darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-20 23:41:17 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
49352a4be17f44848bf13d233068f2011c3a4a0a
notifications-api/tests/app/authentication/test_authentication.py

365 lines
11 KiB
Python
Raw Normal View History

update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
import time
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
import uuid
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
import jwt
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
import pytest
broadcast flake8 cleanup
2022-10-25 11:53:24 -04:00
from flask import g, request
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
from notifications_python_client.authentication import create_jwt_token
Backfill missing tests for requires_auth function
2021-07-29 12:09:01 +01:00
from app import db
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
from app.authentication.auth import (
GENERAL_TOKEN_ERROR_MESSAGE,
AuthError,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token,
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token,
_get_token_issuer,
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
requires_auth,
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
requires_internal_auth,
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
)
code review feedback, fix setup.cfg and reformat
2023-08-25 08:10:33 -07:00
from app.dao.api_key_dao import expire_api_key, get_model_api_keys, get_unsigned_secrets
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
from app.dao.services_dao import dao_fetch_service_by_id
code review feedback, fix setup.cfg and reformat
2023-08-25 08:10:33 -07:00
from tests import create_admin_authorization_header, create_service_authorization_header
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
from tests.conftest import set_config_values
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
@pytest.fixture
def internal_jwt_token(notify_api):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
with set_config_values(
notify_api,
{
"INTERNAL_CLIENT_API_KEYS": {
"my-internal-app": ["my-internal-app-secret"],
}
},
):
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
yield create_jwt_token(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
client_id="my-internal-app", secret="my-internal-app-secret"
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
)
def requires_my_internal_app_auth():
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
requires_internal_auth("my-internal-app")
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
Rename "key" to "secret" for consistency While "key" is the term used by the JWT library, all the rest of our code - the ApiKey model, the Python client - all use the term "secret" instead. Although "secret" is less precise than "key", it does help avoid confusion with (api) key (as a model object).
2021-08-03 15:36:41 +01:00
def create_custom_jwt_token(headers=None, payload=None, secret=None):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
# code copied from notifications_python_client.authentication.py::create_jwt_token
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
headers = headers or {"typ": "JWT", "alg": "HS256"}
Rename "key" to "secret" for consistency While "key" is the term used by the JWT library, all the rest of our code - the ApiKey model, the Python client - all use the term "secret" instead. Although "secret" is less precise than "key", it does help avoid confusion with (api) key (as a model object).
2021-08-03 15:36:41 +01:00
return jwt.encode(payload=payload, key=secret or str(uuid.uuid4()), headers=headers)
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
@pytest.fixture
def service_jwt_secret(sample_api_key):
return get_unsigned_secrets(sample_api_key.service_id)[0]
@pytest.fixture
def service_jwt_token(sample_api_key, service_jwt_secret):
return create_jwt_token(
secret=service_jwt_secret,
client_id=str(sample_api_key.service_id),
)
DRY-up creating auth headers for requests The rest of the tests need to construct the header directly so they can pass custom tokens. But for the three tests that actually make a request to prove the auth functions work as wrappers, we can use the same factory functions we use everywhere else in the tests.
2021-08-04 15:24:49 +01:00
def test_requires_auth_should_allow_valid_token_for_request(client, sample_api_key):
header = create_service_authorization_header(sample_api_key.service_id)
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
response = client.get("/notifications", headers=[header])
Move happy path request-based tests to top of file We can simplify the rest of the tests to avoid the boilerplate of making an actual request. But it's worth keeping these two to prove the wrapper work correctly for an arbitrary route.
2021-07-29 11:00:10 +01:00
assert response.status_code == 200
Rename ADMIN_CLIENT_USER_NAME to say CLIENT_ID "user name" implies we're doing basic auth, which we're not. We should use the standard terminology for bearer tokens.
2021-07-29 12:18:10 +01:00
def test_requires_admin_auth_should_allow_valid_token_for_request(client):
DRY-up creating auth headers for requests The rest of the tests need to construct the header directly so they can pass custom tokens. But for the three tests that actually make a request to prove the auth functions work as wrappers, we can use the same factory functions we use everywhere else in the tests.
2021-08-04 15:24:49 +01:00
header = create_admin_authorization_header()
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
response = client.get("/service", headers=[header])
Move happy path request-based tests to top of file We can simplify the rest of the tests to avoid the boilerplate of making an actual request. But it's worth keeping these two to prove the wrapper work correctly for an arbitrary route.
2021-07-29 11:00:10 +01:00
assert response.status_code == 200
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_auth_token_should_not_allow_request_with_no_token(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {}
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token(request)
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert (
exc.value.short_message == "Unauthorized: authentication token must be provided"
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_auth_token_should_not_allow_request_with_incorrect_header(client):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Basic 1234"}
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token(request)
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert (
exc.value.short_message
== "Unauthorized: authentication bearer scheme must be used"
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
@pytest.mark.parametrize("scheme", ["bearer", "Bearer"])
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_auth_token_should_allow_valid_token(client, scheme):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
token = create_jwt_token(client_id="something", secret="secret")
request.headers = {"Authorization": "{} {}".format(scheme, token)}
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
assert _get_auth_token(request) == token
def test_get_token_issuer_should_not_allow_request_with_incorrect_token(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_token_issuer("Bearer 1234")
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == GENERAL_TOKEN_ERROR_MESSAGE
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_token_issuer_should_not_allow_request_with_no_iss(client):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
token = create_custom_jwt_token(payload={"iat": int(time.time())})
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_token_issuer(token)
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Invalid token: iss field not provided"
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_non_hs256_algorithm(client, sample_api_key):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
headers={"typ": "JWT", "alg": "HS512"},
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
payload={},
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Invalid token: algorithm used is not HS256"
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_no_iat(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
token = create_custom_jwt_token(payload={"iss": "something"})
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert exc.value.short_message == "Invalid token: API key not found"
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_old_iat(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
payload={"iss": "something", "iat": int(time.time()) - 60},
Rename "key" to "secret" for consistency While "key" is the term used by the JWT library, all the rest of our code - the ApiKey model, the Python client - all use the term "secret" instead. Although "secret" is less precise than "key", it does help avoid confusion with (api) key (as a model object).
2021-08-03 15:36:41 +01:00
secret=sample_api_key.secret,
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert (
exc.value.short_message
== "Error: Your system clock must be accurate to within 30 seconds"
)
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_extra_claims(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
sample_api_key,
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
payload={
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
"iss": "something",
"iat": int(time.time()),
"aud": "notifications.service.gov.uk", # extra claim that we don't support
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
},
Rename "key" to "secret" for consistency While "key" is the term used by the JWT library, all the rest of our code - the ApiKey model, the Python client - all use the term "secret" instead. Although "secret" is less precise than "key", it does help avoid confusion with (api) key (as a model object).
2021-08-03 15:36:41 +01:00
secret=sample_api_key.secret,
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Add test case for uncaught jwt exception
2020-01-24 17:25:49 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == GENERAL_TOKEN_ERROR_MESSAGE
Add test case for uncaught jwt exception
2020-01-24 17:25:49 +00:00
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
def test_decode_jwt_token_should_not_allow_invalid_secret(client, sample_api_key):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
token = create_jwt_token(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
secret="not-so-secret", client_id=str(sample_api_key.service_id)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
)
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
with pytest.raises(AuthError) as exc:
_decode_jwt_token(token, [sample_api_key])
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Invalid token: API key not found"
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_allow_multiple_api_keys(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
sample_test_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
token = create_jwt_token(
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
secret=sample_test_api_key.secret,
client_id=str(sample_test_api_key.service_id),
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
)
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
# successful if no error is raised
_decode_jwt_token(token, [sample_api_key, sample_test_api_key])
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_allow_some_expired_keys(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
sample_test_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
expire_api_key(sample_api_key.service_id, sample_api_key.id)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
token = create_jwt_token(
secret=sample_test_api_key.secret,
client_id=str(sample_test_api_key.service_id),
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
# successful if no error is raised
_decode_jwt_token(token, [sample_api_key, sample_test_api_key])
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_errors_when_all_api_keys_are_expired(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
sample_test_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
expire_api_key(sample_api_key.service_id, sample_api_key.id)
expire_api_key(sample_test_api_key.service_id, sample_test_api_key.id)
Support granular API auth for internal apps Previously we just had a single array of API keys / secrets, any of which could be used to get past the "requires_admin_auth" check. While multiple keys are necessary to allow for rotation, we should avoid giving other apps access this way (too much privilege). This converts the existing config vars into a new dictionary, keyed by client_id. We can then use the dictionary to scope auth for new API consumers like gov.uk/alerts to just the endpoints they need to access, while maintaining existing access for the Admin app. Once the new dictionary is available as a JSON environment variable, we'll be able to remove the old credentials / config. In the next commits, we'll look at more tests for the new functionality.
2021-07-26 16:45:10 +01:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
token = create_jwt_token(
secret=sample_test_api_key.secret,
client_id=str(sample_test_api_key.service_id),
)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
with pytest.raises(AuthError) as exc:
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
_decode_jwt_token(
token, [sample_api_key, sample_test_api_key], service_id="1234"
)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Invalid token: API key revoked"
assert exc.value.service_id == "1234"
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
assert exc.value.api_key_id == sample_test_api_key.id
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_returns_error_with_no_secrets(client):
with pytest.raises(AuthError) as exc:
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
_decode_jwt_token("token", [])
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
assert exc.value.short_message == "Invalid token: API key not found"
Allow services to have multiple api keys. /service/<service_id>/api-key/renew has been renamed to /service/<service_id>/api-key /service/<service_id>/api-key now creates a token and no longer expires the existing api key. Moved test for this endpoint to it's own file.
2016-01-20 10:57:46 +00:00
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
@pytest.mark.parametrize("service_id", ["not-a-valid-id", 1234])
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_requires_auth_should_not_allow_service_id_with_the_wrong_data_type(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
client, service_jwt_secret, service_id
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
token = create_jwt_token(
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
client_id=service_id,
secret=service_jwt_secret,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
)
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(token)}
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
with pytest.raises(AuthError) as exc:
requires_auth()
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert (
exc.value.short_message
== "Invalid token: service id is not the right data type"
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
def test_requires_auth_returns_error_when_service_doesnt_exist(client, sample_api_key):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
# get service ID and secret the wrong way around
token = create_jwt_token(
secret=str(sample_api_key.service_id),
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
client_id=str(sample_api_key.id),
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
)
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(token)}
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
with pytest.raises(AuthError) as exc:
requires_auth()
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Invalid token: service not found"
Add a test for auth-ing with non-existant service If you create a token signed with a service ID that doesn’t exist, you will get an error (as you should). However we didn’t have a test that explicitly checks for this. This commit adds one.
2016-09-16 08:36:44 +01:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_returns_error_when_service_inactive(
client,
sample_api_key,
service_jwt_token,
):
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
sample_api_key.service.active = False
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(service_jwt_token)}
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
with pytest.raises(AuthError) as exc:
requires_auth()
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Invalid token: service is archived"
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
Backfill missing tests for requires_auth function
2021-07-29 12:09:01 +01:00
def test_requires_auth_should_assign_global_variables(
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
client,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
sample_api_key,
service_jwt_token,
):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(service_jwt_token)}
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
requires_auth()
Backfill missing tests for requires_auth function
2021-07-29 12:09:01 +01:00
assert g.api_user.id == sample_api_key.id
assert g.service_id == sample_api_key.service_id
assert g.authenticated_service.id == str(sample_api_key.service_id)
def test_requires_auth_errors_if_service_has_no_api_keys(
client,
sample_api_key,
service_jwt_token,
):
db.session.delete(sample_api_key)
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(service_jwt_token)}
Backfill missing tests for requires_auth function
2021-07-29 12:09:01 +01:00
with pytest.raises(AuthError) as exc:
requires_auth()
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Invalid token: service has no API keys"
Fix bug with expired token error response
2016-07-22 15:10:37 +01:00
Colocate requires_auth test with the others This is to help minimise the diff for the next commit.
2021-07-29 11:55:04 +01:00
def test_requires_auth_should_cache_service_and_api_key_lookups(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
mocker, client, service_jwt_token
Colocate requires_auth test with the others This is to help minimise the diff for the next commit.
2021-07-29 11:55:04 +01:00
):
mock_get_api_keys = mocker.patch(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
"app.serialised_models.get_model_api_keys",
Colocate requires_auth test with the others This is to help minimise the diff for the next commit.
2021-07-29 11:55:04 +01:00
wraps=get_model_api_keys,
)
mock_get_service = mocker.patch(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
"app.serialised_models.dao_fetch_service_by_id",
Colocate requires_auth test with the others This is to help minimise the diff for the next commit.
2021-07-29 11:55:04 +01:00
wraps=dao_fetch_service_by_id,
)
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": f"Bearer {service_jwt_token}"}
Colocate requires_auth test with the others This is to help minimise the diff for the next commit.
2021-07-29 11:55:04 +01:00
requires_auth()
requires_auth() # second request
mock_get_api_keys.assert_called_once()
mock_get_service.assert_called_once()
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
def test_requires_internal_auth_checks_proxy_key(
client,
mocker,
internal_jwt_token,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
proxy_check_mock = mocker.patch(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
"app.authentication.auth.request_helper.check_proxy_header_before_request"
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
)
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(internal_jwt_token)}
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
requires_my_internal_app_auth()
proxy_check_mock.assert_called_once()
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
def test_requires_internal_auth_errors_for_unknown_app(client):
with pytest.raises(TypeError) as exc:
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
requires_internal_auth("another-app")
assert str(exc.value) == "Unknown client_id for internal auth"
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
def test_requires_internal_auth_errors_for_api_app_mismatch(
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
client, internal_jwt_token, service_jwt_token
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(service_jwt_token)}
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
with pytest.raises(AuthError) as exc:
requires_my_internal_app_auth()
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert exc.value.short_message == "Unauthorized: not allowed to perform this action"
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
def test_requires_internal_auth_sets_global_variables(
client,
internal_jwt_token,
):
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
request.headers = {"Authorization": "Bearer {}".format(internal_jwt_token)}
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
requires_my_internal_app_auth()
notify-api-412 use black to enforce python style standards
2023-08-23 10:35:43 -07:00
assert g.service_id == "my-internal-app"
Reference in New Issue Copy Permalink