test: docs: registration polcies: Ensure both ssh and oidc notary pub…

…lic key resolvers tested seperatly

Signed-off-by: John Andersen <[email protected]>

scitt_emulator/key_loader_format_did_jwk.py

@@ -37,3 +37,17 @@ def key_loader_format_did_jwk(
             cose=None,
         )
     ]
+
+
+def to_object_jwk(verification_key: VerificationKey) -> dict:
+    if not isinstance(verification_key.original, jwcrypto.jwk.JWK):
+        return
+
+    return {
+        "content_type": verification_key.original_content_type,
+        "key": {
+            **verification_key.original.export_public(as_dict=True),
+            "use": "sig",
+            "kid": verification_key.original.thumbprint(),
+        },
+    }

scitt_emulator/key_loader_format_url_referencing_oidc_issuer.py

@@ -14,6 +14,7 @@
 
 from scitt_emulator.did_helpers import did_web_to_url
 from scitt_emulator.key_helper_dataclasses import VerificationKey
+from scitt_emulator.key_loader_format_did_jwk import to_object_jwk
 
 
 CONTENT_TYPE = "application/jwk+json"
@@ -72,17 +73,3 @@ def transform_key_instance_jwcrypto_jwk_to_cwt_cose(
         key.export_to_pem(),
         kid=key.thumbprint(),
     )
-
-
-def to_object_oidc_issuer(verification_key: VerificationKey) -> dict:
-    if verification_key.original_content_type != CONTENT_TYPE:
-        return
-
-    return {
-        "content_type": verification_key.original_content_type,
-        "key": {
-            **verification_key.original.export_public(as_dict=True),
-            "use": "sig",
-            "kid": verification_key.original.thumbprint(),
-        },
-    }

scitt_emulator/key_loader_format_url_referencing_ssh_authorized_keys.py

@@ -1,4 +1,5 @@
 import contextlib
+import dataclasses
 import urllib.parse
 import urllib.request
 from typing import List, Tuple
@@ -15,6 +16,7 @@
 
 from scitt_emulator.did_helpers import did_web_to_url
 from scitt_emulator.key_helper_dataclasses import VerificationKey
+from scitt_emulator.key_loader_format_did_jwk import to_object_jwk
 
 CONTENT_TYPE = "application/key+ssh"
 
@@ -57,11 +59,27 @@ def key_loader_format_url_referencing_ssh_authorized_keys(
 def transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk(
     key: cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey,
 ) -> jwcrypto.jwk.JWK:
-    if not isinstance(key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey):
+    if not isinstance(
+        key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey
+    ):
         raise TypeError(key)
     return jwcrypto.jwk.JWK.from_pem(
         key.public_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PublicFormat.SubjectPublicKeyInfo,
         )
     )
+
+
+def to_object_ssh_public(verification_key: VerificationKey) -> dict:
+    if verification_key.original_content_type != CONTENT_TYPE:
+        return
+
+    return to_object_jwk(
+        dataclasses.replace(
+            verification_key,
+            original=transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk(
+                verification_key.original,
+            )
+        )
+    )

scitt_emulator/verify_statement.py

@@ -64,6 +64,7 @@ def verify_statement(
             # TODO Logging
             continue
         msg.key = verification_key.cose
+        verify_signature = False
         with contextlib.suppress(Exception):
             verify_signature = msg.verify_signature()
         if verify_signature:

setup.py

@@ -22,7 +22,8 @@
             'transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk=scitt_emulator:key_loader_format_url_referencing_ssh_authorized_keys.transform_key_instance_cryptography_ecc_public_to_jwcrypto_jwk',
         ],
         'scitt_emulator.key_helpers.verification_key_to_object': [
-            'to_object_oidc_issuer=scitt_emulator.key_loader_format_url_referencing_oidc_issuer:to_object_oidc_issuer',
+            'to_object_jwk=scitt_emulator.key_loader_format_did_jwk:to_object_jwk',
+            'to_object_ssh_public=scitt_emulator.key_loader_format_url_referencing_ssh_authorized_keys:to_object_ssh_public',
         ],
     },
     python_requires=">=3.8",

tests/test_cli.py

@@ -156,13 +156,12 @@ def test_client_cli(use_lro: bool, tmp_path):
         assert receipt == receipt_2
 
 
-def create_flask_app_oidc_server(config):
-    app = Flask("oidc_server")
+def create_flask_app_ssh_authorized_keys_server(config):
+    app = Flask("ssh_authorized_keys_server")
 
     app.config.update(dict(DEBUG=True))
     app.config.update(config)
 
-    # TODO For testing ssh key style issuers, not OIDC related needs to be moved
     @app.route("/", methods=["GET"])
     def ssh_public_keys():
         from cryptography.hazmat.primitives import serialization
@@ -178,6 +177,15 @@ def ssh_public_keys():
             mimetype="text/plain",
         )
 
+    return app
+
+
+def create_flask_app_oidc_server(config):
+    app = Flask("oidc_server")
+
+    app.config.update(dict(DEBUG=True))
+    app.config.update(config)
+
     @app.route("/.well-known/openid-configuration", methods=["GET"])
     def openid_configuration():
         return jsonify(

tests/test_docs.py

@@ -14,6 +14,7 @@
 import subprocess
 import urllib.parse
 
+import pytest
 import myst_parser.parsers.docutils_
 import docutils.nodes
 import docutils.utils
@@ -28,6 +29,7 @@
     payload,
     execute_cli,
     create_flask_app_oidc_server,
+    create_flask_app_ssh_authorized_keys_server,
 )
 
 
@@ -162,7 +164,13 @@ def url_to_did_web(url_string):
         ]
     )
 
-def test_docs_registration_policies(tmp_path):
+@pytest.mark.parametrize(
+    "create_flask_app_notary_identity", [
+        create_flask_app_oidc_server,
+        create_flask_app_ssh_authorized_keys_server,
+    ],
+)
+def test_docs_registration_policies(create_flask_app_notary_identity, tmp_path):
     workspace_path = tmp_path / "workspace"
 
     claim_path = tmp_path / "claim.cose"
@@ -195,7 +203,7 @@ def test_docs_registration_policies(tmp_path):
 
     with Service(
         {"key": key, "algorithms": [algorithm]},
-        create_flask_app=create_flask_app_oidc_server,
+        create_flask_app=create_flask_app_notary_identity,
     ) as oidc_service, Service(
         {
             "tree_alg": "CCF",
@@ -238,7 +246,7 @@ def test_docs_registration_policies(tmp_path):
         assert os.path.exists(claim_path)
 
         # replace example issuer with test OIDC service issuer (URL) in error
-        claim_denied_error_blocked = CLAIM_DENIED_ERROR_BLOCKED
+        claim_denied_error_blocked = copy.deepcopy(CLAIM_DENIED_ERROR_BLOCKED)
         claim_denied_error_blocked["detail"] = claim_denied_error_blocked["detail"].replace(
             "did:web:denied.example.com", issuer,
         )
@@ -276,27 +284,7 @@ def test_docs_registration_policies(tmp_path):
             )
         )
 
-        # submit accepted claim using SSH authorized_keys lookup
-        command = [
-            "client",
-            "submit-claim",
-            "--claim",
-            claim_path,
-            "--out",
-            receipt_path,
-            "--out-entry-id",
-            entry_id_path,
-            "--url",
-            service.url
-        ]
-        execute_cli(command)
-        assert os.path.exists(receipt_path)
-        receipt_path.unlink()
-        assert os.path.exists(entry_id_path)
-        receipt_path.unlink(entry_id_path)
-
-        # TODO Switch back on the OIDC routes
-        # submit accepted claim using OIDC -> jwks lookup
+        # submit accepted claim
         command = [
             "client",
             "submit-claim",