Follow rfc 7515 and strip padding from JWS segments (#324)

adityanatraj · theacodes · commit ae7e4f366472 · 2019-02-14T21:02:10.000-08:00
* strip off illegal padding

* oops: remove unused import base64
diff --git a/google/auth/_helpers.py b/google/auth/_helpers.py
@@ -215,3 +215,20 @@ def padded_urlsafe_b64decode(value):
     b64string = to_bytes(value)
     padded = b64string + b'=' * (-len(b64string) % 4)
     return base64.urlsafe_b64decode(padded)
+
+
+def unpadded_urlsafe_b64encode(value):
+    """Encodes base64 strings removing any padding characters.
+
+    `rfc 7515`_ defines Base64url to NOT include any padding
+    characters, but the stdlib doesn't do that by default.
+
+    _rfc7515: https://tools.ietf.org/html/rfc7515#page-6
+
+    Args:
+        value (Union[str|bytes]): The bytes-like value to encode
+
+    Returns:
+        Union[str|bytes]: The encoded value
+    """
+    return base64.urlsafe_b64encode(value).rstrip(b'=')
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
@@ -40,7 +40,6 @@
 
 """
 
-import base64
 import collections
 import copy
 import datetime
@@ -86,13 +85,19 @@ def encode(signer, payload, header=None, key_id=None):
         header['kid'] = key_id
 
     segments = [
-        base64.urlsafe_b64encode(json.dumps(header).encode('utf-8')),
-        base64.urlsafe_b64encode(json.dumps(payload).encode('utf-8')),
+        _helpers.unpadded_urlsafe_b64encode(
+            json.dumps(header).encode('utf-8')
+        ),
+        _helpers.unpadded_urlsafe_b64encode(
+            json.dumps(payload).encode('utf-8')
+        ),
     ]
 
     signing_input = b'.'.join(segments)
     signature = signer.sign(signing_input)
-    segments.append(base64.urlsafe_b64encode(signature))
+    segments.append(
+        _helpers.unpadded_urlsafe_b64encode(signature)
+    )
 
     return b'.'.join(segments)
 
diff --git a/tests/test__helpers.py b/tests/test__helpers.py
@@ -167,3 +167,15 @@ def test_padded_urlsafe_b64decode():
 
     for case, expected in cases:
         assert _helpers.padded_urlsafe_b64decode(case) == expected
+
+
+def test_unpadded_urlsafe_b64encode():
+    cases = [
+        (b'', b''),
+        (b'a', b'YQ'),
+        (b'aa', b'YWE'),
+        (b'aaa', b'YWFh'),
+    ]
+
+    for case, expected in cases:
+        assert _helpers.unpadded_urlsafe_b64encode(case) == expected
