
Trusted publishing: Enforce strict audience checking #14158

Status: Merged (5 commits), Jul 18, 2023

Conversation

woodruffw
Member

This bumps pyjwt to 2.8.0 and uses the newly-added strict_aud option to ensure that we reject JWTs that don't contain exactly a single string aud claim.

Closes #13887.

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw requested a review from a team as a code owner July 18, 2023 20:23
@woodruffw woodruffw self-assigned this Jul 18, 2023
Review thread on requirements/main.txt (outdated, resolved)
Co-authored-by: Dustin Ingram <[email protected]>
@di
Member

di commented Jul 18, 2023

@woodruffw A test to ensure this doesn't regress would be nice!

@woodruffw
Member Author

@woodruffw A test to ensure this doesn't regress would be nice!

Sounds good, doing now.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Member Author

Done: I've added a test on both our own JWT helper and a "backstop" test on pyjwt itself.
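The behaviour this PR relies on (accept a JWT only when its `aud` claim is exactly one string equal to our audience, and reject list-valued `aud` claims even when they contain it) can be seen end to end with a small self-contained verifier. The following is an added illustration, not code from the PR or from warehouse/pyjwt: it hand-rolls HS256 signing so it runs offline, uses a constructed key and an assumed audience value `pypi`, and puts the lenient RFC 7519 list-membership rule next to the strict rule so the difference is visible on the same tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key for the illustration; not a real secret.
SECRET = b"example-hs256-key-not-a-real-secret"
# Assumed audience value the verifier accepts (placeholder, not PyPI's real one).
EXPECTED_AUD = "pypi"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Toy issuer side: produce an HS256 JWT for `claims` (used to build inputs)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verified_claims(token: str) -> dict:
    """Pin the algorithm, check the HS256 signature, return the payload."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def aud_ok_lenient(aud) -> bool:
    """RFC 7519 rule: aud may be a string or a list; pass if our audience is in it."""
    if isinstance(aud, str):
        aud = [aud]
    return isinstance(aud, list) and EXPECTED_AUD in aud


def aud_ok_strict(aud) -> bool:
    """Strict rule (what strict_aud enforces): exactly one string equal to ours."""
    return isinstance(aud, str) and aud == EXPECTED_AUD


def verify(token: str, strict: bool = True) -> dict:
    """Return the claims if signature and audience check out, else raise ValueError."""
    claims = _verified_claims(token)
    if "aud" not in claims:
        raise ValueError("missing aud")
    check = aud_ok_strict if strict else aud_ok_lenient
    if not check(claims["aud"]):
        raise ValueError(f"audience rejected: {claims['aud']!r}")
    return claims


def accepted(token: str, strict: bool) -> bool:
    """Convenience wrapper: True if `verify` accepts the token under the given mode."""
    try:
        verify(token, strict=strict)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A token whose aud lists our audience alongside another service: the lenient
    # check accepts it, the strict check does not.
    multi = mint_token({"aud": ["pypi", "other-service"]})
    print("lenient:", accepted(multi, strict=False), "strict:", accepted(multi, strict=True))
```

The regression test the PR adds corresponds to the strict branch here: a single-element list `["pypi"]` is rejected just like a multi-element one, because the claim is not a bare string.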

Comment on lines +966 to +968

    def __init__(self) -> None:
        # `rsa` is cryptography.hazmat.primitives.asymmetric.rsa; one keypair per
        # helper instance, shared across the test group instead of regenerated per test.
        self._privkey = rsa.generate_private_key(65537, 2048)
        self._pubkey = self._privkey.public_key()
Member Author


Diff is messy here, but I took the opportunity to optimize this test group a bit (RSA keygen is pretty slow and the keys don't need to be unique per-test, so I'm having them reuse the same keypair rather than regenerating each time.)

@di di merged commit a6a0f2f into pypi:main Jul 18, 2023
@di di deleted the tob-pyjwt-strict-aud branch July 18, 2023 21:18
Successfully merging this pull request may close these issues.

Trusted publishing: ensure aud _only_ contains our audience.