diff --git a/endpoints/key_server.py b/endpoints/key_server.py
index 4cfb6fc25..6ab4fddf5 100644
--- a/endpoints/key_server.py
+++ b/endpoints/key_server.py
@@ -174,6 +174,7 @@ def delete_service_key(service, kid):
 match = TOKEN_REGEX.match(jwt_header)
 if match is None:
 abort(400)
+ encoded_jwt = match.group(1)
 signer_kid = _signer_kid(encoded_jwt)
diff --git a/initdb.py b/initdb.py
index 984cf972a..6c3492504 100644
--- a/initdb.py
+++ b/initdb.py
@@ -655,16 +655,16 @@ def populate_database(minimal=False, with_storage=False):
 __generate_service_key('kid1', 'somesamplekey', new_user_1, today, ServiceKeyApprovalType.SUPERUSER)
 __generate_service_key('kid2', 'someexpiringkey', new_user_1, week_ago,
- ServiceKeyApprovalType.SUPERUSER, today + timedelta(14))
+ ServiceKeyApprovalType.SUPERUSER, today + timedelta(days=14))
 __generate_service_key('kid3', 'unapprovedkey', new_user_1, today, None)
 __generate_service_key('kid4', 'autorotatingkey', new_user_1, six_ago,
- ServiceKeyApprovalType.KEY_ROTATION, today + timedelta(1),
+ ServiceKeyApprovalType.KEY_ROTATION, today + timedelta(days=1),
 rotation_duration=timedelta(hours=12).total_seconds())
 __generate_service_key('kid5', 'key for another service', new_user_1, today,
- ServiceKeyApprovalType.SUPERUSER, today + timedelta(14),
+ ServiceKeyApprovalType.SUPERUSER, today + timedelta(days=14),
 service='different_sample_service')
 model.log.log_action('org_create_team', org.username, performer=new_user_1,
diff --git a/test/test_endpoints.py b/test/test_endpoints.py
index e5c95151f..10ba2c29c 100644
--- a/test/test_endpoints.py
+++ b/test/test_endpoints.py
@@ -190,13 +190,14 @@ class WebEndpointTestCase(EndpointTestCase):
 class KeyServerTestCase(EndpointTestCase):
- _test_jwt_payload = {
- 'iss': 'sample_service',
- 'aud': key_server.JWT_AUDIENCE,
- 'exp': int(time.time()) + 60,
- 'iat': int(time.time()),
- 'nbf': int(time.time()),
- }
+ def _get_test_jwt_payload(self):
+ return {
+ 'iss': 'sample_service',
+ 'aud': key_server.JWT_AUDIENCE,
+ 'exp': int(time.time()) + 60,
+ 'iat': int(time.time()),
+ 'nbf': int(time.time()),
+ }
 def test_list_service_keys(self):
 unapproved_key = model.service_keys.get_service_key(kid='kid3')
@@ -227,7 +228,7 @@ class KeyServerTestCase(EndpointTestCase):
 # Mint a JWT with our test payload
 private_key = RSA.generate(2048)
 jwk = RSAKey(key=private_key.publickey()).serialize()
- payload = self._test_jwt_payload
+ payload = self._get_test_jwt_payload()
 token = jwt.encode(payload, private_key.exportKey('PEM'), 'RS256')
 # Publish a new key
@@ -266,7 +267,7 @@ class KeyServerTestCase(EndpointTestCase):
 model.service_keys.approve_service_key('kid123', 1, ServiceKeyApprovalType.SUPERUSER)
 # Mint a JWT with our test payload
- token = jwt.encode(self._test_jwt_payload, private_key.exportKey('PEM'), 'RS256',
+ token = jwt.encode(self._get_test_jwt_payload(), private_key.exportKey('PEM'), 'RS256',
 headers={'kid': 'kid123'})
 # Using the credentials of our approved key, delete our unapproved key
@@ -275,7 +276,7 @@ class KeyServerTestCase(EndpointTestCase):
 expected_code=204, service='sample_service', kid='kid321')
 # Attempt to delete a key signed by a key from a different service
- bad_token = jwt.encode(self._test_jwt_payload, private_key.exportKey('PEM'), 'RS256',
+ bad_token = jwt.encode(self._get_test_jwt_payload(), private_key.exportKey('PEM'), 'RS256',
 headers={'kid': 'kid5'})
 self.deleteResponse('key_server.delete_service_key', headers={'Authorization': 'Bearer %s' % bad_token},
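Review bot: `_get_test_jwt_payload` in the `@@ -190,13 +190,14 @@` hunk reads the clock three separate times and has no docstring saying why the payload is built per call instead of being a class attribute. Reading `time.time()` once derives `exp`, `iat` and `nbf` from the same instant, which makes the claims easier to reason about when a validity-window test fails. A one-line docstring such as `"""Return fresh claims so 'exp' is relative to when the token is minted, not to when the class was imported."""` would record the reason and discourage folding the helper back into a constant.

```python
def _get_test_jwt_payload(self):
    now = int(time.time())
    return {
        # … unchanged: 'iss' and 'aud' claims …
        'exp': now + 60,
        'iat': now,
        'nbf': now,
    }
```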
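Review bot: In the `@@ -275,7 +276,7 @@` hunk, `bad_token` names `kid5` in its header but is still signed with `private_key`, which the preceding hunk appears to register as `kid123`. The request may therefore be refused because the signature does not verify against kid5's public key, not because kid5 belongs to `different_sample_service`. If that is the case, the test would keep passing even if the cross-service authorization check in `delete_service_key` regressed. A comment stating the intended failure would help, e.g. `# kid5 is approved for 'different_sample_service'; it must not authorize deletes for 'sample_service'`, and if the fixture can expose kid5's private key, signing with it would leave only the service check to refuse the request. The `deleteResponse` call and its expected status continue past the end of the hunk.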