Pull out JWT auth validation into validator class

Also fixes a small bug in validation (yay tests!)

util/config/validator.py

@@ -14,7 +14,6 @@ from bitbucket import BitBucket
 from boot import setup_jwt_proxy
 from data.database import validate_database_url
 from data.users import LDAP_CERT_FILENAME
-from data.users.externaljwt import ExternalJWTAuthN
 from oauth.services.github import GithubOAuthService
 from oauth.services.google import GoogleOAuthService
 from oauth.services.gitlab import GitLabOAuthService
@@ -29,6 +28,7 @@ from util.config.validators.validate_storage import StorageValidator
 from util.config.validators.validate_email import EmailValidator
 from util.config.validators.validate_ldap import LDAPValidator
 from util.config.validators.validate_keystone import KeystoneValidator
+from util.config.validators.validate_jwt import JWTAuthValidator
 
 logger = logging.getLogger(__name__)
 
@@ -236,61 +236,6 @@ def _validate_ssl(config, user_obj, _):
     raise ConfigValidationException('SSL private key failed to validate: %s' % kie.message)
 
 
-def _validate_jwt(config, user_obj, password):
-  """ Validates the JWT authentication system. """
-  if config.get('AUTHENTICATION_TYPE', 'Database') != 'JWT':
-    return
-
-  verify_endpoint = config.get('JWT_VERIFY_ENDPOINT')
-  query_endpoint = config.get('JWT_QUERY_ENDPOINT', None)
-  getuser_endpoint = config.get('JWT_GETUSER_ENDPOINT', None)
-
-  issuer = config.get('JWT_AUTH_ISSUER')
-
-  if not verify_endpoint:
-    raise ConfigValidationException('Missing JWT Verification endpoint')
-
-  if not issuer:
-    raise ConfigValidationException('Missing JWT Issuer ID')
-
-  # Try to instatiate the JWT authentication mechanism. This will raise an exception if
-  # the key cannot be found.
-  users = ExternalJWTAuthN(verify_endpoint, query_endpoint, getuser_endpoint, issuer,
-                           OVERRIDE_CONFIG_DIRECTORY,
-                           app.config['HTTPCLIENT'],
-                           app.config.get('JWT_AUTH_MAX_FRESH_S', 300),
-                           requires_email=config.get('FEATURE_MAILING', True))
-
-  # Verify that the superuser exists. If not, raise an exception.
-  username = user_obj.username
-  (result, err_msg) = users.verify_credentials(username, password)
-  if not result:
-    msg = ('Verification of superuser %s failed: %s. \n\nThe user either does not ' +
-           'exist in the remote authentication system ' +
-           'OR JWT auth is misconfigured') % (username, err_msg)
-    raise ConfigValidationException(msg)
-
-  # If the query endpoint exists, ensure we can query to find the current user and that we can
-  # look up users directly.
-  if query_endpoint:
-    (results, err_msg) = users.query_users(username)
-    if not results:
-      err_msg = err_msg or ('Could not find users matching query: %s' % username)
-      raise ConfigValidationException('Query endpoint is misconfigured or not returning ' +
-                                      'proper users: %s' % err_msg)
-
-    # Make sure the get user endpoint is also configured.
-    if not getuser_endpoint:
-      raise ConfigValidationException('The lookup user endpoint must be configured if the ' +
-                                      'query endpoint is set')
-
-    (result, err_msg) = users.get_user(username)
-    if not result:
-      err_msg = err_msg or ('Could not find user %s' % username)
-      raise ConfigValidationException('Lookup endpoint is misconfigured or not returning ' +
-                                      'properly: %s' % err_msg)
-
-
 def _validate_signer(config, user_obj, _):
   """ Validates the GPG public+private key pair used for signing converted ACIs. """
   if config.get('SIGNING_ENGINE') is None:
@@ -380,7 +325,7 @@ VALIDATORS = {
   'google-login': _validate_google_login,
   'ssl': _validate_ssl,
   LDAPValidator.name: LDAPValidator.validate,
-  'jwt': _validate_jwt,
+  JWTAuthValidator.name: JWTAuthValidator.validate,
   KeystoneValidator.name: KeystoneValidator.validate,
   'signer': _validate_signer,
   'security-scanner': _validate_security_scanner,