Sem-Ver: bugfix Catch SubjectDoesNotMatchIssuerException in the frameworks.

dbaxa · dbaxa · commit 693a30fc4a12 · 2020-02-27T11:06:49.000+11:00
Signed-off-by: David Black &lt;dblack@atlassian.com&gt;
diff --git a/atlassian_jwt_auth/frameworks/common/asap.py b/atlassian_jwt_auth/frameworks/common/asap.py
@@ -4,6 +4,7 @@
     PublicKeyRetrieverException,
     NoTokenProvidedError,
     JtiUniquenessException,
+    SubjectDoesNotMatchIssuerException,
 )
 
 
@@ -57,6 +58,10 @@ def _process_asap_token(request, backend, settings, verifier=None):
         error_response = backend.get_401_response(
             'Unauthorized: Invalid token - duplicate jti', request=request
         )
+    except SubjectDoesNotMatchIssuerException:
+        error_response = backend.get_401_response(
+            'Unauthorized: Subject and Issuer do not match', request=request
+        )
 
     if error_response is not None and settings.ASAP_REQUIRED:
         return error_response
diff --git a/atlassian_jwt_auth/frameworks/django/tests/test_django.py b/atlassian_jwt_auth/frameworks/django/tests/test_django.py
@@ -163,6 +163,14 @@ def test_request_subject_does_not_need_to_match_issuer_from_settings(self):
         self.test_settings['ASAP_SUBJECT_SHOULD_MATCH_ISSUER'] = False
         self.check_response('needed', 'one', 200, subject='different_than_is')
 
+    def test_request_subject_and_issue_not_matching(self):
+        self.check_response(
+            'needed',
+            'Subject and Issuer do not match',
+            401,
+            subject='different_than_is',
+        )
+
 
 class TestAsapDecorator(DjangoAsapMixin, RS256KeyTestMixin, SimpleTestCase):
     def test_request_with_valid_token_is_allowed(self):
@@ -294,10 +302,14 @@ def test_request_subject_does_need_to_match_issuer_override_settings(self):
         with override_settings(**dict(
                 self.test_settings, ASAP_SUBJECT_SHOULD_MATCH_ISSUER=False)):
             message = 'Issuer does not match the subject'
-            with self.assertRaisesRegexp(ValueError, message):
-                response = self.client.get(
-                    reverse('subject_does_need_to_match_issuer'),
-                    HTTP_AUTHORIZATION=b'Bearer ' + token)
+            response = self.client.get(
+                reverse('subject_does_need_to_match_issuer'),
+                HTTP_AUTHORIZATION=b'Bearer ' + token)
+            self.assertContains(
+                response,
+                'Unauthorized: Subject and Issuer do not match',
+                status_code=401
+            )
 
     def test_request_subject_does_not_need_to_match_issuer_from_settings(self):
         token = create_token(
diff --git a/atlassian_jwt_auth/frameworks/flask/tests/test_flask.py b/atlassian_jwt_auth/frameworks/flask/tests/test_flask.py
@@ -105,3 +105,20 @@ def test_decorated_request_with_invalid_issuer_is_rejected(self):
         )
         url = '/restricted-to-another-client/'
         self.assertEqual(self.send_request(token, url=url).status_code, 403)
+
+    def test_request_subject_and_issue_not_matching(self):
+        token = create_token(
+            'client-app', 'server-app',
+            'client-app/key01', self._private_key_pem,
+            subject='different'
+        )
+        self.assertEqual(self.send_request(token).status_code, 401)
+
+    def test_request_subject_does_not_need_to_match_issuer_from_settings(self):
+        self.app.config['ASAP_SUBJECT_SHOULD_MATCH_ISSUER'] = False
+        token = create_token(
+            'client-app', 'server-app',
+            'client-app/key01', self._private_key_pem,
+            subject='different'
+        )
+        self.assertEqual(self.send_request(token).status_code, 200)
diff --git a/atlassian_jwt_auth/frameworks/wsgi/tests/test_wsgi.py b/atlassian_jwt_auth/frameworks/wsgi/tests/test_wsgi.py
@@ -87,3 +87,24 @@ def test_request_with_invalid_token_is_rejected(self):
         body, resp_info, environ = self.send_request(token=b'notavalidtoken')
         self.assertEqual(resp_info['status'], '401 Unauthorized')
         self.assertNotIn('ATL_ASAP_CLAIMS', environ)
+
+    def test_request_subject_and_issue_not_matching(self):
+        token = create_token(
+            'client-app', 'server-app',
+            'client-app/key01', self._private_key_pem,
+            subject='different'
+        )
+        body, resp_info, environ = self.send_request(token=token)
+        self.assertEqual(resp_info['status'], '401 Unauthorized')
+        self.assertNotIn('ATL_ASAP_CLAIMS', environ)
+
+    def test_request_subject_does_not_need_to_match_issuer_from_settings(self):
+        self.config['ASAP_SUBJECT_SHOULD_MATCH_ISSUER'] = False
+        token = create_token(
+            'client-app', 'server-app',
+            'client-app/key01', self._private_key_pem,
+            subject='different'
+        )
+        body, resp_info, environ = self.send_request(token=token)
+        self.assertEqual(resp_info['status'], '200 OK')
+        self.assertIn('ATL_ASAP_CLAIMS', environ)
