Initial commit

Code refactoring

Changing reference doc string

Adding tests

PR review 1

Adding dependencies and polishing code

Python 2 compat

Author: abhidnya13

msal/application.py

@@ -1,6 +1,11 @@
 import functools
 import json
 import time
+
+import six
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
 try:  # Python 2
     from urlparse import urljoin
 except:  # Python 3
@@ -124,6 +129,7 @@ def __init__(
                     "private_key": "...-----BEGIN PRIVATE KEY-----...",
                     "thumbprint": "A1B2C3D4E5F6...",
                     "public_certificate": "...-----BEGIN CERTIFICATE-----..." (Optional. See below.)
+                    "passphrase": "Passphrase if the private_key is encrypted (Optional)"
                 }
 
             *Added in version 0.5.0*:
@@ -252,8 +258,21 @@ def _build_client(self, client_credential, authority):
             headers = {}
             if 'public_certificate' in client_credential:
                 headers["x5c"] = extract_certs(client_credential['public_certificate'])
+            if not client_credential.get("passphrase"):
+                unencrypted_private_key = client_credential['private_key']
+            else:
+                if isinstance(client_credential['private_key'], six.text_type):
+                    private_key = client_credential['private_key'].encode(encoding="utf-8")
+                else:
+                    private_key = client_credential['private_key']
+                if isinstance(client_credential['passphrase'], six.text_type):
+                    password = client_credential['passphrase'].encode(encoding="utf-8")
+                else:
+                    password = client_credential['passphrase']
+                unencrypted_private_key = serialization.load_pem_private_key(
+                    private_key, password=password, backend=default_backend())
             assertion = JwtAssertionCreator(
-                client_credential["private_key"], algorithm="RS256",
+                unencrypted_private_key, algorithm="RS256",
                 sha1_thumbprint=client_credential.get("thumbprint"), headers=headers)
             client_assertion = assertion.create_regenerative_assertion(
                 audience=authority.token_endpoint, issuer=self.client_id,

setup.py

@@ -74,6 +74,8 @@
     install_requires=[
         'requests>=2.0.0,<3',
         'PyJWT[crypto]>=1.0.0,<2',
+        'six>=1.6',
+        'cryptography>=2.1.4'
     ]
 )
 

tests/test_application.py

@@ -39,6 +39,33 @@ def test_extract_multiple_tag_enclosed_certs(self):
         self.assertEqual(["my_cert1", "my_cert2"], extract_certs(pem))
 
 
+class TestEncryptedKeyAsClientCredential(unittest.TestCase):
+    # Internally, we use serialization.load_pem_private_key() to load an encrypted private key with a passphrase
+    # This function takes in encrypted key in bytes and passphrase in bytes too
+    # Our code handles such a conversion, adding test cases to verify such a conversion is needed
+
+    def test_encyrpted_key_in_bytes_and_string_password_should_error(self):
+        private_key = b"""
+        -----BEGIN ENCRYPTED PRIVATE KEY-----
+        test_private_key
+        -----END ENCRYPTED PRIVATE KEY-----
+        """
+        with self.assertRaises(TypeError):
+            # Using a unicode string for Python 2 to identify it as a string and not default to bytes
+            serialization.load_pem_private_key(
+                private_key, password=u"string_password", backend=default_backend())
+
+    def test_encyrpted_key_is_string_and_bytes_password_should_error(self):
+        private_key = u"""
+        -----BEGIN ENCRYPTED PRIVATE KEY-----
+        test_private_key
+        -----END ENCRYPTED PRIVATE KEY-----
+        """
+        with self.assertRaises(TypeError):
+            serialization.load_pem_private_key(
+                private_key, password=b"byte_password", backend=default_backend())
+
+
 class TestClientApplicationAcquireTokenSilentErrorBehaviors(unittest.TestCase):
 
     def setUp(self):