From 69c4d81773afaca572d7a84ba8c6782dce06b042 Mon Sep 17 00:00:00 2001 From: Martin Kopec Date: Fri, 8 Jan 2021 19:19:03 +0000 Subject: [PATCH] Comply with the newest release of PyJWT A new version of PyJWT==2.0.0 got released a few days back which changes a few significant things such as return types and option names, see: https://github.com/jpadilla/pyjwt/blob/03610f01030e25bd5e901fe625c0ede4c55dccc7/CHANGELOG.md#v200 This commit edits the code of refstack in order to comply with the newest changes of PyJWT. Change-Id: I153384cd39ebadb8ee9eb3d99cd21aa02b8c0673 --- refstack/api/utils.py | 7 ++++--- refstack/tests/unit/test_api_utils.py | 7 +++---- requirements.txt | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/refstack/api/utils.py b/refstack/api/utils.py index ddb385c0..44699e19 100644 --- a/refstack/api/utils.py +++ b/refstack/api/utils.py @@ -385,7 +385,8 @@ def decode_token(request): raise api_exc.ValidationError( "Authorization schema 'Bearer' should be used") try: - token_data = jwt.decode(token, algorithms='RS256', verify=False) + token_data = jwt.decode(token, algorithms=['RS256'], + options={"verify_signature": False}) except jwt.InvalidTokenError: raise api_exc.ValidationError("Token is not valid") @@ -408,10 +409,10 @@ def decode_token(request): else: try: token_data = jwt.decode( - token, key=pem_pubkey, + token, algorithms=['RS256'], key=pem_pubkey, options={'verify_signature': True, 'verify_exp': True, - 'require_exp': True}, + 'require': ['exp']}, leeway=const.JWT_VALIDATION_LEEWAY) # NOTE(sslipushenko) If at least one key is valid, let # the validation pass diff --git a/refstack/tests/unit/test_api_utils.py b/refstack/tests/unit/test_api_utils.py index 6a7a0ef3..25c54f61 100644 --- a/refstack/tests/unit/test_api_utils.py +++ b/refstack/tests/unit/test_api_utils.py 
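Review bot: The first `jwt.decode` call in `decode_token` runs with `verify_signature` set to False and carries no comment saying its result is unauthenticated, so every claim in this `token_data` is attacker-controlled until the verified decode further down succeeds. As far as I can tell PyJWT only consults `algorithms` while checking a signature, so `algorithms=['RS256']` here reads like a restriction without enforcing one. I would add above the call `# Unverified decode: claims are untrusted and presumably only select the user's public keys; the verified decode below is authoritative`. The rest of `decode_token` lies outside the hunk, so how these claims are used between the two decodes should be confirmed against the full function.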
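Review bot: The rename from `'require_exp': True` to `'require': ['exp']` in the verified decode would fail open if the option key were ever wrong, and the test hunks in this patch only drop the `six` conversions without adding a case that pins it. PyJWT may not reject option names it does not recognise (worth confirming), so a unit test should assert that `decode_token` rejects a correctly signed token that has no `exp` claim. A short comment above the options would also help, e.g. `# RS256 only; tokens without an exp claim are rejected`. The `try` block and its `except` clause continue outside the hunk, so how a missing-claim error is reported is not visible here.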
@@ -22,7 +22,6 @@ from oslo_utils import timeutils from oslotest import base from pecan import rest import jwt -import six from six.moves.urllib import parse from webob import exc @@ -547,14 +546,14 @@ class APIUtilsTestCase(base.BaseTestCase): fake_token = jwt.encode({'foo': 'bar'}, key=PRIV_KEY, algorithm='RS256') - auth_str = 'Bearer %s' % six.text_type(fake_token, 'utf-8') + auth_str = 'Bearer %s' % fake_token mock_request.headers = {const.JWT_TOKEN_HEADER: auth_str} self.assertRaises(api_exc.ValidationError, api_utils.decode_token, mock_request) fake_token = jwt.encode({const.USER_OPENID: 'oid'}, key=PRIV_KEY, algorithm='RS256') - auth_str = 'Bearer %s' % six.text_type(fake_token, 'utf-8') + auth_str = 'Bearer %s' % fake_token mock_request.headers = {const.JWT_TOKEN_HEADER: auth_str} mock_pubkey.return_value = [{'format': 'ssh-rsa', 'pubkey': 'fakepubkey'}] @@ -570,7 +569,7 @@ class APIUtilsTestCase(base.BaseTestCase): 'exp': int(time.time()) + 3600}, key=PRIV_KEY, algorithm='RS256') - auth_str = 'Bearer %s' % six.text_type(fake_token, 'utf-8') + auth_str = 'Bearer %s' % fake_token mock_request.headers = {const.JWT_TOKEN_HEADER: auth_str} mock_pubkey.return_value = [{'format': 'ssh-rsa', 'pubkey': PUB_KEY}] diff --git a/requirements.txt b/requirements.txt index c9de66e4..757564b6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ SQLAlchemy>=0.8.3 alembic beaker beautifulsoup4 -cryptography>=1.0,!=1.3.0 # BSD/Apache-2.0 +cryptography>=3.0 # BSD/Apache-2.0 docutils>=0.11 oslo.config>=1.6.0 # Apache-2.0 oslo.db>=1.4.1 # Apache-2.0 @@ -13,6 +13,6 @@ pecan>=0.8.2 requests>=2.2.0,!=2.4.0 requests-cache>=0.4.9 jsonschema>=3.2.0 -PyJWT>=1.0.1 # MIT +PyJWT>=2.0.0 # MIT WebOb>=1.7.1 # MIT PyMySQL>=0.6.2,!=0.6.4