From edca2d35e3720ed58dadc07e8423692f5de88ed1 Mon Sep 17 00:00:00 2001
From: Katy Baulch <46493669+katybaulch@users.noreply.github.com>
Date: Wed, 25 Sep 2024 14:14:11 +0100
Subject: [PATCH] Remove audience check on app token decode (#355)

* Only verify_aud if not in DEVELOPMENT_MODE
* Set DEVELOPMENT_MODE as True on staging
* Check that decoding with invalid aud in dev_mode works
* Bump to 1.17.2
* Don't verify audience at all
* Skip test regarding origin/audience comparison
* Revert changes
---
 app/core/custom_app.py | 1 +
 pyproject.toml | 2 +-
 .../vespa/test_vespa_corpus_filtering.py | 1 +
 .../test_decode_configuration_token.py | 22 ++++++++++++++++++-
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/app/core/custom_app.py b/app/core/custom_app.py
index cc68cd6a..62b20a86 100644
--- a/app/core/custom_app.py
+++ b/app/core/custom_app.py
@@ -111,6 +111,7 @@ def decode_config_token(token: str, audience: Optional[str]) -> list[str]:
 algorithms=[security.ALGORITHM],
 issuer=ISSUER,
 audience=audience,
+ options={"verify_aud": False},
 )

 corpora_ids: list = decoded_token.get("allowed_corpora_ids")
diff --git a/pyproject.toml b/pyproject.toml
index 30dcfd02..271524f7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "navigator_backend"
-version = "1.17.1"
+version = "1.17.2"
 description = ""
 authors = ["CPR-dev-team "]
 packages = [{ include = "app" }, { include = "tests" }]
diff --git a/tests/search/vespa/test_vespa_corpus_filtering.py b/tests/search/vespa/test_vespa_corpus_filtering.py
index a26bd409..095b6844 100644
--- a/tests/search/vespa/test_vespa_corpus_filtering.py
+++ b/tests/search/vespa/test_vespa_corpus_filtering.py
@@ -126,6 +126,7 @@ def test_search_decoding_token_raises_PyJWTError(
 assert response["detail"] == "Could not decode configuration token"


+@pytest.mark.skip("Re-implement this as part of PDCT-1509")
 @pytest.mark.search
 def test_search_decoding_token_with_none_origin_passed_to_audience(
 data_client,
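Review bot: `options={"verify_aud": False}` switches off the audience check for every caller of `decode_config_token`, so a configuration token issued for one audience now decodes successfully whatever `audience` the caller passes, and the `audience=audience` argument on the line above becomes inert (as far as I can tell PyJWT only consults it while `verify_aud` is on). Nothing in the hunk records why; the commit title and the abandoned `DEVELOPMENT_MODE` bullets read like an interim measure, so the line should at least carry a comment pointing at the ticket the skipped tests already cite, e.g. `options={"verify_aud": False},  # TODO(PDCT-1509): aud check disabled for all callers; audience= is not enforced`. With the audience tests in tests/search/vespa/test_vespa_corpus_filtering.py and the unit test file marked skip in the same commit, no test now asserts that a mismatched audience is rejected, so if the check is meant to return it would be safer to gate it on a setting and log the mismatch while it is not enforced, rather than drop it silently. The body of `decode_config_token` begins and ends outside the hunk.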
diff --git a/tests/unit/app/core/custom_app/test_decode_configuration_token.py b/tests/unit/app/core/custom_app/test_decode_configuration_token.py
index f56a502f..d5f0af71 100644
--- a/tests/unit/app/core/custom_app/test_decode_configuration_token.py
+++ b/tests/unit/app/core/custom_app/test_decode_configuration_token.py
@@ -14,6 +14,7 @@ def test_decoding_expired_token_raise_expired_signature_token_error(expired_toke
 assert str(error.value) == "Signature has expired"


+@pytest.mark.skip("Re-implement this as part of PDCT-1509")
 @pytest.mark.parametrize(
 "input_str, aud, error_msg",
 [
@@ -30,7 +31,7 @@ def test_decoding_expired_token_raise_expired_signature_token_error(expired_toke
 ),
 ],
 )
-def test_decoding_token_with_invalid_aud_raises_expired_signature_token_error(
+def test_decoding_token_with_invalid_aud_raises_invalid_token_error(
 input_str: str, aud: Optional[str], error_msg: str
 ):
 token = create_configuration_token(input_str)
@@ -40,6 +41,25 @@ def test_decoding_token_with_invalid_aud_raises_expired_signature_token_error(
 assert str(error.value) == error_msg


+@pytest.mark.parametrize(
+ "input_str, aud",
+ [
+ ("mango,apple;subject;https://audience.com", None),
+ ("mango,apple;subject;https://audience.com", "https://audience.org"),
+ ("mango,apple;subject;https://AUDIENCE.OrG", "https://AUDIENCE.Com"),
+ ],
+)
+def test_decoding_token_with_invalid_aud_success_in_dev_mode(
+ input_str: str, aud: Optional[str]
+):
+ token = create_configuration_token(input_str)
+ decoded_corpora_ids = decode_config_token(token, aud)
+ assert len(decoded_corpora_ids) > 0
+
+ expected_num_corpora = 2
+ assert len(decoded_corpora_ids) == expected_num_corpora
+
+
 def test_decode_configuration_token_success(valid_token):
 decoded_corpora_ids = decode_config_token(valid_token, VALID_AUDIENCE)
 assert len(decoded_corpora_ids) > 0
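Review bot: The new test's name, `test_decoding_token_with_invalid_aud_success_in_dev_mode`, promises a development-mode condition that its body never establishes — no setting is patched or asserted, and `decode_config_token(token, aud)` succeeds because the audience check is now skipped for every caller, not because of any mode. Rename it to match what it checks, e.g. `def test_decoding_token_with_mismatched_aud_succeeds_when_aud_not_verified(`, or put a comment above the `@pytest.mark.parametrize` stating that audience is not verified at all and that this test documents that behaviour until PDCT-1509. The leading `assert len(decoded_corpora_ids) > 0` is subsumed by the equality against `expected_num_corpora` two lines later and can be dropped so the test has one clear assertion.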