Merge pull request #53 from CiscoSecurity/release-2.0.2

Release 2.0.2

Dockerfile

@@ -1,14 +1,18 @@
 FROM alpine:3.14
 LABEL maintainer="Ian Redden <iaredden@cisco.com>"
 
+ENV PIP_IGNORE_INSTALLED 1
+
 # install packages we need
 RUN apk update && apk add --no-cache musl-dev openssl-dev gcc py3-configobj \
-supervisor git libffi-dev uwsgi-python3 uwsgi-http jq syslog-ng uwsgi-syslog \
+supervisor libffi-dev uwsgi-python3 uwsgi-http jq syslog-ng uwsgi-syslog \
 py3-pip python3-dev
 
 # do the Python dependencies
 ADD code /app
-RUN pip3 install -r /app/requirements.txt
+ADD code/Pipfile code/Pipfile.lock /
+RUN set -ex && pip install --no-cache-dir --upgrade pipenv && \
+ pipenv install --system
 RUN chown -R uwsgi.uwsgi /etc/uwsgi
 
 # copy over scripts to init

README.md

@@ -25,9 +25,9 @@ cd code
 ```
 
 If you want to test the application you have to install a couple of extra
-dependencies from the [test-requirements.txt](test-requirements.txt) file:
+dependencies from the [Pipfile](code/Pipfile) file:
 ```
-pip install --upgrade --requirement requirements.txt
+pip install --no-cache-dir --upgrade pipenv && pipenv install --dev
 ```
 
 You can perform two kinds of testing:

code/Pipfile

@@ -0,0 +1,19 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+cryptography = "==3.3.2"
+Flask = "==2.0.1"
+marshmallow = "==3.12.1"
+requests = "==2.25.1"
+PyJWT = "==2.1.0"
+
+[dev-packages]
+flake8 = "==3.9.2"
+coverage = "==5.5"
+pytest = "==6.2.4"
+
+[requires]
+python_version = "3.9"

code/api/utils.py

@@ -7,7 +7,12 @@
 from typing import Optional
 from http import HTTPStatus
 from flask import request, current_app, jsonify, g
-from requests.exceptions import ConnectionError, InvalidURL, SSLError
+from requests.exceptions import (
+ ConnectionError,
+ InvalidURL,
+ SSLError,
+ HTTPError,
+)
 from jwt import InvalidSignatureError, InvalidAudienceError, DecodeError
 
 from api.errors import (
@@ -31,7 +36,7 @@
 WRONG_KEY = ('Failed to decode JWT with provided key. '
  'Make sure domain in custom_jwks_host '
  'corresponds to your SecureX instance region.')
-JWK_HOST_MISSING = ('jwk_host is missing in JWT payload. Make sure '
+JWK_HOST_MISSING = ('jwks_host is missing in JWT payload. Make sure '
  'custom_jwks_host field is present in module_type')
 WRONG_JWKS_HOST = ('Wrong jwks_host in JWT payload. Make sure domain follows '
  'the visibility.<region>.cisco.com structure')
@@ -54,13 +59,15 @@ def set_ctr_entities_limit(payload):
 
 
 def get_public_key(jwks_host, token):
- expected_errors = {
- ConnectionError: WRONG_JWKS_HOST,
- InvalidURL: WRONG_JWKS_HOST,
- JSONDecodeError: WRONG_JWKS_HOST,
- }
+ expected_errors = (
+ ConnectionError,
+ InvalidURL,
+ JSONDecodeError,
+ HTTPError,
+ )
  try:
  response = requests.get(f"https://{jwks_host}/.well-known/jwks")
+ response.raise_for_status()
  jwks = response.json()
 
  public_keys = {}
@@ -72,8 +79,8 @@ def get_public_key(jwks_host, token):
  kid = jwt.get_unverified_header(token)['kid']
  return public_keys.get(kid)
 
- except tuple(expected_errors) as error:
- raise AuthorizationError(expected_errors[error.__class__])
+ except expected_errors:
+ raise AuthorizationError(WRONG_JWKS_HOST)
 
 
 def get_jwt():
@@ -93,10 +100,9 @@ def get_jwt():
 
  token = get_auth_token()
  try:
- jwks_host = jwt.decode(
- token, options={'verify_signature': False}
- ).get('jwks_host')
- assert jwks_host
+ jwks_payload = jwt.decode(token, options={'verify_signature': False})
+ assert 'jwks_host' in jwks_payload
+ jwks_host = jwks_payload.get('jwks_host')
  key = get_public_key(jwks_host, token)
  aud = request.url_root
  payload = jwt.decode(

code/container_settings.json

@@ -1,4 +1,4 @@
 {
- "VERSION": "2.0.1",
+ "VERSION": "2.0.2",
  "NAME": "Spycloud Employee Ato Prevention Relay"
 }

code/tests/unit/api/test_authorization.py

@@ -102,7 +102,7 @@ def test_call_with_missing_jwks_host(
 
  response = client.post(
  route, json=valid_json,
- headers=headers(valid_jwt(jwks_host=''))
+ headers=headers(valid_jwt(wrong_jwks_host=True))
  )
  assert response.status_code == HTTPStatus.OK
  assert response.json == authorization_errors_expected_payload(

code/tests/unit/conftest.py

@@ -25,14 +25,18 @@ def _make_jwt(
  jwks_host='visibility.amp.cisco.com',
  aud='http://localhost',
  kid='02B1174234C29F8EFB69911438F597FF3FFEE6B7',
- wrong_structure=False
+ wrong_structure=False,
+ wrong_jwks_host=False,
  ):
  payload = {
  'key': key,
  'jwks_host': jwks_host,
  'aud': aud,
  }
 
+ if wrong_jwks_host:
+ payload.pop('jwks_host')
+
  if wrong_structure:
  payload.pop('key')
 

scripts/entrypoint.sh

@@ -1,12 +1,6 @@
 #!/usr/bin/env sh
 set -e
 
-# Grab the repository
-if [ -n "$GITREPO" ]; then
- echo "rm -rf /app && git clone $GITREPO /app"
- rm -rf /app && git clone $GITREPO /app
-fi
-
 
 if [ -n "$ALPINEPYTHON" ] ; then
  export PYTHONPATH=$PYTHONPATH:/usr/local/lib/$ALPINEPYTHON/site-packages:/usr/lib/$ALPINEPYTHON/site-packages