Fix python3.2 failing jwt tests

codejudas · codejudas · commit 05133ff28d3e · 2017-02-21T11:02:11.000-08:00
diff --git a/twilio/jwt/__init__.py b/twilio/jwt/__init__.py
@@ -1,3 +1,12 @@
+import hmac
+import sys
+
+from twilio.jwt import compat
+
+if sys.version_info[0] == 3 and sys.version_info[1] == 2:
+    # PyJWT expects hmac.compare_digest to exist even under python 3.2
+    hmac.compare_digest = compat.compare_digest
+
 import jwt as jwt_lib
 
 try:
@@ -140,7 +149,7 @@ def from_jwt(cls, jwt, key=''):
         verify = True if key else False
 
         try:
-            payload = jwt_lib.decode(jwt, key, verify=verify, options={
+            payload = jwt_lib.decode(bytes(jwt), key, verify=verify, options={
                 'verify_signature': True,
                 'verify_exp': True,
                 'verify_nbf': True,
diff --git a/twilio/jwt/compat.py b/twilio/jwt/compat.py
@@ -0,0 +1,23 @@
+##
+## PyJWT expects hmac.compare_digest to exist for all Python 3.x, however it was added in Python > 3.3
+## Copied from: https://github.com/python/cpython/commit/6cea65555caf2716b4633827715004ab0291a282#diff-c49659257ec1b129707ce47a98adc96eL16
+##
+def compare_digest(a, b):
+    """Returns the equivalent of 'a == b', but avoids content based short
+    circuiting to reduce the vulnerability to timing attacks."""
+    # Consistent timing matters more here than data type flexibility
+    if not (isinstance(a, bytes) and isinstance(b, bytes)):
+        raise TypeError("inputs must be bytes instances")
+
+    # We assume the length of the expected digest is public knowledge,
+    # thus this early return isn't leaking anything an attacker wouldn't
+    # already know
+    if len(a) != len(b):
+        return False
+
+    # We assume that integers in the bytes range are all cached,
+    # thus timing shouldn't vary much due to integer object creation
+    result = 0
+    for x, y in zip(a, b):
+        result |= x ^ y
+    return result == 0
