Update pyjwt (#785)

* Update pwjwt and add some tests
taverntesting · Jun 5, 2022 · 97a47d6 · 97a47d6
1 parent 79e2f50
commit 97a47d6
Show file tree

Hide file tree

Showing 8 changed files with 91 additions and 10 deletions.
diff --git a/example/advanced/test_server.tavern.yaml b/example/advanced/test_server.tavern.yaml
@@ -23,6 +23,7 @@ stages:
         extra_kwargs:
           jwt_key: "token"
           key: CGQgaG7GYvTcpaQZqosLy4
+          algorithms: [ HS256 ]
           options:
             verify_signature: true
             verify_aud: true

diff --git a/example/advanced/testing_utils.py b/example/advanced/testing_utils.py
@@ -24,6 +24,6 @@ def create_bearer_token():
         "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1),
     }
 
-    token = jwt.encode(payload, SECRET, algorithm="HS256").decode("utf8")
+    token = jwt.encode(payload, SECRET, algorithm="HS256")
 
     return {"Authorization": "Bearer {}".format(token)}
diff --git a/example/components/Dockerfile b/example/components/Dockerfile
@@ -2,7 +2,7 @@ FROM python:3.9-alpine
 
 RUN pip install flask
 
-RUN pip install pyjwt==1.7.1
+RUN pip install pyjwt>=2.4.0,<3
 
 COPY server.py /
 

diff --git a/requirements.txt b/requirements.txt
@@ -24,7 +24,7 @@ allure-pytest
 PyYAML>=5.3.1,<7
 pykwalify>=1.8.0,<2
 requests>=2.22.0,<3
-pyjwt>=1.7.1,<2
+pyjwt>=2.4.0,<3
 paho-mqtt>=1.3.1,<=1.6.1
 jmespath<1
 pytest>=6.2,<8

diff --git a/setup.cfg b/setup.cfg
@@ -36,7 +36,7 @@ install_requires =
     PyYAML>=5.3.1,<7
     pykwalify>=1.8.0,<2
     requests>=2.22.0,<3
-    pyjwt>=1.7.1,<2
+    pyjwt>=2.4.0,<3
     paho-mqtt>=1.3.1,<=1.5.1
     jmespath<1
     pytest>=6.2,<8

diff --git a/tavern/testutils/helpers.py b/tavern/testutils/helpers.py
@@ -2,7 +2,6 @@
 import json
 import logging
 import re
-import warnings
 
 from box import Box
 import jmespath
@@ -75,9 +74,8 @@ def validate_jwt(response, jwt_key, **kwargs):
     token = response.json()[jwt_key]
 
     if "algorithm" not in kwargs:
-        warnings.warn(
-            "Not passing the 'algorithm' parameter will be an error in a future release of Tavern",
-            FutureWarning,
+        logger.error(
+            "No algorithm passed, this is now an error. See https://github.com/taverntesting/tavern/issues/779#issuecomment-1146653459"
         )
 
     decoded = jwt.decode(token, **kwargs)

diff --git a/tests/integration/server.py b/tests/integration/server.py
@@ -1,15 +1,17 @@
 import base64
+import datetime
 import gzip
+import itertools
 import json
 import mimetypes
 import os
+import time
 from urllib.parse import unquote_plus
 import uuid
 
 from flask import Flask, Response, jsonify, redirect, request
-import itertools
+import jwt
 import math
-import time
 
 app = Flask(__name__)
 
@@ -377,3 +379,24 @@ def get_606_dict():
 @app.route("/magic-multi-method", methods=["GET", "POST", "DELETE"])
 def get_any_method():
     return jsonify({"method": request.method})
+
+
+@app.route("/get_jwt", methods=["POST"])
+def login():
+    secret = "240c8c9c-39b9-426b-9503-3126f96c2eaf"
+    audience = "testserver"
+
+    r = request.get_json()
+
+    if r["user"] != "test-user" or r["password"] != "correct-password":
+        return jsonify({"error": "Incorrect username/password"}), 401
+
+    payload = {
+        "sub": "test-user",
+        "aud": audience,
+        "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1),
+    }
+
+    token = jwt.encode(payload, secret, algorithm="HS256")
+
+    return jsonify({"jwt": token})
diff --git a/tests/integration/test_helpers.tavern.yaml b/tests/integration/test_helpers.tavern.yaml
@@ -0,0 +1,59 @@
+---
+
+test_name: Make sure JWT verification works
+
+includes:
+- !include common.yaml
+
+stages:
+- name: login
+  request:
+    url: "{host}/get_jwt"
+    json:
+      user: test-user
+      password: correct-password
+    method: POST
+  response:
+    status_code: 200
+    verify_response_with:
+      function: tavern.testutils.helpers:validate_jwt
+      extra_kwargs:
+        jwt_key: "jwt"
+        key: 240c8c9c-39b9-426b-9503-3126f96c2eaf
+        algorithms: [HS256]
+        options:
+          verify_signature: true
+          verify_aud: true
+          verify_exp: true
+        audience: testserver
+
+---
+
+test_name: Make sure JWT rejects the wrong algorithm
+
+includes:
+- !include common.yaml
+
+stages:
+- name: login
+  request:
+    url: "{host}/get_jwt"
+    json:
+      user: test-user
+      password: correct-password
+    method: POST
+  response:
+    status_code: 200
+    verify_response_with:
+      function: tavern.testutils.helpers:validate_jwt
+      extra_kwargs:
+        jwt_key: "jwt"
+        key: 240c8c9c-39b9-426b-9503-3126f96c2eaf
+        algorithms: [RS256]
+        options:
+          verify_signature: true
+          verify_aud: true
+          verify_exp: true
+        audience: testserver
+
+_xfail: run