This is an automated email from the ASF dual-hosted git repository.

arm pushed a commit to branch arm
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git

commit 2e26ef9b8b57d8d18ef323155557dc3223e93ad1
Author: Alastair McFarlane <[email protected]>
AuthorDate: Thu Mar 12 14:32:51 2026 +0000

    #676 Validate exp and nbf when loading pydantic model for GitHub token.
---
 atr/models/github.py              | 20 ++++++++++++++++++++
 tests/unit/test_checks_compare.py |  2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/atr/models/github.py b/atr/models/github.py
index d20ac73f..0797d139 100644
--- a/atr/models/github.py
+++ b/atr/models/github.py
@@ -17,6 +17,10 @@
 
 from __future__ import annotations
 
+import time
+
+import pydantic
+
 from . import schema
 
 
@@ -51,3 +55,19 @@ class TrustedPublisherPayload(schema.Subset):
     workflow: str
     workflow_ref: str
     workflow_sha: str
+
+    @pydantic.field_validator("exp")
+    @classmethod
+    def _validate_exp(cls, value: int) -> int:
+        now = int(time.time())
+        if now > value:
+            raise ValueError("Token has expired")
+        return value
+
+    @pydantic.field_validator("nbf")
+    @classmethod
+    def _validate_nbf(cls, value: int | None) -> int | None:
+        now = int(time.time())
+        if value and now < value:
+            raise ValueError("Token not yet valid")
+        return value
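Review bot: The `exp` check on the `now > value` line still accepts a token whose `exp` equals the current second, whereas RFC 7519 §4.1.4 requires the current time to be strictly before `exp`, so the condition should be `if now >= value:`. In `_validate_nbf`, `if value and now < value` also treats an `nbf` of `0` as absent; `if value is not None and now < value:` expresses the intent without that edge. Consider a small shared leeway constant of a few seconds applied to both comparisons, since the claims are compared against the local clock and the existing test fixture had to be changed for exactly this reason. These validators only check claim timing; I assume the signature and the `iss`/`aud` claims are verified before the payload reaches this model, which is not visible in this hunk. The enclosing `TrustedPublisherPayload` class starts outside the hunk.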
diff --git a/tests/unit/test_checks_compare.py 
b/tests/unit/test_checks_compare.py
index b608241d..4de719a9 100644
--- a/tests/unit/test_checks_compare.py
+++ b/tests/unit/test_checks_compare.py
@@ -871,7 +871,7 @@ def _make_payload(
         "enterprise": "",
         "enterprise_id": "",
         "event_name": "push",
-        "exp": 1,
+        "exp": 99999999999,
         "head_ref": "",
         "iat": 1,
         "iss": "issuer",
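Review bot: The fixture change on the `exp` line keeps the existing compare tests passing, but per the diffstat nothing in this commit exercises the new rejection paths, so a regression in `_validate_exp` or `_validate_nbf` would go unnoticed. Two cases that build a payload with `exp` in the past and with `nbf` in the future and assert that `pydantic.ValidationError` is raised would pin the behaviour. Deriving the far-future value from `int(time.time()) + 3600` instead of the literal `99999999999` would also make the intent obvious to a reader. `_make_payload` starts outside the hunk.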

