From e5ab29bc2deb98011e7139d0370b9426eff45c78 Mon Sep 17 00:00:00 2001
From: Sam Gaus
Date: Wed, 3 Oct 2018 16:33:06 +0100
Subject: [PATCH 1/4] Fixed incorrect JWT parsing in rasa_core server

---
 rasa_core/server.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rasa_core/server.py b/rasa_core/server.py
index a1f470faa63..14b6cb57cb9 100644
--- a/rasa_core/server.py
+++ b/rasa_core/server.py
@@ -88,8 +88,10 @@ def sender_id_from_args(f, args, kwargs):
 
 def sufficient_scope(*args, **kwargs):
 jwt_data = view_decorators._decode_jwt_from_headers()
- role = jwt_data.get("role", None)
- username = jwt_data.get("username", None)
+ user = jwt_data.get("user", {})
+
+ username = user.get("user", None)
+ role = user.get("role", None)
 
 if role == "admin":
 return True

From b6969ce33ce54bef8c2d7c1f5b05399749b3b1d9 Mon Sep 17 00:00:00 2001
From: Sam Gaus
Date: Wed, 3 Oct 2018 16:34:39 +0100
Subject: [PATCH 2/4] Add JWT parsing fix to the changelog

---
 CHANGELOG.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 0c1e6377018..561afdee732 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -33,6 +33,7 @@ Fixed
 - use utf8 everywhere when handling file IO
 - argument ``--connector`` on run script accepts custom channel module names
 - properly handle non ascii categorical slot values, e.g. ``大于100亿元``
+- fixed HTTP server attempting to authenticate based on incorrect path to the correct JWT data field
 
 [0.11.8] - 2018-09-28
 ^^^^^^^^^^^^^^^^^^^^^

From 5b4ba11d101c4481dd8e17f7f4ae33136912c54e Mon Sep 17 00:00:00 2001
From: Sam Gaus
Date: Thu, 4 Oct 2018 00:45:21 +0100
Subject: [PATCH 3/4] Updated tests for JWTs

---
 tests/test_server.py | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/tests/test_server.py b/tests/test_server.py
index a735b365ee6..a85825ca8bb 100644
--- a/tests/test_server.py
+++ b/tests/test_server.py
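Review bot: The new `user.get(...)` calls assume the `user` claim is a mapping, but `jwt_data.get("user", {})` only falls back to `{}` when the claim is absent; a correctly signed token whose `user` claim is present as a string, list or `null` raises AttributeError inside the scope check instead of being refused. Because this is the authorization gate in front of the conversation endpoints it should fail closed: a guard such as `if not isinstance(user, dict): return False` before the two lookups (assuming, as the visible `return True` suggests, that the function returns a bool) turns the crash into a denial. The nested `"user"` key inside `"user"` reads like a typo; a comment such as `# expected claim layout: {"user": {"user": <name>, "role": <role>}}` above the lookup would make the intent explicit. The body of sufficient_scope continues past the hunk, so the non-admin path is not visible here.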
@@ -212,21 +212,21 @@ def test_list_conversations_with_jwt(secured_app):
 
 # token generated with secret "core" and algorithm HS256
 # on https://jwt.io/
- # {"username": "testadmin", "role": "admin"}
+ # {"user": {"user": "testadmin", "role": "admin"}}
 jwt_header = {
- "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ"
- "1c2VybmFtZSI6InRlc3RhZG1pbiIsInJvbGUiOiJhZG1pbi"
- "J9.3gp-0pEEUJpU_NoR76lVYMrW86Aedx_QULKUcw3ODbo"
+ "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0YWRtaW4iLCJyb2xlIjoiYWRtaW4ifX0."
+ "VUOiT2DL3LWoesfKm7wWv5Yp8mSnc5v2OXFSq6Tiis0"
 }
 response = secured_app.get("/conversations",
 headers=jwt_header)
 assert response.status_code == 200
 
- # {"username": "testuser", "role": "user"}
+ # {"user": {"user": "testuser", "role": "user"}}
 jwt_header = {
- "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ"
- "1c2VybmFtZSI6InRlc3R1c2VyIiwicm9sZSI6InVzZXIifQ"
- ".X4wN0sLRW0Urd9E-ProsCK_IQHjuNZ5SJwm4RXiX6fQ"
+ "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0dXNlciIsInJvbGUiOiJ1c2VyIn19."
+ "_Gu7YX6euPvq9pfDFHzgH4qPNMbJH1XGXGCVRnXiP24"
 }
 response = secured_app.get("/conversations",
 headers=jwt_header)
@@ -237,11 +237,11 @@ def test_get_tracker_with_jwt(secured_app):
 
 # token generated with secret "core" and algorithm HS256
 # on https://jwt.io/
- # {"username": "testadmin", "role": "admin"}
+ # {"user": {"user": "testadmin", "role": "admin"}}
 jwt_header = {
- "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ"
- "1c2VybmFtZSI6InRlc3RhZG1pbiIsInJvbGUiOiJhZG1pbi"
- "J9.3gp-0pEEUJpU_NoR76lVYMrW86Aedx_QULKUcw3ODbo"
+ "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0YWRtaW4iLCJyb2xlIjoiYWRtaW4ifX0."
+ "VUOiT2DL3LWoesfKm7wWv5Yp8mSnc5v2OXFSq6Tiis0"
 }
 response = secured_app.get("/conversations/testadmin/tracker",
 headers=jwt_header)
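Review bot: The rewritten tokens cover only the new nested claim layout, so neither test_list_conversations_with_jwt here nor test_get_tracker_with_jwt in the next two hunks checks what the server does with a validly signed token in the previous flat `{"username": ..., "role": ...}` shape, which after the server fix yields `username` and `role` of `None`; a regression to the old lookup, or a crash when the `user` claim is not an object, would go unnoticed. Keeping one of the removed tokens (same secret `"core"`, HS256) and asserting `secured_app.get("/conversations", headers=jwt_header).status_code != 200` — or the specific rejection code the app uses, which is not visible in this hunk — would pin the fix. Both test functions begin before their hunks.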
@@ -251,11 +251,11 @@ def test_get_tracker_with_jwt(secured_app):
 headers=jwt_header)
 assert response.status_code == 200
 
- # {"username": "testuser", "role": "user"}
+ # {"user": {"user": "testuser", "role": "user"}}
 jwt_header = {
- "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ"
- "1c2VybmFtZSI6InRlc3R1c2VyIiwicm9sZSI6InVzZXIifQ"
- ".X4wN0sLRW0Urd9E-ProsCK_IQHjuNZ5SJwm4RXiX6fQ"
+ "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0dXNlciIsInJvbGUiOiJ1c2VyIn19."
+ "_Gu7YX6euPvq9pfDFHzgH4qPNMbJH1XGXGCVRnXiP24"
 }
 response = secured_app.get("/conversations/testadmin/tracker",
 headers=jwt_header)

From 7f3ae7aa8b71d87f9a1d94f03efffb7ff6d74403 Mon Sep 17 00:00:00 2001
From: Sam Gaus
Date: Thu, 4 Oct 2018 00:56:52 +0100
Subject: [PATCH 4/4] Team pep

---
 tests/test_server.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/test_server.py b/tests/test_server.py
index a85825ca8bb..12bfe4a00c8 100644
--- a/tests/test_server.py
+++ b/tests/test_server.py
@@ -215,8 +215,8 @@ def test_list_conversations_with_jwt(secured_app):
 # {"user": {"user": "testadmin", "role": "admin"}}
 jwt_header = {
 "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
- "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0YWRtaW4iLCJyb2xlIjoiYWRtaW4ifX0."
- "VUOiT2DL3LWoesfKm7wWv5Yp8mSnc5v2OXFSq6Tiis0"
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0YWRtaW4iLCJyb2xlIjoiYWRt"
+ "aW4ifX0.VUOiT2DL3LWoesfKm7wWv5Yp8mSnc5v2OXFSq6Tiis0"
 }
 response = secured_app.get("/conversations",
 headers=jwt_header)
@@ -225,8 +225,8 @@ def test_list_conversations_with_jwt(secured_app):
 # {"user": {"user": "testuser", "role": "user"}}
 jwt_header = {
 "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
- "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0dXNlciIsInJvbGUiOiJ1c2VyIn19."
- "_Gu7YX6euPvq9pfDFHzgH4qPNMbJH1XGXGCVRnXiP24"
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0dXNlciIsInJvbGUiOiJ1c2Vy"
+ "In19._Gu7YX6euPvq9pfDFHzgH4qPNMbJH1XGXGCVRnXiP24"
 }
 response = secured_app.get("/conversations",
 headers=jwt_header)
@@ -240,8 +240,8 @@ def test_get_tracker_with_jwt(secured_app):
 # {"user": {"user": "testadmin", "role": "admin"}}
 jwt_header = {
 "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
- "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0YWRtaW4iLCJyb2xlIjoiYWRtaW4ifX0."
- "VUOiT2DL3LWoesfKm7wWv5Yp8mSnc5v2OXFSq6Tiis0"
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0YWRtaW4iLCJyb2xlIjoiYWRt"
+ "aW4ifX0.VUOiT2DL3LWoesfKm7wWv5Yp8mSnc5v2OXFSq6Tiis0"
 }
 response = secured_app.get("/conversations/testadmin/tracker",
 headers=jwt_header)
@@ -254,8 +254,8 @@ def test_get_tracker_with_jwt(secured_app):
 # {"user": {"user": "testuser", "role": "user"}}
 jwt_header = {
 "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
- "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0dXNlciIsInJvbGUiOiJ1c2VyIn19."
- "_Gu7YX6euPvq9pfDFHzgH4qPNMbJH1XGXGCVRnXiP24"
+ "eyJ1c2VyIjp7InVzZXIiOiJ0ZXN0dXNlciIsInJvbGUiOiJ1c2Vy"
+ "In19._Gu7YX6euPvq9pfDFHzgH4qPNMbJH1XGXGCVRnXiP24"
 }
 response = secured_app.get("/conversations/testadmin/tracker",
 headers=jwt_header)