Sem-Ver: feature Add WSGI middleware

Fix a broken test

Enhance tests for WSGI middleware

Fix extra line at the end of a file

Modify WSGI backend to check if request is None instead of falsey

Fix some failing tests

Fix another test

Don't initialize verifier in _process_asap_token if there is no token

Pass through the merged settings to backend.get_verifier.

Signed-off-by: David Black <dblack@atlassian.com>

When creating an instance of JWTAuthVerifier we should not provide a subject_should_match_issuer keyword argument if the settings value is None.

Signed-off-by: David Black <dblack@atlassian.com>

Add a test for when the django decorator is used to override the settings defined subject_does_need_to_match_issuer value.

Signed-off-by: David Black <dblack@atlassian.com>

Remove the unused SubjectIssuerMismatchError exception.

Signed-off-by: David Black <dblack@atlassian.com>

Restore the docstring for requires_asap.

Signed-off-by: David Black <dblack@atlassian.com>

Do not catch the InvalidTokenError as an exception variable.

Signed-off-by: David Black <dblack@atlassian.com>

Author: mark-adams

atlassian_jwt_auth/contrib/django/decorators.py

@@ -44,6 +44,10 @@ def validate_asap_wrapper(request, *args, **kwargs):
 
 
 def requires_asap(issuers=None, subject_should_match_issuer=None, func=None):
+    """Decorator for Django endpoints to require ASAP
+
+    :param list issuers: *required The 'iss' claims that this endpoint is from.
+    """
     return with_asap(func=func,
                      required=True,
                      issuers=issuers,

atlassian_jwt_auth/contrib/flask_app/decorators.py

@@ -2,6 +2,11 @@
 
 
 def requires_asap(f, issuers=None, subject_should_match_issuer=None):
+    """
+    Wrapper for Flask endpoints to make them require asap authentication to
+    access.
+    """
+
     return with_asap(func=f,
                      required=True,
                      issuers=issuers,

atlassian_jwt_auth/frameworks/common/asap.py

@@ -9,14 +9,13 @@
 def _process_asap_token(request, backend, settings):
     """ Verifies an ASAP token, validates the claims, and returns an error
     response"""
-    verifier = backend.get_verifier()
     token = backend.get_asap_token(request)
     error_response = None
 
     try:
         if token is None:
             raise NoTokenProvidedError
-
+        verifier = backend.get_verifier(settings=settings)
         asap_claims = verifier.verify_jwt(
             token,
             settings.ASAP_VALID_AUDIENCE,
@@ -26,7 +25,9 @@ def _process_asap_token(request, backend, settings):
         _verify_issuers(asap_claims, settings.ASAP_VALID_ISSUERS)
         backend.set_asap_claims_for_request(request, asap_claims)
     except NoTokenProvidedError:
-        error_response = backend.get_401_response('Unauthorized')
+        error_response = backend.get_401_response(
+            'Unauthorized', request=request
+        )
     except PublicKeyRetrieverException as e:
         if e.status_code not in (403, 404):
             # Any error other than "not found" is a problem and should
@@ -38,18 +39,18 @@ def _process_asap_token(request, backend, settings):
             raise
 
         error_response = backend.get_401_response(
-            'Unauthorized: Key not found'
+            'Unauthorized: Key not found', request=request
         )
     except InvalidIssuerError:
         error_response = backend.get_403_response(
-            'Forbidden: Invalid token issuer'
+            'Forbidden: Invalid token issuer', request=request
         )
     except InvalidTokenError:
         error_response = backend.get_401_response(
-            'Unauthorized: Invalid token'
+            'Unauthorized: Invalid token', request=request
         )
 
-    if error_response and settings.ASAP_REQUIRED:
+    if error_response is not None and settings.ASAP_REQUIRED:
         return error_response
 
 

atlassian_jwt_auth/frameworks/common/backend.py

@@ -46,11 +46,11 @@ def get_authorization_header(self, request=None):
         pass
 
     @abstractmethod
-    def get_401_response(self, data=None, headers=None):
+    def get_401_response(self, data=None, headers=None, request=None):
         pass
 
     @abstractmethod
-    def get_403_response(self, data=None, headers=None):
+    def get_403_response(self, data=None, headers=None, request=None):
         pass
 
     @abstractmethod
@@ -81,17 +81,21 @@ def get_asap_token(self, request):
 
         return auth_values[1]
 
-    def get_verifier(self):
+    def get_verifier(self, settings=None):
         """Returns a verifier for ASAP JWT tokens"""
-        settings = self.settings
+        if settings is None:
+            settings = self.settings
 
         retriever = settings.ASAP_KEY_RETRIEVER_CLASS(
             base_url=settings.ASAP_PUBLICKEY_REPOSITORY
         )
+        kwargs = {}
+        if settings.ASAP_SUBJECT_SHOULD_MATCH_ISSUER is not None:
+            kwargs = {'subject_should_match_issuer':
+                      settings.ASAP_SUBJECT_SHOULD_MATCH_ISSUER}
         return JWTAuthVerifier(
             retriever,
-            # This is handled in utils.validate_claims
-            subject_should_match_issuer=False,
+            **kwargs
         )
 
     def _process_settings(self, settings):

atlassian_jwt_auth/frameworks/common/decorators.py

@@ -29,7 +29,7 @@ def with_asap_wrapper(*args, **kwargs):
                 request, backend, settings
             )
 
-            if error_response:
+            if error_response is not None:
                 return error_response
 
             return func(*args, **kwargs)
@@ -61,18 +61,18 @@ def restrict_asap_wrapper(request, *args, **kwargs):
 
             if required and not asap_claims:
                 return backend.get_401_response(
-                    'Unauthorized'
+                    'Unauthorized', request=request
                 )
 
             try:
                 _verify_issuers(asap_claims, settings.ASAP_VALID_ISSUERS)
             except InvalidIssuerError:
                 error_response = backend.get_403_response(
-                    'Forbidden: Invalid token issuer'
+                    'Forbidden: Invalid token issuer', request=request
                 )
             except InvalidTokenError:
                 error_response = backend.get_401_response(
-                    'Unauthorized: Invalid token'
+                    'Unauthorized: Invalid token', request=request
                 )
 
             if error_response and required:

atlassian_jwt_auth/frameworks/common/tests/test_decorators.py

@@ -11,7 +11,7 @@ def get_authorization_header(self, request=None):
 
         return request.META.get('HTTP_AUTHORIZATION', b'')
 
-    def get_401_response(self, data=None, headers=None):
+    def get_401_response(self, data=None, headers=None, request=None):
         if headers is None:
             headers = {}
 
@@ -23,7 +23,7 @@ def get_401_response(self, data=None, headers=None):
 
         return response
 
-    def get_403_response(self, data=None, headers=None):
+    def get_403_response(self, data=None, headers=None, request=None):
         if headers is None:
             headers = {}
 

atlassian_jwt_auth/frameworks/django/backend.py

@@ -9,7 +9,7 @@ def asap_middleware(get_response):
 
     def middleware(request):
         error_response = _process_asap_token(request, backend, settings)
-        if error_response:
+        if error_response is not None:
             return error_response
 
         return get_response(request)
@@ -29,5 +29,5 @@ def process_request(self, request):
         error_response = _process_asap_token(
             request, self.backend, self.settings
         )
-        if error_response:
+        if error_response is not None:
             return error_response

atlassian_jwt_auth/frameworks/django/middleware.py

@@ -272,6 +272,23 @@ def test_request_subject_does_not_need_to_match_issuer(self):
 
         self.assertContains(response, 'Subject does not need to match issuer.')
 
+    def test_request_subject_does_need_to_match_issuer_override_settings(self):
+        """ tests that the with_asap decorator can override the
+            ASAP_SUBJECT_SHOULD_MATCH_ISSUER setting.
+        """
+        token = create_token(
+            issuer='client-app', audience='server-app',
+            key_id='client-app/key01', private_key=self._private_key_pem,
+            subject='not-client-app',
+        )
+        with override_settings(**dict(
+                self.test_settings, ASAP_SUBJECT_SHOULD_MATCH_ISSUER=False)):
+            message = 'Issuer does not match the subject'
+            with self.assertRaisesRegexp(ValueError, message):
+                response = self.client.get(
+                    reverse('subject_does_need_to_match_issuer'),
+                    HTTP_AUTHORIZATION=b'Bearer ' + token)
+
     def test_request_subject_does_not_need_to_match_issuer_from_settings(self):
         token = create_token(
             issuer='client-app', audience='server-app',

atlassian_jwt_auth/frameworks/django/tests/test_django.py

@@ -12,6 +12,9 @@
     url(r'^asap/subject_does_not_need_to_match_issuer$',
         views.subject_does_not_need_to_match_issuer_view,
         name='subject_does_not_need_to_match_issuer'),
+    url(r'^asap/subject_does_need_to_match_issuer_view$',
+        views.subject_does_need_to_match_issuer_view,
+        name='subject_does_need_to_match_issuer'),
 
     url(r'^asap/subject_does_not_need_to_match_issuer_from_settings$',
         views.subject_does_not_need_to_match_issuer_from_settings_view,