Add explicit config parameter to the JWT auth methods

2016-09-19 16:19:29 -04:00 · 2016-09-19 16:19:29 -04:00 · 6ae3faf7fc
commit 6ae3faf7fc
parent 460137779f
5 changed files with 16 additions and 17 deletions
--- a/auth/registry_jwt_auth.py
+++ b/auth/registry_jwt_auth.py
@ -144,7 +144,7 @@ def identity_from_bearer_token(bearer_header):
  logger.debug('Validating auth header: %s', bearer_header)

  try:
-    payload = decode_bearer_header(bearer_header, instance_keys)
+    payload = decode_bearer_header(bearer_header, instance_keys, app.config)
  except InvalidBearerTokenException as bte:
    logger.exception('Invalid bearer token: %s', bte)
    raise InvalidJWTException(bte)
--- a/storage/downloadproxy.py
+++ b/storage/downloadproxy.py
@ -1,12 +1,12 @@
+import logging
 import urllib
-from urlparse import urlparse, parse_qs
-from util.security.registry_jwt import (generate_bearer_token, decode_bearer_token,
-                                        InvalidBearerTokenException)

+from urlparse import urlparse
 from flask import abort, request
 from jsonschema import validate, ValidationError

-import logging
+from util.security.registry_jwt import (generate_bearer_token, decode_bearer_token,
+                                        InvalidBearerTokenException)

 logger = logging.getLogger(__name__)

@ -126,7 +126,7 @@ class DownloadProxy(object):

    # Decode the bearer token.
    try:
-      decoded = decode_bearer_token(token, self.instance_keys)
+      decoded = decode_bearer_token(token, self.instance_keys, self.app.config)
    except InvalidBearerTokenException:
      logger.exception('Invalid token for storage proxy')
      abort(401)
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@ -1958,7 +1958,7 @@ class V2LoginTests(V2RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, Base
    encoded = response.json()['token']
    header = 'Bearer ' + encoded

-    payload = decode_bearer_header(header, instance_keys)
+    payload = decode_bearer_header(header, instance_keys, app.config)
    self.assertIsNotNone(payload)

    if scope is None:
--- a/test/test_storageproxy.py
+++ b/test/test_storageproxy.py
@ -1,12 +1,13 @@
-import unittest
-import requests
 import os
+import requests
+import unittest

 from flask import Flask
 from flask.ext.testing import LiveServerTestCase
+
 from initdb import setup_database_for_testing, finished_database_for_testing
-from util.security.instancekeys import InstanceKeys
 from storage import Storage
+from util.security.instancekeys import InstanceKeys

 _PORT_NUMBER = 5001

--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@ -18,7 +18,7 @@ class InvalidBearerTokenException(Exception):
  pass


-def decode_bearer_header(bearer_header, instance_keys):
+def decode_bearer_header(bearer_header, instance_keys, config):
  """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
      a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error,
      raises an InvalidBearerTokenException with the reason for failure.
@ -30,16 +30,14 @@ def decode_bearer_header(bearer_header, instance_keys):

  encoded_jwt = match.group(1)
  logger.debug('encoded JWT: %s', encoded_jwt)
-  return decode_bearer_token(encoded_jwt, instance_keys)
+  return decode_bearer_token(encoded_jwt, instance_keys, config)


-def decode_bearer_token(bearer_token, instance_keys):
+def decode_bearer_token(bearer_token, instance_keys, config):
  """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
      encoded JWT and returns the decoded and validated JWT. On any error, raises an
      InvalidBearerTokenException with the reason for failure.
  """
-  app_config = instance_keys.app.config
-
  # Decode the key ID.
  headers = jwt.get_unverified_header(bearer_token)
  kid = headers.get('kid', None)
@ -56,8 +54,8 @@ def decode_bearer_token(bearer_token, instance_keys):
  # Load the JWT returned.
  try:
    expected_issuer = instance_keys.service_name
-    audience = app_config['SERVER_HOSTNAME']
-    max_signed_s = app_config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
+    audience = config['SERVER_HOSTNAME']
+    max_signed_s = config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
    max_exp = jwtutil.exp_max_s_option(max_signed_s)
    payload = jwtutil.decode(bearer_token, public_key, algorithms=[ALGORITHM], audience=audience,
                             issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)