ValidationClient for client validation, add ClientValidationJwt

Author: codejudas

tests/requirements.txt

@@ -6,3 +6,4 @@ nosexcover
 flake8
 mccabe
 wheel>=0.22.0
+cryptography

tests/unit/jwt/test_client_validation.py

@@ -0,0 +1,266 @@
+import unittest
+import time
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import (
+    Encoding,
+    PublicFormat,
+    PrivateFormat,
+    NoEncryption
+)
+
+from twilio.http.validation_client import ValidationPayload
+from twilio.jwt import Jwt
+from twilio.jwt.validation import ClientValidationJwt
+
+
+class ClientValidationJwtTest(unittest.TestCase):
+    def test_generate_payload_basic(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='https://api.twilio.com/',
+            query_string='q1=v1',
+            signed_headers=['headerb', 'headera'],
+            all_headers={'head': 'toe', 'headera': 'vala', 'headerb': 'valb'},
+            body='me=letop&you=leworst'
+        )
+
+        expected_payload = '\n'.join([
+            'GET',
+            'https://api.twilio.com/',
+            'q1=v1',
+            'headera:vala',
+            'headerb:valb',
+            '',
+            'headera;headerb',
+            '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst'))
+        ])
+        expected_payload = ClientValidationJwt._hash(expected_payload)
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        actual_payload = jwt._generate_payload()
+        self.assertEqual('headera;headerb', actual_payload['hrh'])
+        self.assertEqual(expected_payload, actual_payload['rqh'])
+
+    def test_generate_payload_complex(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='https://api.twilio.com/',
+            query_string='q1=v1&q2=v2&a=b',
+            signed_headers=['headerb', 'headera'],
+            all_headers={'head': 'toe', 'Headerb': 'valb', 'yeezy': 'weezy'},
+            body='me=letop&you=leworst'
+        )
+
+        expected_payload = '\n'.join([
+            'GET',
+            'https://api.twilio.com/',
+            'a=b&q1=v1&q2=v2',
+            'headerb:valb',
+            '',
+            'headera;headerb',
+            '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst'))
+        ])
+        expected_payload = ClientValidationJwt._hash(expected_payload)
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        actual_payload = jwt._generate_payload()
+        self.assertEqual('headera;headerb', actual_payload['hrh'])
+        self.assertEqual(expected_payload, actual_payload['rqh'])
+
+    def test_generate_payload_no_query_string(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='https://api.twilio.com/',
+            query_string='',
+            signed_headers=['headerb', 'headera'],
+            all_headers={'head': 'toe', 'Headerb': 'valb', 'yeezy': 'weezy'},
+            body='me=letop&you=leworst'
+        )
+
+        expected_payload = '\n'.join([
+            'GET',
+            'https://api.twilio.com/',
+            '',
+            'headerb:valb',
+            '',
+            'headera;headerb',
+            '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst'))
+        ])
+        expected_payload = ClientValidationJwt._hash(expected_payload)
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        actual_payload = jwt._generate_payload()
+        self.assertEqual('headera;headerb', actual_payload['hrh'])
+        self.assertEqual(expected_payload, actual_payload['rqh'])
+
+    def test_generate_payload_no_req_body(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='https://api.twilio.com/',
+            query_string='q1=v1',
+            signed_headers=['headerb', 'headera'],
+            all_headers={'head': 'toe', 'headera': 'vala', 'headerb': 'valb'},
+            body=None
+        )
+
+        expected_payload = '\n'.join([
+            'GET',
+            'https://api.twilio.com/',
+            'q1=v1',
+            'headera:vala',
+            'headerb:valb',
+            '',
+            'headera;headerb',
+        ])
+        expected_payload = ClientValidationJwt._hash(expected_payload)
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        actual_payload = jwt._generate_payload()
+        self.assertEqual('headera;headerb', actual_payload['hrh'])
+        self.assertEqual(expected_payload, actual_payload['rqh'])
+
+    def test_generate_payload_header_keys_lowercased(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='https://api.twilio.com/',
+            query_string='q1=v1',
+            signed_headers=['headerb', 'headera'],
+            all_headers={'head': 'toe', 'Headera': 'vala', 'Headerb': 'valb'},
+            body='me=letop&you=leworst'
+        )
+
+        expected_payload = '\n'.join([
+            'GET',
+            'https://api.twilio.com/',
+            'q1=v1',
+            'headera:vala',
+            'headerb:valb',
+            '',
+            'headera;headerb',
+            '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst'))
+        ])
+        expected_payload = ClientValidationJwt._hash(expected_payload)
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        actual_payload = jwt._generate_payload()
+        self.assertEqual('headera;headerb', actual_payload['hrh'])
+        self.assertEqual(expected_payload, actual_payload['rqh'])
+
+    def test_generate_payload_no_headers(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='https://api.twilio.com/',
+            query_string='q1=v1',
+            signed_headers=['headerb', 'headera'],
+            all_headers={},
+            body='me=letop&you=leworst'
+        )
+
+        expected_payload = '\n'.join([
+            'GET',
+            'https://api.twilio.com/',
+            'q1=v1',
+            '',
+            'headera;headerb',
+            '{}'.format(ClientValidationJwt._hash('me=letop&you=leworst'))
+        ])
+        expected_payload = ClientValidationJwt._hash(expected_payload)
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        actual_payload = jwt._generate_payload()
+        self.assertEqual('headera;headerb', actual_payload['hrh'])
+        self.assertEqual(expected_payload, actual_payload['rqh'])
+
+    def test_generate_payload_schema_correct(self):
+        """Test against a known good rqh payload hash"""
+        vp = ValidationPayload(
+            method='GET',
+            url='/Messages',
+            query_string='PageSize=5&Limit=10',
+            signed_headers=['authorization', 'host'],
+            all_headers={'authorization': 'foobar', 'host': 'api.twilio.com'},
+            body='foobar'
+        )
+
+        expected_hash = '4dc9b67bed579647914587b0e22a1c65c1641d8674797cd82de65e766cce5f80'
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        actual_payload = jwt._generate_payload()
+        self.assertEqual('authorization;host', actual_payload['hrh'])
+        self.assertEqual(expected_hash, actual_payload['rqh'])
+
+    def test_jwt_payload(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='/Messages',
+            query_string='PageSize=5&Limit=10',
+            signed_headers=['authorization', 'host'],
+            all_headers={'authorization': 'foobar', 'host': 'api.twilio.com'},
+            body='foobar'
+        )
+        expected_hash = '4dc9b67bed579647914587b0e22a1c65c1641d8674797cd82de65e766cce5f80'
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', 'secret', vp)
+
+        self.assertDictContainsSubset({
+            'hrh': 'authorization;host',
+            'rqh': expected_hash,
+            'iss': 'SK123',
+            'sub': 'AC123',
+        }, jwt.payload)
+        self.assertGreaterEqual(jwt.payload['exp'], time.time(), 'JWT exp is before now')
+        self.assertLessEqual(jwt.payload['exp'], time.time() + 501, 'JWT exp is after now + 5mins')
+        self.assertDictEqual({
+            'alg': 'RS256',
+            'typ': 'JWT',
+            'cty': 'twilio-pkrv;v=1',
+            'kid': 'CR123'
+        }, jwt.headers)
+
+    def test_jwt_signing(self):
+        vp = ValidationPayload(
+            method='GET',
+            url='/Messages',
+            query_string='PageSize=5&Limit=10',
+            signed_headers=['authorization', 'host'],
+            all_headers={'authorization': 'foobar', 'host': 'api.twilio.com'},
+            body='foobar'
+        )
+        expected_hash = '4dc9b67bed579647914587b0e22a1c65c1641d8674797cd82de65e766cce5f80'
+
+        private_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=2048,
+            backend=default_backend()
+        )
+        public_key = private_key.public_key().public_bytes(Encoding.PEM, PublicFormat.PKCS1)
+        private_key = private_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
+
+        jwt = ClientValidationJwt('AC123', 'SK123', 'CR123', private_key, vp)
+        decoded = Jwt.from_jwt(jwt.to_jwt(), public_key)
+
+        self.assertDictContainsSubset({
+            'hrh': 'authorization;host',
+            'rqh': expected_hash,
+            'iss': 'SK123',
+            'sub': 'AC123',
+        }, decoded.payload)
+        self.assertGreaterEqual(decoded.payload['exp'], time.time(), 'JWT exp is before now')
+        self.assertLessEqual(decoded.payload['exp'], time.time() + 501, 'JWT exp is after now + 5m')
+        self.assertDictEqual({
+            'alg': 'RS256',
+            'typ': 'JWT',
+            'cty': 'twilio-pkrv;v=1',
+            'kid': 'CR123'
+        }, decoded.headers)
+
+

twilio/http/http_client.py

@@ -5,10 +5,11 @@
 
 
 class TwilioHttpClient(HttpClient):
+    """General purpose HTTP Client for interacting with the Twilio API"""
     def request(self, method, url, params=None, data=None, headers=None, auth=None, timeout=None,
                 allow_redirects=False):
         """
-        General purpose HTTP client to make an HTTP request
+        Make an HTTP Request with parameters provided.
 
         :param str method: The HTTP method to use
         :param str url: The URL to request
@@ -18,11 +19,10 @@ def request(self, method, url, params=None, data=None, headers=None, auth=None,
         :param tuple auth: Basic Auth arguments
         :param float timeout: Socket/Read timeout for the request
         :param boolean allow_redirects: Whether or not to allow redirects
+        See the requests documentation for explanation of all these parameters
 
         :return: An http response
         :rtype: A :class:`Response <twilio.rest.http.response.Response>` object
-
-        See the requests documentation for explanation of all these parameters
         """
         session = Session()
         session.verify = get_cert_file()

twilio/http/validation_client.py

@@ -0,0 +1,89 @@
+from collections import namedtuple
+
+from requests import Request, Session
+
+from twilio.http import HttpClient, get_cert_file
+from twilio.http.response import Response
+from twilio.jwt.validation import ClientValidationJwt
+
+
+ValidationPayload = namedtuple('ValidationPayload', ['method', 'url', 'query_string', 'all_headers',
+                                                     'signed_headers', 'body'])
+
+
+class ValidationClient(HttpClient):
+    __SIGNED_HEADERS = ['authorization', 'host']
+
+    def __init__(self, account_sid, api_key_sid, credential_sid, private_key):
+        """
+        Build a ValidationClient which signs requests with private_key and allows Twilio to
+        validate request has not been tampered with.
+
+        :param str account_sid: A Twilio Account Sid starting with 'AC'
+        :param str api_key_sid: A Twilio API Key Sid starting with 'SK'
+        :param str credential_sid: A Credential Sid starting with 'CR',
+                                   corresponds to public key Twilio will use to verify the JWT.
+        :param str private_key: The private key used to sign the Client Validation JWT.
+        """
+        self.account_sid = account_sid
+        self.credential_sid = credential_sid
+        self.api_key_sid = api_key_sid
+        self.private_key = private_key
+
+    def request(self, method, url, params=None, data=None, headers=None, auth=None, timeout=None,
+                allow_redirects=False):
+        """
+        Make a signed HTTP Request
+
+        :param str method: The HTTP method to use
+        :param str url: The URL to request
+        :param dict params: Query parameters to append to the URL
+        :param dict data: Parameters to go in the body of the HTTP request
+        :param dict headers: HTTP Headers to send with the request
+        :param tuple auth: Basic Auth arguments
+        :param float timeout: Socket/Read timeout for the request
+        :param boolean allow_redirects: Whether or not to allow redirects
+        See the requests documentation for explanation of all these parameters
+
+        :return: An http response
+        :rtype: A :class:`Response <twilio.rest.http.response.Response>` object
+        """
+        session = Session()
+        session.verify = get_cert_file()
+
+        request = Request(method.upper(), url, params=params, data=data, headers=headers, auth=auth)
+        prepared_request = session.prepare_request(request)
+
+        validation_payload = self.__build_validation_payload(prepared_request)
+        jwt = ClientValidationJwt(self.account_sid, self.api_key_sid, self.credential_sid,
+                                  self.private_key, validation_payload)
+        prepared_request.headers['Twilio-Client-Validation'] = jwt.to_jwt()
+
+        response = session.send(
+            prepared_request,
+            allow_redirects=allow_redirects,
+            timeout=timeout,
+        )
+
+        return Response(int(response.status_code), response.content.decode('utf-8'))
+
+    def __build_validation_payload(self, request):
+        """
+        Extract relevant information from request to build a ClientValidationJWT
+        :param PreparedRequest request: request we will extract information from.
+        :return: ValidationPayload
+        """
+        try:
+            url, query_string = request.url.split('?', 1)
+        except ValueError:
+            url = request.url
+            query_string = ''
+
+        return ValidationPayload(
+            method=request.method,
+            url=url,
+            query_string=query_string,
+            all_headers=request.headers,
+            signed_headers=ValidationClient.__SIGNED_HEADERS,
+            body=request.body
+        )