author | Zuul <zuul@review.opendev.org> | 2022-07-14 18:29:09 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2022-07-14 18:29:09 +0000 |
commit | 8434446c98ff4ee5b7aa5ae4f3c7b14ebab9adea (patch) | |
tree | 693875c51ad1d182aea773483889f1d5c2a90c6e | |
parent | cce45ec1dd4b526c75e3d0d5e65b647a1deafcbb (diff) | |
parent | 03878ee643c575c6df9ebc5fb49da6f7a204a81e (diff) | |
Merge "Handle jwt decoding error, fix exception default messages"
-rw-r--r-- | tests/unit/test_web.py | 27 | ||||
-rw-r--r-- | zuul/exceptions.py | 4 | ||||
-rw-r--r-- | zuul/lib/auth.py | 14 |
3 files changed, 38 insertions, 7 deletions
diff --git a/tests/unit/test_web.py b/tests/unit/test_web.py
index ba0c10488..53546c1de 100644
--- a/tests/unit/test_web.py
+++ b/tests/unit/test_web.py
@@ -1855,6 +1855,33 @@ class TestTenantScopedWebApi(BaseTestWeb):
 'pipeline': 'check'})
 self.assertEqual(401, resp.status_code)
+ def test_bad_format_JWT_token(self):
+ token = 'thisisnotwhatatokenshouldbelike'
+ resp = self.post_url(
+ "api/tenant/tenant-one/project/org/project/autohold",
+ headers={'Authorization': 'Bearer %s' % token},
+ json={'job': 'project-test1',
+ 'count': 1,
+ 'reason': 'because',
+ 'node_hold_expiration': 36000})
+ self.assertEqual(401, resp.status_code)
+ resp = self.post_url(
+ "api/tenant/tenant-one/project/org/project/enqueue",
+ headers={'Authorization': 'Bearer %s' % token},
+ json={'trigger': 'gerrit',
+ 'change': '2,1',
+ 'pipeline': 'check'})
+ self.assertEqual(401, resp.status_code)
+ resp = self.post_url(
+ "api/tenant/tenant-one/project/org/project/enqueue",
+ headers={'Authorization': 'Bearer %s' % token},
+ json={'trigger': 'gerrit',
+ 'ref': 'abcd',
+ 'newrev': 'aaaa',
+ 'oldrev': 'bbbb',
+ 'pipeline': 'check'})
+ self.assertEqual(401, resp.status_code)
+
 def test_expired_JWT_token(self):
 authz = {'iss': 'zuul_operator',
 'sub': 'testuser',
diff --git a/zuul/exceptions.py b/zuul/exceptions.py
index ec1e5cdaf..a332ba1af 100644
--- a/zuul/exceptions.py
+++ b/zuul/exceptions.py
@@ -82,11 +82,11 @@ class AuthTokenUnauthorizedException(AuthTokenException):
 class AuthTokenUndecodedException(AuthTokenUnauthorizedException):
- default_msg = 'Auth Token could not be decoded'
+ defaultMsg = 'Auth Token could not be decoded'
 class AuthTokenInvalidSignatureException(AuthTokenUnauthorizedException):
- default_msg = 'Invalid signature'
+ defaultMsg = 'Invalid signature'
 class BearerTokenRequiredError(AuthTokenUnauthorizedException):
diff --git a/zuul/lib/auth.py b/zuul/lib/auth.py
index a5866e908..db37d56fa 100644
--- a/zuul/lib/auth.py
+++ b/zuul/lib/auth.py
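Review bot: test_bad_format_JWT_token asserts only the 401 status on each of its three posts, so the zuul/exceptions.py hunk of this same commit (default_msg renamed to defaultMsg, presumably so the subclass messages are actually picked up by the base class) stays unpinned — a future typo in that attribute name would pass this test unchanged. If the web layer surfaces the exception text in the body (resp looks like a requests Response given resp.status_code), add a check such as `self.assertIn('Auth Token could not be decoded', resp.text)` after at least the first post; if the message is only carried in the WWW-Authenticate header, assert on that header instead. The three near-identical requests could also be driven from a small list of (path, payload) pairs in a loop under `self.subTest`, which keeps the test short and reports each endpoint separately on failure. The enclosing class TestTenantScopedWebApi starts outside the hunk.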
@@ -74,10 +74,14 @@ class AuthenticatorRegistry(object):
 cpb.capabilities_registry.register_capabilities('auth', capabilities)
 def authenticate(self, rawToken):
- unverified = jwt.decode(rawToken, options={'verify_signature': False})
- for auth_name in self.authenticators:
- authenticator = self.authenticators[auth_name]
- if authenticator.issuer_id == unverified.get('iss', ''):
- return authenticator.authenticate(rawToken)
+ try:
+ unverified = jwt.decode(rawToken,
+ options={'verify_signature': False})
+ for auth_name in self.authenticators:
+ authenticator = self.authenticators[auth_name]
+ if authenticator.issuer_id == unverified.get('iss', ''):
+ return authenticator.authenticate(rawToken)
+ except jwt.exceptions.DecodeError:
+ raise exceptions.AuthTokenUndecodedException(self.default_realm)
 # No known issuer found, use default realm
 raise exceptions.IssuerUnknownError(self.default_realm) |
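Review bot: The new try block in authenticate wraps not only the unverified jwt.decode but the whole issuer loop, including the call to `authenticator.authenticate(rawToken)`; any jwt.exceptions.DecodeError (and, in PyJWT, its subclass InvalidSignatureError) escaping an authenticator is therefore reported as AuthTokenUndecodedException with the registry's default_realm instead of whatever that authenticator would have raised for its own realm — assuming the authenticators can let PyJWT errors propagate, which is outside this hunk. Keeping the try body to the one call that this commit means to guard leaves the loop's error handling as it was, as in the rewrite below. If the intent is to turn every malformed-token failure of the unverified decode into a 401, catching the PyJWT base class jwt.exceptions.InvalidTokenError rather than DecodeError may be the better fit; confirm against the PyJWT version the project pins. The enclosing class AuthenticatorRegistry starts outside the hunk.
```python
    def authenticate(self, rawToken):
        try:
            unverified = jwt.decode(rawToken,
                                    options={'verify_signature': False})
        except jwt.exceptions.DecodeError:
            raise exceptions.AuthTokenUndecodedException(self.default_realm)
        for auth_name in self.authenticators:
            authenticator = self.authenticators[auth_name]
            if authenticator.issuer_id == unverified.get('iss', ''):
                return authenticator.authenticate(rawToken)
        # … unchanged: default-realm IssuerUnknownError …
```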