Add feature flag to force all direct download URLs to be proxied
Fixes #1667
This commit is contained in:
parent
2b00c644b5
commit
dd2e086a20
12 changed files with 350 additions and 34 deletions
|
@ -18,6 +18,21 @@ class InvalidBearerTokenException(Exception):
|
|||
pass
|
||||
|
||||
|
||||
def decode_bearer_header(bearer_header, instance_keys):
|
||||
""" decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
|
||||
a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error,
|
||||
raises an InvalidBearerTokenException with the reason for failure.
|
||||
"""
|
||||
# Extract the jwt token from the header
|
||||
match = jwtutil.TOKEN_REGEX.match(bearer_header)
|
||||
if match is None:
|
||||
raise InvalidBearerTokenException('Invalid bearer token format')
|
||||
|
||||
encoded_jwt = match.group(1)
|
||||
logger.debug('encoded JWT: %s', encoded_jwt)
|
||||
return decode_bearer_token(encoded_jwt, instance_keys)
|
||||
|
||||
|
||||
def decode_bearer_token(bearer_token, instance_keys):
|
||||
""" decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
|
||||
encoded JWT and returns the decoded and validated JWT. On any error, raises an
|
||||
|
@ -25,19 +40,11 @@ def decode_bearer_token(bearer_token, instance_keys):
|
|||
"""
|
||||
app_config = instance_keys.app.config
|
||||
|
||||
# Extract the jwt token from the header
|
||||
match = jwtutil.TOKEN_REGEX.match(bearer_token)
|
||||
if match is None:
|
||||
raise InvalidBearerTokenException('Invalid bearer token format')
|
||||
|
||||
encoded_jwt = match.group(1)
|
||||
logger.debug('encoded JWT: %s', encoded_jwt)
|
||||
|
||||
# Decode the key ID.
|
||||
headers = jwt.get_unverified_header(encoded_jwt)
|
||||
headers = jwt.get_unverified_header(bearer_token)
|
||||
kid = headers.get('kid', None)
|
||||
if kid is None:
|
||||
logger.error('Missing kid header on encoded JWT: %s', encoded_jwt)
|
||||
logger.error('Missing kid header on encoded JWT: %s', bearer_token)
|
||||
raise InvalidBearerTokenException('Missing kid header')
|
||||
|
||||
# Find the matching public key.
|
||||
|
@ -51,9 +58,8 @@ def decode_bearer_token(bearer_token, instance_keys):
|
|||
expected_issuer = instance_keys.service_name
|
||||
audience = app_config['SERVER_HOSTNAME']
|
||||
max_signed_s = app_config.get('REGISTRY_JWT_AUTH_MAX_FRESH_S', 3660)
|
||||
|
||||
max_exp = jwtutil.exp_max_s_option(max_signed_s)
|
||||
payload = jwtutil.decode(encoded_jwt, public_key, algorithms=[ALGORITHM], audience=audience,
|
||||
payload = jwtutil.decode(bearer_token, public_key, algorithms=[ALGORITHM], audience=audience,
|
||||
issuer=expected_issuer, options=max_exp, leeway=JWT_CLOCK_SKEW_SECONDS)
|
||||
except jwtutil.InvalidTokenError as ite:
|
||||
logger.exception('Invalid token reason: %s', ite)
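Review bot: In the second hunk, `decode_bearer_token` no longer runs `TOKEN_REGEX` before `headers = jwt.get_unverified_header(bearer_token)`, so a malformed or non-JWT string now reaches PyJWT directly; if that call sits outside the `try` whose `except jwtutil.InvalidTokenError` closes the third hunk (the `try` itself is not visible here), the resulting `jwt.DecodeError` propagates to callers as a PyJWT exception instead of the `InvalidBearerTokenException('Invalid bearer token format')` the old code raised at that point. Wrapping the header parse in a `try`/`except jwt.InvalidTokenError` that re-raises `InvalidBearerTokenException('Invalid bearer token format')` keeps the error contract for any caller that still passes an unparsed value straight to this function. Separately, the new `logger.error('Missing kid header on encoded JWT: %s', bearer_token)` writes the whole token into the error log; logging only the unverified header or the token length keeps credential material out of log storage. `decode_bearer_token` starts in the first hunk and its body continues past the last line of the third.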