Files
wehub-resource-sync 60e0ffc959
Upgrade checks / Notify on failure (push) Has been cancelled
Upgrade checks / Close issue on success (push) Has been cancelled
Schema Crash Test / Real-world schema crash test (232K schemas) (push) Has been cancelled
Run static analysis / static_analysis (push) Has been cancelled
Tests / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Tests / Tests with lowest-direct dependencies (push) Has been cancelled
Tests / MCP conformance tests (push) Has been cancelled
Tests / Integration tests (push) Has been cancelled
Tests / Package install smoke (push) Has been cancelled
Upgrade checks / Static analysis (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Upgrade checks / Integration tests (push) Has been cancelled
Update MCPServerConfig Schema / update-config-schema (push) Has been cancelled
Update SDK Documentation / update-sdk-docs (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:39:59 +08:00

689 lines
23 KiB
Python

import time
from collections.abc import AsyncGenerator
from typing import Any
from unittest.mock import patch
import pytest
from joserfc import jwk as jose_jwk
from joserfc import jwt
from joserfc.jws import JWSRegistry
from joserfc.registry import HeaderParameter
from pytest_httpx import HTTPXMock
from fastmcp import FastMCP
from fastmcp.server.auth.providers.jwt import JWKData, JWKSData, JWTVerifier, RSAKeyPair
from fastmcp.utilities.tests import run_server_async
# Standard public IP used for DNS mocking in tests
TEST_PUBLIC_IP = "93.184.216.34"
class SymmetricKeyHelper:
"""Helper class for generating symmetric key JWT tokens for testing."""
def __init__(self, secret: str):
"""Initialize with a secret key."""
self.secret = secret
def create_token(
self,
subject: str = "fastmcp-user",
issuer: str = "https://fastmcp.example.com",
audience: str | list[str] | None = None,
scopes: list[str] | None = None,
expires_in_seconds: int = 3600,
additional_claims: dict[str, Any] | None = None,
algorithm: str = "HS256",
) -> str:
"""
Generate a test JWT token using symmetric key for testing purposes.
Args:
subject: Subject claim (usually user ID)
issuer: Issuer claim
audience: Audience claim - can be a string or list of strings (optional)
scopes: List of scopes to include
expires_in_seconds: Token expiration time in seconds
additional_claims: Any additional claims to include
algorithm: JWT signing algorithm (HS256, HS384, or HS512)
"""
# Create header
header = {"alg": algorithm}
# Create payload
payload: dict[str, str | int | list[str]] = {
"sub": subject,
"iss": issuer,
"iat": int(time.time()),
"exp": int(time.time()) + expires_in_seconds,
}
if audience:
payload["aud"] = audience
if scopes:
payload["scope"] = " ".join(scopes)
if additional_claims:
payload.update(additional_claims)
# Create JWT
signing_key = jose_jwk.import_key(self.secret, "oct")
token = jwt.encode(header, payload, signing_key, algorithms=[algorithm])
return token
@pytest.fixture(scope="module")
def rsa_key_pair() -> RSAKeyPair:
return RSAKeyPair.generate()
@pytest.fixture(scope="module")
def symmetric_key_helper() -> SymmetricKeyHelper:
"""Generate a symmetric key helper for testing."""
return SymmetricKeyHelper("test-secret-key-for-hmac-signing")
@pytest.fixture(scope="module")
def bearer_token(rsa_key_pair: RSAKeyPair) -> str:
return rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
@pytest.fixture
def bearer_provider(rsa_key_pair: RSAKeyPair) -> JWTVerifier:
return JWTVerifier(
public_key=rsa_key_pair.public_key,
issuer="https://test.example.com",
audience="https://api.example.com",
)
@pytest.fixture
def symmetric_provider(symmetric_key_helper: SymmetricKeyHelper) -> JWTVerifier:
"""Create JWTVerifier configured for symmetric key verification."""
return JWTVerifier(
public_key=symmetric_key_helper.secret,
issuer="https://test.example.com",
audience="https://api.example.com",
algorithm="HS256",
)
def create_mcp_server(
public_key: str,
auth_kwargs: dict[str, Any] | None = None,
) -> FastMCP:
mcp = FastMCP(
auth=JWTVerifier(
public_key=public_key,
**auth_kwargs or {},
)
)
@mcp.tool
def add(a: int, b: int) -> int:
return a + b
return mcp
@pytest.fixture
async def mcp_server_url(rsa_key_pair: RSAKeyPair) -> AsyncGenerator[str, None]:
server = create_mcp_server(
public_key=rsa_key_pair.public_key,
auth_kwargs=dict(
issuer="https://test.example.com",
audience="https://api.example.com",
),
)
async with run_server_async(server, transport="http") as url:
yield url
class TestRSAKeyPair:
def test_generate_key_pair(self):
"""Test RSA key pair generation."""
key_pair = RSAKeyPair.generate()
assert key_pair.private_key is not None
assert key_pair.public_key is not None
# Check that keys are in PEM format
private_pem = key_pair.private_key.get_secret_value()
public_pem = key_pair.public_key
assert "-----BEGIN PRIVATE KEY-----" in private_pem
assert "-----END PRIVATE KEY-----" in private_pem
assert "-----BEGIN PUBLIC KEY-----" in public_pem
assert "-----END PUBLIC KEY-----" in public_pem
def test_create_basic_token(self, rsa_key_pair: RSAKeyPair):
"""Test basic token creation."""
token = rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
)
assert isinstance(token, str)
assert len(token.split(".")) == 3 # JWT has 3 parts
def test_create_token_with_scopes(self, rsa_key_pair: RSAKeyPair):
"""Test token creation with scopes."""
token = rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
scopes=["read", "write"],
)
assert isinstance(token, str)
# We'll validate the scopes in the BearerToken tests
class TestJWTVerifierHeaders:
async def test_non_critical_private_header_is_allowed(
self, rsa_key_pair: RSAKeyPair
):
signing_key = jose_jwk.import_key(
rsa_key_pair.private_key.get_secret_value(),
"RSA",
)
token = jwt.encode(
{
"alg": "RS256",
"cat": "cl_example",
},
{
"sub": "test-user",
"iss": "https://test.example.com",
"exp": int(time.time()) + 3600,
},
signing_key,
algorithms=["RS256"],
registry=JWSRegistry(strict_check_header=False),
)
verifier = JWTVerifier(
public_key=rsa_key_pair.public_key,
issuer="https://test.example.com",
)
access_token = await verifier.verify_token(token)
assert access_token is not None
assert access_token.client_id == "test-user"
async def test_critical_private_header_is_rejected(self, rsa_key_pair: RSAKeyPair):
signing_key = jose_jwk.import_key(
rsa_key_pair.private_key.get_secret_value(),
"RSA",
)
token = jwt.encode(
{
"alg": "RS256",
"crit": ["cat"],
"cat": "cl_example",
},
{
"sub": "test-user",
"iss": "https://test.example.com",
"exp": int(time.time()) + 3600,
},
signing_key,
algorithms=["RS256"],
registry=JWSRegistry(
header_registry={
"cat": HeaderParameter("Custom private header", "str")
},
strict_check_header=False,
),
)
verifier = JWTVerifier(
public_key=rsa_key_pair.public_key,
issuer="https://test.example.com",
)
access_token = await verifier.verify_token(token)
assert access_token is None
class TestSymmetricKeyJWT:
"""Tests for JWT verification using symmetric keys (HMAC algorithms)."""
def test_initialization_with_symmetric_key(
self, symmetric_key_helper: SymmetricKeyHelper
):
"""Test JWTVerifier initialization with symmetric key."""
provider = JWTVerifier(
public_key=symmetric_key_helper.secret,
issuer="https://test.example.com",
algorithm="HS256",
)
assert provider.issuer == "https://test.example.com"
assert provider.public_key == symmetric_key_helper.secret
assert provider.algorithm == "HS256"
assert provider.jwks_uri is None
def test_initialization_rejects_hs_algorithm_with_jwks_uri(self):
"""Test that HMAC algorithms cannot be used with JWKS URI."""
with pytest.raises(ValueError, match="cannot be used with jwks_uri"):
JWTVerifier(
jwks_uri="https://test.example.com/.well-known/jwks.json",
issuer="https://test.example.com",
algorithm="HS256",
)
def test_initialization_with_different_symmetric_algorithms(
self, symmetric_key_helper: SymmetricKeyHelper
):
"""Test JWTVerifier initialization with different HMAC algorithms."""
algorithms = ["HS256", "HS384", "HS512"]
for algorithm in algorithms:
provider = JWTVerifier(
public_key=symmetric_key_helper.secret,
issuer="https://test.example.com",
algorithm=algorithm,
)
assert provider.algorithm == algorithm
def test_symmetric_algorithm_rejects_jwks_uri(self):
"""HS* algorithms must not be configured with JWKS/public key endpoints."""
with pytest.raises(ValueError, match="cannot be used with jwks_uri"):
JWTVerifier(
jwks_uri="https://test.example.com/.well-known/jwks.json",
issuer="https://test.example.com",
algorithm="HS256",
)
def test_symmetric_algorithm_rejects_pem_public_key(self, rsa_key_pair: RSAKeyPair):
"""HS* algorithms must use a shared secret, not PEM public key material."""
with pytest.raises(ValueError, match="require a shared secret"):
JWTVerifier(
public_key=rsa_key_pair.public_key,
issuer="https://test.example.com",
algorithm="HS256",
)
def test_symmetric_algorithm_accepts_bytes_secret(self):
"""HS* algorithms accept bytes secrets without TypeError."""
verifier = JWTVerifier(
public_key=b"secret",
algorithm="HS256",
)
assert verifier.algorithm == "HS256"
async def test_valid_symmetric_token_validation(
self, symmetric_key_helper: SymmetricKeyHelper, symmetric_provider: JWTVerifier
):
"""Test validation of a valid token signed with symmetric key."""
token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
scopes=["read", "write"],
algorithm="HS256",
)
access_token = await symmetric_provider.load_access_token(token)
assert access_token is not None
assert access_token.client_id == "test-user"
assert "read" in access_token.scopes
assert "write" in access_token.scopes
assert access_token.expires_at is not None
async def test_symmetric_token_with_different_algorithms(
self, symmetric_key_helper: SymmetricKeyHelper
):
"""Test that different HMAC algorithms work correctly."""
algorithms = ["HS256", "HS384", "HS512"]
for algorithm in algorithms:
provider = JWTVerifier(
public_key=symmetric_key_helper.secret,
issuer="https://test.example.com",
algorithm=algorithm,
)
token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
algorithm=algorithm,
)
access_token = await provider.load_access_token(token)
assert access_token is not None
assert access_token.client_id == "test-user"
async def test_symmetric_token_issuer_validation(
self, symmetric_key_helper: SymmetricKeyHelper, symmetric_provider: JWTVerifier
):
"""Test issuer validation with symmetric key tokens."""
# Valid issuer
valid_token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
access_token = await symmetric_provider.load_access_token(valid_token)
assert access_token is not None
# Invalid issuer
invalid_token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://evil.example.com",
audience="https://api.example.com",
)
access_token = await symmetric_provider.load_access_token(invalid_token)
assert access_token is None
async def test_symmetric_token_audience_validation(
self, symmetric_key_helper: SymmetricKeyHelper, symmetric_provider: JWTVerifier
):
"""Test audience validation with symmetric key tokens."""
# Valid audience
valid_token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
access_token = await symmetric_provider.load_access_token(valid_token)
assert access_token is not None
# Invalid audience
invalid_token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://wrong-api.example.com",
)
access_token = await symmetric_provider.load_access_token(invalid_token)
assert access_token is None
async def test_symmetric_token_scope_extraction(
self, symmetric_key_helper: SymmetricKeyHelper, symmetric_provider: JWTVerifier
):
"""Test scope extraction from symmetric key tokens."""
token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
scopes=["read", "write", "admin"],
)
access_token = await symmetric_provider.load_access_token(token)
assert access_token is not None
assert set(access_token.scopes) == {"read", "write", "admin"}
async def test_symmetric_token_expiration(
self, symmetric_key_helper: SymmetricKeyHelper, symmetric_provider: JWTVerifier
):
"""Test expiration validation with symmetric key tokens."""
# Valid token
valid_token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
expires_in_seconds=3600, # 1 hour from now
)
access_token = await symmetric_provider.load_access_token(valid_token)
assert access_token is not None
# Expired token
expired_token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
expires_in_seconds=-3600, # 1 hour ago
)
access_token = await symmetric_provider.load_access_token(expired_token)
assert access_token is None
async def test_symmetric_token_invalid_signature(
self, symmetric_key_helper: SymmetricKeyHelper, symmetric_provider: JWTVerifier
):
"""Test rejection of tokens with invalid signatures."""
# Create a token with a different secret
other_helper = SymmetricKeyHelper("different-secret-key")
token = other_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
access_token = await symmetric_provider.load_access_token(token)
assert access_token is None
async def test_symmetric_token_algorithm_mismatch(
self, symmetric_key_helper: SymmetricKeyHelper
):
"""Test that tokens with mismatched algorithms are rejected."""
# Create provider expecting HS256
provider = JWTVerifier(
public_key=symmetric_key_helper.secret,
issuer="https://test.example.com",
algorithm="HS256",
)
# Create token with HS512
token = symmetric_key_helper.create_token(
subject="test-user",
issuer="https://test.example.com",
algorithm="HS512",
)
# Should fail because provider expects HS256
access_token = await provider.load_access_token(token)
assert access_token is None
class TestBearerTokenJWKS:
"""Tests for JWKS URI functionality.
Note: With SSRF protection, JWKS fetches validate DNS and connect to the
resolved IP. Tests mock DNS resolution to return a public IP.
"""
@pytest.fixture
def jwks_provider(self, rsa_key_pair: RSAKeyPair) -> JWTVerifier:
"""Provider configured with JWKS URI."""
return JWTVerifier(
jwks_uri="https://test.example.com/.well-known/jwks.json",
issuer="https://test.example.com",
audience="https://api.example.com",
)
@pytest.fixture
def mock_jwks_data(self, rsa_key_pair: RSAKeyPair) -> JWKSData:
"""Create mock JWKS data from RSA key pair."""
# Create JWK from the RSA public key
public_key = jose_jwk.import_key(rsa_key_pair.public_key, "RSA")
public_key_data = public_key.as_dict()
kty = public_key_data["kty"]
n = public_key_data["n"]
e = public_key_data["e"]
assert isinstance(kty, str)
assert isinstance(n, str)
assert isinstance(e, str)
jwk_data = JWKData(
kty=kty,
n=n,
e=e,
kid="test-key-1",
alg="RS256",
)
return {"keys": [jwk_data]}
@pytest.fixture
def mock_dns(self):
"""Mock DNS resolution to return test public IP."""
with patch(
"fastmcp.server.auth.ssrf.resolve_hostname",
return_value=[TEST_PUBLIC_IP],
):
yield
async def test_jwks_token_validation(
self,
rsa_key_pair: RSAKeyPair,
jwks_provider: JWTVerifier,
mock_jwks_data: JWKSData,
httpx_mock: HTTPXMock,
mock_dns,
):
"""Test token validation using JWKS URI."""
httpx_mock.add_response(json=mock_jwks_data)
username = "test-user"
issuer = "https://test.example.com"
audience = "https://api.example.com"
token = rsa_key_pair.create_token(
subject=username,
issuer=issuer,
audience=audience,
)
access_token = await jwks_provider.load_access_token(token)
assert access_token is not None
assert access_token.client_id == username
# ensure the raw claims are present - #1398
assert access_token.claims.get("sub") == username
assert access_token.claims.get("iss") == issuer
assert access_token.claims.get("aud") == audience
async def test_jwks_token_validation_with_invalid_key(
self,
rsa_key_pair: RSAKeyPair,
jwks_provider: JWTVerifier,
mock_jwks_data: JWKSData,
httpx_mock: HTTPXMock,
mock_dns,
):
httpx_mock.add_response(json=mock_jwks_data)
token = RSAKeyPair.generate().create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
access_token = await jwks_provider.load_access_token(token)
assert access_token is None
async def test_jwks_token_validation_with_kid(
self,
rsa_key_pair: RSAKeyPair,
jwks_provider: JWTVerifier,
mock_jwks_data: JWKSData,
httpx_mock: HTTPXMock,
mock_dns,
):
mock_jwks_data["keys"][0]["kid"] = "test-key-1"
httpx_mock.add_response(json=mock_jwks_data)
token = rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
kid="test-key-1",
)
access_token = await jwks_provider.load_access_token(token)
assert access_token is not None
assert access_token.client_id == "test-user"
async def test_jwks_token_validation_with_kid_and_no_kid_in_token(
self,
rsa_key_pair: RSAKeyPair,
jwks_provider: JWTVerifier,
mock_jwks_data: JWKSData,
httpx_mock: HTTPXMock,
mock_dns,
):
mock_jwks_data["keys"][0]["kid"] = "test-key-1"
httpx_mock.add_response(json=mock_jwks_data)
token = rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
access_token = await jwks_provider.load_access_token(token)
assert access_token is not None
assert access_token.client_id == "test-user"
async def test_jwks_token_validation_with_no_kid_and_kid_in_jwks(
self,
rsa_key_pair: RSAKeyPair,
jwks_provider: JWTVerifier,
mock_jwks_data: JWKSData,
httpx_mock: HTTPXMock,
mock_dns,
):
mock_jwks_data["keys"][0]["kid"] = "test-key-1"
httpx_mock.add_response(json=mock_jwks_data)
token = rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
access_token = await jwks_provider.load_access_token(token)
assert access_token is not None
assert access_token.client_id == "test-user"
async def test_jwks_token_validation_with_kid_mismatch(
self,
rsa_key_pair: RSAKeyPair,
jwks_provider: JWTVerifier,
mock_jwks_data: JWKSData,
httpx_mock: HTTPXMock,
mock_dns,
):
mock_jwks_data["keys"][0]["kid"] = "test-key-1"
httpx_mock.add_response(json=mock_jwks_data)
token = rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
kid="test-key-2",
)
access_token = await jwks_provider.load_access_token(token)
assert access_token is None
async def test_jwks_token_validation_with_multiple_keys_and_no_kid_in_token(
self,
rsa_key_pair: RSAKeyPair,
jwks_provider: JWTVerifier,
mock_jwks_data: JWKSData,
httpx_mock: HTTPXMock,
mock_dns,
):
mock_jwks_data["keys"] = [
{
"kid": "test-key-1",
"alg": "RS256",
},
{
"kid": "test-key-2",
"alg": "RS256",
},
]
httpx_mock.add_response(json=mock_jwks_data)
token = rsa_key_pair.create_token(
subject="test-user",
issuer="https://test.example.com",
audience="https://api.example.com",
)
access_token = await jwks_provider.load_access_token(token)
assert access_token is None