darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-16 10:12:32 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
3702d4eae824994bcb50cb4a89bb50c371c1b829
notifications-api/app/authentication/auth.py

162 lines
6.1 KiB
Python
Raw Normal View History

Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
from flask import _request_ctx_stack, current_app, g, request
from gds_metrics import Histogram
from notifications_python_client.authentication import (
decode_jwt_token,
get_token_issuer,
)
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
from notifications_python_client.errors import (
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
TokenAlgorithmError,
TokenDecodeError,
TokenError,
TokenExpiredError,
TokenIssuerError,
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
)
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
from notifications_utils import request_helper
Minor change in how we inteprete Incoming IP
2017-09-13 17:23:23 +01:00
from sqlalchemy.exc import DataError
from sqlalchemy.orm.exc import NoResultFound
refactor authentication code moved api_key secret manipulation (generating and getting) into authentiation/utils, and added a property on the model, to facilitate easier matching of authenticated requests and the api keys they used
2016-06-29 14:15:32 +01:00
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
from app.serialised_models import SerialisedService
Added authorization headers for all requests
2016-01-15 16:22:03 +00:00
Improve text for error messages
2020-01-24 17:32:41 +00:00
GENERAL_TOKEN_ERROR_MESSAGE = 'Invalid token: make sure your API token matches the example at https://docs.notifications.service.gov.uk/rest-api.html#authorisation-header' # noqa
add more prometheus metrics Two new metrics: auth_db_connection_duration_seconds (histogram) wraps the first DB call of post notifications. This includes waiting to get a connection from the pool, and also making the actual request to the db to retrieve the service and api keys. (i'm not sure there's an easy way to separate these two things) post_notification_json_parse_duration_seconds wraps parsing the v2 post notifications json parsing and schema validation. Shouldn't include any async code
2020-06-15 16:19:00 +01:00
AUTH_DB_CONNECTION_DURATION_SECONDS = Histogram(
'auth_db_connection_duration_seconds',
'Time taken to get DB connection and fetch service from database',
)
Improve text for error messages
2020-01-24 17:32:41 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
class AuthError(Exception):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
def __init__(self, message, code, service_id=None, api_key_id=None):
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
self.message = {"token": [message]}
Improvements to the tests. Update AuthError with a to_dict_v2 method.
2016-11-01 10:33:34 +00:00
self.short_message = message
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
self.code = code
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
self.service_id = service_id
self.api_key_id = api_key_id
def __str__(self):
return 'AuthError({message}, {code}, service_id={service_id}, api_key_id={api_key_id})'.format(**self.__dict__)
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
Improvements to the tests. Update AuthError with a to_dict_v2 method.
2016-11-01 10:33:34 +00:00
def to_dict_v2(self):
Use status_code in error response. Remove code.
2016-11-02 14:58:39 +00:00
return {
'status_code': self.code,
update V2 error response to {status_code: 403, errors: [error: AuthError, message: token has expired}] }
2016-11-09 14:56:54 +00:00
"errors": [
{
"error": "AuthError",
"message": self.short_message
}
]
Use status_code in error response. Remove code.
2016-11-02 14:58:39 +00:00
}
Improvements to the tests. Update AuthError with a to_dict_v2 method.
2016-11-01 10:33:34 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
def get_auth_token(req):
auth_header = req.headers.get('Authorization', None)
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
if not auth_header:
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError('Unauthorized: authentication token must be provided', 401)
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
Make bearer prefix on auth header case insensitive From a support ticket: > the "Bearer" prefix on the auth header is case sensitive. Can this be > made case-insensitive? Sure can 🙃
2016-11-07 10:45:18 +00:00
auth_scheme = auth_header[:7].title()
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
if auth_scheme != 'Bearer ':
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError('Unauthorized: authentication bearer scheme must be used', 401)
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
return auth_header[7:]
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients.
2015-12-15 10:47:20 +00:00
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
def requires_no_auth():
pass
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
def requires_admin_auth():
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
request_helper.check_proxy_header_before_request()
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
auth_token = get_auth_token(request)
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
client = __get_token_issuer(auth_token)
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')
Make `ADMIN_CLIENT_SECRET` a list of a single secret And support this change across our code. Note, this is a halfway step where it is not a list rather than a string but still only supports a single secret, ie one item in the list.
2020-02-19 16:42:40 +00:00
Change variable name to make more descriptive Also remove unnecessary if statement Also add manifest change to make sure relevant environment variables makes it into the app
2020-02-20 15:16:37 +00:00
for secret in current_app.config.get('API_INTERNAL_SECRETS'):
try:
decode_jwt_token(auth_token, secret)
return
except TokenExpiredError:
raise AuthError("Invalid token: expired, check that your system clock is accurate", 403)
except TokenDecodeError:
# TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions
# (which are children of `TokenDecodeError`) as these should cause an auth error immediately rather
# than continue on to check the next admin client secret
continue
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
# Either there are no admin client secrets or their token didn't match one of them so error
raise AuthError("Unauthorized: admin authentication token not found", 401)
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
else:
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError('Unauthorized: admin authentication token required', 401)
Testing out adding a admin authentication requirement per blueprint.
2017-03-15 16:52:44 +00:00
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
def requires_auth():
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
request_helper.check_proxy_header_before_request()
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
auth_token = get_auth_token(request)
Improve text for error messages
2020-01-24 17:32:41 +00:00
issuer = __get_token_issuer(auth_token) # ie the `iss` claim which should be a service ID
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid.
2016-09-23 11:07:49 +01:00
try:
add more prometheus metrics Two new metrics: auth_db_connection_duration_seconds (histogram) wraps the first DB call of post notifications. This includes waiting to get a connection from the pool, and also making the actual request to the db to retrieve the service and api keys. (i'm not sure there's an easy way to separate these two things) post_notification_json_parse_duration_seconds wraps parsing the v2 post notifications json parsing and schema validation. Shouldn't include any async code
2020-06-15 16:19:00 +01:00
with AUTH_DB_CONNECTION_DURATION_SECONDS.time():
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
service = SerialisedService.from_id(issuer)
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid.
2016-09-23 11:07:49 +01:00
except DataError:
raise AuthError("Invalid token: service id is not the right data type", 403)
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
except NoResultFound:
raise AuthError("Invalid token: service not found", 403)
if not service.api_keys:
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
raise AuthError("Invalid token: service has no API keys", 403, service_id=service.id)
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
if not service.active:
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
raise AuthError("Invalid token: service is archived", 403, service_id=service.id)
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
for api_key in service.api_keys:
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
try:
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
decode_jwt_token(auth_token, api_key.secret)
except TokenExpiredError:
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
err_msg = "Error: Your system clock must be accurate to within 30 seconds"
raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id)
except TokenAlgorithmError:
err_msg = "Invalid token: algorithm used is not HS256"
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id)
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
except TokenDecodeError:
Improve text for error messages
2020-01-24 17:32:41 +00:00
# we attempted to validate the token but it failed meaning it was not signed using this api key.
# Let's try the next one
# TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions (which
# are children of `TokenDecodeError`) as these should cause an auth error immediately rather than
# continue on to check the next API key
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
continue
Catch previously uncaught jwt exceptions added in python client 5.5.0 This fixes the test in the previous commit and means we will catch other unexpected jwt errors which are now raised as `TokenError`s and raise an AuthError based on this. This will stop us serving 5xx to users when we don't catch an exception. Also runs make freeze-requirements
2020-01-24 17:29:43 +00:00
except TokenError:
Improve text for error messages
2020-01-24 17:32:41 +00:00
# General error when trying to decode and validate the token
raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403, service_id=service.id, api_key_id=api_key.id)
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
if api_key.expiry_date:
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
raise AuthError("Invalid token: API key revoked", 403, service_id=service.id, api_key_id=api_key.id)
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
g.service_id = service.id
Store the service we have used to authenticate the client API user against the request. We can then use this later - saving an extra DB query on every client facing API call - Note this doesn't affect admin calls which do not use the service from the api key, but use the one passed as part of the URL path.
2017-05-05 15:19:57 +01:00
_request_ctx_stack.top.authenticated_service = service
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
_request_ctx_stack.top.api_user = api_key
Update validators to use is_message_too_long() - update check_sms_content_char_count to use the SMSTemplate.is_message_too_long function, and updated the error message to align with the message returned by the admin app. - Update the the code used by version 1 of the api to use the validate_template method. - I did find a couple of services still using the old api, however, this change should not affect them as I checked the messages being sent and they are not too long. - We will be sending a message to them to see if they can upgrade. - Update the log message for authenication to include the URL - makes it easier to track if a service is using version 1 of the api.
2020-03-04 17:04:11 +00:00
current_app.logger.info('API authorised for service {} with api key {}, using issuer {} for URL: {}'.format(
log user agents on api call auth. this'll be useful for trying to figure out which services are using what
2017-12-14 17:12:26 +00:00
service.id,
api_key.id,
Update validators to use is_message_too_long() - update check_sms_content_char_count to use the SMSTemplate.is_message_too_long function, and updated the error message to align with the message returned by the admin app. - Update the the code used by version 1 of the api to use the validate_template method. - I did find a couple of services still using the old api, however, this change should not affect them as I checked the messages being sent and they are not too long. - We will be sending a message to them to see if they can upgrade. - Update the log message for authenication to include the URL - makes it easier to track if a service is using version 1 of the api.
2020-03-04 17:04:11 +00:00
request.headers.get('User-Agent'),
request.base_url
log user agents on api call auth. this'll be useful for trying to figure out which services are using what
2017-12-14 17:12:26 +00:00
))
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
return
else:
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
# service has API keys, but none matching the one the user provided
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError("Invalid token: API key not found", 403, service_id=service.id)
refactored the requires_auth handler to raise exceptions hopefully cleans up code flow and readability [a tiny bit]. raise an AuthException in auth.py, and catch it in errors.py to save on returning error_repsonse values throughout the function
2016-06-29 17:37:20 +01:00
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
def __get_token_issuer(auth_token):
try:
Improve text for error messages
2020-01-24 17:32:41 +00:00
issuer = get_token_issuer(auth_token)
Register a before_request event for all blueprints, that defines the authentication requirement. There are three authentication methods: - requires_no_auth - public endpoint that does not require an Authorisation header - requires_auth - public endpoints that need an API key in the Authorisation header - requires_admin_auth - private endpoint that requires an Authorisation header which contains the API key for the defined as the client admin user
2017-03-16 18:15:49 +00:00
except TokenIssuerError:
raise AuthError("Invalid token: iss field not provided", 403)
bump requirements, fix pyflake8 things, unpin botocore/awscli
2018-11-07 13:39:08 +00:00
except TokenDecodeError:
Improve text for error messages
2020-01-24 17:32:41 +00:00
raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403)
return issuer
Reference in New Issue Copy Permalink