e744336385
C-6: ConnectorRuntime enforces capability_mask per operation.
READ-only ACs cannot invoke MUTATE operations (wipe, lock, retire).
C-7: AC validated against database (exists, active, not expired)
before connector invocation.
C-9: Delegated AC capability bounded by delegator's capability.
C-10: Command counter uses atomic SQL increment with limit check.
M-23: expire_stale() uses same atomic SQL pattern.
H-1: Sensitive credential fields hidden from repr/logs via repr=False.
H-2: Stub backend requires ALLOW_STUB_CREDENTIALS=true to activate.
H-3: Kerberos backend raises CredentialResolutionError instead of
returning stub ticket.
H-4: Chronicle INTENT emitted before execution, RESULT after.
H-5: device_id validated as UUID before Graph API URL interpolation.
H-8: ConnectorRuntime enforces governance for all connector invocations.
Signed-off-by: Tyler King <tking@guildhouse.dev>
113 lines
2.3 KiB
Python
113 lines
2.3 KiB
Python
class PyJWTError(Exception):
|
|
"""
|
|
Base class for all exceptions
|
|
"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidTokenError(PyJWTError):
|
|
"""Base exception when ``decode()`` fails on a token"""
|
|
|
|
pass
|
|
|
|
|
|
class DecodeError(InvalidTokenError):
|
|
"""Raised when a token cannot be decoded because it failed validation"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidSignatureError(DecodeError):
|
|
"""Raised when a token's signature doesn't match the one provided as part of
|
|
the token."""
|
|
|
|
pass
|
|
|
|
|
|
class ExpiredSignatureError(InvalidTokenError):
|
|
"""Raised when a token's ``exp`` claim indicates that it has expired"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidAudienceError(InvalidTokenError):
|
|
"""Raised when a token's ``aud`` claim does not match one of the expected
|
|
audience values"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidIssuerError(InvalidTokenError):
|
|
"""Raised when a token's ``iss`` claim does not match the expected issuer"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidIssuedAtError(InvalidTokenError):
|
|
"""Raised when a token's ``iat`` claim is non-numeric"""
|
|
|
|
pass
|
|
|
|
|
|
class ImmatureSignatureError(InvalidTokenError):
|
|
"""Raised when a token's ``nbf`` or ``iat`` claims represent a time in the future"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidKeyError(PyJWTError):
|
|
"""Raised when the specified key is not in the proper format"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidAlgorithmError(InvalidTokenError):
|
|
"""Raised when the specified algorithm is not recognized by PyJWT"""
|
|
|
|
pass
|
|
|
|
|
|
class MissingRequiredClaimError(InvalidTokenError):
|
|
"""Raised when a claim that is required to be present is not contained
|
|
in the claimset"""
|
|
|
|
def __init__(self, claim: str) -> None:
|
|
self.claim = claim
|
|
|
|
def __str__(self) -> str:
|
|
return f'Token is missing the "{self.claim}" claim'
|
|
|
|
|
|
class PyJWKError(PyJWTError):
|
|
pass
|
|
|
|
|
|
class MissingCryptographyError(PyJWKError):
|
|
"""Raised if the algorithm requires ``cryptography`` to be installed and it is not available."""
|
|
|
|
pass
|
|
|
|
|
|
class PyJWKSetError(PyJWTError):
|
|
pass
|
|
|
|
|
|
class PyJWKClientError(PyJWTError):
|
|
pass
|
|
|
|
|
|
class PyJWKClientConnectionError(PyJWKClientError):
|
|
pass
|
|
|
|
|
|
class InvalidSubjectError(InvalidTokenError):
|
|
"""Raised when a token's ``sub`` claim is not a string or doesn't match the expected ``subject``"""
|
|
|
|
pass
|
|
|
|
|
|
class InvalidJTIError(InvalidTokenError):
|
|
"""Raised when a token's ``jti`` claim is not a string"""
|
|
|
|
pass
|