darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2026-03-03 08:52:22 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
cache-performance
notifications-api/app/authentication/auth.py

112 lines
3.8 KiB
Python
Raw Permalink Normal View History

Remove, cache or hardcode anything that could be cached when sending an email Probably shouldn’t deploy this to production 😅 This shows exactly what I removed, bodged and hardcoded to test what the performance implications of caching a bunch of stuff might look like. Test command: ```bash python -m timeit -n 1 -s "import notifications_python_client; c = notifications_python_client.notifications.NotificationsAPIClient('🤫', base_url='http://localhost:6011')" "c.send_email_notification(email_address='sender@something.com', template_id='be433bfc-fe31-464b-9f2c-5be11abf2176')" ``` Before: ``` raw times: 12.1 11.9 11.8 100 loops, best of 3: 118 msec per loop ``` After ``` raw times: 11.2 10.7 10.1 100 loops, best of 3: 101 msec per loop ``` Not a big improvement… So I was curious what it was doing in those ~100ms Let’s go back to master and comment out persisting the notification to the database: ``` raw times: 12.3 10.5 10.5 100 loops, best of 3: 105 msec per loop ``` (saves about 13ms) If we comment out sending to the queue: ``` raw times: 3.43 3.24 4.88 100 loops, best of 3: 32.4 msec per loop ``` (saves about 85ms) This means most of our request time is spent waiting for SQS. If we test our fake caching while sending to the queue is commented out we get a clearer picture of the potential improvements: ``` raw times: 2.13 1.84 2.18 100 loops, best of 3: 18.4 msec per loop ``` This is a saving of 14ms, from a baseline of 32.4ms, so 56%. A typical call to fetch a service from Redis from the admin app takes about 0.6ms, for context. It’s also worth thinking about whether we’re holding a database connection longer than we need to if we still have it while talking to SQS.
2020-04-16 11:28:43 +01:00
from functools import lru_cache
Minor change in how we inteprete Incoming IP
2017-09-13 17:23:23 +01:00
from flask import request, _request_ctx_stack, current_app, g
bumped client version
2016-02-09 18:48:02 +00:00
from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
from notifications_python_client.errors import (
Catch previously uncaught jwt exceptions added in python client 5.5.0 This fixes the test in the previous commit and means we will catch other unexpected jwt errors which are now raised as `TokenError`s and raise an AuthError based on this. This will stop us serving 5xx to users when we don't catch an exception. Also runs make freeze-requirements
2020-01-24 17:29:43 +00:00
TokenDecodeError, TokenExpiredError, TokenIssuerError, TokenAlgorithmError, TokenError
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
)
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
from notifications_utils import request_helper
Minor change in how we inteprete Incoming IP
2017-09-13 17:23:23 +01:00
from sqlalchemy.exc import DataError
from sqlalchemy.orm.exc import NoResultFound
refactor authentication code moved api_key secret manipulation (generating and getting) into authentiation/utils, and added a property on the model, to facilitate easier matching of authenticated requests and the api keys they used
2016-06-29 14:15:32 +01:00
Store the service we have used to authenticate the client API user against the request. We can then use this later - saving an extra DB query on every client facing API call - Note this doesn't affect admin calls which do not use the service from the api key, but use the one passed as part of the URL path.
2017-05-05 15:19:57 +01:00
from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys
Added authorization headers for all requests
2016-01-15 16:22:03 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
Improve text for error messages
2020-01-24 17:32:41 +00:00
GENERAL_TOKEN_ERROR_MESSAGE = 'Invalid token: make sure your API token matches the example at https://docs.notifications.service.gov.uk/rest-api.html#authorisation-header' # noqa
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
class AuthError(Exception):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
def __init__(self, message, code, service_id=None, api_key_id=None):
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
self.message = {"token": [message]}
Improvements to the tests. Update AuthError with a to_dict_v2 method.
2016-11-01 10:33:34 +00:00
self.short_message = message
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
self.code = code
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
self.service_id = service_id
self.api_key_id = api_key_id
def __str__(self):
return 'AuthError({message}, {code}, service_id={service_id}, api_key_id={api_key_id})'.format(**self.__dict__)
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
Improvements to the tests. Update AuthError with a to_dict_v2 method.
2016-11-01 10:33:34 +00:00
def to_dict_v2(self):
Use status_code in error response. Remove code.
2016-11-02 14:58:39 +00:00
return {
'status_code': self.code,
update V2 error response to {status_code: 403, errors: [error: AuthError, message: token has expired}] }
2016-11-09 14:56:54 +00:00
"errors": [
{
"error": "AuthError",
"message": self.short_message
}
]
Use status_code in error response. Remove code.
2016-11-02 14:58:39 +00:00
}
Improvements to the tests. Update AuthError with a to_dict_v2 method.
2016-11-01 10:33:34 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
def get_auth_token(req):
auth_header = req.headers.get('Authorization', None)
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
if not auth_header:
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError('Unauthorized: authentication token must be provided', 401)
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
Make bearer prefix on auth header case insensitive From a support ticket: > the "Bearer" prefix on the auth header is case sensitive. Can this be > made case-insensitive? Sure can 🙃
2016-11-07 10:45:18 +00:00
auth_scheme = auth_header[:7].title()
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
if auth_scheme != 'Bearer ':
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError('Unauthorized: authentication bearer scheme must be used', 401)
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
return auth_header[7:]
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
def requires_no_auth():
pass
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
def requires_admin_auth():
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
request_helper.check_proxy_header_before_request()
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
auth_token = get_auth_token(request)
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
client = __get_token_issuer(auth_token)
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')
Make `ADMIN_CLIENT_SECRET` a list of a single secret And support this change across our code. Note, this is a halfway step where it is not a list rather than a string but still only supports a single secret, ie one item in the list.
2020-02-19 16:42:40 +00:00
Change variable name to make more descriptive Also remove unnecessary if statement Also add manifest change to make sure relevant environment variables makes it into the app
2020-02-20 15:16:37 +00:00
for secret in current_app.config.get('API_INTERNAL_SECRETS'):
try:
decode_jwt_token(auth_token, secret)
return
except TokenExpiredError:
raise AuthError("Invalid token: expired, check that your system clock is accurate", 403)
except TokenDecodeError:
# TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions
# (which are children of `TokenDecodeError`) as these should cause an auth error immediately rather
# than continue on to check the next admin client secret
continue
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
# Either there are no admin client secrets or their token didn't match one of them so error
raise AuthError("Unauthorized: admin authentication token not found", 401)
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
else:
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError('Unauthorized: admin authentication token required', 401)
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
Remove, cache or hardcode anything that could be cached when sending an email Probably shouldn’t deploy this to production 😅 This shows exactly what I removed, bodged and hardcoded to test what the performance implications of caching a bunch of stuff might look like. Test command: ```bash python -m timeit -n 1 -s "import notifications_python_client; c = notifications_python_client.notifications.NotificationsAPIClient('🤫', base_url='http://localhost:6011')" "c.send_email_notification(email_address='sender@something.com', template_id='be433bfc-fe31-464b-9f2c-5be11abf2176')" ``` Before: ``` raw times: 12.1 11.9 11.8 100 loops, best of 3: 118 msec per loop ``` After ``` raw times: 11.2 10.7 10.1 100 loops, best of 3: 101 msec per loop ``` Not a big improvement… So I was curious what it was doing in those ~100ms Let’s go back to master and comment out persisting the notification to the database: ``` raw times: 12.3 10.5 10.5 100 loops, best of 3: 105 msec per loop ``` (saves about 13ms) If we comment out sending to the queue: ``` raw times: 3.43 3.24 4.88 100 loops, best of 3: 32.4 msec per loop ``` (saves about 85ms) This means most of our request time is spent waiting for SQS. If we test our fake caching while sending to the queue is commented out we get a clearer picture of the potential improvements: ``` raw times: 2.13 1.84 2.18 100 loops, best of 3: 18.4 msec per loop ``` This is a saving of 14ms, from a baseline of 32.4ms, so 56%. A typical call to fetch a service from Redis from the admin app takes about 0.6ms, for context. It’s also worth thinking about whether we’re holding a database connection longer than we need to if we still have it while talking to SQS.
2020-04-16 11:28:43 +01:00
@lru_cache(maxsize=None)
def get_service(issuer):
return dao_fetch_service_by_id_with_api_keys(issuer)
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
def requires_auth():
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
request_helper.check_proxy_header_before_request()
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
auth_token = get_auth_token(request)
Improve text for error messages
2020-01-24 17:32:41 +00:00
issuer = __get_token_issuer(auth_token) # ie the `iss` claim which should be a service ID
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
Remove, cache or hardcode anything that could be cached when sending an email Probably shouldn’t deploy this to production 😅 This shows exactly what I removed, bodged and hardcoded to test what the performance implications of caching a bunch of stuff might look like. Test command: ```bash python -m timeit -n 1 -s "import notifications_python_client; c = notifications_python_client.notifications.NotificationsAPIClient('🤫', base_url='http://localhost:6011')" "c.send_email_notification(email_address='sender@something.com', template_id='be433bfc-fe31-464b-9f2c-5be11abf2176')" ``` Before: ``` raw times: 12.1 11.9 11.8 100 loops, best of 3: 118 msec per loop ``` After ``` raw times: 11.2 10.7 10.1 100 loops, best of 3: 101 msec per loop ``` Not a big improvement… So I was curious what it was doing in those ~100ms Let’s go back to master and comment out persisting the notification to the database: ``` raw times: 12.3 10.5 10.5 100 loops, best of 3: 105 msec per loop ``` (saves about 13ms) If we comment out sending to the queue: ``` raw times: 3.43 3.24 4.88 100 loops, best of 3: 32.4 msec per loop ``` (saves about 85ms) This means most of our request time is spent waiting for SQS. If we test our fake caching while sending to the queue is commented out we get a clearer picture of the potential improvements: ``` raw times: 2.13 1.84 2.18 100 loops, best of 3: 18.4 msec per loop ``` This is a saving of 14ms, from a baseline of 32.4ms, so 56%. A typical call to fetch a service from Redis from the admin app takes about 0.6ms, for context. It’s also worth thinking about whether we’re holding a database connection longer than we need to if we still have it while talking to SQS.
2020-04-16 11:28:43 +01:00
service = get_service(issuer)
g.service_id = issuer
_request_ctx_stack.top.authenticated_service = service
_request_ctx_stack.top.api_user = None
return
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
def __get_token_issuer(auth_token):
try:
Improve text for error messages
2020-01-24 17:32:41 +00:00
issuer = get_token_issuer(auth_token)
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
except TokenIssuerError:
raise AuthError("Invalid token: iss field not provided", 403)
bump requirements, fix pyflake8 things, unpin botocore/awscli
2018-11-07 13:39:08 +00:00
except TokenDecodeError:
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403)
return issuer
Reference in New Issue Copy Permalink