spec: Allow expired JWTs to be used in contract tests

This will make the ignore_expiration flag always be used when decoding a JWT, so long as the 'a course with live events' provider state is being used. Also makes the proxy_app no longer override the Authorization header if the contents look like a JWT (even if it's an invalid JWT). fixes PLAT-5062 Change-Id: Ib69bce4821502c8853f2dd566762f2cd88f95aef Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/215090 Reviewed-by: Marc Phillips <mphillips@instructure.com> Tested-by: Jenkins QA-Review: Tucker Mcknight <tmcknight@instructure.com> Product-Review: Tucker Mcknight <tmcknight@instructure.com>
2019-10-29 10:56:16 -06:00 · 2019-10-29 10:56:16 -06:00 · de87b5b7db
parent 5eede9dcb8
commit de87b5b7db
2 changed files with 38 additions and 3 deletions
--- a/spec/contracts/service_consumers/api/provider_states_for_consumer/oauth_provider_states.rb
+++ b/spec/contracts/service_consumers/api/provider_states_for_consumer/oauth_provider_states.rb
@ -54,4 +54,23 @@ Pact.provider_states_for PactConfig::Consumers::ALL do
        to receive(:get_jwk_from_url).and_return(jwk)
    end
  end
+
+  provider_state 'a course with live events' do
+    set_up do
+      Canvas::Security.class_eval do
+        @old_decode_jwt = self.method(:decode_jwt)
+
+        def self.decode_jwt(body, keys = [])
+          @old_decode_jwt.call(body, keys, ignore_expiration: true)
+        end
+      end
+    end
+
+    tear_down do
+      Canvas::Security.class_eval do
+        define_singleton_method(:decode_jwt, @old_decode_jwt)
+        remove_instance_variable(:@old_decode_jwt)
+      end
+    end
+  end
 end
--- a/spec/contracts/service_consumers/api/proxy_app.rb
+++ b/spec/contracts/service_consumers/api/proxy_app.rb
@ -23,7 +23,7 @@ class PactApiConsumerProxy
  def call(env)
    # Users calling the API will know the user name of the
    # user that they want to identify as. For example, "Admin1".
-    if expects_auth_header?(env)
+    if expects_auth_header_added?(env)
      user = find_requesting_user(env)

      # You can create an access token without having a pseudonym;
@ -44,8 +44,24 @@ class PactApiConsumerProxy

  private

-  def expects_auth_header?(env)
-    env[AUTH_HEADER]
+  def expects_auth_header_added?(env)
+    # If the auth header exists, and can *not* be read
+    # as a JWT, then we add an access token to it.
+    # If it can be read as a JWT, then leave it as it is.
+    if env[AUTH_HEADER]
+      begin
+        JSON::JWT.decode(env[AUTH_HEADER].split.last) # Remove the "Bearer "
+      rescue JSON::JWT::InvalidFormat
+        return true
+      rescue Exception
+        # Other exceptions (like VerificationFailed) are OK -- we do not
+        # expect a new token to be filled in if we get here. JWT
+        # verification should be stubbed in the provider state.
+        return false
+      end
+    else
+      false
+    end
  end

  def find_requesting_user(env)