tests/app/dao/test_api_key_dao.py

from datetime import timedelta

import pytest
from sqlalchemy.exc import IntegrityError
from sqlalchemy.orm.exc import NoResultFound

from app.dao.api_key_dao import (
    expire_api_key,
    get_model_api_keys,
    get_unsigned_secret,
    get_unsigned_secrets,
    save_model_api_key,
)
from app.enums import KeyType
from app.models import ApiKey
from app.utils import utc_now


def test_save_api_key_should_create_new_api_key_and_history(sample_service):
    api_key = ApiKey(
        **{
            "service": sample_service,
            "name": sample_service.name,
            "created_by": sample_service.created_by,
            "key_type": KeyType.NORMAL,
        }
    )
    save_model_api_key(api_key)

    all_api_keys = get_model_api_keys(service_id=sample_service.id)
    assert len(all_api_keys) == 1
    assert all_api_keys[0] == api_key
    assert api_key.version == 1

    all_history = api_key.get_history_model().query.all()
    assert len(all_history) == 1
    assert all_history[0].id == api_key.id
    assert all_history[0].version == api_key.version


def test_expire_api_key_should_update_the_api_key_and_create_history_record(
    notify_api, sample_api_key
):
    expire_api_key(service_id=sample_api_key.service_id, api_key_id=sample_api_key.id)
    all_api_keys = get_model_api_keys(service_id=sample_api_key.service_id)
    assert len(all_api_keys) == 1
    assert all_api_keys[0].expiry_date <= utc_now()
    assert all_api_keys[0].secret == sample_api_key.secret
    assert all_api_keys[0].id == sample_api_key.id
    assert all_api_keys[0].service_id == sample_api_key.service_id

    all_history = sample_api_key.get_history_model().query.all()
    assert len(all_history) == 2
    assert all_history[0].id == sample_api_key.id
    assert all_history[1].id == sample_api_key.id
    sorted_all_history = sorted(all_history, key=lambda hist: hist.version)
    sorted_all_history[0].version = 1
    sorted_all_history[1].version = 2


def test_get_api_key_should_raise_exception_when_api_key_does_not_exist(
    sample_service, fake_uuid
):
    with pytest.raises(NoResultFound):
        get_model_api_keys(sample_service.id, id=fake_uuid)


def test_should_return_api_key_for_service(
    notify_api, notify_db_session, sample_api_key
):
    api_key = get_model_api_keys(
        service_id=sample_api_key.service_id, id=sample_api_key.id
    )
    assert api_key == sample_api_key


def test_should_return_unsigned_api_keys_for_service_id(sample_api_key):
    unsigned_api_key = get_unsigned_secrets(sample_api_key.service_id)
    assert len(unsigned_api_key) == 1
    assert sample_api_key._secret != unsigned_api_key[0]
    assert unsigned_api_key[0] == sample_api_key.secret


def test_get_unsigned_secret_returns_key(sample_api_key):
    unsigned_api_key = get_unsigned_secret(sample_api_key.id)
    assert sample_api_key._secret != unsigned_api_key
    assert unsigned_api_key == sample_api_key.secret


def test_should_not_allow_duplicate_key_names_per_service(sample_api_key, fake_uuid):
    api_key = ApiKey(
        **{
            "id": fake_uuid,
            "service": sample_api_key.service,
            "name": sample_api_key.name,
            "created_by": sample_api_key.created_by,
            "key_type": KeyType.NORMAL,
        }
    )
    with pytest.raises(IntegrityError):
        save_model_api_key(api_key)


def test_save_api_key_can_create_key_with_same_name_if_other_is_expired(sample_service):
    expired_api_key = ApiKey(
        **{
            "service": sample_service,
            "name": "normal api key",
            "created_by": sample_service.created_by,
            "key_type": KeyType.NORMAL,
            "expiry_date": utc_now(),
        }
    )
    save_model_api_key(expired_api_key)
    api_key = ApiKey(
        **{
            "service": sample_service,
            "name": "normal api key",
            "created_by": sample_service.created_by,
            "key_type": KeyType.NORMAL,
        }
    )
    save_model_api_key(api_key)
    keys = ApiKey.query.all()
    assert len(keys) == 2


def test_save_api_key_should_not_create_new_service_history(sample_service):
    from app.models import Service

    assert Service.query.count() == 1
    assert Service.get_history_model().query.count() == 1

    api_key = ApiKey(
        **{
            "service": sample_service,
            "name": sample_service.name,
            "created_by": sample_service.created_by,
            "key_type": KeyType.NORMAL,
        }
    )
    save_model_api_key(api_key)

    assert Service.get_history_model().query.count() == 1


@pytest.mark.parametrize("days_old, expected_length", [(5, 1), (8, 0)])
def test_should_not_return_revoked_api_keys_older_than_7_days(
    sample_service, days_old, expected_length
):
    expired_api_key = ApiKey(
        **{
            "service": sample_service,
            "name": sample_service.name,
            "created_by": sample_service.created_by,
            "key_type": KeyType.NORMAL,
            "expiry_date": utc_now() - timedelta(days=days_old),
        }
    )
    save_model_api_key(expired_api_key)

    all_api_keys = get_model_api_keys(service_id=sample_service.id)

    assert len(all_api_keys) == expected_length
remove datetime.utcnow() 2024-05-23 13:59:51 -07:00			`from datetime import timedelta`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00
default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`import pytest`
			`from sqlalchemy.exc import IntegrityError`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00			`from sqlalchemy.orm.exc import NoResultFound`

Update the unique constraint for the name of an api_key so that it only looks at api_keys that are not expired (or expiry_date is null). This will allow clients to create a new api key with the same name. 2019-06-04 15:30:27 +01:00			`from app.dao.api_key_dao import (`
Run auto-correct on app/ and tests/ 2021-03-10 13:55:06 +00:00			`expire_api_key,`
Update the unique constraint for the name of an api_key so that it only looks at api_keys that are not expired (or expiry_date is null). This will allow clients to create a new api key with the same name. 2019-06-04 15:30:27 +01:00			`get_model_api_keys,`
			`get_unsigned_secret,`
Run auto-correct on app/ and tests/ 2021-03-10 13:55:06 +00:00			`get_unsigned_secrets,`
			`save_model_api_key,`
Update the unique constraint for the name of an api_key so that it only looks at api_keys that are not expired (or expiry_date is null). This will allow clients to create a new api key with the same name. 2019-06-04 15:30:27 +01:00			`)`
Cleaning up tests. Signed-off-by: Cliff Hill <Clifford.hill@gsa.gov> 2024-01-16 14:46:17 -05:00			`from app.enums import KeyType`
			`from app.models import ApiKey`
remove datetime.utcnow() 2024-05-23 13:59:51 -07:00			`from app.utils import utc_now`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00

default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`def test_save_api_key_should_create_new_api_key_and_history(sample_service):`
reformat 2023-08-29 14:54:30 -07:00			`api_key = ApiKey(`
			`**{`
			`"service": sample_service,`
			`"name": sample_service.name,`
			`"created_by": sample_service.created_by,`
Cleaning up tests. Signed-off-by: Cliff Hill <Clifford.hill@gsa.gov> 2024-01-16 14:46:17 -05:00			`"key_type": KeyType.NORMAL,`
reformat 2023-08-29 14:54:30 -07:00			`}`
			`)`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00			`save_model_api_key(api_key)`

Update api-key/revoke endpoint to expire the key for the service. Previously we assumed there was only one api key that was valid. 2016-01-20 14:48:44 +00:00			`all_api_keys = get_model_api_keys(service_id=sample_service.id)`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00			`assert len(all_api_keys) == 1`
			`assert all_api_keys[0] == api_key`
Added version history to api keys. This needed a bit of change to create history to handle foreign keys better. There may yet be a better way of doing this that I have not found yet in sqlalchemy docs. 2016-04-20 17:25:20 +01:00			`assert api_key.version == 1`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00
Added version history to api keys. This needed a bit of change to create history to handle foreign keys better. There may yet be a better way of doing this that I have not found yet in sqlalchemy docs. 2016-04-20 17:25:20 +01:00			`all_history = api_key.get_history_model().query.all()`
			`assert len(all_history) == 1`
			`assert all_history[0].id == api_key.id`
			`assert all_history[0].version == api_key.version`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00
Added version history to api keys. This needed a bit of change to create history to handle foreign keys better. There may yet be a better way of doing this that I have not found yet in sqlalchemy docs. 2016-04-20 17:25:20 +01:00
reformat 2023-08-29 14:54:30 -07:00			`def test_expire_api_key_should_update_the_api_key_and_create_history_record(`
			`notify_api, sample_api_key`
			`):`
Refactor the api_key_dao. The only update we should be doing to an api key is to expire/revoke the api key. Removed the update_dict from the the save method. Added an expire_api_key method that only updates the api key with an expiry date. 2016-06-22 15:27:28 +01:00			`expire_api_key(service_id=sample_api_key.service_id, api_key_id=sample_api_key.id)`
Update api-key/revoke endpoint to expire the key for the service. Previously we assumed there was only one api key that was valid. 2016-01-20 14:48:44 +00:00			`all_api_keys = get_model_api_keys(service_id=sample_api_key.service_id)`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00			`assert len(all_api_keys) == 1`
remove datetime.utcnow() 2024-05-23 13:59:51 -07:00			`assert all_api_keys[0].expiry_date <= utc_now()`
Refactor the api_key_dao. The only update we should be doing to an api key is to expire/revoke the api key. Removed the update_dict from the the save method. Added an expire_api_key method that only updates the api key with an expiry date. 2016-06-22 15:27:28 +01:00			`assert all_api_keys[0].secret == sample_api_key.secret`
			`assert all_api_keys[0].id == sample_api_key.id`
			`assert all_api_keys[0].service_id == sample_api_key.service_id`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00
Refactor the api_key_dao. The only update we should be doing to an api key is to expire/revoke the api key. Removed the update_dict from the the save method. Added an expire_api_key method that only updates the api key with an expiry date. 2016-06-22 15:27:28 +01:00			`all_history = sample_api_key.get_history_model().query.all()`
Added version history to api keys. This needed a bit of change to create history to handle foreign keys better. There may yet be a better way of doing this that I have not found yet in sqlalchemy docs. 2016-04-20 17:25:20 +01:00			`assert len(all_history) == 2`
Refactor the api_key_dao. The only update we should be doing to an api key is to expire/revoke the api key. Removed the update_dict from the the save method. Added an expire_api_key method that only updates the api key with an expiry date. 2016-06-22 15:27:28 +01:00			`assert all_history[0].id == sample_api_key.id`
			`assert all_history[1].id == sample_api_key.id`
Added version history to api keys. This needed a bit of change to create history to handle foreign keys better. There may yet be a better way of doing this that I have not found yet in sqlalchemy docs. 2016-04-20 17:25:20 +01:00			`sorted_all_history = sorted(all_history, key=lambda hist: hist.version)`
			`sorted_all_history[0].version = 1`
			`sorted_all_history[1].version = 2`

Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00
reformat 2023-08-29 14:54:30 -07:00			`def test_get_api_key_should_raise_exception_when_api_key_does_not_exist(`
			`sample_service, fake_uuid`
			`):`
default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`with pytest.raises(NoResultFound):`
Rebased migrations, all tests working. 2016-04-08 13:34:46 +01:00			`get_model_api_keys(sample_service.id, id=fake_uuid)`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00

reformat 2023-08-29 14:54:30 -07:00			`def test_should_return_api_key_for_service(`
			`notify_api, notify_db_session, sample_api_key`
			`):`
			`api_key = get_model_api_keys(`
			`service_id=sample_api_key.service_id, id=sample_api_key.id`
			`)`
Change Tokens to ApiKey Added name to ApiKey model 2016-01-19 12:07:00 +00:00			`assert api_key == sample_api_key`


default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`def test_should_return_unsigned_api_keys_for_service_id(sample_api_key):`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`unsigned_api_key = get_unsigned_secrets(sample_api_key.service_id)`
			`assert len(unsigned_api_key) == 1`
Refactor ApiKeys.secret and ServiceInboundApi.bearer_token to use the same encryption method and get rid of the duplicate code. 2017-06-19 14:32:22 +01:00			`assert sample_api_key._secret != unsigned_api_key[0]`
			`assert unsigned_api_key[0] == sample_api_key.secret`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00

default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`def test_get_unsigned_secret_returns_key(sample_api_key):`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`unsigned_api_key = get_unsigned_secret(sample_api_key.id)`
Refactor ApiKeys.secret and ServiceInboundApi.bearer_token to use the same encryption method and get rid of the duplicate code. 2017-06-19 14:32:22 +01:00			`assert sample_api_key._secret != unsigned_api_key`
			`assert unsigned_api_key == sample_api_key.secret`
Add unique constraint for api_key on service_id and name 2016-01-21 16:53:53 +00:00

default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`def test_should_not_allow_duplicate_key_names_per_service(sample_api_key, fake_uuid):`
reformat 2023-08-29 14:54:30 -07:00			`api_key = ApiKey(`
			`**{`
			`"id": fake_uuid,`
			`"service": sample_api_key.service,`
			`"name": sample_api_key.name,`
			`"created_by": sample_api_key.created_by,`
Cleaning up tests. Signed-off-by: Cliff Hill <Clifford.hill@gsa.gov> 2024-01-16 14:46:17 -05:00			`"key_type": KeyType.NORMAL,`
reformat 2023-08-29 14:54:30 -07:00			`}`
			`)`
default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`with pytest.raises(IntegrityError):`
Add unique constraint for api_key on service_id and name 2016-01-21 16:53:53 +00:00			`save_model_api_key(api_key)`
When using the versioned decorator I noticed that when adding or revoking an api key the service it associated with was of course added to db.session.dirty. That resulted in an updated version of service being added to the service history table that showed no visible difference from that record immediately precending it as the change was to another table, namely the api_key table. A new api key or revoked api key was correctly added to api_key and api_key_history tables. However I think an 'unchanged' service history record may be a bit confusing as you'd need to correlate with api_keys to work out what the change was. I think it's best to just record the new/revoked api_key and not create another version of the service. This pr wraps the exisiting versioned decorator with one that take a class which you are interested in versioning. Using the new decorator you only get a new version and history record for the class you pass to outer decorator. If the exising behaviour is acceptable to the powers that be then by all means ignore/close this pr. 2016-04-21 18:10:57 +01:00

Update the unique constraint for the name of an api_key so that it only looks at api_keys that are not expired (or expiry_date is null). This will allow clients to create a new api key with the same name. 2019-06-04 15:30:27 +01:00			`def test_save_api_key_can_create_key_with_same_name_if_other_is_expired(sample_service):`
reformat 2023-08-29 14:54:30 -07:00			`expired_api_key = ApiKey(`
			`**{`
			`"service": sample_service,`
			`"name": "normal api key",`
			`"created_by": sample_service.created_by,`
Cleaning up tests. Signed-off-by: Cliff Hill <Clifford.hill@gsa.gov> 2024-01-16 14:46:17 -05:00			`"key_type": KeyType.NORMAL,`
remove datetime.utcnow() 2024-05-23 13:59:51 -07:00			`"expiry_date": utc_now(),`
reformat 2023-08-29 14:54:30 -07:00			`}`
			`)`
Update the unique constraint for the name of an api_key so that it only looks at api_keys that are not expired (or expiry_date is null). This will allow clients to create a new api key with the same name. 2019-06-04 15:30:27 +01:00			`save_model_api_key(expired_api_key)`
reformat 2023-08-29 14:54:30 -07:00			`api_key = ApiKey(`
			`**{`
			`"service": sample_service,`
			`"name": "normal api key",`
			`"created_by": sample_service.created_by,`
Cleaning up tests. Signed-off-by: Cliff Hill <Clifford.hill@gsa.gov> 2024-01-16 14:46:17 -05:00			`"key_type": KeyType.NORMAL,`
reformat 2023-08-29 14:54:30 -07:00			`}`
			`)`
Update the unique constraint for the name of an api_key so that it only looks at api_keys that are not expired (or expiry_date is null). This will allow clients to create a new api key with the same name. 2019-06-04 15:30:27 +01:00			`save_model_api_key(api_key)`
			`keys = ApiKey.query.all()`
			`assert len(keys) == 2`


default to KEY_TYPE_NORMAL to ensure backwards compatibility also cleaned up tests around api_keys - fixed imports, reduced fixture usage and added an additional (temporary) test for default test type 2016-06-24 16:10:25 +01:00			`def test_save_api_key_should_not_create_new_service_history(sample_service):`
When using the versioned decorator I noticed that when adding or revoking an api key the service it associated with was of course added to db.session.dirty. That resulted in an updated version of service being added to the service history table that showed no visible difference from that record immediately precending it as the change was to another table, namely the api_key table. A new api key or revoked api key was correctly added to api_key and api_key_history tables. However I think an 'unchanged' service history record may be a bit confusing as you'd need to correlate with api_keys to work out what the change was. I think it's best to just record the new/revoked api_key and not create another version of the service. This pr wraps the exisiting versioned decorator with one that take a class which you are interested in versioning. Using the new decorator you only get a new version and history record for the class you pass to outer decorator. If the exising behaviour is acceptable to the powers that be then by all means ignore/close this pr. 2016-04-21 18:10:57 +01:00			`from app.models import Service`

			`assert Service.query.count() == 1`
			`assert Service.get_history_model().query.count() == 1`

reformat 2023-08-29 14:54:30 -07:00			`api_key = ApiKey(`
			`**{`
			`"service": sample_service,`
			`"name": sample_service.name,`
			`"created_by": sample_service.created_by,`
Cleaning up tests. Signed-off-by: Cliff Hill <Clifford.hill@gsa.gov> 2024-01-16 14:46:17 -05:00			`"key_type": KeyType.NORMAL,`
reformat 2023-08-29 14:54:30 -07:00			`}`
			`)`
When using the versioned decorator I noticed that when adding or revoking an api key the service it associated with was of course added to db.session.dirty. That resulted in an updated version of service being added to the service history table that showed no visible difference from that record immediately precending it as the change was to another table, namely the api_key table. A new api key or revoked api key was correctly added to api_key and api_key_history tables. However I think an 'unchanged' service history record may be a bit confusing as you'd need to correlate with api_keys to work out what the change was. I think it's best to just record the new/revoked api_key and not create another version of the service. This pr wraps the exisiting versioned decorator with one that take a class which you are interested in versioning. Using the new decorator you only get a new version and history record for the class you pass to outer decorator. If the exising behaviour is acceptable to the powers that be then by all means ignore/close this pr. 2016-04-21 18:10:57 +01:00			`save_model_api_key(api_key)`

			`assert Service.get_history_model().query.count() == 1`
filter revoked api keys older than 7 days 2018-03-12 11:55:19 +00:00

reformat 2023-08-29 14:54:30 -07:00			`@pytest.mark.parametrize("days_old, expected_length", [(5, 1), (8, 0)])`
filter revoked api keys older than 7 days 2018-03-12 11:55:19 +00:00			`def test_should_not_return_revoked_api_keys_older_than_7_days(`
reformat 2023-08-29 14:54:30 -07:00			`sample_service, days_old, expected_length`
filter revoked api keys older than 7 days 2018-03-12 11:55:19 +00:00			`):`
reformat 2023-08-29 14:54:30 -07:00			`expired_api_key = ApiKey(`
			`**{`
			`"service": sample_service,`
			`"name": sample_service.name,`
			`"created_by": sample_service.created_by,`
Cleaning up tests. Signed-off-by: Cliff Hill <Clifford.hill@gsa.gov> 2024-01-16 14:46:17 -05:00			`"key_type": KeyType.NORMAL,`
remove datetime.utcnow() 2024-05-23 13:59:51 -07:00			`"expiry_date": utc_now() - timedelta(days=days_old),`
reformat 2023-08-29 14:54:30 -07:00			`}`
			`)`
filter revoked api keys older than 7 days 2018-03-12 11:55:19 +00:00			`save_model_api_key(expired_api_key)`

			`all_api_keys = get_model_api_keys(service_id=sample_service.id)`

			`assert len(all_api_keys) == expected_length`