
Commit dd1df0e

committed
Sem-Ver: bugfix Flake8 fix up - add an explicit check that the aud claim has been provided.
This is not a breaking change because even if verify_jwt was to use an audience value of None & a jwt did not have an aud claim, a KeyError would be raised. Signed-off-by: David Black <[email protected]>
1 parent 331cefb commit dd1df0e


2 files changed

+40
-1
lines changed


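--- a/atlassian_jwt_auth/tests/test_verifier.py
+++ b/atlassian_jwt_auth/tests/test_verifier.py
@@ -192,6 +192,41 @@ def test_verify_jwt_subject_does_not_need_to_match_issuer(self):
 additional_claims={'sub': 'not-' + self._example_issuer})
 self.assertIsNotNone(verifier.verify_jwt(a_jwt, self._example_aud))
 
+@mock.patch('atlassian_jwt_auth.verifier.jwt.decode')
+def test_verify_jwt_with_missing_aud_claim(self, m_j_decode):
+""" tests that verify_jwt rejects jwt that do not have an aud
+claim.
+"""
+expected_msg = ('Claims validity, the aud claim must be provided and '
+'cannot be empty.')
+claims = self._jwt_auth_signer._generate_claims(self._example_aud)
+del claims['aud']
+m_j_decode.return_value = claims
+a_jwt = self._jwt_auth_signer.generate_jwt(self._example_aud)
+verifier = self._setup_jwt_auth_verifier(self._public_key_pem)
+with self.assertRaisesRegexp(KeyError, expected_msg):
+verifier.verify_jwt(a_jwt, self._example_aud)
+
+def test_verify_jwt_with_none_aud(self):
+""" tests that verify_jwt rejects jwt that have a None aud claim. """
+verifier = self._setup_jwt_auth_verifier(self._public_key_pem)
+a_jwt = self._jwt_auth_signer.generate_jwt(
+self._example_aud,
+additional_claims={'aud': None})
+with self.assertRaises(jwt.exceptions.InvalidAudienceError):
+verifier.verify_jwt(a_jwt, self._example_aud)
+
+def test_verify_jwt_with_non_matching_aud(self):
+""" tests that verify_jwt rejects a jwt if the aud claim does not
+match the given & expected audience.
+"""
+verifier = self._setup_jwt_auth_verifier(self._public_key_pem)
+a_jwt = self._jwt_auth_signer.generate_jwt(
+self._example_aud,
+additional_claims={'aud': self._example_aud + '-different'})
+with self.assertRaises(jwt.exceptions.InvalidAudienceError):
+verifier.verify_jwt(a_jwt, self._example_aud)
+
 
 class JWTAuthVerifierRS256Test(
 BaseJWTAuthVerifierTest,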
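Review bot: None of the three new tests covers an `aud` claim that is present but empty (`''` or `[]`), although the message asserted in `test_verify_jwt_with_missing_aud_claim` says the claim "cannot be empty". A fourth test passing `additional_claims={'aud': ''}` would pin that case; which exception it should expect depends on verifier code outside this hunk. Separately, `assertRaisesRegexp` is the deprecated spelling of `assertRaisesRegex` on Python 3, which is worth switching if the project no longer needs Python 2. The enclosing test class starts outside the hunk.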

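--- a/atlassian_jwt_auth/verifier.py
+++ b/atlassian_jwt_auth/verifier.py
@@ -66,7 +66,11 @@ def _decode_jwt(self, a_jwt, key_identifier, jwt_key,
 raise exceptions.SubjectDoesNotMatchIssuerException(
 'Issuer does not match the subject.')
 
-_aud = claims['aud']
+_aud = claims.get('aud', None)
+if _aud is None:
+_msg = ("Claims validity, the aud claim must be provided and "
+"cannot be empty.")
+raise KeyError(_msg)
 _exp = int(claims['exp'])
 _iat = int(claims['iat'])
 if _exp - _iat > 3600: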
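Review bot: The new guard in `_decode_jwt` tests only `_aud is None`, while its message says the claim "cannot be empty", so an `aud` of `''` or `[]` passes this check; `if not _aud:` would make the check match the message. Whether an earlier decode step already rejects such values is not visible in this hunk. Raising the built-in `KeyError` keeps the previous behaviour, as the description says, but callers that handle only the JWT library's exception types will not see it as a rejected token. A comment above the raise such as `# KeyError kept for backwards compatibility; callers must treat it as an invalid token` would make that contract explicit. The body of `_decode_jwt` starts and ends outside the hunk.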
