spec: Allow expired JWTs to be used in contract tests

This will make the ignore_expiration flag always be used when decoding a JWT, so long as the 'a course with live events' provider state is being used. Also makes the proxy_app no longer override the Authorization header if the contents look like a JWT (even if it's an invalid JWT). fixes PLAT-5062 Change-Id: Ib69bce4821502c8853f2dd566762f2cd88f95aef Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/215090 Reviewed-by: Marc Phillips <[email protected]> Tested-by: Jenkins QA-Review: Tucker Mcknight <[email protected]> Product-Review: Tucker Mcknight <[email protected]>
ralacas · Oct 30, 2019 · de87b5b · de87b5b
1 parent 5eede9d
commit de87b5b
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 3 deletions.
diff --git a/spec/contracts/service_consumers/api/provider_states_for_consumer/oauth_provider_states.rb b/spec/contracts/service_consumers/api/provider_states_for_consumer/oauth_provider_states.rb
@@ -54,4 +54,23 @@
         to receive(:get_jwk_from_url).and_return(jwk)
     end
   end
+
+  provider_state 'a course with live events' do
+    set_up do
+      Canvas::Security.class_eval do
+        @old_decode_jwt = self.method(:decode_jwt)
+
+        def self.decode_jwt(body, keys = [])
+          @old_decode_jwt.call(body, keys, ignore_expiration: true)
+        end
+      end
+    end
+
+    tear_down do
+      Canvas::Security.class_eval do
+        define_singleton_method(:decode_jwt, @old_decode_jwt)
+        remove_instance_variable(:@old_decode_jwt)
+      end
+    end
+  end
 end
diff --git a/spec/contracts/service_consumers/api/proxy_app.rb b/spec/contracts/service_consumers/api/proxy_app.rb
@@ -23,7 +23,7 @@ class PactApiConsumerProxy
   def call(env)
     # Users calling the API will know the user name of the
     # user that they want to identify as. For example, "Admin1".
-    if expects_auth_header?(env)
+    if expects_auth_header_added?(env)
       user = find_requesting_user(env)
 
       # You can create an access token without having a pseudonym;
@@ -44,8 +44,24 @@ def call(env)
 
   private
 
-  def expects_auth_header?(env)
-    env[AUTH_HEADER]
+  def expects_auth_header_added?(env)
+    # If the auth header exists, and can *not* be read
+    # as a JWT, then we add an access token to it.
+    # If it can be read as a JWT, then leave it as it is.
+    if env[AUTH_HEADER]
+      begin
+        JSON::JWT.decode(env[AUTH_HEADER].split.last) # Remove the "Bearer "
+      rescue JSON::JWT::InvalidFormat
+        return true
+      rescue Exception
+        # Other exceptions (like VerificationFailed) are OK -- we do not
+        # expect a new token to be filled in if we get here. JWT
+        # verification should be stubbed in the provider state.
+        return false
+      end
+    else
+      false
+    end
   end
 
   def find_requesting_user(env)