2016-01-20 10:57:46 +00:00
|
|
|
from datetime import datetime, timedelta
|
2016-01-15 16:22:03 +00:00
|
|
|
|
2016-04-14 18:12:33 +01:00
|
|
|
import pytest
|
2016-02-09 18:48:02 +00:00
|
|
|
from notifications_python_client.authentication import create_jwt_token
|
2016-04-15 10:59:00 +01:00
|
|
|
from flask import json, current_app
|
2016-01-20 10:57:46 +00:00
|
|
|
from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key, get_unsigned_secret
|
|
|
|
|
from app.models import ApiKey, Service
|
2016-01-14 17:45:30 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_should_not_allow_request_with_no_token(notify_api):
|
|
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get('/service')
|
2016-01-14 17:45:30 +00:00
|
|
|
assert response.status_code == 401
|
|
|
|
|
data = json.loads(response.get_data())
|
2016-03-14 15:51:04 +00:00
|
|
|
assert data['message'] == 'Unauthorized, authentication token must be provided'
|
2016-01-14 17:45:30 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_should_not_allow_request_with_incorrect_header(notify_api):
|
|
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': 'Basic 1234'})
|
2016-01-14 17:45:30 +00:00
|
|
|
assert response.status_code == 401
|
|
|
|
|
data = json.loads(response.get_data())
|
2016-03-14 15:51:04 +00:00
|
|
|
assert data['message'] == 'Unauthorized, authentication bearer scheme must be used'
|
2016-01-14 17:45:30 +00:00
|
|
|
|
|
|
|
|
|
2016-02-19 15:54:11 +00:00
|
|
|
def test_should_not_allow_request_with_incorrect_token(notify_api, sample_user):
|
2016-01-14 17:45:30 +00:00
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': 'Bearer 1234'})
|
2016-01-14 17:45:30 +00:00
|
|
|
assert response.status_code == 403
|
|
|
|
|
data = json.loads(response.get_data())
|
2016-03-14 15:51:04 +00:00
|
|
|
assert data['message'] == 'Invalid token: signature'
|
2016-01-14 17:45:30 +00:00
|
|
|
|
|
|
|
|
|
2016-02-19 15:54:11 +00:00
|
|
|
def test_should_not_allow_invalid_secret(notify_api, sample_api_key):
|
2016-01-14 17:45:30 +00:00
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-02-19 15:54:11 +00:00
|
|
|
token = create_jwt_token(
|
|
|
|
|
secret="not-so-secret",
|
|
|
|
|
client_id=str(sample_api_key.service_id))
|
|
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': "Bearer {}".format(token)}
|
|
|
|
|
)
|
2016-01-14 17:45:30 +00:00
|
|
|
assert response.status_code == 403
|
|
|
|
|
data = json.loads(response.get_data())
|
2016-03-14 15:51:04 +00:00
|
|
|
assert data['message'] == 'Invalid token: signature'
|
2016-01-14 17:45:30 +00:00
|
|
|
|
|
|
|
|
|
2016-02-19 15:54:11 +00:00
|
|
|
def test_should_allow_valid_token(notify_api, sample_api_key):
|
2016-01-14 17:45:30 +00:00
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-01-19 12:07:00 +00:00
|
|
|
token = __create_get_token(sample_api_key.service_id)
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get(
|
|
|
|
|
'/service/{}'.format(str(sample_api_key.service_id)),
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)}
|
|
|
|
|
)
|
2016-01-22 09:59:02 +00:00
|
|
|
assert response.status_code == 200
|
|
|
|
|
|
|
|
|
|
|
2016-02-19 15:54:11 +00:00
|
|
|
def test_should_allow_valid_token_for_request_with_path_params(notify_api, sample_api_key):
|
2016-01-22 09:59:02 +00:00
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
|
|
|
|
token = __create_get_token(sample_api_key.service_id)
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get(
|
|
|
|
|
'/service/{}'.format(str(sample_api_key.service_id)),
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)})
|
2016-01-14 17:45:30 +00:00
|
|
|
assert response.status_code == 200
|
|
|
|
|
|
|
|
|
|
|
2016-02-19 15:54:11 +00:00
|
|
|
def test_should_allow_valid_token_when_service_has_multiple_keys(notify_api, sample_api_key):
|
2016-01-19 18:25:21 +00:00
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-04-20 17:25:20 +01:00
|
|
|
data = {'service': sample_api_key.service,
|
|
|
|
|
'name': 'some key name',
|
|
|
|
|
'created_by': sample_api_key.created_by
|
|
|
|
|
}
|
2016-01-19 18:25:21 +00:00
|
|
|
api_key = ApiKey(**data)
|
|
|
|
|
save_model_api_key(api_key)
|
|
|
|
|
token = __create_get_token(sample_api_key.service_id)
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get(
|
|
|
|
|
'/service/{}'.format(str(sample_api_key.service_id)),
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)})
|
2016-01-19 18:25:21 +00:00
|
|
|
assert response.status_code == 200
|
|
|
|
|
|
2016-01-20 10:57:46 +00:00
|
|
|
|
2016-01-15 16:22:03 +00:00
|
|
|
JSON_BODY = json.dumps({
|
2016-01-20 10:57:46 +00:00
|
|
|
"key1": "value1",
|
|
|
|
|
"key2": "value2",
|
|
|
|
|
"key3": "value3"
|
2016-01-15 16:22:03 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
2016-01-20 10:57:46 +00:00
|
|
|
def test_authentication_passes_admin_client_token(notify_api,
|
|
|
|
|
notify_db,
|
|
|
|
|
notify_db_session,
|
|
|
|
|
sample_api_key):
|
|
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-02-19 15:54:11 +00:00
|
|
|
token = create_jwt_token(
|
|
|
|
|
secret=current_app.config.get('ADMIN_CLIENT_SECRET'),
|
|
|
|
|
client_id=current_app.config.get('ADMIN_CLIENT_USER_NAME'))
|
|
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)})
|
2016-01-20 10:57:46 +00:00
|
|
|
assert response.status_code == 200
|
|
|
|
|
|
|
|
|
|
|
2016-02-19 15:54:11 +00:00
|
|
|
def test_authentication_passes_when_service_has_multiple_keys_some_expired(
|
|
|
|
|
notify_api,
|
|
|
|
|
notify_db,
|
|
|
|
|
notify_db_session,
|
|
|
|
|
sample_api_key):
|
2016-01-20 10:57:46 +00:00
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-04-20 17:25:20 +01:00
|
|
|
expired_key_data = {'service': sample_api_key.service,
|
|
|
|
|
'name': 'expired_key',
|
|
|
|
|
'expiry_date': datetime.now(),
|
|
|
|
|
'created_by': sample_api_key.created_by
|
|
|
|
|
}
|
|
|
|
|
expired_key = ApiKey(**expired_key_data)
|
|
|
|
|
save_model_api_key(expired_key)
|
|
|
|
|
another_key = {'service': sample_api_key.service,
|
|
|
|
|
'name': 'another_key',
|
|
|
|
|
'created_by': sample_api_key.created_by
|
|
|
|
|
}
|
2016-01-20 10:57:46 +00:00
|
|
|
api_key = ApiKey(**another_key)
|
|
|
|
|
save_model_api_key(api_key)
|
2016-02-19 15:54:11 +00:00
|
|
|
token = create_jwt_token(
|
|
|
|
|
secret=get_unsigned_secret(api_key.id),
|
|
|
|
|
client_id=str(sample_api_key.service_id))
|
|
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)})
|
2016-01-20 10:57:46 +00:00
|
|
|
assert response.status_code == 200
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_authentication_returns_token_expired_when_service_uses_expired_key_and_has_multiple_keys(notify_api,
|
|
|
|
|
notify_db,
|
|
|
|
|
notify_db_session,
|
|
|
|
|
sample_api_key):
|
|
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
2016-04-20 17:25:20 +01:00
|
|
|
expired_key = {'service': sample_api_key.service,
|
|
|
|
|
'name': 'expired_key',
|
|
|
|
|
'created_by': sample_api_key.created_by
|
|
|
|
|
}
|
2016-01-20 10:57:46 +00:00
|
|
|
expired_api_key = ApiKey(**expired_key)
|
|
|
|
|
save_model_api_key(expired_api_key)
|
2016-04-20 17:25:20 +01:00
|
|
|
another_key = {'service': sample_api_key.service,
|
|
|
|
|
'name': 'another_key',
|
|
|
|
|
'created_by': sample_api_key.created_by
|
|
|
|
|
}
|
2016-01-20 10:57:46 +00:00
|
|
|
api_key = ApiKey(**another_key)
|
|
|
|
|
save_model_api_key(api_key)
|
2016-02-19 15:54:11 +00:00
|
|
|
token = create_jwt_token(
|
|
|
|
|
secret=get_unsigned_secret(expired_api_key.id),
|
|
|
|
|
client_id=str(sample_api_key.service_id))
|
2016-01-20 10:57:46 +00:00
|
|
|
# expire the key
|
|
|
|
|
expire_the_key = {'id': expired_api_key.id,
|
2016-04-20 17:25:20 +01:00
|
|
|
'service': sample_api_key.service,
|
2016-01-20 10:57:46 +00:00
|
|
|
'name': 'expired_key',
|
2016-04-20 17:25:20 +01:00
|
|
|
'expiry_date': datetime.now() + timedelta(hours=-2),
|
|
|
|
|
'created_by': sample_api_key.created_by}
|
2016-01-20 10:57:46 +00:00
|
|
|
save_model_api_key(expired_api_key, expire_the_key)
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)})
|
2016-01-20 10:57:46 +00:00
|
|
|
assert response.status_code == 403
|
|
|
|
|
data = json.loads(response.get_data())
|
2016-03-14 15:51:04 +00:00
|
|
|
assert data['message'] == 'Invalid token: signature'
|
2016-01-20 10:57:46 +00:00
|
|
|
|
|
|
|
|
|
2016-02-08 11:29:53 +00:00
|
|
|
def test_authentication_returns_error_when_api_client_has_no_secrets(notify_api,
|
|
|
|
|
notify_db,
|
|
|
|
|
notify_db_session):
|
|
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
|
|
|
|
api_secret = notify_api.config.get('ADMIN_CLIENT_SECRET')
|
2016-02-19 15:54:11 +00:00
|
|
|
token = create_jwt_token(
|
|
|
|
|
secret=api_secret,
|
|
|
|
|
client_id=notify_api.config.get('ADMIN_CLIENT_USER_NAME')
|
|
|
|
|
)
|
2016-02-08 11:29:53 +00:00
|
|
|
notify_api.config['ADMIN_CLIENT_SECRET'] = ''
|
2016-02-19 15:54:11 +00:00
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)})
|
2016-02-08 11:29:53 +00:00
|
|
|
assert response.status_code == 403
|
|
|
|
|
error_message = json.loads(response.get_data())
|
2016-03-14 15:51:04 +00:00
|
|
|
assert error_message['message'] == 'Invalid token: signature'
|
2016-02-08 11:29:53 +00:00
|
|
|
notify_api.config['ADMIN_CLIENT_SECRET'] = api_secret
|
|
|
|
|
|
|
|
|
|
|
2016-04-29 09:54:40 +01:00
|
|
|
def test_authentication_returns_error_when_service_has_no_secrets(notify_api,
|
|
|
|
|
notify_db,
|
|
|
|
|
notify_db_session,
|
2016-04-29 14:36:10 +01:00
|
|
|
sample_service,
|
|
|
|
|
fake_uuid):
|
2016-04-29 09:54:40 +01:00
|
|
|
with notify_api.test_request_context():
|
|
|
|
|
with notify_api.test_client() as client:
|
|
|
|
|
token = create_jwt_token(
|
2016-04-29 14:36:10 +01:00
|
|
|
secret=fake_uuid,
|
2016-04-29 09:54:40 +01:00
|
|
|
client_id=str(sample_service.id))
|
|
|
|
|
|
|
|
|
|
response = client.get(
|
|
|
|
|
'/service',
|
|
|
|
|
headers={'Authorization': 'Bearer {}'.format(token)})
|
|
|
|
|
assert response.status_code == 403
|
|
|
|
|
error_message = json.loads(response.get_data())
|
|
|
|
|
assert error_message['message'] == 'Invalid token: signature'
|
|
|
|
|
|
|
|
|
|
|
2016-01-15 16:22:03 +00:00
|
|
|
def __create_get_token(service_id):
|
2016-01-22 09:59:02 +00:00
|
|
|
if service_id:
|
2016-05-04 16:08:23 +01:00
|
|
|
return create_jwt_token(secret=get_unsigned_secrets(service_id)[0],
|
2016-02-02 14:16:08 +00:00
|
|
|
client_id=str(service_id))
|
2016-01-22 09:59:02 +00:00
|
|
|
else:
|
2016-05-04 16:08:23 +01:00
|
|
|
return create_jwt_token(secret=get_unsigned_secrets(service_id)[0],
|
2016-01-22 09:59:02 +00:00
|
|
|
client_id=service_id)
|
2016-01-15 16:22:03 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def __create_post_token(service_id, request_body):
|
|
|
|
|
return create_jwt_token(
|
2016-01-19 18:25:21 +00:00
|
|
|
secret=get_unsigned_secrets(service_id)[0],
|
2016-05-04 16:08:23 +01:00
|
|
|
client_id=str(service_id)
|
2016-01-15 16:22:03 +00:00
|
|
|
)
|
