Refactor audience checking in crypt.verify_signed_jwt_with_certs.

dhermes · dhermes · commit f7f279266ba5 · 2015-09-01T09:58:33.000-07:00
Moved check into protected function _check_audience.
diff --git a/oauth2client/crypt.py b/oauth2client/crypt.py
@@ -119,7 +119,29 @@ def _verify_signature(message, signature, certs):
     raise AppIdentityError('Invalid token signature')
 
 
-def verify_signed_jwt_with_certs(jwt, certs, audience):
+def _check_audience(payload_dict, audience):
+    """Checks audience field from a JWT payload.
+
+    Does nothing if the passed in ``audience`` is null.
+
+    Args:
+        payload_dict: dict, A dictionary containing a JWT payload.
+        audience: string or NoneType, an audience to check for in
+                  the JWT payload.
+    """
+    if audience is None:
+        return
+
+    audience_in_payload = payload_dict.get('aud')
+    if audience_in_payload is None:
+        raise AppIdentityError('No aud field in token: %s' %
+                               (payload_dict,))
+    if audience_in_payload != audience:
+        raise AppIdentityError('Wrong recipient, %s != %s: %s' %
+                               (audience_in_payload, audience, payload_dict))
+
+
+def verify_signed_jwt_with_certs(jwt, certs, audience=None):
     """Verify a JWT against public certs.
 
     See http://self-issued.info/docs/draft-jones-json-web-token.html.
@@ -180,13 +202,6 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
                                (now, latest, payload_bytes))
 
     # Check audience.
-    if audience is not None:
-        aud = payload_dict.get('aud')
-        if aud is None:
-            raise AppIdentityError('No aud field in token: %s' %
-                                   (payload_bytes,))
-        if aud != audience:
-            raise AppIdentityError('Wrong recipient, %s != %s: %s' %
-                                   (aud, audience, payload_bytes))
+    _check_audience(payload_dict, audience)
 
     return payload_dict
diff --git a/tests/test_crypt.py b/tests/test_crypt.py
@@ -148,6 +148,34 @@ def test_failure(self):
             verifier.verify.assert_called_once_with(message, signature)
 
 
+class Test__check_audience(unittest.TestCase):
+
+    def test_null_audience(self):
+        result = crypt._check_audience(None, None)
+        self.assertEqual(result, None)
+
+    def test_success(self):
+        audience = 'audience'
+        payload_dict = {'aud': audience}
+        result = crypt._check_audience(payload_dict, audience)
+        # No exception and no result.
+        self.assertEqual(result, None)
+
+    def test_missing_aud(self):
+        audience = 'audience'
+        payload_dict = {}
+        self.assertRaises(crypt.AppIdentityError, crypt._check_audience,
+                          payload_dict, audience)
+
+    def test_wrong_aud(self):
+        audience1 = 'audience1'
+        audience2 = 'audience2'
+        self.assertNotEqual(audience1, audience2)
+        payload_dict = {'aud': audience1}
+        self.assertRaises(crypt.AppIdentityError, crypt._check_audience,
+                          payload_dict, audience2)
+
+
 class _MockOrderedDict(object):
 
     def __init__(self, *values):
