diff test/test_config.py @ 7809:be6cb2e0d471
feat: add support for rotating jwt keys
This allows jwt_secret to have multiple ',' separated secrets. The
first/leftmost should be used to sign new JWTs. All of them are used
(starting from left/newest) to try to verify a JWT.
If the first secret is < 32 chars in length JWTs are disabled. If any
of the other secrets are < 32 chars, the configuration code causes the
software to exit. This prevents insecure (too short) secrets from
being used.
Updated doc examples and tests.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 14 Mar 2024 19:04:19 -0400 |
| parents | a5629f6e7ec2 |
| children | 011941fcb598 |
--- a/test/test_config.py Wed Mar 13 18:25:59 2024 -0400 +++ b/test/test_config.py Thu Mar 14 19:04:19 2024 -0400 @@ -623,6 +623,25 @@ self.assertEqual(v, "test") + def testListSecret_for_jwt_invalid_secret(self): + """A jwt_secret is made of ',' separated strings. + If the first string is < 32 characters (like the default + value of disabled) then jwt is disabled and no harm done. + If any other secrets are <32 characters we raise a red flag + on startup to prevent them from being used. + """ + self.munge_configini(mods=[ ("jwt_secret = ", "disable, test"), ]) + + config = configuration.CoreConfig() + + with self.assertRaises(configuration.OptionValueError) as cm: + config.load(self.dirname) + + print(cm.exception.args) + self.assertEqual( + cm.exception.args[2], + "One or more secrets less then 32 characters in length\nfound: test") + def testSetMailPassword_with_set_username(self): """ Set [mail] username and set the password. Should have both values set.
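
Review bot: The message asserted in the final `assertEqual` ends with "found: test", which means the configuration error echoes the rejected secret value itself; a real secret that is merely too short would then appear in startup output and any log that captures it. Consider reporting the position or length of the offending entry instead of its value. While touching that string, "less then 32 characters" should read "less than", changed in the configuration code and in this assertion together. The `print(cm.exception.args)` line looks like leftover debugging and can be dropped. The test data `"disable, test"` only covers a short first secret followed by a short second one; adding a case with a valid first secret of 32 or more characters and a short later secret would exercise the rotation path the docstring describes, where JWTs are enabled and the short secret would otherwise be used for verification.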
