feat: add issuer monitoring (#325)

Add new custom attributes to verify how the issuer is being verified at this time.
openedx · Apr 12, 2023 · ae7416f · ae7416f
1 parent 813cdc7
commit ae7416f
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -19,6 +19,7 @@ Added
 ~~~~~
 
 * Added ``jwt_auth_check_symmetric_key``, ``jwt_auth_asymmetric_verified``, ``jwt_auth_symmetric_verified``, and ``jwt_auth_verification_failed`` custom attributes to aid in deprecation and removal of symmetric keys.
+* Added ``jwt_auth_issuer`` and ``jwt_auth_issuer_verification`` custom attributes.
 
 Changed
 ~~~~~~~

diff --git a/edx_rest_framework_extensions/auth/jwt/decoder.py b/edx_rest_framework_extensions/auth/jwt/decoder.py
@@ -274,8 +274,19 @@ def _decode_and_verify_token(token, jwt_issuer):
 
     # TODO (ARCH-204): verify issuer manually until it is properly configured.
     token_issuer = decoded_token.get('iss')
+    # .. custom_attribute_name: jwt_auth_issuer
+    # .. custom_attribute_description: Value set to the JWT auth issuer.
+    set_custom_attribute('jwt_auth_issuer', token_issuer)
     issuer_matched = any(issuer['ISSUER'] == token_issuer for issuer in get_jwt_issuers())
-    if not issuer_matched:
+    if token_issuer == jwt_issuer['ISSUER']:
+        # .. custom_attribute_name: jwt_auth_issuer_verification
+        # .. custom_attribute_description: Depending on issuer verification, the value will
+        #   be one of: matches-first-issuer, matches-later-issuer, or no-match.
+        set_custom_attribute('jwt_auth_issuer_verification', 'matches-first-issuer')
+    elif issuer_matched:
+        set_custom_attribute('jwt_auth_issuer_verification', 'matches-later-issuer')
+    else:
+        set_custom_attribute('jwt_auth_issuer_verification', 'no-match')
         logger.info('Token decode failed due to mismatched issuer [%s]', token_issuer)
         raise jwt.InvalidTokenError('%s is not a valid issuer.' % token_issuer)
 

diff --git a/edx_rest_framework_extensions/auth/jwt/tests/test_decoder.py b/edx_rest_framework_extensions/auth/jwt/tests/test_decoder.py
@@ -217,15 +217,21 @@ def test_keyset_size_and_other_monitoring(self, mock_set_custom_attribute):
             mock.call('jwt_auth_check_symmetric_key', True),
             mock.call('jwt_auth_verify_asymmetric_keys_count', 1),
             mock.call('jwt_auth_asymmetric_verified', True),
+            mock.call('jwt_auth_issuer', 'test-issuer-1'),
+            mock.call('jwt_auth_issuer_verification', 'matches-first-issuer'),
 
             mock.call('jwt_auth_check_symmetric_key', False),
             mock.call('jwt_auth_verify_asymmetric_keys_count', 1),
             mock.call('jwt_auth_asymmetric_verified', True),
+            mock.call('jwt_auth_issuer', 'test-issuer-1'),
+            mock.call('jwt_auth_issuer_verification', 'matches-first-issuer'),
 
             mock.call('jwt_auth_check_symmetric_key', True),
             mock.call('jwt_auth_verify_asymmetric_keys_count', 1),
             mock.call('jwt_auth_verify_all_keys_count', 2),
             mock.call('jwt_auth_symmetric_verified', True),
+            mock.call('jwt_auth_issuer', 'test-issuer-1'),
+            mock.call('jwt_auth_issuer_verification', 'matches-first-issuer'),
         ]
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,7 @@ Added @@
     ~~~~~
     * Added ``jwt_auth_check_symmetric_key``, ``jwt_auth_asymmetric_verified``, ``jwt_auth_symmetric_verified``, and ``jwt_auth_verification_failed`` custom attributes to aid in deprecation and removal of symmetric keys.
+    * Added ``jwt_auth_issuer`` and ``jwt_auth_issuer_verification`` custom attributes.
     Changed
     ~~~~~~~
@@ Expand Down @@