
Commit 04fa637

committed
Move default JWT validation to general OIDC handler function
1 parent 51cbff4 commit 04fa637


2 files changed

+18
-18
lines changed


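--- a/tests/unit/oidc/test_views.py
+++ b/tests/unit/oidc/test_views.py
@@ -122,7 +122,8 @@ def body(self):
 return json.dumps(body)
 
 req = Request()
-resp = views.mint_token_from_oidc_github(req)
+oidc_service = pretend.stub()
+resp = views.mint_token(oidc_service, req)
 
 assert req.response.status == 422
 assert resp["message"] == "Token request failed"
@@ -144,7 +145,7 @@ def test_mint_token_from_trusted_publisher_verify_jwt_signature_fails():
 flags=pretend.stub(disallow_oidc=lambda *a: False),
 )
 
-response = views.mint_token(oidc_service, request, "faketoken")
+response = views.mint_token(oidc_service, request)
 assert request.response.status == 422
 assert response == {
 "message": "Token request failed",
@@ -210,7 +211,7 @@ def test_mint_token_from_oidc_pending_publisher_project_already_exists(db_reques
 )
 db_request.find_service = pretend.call_recorder(lambda *a, **kw: oidc_service)
 
-resp = views.mint_token(oidc_service, db_request, "faketoken")
+resp = views.mint_token(oidc_service, db_request)
 assert db_request.response.status_code == 422
 assert resp == {
 "message": "Token request failed",
@@ -346,7 +347,7 @@ def test_mint_token_from_pending_trusted_publisher_invalidates_others(
 
 oidc_service = db_request.find_service(IOIDCPublisherService, name="github")
 
-resp = views.mint_token(oidc_service, db_request, token)
+resp = views.mint_token(oidc_service, db_request)
 assert resp["success"]
 assert resp["token"].startswith("pypi-")
 
@@ -424,7 +425,7 @@ def find_service(iface, **kw):
 flags=pretend.stub(disallow_oidc=lambda *a: False),
 )
 
-response = views.mint_token(oidc_service, request, "faketoken")
+response = views.mint_token(oidc_service, request)
 assert response == {
 "success": True,
 "token": "raw-macaroon",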
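Review bot: In the first hunk, the empty `pretend.stub()` passed as `oidc_service` is doing real work that the test does not spell out: any attribute access on it would raise, so the 422 can only come from payload validation running before the service is consulted. A one-line comment above it, e.g. `# empty stub: an invalid payload must be rejected before the OIDC service is used`, would keep a later edit from swapping in a fuller stub and losing that guarantee. The other four hunks drop the explicit token argument, so those tests now depend on the request fixture's `body`, which is set outside the visible lines; it is worth confirming each one still carries the token it used to pass. The enclosing test functions start outside the hunks.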

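--- a/warehouse/oidc/views.py
+++ b/warehouse/oidc/views.py
@@ -107,28 +107,27 @@ def mint_token_from_oidc_github(request: Request):
 request=request,
 )
 
-try:
-payload = TokenPayload.parse_raw(request.body)
-unverified_jwt = payload.token
-except ValidationError as exc:
-return _invalid(
-errors=[{"code": "invalid-payload", "description": str(exc)}],
-request=request,
-)
-
 # For the time being, GitHub is our only OIDC publisher.
 # In the future, this should locate the correct service based on an
 # identifier in the request body.
 oidc_service: OIDCPublisherService = request.find_service(
 IOIDCPublisherService, name="github"
 )
 
-return mint_token(oidc_service, request, unverified_jwt)
+return mint_token(oidc_service, request)
 
 
-def mint_token(
-oidc_service: OIDCPublisherService, request: Request, unverified_jwt: str
-) -> JsonRespone:
+def mint_token(oidc_service: OIDCPublisherService, request: Request) -> JsonRespone:
+unverified_jwt: str
+try:
+payload = TokenPayload.parse_raw(request.body)
+unverified_jwt = payload.token
+except ValidationError as exc:
+return _invalid(
+errors=[{"code": "invalid-payload", "description": str(exc)}],
+request=request,
+)
+
 claims = oidc_service.verify_jwt_signature(unverified_jwt)
 if not claims:
 return _invalid(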
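Review bot: `mint_token` now pulls the JWT out of `request.body` itself, yet it has no docstring saying that the body is parsed here and that the token stays untrusted until `verify_jwt_signature` returns claims. I would add one under the new signature, e.g. `"""Parse the token payload from request.body, verify its JWT with oidc_service, and return the JSON result; invalid payloads are rejected via _invalid()."""`. The bare `unverified_jwt: str` declaration before the `try` adds nothing, since the name is only bound inside the `try` and the `except` branch returns. The moved `except` still returns `str(exc)` in `description` to a caller whose token has not been verified; a fixed message would keep validator internals out of the response. The body of `mint_token` continues past the end of the hunk.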
