darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-21 07:51:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
4b7ad89f6ae755b04d6a63081f1a5dda6c65a1f0
notifications-api/tests/app/authentication/test_authentication.py

384 lines
12 KiB
Python
Raw Normal View History

update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
import time
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
import uuid
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
import jwt
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
import pytest
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
from flask import current_app, g, request
attach api_key to app we previously attached the service id and the key's secret also more refactoring of auth.py
2016-06-29 16:33:02 +01:00
from notifications_python_client.authentication import create_jwt_token
Backfill missing tests for requires_auth function
2021-07-29 12:09:01 +01:00
from app import db
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
from app.authentication.auth import (
GENERAL_TOKEN_ERROR_MESSAGE,
AuthError,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token,
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token,
_get_token_issuer,
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
requires_auth,
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
requires_internal_auth,
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
)
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
from app.dao.api_key_dao import (
expire_api_key,
get_model_api_keys,
Run auto-correct on app/ and tests/
2021-03-10 13:55:06 +00:00
get_unsigned_secrets,
Revert "Revert "Merge pull request #2887 from alphagov/cache-the-serialised-things"" This reverts commit 7e85e37e1d0cbff0a22db0847111fbb13f44d7f2.
2020-06-26 14:10:12 +01:00
)
from app.dao.services_dao import dao_fetch_service_by_id
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
from tests.conftest import set_config_values
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
@pytest.fixture
def internal_jwt_token(notify_api):
with set_config_values(notify_api, {
'INTERNAL_CLIENT_API_KEYS': {
'my-internal-app': ['my-internal-app-secret'],
}
}):
yield create_jwt_token(
client_id='my-internal-app',
secret='my-internal-app-secret'
)
def requires_my_internal_app_auth():
requires_internal_auth('my-internal-app')
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
def create_custom_jwt_token(headers=None, payload=None, key=None):
# code copied from notifications_python_client.authentication.py::create_jwt_token
headers = headers or {"typ": 'JWT', "alg": 'HS256'}
return jwt.encode(payload=payload, key=key or str(uuid.uuid4()), headers=headers)
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
@pytest.fixture
def service_jwt_secret(sample_api_key):
return get_unsigned_secrets(sample_api_key.service_id)[0]
@pytest.fixture
def service_jwt_token(sample_api_key, service_jwt_secret):
return create_jwt_token(
secret=service_jwt_secret,
client_id=str(sample_api_key.service_id),
)
Rename ADMIN_CLIENT_USER_NAME to say CLIENT_ID "user name" implies we're doing basic auth, which we're not. We should use the standard terminology for bearer tokens.
2021-07-29 12:18:10 +01:00
def test_requires_auth_should_allow_valid_token_for_request(
Move happy path request-based tests to top of file We can simplify the rest of the tests to avoid the boilerplate of making an actual request. But it's worth keeping these two to prove the wrapper work correctly for an arbitrary route.
2021-07-29 11:00:10 +01:00
client,
service_jwt_token,
):
response = client.get('/notifications', headers={'Authorization': 'Bearer {}'.format(service_jwt_token)})
assert response.status_code == 200
Rename ADMIN_CLIENT_USER_NAME to say CLIENT_ID "user name" implies we're doing basic auth, which we're not. We should use the standard terminology for bearer tokens.
2021-07-29 12:18:10 +01:00
def test_requires_admin_auth_should_allow_valid_token_for_request(client):
admin_jwt_client_id = current_app.config['ADMIN_CLIENT_ID']
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
admin_jwt_secret = current_app.config['INTERNAL_CLIENT_API_KEYS'][admin_jwt_client_id][0]
admin_jwt_token = create_jwt_token(admin_jwt_secret, admin_jwt_client_id)
Move happy path request-based tests to top of file We can simplify the rest of the tests to avoid the boilerplate of making an actual request. But it's worth keeping these two to prove the wrapper work correctly for an arbitrary route.
2021-07-29 11:00:10 +01:00
response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(admin_jwt_token)})
assert response.status_code == 200
Add pretend authenticated API for govuk-alerts We can define the API properly in future work. I've used a separate blueprint from "broadcasts" since this API is purely internal, and it's helpful to make it clear it's specific to govuk-alerts.
2021-07-29 12:25:28 +01:00
def test_requires_govuk_alerts_auth_should_allow_valid_token_for_request(client):
govuk_alerts_jwt_client_id = current_app.config['GOVUK_ALERTS_CLIENT_ID']
govuk_alerts_jwt_secret = current_app.config['INTERNAL_CLIENT_API_KEYS'][govuk_alerts_jwt_client_id][0]
govuk_alerts_jwt_token = create_jwt_token(govuk_alerts_jwt_secret, govuk_alerts_jwt_client_id)
response = client.get('/v2/govuk-alerts', headers={'Authorization': 'Bearer {}'.format(govuk_alerts_jwt_token)})
assert response.status_code == 200
Move happy path request-based tests to top of file We can simplify the rest of the tests to avoid the boilerplate of making an actual request. But it's worth keeping these two to prove the wrapper work correctly for an arbitrary route.
2021-07-29 11:00:10 +01:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_auth_token_should_not_allow_request_with_no_token(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {}
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token(request)
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == 'Unauthorized: authentication token must be provided'
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_auth_token_should_not_allow_request_with_incorrect_header(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
request.headers = {'Authorization': 'Basic 1234'}
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_auth_token(request)
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == 'Unauthorized: authentication bearer scheme must be used'
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
@pytest.mark.parametrize('scheme', ['bearer', 'Bearer'])
def test_get_auth_token_should_allow_valid_token(client, scheme):
token = create_jwt_token(client_id='something', secret='secret')
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
request.headers = {'Authorization': '{} {}'.format(scheme, token)}
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
assert _get_auth_token(request) == token
def test_get_token_issuer_should_not_allow_request_with_incorrect_token(client):
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_token_issuer("Bearer 1234")
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == GENERAL_TOKEN_ERROR_MESSAGE
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
def test_get_token_issuer_should_not_allow_request_with_no_iss(client):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
payload={'iat': int(time.time())}
)
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
with pytest.raises(AuthError) as exc:
Simplify tests for get auth token / issuer This switches to testing the two functions directly as trying to test them through the top-level "requires_..." functions or calls to endpoints doesn't scale as we add more of them. While this has a slight risk that a "requires_..." function might not be using these helpers, it seems unlikely and we can always add a mock to check this if we're concerned in future.
2021-07-28 13:55:55 +01:00
_get_token_issuer(token)
log service id and api key id during auth example log line: ``` API AuthError: AuthError({'token': ['Invalid token: signature, api token is not valid']}, 403, service_id=3e1ed7ea-8a05-4b4e-93ec-d7bebfea6cae, api_key_id=None)" ```
2017-12-12 18:13:31 +00:00
assert exc.value.short_message == 'Invalid token: iss field not provided'
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_non_hs256_algorithm(client, sample_api_key):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
headers={"typ": 'JWT', "alg": 'HS512'},
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
payload={},
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
Catch `TokenAlgorithmError` Instead of letting it go uncaught and causing an error, we now show the user an appropriate error message.
2019-12-11 16:04:38 +00:00
assert exc.value.short_message == 'Invalid token: algorithm used is not HS256'
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_no_iat(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
payload={'iss': 'something'}
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
update tests to use new response messages while it doesn't strictly make sense for the error situations, these are not typical end user errors - they're about malformed requests. The typical use case is "api key was revoked" or similar - so that should be the default error message
2017-12-14 17:03:46 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert exc.value.short_message == "Invalid token: API key not found"
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_old_iat(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
payload={'iss': 'something', 'iat': int(time.time()) - 60},
key=sample_api_key.secret,
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
Standardise auth checks for both kinds of API auth Previously "requires_auth" and "requires_admin_auth" had similar but different ways of checking their keys. This switches them to use the same checks, with the admin / internal auth passing in a fake / stub set of "api keys" to check. Pulling out the logic this way will make it easier to unpick the tests, so we can focus on testing what's unique to each kind of API auth and avoid future duplication when we start calling the "requires_internal_auth" method with other client_ids. Note that a couple of error messages / response codes have changed for admin / internal auth. None of these occur in practice, so we can make them consistent with the behaviour for the public API.
2021-07-27 18:04:12 +01:00
assert exc.value.short_message == "Error: Your system clock must be accurate to within 30 seconds"
update python client to 2.0.0 this is to prevent 500 errors because <2.0.0 raised AssertionError if supplied JWT tokens were incorrectly formatted tests added
2016-11-03 17:05:25 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_extra_claims(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
sample_api_key,
):
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
token = create_custom_jwt_token(
payload={
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
'iss': 'something',
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
'iat': int(time.time()),
'aud': 'notifications.service.gov.uk' # extra claim that we don't support
},
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
key=sample_api_key.secret,
DRY-up creating JWT tokens manually in auth tests This makes it a bit easier to see what tests are missing.
2021-07-27 15:07:00 +01:00
)
Add test case for uncaught jwt exception
2020-01-24 17:25:49 +00:00
with pytest.raises(AuthError) as exc:
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
_decode_jwt_token(token, [sample_api_key])
Improve text for error messages
2020-01-24 17:32:41 +00:00
assert exc.value.short_message == GENERAL_TOKEN_ERROR_MESSAGE
Add test case for uncaught jwt exception
2020-01-24 17:25:49 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_not_allow_invalid_secret(
client,
sample_api_key
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
token = create_jwt_token(
secret="not-so-secret",
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
client_id=str(sample_api_key.service_id)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
)
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
with pytest.raises(AuthError) as exc:
_decode_jwt_token(token, [sample_api_key])
assert exc.value.short_message == 'Invalid token: API key not found'
Added the before_request so that all calls must have a valid token. Next is to get all the rest tests to pass again.
2016-01-14 17:45:30 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_allow_multiple_api_keys(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
sample_test_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
token = create_jwt_token(
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
secret=sample_test_api_key.secret,
client_id=str(sample_test_api_key.service_id),
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
)
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
# successful if no error is raised
_decode_jwt_token(token, [sample_api_key, sample_test_api_key])
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_should_allow_some_expired_keys(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
sample_test_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
expire_api_key(sample_api_key.service_id, sample_api_key.id)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
token = create_jwt_token(
secret=sample_test_api_key.secret,
client_id=str(sample_test_api_key.service_id),
)
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
# successful if no error is raised
_decode_jwt_token(token, [sample_api_key, sample_test_api_key])
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_errors_when_all_api_keys_are_expired(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
sample_api_key,
sample_test_api_key,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
expire_api_key(sample_api_key.service_id, sample_api_key.id)
expire_api_key(sample_test_api_key.service_id, sample_test_api_key.id)
Support granular API auth for internal apps Previously we just had a single array of API keys / secrets, any of which could be used to get past the "requires_admin_auth" check. While multiple keys are necessary to allow for rotation, we should avoid giving other apps access this way (too much privilege). This converts the existing config vars into a new dictionary, keyed by client_id. We can then use the dictionary to scope auth for new API consumers like gov.uk/alerts to just the endpoints they need to access, while maintaining existing access for the Admin app. Once the new dictionary is available as a JSON environment variable, we'll be able to remove the old credentials / config. In the next commits, we'll look at more tests for the new functionality.
2021-07-26 16:45:10 +01:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
token = create_jwt_token(
secret=sample_test_api_key.secret,
client_id=str(sample_test_api_key.service_id),
)
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
with pytest.raises(AuthError) as exc:
_decode_jwt_token(token, [sample_api_key, sample_test_api_key], service_id='1234')
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
assert exc.value.short_message == 'Invalid token: API key revoked'
assert exc.value.service_id == '1234'
assert exc.value.api_key_id == sample_test_api_key.id
Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT).
2020-02-19 17:50:00 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
def test_decode_jwt_token_returns_error_with_no_secrets(client):
with pytest.raises(AuthError) as exc:
_decode_jwt_token('token', [])
assert exc.value.short_message == "Invalid token: API key not found"
Allow services to have multiple api keys. /service/<service_id>/api-key/renew has been renamed to /service/<service_id>/api-key /service/<service_id>/api-key now creates a token and no longer expires the existing api key. Moved test for this endpoint to it's own file.
2016-01-20 10:57:46 +00:00
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
@pytest.mark.parametrize('service_id', ['not-a-valid-id', 1234])
def test_requires_auth_should_not_allow_service_id_with_the_wrong_data_type(
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
client,
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
service_jwt_secret,
service_id
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
token = create_jwt_token(
DRY-up tests for decoding JWT tokens Previously we had a lot of duplicate tests inconsistently checking each of the "requires_" functions. Since both of them now use the same "_decode_jwt_token" helper, we can consolidate all the tests onto that. In future commits we'll look at testing the top-level functions in terms of what they do specifically.
2021-07-28 17:32:23 +01:00
client_id=service_id,
secret=service_jwt_secret,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
)
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
request.headers = {'Authorization': "Bearer {}".format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert exc.value.short_message == 'Invalid token: service id is not the right data type'
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_returns_error_when_service_doesnt_exist(
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
client,
Improve the error message when the service id is not the right data type. Improve the error message is the api key is not valid.
2016-09-23 11:07:49 +01:00
sample_api_key
Add a test for auth-ing with non-existant service If you create a token signed with a service ID that doesn’t exist, you will get an error (as you should). However we didn’t have a test that explicitly checks for this. This commit adds one.
2016-09-16 08:36:44 +01:00
):
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
# get service ID and secret the wrong way around
token = create_jwt_token(
secret=str(sample_api_key.service_id),
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
client_id=str(sample_api_key.id),
First attempt at securing the endpoints. Started with adding a before_request event to the service_blueprint, which executes the requires_admin_auth method rather than the require_auth method. Obviously this is not done but want to get this in front of people to get an opinion.
2017-03-16 10:42:45 +00:00
)
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
request.headers = {'Authorization': 'Bearer {}'.format(token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert exc.value.short_message == 'Invalid token: service not found'
Add a test for auth-ing with non-existant service If you create a token signed with a service ID that doesn’t exist, you will get an error (as you should). However we didn’t have a test that explicitly checks for this. This commit adds one.
2016-09-16 08:36:44 +01:00
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
def test_requires_auth_returns_error_when_service_inactive(
client,
sample_api_key,
service_jwt_token,
):
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
sample_api_key.service.active = False
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
request.headers = {'Authorization': 'Bearer {}'.format(service_jwt_token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert exc.value.short_message == 'Invalid token: service is archived'
add check for inactive services to auth handler cleaned up some auth code to marginally improve efficiency of error checking and hopefully make it easier to read fixed some incorrect auth headers in the deactivate tests
2016-11-10 11:07:12 +00:00
Backfill missing tests for requires_auth function
2021-07-29 12:09:01 +01:00
def test_requires_auth_should_assign_global_variables(
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
client,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
sample_api_key,
service_jwt_token,
):
Rewrite other requires_auth tests to call function This makes the tests easier to read by avoiding request boilerplate and making a clearer link between the name of the test and that we are actually testing that specific function.
2021-07-29 11:18:43 +01:00
request.headers = {'Authorization': 'Bearer {}'.format(service_jwt_token)}
requires_auth()
Backfill missing tests for requires_auth function
2021-07-29 12:09:01 +01:00
assert g.api_user.id == sample_api_key.id
assert g.service_id == sample_api_key.service_id
assert g.authenticated_service.id == str(sample_api_key.service_id)
def test_requires_auth_errors_if_service_has_no_api_keys(
client,
sample_api_key,
service_jwt_token,
):
db.session.delete(sample_api_key)
request.headers = {'Authorization': 'Bearer {}'.format(service_jwt_token)}
with pytest.raises(AuthError) as exc:
requires_auth()
assert exc.value.short_message == 'Invalid token: service has no API keys'
Fix bug with expired token error response
2016-07-22 15:10:37 +01:00
Colocate requires_auth test with the others This is to help minimise the diff for the next commit.
2021-07-29 11:55:04 +01:00
def test_requires_auth_should_cache_service_and_api_key_lookups(
mocker,
client,
service_jwt_token
):
mock_get_api_keys = mocker.patch(
'app.serialised_models.get_model_api_keys',
wraps=get_model_api_keys,
)
mock_get_service = mocker.patch(
'app.serialised_models.dao_fetch_service_by_id',
wraps=dao_fetch_service_by_id,
)
request.headers = {'Authorization': f'Bearer {service_jwt_token}'}
requires_auth()
requires_auth() # second request
mock_get_api_keys.assert_called_once()
mock_get_service.assert_called_once()
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
def test_requires_internal_auth_checks_proxy_key(
client,
mocker,
internal_jwt_token,
DRY-up and simplify creating JWT tokens in tests Previously this was heavily duplicated but with the odd test using a __create_token method. This adds some fixtures to remove all the boilerplate and standardise how tokens are created in each test.
2021-07-27 17:25:22 +01:00
):
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
proxy_check_mock = mocker.patch(
'app.authentication.auth.request_helper.check_proxy_header_before_request'
)
request.headers = {'Authorization': 'Bearer {}'.format(internal_jwt_token)}
requires_my_internal_app_auth()
proxy_check_mock.assert_called_once()
Move proxy header check to auth-requiring endpoints The main drive behind this is to allow us to enable http healthchecks on the `/_status` endpoint. The healthcheck requests are happening directly on the instances without going to the proxy to get the header properly set. In any case, endpoints like `/_status` should be generally accessible by anything without requiring any form of authorization.
2018-03-27 17:37:09 +01:00
Rewrite requires_admin_auth tests to be generic This adds previously missing tests and changes the existing ones to test the "requires_internal_auth" function directly. In order to make the tests generic, we have a fake auth function and an associated fixture. Having generic tests for internal auth will make it easier to add other "requires..." functions in future.
2021-07-29 11:52:25 +01:00
def test_requires_internal_auth_errors_for_unknown_app(client):
with pytest.raises(TypeError) as exc:
requires_internal_auth('another-app')
assert str(exc.value) == 'Unknown client_id for internal auth'
def test_requires_internal_auth_errors_for_api_app_mismatch(
client,
internal_jwt_token,
service_jwt_token
):
request.headers = {'Authorization': 'Bearer {}'.format(service_jwt_token)}
with pytest.raises(AuthError) as exc:
requires_my_internal_app_auth()
assert exc.value.short_message == 'Unauthorized: not allowed to perform this action'
def test_requires_internal_auth_sets_global_variables(
client,
internal_jwt_token,
):
request.headers = {'Authorization': 'Bearer {}'.format(internal_jwt_token)}
requires_my_internal_app_auth()
assert g.service_id == 'my-internal-app'
Reference in New Issue Copy Permalink