Files
wehub-resource-sync bcbd1bdb22
Integ / changes (push) Has been skipped
Pre-commit / pre-commit (push) Failing after 1s
CLI exit codes / changes (push) Has been skipped
Test (Install) / changes (push) Has been skipped
Test (Python) / changes (push) Has been skipped
Test (TypeScript) / changes (push) Has been skipped
CLI exit codes / cli-gate (push) Has been cancelled
Test (Install) / test-install-gate (push) Has been cancelled
Integ / integ-gate (push) Has been cancelled
Test (Python) / test-python-gate (push) Has been cancelled
Test (TypeScript) / test-typescript-gate (push) Has been cancelled
Test (Install) / python-minimal (3.12) (push) Has been cancelled
Test (Install) / python-minimal (3.11) (push) Has been cancelled
Test (Install) / python-extra (agno, mirage.agents.agno) (push) Has been cancelled
Test (Install) / python-extra (chroma, mirage.resource.chroma) (push) Has been cancelled
Test (Install) / python-extra (pdf, mirage.core.filetype.pdf) (push) Has been cancelled
Integ / integ (push) Has been cancelled
Integ / integ-database (push) Has been cancelled
Integ / integ-database-ts (push) Has been cancelled
Integ / integ-data (push) Has been cancelled
Integ / integ-ssh (push) Has been cancelled
Integ / integ-ssh-ts (push) Has been cancelled
Test (Python) / audit (push) Has been cancelled
Test (TypeScript) / test (push) Has been cancelled
Test (TypeScript) / python-fs-shim (push) Has been cancelled
CLI exit codes / Python CLI (push) Has been cancelled
CLI exit codes / TypeScript CLI (push) Has been cancelled
CLI exit codes / Cross-language snapshot interop (push) Has been cancelled
Test (Python) / test (push) Has been cancelled
Test (Python) / import-isolation (deepagents, openai, mirage.agents.openai_agents) (push) Has been cancelled
Test (Python) / import-isolation (deepagents, pydantic-ai, mirage.agents.pydantic_ai) (push) Has been cancelled
Integ / integ-ts (push) Has been cancelled
Integ / integ-fuse (push) Has been cancelled
Test (Install) / python-extra (databricks, mirage.resource.databricks_volume) (push) Has been cancelled
Test (Install) / python-extra (deepagents, mirage.agents.langchain) (push) Has been cancelled
Test (Install) / python-extra (email, mirage.resource.email) (push) Has been cancelled
Test (Install) / python-extra (fuse, mirage.fuse.mount) (push) Has been cancelled
Test (Install) / python-extra (hdf5, mirage.core.filetype.hdf5) (push) Has been cancelled
Test (Install) / python-extra (hf, mirage.resource.hf_buckets) (push) Has been cancelled
Test (Install) / python-extra (lancedb, mirage.resource.lancedb) (push) Has been cancelled
Test (Install) / python-extra (langfuse, mirage.resource.langfuse) (push) Has been cancelled
Test (Install) / python-extra (mongodb, mirage.resource.mongodb) (push) Has been cancelled
Test (Install) / python-extra (nextcloud, mirage.resource.nextcloud) (push) Has been cancelled
Test (Install) / python-extra (openai, mirage.agents.openai_agents) (push) Has been cancelled
Test (Install) / python-extra (openhands, mirage.agents.openhands, 3.12) (push) Has been cancelled
Test (Install) / python-extra (parquet, mirage.core.filetype.parquet) (push) Has been cancelled
Test (Install) / python-extra (postgres, mirage.resource.postgres) (push) Has been cancelled
Test (Install) / python-extra (pydantic-ai, mirage.agents.pydantic_ai) (push) Has been cancelled
Test (Install) / python-extra (qdrant, mirage.resource.qdrant) (push) Has been cancelled
Test (Install) / python-extra (redis, mirage.resource.redis) (push) Has been cancelled
Test (Install) / python-extra (s3, mirage.resource.s3) (push) Has been cancelled
Test (Install) / python-extra (ssh, mirage.resource.ssh) (push) Has been cancelled
Test (Install) / ts-minimal (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:30:44 +08:00

203 lines
6.3 KiB
Python

# ========= Copyright 2026 @ Strukto.AI All Rights Reserved. =========
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ========= Copyright 2026 @ Strukto.AI All Rights Reserved. =========
import time
from dataclasses import dataclass
import jwt as pyjwt
import pytest
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from mirage.server.auth.config import JWTConfig
from mirage.server.auth.jwt import JWTVerificationError, verify_jwt
@dataclass
class KeyPair:
private_pem: bytes
public_pem: bytes
@pytest.fixture(scope="module")
def rsa_keys() -> KeyPair:
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048)
private_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
public_pem = private_key.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
return KeyPair(private_pem=private_pem, public_pem=public_pem)
def _make_cfg(rsa_keys: KeyPair, **overrides) -> JWTConfig:
base = dict(
key=rsa_keys.public_pem.decode(),
algorithm="RS256",
issuer=None,
audience=None,
authorized_parties=(),
clock_skew_seconds=5,
)
base.update(overrides)
return JWTConfig(**base)
def _sign(rsa_keys: KeyPair,
claims: dict,
*,
alg: str = "RS256",
headers: dict | None = None) -> str:
return pyjwt.encode(claims,
rsa_keys.private_pem,
algorithm=alg,
headers=headers)
@pytest.mark.no_host_override
def test_verify_jwt_accepts_valid_rs256(rsa_keys):
cfg = _make_cfg(rsa_keys)
token = _sign(rsa_keys, {"sub": "user-1", "exp": int(time.time()) + 60})
claims = verify_jwt(token, cfg)
assert claims["sub"] == "user-1"
@pytest.mark.no_host_override
def test_verify_jwt_rejects_alg_none(rsa_keys):
cfg = _make_cfg(rsa_keys)
token = pyjwt.encode({
"sub": "x",
"exp": int(time.time()) + 60
},
key="",
algorithm="none")
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_rejects_alg_confusion(rsa_keys):
cfg = _make_cfg(rsa_keys, algorithm="RS256")
token = pyjwt.encode({
"sub": "x",
"exp": int(time.time()) + 60
},
key="shared-secret",
algorithm="HS256")
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_rejects_missing_exp(rsa_keys):
cfg = _make_cfg(rsa_keys)
token = _sign(rsa_keys, {"sub": "x"})
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_rejects_expired(rsa_keys):
cfg = _make_cfg(rsa_keys, clock_skew_seconds=0)
token = _sign(rsa_keys, {"sub": "x", "exp": int(time.time()) - 60})
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_accepts_within_clock_skew(rsa_keys):
cfg = _make_cfg(rsa_keys, clock_skew_seconds=30)
token = _sign(rsa_keys, {"sub": "x", "exp": int(time.time()) - 5})
claims = verify_jwt(token, cfg)
assert claims["sub"] == "x"
@pytest.mark.no_host_override
def test_verify_jwt_rejects_wrong_issuer(rsa_keys):
cfg = _make_cfg(rsa_keys, issuer="https://issuer.example")
token = _sign(
rsa_keys, {
"sub": "x",
"exp": int(time.time()) + 60,
"iss": "https://attacker.example",
})
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_rejects_wrong_audience(rsa_keys):
cfg = _make_cfg(rsa_keys, audience="mirage-daemon")
token = _sign(rsa_keys, {
"sub": "x",
"exp": int(time.time()) + 60,
"aud": "something-else",
})
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_rejects_unauthorized_party(rsa_keys):
cfg = _make_cfg(rsa_keys, authorized_parties=("https://app.example", ))
token = _sign(
rsa_keys, {
"sub": "x",
"exp": int(time.time()) + 60,
"azp": "https://attacker.example",
})
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_accepts_matching_authorized_party(rsa_keys):
cfg = _make_cfg(rsa_keys,
authorized_parties=("https://app.example",
"https://other.example"))
token = _sign(rsa_keys, {
"sub": "x",
"exp": int(time.time()) + 60,
"azp": "https://other.example",
})
claims = verify_jwt(token, cfg)
assert claims["sub"] == "x"
@pytest.mark.no_host_override
def test_verify_jwt_rejects_bad_typ_header(rsa_keys):
cfg = _make_cfg(rsa_keys)
token = _sign(rsa_keys, {
"sub": "x",
"exp": int(time.time()) + 60
},
headers={"typ": "NotAJWT"})
with pytest.raises(JWTVerificationError):
verify_jwt(token, cfg)
@pytest.mark.no_host_override
def test_verify_jwt_accepts_missing_typ_header(rsa_keys):
# Some issuers omit `typ` entirely. PyJWT does not require it,
# and we should not force it when it's absent.
cfg = _make_cfg(rsa_keys)
token = _sign(rsa_keys, {"sub": "x", "exp": int(time.time()) + 60})
claims = verify_jwt(token, cfg)
assert claims["sub"] == "x"