use customized PyJwt instance to bypass subject verification (#355)

broHeryk · yinan-symphony · commit 638306e7a135 · 2025-05-15T14:38:37.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -58,15 +58,15 @@ jobs:
         timeout-minutes: 10
 
       - name: Upload test results
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: pytest-results-${{ matrix.os }}
+          name: pytest-results-${{ matrix.os }}-${{ matrix.python-version }}-${{ github.run_id }}
           path: test-results/junit.xml
         if: ${{ always() }}
 
       - name: Upload test coverage
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: pytest-coverage-${{ matrix.os }}
+          name: pytest-coverage-${{ matrix.os }}-${{ matrix.python-version }}-${{ github.run_id }}
           path: htmlcov
         if: ${{ always() }}
diff --git a/.github/workflows/pylint.yaml b/.github/workflows/pylint.yaml
@@ -50,7 +50,7 @@ jobs:
 
       - name: Upload Pylint results
         if: ${{ always() }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: .pylint.d
           path: ~/.pylint.d
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -5,7 +5,7 @@ on: [pull_request]
 jobs:
   semgrep:
     name: run-semgrep
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     container:
       image: returntocorp/semgrep
     steps:
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -12,14 +12,14 @@ packages = [
 ]
 
 [tool.poetry.dependencies]
-python = "^3.9"
+python = ">3.9.0,<3.9.1 || >3.9.1,<4.0"
 nulltype = "^2.3.1"
 python-dateutil = "^2.8.2"
 urllib3 = "^1.26.19"
 aiohttp = "^3.10.2"
 pyyaml = "^6.0"
 PyJWT = "^2.10.0"
-cryptography = "^43.0.1"
+cryptography = "^44.0.1"
 tenacity = "^8.0.1"
 defusedxml = "^0.7.1"
 docutils = "0.16"
@@ -30,6 +30,7 @@ pylint = "^2.6.0"
 pytest-cov = "^5.0.0"
 pytest-asyncio = "^0.24.0"
 Sphinx = "^4.4.0"
+jinja2 = "^3.1.6"
 recommonmark = "^0.7.1"
 furo = "^2022.3.4"
 hazelcast-python-client = "^5.0.1"
diff --git a/symphony/bdk/core/auth/jwt_helper.py b/symphony/bdk/core/auth/jwt_helper.py
@@ -2,7 +2,7 @@
 """
 import datetime
 
-import jwt
+from jwt import PyJWT, DecodeError, ExpiredSignatureError
 from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
 from cryptography.x509 import load_pem_x509_certificate
 
@@ -13,6 +13,7 @@
 
 DEFAULT_EXPIRATION_SECONDS = (5 * 50) - 10
 
+jwt = PyJWT({"verify_sub": False})
 
 def create_signed_jwt(private_key_config: BdkRsaKeyConfig, username: str, expiration: int = None) -> str:
     """Creates a JWT with the provided user name and expiration date, signed with the provided private key.
@@ -57,7 +58,7 @@ def validate_jwt(jwt_token: str, certificate: str, allowed_audience: str) -> dic
     try:
         return jwt.decode(jwt_token, _parse_public_key_from_x509_cert(certificate),
                           algorithms=[JWT_ENCRYPTION_ALGORITHM], audience=allowed_audience)
-    except (jwt.DecodeError, jwt.ExpiredSignatureError) as exc:
+    except (DecodeError, ExpiredSignatureError) as exc:
         raise AuthInitializationError("Unable to validate the jwt") from exc
 
 
