oidc/services: fix mischaracterized error (#16197)

woodruffw · web-flow · commit cfe6489f00a1 · 2024-07-01T21:55:45.000Z
* oidc/services: fix mischaracterized error

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* formatting

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* remove non-JWT error branch

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

---------

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;
diff --git a/tests/unit/oidc/test_services.py b/tests/unit/oidc/test_services.py
@@ -106,10 +106,7 @@ def test_verify_jwt_signature(self, monkeypatch):
             )
         ]
 
-    @pytest.mark.parametrize("exc", [DecodeError, TypeError("foo")])
-    def test_verify_jwt_signature_get_key_for_token_fails(
-        self, metrics, monkeypatch, exc
-    ):
+    def test_verify_jwt_signature_get_key_for_token_fails(self, metrics, monkeypatch):
         service = services.OIDCPublisherService(
             session=pretend.stub(),
             publisher="fakepublisher",
@@ -120,8 +117,8 @@ def test_verify_jwt_signature_get_key_for_token_fails(
         )
 
         token = pretend.stub()
-        jwt = pretend.stub(decode=pretend.raiser(exc), PyJWTError=PyJWTError)
-        monkeypatch.setattr(service, "_get_key_for_token", pretend.raiser(exc))
+        jwt = pretend.stub(PyJWTError=PyJWTError)
+        monkeypatch.setattr(service, "_get_key_for_token", pretend.raiser(DecodeError))
         monkeypatch.setattr(services, "jwt", jwt)
         monkeypatch.setattr(
             services.sentry_sdk,
@@ -136,13 +133,7 @@ def test_verify_jwt_signature_get_key_for_token_fails(
                 tags=["publisher:fakepublisher"],
             )
         ]
-
-        if exc != DecodeError:
-            assert services.sentry_sdk.capture_message.calls == [
-                pretend.call(f"JWT backend raised generic error: {exc}")
-            ]
-        else:
-            assert services.sentry_sdk.capture_message.calls == []
+        assert services.sentry_sdk.capture_message.calls == []
 
     @pytest.mark.parametrize("exc", [PyJWTError, TypeError("foo")])
     def test_verify_jwt_signature_fails(self, metrics, monkeypatch, exc):
diff --git a/warehouse/oidc/services.py b/warehouse/oidc/services.py
@@ -222,20 +222,13 @@ def _get_key_for_token(self, token):
     def verify_jwt_signature(self, unverified_token: str) -> SignedClaims | None:
         try:
             key = self._get_key_for_token(unverified_token)
-        except Exception as e:
+        except jwt.PyJWTError:
             # The user might feed us an entirely nonsense JWT, e.g. one
             # with missing components.
             self.metrics.increment(
                 "warehouse.oidc.verify_jwt_signature.malformed_jwt",
                 tags=[f"publisher:{self.publisher}"],
             )
-
-            if not isinstance(e, jwt.PyJWTError):
-                with sentry_sdk.push_scope() as scope:
-                    scope.fingerprint = e
-                    # Similar to below: Other exceptions indicate an abstraction
-                    # leak, so we log them for upstream reporting.
-                    sentry_sdk.capture_message(f"JWT backend raised generic error: {e}")
             return None
 
         try:
