Merge pull request #8865 from edx/nickersoft/jwt-security

XCOM-281: LMS now passes JWT issuer and expiration date to ecommerce API client
2015-07-09 16:43:07 -04:00
parent 2b51029db3 2d13e9e886
commit 825d99deee
4 changed files with 26 additions and 3 deletions
--- a/lms/djangoapps/commerce/init.py
+++ b/lms/djangoapps/commerce/init.py
@@ -23,8 +23,14 @@ def is_commerce_service_configured():

 def ecommerce_api_client(user):
    """ Returns an E-Commerce API client setup with authentication for the specified user. """
-    return EcommerceApiClient(settings.ECOMMERCE_API_URL, settings.ECOMMERCE_API_SIGNING_KEY, user.username,
-                              user.profile.name, user.email, tracking_context=create_tracking_context(user))
+    return EcommerceApiClient(settings.ECOMMERCE_API_URL,
+                              settings.ECOMMERCE_API_SIGNING_KEY,
+                              user.username,
+                              user.profile.name,
+                              user.email,
+                              tracking_context=create_tracking_context(user),
+                              issuer=settings.JWT_ISSUER,
+                              expires_in=settings.JWT_EXPIRATION)


 # this is here to support registering the signals in signals.py
--- a/lms/djangoapps/commerce/tests/init.py
+++ b/lms/djangoapps/commerce/tests/init.py
@@ -1,12 +1,17 @@
 # -*- coding: utf-8 -*-
 """ Commerce app tests package. """
+import datetime
+import json

+from django.conf import settings
 from django.test import TestCase
 from django.test.utils import override_settings
+from freezegun import freeze_time
 import httpretty
 import jwt
 import mock

+from ecommerce_api_client import auth
 from commerce import ecommerce_api_client
 from student.tests.factories import UserFactory

@@ -32,16 +37,20 @@ class EcommerceApiClientTest(TestCase):

    def setUp(self):
        super(EcommerceApiClientTest, self).setUp()
+
        self.user = UserFactory()
        self.user.email = self.TEST_USER_EMAIL
        self.user.save()  # pylint: disable=no-member

    @httpretty.activate
+    @freeze_time('2015-7-2')
+    @override_settings(JWT_ISSUER='http://example.com/oauth', JWT_EXPIRATION=30)
    def test_tracking_context(self):
        """
        Ensure the tracking context is set up in the api client correctly and
        automatically.
        """
+
        # fake an ecommerce api request.
        httpretty.register_uri(
            httpretty.POST,
@@ -49,6 +58,7 @@ class EcommerceApiClientTest(TestCase):
            status=200, body='{}',
            adding_headers={'Content-Type': JSON}
        )
+
        mock_tracker = mock.Mock()
        mock_tracker.resolve_context = mock.Mock(return_value={'client_id': self.TEST_CLIENT_ID})
        with mock.patch('commerce.tracker.get_tracker', return_value=mock_tracker):
@@ -60,11 +70,14 @@ class EcommerceApiClientTest(TestCase):
            'username': self.user.username,
            'full_name': self.user.profile.name,
            'email': self.user.email,
+            'iss': settings.JWT_ISSUER,
+            'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=settings.JWT_EXPIRATION),
            'tracking_context': {
                'lms_user_id': self.user.id,  # pylint: disable=no-member
                'lms_client_id': self.TEST_CLIENT_ID,
            },
        }
+
        expected_header = 'JWT {}'.format(jwt.encode(expected_payload, TEST_API_SIGNING_KEY))
        self.assertEqual(actual_header, expected_header)

--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -2565,3 +2565,7 @@ CREDIT_HELP_LINK_URL = "#"
 # not expected to be active; this setting simply allows administrators to
 # route any messages intended for LTI users to a common domain.
 LTI_USER_EMAIL_DOMAIN = 'lti.example.com'
+
+# Number of seconds before JWT tokens expire
+JWT_EXPIRATION = 30
+JWT_ISSUER = None
--- a/requirements/edx/github.txt
+++ b/requirements/edx/github.txt
@@ -53,7 +53,7 @@ git+https://github.com/edx/edx-lint.git@ed8c8d2a0267d4d42f43642d193e25f8bd575d9b
 -e git+https://github.com/edx/xblock-utils.git@213a97a50276d6a2504d8133650b2930ead357a0#egg=xblock-utils
 -e git+https://github.com/edx-solutions/xblock-google-drive.git@138e6fa0bf3a2013e904a085b9fed77dab7f3f21#egg=xblock-google-drive
 -e git+https://github.com/edx/edx-reverification-block.git@a286e89c73e1b788e35ac5b08a54b71a9fa63cfd#egg=edx-reverification-block
-git+https://github.com/edx/ecommerce-api-client.git@1.0.0#egg=ecommerce-api-client==1.0.0
+git+https://github.com/edx/ecommerce-api-client.git@1.1.0#egg=ecommerce-api-client==1.1.0
 -e git+https://github.com/edx/edx-user-state-client.git@64a8b603f42669bb7fdca03d364d4e8d3d6ad67d#egg=edx-user-state-client

 # Third Party XBlocks