Better exception handling for JWT condition evaluation

nucypher/policy/conditions/exceptions.py

@@ -62,3 +62,7 @@ class RPCExecutionFailed(ConditionEvaluationFailed):
 
 class JsonRequestException(ConditionEvaluationFailed):
     """Raised when an exception is raised from a JSON request."""
+
+
+class JWTException(ConditionEvaluationFailed):
+    """Raised when an exception is raised when validating a JWT token"""

nucypher/policy/conditions/jwt.py

@@ -11,6 +11,7 @@ from nucypher.policy.conditions.context import (
     is_context_variable,
     resolve_any_context_variables,
 )
+from nucypher.policy.conditions.exceptions import JWTException
 from nucypher.policy.conditions.lingo import (
     ConditionType,
     ExecutionCallAccessControlCondition,
@@ -97,9 +98,9 @@ class JWTVerificationCall(ExecutionCall):
                 issuer=self.expected_issuer,
             )
         except jwt.exceptions.InvalidAlgorithmError:
-            raise  # TODO: raise something specific
-        except jwt.exceptions.DecodeError:
-            raise
+            raise JWTException(f"valid algorithms: {self._valid_jwt_algorithms}")
+        except jwt.exceptions.InvalidTokenError as e:
+            raise JWTException(e)
 
         return payload
 
@@ -157,11 +158,6 @@ class JWTCondition(ExecutionCallAccessControlCondition):
         return self.execution_call.expected_issuer
 
     def verify(self, **context) -> Tuple[bool, Any]:
-        try:
-            payload = self.execution_call.execute(**context)
-            result = True  # TODO: Additional condition checks
-        except Exception:  # TODO: specific exceptions
-            payload = None
-            result = False
-
+        payload = self.execution_call.execute(**context)
+        result = True
         return result, payload

tests/unit/conditions/test_jwt_condition.py

@@ -8,7 +8,7 @@ from cryptography.hazmat.primitives.asymmetric import ec
 from marshmallow import validates
 
 from nucypher.policy.conditions.base import ExecutionCall
-from nucypher.policy.conditions.exceptions import InvalidCondition
+from nucypher.policy.conditions.exceptions import InvalidCondition, JWTException
 from nucypher.policy.conditions.jwt import JWTCondition, JWTVerificationCall
 
 TEST_ECDSA_PRIVATE_KEY_RAW_B64 = (
@@ -194,7 +194,7 @@ def test_jwt_condition_verify_with_correct_issuer():
     assert result == {"iss": "Isabel"}
 
 
-def test_jwt_condition_verify_with_incorrect_issuer():
+def test_jwt_condition_verify_with_invalid_issuer():
     token = jwt_token(with_iat=False, claims={"iss": "Isabel"})
     condition = JWTCondition(
         jwt_token=":anotherContextVariableForJWTs",
@@ -203,9 +203,8 @@ def test_jwt_condition_verify_with_incorrect_issuer():
     )
 
     context = {":anotherContextVariableForJWTs": token}
-    success, result = condition.verify(**context)
-    assert not success
-    assert result is None
+    with pytest.raises(JWTException, match="Invalid issuer"):
+        _ = condition.verify(**context)
 
 
 def test_jwt_condition_verify_expired_token():
@@ -218,9 +217,8 @@ def test_jwt_condition_verify_expired_token():
     )
 
     context = {":contextVar": expired_token}
-    success, result = condition.verify(**context)
-    assert not success
-    assert result is None
+    with pytest.raises(JWTException, match="Signature has expired"):
+        _ = condition.verify(**context)
 
 
 def test_jwt_condition_verify_valid_token_with_expiration():