Usage

Installation

To use LabOrchestratorLib-Auth, first install it using pip:

(.venv) $ pip3 install lab-orchestrator-lib-auth

Creating Tokens

To create a JWT token you can use the lab_orchestrator_lib_auth.auth.generate_auth_token(...) function:

lab_orchestrator_lib_auth.auth.generate_auth_token(user_id, lab_instance_token_params, secret_key, expires_in=3600, expires_at=None, algorithm='HS256')

Generates a JWT token.

Parameters

• user_id (Union[str, int]) – Id of the user.

• lab_instance_token_params (LabInstanceTokenParams) – The data that is included in the token.

• secret_key (str) – The secret key that is used to decrypt the token.

• expires_in (int) – Amount of seconds the token is valid.

• expires_at (Optional[int]) – Optional UNIX time at which this token expires. Overwrites expires_in.

• algorithm (str) – Algorithm that should be used for creating the token. Available algorithms: https://pyjwt.readthedocs.io/en/latest/algorithms.html

Return type

str

Returns

A JWT token.

The user_id parameter should be either of type str or int and contain the id of the user. As decryption HS256 is used, which is a symmetric algorithm. The secret_key parameter contains the symmetric key that is used to encrypt and decrypt the token. The lab_instance_token_params parameter contains the information that are written into the token:

class lab_orchestrator_lib_auth.auth.LabInstanceTokenParams(lab_id, lab_instance_id, namespace_name, allowed_vmi_names, additional_data=None)

Data that is inserted into the JWT token.

Parameters

• lab_id (Union[str, int]) – The id of the lab.

• lab_instance_id (Union[str, int]) – The id of the lab instance.

• namespace_name (str) – Name of the namespace the VMs are running into.

• allowed_vmi_names (List[str]) – List of VM-names that the user is allowed to access.

• additional_data (Optional[Dict[str, Any]]) – Additional data that should be added to the key. The data in this parameter needs to be json serializable.

The allowed_vmi_names parameter is a list of the VM-names the user is allowed to access. So you can use one token for accessing multiple VMs in a lab. The additional_data parameter can be a dictionary of json serialisable data or None. This parameter is used to add more data without always changing the auth library.

For example:

>>> import lab_orchestrator_lib_auth.auth
>>> param = lab_orchestrator_lib_auth.auth.LabInstanceTokenParams(1, 9, "pentest-ubuntu-3-9", ["ubuntu"])
>>> lab_orchestrator_lib_auth.auth.generate_auth_token(5, param, "secret")
'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6NSwiZXhwIjoxNjMyMTM3OTExLjc5NTg1NjcsImxhYl9pbnN0YW5jZSI6eyJsYWJfaWQiOjEsImxhYl9pbnN0YW5jZV9pZCI6OSwibmFtZXNwYWNlX25hbWUiOiJwZW50ZXN0LXVidW50dS0zLTkiLCJhbGxvd2VkX3ZtaV9uYW1lcyI6WyJ1YnVudHUiXX19.ag6f2OsBP5FFyDN9kEw_ivesT8Pa0jGMp2eKjRM9iCs'

To create tokens with asymmetric keys install pyjwt[crypto] and take a look at these two links:

• https://pyjwt.readthedocs.io/en/latest/usage.html#encoding-decoding-tokens-with-rs256-rsa

• https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9

Decoding Tokens

To decode a JWT token you can use the lab_orchestrator_lib_auth.auth.decode_auth_token(...) function:

lab_orchestrator_lib_auth.auth.decode_auth_token(token, secret_key, algorithms=None)

Decodes a JWT token.

Parameters

• token (str) – The token to decode.

• secret_key (str) – Key that should be used to decrypt the token.

• algorithms (Optional[List[str]]) – Allowed algorithms. If None, [‘HS256’] is used.

Return type

LabInstanceTokenParams

Returns

The data that is contained in the token or None if decode goes wrong.

Raises

• jwt.exceptions.DecodeError – Raised when a token cannot be decoded because it failed validation.

• jwt.exceptions.InvalidSignatureError – Raised when a token’s signature doesn’t match the one provided as part of the token.

• jwt.exceptions.ExpiredSignatureError – Raised when a token’s exp claim indicates that it has expired.

• jwt.exceptions.InvalidAudienceError – Raised when a token’s aud claim does not match one of the expected audience values.

• jwt.exceptions.InvalidIssuerError – Raised when a token’s iss claim does not match the expected issuer.

• jwt.exceptions.InvalidIssuedAtError – Raised when a token’s iat claim is in the future.

• jwt.exceptions.ImmatureSignatureError – Raised when a token’s nbf claim represents a time in the future.

• jwt.exceptions.InvalidKeyError – Raised when the specified key is not in the proper format.

• jwt.exceptions.InvalidAlgorithmError – Raised when the specified algorithm is not recognized by PyJWT.

• jwt.exceptions.MissingRequiredClaimError – Raised when a claim that is required to be present is not contained in the claimset.

This function also uses HS256 as decryption algorithm so you need to have the same secret key as during the creation of a token. This method then returns the data that was inserted into the token.

Verifying Tokens

To verfiy a JWT token you can use the lab_orchestrator_lib_auth.auth.verify_auth_token(...) function:

lab_orchestrator_lib_auth.auth.verify_auth_token(token, vmi_name, secret_key, algorithms=None)

Decodes a token and verifies if it’s valid.

Checks if the vmi_name is allowed in the token.

Parameters

• token (str) – The token to decode and verify.

• vmi_name (str) – The vmi_name the user wants to use.

• secret_key (str) – Key that is used to decrypt the token.

Return type

Tuple[bool, LabInstanceTokenParams]

Returns

The result of the verification as a boolean and the data contained in the token.

Raises

• jwt.exceptions.DecodeError – Raised when a token cannot be decoded because it failed validation.

• jwt.exceptions.InvalidSignatureError – Raised when a token’s signature doesn’t match the one provided as part of the token.

• jwt.exceptions.ExpiredSignatureError – Raised when a token’s exp claim indicates that it has expired.

• jwt.exceptions.InvalidAudienceError – Raised when a token’s aud claim does not match one of the expected audience values.

• jwt.exceptions.InvalidIssuerError – Raised when a token’s iss claim does not match the expected issuer.

• jwt.exceptions.InvalidIssuedAtError – Raised when a token’s iat claim is in the future.

• jwt.exceptions.ImmatureSignatureError – Raised when a token’s nbf claim represents a time in the future.

• jwt.exceptions.InvalidKeyError – Raised when the specified key is not in the proper format.

• jwt.exceptions.InvalidAlgorithmError – Raised when the specified algorithm is not recognized by PyJWT.

• jwt.exceptions.MissingRequiredClaimError – Raised when a claim that is required to be present is not contained in the claimset.

This function checks if the given vmi_name is allowed in the token.

Exceptions

exception jwt.exceptions.PyJWTError

Bases: Exception

Base class for all exceptions

exception jwt.exceptions.InvalidTokenError

Bases: jwt.exceptions.PyJWTError

exception jwt.exceptions.DecodeError

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.InvalidSignatureError

Bases: jwt.exceptions.DecodeError

exception jwt.exceptions.ExpiredSignatureError

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.InvalidAudienceError

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.InvalidIssuerError

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.InvalidIssuedAtError

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.ImmatureSignatureError

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.InvalidKeyError

Bases: jwt.exceptions.PyJWTError

exception jwt.exceptions.InvalidAlgorithmError

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.MissingRequiredClaimError(claim)

Bases: jwt.exceptions.InvalidTokenError

exception jwt.exceptions.PyJWKError

Bases: jwt.exceptions.PyJWTError

exception jwt.exceptions.PyJWKSetError

Bases: jwt.exceptions.PyJWTError

exception jwt.exceptions.PyJWKClientError

Bases: jwt.exceptions.PyJWTError