Sem-Ver: feature Add a SubjectDoesNotMatchIssuerException for when the subject does not match the issuer.

Signed-off-by: David Black <[email protected]>

Author: dbaxa

atlassian_jwt_auth/exceptions.py

@@ -57,6 +57,10 @@ class JtiUniquenessException(ASAPAuthenticationException):
     """Raise when a JTI is seen more than once. """
 
 
+class SubjectDoesNotMatchIssuerException(ASAPAuthenticationException):
+    """Raise when the subject and issuer differ. """
+
+
 class NoTokenProvidedError(ASAPAuthenticationException):
     """Raise when no token is provided"""
     pass

atlassian_jwt_auth/tests/test_verifier.py

@@ -70,8 +70,12 @@ def test_verify_jwt_with_non_matching_sub_and_iss(self, m_j_decode):
         }
         a_jwt = self._jwt_auth_signer.generate_jwt(self._example_aud)
         verifier = self._setup_jwt_auth_verifier(self._public_key_pem)
-        with self.assertRaisesRegexp(ValueError, expected_msg):
-            verifier.verify_jwt(a_jwt, self._example_aud)
+        for exception in [
+            ValueError,
+            atlassian_jwt_auth.exceptions.SubjectDoesNotMatchIssuerException,
+        ]:
+            with self.assertRaisesRegexp(exception, expected_msg):
+                verifier.verify_jwt(a_jwt, self._example_aud)
 
     @mock.patch('atlassian_jwt_auth.verifier.jwt.decode')
     def test_verify_jwt_with_jwt_lasting_gt_max_time(self, m_j_decode):

atlassian_jwt_auth/verifier.py

@@ -63,7 +63,8 @@ def _decode_jwt(self, a_jwt, key_identifier, jwt_key,
 
         if self._subject_should_match_issuer and (
                 claims.get('sub') and claims['iss'] != claims['sub']):
-            raise ValueError('Issuer does not match the subject.')
+            raise exceptions.SubjectDoesNotMatchIssuerException(
+                'Issuer does not match the subject.')
 
         _aud = claims['aud']
         _exp = int(claims['exp'])