SPR1-2674 Fix token tests for PyJWT >= 2.2.0

In order to avoid a test dependency on the cryptography package, I had a sneaky way to encode tokens with the "none" algorithm, even though the header requested "ES256" like a real MeerKAT token. I took the resultant unsecured JWS and then tacked on a dummy signature of the expected length of 86 characters, since that is all that matters to katdal. Sadly this trick stopped working in PyJWT >= 2.2.0, thanks to [jpadilla/pyjwt#673](jpadilla/pyjwt#673). The latest PyJWT prefers the algorithm in the header and won't let it be overridden by the `algorithm` parameter to `jwt.encode()`. Instead of inventing more tricks, take the hit and add cryptography to the test requirements. Use the example private key found in the PyJWT unit tests. There is no need for the corresponding public key, since katdal only checks some basic aspects of the token without verifying the signature.
ska-sa · Nov 24, 2022 · b00f9b3 · b00f9b3
1 parent eb8db22
commit b00f9b3
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/katdal/test/test_chunkstore_s3.py b/katdal/test/test_chunkstore_s3.py
@@ -76,6 +76,14 @@
               raise_on_status=False, status_forcelist=_DEFAULT_SERVER_GLITCHES)
 SUGGESTED_STATUS_DELAY = 0.1
 READ_PAUSE = 0.1
+# Dummy private key for ES256 algorithm (taken from PyJWT unit tests)
+JWT_PRIVATE_KEY = """
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2nninfu2jMHDwAbn
+9oERUhRADS6duQaJEadybLaa0YShRANCAAQfMBxRZKUYEdy5/fLdGI2tYj6kTr50
+PZPt8jOD23rAR7dhtNpG1ojqopmH0AH5wEXadgk8nLCT4cAPK59Qp9Ek
+-----END PRIVATE KEY-----
+"""
 
 
 @contextlib.contextmanager
@@ -154,13 +162,9 @@ def testShort(self):
         self._truncate_and_fail_to_read(-1, 2)
 
 
-def encode_jwt(header, payload, signature=86 * 'x'):
-    """Generate JWT token with encoded signature (dummy ES256 one by default)."""
-    # Don't specify algorithm='ES256' here since that needs cryptography package
-    # This generates an Unsecured JWS without a signature: '<header>.<payload>.'
-    header_payload = jwt.encode(payload, '', algorithm='none', headers=header)
-    # Now tack on a signature that nominally matches the header
-    return header_payload + signature
+def encode_jwt(header, payload):
+    """Generate JWT token with encoded signature (expects ES256 algorithm)."""
+    return jwt.encode(payload, JWT_PRIVATE_KEY, headers=header)
 
 
 class TestTokenUtils:

diff --git a/setup.py b/setup.py
@@ -61,4 +61,4 @@
           's3': [],
           's3credentials': ['botocore']
       },
-      tests_require=['nose'])
+      tests_require=['nose', 'cryptography'])
diff --git a/test-requirements.txt b/test-requirements.txt
@@ -1,4 +1,7 @@
 -c https://raw.githubusercontent.com/ska-sa/katsdpdockerbase/master/docker-base-build/base-requirements.txt
 
+cffi==1.15.1                           # via cryptography
 coverage
+cryptography==38.0.3
 nose
+pycparser==2.21                        # via cffi