darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-22 16:31:15 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
a1e539e785c4ef7f10c6ad7e5afaf711a80b00e8
notifications-api/tests/app/v2/broadcast/test_post_broadcast.py

164 lines
5.6 KiB
Python
Raw Normal View History

Handle XML files that have a declaration `lxml` wants its input in bytes: > XML is explicitly defined as a stream of bytes. It's not Unicode text. > […] rule number one: do not decode your XML data yourself. – https://lxml.de/FAQ.html#why-can-t-lxml-parse-my-xml-from-unicode-strings It will accept strings unless, unless the document contains a declaration[1] with an `encoding` attribute. Then it will refuse to parse the document and raises a `ValueError`[2]. We can get fix this by passing `lxml` the bytes from the request, rather than the decoded text. 1. > XML documents may begin with an XML declaration that describes some > information about themselves. An example is > `<?xml version="1.0" encoding="UTF-8"?>`. – https://en.wikipedia.org/wiki/XML#XML_declaration 2. See an example of this exception being raised in production here: https://kibana.logit.io/s/9423a789-282c-4113-908d-0be3b1bc9d1d/app/kibana#/doc/logstash-*/logstash-2021.02.05/syslog?id=AXdzfZVz5ZSa5DKpJiYd&_g=()
2021-02-08 08:50:51 +00:00
import pytest
Add public API endpoint to create emergency alerts We know there is at least one system which wants to integrate with Notify to send out emergency alerts, rather than creating them manually. This commit adds an endpoint to the public API to let them do that. To start with we’ll just let the system create them in a single call, meaning they still have to be approved manually. This reduces the risk of an attacker being able to broadcast an alert via the API, should the other system be compromised. We’ve worked with the owners of the other system to define which fields we should care about initially.
2021-01-18 10:01:44 +00:00
from flask import json
from freezegun import freeze_time
from tests import create_authorization_header
from unittest.mock import ANY
Accept CAP XML This commit makes the existing endpoint also accept CAP XML, should the appropriate `Content-Type` header be set. It uses the translation code we added in a previous commit to convert the CAP to a dict. We can then validate that dict against with the JSON schema to ensure it’s something we can work with.
2021-01-18 10:01:46 +00:00
from . import sample_cap_xml_documents
Set broadcast message to stubbed when posting broadcast via API
2021-02-08 19:08:43 +00:00
from app.dao.broadcast_message_dao import dao_get_broadcast_message_by_id_and_service_id
Add public API endpoint to create emergency alerts We know there is at least one system which wants to integrate with Notify to send out emergency alerts, rather than creating them manually. This commit adds an endpoint to the public API to let them do that. To start with we’ll just let the system create them in a single call, meaning they still have to be approved manually. This reduces the risk of an attacker being able to broadcast an alert via the API, should the other system be compromised. We’ve worked with the owners of the other system to define which fields we should care about initially.
2021-01-18 10:01:44 +00:00
def test_broadcast_for_service_without_permission_returns_400(
client,
sample_service,
):
auth_header = create_authorization_header(service_id=sample_service.id)
response = client.post(
path='/v2/broadcast',
data='',
headers=[('Content-Type', 'application/json'), auth_header],
)
assert response.status_code == 400
assert response.get_json()['errors'][0]['message'] == (
'Service is not allowed to send broadcast messages'
)
def test_valid_post_broadcast_returns_201(
client,
sample_broadcast_service,
):
auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
response = client.post(
path='/v2/broadcast',
data=json.dumps({
'content': 'This is a test',
'reference': 'abc123',
Validate broadcast against schema This commit adds a JSONSchema which can validate the fields in an API call to create a broadcast. It takes the CAP XML schema as a starting point.
2021-01-18 10:01:44 +00:00
'category': 'Other',
'areas': [
{
Simplify polygons before storing them We’re going to let people pass in fairly complex polygons, but: - we don’t want to store massive polygons - we don’t want to pass the CBCs massive polygons So this commit adds a step to simplify the polygons before storing them. We think it’s best for us to do this because: - writing code to do polygon simplification is non-trivial, and we don’t want to make all potential integrators do it - the simplification we’ve developed is domain-specific to emergency alerting, so should throw away less information than There’s a bit more detail about how we simplify polygons in https://github.com/alphagov/notifications-admin/pull/3590/files
2021-01-20 16:07:19 +00:00
'name': 'Hackney Marshes',
Validate broadcast against schema This commit adds a JSONSchema which can validate the fields in an API call to create a broadcast. It takes the CAP XML schema as a starting point.
2021-01-18 10:01:44 +00:00
'polygons': [[
Simplify polygons before storing them We’re going to let people pass in fairly complex polygons, but: - we don’t want to store massive polygons - we don’t want to pass the CBCs massive polygons So this commit adds a step to simplify the polygons before storing them. We think it’s best for us to do this because: - writing code to do polygon simplification is non-trivial, and we don’t want to make all potential integrators do it - the simplification we’ve developed is domain-specific to emergency alerting, so should throw away less information than There’s a bit more detail about how we simplify polygons in https://github.com/alphagov/notifications-admin/pull/3590/files
2021-01-20 16:07:19 +00:00
[-0.038280487060546875, 51.55738264619775],
[-0.03184318542480469, 51.553913882566754],
[-0.023174285888671875, 51.55812972989382],
[-0.023174285888671999, 51.55812972989999],
[-0.029869079589843747, 51.56165153059717],
[-0.038280487060546875, 51.55738264619775],
Validate broadcast against schema This commit adds a JSONSchema which can validate the fields in an API call to create a broadcast. It takes the CAP XML schema as a starting point.
2021-01-18 10:01:44 +00:00
]],
},
],
Add public API endpoint to create emergency alerts We know there is at least one system which wants to integrate with Notify to send out emergency alerts, rather than creating them manually. This commit adds an endpoint to the public API to let them do that. To start with we’ll just let the system create them in a single call, meaning they still have to be approved manually. This reduces the risk of an attacker being able to broadcast an alert via the API, should the other system be compromised. We’ve worked with the owners of the other system to define which fields we should care about initially.
2021-01-18 10:01:44 +00:00
}),
headers=[('Content-Type', 'application/json'), auth_header],
)
Use correct HTTP status code for bad content type 415 is the status code for ‘Unsupported media type’ https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/415
2021-01-26 12:01:10 +00:00
assert response.status_code == 415
Don’t allow broadcasts to be created from JSON Until we know we’re going to have real users for this, let’s not expose it.
2021-01-26 12:00:19 +00:00
assert json.loads(response.get_data(as_text=True)) == {
'errors': [{
'error': 'BadRequestError',
'message': 'Content type application/json not supported'
}],
Use correct HTTP status code for bad content type 415 is the status code for ‘Unsupported media type’ https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/415
2021-01-26 12:01:10 +00:00
'status_code': 415,
Don’t allow broadcasts to be created from JSON Until we know we’re going to have real users for this, let’s not expose it.
2021-01-26 12:00:19 +00:00
}
Accept CAP XML This commit makes the existing endpoint also accept CAP XML, should the appropriate `Content-Type` header be set. It uses the translation code we added in a previous commit to convert the CAP to a dict. We can then validate that dict against with the JSON schema to ensure it’s something we can work with.
2021-01-18 10:01:46 +00:00
def test_valid_post_cap_xml_broadcast_returns_201(
client,
sample_broadcast_service,
):
auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
response = client.post(
path='/v2/broadcast',
data=sample_cap_xml_documents.WAINFLEET,
headers=[('Content-Type', 'application/cap+xml'), auth_header],
)
assert response.status_code == 201
response_json = json.loads(response.get_data(as_text=True))
assert response_json['approved_at'] is None
assert response_json['approved_by_id'] == None
assert response_json['areas'] == [
'River Steeping in Wainfleet All Saints'
]
assert response_json['cancelled_at'] == None
assert response_json['cancelled_by_id'] == None
assert response_json['content'].startswith(
'A severe flood warning has been issued. Storm Dennis'
)
assert response_json['content'].endswith(
'closely monitoring the situation throughout the night. '
)
assert response_json['reference'] == '50385fcb0ab7aa447bbd46d848ce8466E'
assert response_json['created_at'] # datetime generated by the DB so cant freeze it
assert response_json['created_by_id'] == None
assert response_json['finishes_at'] is None
assert response_json['id'] == ANY
assert response_json['personalisation'] is None
assert response_json['service_id'] == str(sample_broadcast_service.id)
assert len(response_json['simple_polygons']) == 1
Simplify polygons before storing them We’re going to let people pass in fairly complex polygons, but: - we don’t want to store massive polygons - we don’t want to pass the CBCs massive polygons So this commit adds a step to simplify the polygons before storing them. We think it’s best for us to do this because: - writing code to do polygon simplification is non-trivial, and we don’t want to make all potential integrators do it - the simplification we’ve developed is domain-specific to emergency alerting, so should throw away less information than There’s a bit more detail about how we simplify polygons in https://github.com/alphagov/notifications-admin/pull/3590/files
2021-01-20 16:07:19 +00:00
assert len(response_json['simple_polygons'][0]) == 23
assert response_json['simple_polygons'][0][0] == [53.10561946699971, 0.2441253049430708]
assert response_json['simple_polygons'][0][-1] == [53.10561946699971, 0.2441253049430708]
Accept CAP XML This commit makes the existing endpoint also accept CAP XML, should the appropriate `Content-Type` header be set. It uses the translation code we added in a previous commit to convert the CAP to a dict. We can then validate that dict against with the JSON schema to ensure it’s something we can work with.
2021-01-18 10:01:46 +00:00
assert response_json['starts_at'] is None
assert response_json['status'] == 'pending-approval'
assert response_json['template_id'] is None
assert response_json['template_name'] is None
assert response_json['template_version'] is None
assert response_json['updated_at'] is None
Validate CAP against the spec This gives us some extra confidence that there aren’t any problems with the data we’re getting from the other service. It doesn’t address any specific problems we’ve seen, rather it seems like a sensible precaution to take.
2021-01-18 10:01:47 +00:00
Set broadcast message to stubbed when posting broadcast via API
2021-02-08 19:08:43 +00:00
@pytest.mark.parametrize("training_mode_service", [True, False])
def test_valid_post_cap_xml_broadcast_sets_stubbed_to_true_for_training_mode_services(
client,
sample_broadcast_service,
training_mode_service
):
sample_broadcast_service.restricted = training_mode_service
auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
response = client.post(
path='/v2/broadcast',
data=sample_cap_xml_documents.WAINFLEET,
headers=[('Content-Type', 'application/cap+xml'), auth_header],
)
assert response.status_code == 201
response_json = json.loads(response.get_data(as_text=True))
broadcast_message = dao_get_broadcast_message_by_id_and_service_id(
response_json['id'], sample_broadcast_service.id
)
assert broadcast_message.stubbed == training_mode_service
Handle XML files that have a declaration `lxml` wants its input in bytes: > XML is explicitly defined as a stream of bytes. It's not Unicode text. > […] rule number one: do not decode your XML data yourself. – https://lxml.de/FAQ.html#why-can-t-lxml-parse-my-xml-from-unicode-strings It will accept strings unless, unless the document contains a declaration[1] with an `encoding` attribute. Then it will refuse to parse the document and raises a `ValueError`[2]. We can get fix this by passing `lxml` the bytes from the request, rather than the decoded text. 1. > XML documents may begin with an XML declaration that describes some > information about themselves. An example is > `<?xml version="1.0" encoding="UTF-8"?>`. – https://en.wikipedia.org/wiki/XML#XML_declaration 2. See an example of this exception being raised in production here: https://kibana.logit.io/s/9423a789-282c-4113-908d-0be3b1bc9d1d/app/kibana#/doc/logstash-*/logstash-2021.02.05/syslog?id=AXdzfZVz5ZSa5DKpJiYd&_g=()
2021-02-08 08:50:51 +00:00
@pytest.mark.parametrize('xml_document', (
'<alert>Oh no</alert>',
'<?xml version="1.0" encoding="utf-8" ?><foo><bar/></foo>',
))
Validate CAP against the spec This gives us some extra confidence that there aren’t any problems with the data we’re getting from the other service. It doesn’t address any specific problems we’ve seen, rather it seems like a sensible precaution to take.
2021-01-18 10:01:47 +00:00
def test_invalid_post_cap_xml_broadcast_returns_400(
client,
sample_broadcast_service,
Handle XML files that have a declaration `lxml` wants its input in bytes: > XML is explicitly defined as a stream of bytes. It's not Unicode text. > […] rule number one: do not decode your XML data yourself. – https://lxml.de/FAQ.html#why-can-t-lxml-parse-my-xml-from-unicode-strings It will accept strings unless, unless the document contains a declaration[1] with an `encoding` attribute. Then it will refuse to parse the document and raises a `ValueError`[2]. We can get fix this by passing `lxml` the bytes from the request, rather than the decoded text. 1. > XML documents may begin with an XML declaration that describes some > information about themselves. An example is > `<?xml version="1.0" encoding="UTF-8"?>`. – https://en.wikipedia.org/wiki/XML#XML_declaration 2. See an example of this exception being raised in production here: https://kibana.logit.io/s/9423a789-282c-4113-908d-0be3b1bc9d1d/app/kibana#/doc/logstash-*/logstash-2021.02.05/syslog?id=AXdzfZVz5ZSa5DKpJiYd&_g=()
2021-02-08 08:50:51 +00:00
xml_document,
Validate CAP against the spec This gives us some extra confidence that there aren’t any problems with the data we’re getting from the other service. It doesn’t address any specific problems we’ve seen, rather it seems like a sensible precaution to take.
2021-01-18 10:01:47 +00:00
):
auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
response = client.post(
path='/v2/broadcast',
Handle XML files that have a declaration `lxml` wants its input in bytes: > XML is explicitly defined as a stream of bytes. It's not Unicode text. > […] rule number one: do not decode your XML data yourself. – https://lxml.de/FAQ.html#why-can-t-lxml-parse-my-xml-from-unicode-strings It will accept strings unless, unless the document contains a declaration[1] with an `encoding` attribute. Then it will refuse to parse the document and raises a `ValueError`[2]. We can get fix this by passing `lxml` the bytes from the request, rather than the decoded text. 1. > XML documents may begin with an XML declaration that describes some > information about themselves. An example is > `<?xml version="1.0" encoding="UTF-8"?>`. – https://en.wikipedia.org/wiki/XML#XML_declaration 2. See an example of this exception being raised in production here: https://kibana.logit.io/s/9423a789-282c-4113-908d-0be3b1bc9d1d/app/kibana#/doc/logstash-*/logstash-2021.02.05/syslog?id=AXdzfZVz5ZSa5DKpJiYd&_g=()
2021-02-08 08:50:51 +00:00
data=xml_document,
Validate CAP against the spec This gives us some extra confidence that there aren’t any problems with the data we’re getting from the other service. It doesn’t address any specific problems we’ve seen, rather it seems like a sensible precaution to take.
2021-01-18 10:01:47 +00:00
headers=[('Content-Type', 'application/cap+xml'), auth_header],
)
assert response.status_code == 400
assert json.loads(response.get_data(as_text=True)) == {
'errors': [{
'error': 'BadRequestError',
'message': 'Request data is not valid CAP XML'
}],
'status_code': 400,
}
Reference in New Issue Copy Permalink