Sem-Ver: api-break Rework Django and Flask support

Previously, contributors introduced Django and Flask support via
differing implementations into the contrib/ package. The implementations
were similar (sometimes almost copied and pasted from one another) but
also diverged in terms of their functionality and feature sets.

This change's primary goal is to take the contrib/{django,flask} and
refactor them into a shared implementation with framework-specific
backends to abstract away the differences between the two. To
demonstrate this formalization of support for these frameworks, they
have also been moved from contrib into frameworks/{django,flask}.

In addition the following changes were made in this commit:

- Django and Flask decorators no longer require an issuer to be present
in BOTH the global setting and the decorator argument to be valid.
Decorator arguments now override the global setting.
- The proxied middleware seems like a one-off special case and remains
in contrib while a more general ASAP middleware which applies the
decorator logic to all views is included in the supported package.
- The @require_asap decorator has been renamed to @with_asap since you
can technically pass the required=False argument to make ASAP not
enforced.
- The @validate_asap decorator has been renamed to a more descriptive
@restrict_asap to symbolize that it applies additional restrictions onto
an already processed ASAP authenticated request.
- The 'subjects' arg to the @validate_asap decorator has been removed
since it appears to be unused and is inconsistent with the existing
@with_asap decorator.

Sem-Ver: api-break

frameworks: Rework how settings overrides work

Instead of passing in an argument for each overrideable setting all the
way down the functional call chain when using the decorators, this
change duplicates the settings object and then overrides the applicable
properties and passes that settings object in to the validation code.

The following changes are also included in this commit:

- SettingsDict attributes are now immutable
- ASAP_VALID_ISSUERS is now converted into a set

Fixed a typo in comment

Remove an unused import

Refactored some of the common logic into something simpler

pep8 fix up.

Signed-off-by: David Black <dblack@atlassian.com>

_validate_claims does not need to perform the subject and issuer check as that has already been done by the verifier.

Signed-off-by: David Black <dblack@atlassian.com>

s/_validate_claims/_verify_issuers/

Signed-off-by: David Black <dblack@atlassian.com>

delete the server helpers module as it is no longer used.

Signed-off-by: David Black <dblack@atlassian.com>

Slightly less churn in the the flask tests.

Signed-off-by: David Black <dblack@atlassian.com>

style fix up.

Signed-off-by: David Black <dblack@atlassian.com>

Sem-Ver: feature Restore the previous requires_asap decorators to make migration easier.

Signed-off-by: David Black <dblack@atlassian.com>

set required to True by default.

Signed-off-by: David Black <dblack@atlassian.com>

make func the last argument.

Signed-off-by: David Black <dblack@atlassian.com>

default ASAP_SUBJECT_SHOULD_MATCH_ISSUER to None.

Signed-off-by: David Black <dblack@atlassian.com>

also default to required=True in _update_settings_from_kwargs.

Signed-off-by: David Black <dblack@atlassian.com>

restore the restricted_subject_view test.

Signed-off-by: David Black <dblack@atlassian.com>

frameworks: Rework how settings overrides work

Instead of passing in an argument for each overrideable setting all the
way down the functional call chain when using the decorators, this
change duplicates the settings object and then overrides the applicable
properties and passes that settings object in to the validation code.

The following changes are also included in this commit:

- SettingsDict attributes are now immutable
- ASAP_VALID_ISSUERS is now converted into a set

Fixed a typo in comment

Remove an unused import

Refactored some of the common logic into something simpler

Add usage of django.utils.deprecation.MiddlewareMixin to ProxiedAsapMiddleware

Move NoTokenProvidedError to the top exceptions module.

Signed-off-by: David Black <dblack@atlassian.com>
(cherry picked from commit 36bab18)

Move the contrib deprecation warnings to the respective deprecated __init__.py files.

Signed-off-by: David Black <dblack@atlassian.com>

Move NoTokenProvidedError to the top exceptions module.

Signed-off-by: David Black <dblack@atlassian.com>

Author: mark-adams

atlassian_jwt_auth/contrib/django/__init__.py

@@ -0,0 +1,8 @@
+import warnings
+
+
+warnings.warn(
+    "The atlassian_jwt_auth.contrib.django package is deprecated in 4.0.0 "
+    "in favour of atlassian_jwt_auth.frameworks.django.",
+    DeprecationWarning, stacklevel=2
+)

atlassian_jwt_auth/contrib/django/decorators.py

@@ -1,11 +1,8 @@
 from functools import wraps
 
-from django.conf import settings
 from django.http.response import HttpResponse
 
-import atlassian_jwt_auth
-from .utils import parse_jwt, verify_issuers, _build_response
-from ..server.helpers import _requires_asap
+from atlassian_jwt_auth.frameworks.django.decorators import with_asap
 
 
 def validate_asap(issuers=None, subjects=None, required=True):
@@ -46,44 +43,8 @@ def validate_asap_wrapper(request, *args, **kwargs):
     return validate_asap_decorator
 
 
-def requires_asap(issuers=None, subject_should_match_issuer=None):
-    """Decorator for Django endpoints to require ASAP
-
-    :param list issuers: *required The 'iss' claims that this endpoint is from.
-    """
-    def requires_asap_decorator(func):
-        @wraps(func)
-        def requires_asap_wrapper(request, *args, **kwargs):
-            verifier = _get_verifier(subject_should_match_issuer)
-            auth_header = request.META.get('HTTP_AUTHORIZATION', b'')
-            err_response = _requires_asap(
-                verifier=verifier,
-                auth=auth_header,
-                parse_jwt_func=parse_jwt,
-                build_response_func=_build_response,
-                asap_claim_holder=request,
-                verify_issuers_func=verify_issuers,
-                issuers=issuers,
-            )
-            if err_response is None:
-                return func(request, *args, **kwargs)
-            return err_response
-
-        return requires_asap_wrapper
-    return requires_asap_decorator
-
-
-def _get_verifier(subject_should_match_issuer=None):
-    """Return a verifier for ASAP JWT tokens based on settings"""
-    retriever_cls = getattr(settings, 'ASAP_KEY_RETRIEVER_CLASS',
-                            atlassian_jwt_auth.HTTPSPublicKeyRetriever)
-    retriever = retriever_cls(
-        base_url=getattr(settings, 'ASAP_PUBLICKEY_REPOSITORY')
-    )
-    if subject_should_match_issuer is None:
-        subject_should_match_issuer = getattr(
-            settings, 'ASAP_SUBJECT_SHOULD_MATCH_ISSUER', None)
-    v_kwargs = {}
-    if subject_should_match_issuer is not None:
-        v_kwargs['subject_should_match_issuer'] = subject_should_match_issuer
-    return atlassian_jwt_auth.JWTAuthVerifier(retriever, **v_kwargs)
+def requires_asap(issuers=None, subject_should_match_issuer=None, func=None):
+    return with_asap(func=func,
+                     required=True,
+                     issuers=issuers,
+                     subject_should_match_issuer=subject_should_match_issuer)

atlassian_jwt_auth/contrib/django/middleware.py

@@ -1,21 +1,19 @@
 from django.conf import settings
+from django.utils.deprecation import MiddlewareMixin
 
-import atlassian_jwt_auth
-from ..server.helpers import _requires_asap
-from .utils import parse_jwt, verify_issuers, _build_response
-from .decorators import _get_verifier
+from atlassian_jwt_auth.frameworks.django.middleware import (
+    OldStyleASAPMiddleware
+)
 
 
-class ASAPForwardedMiddleware(object):
+class ProxiedAsapMiddleware(OldStyleASAPMiddleware, MiddlewareMixin):
     """Enable client auth for ASAP-enabled services that are forwarding
     non-ASAP client requests.
 
-    This must come before any authentication middleware.
-
-    DEPRECATED: use ASAPMiddleware instead.
-    """
+    This must come before any authentication middleware."""
 
     def __init__(self, get_response=None):
+        super(ProxiedAsapMiddleware, self).__init__()
         self.get_response = get_response
 
         # Rely on this header to tell us if a request has been forwarded
@@ -27,13 +25,14 @@ def __init__(self, get_response=None):
         self.xauth = getattr(settings, 'ASAP_PROXIED_AUTHORIZATION_HEADER',
                              'HTTP_X_ASAP_AUTHORIZATION')
 
-    def __call__(self, request):
-        early_response = self.process_request(request)
-        if early_response:
-            return early_response
-        return self.get_response(request)
-
     def process_request(self, request):
+        error_response = super(ProxiedAsapMiddleware, super).process_request(
+            request
+        )
+
+        if error_response:
+            return error_response
+
         forwarded_for = request.META.pop(self.xfwd, None)
         if forwarded_for is None:
             return
@@ -62,35 +61,3 @@ def process_view(self, request, view_func, view_args, view_kwargs):
             request.META['HTTP_AUTHORIZATION'] = asap_auth
         if orig_auth is not None:
             request.META[self.xauth] = orig_auth
-
-
-class ASAPMiddleware(ASAPForwardedMiddleware):
-    """Enable ASAP for Django applications.
-
-    To use proxied credentials, this must come before any authentication
-    middleware.
-    """
-
-    def __init__(self, get_response=None):
-        super(ASAPMiddleware, self).__init__(get_response=get_response)
-        self.required = getattr(settings, 'ASAP_REQUIRED', True)
-        self.client_auth = getattr(settings, 'ASAP_CLIENT_AUTH', False)
-
-        # Configure verifier based on settings
-        self.verifier = _get_verifier()
-
-    def process_request(self, request):
-        auth_header = request.META.get('HTTP_AUTHORIZATION', b'')
-        asap_err = _requires_asap(
-            verifier=self.verifier,
-            auth=auth_header,
-            parse_jwt_func=parse_jwt,
-            build_response_func=_build_response,
-            asap_claim_holder=request,
-            verify_issuers_func=verify_issuers,
-        )
-
-        if asap_err and self.required:
-            return asap_err
-        elif self.client_auth:
-            super(ASAPMiddleware, self).process_request(request)

atlassian_jwt_auth/contrib/django/utils.py

@@ -1,2 +1,10 @@
+import warnings
 
-from atlassian_jwt_auth.contrib.flask_app.decorators import requires_asap
+from .decorators import requires_asap
+
+
+warnings.warn(
+    "The atlassian_jwt_auth.contrib.flask_app package is deprecated in 4.0.0 "
+    "in favour of atlassian_jwt_auth.frameworks.flask.",
+    DeprecationWarning, stacklevel=2
+)

atlassian_jwt_auth/contrib/flask_app/__init__.py

@@ -1,46 +1,8 @@
-from functools import wraps
+from atlassian_jwt_auth.frameworks.flask.decorators import with_asap
 
-from flask import Response, current_app, g, request
 
-import atlassian_jwt_auth
-from .utils import parse_jwt
-from ..server.helpers import _requires_asap
-
-
-def requires_asap(f):
-    """
-    Wrapper for Flask endpoints to make them require asap authentication to
-    access.
-    """
-
-    @wraps(f)
-    def decorated(*args, **kwargs):
-        verifier = _get_verifier()
-        auth = request.headers.get('AUTHORIZATION', '')
-        err_response = _requires_asap(
-            verifier=verifier,
-            auth=auth,
-            parse_jwt_func=parse_jwt,
-            build_response_func=_build_response,
-            asap_claim_holder=g,
-        )
-        if err_response is None:
-            return f(*args, **kwargs)
-        return err_response
-
-    return decorated
-
-
-def _get_verifier():
-    """Returns a verifier for ASAP JWT tokens basd on application settings"""
-    retriever_cls = current_app.config.get(
-        'ASAP_KEY_RETRIEVER_CLASS', atlassian_jwt_auth.HTTPSPublicKeyRetriever
-    )
-    retriever = retriever_cls(
-        base_url=current_app.config.get('ASAP_PUBLICKEY_REPOSITORY')
-    )
-    return atlassian_jwt_auth.JWTAuthVerifier(retriever)
-
-
-def _build_response(message, status, headers=None):
-    return Response(message, status=status, headers=headers)
+def requires_asap(f, issuers=None, subject_should_match_issuer=None):
+    return with_asap(func=f,
+                     required=True,
+                     issuers=issuers,
+                     subject_should_match_issuer=subject_should_match_issuer)

atlassian_jwt_auth/contrib/flask_app/decorators.py

@@ -51,3 +51,8 @@ class PrivateKeyRetrieverException(_WithStatus, ASAPAuthenticationException):
 
 class KeyIdentifierException(ASAPAuthenticationException):
     """Raise when there are issues validating the key identifier"""
+
+
+class NoTokenProvidedError(ASAPAuthenticationException):
+    """Raise when no token is provided"""
+    pass