def test_decode_failure(self):
"""
Verifies the function logs decode failures, and raises an InvalidTokenError if the token cannot be decoded
"""
# Create tokens using each invalid issuer and attempt to decode them against
# the valid issuers list, which won't work
with mock.patch(
'edx_rest_framework_extensions.utils.logger') as patched_log:
with self.assertRaises(jwt.InvalidTokenError):
self.payload['iss'] = 'invalid-issuer'
signing_key = 'invalid-secret-key'
# Generate a token using the invalid issuer data
token = generate_jwt_token(self.payload, signing_key)
# Attempt to decode the token against the entries in the valid issuers list,
# which will fail with an InvalidTokenError
utils.jwt_decode_handler(token)
# Verify that the proper entries were written to the log file
msg = "Token decode failed for issuer 'test-issuer-1'"
patched_log.info.assert_any_call(msg, exc_info=True)
msg = "Token decode failed for issuer 'test-issuer-2'"
patched_log.info.assert_any_call(msg, exc_info=True)
msg = "All combinations of JWT issuers and secret keys failed to validate the token."
patched_log.error.assert_any_call(msg)
def has_permission(self, request, view):
"""
Implement the business logic discussed above
"""
# if is_oauth_scope_enforcement_enabled():
if settings.FEATURES.get('ENABLE_OAUTH_SCOPE_ENFORCEMENT', False):
token = request.auth
decoded_token = jwt_decode_handler(token)
# check to see if token is a DOP token
# if so this represents a client which is implicitly trusted
# (since it is an internal Open edX application)
if decoded_token['edx_trusted_application']:
return True
if is_token_version_incompatible(decoded_token['version']):
return False
if hasattr(view, 'required_scopes'):
if not getattr(view, 'required_scopes')[0] in decoded_token['scopes']:
return False
has_permission = super(HasScopedToken, self).has_permission(request, view)
if has_permission:
setattr(request, 'oauth_scopes_filters', self._token_filters(decoded_token))
return has_permission
else:
return True
def test_decode_valid_token_multiple_valid_issuers(self, jwt_issuer):
"""
Validates that a valid token is properly decoded given a list of multiple valid issuers
"""
# Verify that each valid issuer is properly matched against the valid issuers list
# and used to decode the token that was generated using said valid issuer data
self.payload['iss'] = jwt_issuer['ISSUER']
token = generate_jwt_token(self.payload, jwt_issuer['SECRET_KEY'])
self.assertEqual(utils.jwt_decode_handler(token), self.payload)
def test_decode_success(self):
"""
Confirms that the format of the valid response from the token decoder matches the payload
"""
self.assertDictEqual(utils.jwt_decode_handler(self.jwt), self.payload)
def setUp(self):
super(IsTokenVersionIncompatibleTests, self).setUp()
self.user = UserFactory()
self.payload = generate_jwt_payload(self.user)
self.jwt = generate_jwt_token(self.payload)
self.decoded_token = utils.jwt_decode_handler(self.jwt)