Merge pull request #265 from digital-asset/python-fix-jwt-decoding

da-tanabe · web-flow · commit 1ca84afc030e · 2021-07-29T18:53:09.000-04:00
python: Fix an error in the way that dazl interprets JWTs.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-7.5.6
+7.5.7
diff --git a/pyproject.toml b/pyproject.toml
@@ -3,7 +3,7 @@
 
 [tool.poetry]
 name = "dazl"
-version = "7.5.6"
+version = "7.5.7"
 description = "high-level Ledger API client for DAML ledgers"
 license = "Apache-2.0"
 authors = ["Davin K. Tanabe <davin.tanabe@digitalasset.com>"]
diff --git a/python/dazl/ledger/config/access.py b/python/dazl/ledger/config/access.py
@@ -388,7 +388,9 @@ def decode_token(token: str) -> Mapping[str, Any]:
     components = token.split(".", 3)
     if len(components) != 3:
         raise ValueError("not a JWT")
-    claim_str = base64.urlsafe_b64decode(components[1])
+
+    pad_bytes = "=" * (-len(components[1]) % 4)
+    claim_str = base64.urlsafe_b64decode(components[1] + pad_bytes)
     claims = json.loads(claim_str)
     claims_dict = claims.get(DamlLedgerApiNamespace)
     if claims_dict is None:
@@ -418,9 +420,9 @@ def encode_unsigned_token(
     }
 
     return (
-        base64.urlsafe_b64encode(json.dumps(header).encode("utf-8"))
+        base64.urlsafe_b64encode(json.dumps(header).encode("utf-8")).rstrip(b"=")
         + b"."
-        + base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8"))
+        + base64.urlsafe_b64encode(json.dumps(payload).encode("utf-8")).rstrip(b"=")
         + b"."
     )
 
diff --git a/python/dazl/ledger/grpc/channel.py b/python/dazl/ledger/grpc/channel.py
@@ -66,6 +66,7 @@ def __call__(self, context: "AuthMetadataContext", callback: "AuthMetadataPlugin
         # TODO: Add support here for refresh tokens
         token = self._config.access.token
         if token:
-            options.append(("Authorization", "Bearer " + self._config.access.token))
+            # note: gRPC headers MUST be lowercased
+            options.append(("authorization", "Bearer " + self._config.access.token))
 
         callback(tuple(options), None)
diff --git a/python/tests/unit/test_ledger_config_access.py b/python/tests/unit/test_ledger_config_access.py
@@ -0,0 +1,13 @@
+# Copyright (c) 2017-2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+from dazl.ledger.config import PropertyBasedAccessConfig
+from dazl.ledger.config.access import DamlLedgerApiNamespace
+from dazl.prim import Party
+import jwt
+
+
+def test_access_jwts_are_valid():
+    config = PropertyBasedAccessConfig(act_as=[Party("Alice")])
+    claims = jwt.decode(config.token, algorithms=["none"], options={"verify_signature": False})
+
+    assert claims[DamlLedgerApiNamespace]["actAs"] == ["Alice"]
diff --git a/python/tests/unit/test_ledger_config_argv.py b/python/tests/unit/test_ledger_config_argv.py
@@ -1,3 +1,6 @@
+# Copyright (c) 2017-2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
 import argparse
 from io import StringIO
 import logging
diff --git a/python/tests/unit/test_ledger_config_url.py b/python/tests/unit/test_ledger_config_url.py
@@ -1,3 +1,6 @@
+# Copyright (c) 2017-2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
 from urllib.parse import urlparse
 
 from dazl.ledger.config import create_url
