|
| 1 | +import unittest |
| 2 | +import time |
| 3 | + |
| 4 | +from cryptography.hazmat.backends import default_backend |
| 5 | +from cryptography.hazmat.primitives.asymmetric import rsa |
| 6 | +from cryptography.hazmat.primitives.serialization import ( |
| 7 | + Encoding, |
| 8 | + PublicFormat, |
| 9 | + PrivateFormat, |
| 10 | + NoEncryption |
| 11 | +) |
| 12 | + |
| 13 | +from twilio.http.validation_client import ValidationPayload |
| 14 | +from twilio.jwt import Jwt |
| 15 | +from twilio.jwt.validation import ClientValidationJwt |
| 16 | + |
| 17 | + |
| 18 | +class ClientValidationJwtTest(unittest.TestCase): |
| 19 | + def test_generate_payload_basic(self): |
| 20 | + vp = ValidationPayload( |
| 21 | + method='GET', |
| 22 | + path='https://api.twilio.com/', |
| 23 | + query_string='q1=v1', |
| 24 | + signed_headers=['headerb', 'headera'], |
| 25 | + all_headers={'head': 'toe', 'headera': 'vala', 'headerb': 'valb'}, |
| 26 | + body='me=letop&you=leworst' |
| 27 | + ) |
| 28 | + |
| 29 | + expected_payload = '\n'.join([ |
| 30 | + 'GET', |
| 31 | + 'https://api.twilio.com/', |
| 32 | + 'q1=v1', |
| 33 | + 'headera:vala', |
| 34 | + 'headerb:valb', |
| 35 | + '', |
| 36 | + 'headera;headerb', |
| 37 | + '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst')) |
| 38 | + ]) |
| 39 | + expected_payload = ClientValidationJwt._hash(expected_payload) |
| 40 | + |
| 41 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 42 | + |
| 43 | + actual_payload = jwt._generate_payload() |
| 44 | + self.assertEqual('headera;headerb', actual_payload['hrh']) |
| 45 | + self.assertEqual(expected_payload, actual_payload['rqh']) |
| 46 | + |
| 47 | + def test_generate_payload_complex(self): |
| 48 | + vp = ValidationPayload( |
| 49 | + method='GET', |
| 50 | + path='https://api.twilio.com/', |
| 51 | + query_string='q1=v1&q2=v2&a=b', |
| 52 | + signed_headers=['headerb', 'headera'], |
| 53 | + all_headers={'head': 'toe', 'Headerb': 'valb', 'yeezy': 'weezy'}, |
| 54 | + body='me=letop&you=leworst' |
| 55 | + ) |
| 56 | + |
| 57 | + expected_payload = '\n'.join([ |
| 58 | + 'GET', |
| 59 | + 'https://api.twilio.com/', |
| 60 | + 'a=b&q1=v1&q2=v2', |
| 61 | + 'headerb:valb', |
| 62 | + '', |
| 63 | + 'headera;headerb', |
| 64 | + '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst')) |
| 65 | + ]) |
| 66 | + expected_payload = ClientValidationJwt._hash(expected_payload) |
| 67 | + |
| 68 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 69 | + |
| 70 | + actual_payload = jwt._generate_payload() |
| 71 | + self.assertEqual('headera;headerb', actual_payload['hrh']) |
| 72 | + self.assertEqual(expected_payload, actual_payload['rqh']) |
| 73 | + |
| 74 | + def test_generate_payload_no_query_string(self): |
| 75 | + vp = ValidationPayload( |
| 76 | + method='GET', |
| 77 | + path='https://api.twilio.com/', |
| 78 | + query_string='', |
| 79 | + signed_headers=['headerb', 'headera'], |
| 80 | + all_headers={'head': 'toe', 'Headerb': 'valb', 'yeezy': 'weezy'}, |
| 81 | + body='me=letop&you=leworst' |
| 82 | + ) |
| 83 | + |
| 84 | + expected_payload = '\n'.join([ |
| 85 | + 'GET', |
| 86 | + 'https://api.twilio.com/', |
| 87 | + '', |
| 88 | + 'headerb:valb', |
| 89 | + '', |
| 90 | + 'headera;headerb', |
| 91 | + '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst')) |
| 92 | + ]) |
| 93 | + expected_payload = ClientValidationJwt._hash(expected_payload) |
| 94 | + |
| 95 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 96 | + |
| 97 | + actual_payload = jwt._generate_payload() |
| 98 | + self.assertEqual('headera;headerb', actual_payload['hrh']) |
| 99 | + self.assertEqual(expected_payload, actual_payload['rqh']) |
| 100 | + |
| 101 | + def test_generate_payload_no_req_body(self): |
| 102 | + vp = ValidationPayload( |
| 103 | + method='GET', |
| 104 | + path='https://api.twilio.com/', |
| 105 | + query_string='q1=v1', |
| 106 | + signed_headers=['headerb', 'headera'], |
| 107 | + all_headers={'head': 'toe', 'headera': 'vala', 'headerb': 'valb'}, |
| 108 | + body='' |
| 109 | + ) |
| 110 | + |
| 111 | + expected_payload = '\n'.join([ |
| 112 | + 'GET', |
| 113 | + 'https://api.twilio.com/', |
| 114 | + 'q1=v1', |
| 115 |
+ 'headera:vala', |
| 116 | + 'headerb:valb', |
| 117 | + '', |
| 118 | + 'headera;headerb', |
| 119 | + '' |
| 120 | + ]) |
| 121 | + expected_payload = ClientValidationJwt._hash(expected_payload) |
| 122 | + |
| 123 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 124 | + |
| 125 | + actual_payload = jwt._generate_payload() |
| 126 | + self.assertEqual('headera;headerb', actual_payload['hrh']) |
| 127 | + self.assertEqual(expected_payload, actual_payload['rqh']) |
| 128 | + |
| 129 | + def test_generate_payload_header_keys_lowercased(self): |
| 130 | + vp = ValidationPayload( |
| 131 | + method='GET', |
| 132 | + path='https://api.twilio.com/', |
| 133 | + query_string='q1=v1', |
| 134 | + signed_headers=['headerb', 'headera'], |
| 135 | + all_headers={'head': 'toe', 'Headera': 'vala', 'Headerb': 'valb'}, |
| 136 | + body='me=letop&you=leworst' |
| 137 | + ) |
| 138 | + |
| 139 | + expected_payload = '\n'.join([ |
| 140 | + 'GET', |
| 141 | + 'https://api.twilio.com/', |
| 142 | + 'q1=v1', |
| 143 | + 'headera:vala', |
| 144 | + 'headerb:valb', |
| 145 | + '', |
| 146 | + 'headera;headerb', |
| 147 | + '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst')) |
| 148 | + ]) |
| 149 | + expected_payload = ClientValidationJwt._hash(expected_payload) |
| 150 | + |
| 151 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 152 | + |
| 153 | + actual_payload = jwt._generate_payload() |
| 154 | + self.assertEqual('headera;headerb', actual_payload['hrh']) |
| 155 | + self.assertEqual(expected_payload, actual_payload['rqh']) |
| 156 | + |
| 157 | + def test_generate_payload_no_headers(self): |
| 158 | + vp = ValidationPayload( |
| 159 | + method='GET', |
| 160 | + path='https://api.twilio.com/', |
| 161 | + query_string='q1=v1', |
| 162 | + signed_headers=['headerb', 'headera'], |
| 163 | + all_headers={}, |
| 164 | + body='me=letop&you=leworst' |
| 165 | + ) |
| 166 | + |
| 167 | + expected_payload = '\n'.join([ |
| 168 | + 'GET', |
| 169 | + 'https://api.twilio.com/', |
| 170 | + 'q1=v1', |
| 171 | + '', |
| 172 | + 'headera;headerb', |
| 173 | + '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst')) |
| 174 | + ]) |
| 175 | + expected_payload = ClientValidationJwt._hash(expected_payload) |
| 176 | + |
| 177 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 178 | + |
| 179 | + actual_payload = jwt._generate_payload() |
| 180 | + self.assertEqual('headera;headerb', actual_payload['hrh']) |
| 181 | + self.assertEqual(expected_payload, actual_payload['rqh']) |
| 182 | + |
| 183 | + def test_generate_payload_schema_correct_1(self): |
| 184 | + """Test against a known good rqh payload hash""" |
| 185 | + vp = ValidationPayload( |
| 186 | + method='GET', |
| 187 | + path='/Messages', |
| 188 | + query_string='PageSize=5&Limit=10', |
| 189 | + signed_headers=['authorization', 'host'], |
| 190 | + all_headers={'authorization': 'foobar', 'host': 'api.twilio.com'}, |
| 191 | + body='foobar' |
| 192 | + ) |
| 193 | + |
| 194 | + expected_hash = '4dc9b67bed579647914587b0e22a1c65c1641d8674797cd82de65e766cce5f80' |
| 195 | + |
| 196 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 197 | + |
| 198 | + actual_payload = jwt._generate_payload() |
| 199 | + self.assertEqual('authorization;host', actual_payload['hrh']) |
| 200 | + self.assertEqual(expected_hash, actual_payload['rqh']) |
| 201 | + |
| 202 | + def test_generate_payload_schema_correct_2(self): |
| 203 | + """Test against a known good rqh payload hash""" |
| 204 | + vp = ValidationPayload( |
| 205 | + method='POST', |
| 206 | + path='/Messages', |
| 207 | + query_string='', |
| 208 | + signed_headers=['authorization', 'host'], |
| 209 | + all_headers={'authorization': 'foobar', 'host': 'api.twilio.com'}, |
| 210 | + body='testbody' |
| 211 | + ) |
| 212 | + |
| 213 | + expected_hash = 'bd792c967c20d546c738b94068f5f72758a10d26c12979677501e1eefe58c65a' |
| 214 | + |
| 215 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 216 | + |
| 217 | + actual_payload = jwt._generate_payload() |
| 218 | + self.assertEqual('authorization;host', actual_payload['hrh']) |
| 219 | + self.assertEqual(expected_hash, actual_payload['rqh']) |
| 220 | + |
| 221 | + def test_jwt_payload(self): |
| 222 | + vp = ValidationPayload( |
| 223 | + method='GET', |
| 224 | + path='/Messages', |
| 225 | + query_string='PageSize=5&Limit=10', |
| 226 | + signed_headers=['authorization', 'host'], |
| 227 | + all_headers={'authorization': 'foobar', 'host': 'api.twilio.com'}, |
| 228 | + body='foobar' |
| 229 | + ) |
| 230 | + expected_hash = '4dc9b67bed579647914587b0e22a1c65c1641d8674797cd82de65e766cce5f80' |
| 231 | + |
| 232 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp) |
| 233 | + |
| 234 | + self.assertDictContainsSubset({ |
| 235 | + 'hrh': 'authorization;host', |
| 236 | + 'rqh': expected_hash, |
| 237 | + 'iss': 'SK123', |
| 238 | + 'sub': 'AC123', |
| 239 | + }, jwt.payload) |
| 240 | + self.assertGreaterEqual(jwt.payload['exp'], time.time(), 'JWT exp is before now') |
| 241 | + self.assertLessEqual(jwt.payload['exp'], time.time() + 301, 'JWT exp is after now + 5mins') |
| 242 | + self.assertDictEqual({ |
| 243 | + 'alg': 'RS256', |
| 244 | + 'typ': 'JWT', |
| 245 | + 'cty': 'twilio-pkrv;v=1', |
| 246 | + 'kid': 'CR123' |
| 247 | + }, jwt.headers) |
| 248 | + |
| 249 | + def test_jwt_signing(self): |
| 250 | + vp = ValidationPayload( |
| 251 | + method='GET', |
| 252 | + path='/Messages', |
| 253 | + query_string='PageSize=5&Limit=10', |
| 254 | + signed_headers=['authorization', 'host'], |
| 255 | + all_headers={'authorization': 'foobar', 'host': 'api.twilio.com'}, |
| 256 | + body='foobar' |
| 257 | + ) |
| 258 | + expected_hash = '4dc9b67bed579647914587b0e22a1c65c1641d8674797cd82de65e766cce5f80' |
| 259 | + |
| 260 | + private_key = rsa.generate_private_key( |
| 261 | + public_exponent=65537, |
| 262 | + key_size=2048, |
| 263 | + backend=default_backend() |
| 264 | + ) |
| 265 | + public_key = private_key.public_key().public_bytes(Encoding.PEM, PublicFormat.PKCS1) |
| 266 | + private_key = private_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()) |
| 267 | + |
| 268 | + jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', private_key, vp) |
| 269 | + decoded = Jwt.from_jwt(jwt.to_jwt(), public_key) |
| 270 | + |
| 271 | + self.assertDictContainsSubset({ |
| 272 | + 'hrh': 'authorization;host', |
| 273 | + 'rqh': expected_hash, |
| 274 | + 'iss': 'SK123', |
| 275 | + 'sub': 'AC123', |
| 276 | + }, decoded.payload) |
| 277 | + self.assertGreaterEqual(decoded.payload['exp'], time.time(), 'JWT exp is before now') |
| 278 | + self.assertLessEqual(decoded.payload['exp'], time.time() + 501, 'JWT exp is after now + 5m') |
| 279 | + self.assertDictEqual({ |
| 280 | + 'alg': 'RS256', |
| 281 | + 'typ': 'JWT', |
| 282 | + 'cty': 'twilio-pkrv;v=1', |
| 283 | + 'kid': 'CR123' |
| 284 | + }, decoded.headers) |
| 285 | + |
| 286 | + |
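Review bot: The expiry upper bound in test_jwt_signing (file line 278) accepts `exp` up to `time.time() + 501` while its failure message says "5m", which disagrees with the `+ 301` window test_jwt_payload pins on file line 241; as written the signing test would not notice a token issued with an ~8-minute lifetime. Changing it to `self.assertLessEqual(decoded.payload['exp'], time.time() + 301, 'JWT exp is after now + 5mins')` keeps both tests asserting the same validity window. `assertDictContainsSubset` (file lines 234 and 271) has been deprecated since Python 3.2 and is removed in 3.12, so comparing each expected key with `assertEqual` would be more durable. test_generate_payload_no_headers also pins that `hrh` still reads `headera;headerb` when `all_headers` is empty, i.e. the claim lists the headers that were requested rather than those actually folded into the hash; a one-line docstring such as `"""hrh names every requested signed header, even ones absent from the request."""` would stop a later maintainer from treating that as a bug.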