app/authentication/auth.py

from flask import request, jsonify, _request_ctx_stack, current_app
from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
from notifications_python_client.errors import TokenDecodeError, TokenExpiredError
from werkzeug.exceptions import abort
from app.dao.api_key_dao import get_unsigned_secrets
from app import api_user
from functools import wraps


def authentication_response(message, code):
    return jsonify(result='error',
                   message={"token": [message]}
                   ), code


def requires_auth():
    auth_header = request.headers.get('Authorization', None)
    if not auth_header:
        return authentication_response('Unauthorized, authentication token must be provided', 401)

    auth_scheme = auth_header[:7]

    if auth_scheme != 'Bearer ':
        return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)

    auth_token = auth_header[7:]
    try:
        api_client = fetch_client(get_token_issuer(auth_token))
    except TokenDecodeError:
        return authentication_response("Invalid token: signature", 403)

    for secret in api_client['secret']:
        try:
            decode_jwt_token(
                auth_token,
                secret
            )
            _request_ctx_stack.top.api_user = api_client
            return
        except TokenExpiredError:
            errors_resp = authentication_response("Invalid token: expired", 403)
        except TokenDecodeError:
            errors_resp = authentication_response("Invalid token: signature", 403)

    if not api_client['secret']:
        errors_resp = authentication_response("Invalid token: no api keys for service", 403)
    current_app.logger.info(errors_resp)
    return errors_resp


def fetch_client(client):
    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
        return {
            "client": client,
            "secret": [current_app.config.get('ADMIN_CLIENT_SECRET')]
        }
    else:
        return {
            "client": client,
            "secret": get_unsigned_secrets(client)
        }
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00			`from flask import request, jsonify, _request_ctx_stack, current_app`
bumped client version 2016-02-09 18:48:02 +00:00			`from notifications_python_client.authentication import decode_jwt_token, get_token_issuer`
Use the new version of the notifications-python-client. This version no longer adds the req and pay to the claims of the jwt. The change is backward compatible so an older client that sends a jwt with the extra claims will pass authentication. Once all the clients have been updated to not include the extra claims some updates to exclude them from the method signatures will happen as well. 2016-04-14 18:12:33 +01:00			`from notifications_python_client.errors import TokenDecodeError, TokenExpiredError`
Fetch endpoints for notifications - includes check on token type to ensure clients can perform admin style fetches 2016-03-01 13:30:10 +00:00			`from werkzeug.exceptions import abort`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`from app.dao.api_key_dao import get_unsigned_secrets`
Fetch endpoints for notifications - includes check on token type to ensure clients can perform admin style fetches 2016-03-01 13:30:10 +00:00			`from app import api_user`
			`from functools import wraps`
Added authorization headers for all requests 2016-01-15 16:22:03 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
			`def authentication_response(message, code):`
Format authentication error messages for the client. 2016-03-14 15:51:04 +00:00			`return jsonify(result='error',`
Update auth module to return consistently formed error messages. We are trying to get all the error messages to return in the following format: {result: error, message: ['what caused error': 'reason for error'] } 2016-06-17 14:22:58 +01:00			`message={"token": [message]}`
Format authentication error messages for the client. 2016-03-14 15:51:04 +00:00			`), code`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00

			`def requires_auth():`
			`auth_header = request.headers.get('Authorization', None)`
			`if not auth_header:`
			`return authentication_response('Unauthorized, authentication token must be provided', 401)`

			`auth_scheme = auth_header[:7]`

			`if auth_scheme != 'Bearer ':`
			`return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)`

Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`auth_token = auth_header[7:]`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`try:`
			`api_client = fetch_client(get_token_issuer(auth_token))`
			`except TokenDecodeError:`
			`return authentication_response("Invalid token: signature", 403)`
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`for secret in api_client['secret']:`
			`try:`
			`decode_jwt_token(`
			`auth_token,`
Update python client to version 1.0.0. This version of the client removed the request method, path and body from the encode and decode methods. The biggest changes here is to the unit tests. 2016-05-04 16:08:23 +01:00			`secret`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`)`
			`_request_ctx_stack.top.api_user = api_client`
			`return`
			`except TokenExpiredError:`
			`errors_resp = authentication_response("Invalid token: expired", 403)`
			`except TokenDecodeError:`
			`errors_resp = authentication_response("Invalid token: signature", 403)`

This pull request fixes a bug in authentication. If the service does not have any api keys, there would be an error but it was not formed well. 2016-04-29 09:54:40 +01:00			`if not api_client['secret']:`
Update auth module to return consistently formed error messages. We are trying to get all the error messages to return in the following format: {result: error, message: ['what caused error': 'reason for error'] } 2016-06-17 14:22:58 +01:00			`errors_resp = authentication_response("Invalid token: no api keys for service", 403)`
Update python client to version 1.0.0. This version of the client removed the request method, path and body from the encode and decode methods. The biggest changes here is to the unit tests. 2016-05-04 16:08:23 +01:00			`current_app.logger.info(errors_resp)`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`return errors_resp`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00

			`def fetch_client(client):`
Authentication for admin client api calls where a user and service is not required. 2016-01-19 14:01:26 +00:00			`if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):`
			`return {`
			`"client": client,`
Allow services to have multiple api keys. /service/<service_id>/api-key/renew has been renamed to /service/<service_id>/api-key /service/<service_id>/api-key now creates a token and no longer expires the existing api key. Moved test for this endpoint to it's own file. 2016-01-20 10:57:46 +00:00			`"secret": [current_app.config.get('ADMIN_CLIENT_SECRET')]`
Authentication for admin client api calls where a user and service is not required. 2016-01-19 14:01:26 +00:00			`}`
			`else:`
			`return {`
			`"client": client,`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`"secret": get_unsigned_secrets(client)`
Authentication for admin client api calls where a user and service is not required. 2016-01-19 14:01:26 +00:00			`}`