app/authentication/auth.py

from flask import request, jsonify, _request_ctx_stack, current_app
from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
from notifications_python_client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
from werkzeug.exceptions import abort
from app.dao.api_key_dao import get_unsigned_secrets
from app import api_user
from functools import wraps


def authentication_response(message, code):
    current_app.logger.info(message)
    return jsonify(result='error',
                   message=message
                   ), code


def requires_auth():
    auth_header = request.headers.get('Authorization', None)
    if not auth_header:
        return authentication_response('Unauthorized, authentication token must be provided', 401)

    auth_scheme = auth_header[:7]

    if auth_scheme != 'Bearer ':
        return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)

    auth_token = auth_header[7:]
    try:
        api_client = fetch_client(get_token_issuer(auth_token))
    except TokenDecodeError:
        return authentication_response("Invalid token: signature", 403)
    if api_client is None:
        authentication_response("Invalid credentials", 403)

    for secret in api_client['secret']:
        try:
            decode_jwt_token(
                auth_token,
                secret,
                request.method,
                request.path,
                request.data.decode() if request.data else None
            )
            _request_ctx_stack.top.api_user = api_client
            return
        except TokenRequestError:
            errors_resp = authentication_response("Invalid token: request", 403)
        except TokenExpiredError:
            errors_resp = authentication_response("Invalid token: expired", 403)
        except TokenPayloadError:
            errors_resp = authentication_response("Invalid token: payload", 403)
        except TokenDecodeError:
            errors_resp = authentication_response("Invalid token: signature", 403)

    return errors_resp


def fetch_client(client):
    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
        return {
            "client": client,
            "secret": [current_app.config.get('ADMIN_CLIENT_SECRET')]
        }
    else:
        return {
            "client": client,
            "secret": get_unsigned_secrets(client)
        }


def require_admin():
    def wrap(func):
        @wraps(func)
        def wrap_func(*args, **kwargs):
            if not api_user['client'] == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
                abort(403)
            return func(*args, **kwargs)
        return wrap_func
    return wrap
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00			`from flask import request, jsonify, _request_ctx_stack, current_app`
bumped client version 2016-02-09 18:48:02 +00:00			`from notifications_python_client.authentication import decode_jwt_token, get_token_issuer`
			`from notifications_python_client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError`
Fetch endpoints for notifications - includes check on token type to ensure clients can perform admin style fetches 2016-03-01 13:30:10 +00:00			`from werkzeug.exceptions import abort`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`from app.dao.api_key_dao import get_unsigned_secrets`
Fetch endpoints for notifications - includes check on token type to ensure clients can perform admin style fetches 2016-03-01 13:30:10 +00:00			`from app import api_user`
			`from functools import wraps`
Added authorization headers for all requests 2016-01-15 16:22:03 +00:00
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00
			`def authentication_response(message, code):`
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00			`current_app.logger.info(message)`
Format authentication error messages for the client. 2016-03-14 15:51:04 +00:00			`return jsonify(result='error',`
			`message=message`
			`), code`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00

			`def requires_auth():`
			`auth_header = request.headers.get('Authorization', None)`
			`if not auth_header:`
			`return authentication_response('Unauthorized, authentication token must be provided', 401)`

			`auth_scheme = auth_header[:7]`

			`if auth_scheme != 'Bearer ':`
			`return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)`

Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`auth_token = auth_header[7:]`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00			`try:`
			`api_client = fetch_client(get_token_issuer(auth_token))`
			`except TokenDecodeError:`
			`return authentication_response("Invalid token: signature", 403)`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`if api_client is None:`
			`authentication_response("Invalid credentials", 403)`
Added logging for the authentication errors. Moved the "no api secret" error message to the end and only create it if there are no api client secrets 2016-02-08 11:10:54 +00:00
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`for secret in api_client['secret']:`
			`try:`
			`decode_jwt_token(`
			`auth_token,`
			`secret,`
			`request.method,`
			`request.path,`
			`request.data.decode() if request.data else None`
			`)`
			`_request_ctx_stack.top.api_user = api_client`
			`return`
			`except TokenRequestError:`
			`errors_resp = authentication_response("Invalid token: request", 403)`
			`except TokenExpiredError:`
			`errors_resp = authentication_response("Invalid token: expired", 403)`
			`except TokenPayloadError:`
			`errors_resp = authentication_response("Invalid token: payload", 403)`
			`except TokenDecodeError:`
			`errors_resp = authentication_response("Invalid token: signature", 403)`

			`return errors_resp`
First pass at implementing API authentication using new JWT tokens - NOTE - this does not manage secrets. There is only one URL and there is no functionality implemented - prior to rolling out we need to store secrets properly Uses the JWT libraries in [https://github.com/alphagov/notifications-python-client](https://github.com/alphagov/notifications-python-client) - Tokens are checked on every request and will be rejected if token is invalid as per the rules in the python clients. 2015-12-15 10:47:20 +00:00

			`def fetch_client(client):`
Authentication for admin client api calls where a user and service is not required. 2016-01-19 14:01:26 +00:00			`if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):`
			`return {`
			`"client": client,`
Allow services to have multiple api keys. /service/<service_id>/api-key/renew has been renamed to /service/<service_id>/api-key /service/<service_id>/api-key now creates a token and no longer expires the existing api key. Moved test for this endpoint to it's own file. 2016-01-20 10:57:46 +00:00			`"secret": [current_app.config.get('ADMIN_CLIENT_SECRET')]`
Authentication for admin client api calls where a user and service is not required. 2016-01-19 14:01:26 +00:00			`}`
			`else:`
			`return {`
			`"client": client,`
Allow for multiple api keys for a service. 2016-01-19 18:25:21 +00:00			`"secret": get_unsigned_secrets(client)`
Authentication for admin client api calls where a user and service is not required. 2016-01-19 14:01:26 +00:00			`}`
Fetch endpoints for notifications - includes check on token type to ensure clients can perform admin style fetches 2016-03-01 13:30:10 +00:00

			`def require_admin():`
			`def wrap(func):`
			`@wraps(func)`
			`def wrap_func(args, *kwargs):`
			`if not api_user['client'] == current_app.config.get('ADMIN_CLIENT_USER_NAME'):`
			`abort(403)`
			`return func(args, *kwargs)`
			`return wrap_func`
			`return wrap`