Add explicit config parameter to the JWT auth methods

This commit is contained in:
Joseph Schorr 2016-09-19 16:19:29 -04:00
parent 460137779f
commit 6ae3faf7fc
5 changed files with 16 additions and 17 deletions


@ -144,7 +144,7 @@ def identity_from_bearer_token(bearer_header):
logger.debug('Validating auth header: %s', bearer_header) logger.debug('Validating auth header: %s', bearer_header)
try: try:
payload = decode_bearer_header(bearer_header, instance_keys) payload = decode_bearer_header(bearer_header, instance_keys, app.config)
except InvalidBearerTokenException as bte: except InvalidBearerTokenException as bte:
logger.exception('Invalid bearer token: %s', bte) logger.exception('Invalid bearer token: %s', bte)
raise InvalidJWTException(bte) raise InvalidJWTException(bte)
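Review bot: The hunk still writes the raw credential to the log: the context line `logger.debug('Validating auth header: %s', bearer_header)` records the full bearer token whenever debug logging is on, and the new `decode_bearer_header(bearer_header, instance_keys, app.config)` call does nothing to change that. On the failure path, `logger.exception('Invalid bearer token: %s', bte)` also emits an ERROR-level traceback for every malformed token an unauthenticated client chooses to send. I would drop the value from the debug call, `logger.debug('Validating auth header')`, and downgrade the failure line to `logger.warning('Invalid bearer token: %s', bte)`. `identity_from_bearer_token` starts and ends outside this hunk, and `app` is presumably a module-level import that is not visible here.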


@ -1,12 +1,12 @@
import logging
import urllib import urllib
from urlparse import urlparse, parse_qs
from util.security.registry_jwt import (generate_bearer_token, decode_bearer_token,
InvalidBearerTokenException)
from urlparse import urlparse
from flask import abort, request from flask import abort, request
from jsonschema import validate, ValidationError from jsonschema import validate, ValidationError
import logging from util.security.registry_jwt import (generate_bearer_token, decode_bearer_token,
InvalidBearerTokenException)
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -126,7 +126,7 @@ class DownloadProxy(object):
# Decode the bearer token. # Decode the bearer token.
try: try:
decoded = decode_bearer_token(token, self.instance_keys) decoded = decode_bearer_token(token, self.instance_keys, self.app.config)
except InvalidBearerTokenException: except InvalidBearerTokenException:
logger.exception('Invalid token for storage proxy') logger.exception('Invalid token for storage proxy')
abort(401) abort(401)
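Review bot: `parse_qs` disappears from the `urlparse` import in the first hunk of this file; if anything further down still calls it, the module will raise `NameError` on the first request rather than at import time, so confirm it is genuinely unused (the rest of the module is not visible here). In the second hunk, `decode_bearer_token(token, self.instance_keys, self.app.config)` assumes `DownloadProxy` stores the Flask app on `self.app`; that attribute is set outside the hunk and should be checked. Independently, `logger.exception('Invalid token for storage proxy')` logs a full traceback for every bad client-supplied token before the `abort(401)`; `logger.warning('Invalid token for storage proxy')` is enough for an expected auth failure. The enclosing method continues past the hunk.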


@ -1958,7 +1958,7 @@ class V2LoginTests(V2RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, Base
encoded = response.json()['token'] encoded = response.json()['token']
header = 'Bearer ' + encoded header = 'Bearer ' + encoded
payload = decode_bearer_header(header, instance_keys) payload = decode_bearer_header(header, instance_keys, app.config)
self.assertIsNotNone(payload) self.assertIsNotNone(payload)
if scope is None: if scope is None:
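Review bot: The assertion following the new `decode_bearer_header(header, instance_keys, app.config)` call only checks that `payload` is not `None`, so the test still never exercises the audience check that the decoder performs, and it decodes with the very config the token was minted against. With `config` now an explicit parameter a negative case is cheap, since the decoder only reads `SERVER_HOSTNAME` and `REGISTRY_JWT_AUTH_MAX_FRESH_S` from it: `with self.assertRaises(InvalidBearerTokenException): decode_bearer_header(header, instance_keys, {'SERVER_HOSTNAME': 'not-the-registry'})`. This assumes the decoder's except clause wraps audience failures in `InvalidBearerTokenException` and that the exception is imported in this test module, neither of which is visible here. The enclosing test method starts and ends outside this hunk.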


@ -1,12 +1,13 @@
import unittest
import requests
import os import os
import requests
import unittest
from flask import Flask from flask import Flask
from flask.ext.testing import LiveServerTestCase from flask.ext.testing import LiveServerTestCase
from initdb import setup_database_for_testing, finished_database_for_testing from initdb import setup_database_for_testing, finished_database_for_testing
from util.security.instancekeys import InstanceKeys
from storage import Storage from storage import Storage
from util.security.instancekeys import InstanceKeys
_PORT_NUMBER = 5001 _PORT_NUMBER = 5001


@ -18,7 +18,7 @@ class InvalidBearerTokenException(Exception):
pass pass
def decode_bearer_header(bearer_header, instance_keys): def decode_bearer_header(bearer_header, instance_keys, config):
""" decode_bearer_header decodes the given bearer header that contains an encoded JWT with both """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error, a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error,
raises an InvalidBearerTokenException with the reason for failure. raises an InvalidBearerTokenException with the reason for failure.
@ -30,16 +30,14 @@ def decode_bearer_header(bearer_header, instance_keys):
encoded_jwt = match.group(1) encoded_jwt = match.group(1)
logger.debug('encoded JWT: %s', encoded_jwt) logger.debug('encoded JWT: %s', encoded_jwt)
return decode_bearer_token(encoded_jwt, instance_keys) return decode_bearer_token(encoded_jwt, instance_keys, config)
def decode_bearer_token(bearer_token, instance_keys): def decode_bearer_token(bearer_token, instance_keys, config):
""" decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
encoded JWT and returns the decoded and validated JWT. On any error, raises an encoded JWT and returns the decoded and validated JWT. On any error, raises an
InvalidBearerTokenException with the reason for failure. InvalidBearerTokenException with the reason for failure.
""" """
app_config = instance_keys.app.config
# Decode the key ID. # Decode the key ID.
headers = jwt.get_unverified_header(bearer_token) headers = jwt.get_unverified_header(bearer_token)
kid = headers.get('kid', None) kid = headers.get('kid', None)
@ -56,8 +54,8 @@ def decode_bearer_token(bearer_token, instance_keys):
# Load the JWT returned. # Load the JWT returned.
try: try:
expected_issuer = instance_keys.service_name expected_issuer = instance_keys.service_name
audience = app_config['SERVER_HOSTNAME'] audience = config['SERVER_HOSTNAME']
max_signed_s = app_config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660) max_signed_s = config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
max_exp = jwtutil.exp_max_s_option(max_signed_s) max_exp = jwtutil.exp_max_s_option(max_signed_s)
payload = jwtutil.decode(bearer_token, public_key, algorithms=[ALGORITHM], audience=audience, payload = jwtutil.decode(bearer_token, public_key, algorithms=[ALGORITHM], audience=audience,
issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS) issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)
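Review bot: Neither docstring mentions the new `config` parameter, and because `decode_bearer_token` now verifies the token against whatever mapping the caller hands it instead of `instance_keys.app.config`, that contract should be written down; add to both docstrings a line such as `config: mapping supplying SERVER_HOSTNAME (the expected audience) and optionally REGISTRY_JWT_AUTH_MAX_FRESH_S (maximum seconds a token may be valid for; default 3660).` The docstring should also say that `SERVER_HOSTNAME` is mandatory: `config['SERVER_HOSTNAME']` raises `KeyError` from inside the `try`, and whether that is caught depends on the except clause, which lies outside the hunk. Unrelated to the parameter change but in the same function, the context line `logger.debug('encoded JWT: %s', encoded_jwt)` writes the bearer credential to the log at debug level; `logger.debug('decoding bearer JWT')` is safer. `decode_bearer_token`'s body continues past the last hunk.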