chore: update all libs to latest versions and fix jws conflict

Latest crypto library update introduced a change that this fixes as
well.

Closes #453

README.md

@@ -1,4 +1,4 @@
-[![codecov.io](https://img.shields.io/codecov/c/github/mozilla-services/autopush/master.svg)](https://codecov.io/github/mozilla-services/autopush?branch=master) [![Build Status](https://travis-ci.org/mozilla-services/autopush.svg?branch=master)](https://travis-ci.org/mozilla-services/autopush) [![Docs](https://readthedocs.org/projects/docs/badge/?version=latest)](http://autopush.readthedocs.org/)
+[![codecov.io](https://img.shields.io/codecov/c/github/mozilla-services/autopush/master.svg)](https://codecov.io/github/mozilla-services/autopush?branch=master) [![Build Status](https://travis-ci.org/mozilla-services/autopush.svg?branch=master)](https://travis-ci.org/mozilla-services/autopush) [![Docs](https://readthedocs.org/projects/docs/badge/?version=latest)](http://autopush.readthedocs.org/) [![Requirements Status](https://requires.io/github/mozilla-services/autopush/requirements.svg?branch=master)](https://requires.io/github/mozilla-services/autopush/requirements/?branch=master)
 
 # Autopush
 

autopush/tests/test_endpoint.py

@@ -797,7 +797,7 @@ def test_post_webpush_with_vapid_auth(self):
 
             kd2 = utils.base64url_decode(crypto_key)
             vk2 = ecdsa.VerifyingKey.from_string(kd2, curve=ecdsa.NIST256p)
-            res = jws.verify(token, vk2, algorithms=["ES256"])
+            res = json.loads(jws.verify(token, vk2, algorithms=["ES256"]))
             eq_(res, payload)
         """
         self.request_mock.headers["crypto-key"] = \

autopush/utils.py

@@ -2,6 +2,7 @@
 import base64
 import hashlib
 import hmac
+import json
 import socket
 import uuid
 
@@ -115,7 +116,11 @@ def extract_jwt(token, crypto_key):
 
     key = decipher_public_key(crypto_key)
     vk = ecdsa.VerifyingKey.from_string(key, curve=ecdsa.NIST256p)
-    return jws.verify(token, vk, algorithms=["ES256"])
+    # jose offers jwt.decode(token, vk, ...) which does a full check
+    # on the JWT object. Vapid is a bit more creative in how it
+    # stores data into a JWT and breaks expectations. We would have to
+    # turn off most of the validation in order for it to be useful.
+    return json.loads(jws.verify(token, vk, algorithms=["ES256"]))
 
 
 class ErrorLogger(object):

doc-requirements.txt

@@ -1,53 +1,61 @@
 sphinx>=1.3.1
 sphinxcontrib-httpdomain>=1.3.0
-ConfigArgParse==0.9.3
+ConfigArgParse==0.10.0
 Flask==0.10.1
-Jinja2==2.7.3
+Jinja2==2.8
 MarkupSafe==0.23
-Twisted==15.1.0
-Werkzeug==0.10.4
+Pympler==0.4.3
+Twisted==16.1.1
+Werkzeug==0.11.9
 apns==2.0.1
-argparse==1.2.1
-autobahn==0.10.4
-boto==2.38.0
-cffi==1.1.2
+attrs==15.2.0
+autobahn[twisted]==0.14.0
+boto==2.40.0
+boto3==1.3.1
+botocore==1.4.19
+cffi==1.6.0
 characteristic==14.3.0
-cryptography==0.9.1
+contextlib2==0.5.3
+cryptography==1.3.2
 cyclone==1.1
-datadog==0.5.0
-decorator==4.0.0
+datadog==0.11.0
+decorator==4.0.9
+docutils==0.12
 ecdsa==0.13
-enum34==1.0.4
-funcsigs==0.4
+enum34==1.1.5
+funcsigs==1.0.2
+future==0.15.2
+futures==3.0.5
 gcm-client==0.1.4
-greenlet==0.4.5
-hawkauthlib==0.1.1
-httpretty==0.8.9
-idna==2.0
-ipaddress==1.0.14
+gnureadline==6.3.3
+greenlet==0.4.9
+httpretty==0.8.14
+idna==2.1
+ipaddress==1.0.16
 itsdangerous==0.24
-jws==0.1.3
-mccabe==0.3.1
-pbr==1.3.0
-pluggy==0.3.0
-pyOpenSSL==0.15.1
-pyasn1==0.1.8
-pyasn1-modules==0.0.6
+jmespath==0.9.0
+mccabe==0.4.0
+pbr==1.9.1
+pluggy==0.3.1
+pyOpenSSL==16.0.0
+pyasn1==0.1.9
+pyasn1-modules==0.0.8
 pycparser==2.14
-pyflakes==0.8.1
-python-jose==0.5.6
-Pympler==0.4.2
-raven==5.3.1
+pycrypto==2.6.1
+pyflakes==1.2.3
+python-dateutil==2.5.3
+python-jose==0.6.1
+raven==5.16.0
 repoze.lru==0.6
-requests==2.7.0
-service-identity==14.0.0
-simplejson==3.8.0
+requests==2.10.0
+service-identity==16.0.0
+simplejson==3.8.2
+six==1.10.0
 translationstring==1.3
 -e git+https://github.com/habnabit/txstatsd.git@157ef85fbdeafe23865c7c4e176237ffcb3c3f1f#egg=txStatsD-master
-txaio==1.0.0
-virtualenv==13.1.0
+txaio==2.5.1
+virtualenv==15.0.1
 wsaccel==0.6.2
-wsgiref==0.1.2
-xmltodict==0.9.2
+xmltodict==0.10.1
 zope.deprecation==4.1.2
-zope.interface==4.1.2
+zope.interface==4.1.3

requirements.txt

@@ -1,51 +1,59 @@
-ConfigArgParse==0.9.3
+ConfigArgParse==0.10.0
 Flask==0.10.1
-Jinja2==2.7.3
+Jinja2==2.8
 MarkupSafe==0.23
-Twisted==16.0.0
-Werkzeug==0.10.4
+Pympler==0.4.3
+Twisted==16.1.1
+Werkzeug==0.11.9
 apns==2.0.1
-argparse==1.2.1
-autobahn[twisted]==0.13.0
-boto==2.38.0
-boto3==1.3.0
-cffi==1.5.2
+attrs==15.2.0
+autobahn[twisted]==0.14.0
+boto==2.40.0
+boto3==1.3.1
+botocore==1.4.19
+cffi==1.6.0
 characteristic==14.3.0
-cryptography==1.2.3
+contextlib2==0.5.3
+cryptography==1.3.2
 cyclone==1.1
-datadog==0.5.0
-decorator==4.0.0
+datadog==0.11.0
+decorator==4.0.9
+docutils==0.12
 ecdsa==0.13
-enum34==1.0.4
-funcsigs==0.4
+enum34==1.1.5
+funcsigs==1.0.2
+future==0.15.2
+futures==3.0.5
 gcm-client==0.1.4
-greenlet==0.4.5
-httpretty==0.8.9
-idna==2.0
-ipaddress==1.0.14
+gnureadline==6.3.3
+greenlet==0.4.9
+httpretty==0.8.14
+idna==2.1
+ipaddress==1.0.16
 itsdangerous==0.24
-mccabe==0.3.1
-pbr==1.3.0
-pluggy==0.3.0
-pyOpenSSL==0.15.1
-pyasn1==0.1.8
-pyasn1-modules==0.0.6
+jmespath==0.9.0
+mccabe==0.4.0
+pbr==1.9.1
+pluggy==0.3.1
+pyOpenSSL==16.0.0
+pyasn1==0.1.9
+pyasn1-modules==0.0.8
 pycparser==2.14
-pyflakes==0.8.1
-Pympler==0.4.2
-python-jose==0.5.6
-raven==5.10.2
-gnureadline==6.3.3
+pycrypto==2.6.1
+pyflakes==1.2.3
+python-dateutil==2.5.3
+python-jose==0.6.1
+raven==5.16.0
 repoze.lru==0.6
-requests==2.7.0
-service-identity==14.0.0
-simplejson==3.8.0
+requests==2.10.0
+service-identity==16.0.0
+simplejson==3.8.2
+six==1.10.0
 translationstring==1.3
 -e git+https://github.com/habnabit/txstatsd.git@157ef85fbdeafe23865c7c4e176237ffcb3c3f1f#egg=txStatsD-master
-txaio==2.2.2
-virtualenv==13.1.0
+txaio==2.5.1
+virtualenv==15.0.1
 wsaccel==0.6.2
-wsgiref==0.1.2
-xmltodict==0.9.2
+xmltodict==0.10.1
 zope.deprecation==4.1.2
 zope.interface==4.1.3

test-requirements.txt

@@ -4,56 +4,64 @@ mock>=1.0.1
 -e git+https://github.com/habnabit/txstatsd.git@master#egg=txStatsD
 -e git+https://github.com/bbangert/moto.git@3bdb75a961148ea5aa526f0e88d9e7835a30df3a#egg=moto
 flake8
-ConfigArgParse==0.9.3
+psutil
+websocket-client
+ConfigArgParse==0.10.0
 Flask==0.10.1
-Jinja2==2.7.3
+Jinja2==2.8
 MarkupSafe==0.23
-Twisted==16.0.0
-Werkzeug==0.10.4
+Pympler==0.4.3
+Twisted==16.1.1
+Werkzeug==0.11.9
 apns==2.0.1
-argparse==1.2.1
-autobahn[twisted]==0.13.0
-boto==2.38.0
-boto3==1.3.0
-cffi==1.5.2
+attrs==15.2.0
+autobahn[twisted]==0.14.0
+boto==2.40.0
+boto3==1.3.1
+botocore==1.4.19
+cffi==1.6.0
 characteristic==14.3.0
-cryptography==1.2.3
+contextlib2==0.5.3
+cryptography==1.3.2
 cyclone==1.1
-datadog==0.5.0
-decorator==4.0.0
+datadog==0.11.0
+decorator==4.0.9
+docutils==0.12
 ecdsa==0.13
-enum34==1.0.4
-funcsigs==0.4
+enum34==1.1.5
+funcsigs==1.0.2
+future==0.15.2
+futures==3.0.5
 gcm-client==0.1.4
-greenlet==0.4.5
-httpretty==0.8.9
-idna==2.0
-ipaddress==1.0.14
+gnureadline==6.3.3
+greenlet==0.4.9
+httpretty==0.8.14
+idna==2.1
+ipaddress==1.0.16
 itsdangerous==0.24
-mccabe==0.3.1
-pbr==1.3.0
-pluggy==0.3.0
-psutil==3.1.1
-pyOpenSSL==0.15.1
-pyasn1==0.1.8
-pyasn1-modules==0.0.6
+jmespath==0.9.0
+mccabe==0.4.0
+pbr==1.9.1
+pluggy==0.3.1
+pyOpenSSL==16.0.0
+pyasn1==0.1.9
+pyasn1-modules==0.0.8
 pycparser==2.14
-pyflakes==0.8.1
-Pympler==0.4.2
-python-jose==0.5.6
-raven==5.3.1
-gnureadline==6.3.3
+pycrypto==2.6.1
+pyflakes==1.2.3
+python-dateutil==2.5.3
+python-jose==0.6.1
+raven==5.16.0
 repoze.lru==0.6
-requests==2.7.0
-service-identity==14.0.0
-simplejson==3.8.0
+requests==2.10.0
+service-identity==16.0.0
+simplejson==3.8.2
+six==1.10.0
 translationstring==1.3
 -e git+https://github.com/habnabit/txstatsd.git@157ef85fbdeafe23865c7c4e176237ffcb3c3f1f#egg=txStatsD-master
-txaio==2.2.2
-virtualenv==13.1.0
-websocket-client==0.32.0
+txaio==2.5.1
+virtualenv==15.0.1
 wsaccel==0.6.2
-wsgiref==0.1.2
-xmltodict==0.9.2
+xmltodict==0.10.1
 zope.deprecation==4.1.2
 zope.interface==4.1.3