From 6ae3faf7fccbad247f28510130dad16e338a1ede Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Mon, 19 Sep 2016 16:19:29 -0400
Subject: [PATCH] Add explicit config parameter to the JWT auth methods
---
 auth/registry_jwt_auth.py | 2 +-
 storage/downloadproxy.py | 10 +++++-----
 test/registry_tests.py | 2 +-
 test/test_storageproxy.py | 7 ++++---
 util/security/registry_jwt.py | 12 +++++-------
 5 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/auth/registry_jwt_auth.py b/auth/registry_jwt_auth.py
index 014757751..611d7c071 100644
--- a/auth/registry_jwt_auth.py
+++ b/auth/registry_jwt_auth.py
@@ -144,7 +144,7 @@ def identity_from_bearer_token(bearer_header):
 logger.debug('Validating auth header: %s', bearer_header)
 try:
- payload = decode_bearer_header(bearer_header, instance_keys)
+ payload = decode_bearer_header(bearer_header, instance_keys, app.config)
 except InvalidBearerTokenException as bte:
 logger.exception('Invalid bearer token: %s', bte)
 raise InvalidJWTException(bte)
diff --git a/storage/downloadproxy.py b/storage/downloadproxy.py
index 41b0727aa..af41feb9e 100644
--- a/storage/downloadproxy.py
+++ b/storage/downloadproxy.py
@@ -1,12 +1,12 @@
+import logging
 import urllib
-from urlparse import urlparse, parse_qs
-from util.security.registry_jwt import (generate_bearer_token, decode_bearer_token, InvalidBearerTokenException)
+from urlparse import urlparse
 from flask import abort, request
 from jsonschema import validate, ValidationError
-import logging
+from util.security.registry_jwt import (generate_bearer_token, decode_bearer_token, InvalidBearerTokenException)
 logger = logging.getLogger(__name__)
@@ -126,7 +126,7 @@ class DownloadProxy(object):
 # Decode the bearer token.
 try:
- decoded = decode_bearer_token(token, self.instance_keys)
+ decoded = decode_bearer_token(token, self.instance_keys, self.app.config)
 except InvalidBearerTokenException:
 logger.exception('Invalid token for storage proxy')
 abort(401)
diff --git a/test/registry_tests.py b/test/registry_tests.py
index 4bd91109a..4e98aba00 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -1958,7 +1958,7 @@ class V2LoginTests(V2RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, Base
 encoded = response.json()['token']
 header = 'Bearer ' + encoded
- payload = decode_bearer_header(header, instance_keys)
+ payload = decode_bearer_header(header, instance_keys, app.config)
 self.assertIsNotNone(payload)
 if scope is None:
diff --git a/test/test_storageproxy.py b/test/test_storageproxy.py
index b314c1793..8db766068 100644
--- a/test/test_storageproxy.py
+++ b/test/test_storageproxy.py
@@ -1,12 +1,13 @@
-import unittest
-import requests
 import os
+import requests
+import unittest
 from flask import Flask
 from flask.ext.testing import LiveServerTestCase
+
 from initdb import setup_database_for_testing, finished_database_for_testing
-from util.security.instancekeys import InstanceKeys
 from storage import Storage
+from util.security.instancekeys import InstanceKeys
 _PORT_NUMBER = 5001
diff --git a/util/security/registry_jwt.py b/util/security/registry_jwt.py
index 212fa4f37..ff11f3db4 100644
--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@@ -18,7 +18,7 @@ class InvalidBearerTokenException(Exception):
 pass
-def decode_bearer_header(bearer_header, instance_keys):
+def decode_bearer_header(bearer_header, instance_keys, config):
 """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error, raises an InvalidBearerTokenException with the reason for failure.
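Review bot: The new `config` parameter of `decode_bearer_header` is undocumented; the docstring in this hunk still describes only the header and the validation outcome, and the same applies to `decode_bearer_token` in the next hunk. Because the function now depends on a caller-supplied mapping, the docstring should state what that mapping must contain, e.g. `config: application config mapping; must provide 'SERVER_HOSTNAME' (used as the expected JWT audience) and may provide 'REGISTRY_JWT_AUTH_MAX_FRESH_S' (passed to jwtutil.exp_max_s_option, default 3660)`. The body of decode_bearer_header continues past the end of this hunk.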
@@ -30,16 +30,14 @@ def decode_bearer_header(bearer_header, instance_keys):
 encoded_jwt = match.group(1)
 logger.debug('encoded JWT: %s', encoded_jwt)
- return decode_bearer_token(encoded_jwt, instance_keys)
+ return decode_bearer_token(encoded_jwt, instance_keys, config)
-def decode_bearer_token(bearer_token, instance_keys):
+def decode_bearer_token(bearer_token, instance_keys, config):
 """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the encoded JWT and returns the decoded and validated JWT. On any error, raises an InvalidBearerTokenException with the reason for failure. """
- app_config = instance_keys.app.config
-
 # Decode the key ID.
 headers = jwt.get_unverified_header(bearer_token)
 kid = headers.get('kid', None)
@@ -56,8 +54,8 @@ def decode_bearer_token(bearer_token, instance_keys):
 # Load the JWT returned.
 try:
 expected_issuer = instance_keys.service_name
- audience = app_config['SERVER_HOSTNAME']
- max_signed_s = app_config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
+ audience = config['SERVER_HOSTNAME']
+ max_signed_s = config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
 max_exp = jwtutil.exp_max_s_option(max_signed_s)
 payload = jwtutil.decode(bearer_token, public_key, algorithms=[ALGORITHM], audience=audience, issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)
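Review bot: `audience = config['SERVER_HOSTNAME']` is evaluated inside the `try:` together with the signature and claim checks, so if the `except` clause that follows (outside this hunk) maps exceptions to InvalidBearerTokenException, a deployment whose config lacks SERVER_HOSTNAME would surface as a rejected token rather than as a configuration error; now that `config` is an explicit argument, reading it before the `try`, e.g. `audience = config['SERVER_HOSTNAME']` placed ahead of `# Load the JWT returned.`, makes the misconfiguration fail loudly instead. A second point: the expected issuer still comes from `instance_keys.service_name` while the audience now comes from the separately supplied `config`; the preceding hunk removed `app_config = instance_keys.app.config`, which previously tied the two to the same application, so a comment such as `# config must be the application config instance_keys was built from, so issuer and audience agree` would keep that invariant visible to future callers. The body of decode_bearer_token starts before and ends after this hunk.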