fix(auth): Workaround broken zope root JWT config

The existing Zope root JWT plugin configuration is broken. It is configured to use the `IKeyManager` utility but there is no such utility registered in that context. [An upgrade step](f9097a0) has to be run to fix that. If the browser has previously logged into the Volto UI through the React login component, then the `auth_token` cookie will be set. If that browser is then used to access the ZMI, [the presence of the cookie triggers the token decode code path](9422195), which in turn causes the exception from the broken plugin configuration. Thus any browser logged into the Volto UI may not be able to access the ZMI in order to run the upgrade step that fixes the plugin configuration. Workaround this trap by logging a helpful error instead of causing an exception.
plone · Feb 23, 2022 · 85670ea · 85670ea
1 parent c043475
commit 85670ea
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/plone/restapi/pas/plugin.py b/src/plone/restapi/pas/plugin.py
@@ -17,12 +17,15 @@
 from Products.PluggableAuthService.interfaces.plugins import ICredentialsUpdatePlugin
 from Products.PluggableAuthService.interfaces.plugins import ICredentialsResetPlugin
 from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
+from zope import component
 from zope.component import getUtility
 from zope.interface import implementer
 
 import jwt
+import logging
 import time
 
+logger = logging.getLogger(__name__)
 
 manage_addJWTAuthenticationPlugin = PageTemplateFile(
     "add_plugin", globals(), __name__="manage_addJWTAuthenticationPlugin"
@@ -211,7 +214,15 @@ def manage_updateConfig(self, REQUEST):
 
     def _decode_token(self, token, verify=True):
         if self.use_keyring:
-            manager = getUtility(IKeyManager)
+            manager = component.queryUtility(IKeyManager)
+            if manager is None:
+                logger.error(
+                    "JWT token plugin configured to use IKeyManager "
+                    "but no utility is registered: %r\n"
+                    "Have you upgraded the `plone.restapi:default` profile?",
+                    "/".join(self.getPhysicalPath()),
+                )
+                return
             for secret in manager["_system"]:
                 if secret is None:
                     continue