require kid

Author: ceorourke

src/sentry/integrations/jira/webhooks/installed.py

@@ -1,6 +1,8 @@
 import sentry_sdk
 from django.db import router, transaction
-from jwt import DecodeError, ExpiredSignatureError, InvalidAlgorithmError, InvalidSignatureError
+from jwt import (
+    InvalidKeyError,
+)
 from rest_framework import status
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -21,9 +23,6 @@
 )
 from sentry.utils import jwt
 
-# Atlassian sends scanner bots to "test" Atlassian apps and they often hit this endpoint with a bad kid causing errors
-INVALID_KEY_IDS = ["fake-kid"]
-
 
 @control_silo_endpoint
 class JiraSentryInstalledWebhook(JiraWebhookBase):
@@ -57,36 +56,17 @@ def post(self, request: Request, *args, **kwargs) -> Response:
                 }
             )
 
-            if key_id:
-                if key_id in INVALID_KEY_IDS:
-                    lifecycle.record_halt(halt_reason="JWT contained invalid key_id (kid)")
-                    return self.respond(
-                        {"detail": "Invalid key id"}, status=status.HTTP_400_BAD_REQUEST
-                    )
+            if not key_id:
+                lifecycle.record_halt(halt_reason="Missing key_id (kid)")
+                return self.respond(
+                    {"detail": "Missing key id"}, status=status.HTTP_400_BAD_REQUEST
+                )
+            try:
                 decoded_claims = authenticate_asymmetric_jwt(token, key_id)
-            else:
-                shared_secret = state.get("sharedSecret")
-                if not shared_secret:
-                    return self.respond(
-                        {"detail": "Missing shared secret"}, status=status.HTTP_400_BAD_REQUEST
-                    )
-                try:
-                    decoded_claims = jwt.decode(token, shared_secret, audience=False)
-                except (
-                    InvalidSignatureError,
-                    ExpiredSignatureError,
-                    DecodeError,
-                    InvalidAlgorithmError,
-                ):
-                    return self.respond(
-                        {"detail": "Invalid JWT"}, status=status.HTTP_400_BAD_REQUEST
-                    )
-
-            if decoded_claims.get("iss") != state.get("clientKey"):
-                lifecycle.record_halt(halt_reason="JWT issuer does not match client key")
+            except InvalidKeyError:
+                lifecycle.record_halt(halt_reason="JWT contained invalid key_id (kid)")
                 return self.respond(
-                    {"detail": "JWT issuer does not match client key"},
-                    status=status.HTTP_400_BAD_REQUEST,
+                    {"detail": "Invalid key id"}, status=status.HTTP_400_BAD_REQUEST
                 )
 
             verify_claims(decoded_claims, request.path, request.GET, method="POST")

tests/sentry/integrations/jira/test_installed.py

@@ -111,19 +111,6 @@ def test_no_claims(self, mock_authenticate_asymmetric_jwt: MagicMock) -> None:
             status_code=status.HTTP_409_CONFLICT,
         )
 
-    @patch("sentry.integrations.utils.metrics.EventLifecycle.record_event")
-    @patch("sentry_sdk.set_tag")
-    def test_with_shared_secret(self, mock_set_tag: MagicMock, mock_record_event) -> None:
-        self.get_success_response(
-            **self.body(),
-            extra_headers=dict(HTTP_AUTHORIZATION="JWT " + self.jwt_token_secret()),
-        )
-        integration = Integration.objects.get(provider="jira", external_id=self.external_id)
-
-        mock_set_tag.assert_any_call("integration_id", integration.id)
-        assert integration.status == ObjectStatus.ACTIVE
-        mock_record_event.assert_called_with(EventLifecycleOutcome.SUCCESS, None, False, None)
-
     @patch("sentry_sdk.set_tag")
     @responses.activate
     def test_with_key_id(self, mock_set_tag: MagicMock) -> None: