Add explicit config parameter to the JWT auth methods

util/security/registry_jwt.py

@@ -18,7 +18,7 @@ class InvalidBearerTokenException(Exception):
   pass
 
 
-def decode_bearer_header(bearer_header, instance_keys):
+def decode_bearer_header(bearer_header, instance_keys, config):
   """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
       a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error,
       raises an InvalidBearerTokenException with the reason for failure.
@@ -30,16 +30,14 @@ def decode_bearer_header(bearer_header, instance_keys):
 
   encoded_jwt = match.group(1)
   logger.debug('encoded JWT: %s', encoded_jwt)
-  return decode_bearer_token(encoded_jwt, instance_keys)
+  return decode_bearer_token(encoded_jwt, instance_keys, config)
 
 
-def decode_bearer_token(bearer_token, instance_keys):
+def decode_bearer_token(bearer_token, instance_keys, config):
   """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
       encoded JWT and returns the decoded and validated JWT. On any error, raises an
       InvalidBearerTokenException with the reason for failure.
   """
-  app_config = instance_keys.app.config
-
   # Decode the key ID.
   headers = jwt.get_unverified_header(bearer_token)
   kid = headers.get('kid', None)
@@ -56,8 +54,8 @@ def decode_bearer_token(bearer_token, instance_keys):
   # Load the JWT returned.
   try:
     expected_issuer = instance_keys.service_name
-    audience = app_config['SERVER_HOSTNAME']
-    max_signed_s = app_config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
+    audience = config['SERVER_HOSTNAME']
+    max_signed_s = config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
     max_exp = jwtutil.exp_max_s_option(max_signed_s)
     payload = jwtutil.decode(bearer_token, public_key, algorithms=[ALGORITHM], audience=audience,
                              issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)