cal-itp · angela-tran · Aug 2, 2022 · Jul 25, 2022 · Jul 25, 2022 · Jul 25, 2022
@@ -23,6 +23,7 @@
 JWE_CEK_ENC = "A256CBC-HS512"
 JWE_ENCRYPTION_ALG = "RSA-OAEP"
 JWS_SIGNING_ALG = "RS256"
+SUB_FORMAT_REGEX = os.environ.get("SUB_FORMAT_REGEX", ".*")
 
 # Hash Configs from .env file
 

@@ -81,6 +81,28 @@ def _make_token(self, payload):
         encrypted_token.make_encrypted_token(client_public_key)
         return encrypted_token.serialize()
 
+    def _get_response(self, token_payload):
+        try:
+            # craft the response payload using parsed request token
+            sub, name, eligibility = token_payload["sub"], token_payload["name"], list(token_payload["eligibility"])
+            resp_payload = dict(
+                jti=token_payload["jti"],
+                iss=settings.APP_NAME,
+                iat=int(datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).timestamp()),
+            )
+            # sub format check
+            if re.match(settings.SUB_FORMAT_REGEX, sub):
+                # eligibility check against db
+                resp_payload["eligibility"] = self._db.check_user(sub, name, eligibility)
+                code = 200
+            else:
+                resp_payload["error"] = {"sub": "invalid"}
+                code = 400
+            # make a response token with appropriate response code
+            return self._make_token(resp_payload), code
+        except Exception as ex:
+            return str(ex), 500
+
     def get(self):
         """Respond to a verification request."""
         # introduce small fake delay
@@ -102,25 +124,6 @@ def get(self):
             return str(ex), 400
 
         if token_payload:
-            try:
-                # craft the response payload using parsed request token
-                sub, name, eligibility = token_payload["sub"], token_payload["name"], list(token_payload["eligibility"])
-                resp_payload = dict(
-                    jti=token_payload["jti"],
-                    iss=settings.APP_NAME,
-                    iat=int(datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).timestamp()),
-                )
-                # sub format check
-                if re.match(r"^[A-Z]\d{7}$", sub):
-                    # eligibility check against db
-                    resp_payload["eligibility"] = self._db.check_user(sub, name, eligibility)
-                    code = 200
-                else:
-                    resp_payload["error"] = {"sub": "invalid"}
-                    code = 400
-                # make a response token with appropriate response code
-                return self._make_token(resp_payload), code
-            except Exception as ex:
-                return str(ex), 500
+            return self._get_response(token_payload)
         else:
             return "Invalid token format", 400
@@ -1,2 +1,3 @@
 IMPORT_FILE_PATH=data/server.csv
 INPUT_HASH_ALGO=sha512
+SUB_FORMAT_REGEX=test\\
@@ -1,2 +1,3 @@
 coverage
 pytest
+pytest-mock
@@ -33,3 +33,8 @@ def test_hash_settings_env():
 def test_debug():
     if settings.DEBUG_MODE:
         assert True
+
+
+@pytest.mark.settingstest
+def test_sub_format_regex_env():
+    assert settings.SUB_FORMAT_REGEX == "test\\"
@@ -0,0 +1,23 @@
+import json
+import uuid
+
+from eligibility_server.verify import Verify
+
+
+def test_Verify_get_response_sub_format_match(mocker):
+    mocker.patch("eligibility_server.settings.SUB_FORMAT_REGEX", r"^[A-Z]\d{7}$")
+    token_payload = json.loads(json.dumps(dict(sub="A1234567", name="Garcia", eligibility=["type1"], jti=str(uuid.uuid4()))))
+
+    response = Verify()._get_response(token_payload)
+
+    assert response[1] == 200
+
+
+def test_Verify_get_response_sub_format_no_match(mocker):
+    mocker.patch("eligibility_server.settings.SUB_FORMAT_REGEX", r"^[A-Z]\d{7}$")
+    # "sub" value does not match the format regex
+    token_payload = json.loads(json.dumps(dict(sub="nomatch", name="Garcia", eligibility=["type1"], jti=str(uuid.uuid4()))))
+
+    response = Verify()._get_response(token_payload)
+
+    assert response[1] == 400