record fail for expired signature, add test cases

Author: ceorourke

src/sentry/integrations/jira/webhooks/installed.py

@@ -67,16 +67,26 @@ def post(self, request: Request, *args, **kwargs) -> Response:
                 return self.respond(
                     {"detail": "Invalid key id"}, status=status.HTTP_400_BAD_REQUEST
                 )
-            except (InvalidSignatureError, ExpiredSignatureError):
-                lifecycle.record_halt(halt_reason="JWT contained invalid or expired signature")
+            except ExpiredSignatureError as e:
+                lifecycle.record_failure(e)
                 return self.respond(
-                    {"detail": "Invalid or expired signature"}, status=status.HTTP_400_BAD_REQUEST
+                    {"detail": "Expired signature"}, status=status.HTTP_400_BAD_REQUEST
+                )
+            except InvalidSignatureError:
+                lifecycle.record_halt(halt_reason="JWT contained invalid signature")
+                return self.respond(
+                    {"detail": "Invalid signature"}, status=status.HTTP_400_BAD_REQUEST
                 )
             except DecodeError:
                 lifecycle.record_halt(halt_reason="Could not decode JWT token")
                 return self.respond(
                     {"detail": "Could not decode JWT token"}, status=status.HTTP_400_BAD_REQUEST
                 )
+            except Exception:
+                lifecycle.record_halt("JWT authentication failed")
+                return self.respond(
+                    {"detail": "JWT authentication failed"}, status=status.HTTP_400_BAD_REQUEST
+                )
 
             data = JiraIntegrationProvider().build_integration(state)
             integration = ensure_integration(self.provider, data)

tests/sentry/integrations/jira/test_installed.py

@@ -6,6 +6,7 @@
 
 import jwt
 import responses
+from jwt import DecodeError, ExpiredSignatureError, InvalidSignatureError
 from rest_framework import status
 
 from sentry.constants import ObjectStatus
@@ -16,7 +17,11 @@
     AtlassianConnectValidationError,
     get_query_hash,
 )
-from sentry.testutils.asserts import assert_count_of_metric, assert_halt_metric
+from sentry.testutils.asserts import (
+    assert_count_of_metric,
+    assert_failure_metric,
+    assert_halt_metric,
+)
 from sentry.testutils.cases import APITestCase
 from sentry.testutils.silo import control_silo_test
 from sentry.utils.http import absolute_uri
@@ -104,7 +109,85 @@ def test_no_claims(self, mock_authenticate_asymmetric_jwt: MagicMock) -> None:
         self.get_error_response(
             **self.body(),
             extra_headers=dict(HTTP_AUTHORIZATION="JWT " + self.jwt_token_cdn()),
-            status_code=status.HTTP_409_CONFLICT,
+            status_code=status.HTTP_400_BAD_REQUEST,
+        )
+
+    @patch(
+        "sentry.integrations.jira.webhooks.installed.authenticate_asymmetric_jwt",
+        side_effect=ExpiredSignatureError(),
+    )
+    @patch("sentry.integrations.utils.metrics.EventLifecycle.record_event")
+    @responses.activate
+    def test_expired_signature(
+        self, mock_record_event: MagicMock, mock_authenticate_asymmetric_jwt: MagicMock
+    ) -> None:
+        self.add_response()
+
+        self.get_error_response(
+            **self.body(),
+            extra_headers=dict(HTTP_AUTHORIZATION="JWT " + self.jwt_token_cdn()),
+            status_code=status.HTTP_400_BAD_REQUEST,
+        )
+        # SLO metric asserts
+        # ENSURE_CONTROL_SILO (success) -> VERIFY_INSTALLATION (failure) -> GET_CONTROL_RESPONSE (success)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.STARTED, 3)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.FAILURE, 1)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.SUCCESS, 2)
+        assert_failure_metric(
+            mock_record_event,
+            ExpiredSignatureError(),
+        )
+
+    @patch(
+        "sentry.integrations.jira.webhooks.installed.authenticate_asymmetric_jwt",
+        side_effect=InvalidSignatureError(),
+    )
+    @patch("sentry.integrations.utils.metrics.EventLifecycle.record_event")
+    @responses.activate
+    def test_invalid_signature(
+        self, mock_record_event: MagicMock, mock_authenticate_asymmetric_jwt: MagicMock
+    ) -> None:
+        self.add_response()
+
+        self.get_error_response(
+            **self.body(),
+            extra_headers=dict(HTTP_AUTHORIZATION="JWT " + self.jwt_token_cdn()),
+            status_code=status.HTTP_400_BAD_REQUEST,
+        )
+        # SLO metric asserts
+        # ENSURE_CONTROL_SILO (success) -> VERIFY_INSTALLATION (halt) -> GET_CONTROL_RESPONSE (success)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.STARTED, 3)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.HALTED, 1)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.SUCCESS, 2)
+        assert_halt_metric(
+            mock_record_event,
+            "JWT contained invalid signature",
+        )
+
+    @patch(
+        "sentry.integrations.jira.webhooks.installed.authenticate_asymmetric_jwt",
+        side_effect=DecodeError(),
+    )
+    @patch("sentry.integrations.utils.metrics.EventLifecycle.record_event")
+    @responses.activate
+    def test_decode_error(
+        self, mock_record_event: MagicMock, mock_authenticate_asymmetric_jwt: MagicMock
+    ) -> None:
+        self.add_response()
+
+        self.get_error_response(
+            **self.body(),
+            extra_headers=dict(HTTP_AUTHORIZATION="JWT " + self.jwt_token_cdn()),
+            status_code=status.HTTP_400_BAD_REQUEST,
+        )
+        # SLO metric asserts
+        # ENSURE_CONTROL_SILO (success) -> VERIFY_INSTALLATION (halt) -> GET_CONTROL_RESPONSE (success)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.STARTED, 3)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.HALTED, 1)
+        assert_count_of_metric(mock_record_event, EventLifecycleOutcome.SUCCESS, 2)
+        assert_halt_metric(
+            mock_record_event,
+            "Could not decode JWT token",
         )
 
     @patch("sentry_sdk.set_tag")