Merge "Unpin JWT and use integer IAT values"

This commit is contained in:
Zuul 2022-11-29 23:45:18 +00:00 committed by Gerrit Code Review
commit 5443a0f51b
6 changed files with 49 additions and 49 deletions


@ -129,8 +129,8 @@ For example, in Python, and for an authenticator using the ``HS256`` algorithm:
>>> jwt.encode({'sub': 'user1', >>> jwt.encode({'sub': 'user1',
'iss': <issuer_id>, 'iss': <issuer_id>,
'aud': <client_id>, 'aud': <client_id>,
'iat': time.time(), 'iat': int(time.time()),
'exp': time.time() + 300, 'exp': int(time.time()) + 300,
'zuul': { 'zuul': {
'admin': ['tenant-one'] 'admin': ['tenant-one']
} }


@ -23,7 +23,7 @@ alembic
cryptography>=1.6 cryptography>=1.6
cachecontrol<0.12.7 cachecontrol<0.12.7
cachetools cachetools
pyjwt>=2.0.0,<2.6.0 pyjwt>=2.0.0
iso8601 iso8601
psutil psutil
fb-re2>=1.0.6 fb-re2>=1.0.6
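Review bot: The new `pyjwt>=2.0.0` line has no upper bound at all, so the next major release of a library that sits directly on the token-verification path can change defaults underneath the authenticators with no install-time signal; the lower bound of 2.0.0 presumably exists because an earlier major bump already did exactly that. Since the commit only needed to admit 2.6.x, a major-version guard such as `pyjwt>=2.0.0,<3` keeps the fix while leaving the next breaking release to be adopted deliberately. Note also that this range still admits releases that accept float claims, so nothing in the requirement enforces the integer-claim convention the rest of the commit introduces; a short comment on this line saying why the ceiling was lifted would help the next person who touches it.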


@ -92,7 +92,7 @@ class TestOpenIDConnectAuthenticator(BaseTestCase):
payload = { payload = {
'iss': FAKE_WELL_KNOWN_CONFIG['issuer'], 'iss': FAKE_WELL_KNOWN_CONFIG['issuer'],
'aud': config['client_id'], 'aud': config['client_id'],
'exp': time.time() + 3600, 'exp': int(time.time()) + 3600,
'sub': 'someone' 'sub': 'someone'
} }
token = jwt.encode( token = jwt.encode(


@ -2063,7 +2063,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='OnlyZuulNoDana', token = jwt.encode(authz, key='OnlyZuulNoDana',
algorithm='HS256') algorithm='HS256')
resp = self.post_url( resp = self.post_url(
@ -2125,7 +2125,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() - 3600} 'exp': int(time.time()) - 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
resp = self.post_url( resp = self.post_url(
@ -2160,7 +2160,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-six', 'tenant-ten', ] 'admin': ['tenant-six', 'tenant-ten', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
resp = self.post_url( resp = self.post_url(
@ -2194,7 +2194,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'aud': 'zuul.example.com', 'aud': 'zuul.example.com',
'sub': 'testuser', 'sub': 'testuser',
'zuul': {'admin': ['tenant-one', ]}, 'zuul': {'admin': ['tenant-one', ]},
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
args = {"reason": "some reason", args = {"reason": "some reason",
"count": 1, "count": 1,
'job': 'project-test2', 'job': 'project-test2',
@ -2234,7 +2234,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.post_url( req = self.post_url(
@ -2286,7 +2286,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
request_id, _ = self._init_autohold_delete(authz) request_id, _ = self._init_autohold_delete(authz)
# now try the autohold-delete API # now try the autohold-delete API
bad_authz = {'iss': 'zuul_operator', bad_authz = {'iss': 'zuul_operator',
@ -2295,7 +2295,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-two', ] 'admin': ['tenant-two', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
bad_token = jwt.encode(bad_authz, key='NoDanaOnlyZuul', bad_token = jwt.encode(bad_authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
resp = self.delete_url( resp = self.delete_url(
@ -2313,7 +2313,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
bad_token = jwt.encode(authz, key='NoDanaOnlyZuul', bad_token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
resp = self.delete_url( resp = self.delete_url(
@ -2328,7 +2328,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
request_id, token = self._init_autohold_delete(authz) request_id, token = self._init_autohold_delete(authz)
resp = self.delete_url( resp = self.delete_url(
"api/tenant/tenant-one/autohold/%s" % request_id, "api/tenant/tenant-one/autohold/%s" % request_id,
@ -2352,7 +2352,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
path = "api/tenant/%(tenant)s/project/%(project)s/enqueue" path = "api/tenant/%(tenant)s/project/%(project)s/enqueue"
@ -2404,7 +2404,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.post_url(path % enqueue_args, req = self.post_url(path % enqueue_args,
@ -2448,7 +2448,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
path = "api/tenant/%(tenant)s/project/%(project)s/dequeue" path = "api/tenant/%(tenant)s/project/%(project)s/dequeue"
@ -2565,8 +2565,8 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 3600, 'exp': int(time.time()) + 3600,
'iat': time.time()} 'iat': int(time.time())}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.post_url( req = self.post_url(
@ -2654,8 +2654,8 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 3600, 'exp': int(time.time()) + 3600,
'iat': time.time()} 'iat': int(time.time())}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.post_url( req = self.post_url(
@ -2746,8 +2746,8 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 3600, 'exp': int(time.time()) + 3600,
'iat': time.time()} 'iat': int(time.time())}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.post_url( req = self.post_url(
@ -2795,7 +2795,7 @@ class TestTenantScopedWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one'], 'admin': ['tenant-one'],
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.get_url( req = self.get_url(
@ -2838,7 +2838,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.post_url( req = self.post_url(
@ -2877,21 +2877,21 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):
authz = {'iss': 'zuul_operator', authz = {'iss': 'zuul_operator',
'aud': 'zuul.example.com', 'aud': 'zuul.example.com',
'sub': 'venkman', 'sub': 'venkman',
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
_test_project_enqueue_with_authz(i, p, authz, 200) _test_project_enqueue_with_authz(i, p, authz, 200)
i += 1 i += 1
# Unauthorized sub # Unauthorized sub
authz = {'iss': 'zuul_operator', authz = {'iss': 'zuul_operator',
'aud': 'zuul.example.com', 'aud': 'zuul.example.com',
'sub': 'vigo', 'sub': 'vigo',
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
_test_project_enqueue_with_authz(i, p, authz, 403) _test_project_enqueue_with_authz(i, p, authz, 403)
i += 1 i += 1
# unauthorized issuer # unauthorized issuer
authz = {'iss': 'columbia.edu', authz = {'iss': 'columbia.edu',
'aud': 'zuul.example.com', 'aud': 'zuul.example.com',
'sub': 'stantz', 'sub': 'stantz',
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
_test_project_enqueue_with_authz(i, p, authz, 401) _test_project_enqueue_with_authz(i, p, authz, 401)
self.waitUntilSettled() self.waitUntilSettled()
@ -2905,7 +2905,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):
'aud': 'zuul.example.com', 'aud': 'zuul.example.com',
'sub': 'melnitz', 'sub': 'melnitz',
'groups': ['ghostbusters', 'secretary'], 'groups': ['ghostbusters', 'secretary'],
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
path = "api/tenant/%(tenant)s/project/%(project)s/enqueue" path = "api/tenant/%(tenant)s/project/%(project)s/enqueue"
@ -2931,7 +2931,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):
'sub': 'zeddemore', 'sub': 'zeddemore',
'vehicle': { 'vehicle': {
'car': 'ecto-1'}, 'car': 'ecto-1'},
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
path = "api/tenant/%(tenant)s/project/%(project)s/enqueue" path = "api/tenant/%(tenant)s/project/%(project)s/enqueue"
@ -2953,7 +2953,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):
'aud': 'zuul.example.com', 'aud': 'zuul.example.com',
'sub': 'testuser', 'sub': 'testuser',
'zuul': {'admin': admin_tenants}, 'zuul': {'admin': admin_tenants},
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.get_url('/api/tenant/tenant-one/authorizations', req = self.get_url('/api/tenant/tenant-one/authorizations',
@ -2991,7 +2991,7 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):
for test_user in users: for test_user in users:
authz = test_user['authz'] authz = test_user['authz']
authz['exp'] = time.time() + 3600 authz['exp'] = int(time.time()) + 3600
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.get_url('/api/tenant/tenant-one/authorizations', req = self.get_url('/api/tenant/tenant-one/authorizations',
@ -3031,7 +3031,7 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
resp = self.post_url( resp = self.post_url(
@ -3066,8 +3066,8 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 7200, 'exp': int(time.time()) + 7200,
'iat': time.time() + 3600} 'iat': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
resp = self.post_url( resp = self.post_url(
@ -3102,8 +3102,8 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 3600, 'exp': int(time.time()) + 3600,
'iat': time.time()} 'iat': int(time.time())}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
time.sleep(10) time.sleep(10)
@ -3146,8 +3146,8 @@ class TestTenantScopedWebApiTokenWithExpiry(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ], 'admin': ['tenant-one', ],
}, },
'exp': time.time() + 3600, 'exp': int(time.time()) + 3600,
'iat': time.time()} 'iat': int(time.time())}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
req = self.post_url( req = self.post_url(
@ -3249,7 +3249,7 @@ class TestCLIViaWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -3288,7 +3288,7 @@ class TestCLIViaWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -3317,7 +3317,7 @@ class TestCLIViaWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -3356,7 +3356,7 @@ class TestCLIViaWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -3407,7 +3407,7 @@ class TestCLIViaWebApi(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
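Review bot: In the `@ -3066` hunk the token is minted with `iat` one hour in the future (`int(time.time()) + 3600`) and `exp` two hours out; with the upper pin removed, PyJWT from 2.6.0 onward rejects a future `iat` on its own as far as I recall, so this case may now be refused by the library before Zuul's own validity logic ever runs. If the test is meant to exercise Zuul's check rather than PyJWT's, the response assertion should distinguish the two, or at least carry a comment such as `# newer PyJWT rejects a future iat itself; older releases rely on Zuul's validity check`. Separately, every hunk calls `int(time.time())` once per claim, so `iat` and `exp` in the same token can straddle a second boundary; mirroring the client code with `now = int(time.time())` and deriving both claims from it would make the fixtures deterministic. The enclosing test methods all begin outside their hunks.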


@ -187,7 +187,7 @@ class TestZuulClientAdmin(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -227,7 +227,7 @@ class TestZuulClientAdmin(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -263,7 +263,7 @@ class TestZuulClientAdmin(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -308,7 +308,7 @@ class TestZuulClientAdmin(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(
@ -359,7 +359,7 @@ class TestZuulClientAdmin(BaseTestWeb):
'zuul': { 'zuul': {
'admin': ['tenant-one', ] 'admin': ['tenant-one', ]
}, },
'exp': time.time() + 3600} 'exp': int(time.time()) + 3600}
token = jwt.encode(authz, key='NoDanaOnlyZuul', token = jwt.encode(authz, key='NoDanaOnlyZuul',
algorithm='HS256') algorithm='HS256')
p = subprocess.Popen( p = subprocess.Popen(


@ -735,7 +735,7 @@ class Client(zuul.cmd.ZuulApp):
print('"%s" authenticator configuration not found.' print('"%s" authenticator configuration not found.'
% self.args.auth_config) % self.args.auth_config)
sys.exit(1) sys.exit(1)
now = time.time() now = int(time.time())
token = {'iat': now, token = {'iat': now,
'exp': now + self.args.expires_in, 'exp': now + self.args.expires_in,
'iss': get_default(self.config, auth_section, 'issuer_id'), 'iss': get_default(self.config, auth_section, 'issuer_id'),
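Review bot: `exp` is built as `now + self.args.expires_in` on the line after the change, so it is only an integer if `expires_in` already is; if the argparse definition (not visible here) gives it any type other than `int`, `exp` becomes a float again and the same PyJWT strictness that motivated this commit resurfaces on the verifying side. Casting explicitly, `'exp': now + int(self.args.expires_in),`, closes that gap regardless of the parser's type. There is also no visible bound on `expires_in`: a very large value mints an effectively non-expiring admin token, so if the authenticator configuration carries a maximum validity it would be worth rejecting oversized values here rather than only at verification time. The function continues outside the hunk.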