Merge pull request #16 from SAP/xsa
XSA-related change
strehle authored Jun 6, 2019
2 parents e12aac0 + a7fb6ac commit daa7281
Showing 8 changed files with 73 additions and 3 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,16 @@ This project adheres to [Semantic Versioning](http://semver.org/).

The format is based on [Keep a Changelog](http://keepachangelog.com/).

## 2.0.6

### Fixed
- Added cryptography as dependency for pyjwt

## 2.0.5

### Fixed
- XSA fix: Do not require uaadomain in VCAP_SERVICES but use local verificationkey

## 2.0.4

### Fixed
2 changes: 2 additions & 0 deletions sap/xssec/jwt_validation_facade.py
Expand Up @@ -47,6 +47,8 @@ def checkToken(self, token):
self._validator.checkToken(token)
else:
try:
if "-----BEGIN PUBLIC KEY-----" in self._pem and '\n' not in self._pem:
self._pem = self._pem.replace('-----BEGIN PUBLIC KEY-----', '-----BEGIN PUBLIC KEY-----\n').replace('-----END PUBLIC KEY-----','\n-----END PUBLIC KEY-----')
self._payload = jwt.decode(token, self._pem, algorithms=ALGORITHMS, options=OPTIONS)
self._error_desc = ''
self._error_code = 0
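Review bot: The two added lines normalize `self._pem` inside the `try` of `checkToken`, so the first token check mutates the configured key as a side effect of validation; normalizing once where the facade receives the key (its constructor is outside this hunk) would keep `checkToken` read-only on `self._pem`. The condition also recognizes only the `-----BEGIN PUBLIC KEY-----` label, so a single-line key carrying another PEM label, if one can occur in this environment, would still reach `jwt.decode` un-normalized and surface as a verification failure rather than a configuration error; if only SubjectPublicKeyInfo keys are expected, a comment should say so. A why-comment would help the next reader, e.g. `# XSA may deliver the verification key on a single line; PEM needs the header and footer on lines of their own`. The `except` paired with this `try` lies outside the hunk.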
4 changes: 2 additions & 2 deletions sap/xssec/security_context.py
Expand Up @@ -25,7 +25,7 @@ def _check_if_valid(item, name):

def _check_config(config):
_check_if_valid(config, 'config')
for prop in ['clientid', 'clientsecret', 'url', 'uaadomain']:
for prop in ['clientid', 'clientsecret', 'url']:
item = None
if prop in config:
item = config[prop]
Expand Down Expand Up @@ -287,7 +287,7 @@ def _set_scopes(self, jwt_payload):
def _validate_token(self):
""" Try to retrieve the key from the uaa if jku and kid is set. Otherwise use configured one."""

if self._properties['jku'] and self._properties['kid']:
if "uaadomain" in self._config and self._properties['jku'] and self._properties['kid']:
self._validate_jku()
try:
verification_key = SecurityContext.verificationKeyCache.load_key(self._properties['jku'],
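Review bot: With `uaadomain` dropped from the required properties in `_check_config` (first hunk), nothing visible requires `verificationkey` either, so a binding that carries neither passes `_check_config` and only fails later, in the `else` path of `_validate_token` that lies outside the second hunk, once a token is checked; requiring one of the two up front gives a clear error at context creation, e.g. `if 'uaadomain' not in config and 'verificationkey' not in config:` followed by whatever `_check_if_valid` raises for a missing property (its body is outside the hunk). The new `"uaadomain" in self._config` guard is the right direction, since a token-supplied `jku` is only consulted when a trusted domain is configured, but `in` also lets an empty or `None` value through to `_validate_jku` (outside the hunk); if `self._config` is a plain dict, `self._config.get('uaadomain')` is the tighter test. The docstring on the line above the changed condition no longer matches it; suggest `""" Fetch the key from the uaa only when a trusted uaadomain is configured and jku/kid are set; otherwise use the configured verification key. """`.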
2 changes: 2 additions & 0 deletions setup.py
Expand Up @@ -17,6 +17,8 @@
sap_py_jwt_dep = ''
if USE_SAP_PY_JWT:
sap_py_jwt_dep = 'sap_py_jwt>=1.1.1'
else:
sap_py_jwt_dep = 'cryptography'

setup(
name='sap_xssec',
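Review bot: The new `else` branch declares `cryptography` with no version bound, so any release the index serves satisfies it; pinning the lower bound the code was tested against, e.g. `sap_py_jwt_dep = 'cryptography>=<tested-min-version>'`, keeps installs reproducible and avoids silently picking up an API break. The variable is still named `sap_py_jwt_dep` although it now holds whichever JWT backend dependency is selected; a name such as `jwt_backend_dep` would read truthfully at the `setup(...)` call further down, which is outside the hunk. The changelog on this page says cryptography is needed by pyjwt, yet the pyjwt requirement itself is not in the hunk, so whether the two are kept in step cannot be checked from here.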
11 changes: 11 additions & 0 deletions tests/jwt_tokens.py
Expand Up @@ -426,3 +426,14 @@
'GVzdFVzZXIiLCJvcmlnaW4iOiJ1c2VyaWRwIiwidXNlcl9pZCI6ImI1NjA3YzFlLTU0OTQtNGJm' \
'My04MzA1LWRlMzUzNTdlMDAyMSIsInJldl9zaWciOiJmMmI4YWRlOCIsImF1ZCI6W119.' \
'62ebaE4eJDTK4UYirluOXwj1mM_P9AP6hPcekSkPyTU'

TOKEN_XSA_FORMAT = \
'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJIREIwMCIsIm5hbWUiOiJTWVNURU' \
'0iLCJjaWQiOiJzYi14c3NlY3Rlc3QiLCJ6aWQiOiJ1YWEiLCJhZG1pbiI6dHJ1ZSwiYXV0aG9yaX' \
'RpZXMiOlsidWFhLnJlc291cmNlIl0sInNjb3BlIjpbInVhYS51c2VyIiwib3BlbmlkIiwidWFhLn' \
'Jlc291cmNlIl0sInVzZXJfbmFtZSI6IkFETUlOIn0.FuOJCAKe94bOI0r4YdNAAL89rexX6KwDKD' \
'qwfwklsB27-9iFVdilncsyc7au8Hwg_2KB5Bq9mijASHY5OVgu5bVWODa7l8EQIdETBRfREpWZMv' \
'4cX45X3D7ueGviCmrYScnuL3d6QXr1JZp-g1N8RCOKn1PkiP4Bk_WIsoVPM1wrPbZsHcm6FT1LOz' \
'O1JswQFtqV7r1oK5B8zLONgZ8cquubDaoK7OmSh2iKFxGrRJ7clMO5GtTe18L93KKNdp7FWU4yWR' \
'xvwXfxjtEvIOw4-Kom2KuUbl84rwLQieW_bNiwdlLPgUg4ohODT2mPK5mS6VDNYjGctIUkivThmk' \
'YoVQ'
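Review bot: `TOKEN_XSA_FORMAT` is added without a comment saying what it is; its header segment decodes to `alg: RS256`, and the payload appears to carry `cid`, `zid`, `scope` and `user_name` claims but no `exp`, so tests built on it never exercise expiry handling for the XSA path. A comment above the constant would make that explicit, e.g. `# RS256 token for the XSA tests (user_name ADMIN, scopes uaa.user/openid/uaa.resource); carries no exp claim`. The key that signed it is presumably the `verificationkey` in the new XSA test configs; stating that in the same comment, once confirmed, keeps the two fixtures from being changed independently.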
17 changes: 17 additions & 0 deletions tests/test_xssec.py
Expand Up @@ -415,3 +415,20 @@ def test_not_trusted_jku(self):
xssec.create_security_context(jwt_tokens.CORRECT_END_USER_TOKEN, uaa_configs.VALID['uaa_no_verification_key_other_domain'])

self.assertEqual("JKU of token is not trusted", str(e.exception),)

def test_valid_xsa_token_attributes(self):
''' valid client credentials token (with attributes) '''
sec_context = xssec.create_security_context(
jwt_tokens.TOKEN_XSA_FORMAT,
uaa_configs.VALID['uaa_xsa_environment'])
self.assertEqual(
sec_context.get_logon_name(), 'ADMIN')


def test_valid_xsa_token_with_newlines(self):
''' valid client credentials token (with attributes) '''
sec_context = xssec.create_security_context(
jwt_tokens.TOKEN_XSA_FORMAT,
uaa_configs.VALID['uaa_xsa_with_newlines'])
self.assertEqual(
sec_context.get_logon_name(), 'ADMIN')
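Review bot: Both new tests carry the docstring `''' valid client credentials token (with attributes) '''`, copied from an earlier test, which describes neither the XSA format nor what distinguishes the two cases; suggest `''' XSA token verified against a single-line verificationkey, no uaadomain configured '''` and `''' XSA token verified against a PEM-formatted (multi-line) verificationkey '''`. Both tests assert only `get_logon_name()`; a negative case with the same configs and a token that does not verify against the local key would show that the no-`uaadomain` path rejects bad signatures rather than merely decoding the claims. The double blank line between the two methods is a PEP 8 nit: one blank line between methods.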
28 changes: 28 additions & 0 deletions tests/uaa_configs.py
Expand Up @@ -184,5 +184,33 @@
'url': 'https://test.me/uaa',
'tags': ['xsuaa'],
'uaadomain': 'api.cf2.test.com'
},
'uaa_xsa_environment': {
'clientid': 'sb-xssectest',
'xsappname': 'uaa',
'identityzone': 'uaa',
'identityzoneid': 'uaa',
'clientsecret': 'z431EZmJWiuA/yINKXGewGR/wo99JKiVKAzG7yRyUHld'
'IFUBiZx5SOMxvS2nqwwDzK6sqX2Hx2i2\nadgJjtIqgA==',
'url': 'http://localhost:8080/uaa',
'verificationkey': '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQAB-----END PUBLIC KEY-----',
'tags': ['xsuaa']
},
'uaa_xsa_with_newlines': {
'clientid': 'sb-xssectest',
'xsappname': 'uaa',
'identityzone': 'uaa',
'identityzoneid': 'uaa',
'clientsecret': 'z431EZmJWiuA/yINKXGewGR/wo99JKiVKAzG7yRyUHld'
'IFUBiZx5SOMxvS2nqwwDzK6sqX2Hx2i2\nadgJjtIqgA==',
'url': 'http://localhost:8080/uaa',
'verificationkey': '-----BEGIN PUBLIC KEY-----\n'
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+k\n'
'zeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWga\n'
'OYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu\n'
'0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4\n'
'Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQAB\n'
'-----END PUBLIC KEY-----',
'tags': ['xsuaa']
}
}
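Review bot: The `clientsecret` in both new configs is built from two adjacent string literals with a `\n` embedded in the second (`'...Hx2i2\nadgJjtIqgA=='`), which looks like a line-wrap artifact from copying a binding rather than part of the secret; if these fixtures reach any code that places the secret in a request (outside this page), the newline travels with it. Either drop the `\n` or comment that it is intentional. Fixture credentials should also be unmistakably synthetic; a short comment on each entry such as `# synthetic XSA-style binding used by the TOKEN_XSA_FORMAT tests` would make that clear.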
2 changes: 1 addition & 1 deletion version.txt
@@ -1 +1 @@
2.0.4
2.0.6
