darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-21 07:51:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
2c568698d1278c3d3c2f7204bbf8202fc0b02080
notifications-api/tests/app/authentication/test_authentication.py

513 lines
17 KiB
Python
Raw Normal View History

update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
import time
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
import uuid
refactor authentication code moved api_key secret manipulation (generating and getting) into authentiation/utils, and added a property on the model, to facilitate easier matching of authenticated requests and the api keys they used
2016-06-29 14:15:32 +01:00
from datetime import datetime
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
from unittest.mock import call
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
import jwt
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
import pytest
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
from flask import current_app, json, request
Fix bug with expired token error response
2016-07-22 15:10:37 +01:00
from freezegun import freeze_time
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
from notifications_python_client.authentication import create_jwt_token
from app import api_user
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
from app.authentication.auth import (
GENERAL_TOKEN_ERROR_MESSAGE,
AuthError,
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token,
_get_token_issuer,
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
requires_admin_auth,
requires_auth,
)
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
from app.dao.api_key_dao import (
expire_api_key,
get_model_api_keys,
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
get_unsigned_secret,
get_unsigned_secrets,
save_model_api_key,
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
)
from app.dao.services_dao import dao_fetch_service_by_id
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
from app.models import KEY_TYPE_NORMAL, ApiKey
from tests.conftest import set_config, set_config_values
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
def create_custom_jwt_token(headers=None, payload=None, key=None):
# code copied from notifications_python_client.authentication.py::create_jwt_token
headers = headers or {"typ": 'JWT', "alg": 'HS256'}
return jwt.encode(payload=payload, key=key or str(uuid.uuid4()), headers=headers)
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
@pytest.fixture
def service_jwt_secret(sample_api_key):
return get_unsigned_secrets(sample_api_key.service_id)[0]
@pytest.fixture
def service_jwt_token(sample_api_key, service_jwt_secret):
return create_jwt_token(
secret=service_jwt_secret,
client_id=str(sample_api_key.service_id),
)
@pytest.fixture
def admin_jwt_client_id():
return current_app.config['ADMIN_CLIENT_USER_NAME']
@pytest.fixture
def admin_jwt_secret(admin_jwt_client_id):
return current_app.config['INTERNAL_CLIENT_API_KEYS'][admin_jwt_client_id][0]
@pytest.fixture
def admin_jwt_token(admin_jwt_client_id, admin_jwt_secret):
return create_jwt_token(admin_jwt_secret, admin_jwt_client_id)
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_auth_token_should_not_allow_request_with_no_token(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {}
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token(request)
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == 'Unauthorized: authentication token must be provided'
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_auth_token_should_not_allow_request_with_incorrect_header(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {'Authorization': 'Basic 1234'}
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token(request)
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == 'Unauthorized: authentication bearer scheme must be used'
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
@pytest.mark.parametrize('scheme', ['bearer', 'Bearer'])
def test_get_auth_token_should_allow_valid_token(client, scheme):
token = create_jwt_token(client_id='something', secret='secret')
request.headers={'Authorization': '{} {}'.format(scheme, token)}
assert _get_auth_token(request) == token
def test_get_token_issuer_should_not_allow_request_with_incorrect_token(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_token_issuer("Bearer 1234")
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == GENERAL_TOKEN_ERROR_MESSAGE
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_token_issuer_should_not_allow_request_with_no_iss(client):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
payload={'iat': int(time.time())}
)
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_token_issuer(token)
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
assert exc.value.short_message == 'Invalid token: iss field not provided'
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_auth_should_not_allow_request_with_no_iat(client, sample_api_key):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
payload={'iss': str(sample_api_key.service_id)}
)
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
requires_auth()
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == 'Invalid token: API key not found'
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_auth_should_not_allow_request_with_non_hs256_algorithm(client, sample_api_key):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
headers={"typ": 'JWT', "alg": 'HS512'},
payload={'iss': str(sample_api_key.service_id), 'iat': int(time.time())}
)
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert exc.value.short_message == 'Invalid token: algorithm used is not HS256'
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_admin_auth_should_not_allow_request_with_no_iat(
client,
admin_jwt_client_id,
admin_jwt_secret,
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
payload={'iss': admin_jwt_client_id},
key=admin_jwt_secret
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_admin_auth()
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert exc.value.short_message == "Invalid token: API key not found"
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_admin_auth_should_not_allow_request_with_old_iat(
client,
admin_jwt_client_id,
admin_jwt_secret,
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
payload={'iss': admin_jwt_client_id, 'iat': int(time.time()) - 60},
key=admin_jwt_secret
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_admin_auth()
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert exc.value.short_message == "Error: Your system clock must be accurate to within 30 seconds"
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_should_not_allow_request_with_extra_claims(
client,
sample_api_key,
service_jwt_secret,
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
payload={
'iss': str(sample_api_key.service_id),
'iat': int(time.time()),
'aud': 'notifications.service.gov.uk' # extra claim that we don't support
},
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
key=service_jwt_secret,
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Add test case for uncaught jwt exception
2020-01-24 17:25:49 +00:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == GENERAL_TOKEN_ERROR_MESSAGE
Add test case for uncaught jwt exception
2020-01-24 17:25:49 +00:00
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_auth_should_not_allow_invalid_secret(client, sample_api_key):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
token = create_jwt_token(
secret="not-so-secret",
client_id=str(sample_api_key.service_id))
response = client.get(
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
'/notifications',
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
headers={'Authorization': "Bearer {}".format(token)}
)
assert response.status_code == 403
data = json.loads(response.get_data())
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert data['message'] == {"token": ['Invalid token: API key not found']}
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
make sure all non-uuid service ids 403 in api keys previously 'invalid-strings' would be handled, but integers would just return 500.
2021-04-29 18:48:59 +01:00
@pytest.mark.parametrize('service_id', ['not-a-valid-id', 1234])
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_should_not_allow_service_id_with_the_wrong_data_type(
client,
service_jwt_secret,
service_id
):
token = create_jwt_token(
client_id=service_id,
secret=service_jwt_secret,
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
response = client.get(
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
'/notifications',
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
headers={'Authorization': "Bearer {}".format(token)}
)
assert response.status_code == 403
data = json.loads(response.get_data())
assert data['message'] == {"token": ['Invalid token: service id is not the right data type']}
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_should_allow_valid_token_for_request_with_path_params_for_public_url(
client,
service_jwt_token,
):
response = client.get('/notifications', headers={'Authorization': 'Bearer {}'.format(service_jwt_token)})
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
assert response.status_code == 200
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_admin_auth_should_allow_valid_token_for_request_with_path_params(
client,
admin_jwt_token
):
response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(admin_jwt_token)})
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
assert response.status_code == 200
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_admin_auth_should_allow_valid_token_for_request_with_path_params_with_second_secret(
client,
admin_jwt_client_id,
):
new_secrets = {admin_jwt_client_id: ["secret1", "secret2"]}
Support granular API auth for internal apps Previously we just had a single array of API keys / secrets, any of which could be used to get past the "requires_admin_auth" check. While multiple keys are necessary to allow for rotation, we should avoid giving other apps access this way (too much privilege). This converts the existing config vars into a new dictionary, keyed by client_id. We can then use the dictionary to scope auth for new API consumers like gov.uk/alerts to just the endpoints they need to access, while maintaining existing access for the Admin app. Once the new dictionary is available as a JSON environment variable, we'll be able to remove the old credentials / config. In the next commits, we'll look at more tests for the new functionality.
2021-07-26 16:45:10 +01:00
with set_config(client.application, 'INTERNAL_CLIENT_API_KEYS', new_secrets):
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
token = create_jwt_token("secret1", admin_jwt_client_id)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)})
assert response.status_code == 200
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
token = create_jwt_token("secret2", admin_jwt_client_id)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)})
assert response.status_code == 200
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_should_allow_valid_token_when_service_has_multiple_keys(
client,
sample_api_key,
service_jwt_token,
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
data = {'service': sample_api_key.service,
'name': 'some key name',
'created_by': sample_api_key.created_by,
'key_type': KEY_TYPE_NORMAL
}
api_key = ApiKey(**data)
save_model_api_key(api_key)
response = client.get(
flake8 fixes a stricter flake8 bump. mostly things around f strings and format strings, but a couple of bad placeholder names in loops
2020-12-07 15:15:50 +00:00
'/notifications',
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
headers={'Authorization': 'Bearer {}'.format(service_jwt_token)})
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
assert response.status_code == 200
Allow services to have multiple api keys. /service/<service_id>/api-key/renew has been renamed to /service/<service_id>/api-key /service/<service_id>/api-key now creates a token and no longer expires the existing api key. Moved test for this endpoint to it's own file.
2016-01-20 10:57:46 +00:00
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_auth_passes_when_service_has_multiple_keys_some_expired(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
sample_api_key,
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
expired_key_data = {'service': sample_api_key.service,
'name': 'expired_key',
'expiry_date': datetime.utcnow(),
'created_by': sample_api_key.created_by,
'key_type': KEY_TYPE_NORMAL
}
expired_key = ApiKey(**expired_key_data)
save_model_api_key(expired_key)
another_key = {'service': sample_api_key.service,
'name': 'another_key',
'created_by': sample_api_key.created_by,
'key_type': KEY_TYPE_NORMAL
}
api_key = ApiKey(**another_key)
save_model_api_key(api_key)
token = create_jwt_token(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client_id=str(sample_api_key.service_id),
secret=get_unsigned_secret(api_key.id)
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
response = client.get(
'/notifications',
headers={'Authorization': 'Bearer {}'.format(token)})
assert response.status_code == 200
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_auth_returns_token_expired_when_service_uses_expired_key_and_has_multiple_keys(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
sample_api_key
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
expired_key = {'service': sample_api_key.service,
'name': 'expired_key',
'created_by': sample_api_key.created_by,
'key_type': KEY_TYPE_NORMAL
}
expired_api_key = ApiKey(**expired_key)
save_model_api_key(expired_api_key)
another_key = {'service': sample_api_key.service,
'name': 'another_key',
'created_by': sample_api_key.created_by,
'key_type': KEY_TYPE_NORMAL
}
api_key = ApiKey(**another_key)
save_model_api_key(api_key)
token = create_jwt_token(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client_id=str(sample_api_key.service_id),
secret=get_unsigned_secret(expired_api_key.id)
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
expire_api_key(service_id=sample_api_key.service_id, api_key_id=expired_api_key.id)
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert exc.value.short_message == 'Invalid token: API key revoked'
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
assert exc.value.service_id == str(expired_api_key.service_id)
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
assert exc.value.api_key_id == expired_api_key.id
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_admin_auth_returns_error_with_no_secrets(
client,
admin_jwt_client_id,
admin_jwt_token,
):
new_secrets = {admin_jwt_client_id: []}
Support granular API auth for internal apps Previously we just had a single array of API keys / secrets, any of which could be used to get past the "requires_admin_auth" check. While multiple keys are necessary to allow for rotation, we should avoid giving other apps access this way (too much privilege). This converts the existing config vars into a new dictionary, keyed by client_id. We can then use the dictionary to scope auth for new API consumers like gov.uk/alerts to just the endpoints they need to access, while maintaining existing access for the Admin app. Once the new dictionary is available as a JSON environment variable, we'll be able to remove the old credentials / config. In the next commits, we'll look at more tests for the new functionality.
2021-07-26 16:45:10 +01:00
with set_config(client.application, 'INTERNAL_CLIENT_API_KEYS', new_secrets):
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
response = client.get(
'/service',
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
headers={'Authorization': 'Bearer {}'.format(admin_jwt_token)})
Support granular API auth for internal apps Previously we just had a single array of API keys / secrets, any of which could be used to get past the "requires_admin_auth" check. While multiple keys are necessary to allow for rotation, we should avoid giving other apps access this way (too much privilege). This converts the existing config vars into a new dictionary, keyed by client_id. We can then use the dictionary to scope auth for new API consumers like gov.uk/alerts to just the endpoints they need to access, while maintaining existing access for the Admin app. Once the new dictionary is available as a JSON environment variable, we'll be able to remove the old credentials / config. In the next commits, we'll look at more tests for the new functionality.
2021-07-26 16:45:10 +01:00
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert response.status_code == 403
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
error_message = json.loads(response.get_data())
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert error_message['message'] == {"token": ["Invalid token: API key not found"]}
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_admin_auth_returns_error_when_secret_is_invalid(
client,
admin_jwt_client_id,
admin_jwt_token,
):
new_secrets = {admin_jwt_client_id: ['something-wrong']}
Support granular API auth for internal apps Previously we just had a single array of API keys / secrets, any of which could be used to get past the "requires_admin_auth" check. While multiple keys are necessary to allow for rotation, we should avoid giving other apps access this way (too much privilege). This converts the existing config vars into a new dictionary, keyed by client_id. We can then use the dictionary to scope auth for new API consumers like gov.uk/alerts to just the endpoints they need to access, while maintaining existing access for the Admin app. Once the new dictionary is available as a JSON environment variable, we'll be able to remove the old credentials / config. In the next commits, we'll look at more tests for the new functionality.
2021-07-26 16:45:10 +01:00
with set_config(client.application, 'INTERNAL_CLIENT_API_KEYS', new_secrets):
response = client.get(
'/service',
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
headers={'Authorization': 'Bearer {}'.format(admin_jwt_token)})
Support granular API auth for internal apps Previously we just had a single array of API keys / secrets, any of which could be used to get past the "requires_admin_auth" check. While multiple keys are necessary to allow for rotation, we should avoid giving other apps access this way (too much privilege). This converts the existing config vars into a new dictionary, keyed by client_id. We can then use the dictionary to scope auth for new API consumers like gov.uk/alerts to just the endpoints they need to access, while maintaining existing access for the Admin app. Once the new dictionary is available as a JSON environment variable, we'll be able to remove the old credentials / config. In the next commits, we'll look at more tests for the new functionality.
2021-07-26 16:45:10 +01:00
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert response.status_code == 403
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
error_message = json.loads(response.get_data())
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert error_message['message'] == {"token": ["Invalid token: API key not found"]}
Added a test for the case when there is no secret for the api client. Fix codestyle
2016-02-08 11:29:53 +00:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_returns_error_when_service_doesnt_exist(
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
client,
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid.
2016-09-23 11:07:49 +01:00
sample_api_key
Add a test for auth-ing with non-existant service If you create a token signed with a service ID that doesn’t exist, you will get an error (as you should). However we didn’t have a test that explicitly checks for this. This commit adds one.
2016-09-16 08:36:44 +01:00
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
# get service ID and secret the wrong way around
token = create_jwt_token(
secret=str(sample_api_key.service_id),
client_id=str(sample_api_key.id))
response = client.get(
'/notifications',
headers={'Authorization': 'Bearer {}'.format(token)}
)
assert response.status_code == 403
error_message = json.loads(response.get_data())
assert error_message['message'] == {'token': ['Invalid token: service not found']}
Add a test for auth-ing with non-existant service If you create a token signed with a service ID that doesn’t exist, you will get an error (as you should). However we didn’t have a test that explicitly checks for this. This commit adds one.
2016-09-16 08:36:44 +01:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_returns_error_when_service_inactive(
client,
sample_api_key,
service_jwt_token,
):
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
sample_api_key.service.active = False
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
response = client.get('/notifications', headers={'Authorization': 'Bearer {}'.format(service_jwt_token)})
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
assert response.status_code == 403
error_message = json.loads(response.get_data())
assert error_message['message'] == {'token': ['Invalid token: service is archived']}
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_auth_returns_error_when_service_has_no_secrets(
client, sample_service, fake_uuid
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
token = create_jwt_token(
secret=fake_uuid,
client_id=str(sample_service.id))
This pull request fixes a bug in authentication. If the service does not have any api keys, there would be an error but it was not formed well.
2016-04-29 09:54:40 +01:00
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert exc.value.short_message == 'Invalid token: service has no API keys'
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
assert exc.value.service_id == str(sample_service.id)
This pull request fixes a bug in authentication. If the service does not have any api keys, there would be an error but it was not formed well.
2016-04-29 09:54:40 +01:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_should_attach_the_current_api_key_to_current_app(
notify_api,
sample_service,
sample_api_key,
service_jwt_token,
):
more flake8. lots of unused imports and variables that didn't get used. i tried to preserve old variable names as comments when it looked like they were useful (eg when they were describing timestamps)
2017-11-28 17:21:21 +00:00
with notify_api.test_request_context(), notify_api.test_client() as client:
Fix bug with expired token error response
2016-07-22 15:10:37 +01:00
response = client.get(
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
'/notifications',
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
headers={'Authorization': 'Bearer {}'.format(service_jwt_token)}
Fix bug with expired token error response
2016-07-22 15:10:37 +01:00
)
assert response.status_code == 200
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
assert str(api_user.id) == str(sample_api_key.id)
Fix bug with expired token error response
2016-07-22 15:10:37 +01:00
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_auth_return_403_when_token_is_expired(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
sample_api_key,
service_jwt_secret,
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
with freeze_time('2001-01-01T12:00:00'):
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
token = create_jwt_token(
client_id=str(sample_api_key.service_id),
secret=service_jwt_secret,
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
with freeze_time('2001-01-01T12:00:40'):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
request.headers = {'Authorization': 'Bearer {}'.format(token)}
requires_auth()
change token expiry err msg for clarity
2017-12-15 16:06:30 +00:00
assert exc.value.short_message == 'Error: Your system clock must be accurate to within 30 seconds'
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
assert exc.value.service_id == str(sample_api_key.service_id)
assert str(exc.value.api_key_id) == str(sample_api_key.id)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
@pytest.mark.parametrize('check_proxy_header,header_value', [
(True, 'key_1'),
(True, 'wrong_key'),
(False, 'key_1'),
(False, 'wrong_key'),
Parametrize tests
2017-11-16 17:00:38 +00:00
])
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
def test_requires_no_auth_proxy_key(notify_api, check_proxy_header, header_value):
Use function from utils to check secret header value This adds a before_request handler to check whether all incoming requests have the proxy header configured.
2017-11-14 14:26:00 +00:00
with set_config_values(notify_api, {
'ROUTE_SECRET_KEY_1': 'key_1',
'ROUTE_SECRET_KEY_2': '',
Parametrize tests
2017-11-16 17:00:38 +00:00
'CHECK_PROXY_HEADER': check_proxy_header,
Use function from utils to check secret header value This adds a before_request handler to check whether all incoming requests have the proxy header configured.
2017-11-14 14:26:00 +00:00
}):
initial logging for route protection
2017-11-03 14:43:56 +00:00
Parametrize tests
2017-11-16 17:00:38 +00:00
with notify_api.test_client() as client:
response = client.get(
path='/_status',
headers=[
('X-Custom-Forwarder', header_value),
]
)
Rename tests to match the function under test This makes it easier to see what we're missing. I also tweaked one test where a parameter wasn't necessary.
2021-07-27 15:19:46 +01:00
assert response.status_code == 200
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
@pytest.mark.parametrize('check_proxy_header,header_value,expected_status', [
(True, 'key_1', 200),
(True, 'wrong_key', 403),
(False, 'key_1', 200),
(False, 'wrong_key', 200),
])
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_admin_auth_proxy_key(
notify_api,
check_proxy_header,
header_value,
expected_status,
admin_jwt_token,
):
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
with set_config_values(notify_api, {
'ROUTE_SECRET_KEY_1': 'key_1',
'ROUTE_SECRET_KEY_2': '',
'CHECK_PROXY_HEADER': check_proxy_header,
}):
with notify_api.test_client() as client:
response = client.get(
path='/service',
headers=[
('X-Custom-Forwarder', header_value),
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
('Authorization', 'Bearer {}'.format(admin_jwt_token))
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
]
)
assert response.status_code == expected_status
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_should_cache_service_and_api_key_lookups(
mocker,
client,
sample_api_key,
service_jwt_token
):
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
mock_get_api_keys = mocker.patch(
'app.serialised_models.get_model_api_keys',
wraps=get_model_api_keys,
)
mock_get_service = mocker.patch(
'app.serialised_models.dao_fetch_service_by_id',
wraps=dao_fetch_service_by_id,
)
Do extra code style checks with flake8-bugbear Flake8 Bugbear checks for some extra things that aren’t code style errors, but are likely to introduce bugs or unexpected behaviour. A good example is having mutable default function arguments, which get shared between every call to the function and therefore mutating a value in one place can unexpectedly cause it to change in another. This commit enables all the extra warnings provided by Flake8 Bugbear, except for: - the line length one (because we already lint for that separately) - B903 Data class should either be immutable or use `__slots__` because this seems to false-positive on some of our custom exceptions - B902 Invalid first argument 'cls' used for instance method because some SQLAlchemy decorators (eg `declared_attr`) make things that aren’t formally class methods take a class not an instance as their first argument It disables: - _B306: BaseException.message is removed in Python 3_ because I think our exceptions have a custom structure that means the `.message` attribute is still present Matches the work done in other repos: - https://github.com/alphagov/notifications-admin/pull/3172/files
2020-12-22 15:46:31 +00:00
for _ in range(5):
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
client.get('/notifications', headers={
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
'Authorization': f'Bearer {service_jwt_token}'
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
})
assert mock_get_api_keys.call_args_list == [
call(str(sample_api_key.service_id))
]
assert mock_get_service.call_args_list == [
make sure all non-uuid service ids 403 in api keys previously 'invalid-strings' would be handled, but integers would just return 500.
2021-04-29 18:48:59 +01:00
call(sample_api_key.service_id)
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
]
Reference in New Issue Copy Permalink