From ae7416f200bb7595b0172eb345e669c7fbcbc903 Mon Sep 17 00:00:00 2001
From: Robert Raposa
Date: Wed, 12 Apr 2023 16:35:46 -0400
Subject: [PATCH] feat: add issuer monitoring (#325)

Add new custom attributes to verify how the issuer is being verified at this time.
---
 CHANGELOG.rst | 1 +
 edx_rest_framework_extensions/auth/jwt/decoder.py | 13 ++++++++++++-
 .../auth/jwt/tests/test_decoder.py | 6 ++++++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index ec069ad5..9198adc3 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -19,6 +19,7 @@ Added
 ~~~~~
 * Added ``jwt_auth_check_symmetric_key``, ``jwt_auth_asymmetric_verified``, ``jwt_auth_symmetric_verified``, and ``jwt_auth_verification_failed`` custom attributes to aid in deprecation and removal of symmetric keys.
+* Added ``jwt_auth_issuer`` and ``jwt_auth_issuer_verification`` custom attributes.
 Changed
 ~~~~~~~
diff --git a/edx_rest_framework_extensions/auth/jwt/decoder.py b/edx_rest_framework_extensions/auth/jwt/decoder.py
index 6ff72f78..a3ee3186 100644
--- a/edx_rest_framework_extensions/auth/jwt/decoder.py
+++ b/edx_rest_framework_extensions/auth/jwt/decoder.py
@@ -274,8 +274,19 @@ def _decode_and_verify_token(token, jwt_issuer):
     # TODO (ARCH-204): verify issuer manually until it is properly configured.
     token_issuer = decoded_token.get('iss')
+    # .. custom_attribute_name: jwt_auth_issuer
+    # .. custom_attribute_description: Value set to the JWT auth issuer.
+    set_custom_attribute('jwt_auth_issuer', token_issuer)
     issuer_matched = any(issuer['ISSUER'] == token_issuer for issuer in get_jwt_issuers())
-    if not issuer_matched:
+    if token_issuer == jwt_issuer['ISSUER']:
+        # .. custom_attribute_name: jwt_auth_issuer_verification
+        # .. custom_attribute_description: Depending on issuer verification, the value will
+        # be one of: matches-first-issuer, matches-later-issuer, or no-match.
+        set_custom_attribute('jwt_auth_issuer_verification', 'matches-first-issuer')
+    elif issuer_matched:
+        set_custom_attribute('jwt_auth_issuer_verification', 'matches-later-issuer')
+    else:
+        set_custom_attribute('jwt_auth_issuer_verification', 'no-match')
         logger.info('Token decode failed due to mismatched issuer [%s]', token_issuer)
         raise jwt.InvalidTokenError('%s is not a valid issuer.' % token_issuer)
diff --git a/edx_rest_framework_extensions/auth/jwt/tests/test_decoder.py b/edx_rest_framework_extensions/auth/jwt/tests/test_decoder.py
index f654c752..84535d02 100644
--- a/edx_rest_framework_extensions/auth/jwt/tests/test_decoder.py
+++ b/edx_rest_framework_extensions/auth/jwt/tests/test_decoder.py
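Review bot: `set_custom_attribute('jwt_auth_issuer', token_issuer)` records the raw `iss` claim straight from the decoded payload before it has been compared with any configured issuer, so on the `no-match` path an arbitrary, unbounded string chosen by whoever minted the token becomes a monitoring attribute value. This is a telemetry-hygiene concern (attribute cardinality, unexpected characters in dashboards) rather than a verification weakness, since the rejection on the `else` path is unchanged; bounding the value, e.g. `set_custom_attribute('jwt_auth_issuer', token_issuer[:256] if isinstance(token_issuer, str) else token_issuer)`, or recording a fixed marker instead of the raw claim on the `no-match` branch, would limit what a rejected token can push into monitoring. Separately, the label `matches-first-issuer` assumes the `jwt_issuer` argument is the first configured issuer, which the hunk does not establish — if the caller iterates over `get_jwt_issuers()`, the label effectively means "matches the issuer this call is verifying against", and a comment such as `# 'first' is relative to the caller's iteration order: jwt_issuer is the issuer currently being tried` would make that explicit. `_decode_and_verify_token` begins before this hunk, so whether the signature has already been verified when `iss` is read is not visible here.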
@@ -217,15 +217,21 @@ def test_keyset_size_and_other_monitoring(self, mock_set_custom_attribute):
             mock.call('jwt_auth_check_symmetric_key', True),
             mock.call('jwt_auth_verify_asymmetric_keys_count', 1),
             mock.call('jwt_auth_asymmetric_verified', True),
+            mock.call('jwt_auth_issuer', 'test-issuer-1'),
+            mock.call('jwt_auth_issuer_verification', 'matches-first-issuer'),
             mock.call('jwt_auth_check_symmetric_key', False),
             mock.call('jwt_auth_verify_asymmetric_keys_count', 1),
             mock.call('jwt_auth_asymmetric_verified', True),
+            mock.call('jwt_auth_issuer', 'test-issuer-1'),
+            mock.call('jwt_auth_issuer_verification', 'matches-first-issuer'),
             mock.call('jwt_auth_check_symmetric_key', True),
             mock.call('jwt_auth_verify_asymmetric_keys_count', 1),
             mock.call('jwt_auth_verify_all_keys_count', 2),
             mock.call('jwt_auth_symmetric_verified', True),
+            mock.call('jwt_auth_issuer', 'test-issuer-1'),
+            mock.call('jwt_auth_issuer_verification', 'matches-first-issuer'),
         ]