrpMNstuX4gYeJOu7VUWzKoQjT4D_PUX4mB_Sn80JyVMHPjcse_ZtHSkWgse86Gx0-Tmv7B7tqTXNtNfugctrkUxwZM2b0k4XYErnycXK-Bg"
        rsa_token_ser = ".".join([rsa256_token_header, rsa256_token_payload, rsa256_token_signature])
        rsa_token = TestJWT.TestJWT.deserialize(rsa_token_ser)
        # TODO extract load_pem_private_key and load_pem_public_key to utils.py
        pk = load_pem_private_key(utils.read_pem_file("./keys/pk1.pem"), None, default_backend())
        pubkey = load_pem_public_key(utils.read_pem_file("./keys/pubkey1.pem"), default_backend())
        signature = rsa_token.compute_signature(pk)
        self.assertEqual(rsa256_token_signature, utils.force_unicode(signature))
        self.assertTrue(rsa_token.verify_signature(pubkey, utils.base64url_decode(signature)))
        self.assertTrue(rsa_token.verify_signature(pubkey, utils.base64url_decode(rsa256_token_signature)))

    def test_rs256_signature2(self):
        rsa256_token_header = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vd2ViaG9vay5zaXRlLzQ4MjAzNjZlLTRhY2YtNDQ5Mi04YjhiLTJmZDRlMGIyNmJlMiJ9"
        rsa256_token_payload = "eyJ1c2VyIjoiYWRtaW4ifQ"
        rsa256_token_signature = "lJSuLrAA6goQ5f2AXYXV25xZ66yuE_aRQlRpTpirSbVN7SxMOFooPkPIywejg1F5F89vFmibY_ATqu5bvyFjX1dIbb-PPFBSyB3AwgeLGq_UXSyRjf2WEw-UWYxq00l6b3f8qOI2nuS8Ea3iy5xfGqc6geUXXtJZN02o-QWoZ0qZ6vECrL3__dwbFQDLdgIw_TPYzrVjjLk69islxE8Vv9G5ZOAtwFZrzcZuTQTMTRJrpMNstuX4gYeJOu7VUWzKoQjT4D_PUX4mB_Sn80JyVMHPjcse_ZtHSkWgse86Gx0-Tmv7B7tqTXNtNfugctrkUxwZM2b0k4XYErnycXK-Bg"
        rsa_token_ser = ".".join([rsa256_token_header, rsa256_token_payload, rsa256_token_signature])
        rsa_token = TestJWT.TestJWT.deserialize(rsa_token_ser)

        self.assertEqual("RS256", rsa_token.header['alg'])
        self.assertEqual("JWT", rsa_token.header['typ'])
        self.assertEqual("https://webhook.site/4820366e-4acf-4492-8b8b-2fd4e0b26be2", rsa_token.header['jku'])
        self.assertEqual("admin", rsa_token.payload['user'])

        pk = load_pem_private_key(utils.read_pem_file("./keys/pk1.pem"), None, default_backend())
        pubkey = load_pem_public_key(utils.read_pem_file("./keys/pubkey1.pem"), default_backend())
        signature = rsa_token.compute_signature(pk)
        self.assertEqual(rsa256_token_signature, utils.force_unicode(signature))
        self.assertTrue(rsa_token.verify_signature(pubkey, utils.base64url_decode(signature)))
        self.assertTrue(rsa_token.verify_signature(pubkey, utils.base64url_decode(rsa256_token_signature)))

    def test_rsa256_pubkey_to_jwk(self):
        expected_n = b'oGV0P-rgmJd8qEu_0c1YYjNLt8RjBmGcy4X0RXK3lEfHjGWJggkaHFY_zP-m0uWijPl7ASq1gf7cL7w801pLXB_vUqxPyl7rP8ul_4j_ghWjGrl58yNyRBcIVh18HICCqAduvbasehRstSv0JSAP6VArEcpLGOnHI0IILclWjFQf35A4fbsVYbqs2ZUhP7C5Jq36SA5GRqq4QTKuG0YP4t1j9CEEIQUldwHcuoMzBH4GOP0eZd1EkhTw8uQvQeHtao-J0Mfh-ljFC2Rcvoysx6HwGVZIg2DlGiWttYCWzUvc5q2doFIJ640gO9KLFeOC5ebGTwnzJ_Z5jCaim2Eomw'
        expected_e = b'AQAB'
        jwk = rsa_pubkey_to_jwk("./keys/pubkey1.pem", "test_key")
        self.assertEqual(jwk['alg'], "RS256")
        self.assertEqual(jwk['kty'], "RSA")
        self.assertEqual(jwk['kid'], "test_key")
        self.assertEqual(jwk['e'], utils.force_unicode(expected_e))
        self.assertEqual(jwk['n'], utils.force_unicode(expected_n))

    def test_rsa256_jwks_to_pubkey_single_key(self):
        n = b'oGV0P-rgmJd8qEu_0c1YYjNLt8RjBmGcy4X0RXK3lEfHjGWJggkaHFY_zP-m0uWijPl7ASq1gf7cL7w801pLXB_vUqxPyl7rP8ul_4j_ghWjGrl58yNyRBcIVh18HICCqAduvbasehRstSv0JSAP6VArEcpLGOnHI0IILclWjFQf35A4fbsVYbqs2ZUhP7C5Jq36SA5GRqq4QTKuG0YP4t1j9CEEIQUldwHcuoMzBH4GOP0eZd1EkhTw8uQvQeHtao-J0Mfh-ljFC2Rcvoysx6HwGVZIg2DlGiWttYCWzUvc5q2doFIJ640gO9KLFeOC5ebGTwnzJ_Z5jCaim2Eomw'
        e = b'AQAB'
        jwks = {'keys': [
            {'alg': "RS256", 'kty': "RSA", 'kid': "test_key", 'e': e, 'n': n}
        ]}
        print("{}".format(jwks))

        expected_pubkey: RSAPublicKey = load_pem_public_key(utils.read_pem_file("./keys/pubkey1.pem"),
                                                            default_backend())
        pubkey: RSAPublicKey = rsa_jwks_to_pubkey(jwks)
        self.assertEqual(expected_pubkey.public_numbers().e, pubkey.public_numbers().e)
        self.assertEqual(expected_pubkey.public_numbers().n, pubkey.public_numbers().n)

    def test_rsa256_jwks_to_pubkey_multiple_keys(self):
        n = b'oGV0P-rgmJd8qEu_0c1YYjNLt8RjBmGcy4X0RXK3lEfHjGWJggkaHFY_zP-m0uWijPl7ASq1gf7cL7w801pLXB_vUqxPyl7rP8ul_4j_ghWjGrl58yNyRBcIVh18HICCqAduvbasehRstSv0JSAP6VArEcpLGOnHI0IILclWjFQf35A4fbsVYbqs2ZUhP7C5Jq36SA5GRqq4QTKuG0YP4t1j9CEEIQUldwHcuoMzBH4GOP0eZd1EkhTw8uQvQeHtao-J0Mfh-ljFC2Rcvoysx6HwGVZIg2DlGiWttYCWzUvc5q2doFIJ640gO9KLFeOC5ebGTwnzJ_Z5jCaim2Eomw'
        e = b'AQAB'
        n1 = "yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ"
        jwks = {'keys': [{'alg': "RS256", 'kty': "RSA", 'kid': "another_key", 'e': e, 'n': n1},
                         {'alg': "RS256", 'kty': "RSA", 'kid': "test_key", 'e': e, 'n': n},
                         {'alg': "RS256", 'kty': "RSA", 'kid': "kez123", 'e': e, 'n': n1}
                         ]}
        expected_pubkey: RSAPublicKey = load_pem_public_key(utils.read_pem_file("./keys/pubkey1.pem"),
                                                            default_backend())
        pubkey: RSAPublicKey = rsa_jwks_to_pubkey(jwks, keyid='test_key')
        self.assertEqual(expected_pubkey.public_numbers().e, pubkey.public_numbers().e)
        self.assertEqual(expected_pubkey.public_numbers().n, pubkey.public_numbers().n)

    def test_rsa256_jwks_to_pubkey_multiple_keys_default(self):
        n = b'oGV0P-rgmJd8qEu_0c1YYjNLt8RjBmGcy4X0RXK3lEfHjGWJggkaHFY_zP-m0uWijPl7ASq1gf7cL7w801pLXB_vUqxPyl7rP8ul_4j_ghWjGrl58yNyRBcIVh18HICCqAduvbasehRstSv0JSAP6VArEcpLGOnHI0IILclWjFQf35A4fbsVYbqs2ZUhP7C5Jq36SA5GRqq4QTKuG0YP4t1j9CEEIQUldwHcuoMzBH4GOP0eZd1EkhTw8uQvQeHtao-J0Mfh-ljFC2Rcvoysx6HwGVZIg2DlGiWttYCWzUvc5q2doFIJ640gO9KLFeOC5ebGTwnzJ_Z5jCaim2Eomw'
        e = b'AQAB'
        n1 = "yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ"
        jwks = {'keys': [{'alg': "RS256", 'kty': "RSA", 'kid': "another_key", 'e': e, 'n': n},
                         {'alg': "RS256", 'kty': "RSA", 'kid': "test_key", 'e': e, 'n': n1},
                         {'alg': "RS256", 'kty': "RSA", 'kid': "kez123", 'e': e, 'n': n1}
                         ]}
        expected_pubkey: RSAPublicKey = load_pem_public_key(utils.read_pem_file("./keys/pubkey1.pem"),
                                                            default_backend())
        pubkey: RSAPublicKey = rsa_jwks_to_pubkey(jwks)
        self.assertEqual(expected_pubkey.public_numbers().e, pubkey.public_numbers().e)
        self.assertEqual(expected_pubkey.public_numbers().n, pubkey.public_numbers().n)

    def test_rsa256_jwks_to_pubkey_multiple_keys_duplicate(self):
        n = b'oGV0P-rgmJd8qEu_0c1YYjNLt8RjBmGcy4X0RXK3lEfHjGWJggkaHFY_zP-m0uWijPl7ASq1gf7cL7w801pLXB_vUqxPyl7rP8ul_4j_ghWjGrl58yNyRBcIVh18HICCqAduvbasehRstSv0JSAP6VArEcpLGOnHI0IILclWjFQf35A4fbsVYbqs2ZUhP7C5Jq36SA5GRqq4QTKuG0YP4t1j9CEEIQUldwHcuoMzBH4GOP0eZd1EkhTw8uQvQeHtao-J0Mfh-ljFC2Rcvoysx6HwGVZIg2DlGiWttYCWzUvc5q2doFIJ640gO9KLFeOC5ebGTwnzJ_Z5jCaim2Eomw'
        e = b'AQAB'
        n1 = "yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ"
        jwks = {'keys': [{'alg': "RS256", 'kty': "RSA", 'kid': "test_key", 'e': e, 'n': n1},
                         {'alg': "RS256", 'kty': "RSA", 'kid': "test_key", 'e': e, 'n': n},
                         {'alg': "RS256", 'kty': "RSA", 'kid': "kez123", 'e': e, 'n': n1}
                         ]}
        expected_pubkey: RSAPublicKey = load_pem_public_key(utils.read_pem_file("./keys/pubkey1.pem"),
                                                            default_backend())
        pubkey: RSAPublicKey = rsa_jwks_to_pubkey(jwks, 'test_key')
        self.assertEqual(expected_pubkey.public_numbers().e, pubkey.public_numbers().e)
        self.assertEqual(expected_pubkey.public_numbers().n, pubkey.public_numbers().n)

    def test_rsa256_jwk_to_pubkey(self):
        n = b'oGV0P-rgmJd8qEu_0c1YYjNLt8RjBmGcy4X0RXK3lEfHjGWJggkaHFY_zP-m0uWijPl7ASq1gf7cL7w801pLXB_vUqxPyl7rP8ul_4j_ghWjGrl58yNyRBcIVh18HICCqAduvbasehRstSv0JSAP6VArEcpLGOnHI0IILclWjFQf35A4fbsVYbqs2ZUhP7C5Jq36SA5GRqq4QTKuG0YP4t1j9CEEIQUldwHcuoMzBH4GOP0eZd1EkhTw8uQvQeHtao-J0Mfh-ljFC2Rcvoysx6HwGVZIg2DlGiWttYCWzUvc5q2doFIJ640gO9KLFeOC5ebGTwnzJ_Z5jCaim2Eomw'
        e = b'AQAB'
        jwk = {'alg': "RS256", 'kty': "RSA", 'kid': "test_key", 'e': e, 'n': n}
        expected_pubkey: RSAPublicKey = load_pem_public_key(utils.read_pem_file("./keys/pubkey1.pem"),
                                                            default_backend())


if __name__ == '__main__':
    unittest.main()