tests/app/v2/broadcast/test_post_broadcast.py

from flask import json
from freezegun import freeze_time
from tests import create_authorization_header
from unittest.mock import ANY
from . import sample_cap_xml_documents


def test_broadcast_for_service_without_permission_returns_400(
    client,
    sample_service,
):
    auth_header = create_authorization_header(service_id=sample_service.id)
    response = client.post(
        path='/v2/broadcast',
        data='',
        headers=[('Content-Type', 'application/json'), auth_header],
    )

    assert response.status_code == 400
    assert response.get_json()['errors'][0]['message'] == (
        'Service is not allowed to send broadcast messages'
    )


def test_valid_post_broadcast_returns_201(
    client,
    sample_broadcast_service,
):
    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)

    response = client.post(
        path='/v2/broadcast',
        data=json.dumps({
            'content': 'This is a test',
            'reference': 'abc123',
            'category': 'Other',
            'areas': [
                {
                    'name': 'Hackney Marshes',
                    'polygons': [[
                        [-0.038280487060546875, 51.55738264619775],
                        [-0.03184318542480469, 51.553913882566754],
                        [-0.023174285888671875, 51.55812972989382],
                        [-0.023174285888671999, 51.55812972989999],
                        [-0.029869079589843747, 51.56165153059717],
                        [-0.038280487060546875, 51.55738264619775],
                    ]],
                },
            ],
        }),
        headers=[('Content-Type', 'application/json'), auth_header],
    )

    assert response.status_code == 201

    response_json = json.loads(response.get_data(as_text=True))

    assert response_json['approved_at'] is None
    assert response_json['approved_by_id'] == None
    assert response_json['areas'] == [
        'Hackney Marshes'
    ]
    assert response_json['cancelled_at'] == None
    assert response_json['cancelled_by_id'] == None
    assert response_json['content'] == 'This is a test'
    assert response_json['reference'] == 'abc123'
    assert response_json['created_at']  # datetime generated by the DB so can’t freeze it
    assert response_json['created_by_id'] == None
    assert response_json['finishes_at'] is None
    assert response_json['id'] == ANY
    assert response_json['personalisation'] is None
    assert response_json['service_id'] == str(sample_broadcast_service.id)
    assert response_json['simple_polygons'] == [[
        [-0.03817522145265898, 51.557381351011166],
        [-0.03791399800364216, 51.55758039392131],
        [-0.030362635618559567, 51.56141279571522],
        [-0.02986997783677049, 51.56152875195115],
        [-0.029379069367567606, 51.561405599957745],
        [-0.023537043373602105, 51.5583323982824],
        [-0.02328416546450603, 51.55813395976017],
        [-0.02355422144186266, 51.557933308587664],
        [-0.0313493058222969, 51.55414241384808],
        [-0.031840673207720764, 51.55403463730992],
        [-0.032327132941933706, 51.55416275685022],
        [-0.037918974384948616, 51.55717594115094],
        [-0.03817522145265898, 51.557381351011166],
    ]]
    assert response_json['starts_at'] is None
    assert response_json['status'] == 'pending-approval'
    assert response_json['template_id'] is None
    assert response_json['template_name'] is None
    assert response_json['template_version'] is None
    assert response_json['updated_at'] is None


def test_valid_post_cap_xml_broadcast_returns_201(
    client,
    sample_broadcast_service,
):
    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)

    response = client.post(
        path='/v2/broadcast',
        data=sample_cap_xml_documents.WAINFLEET,
        headers=[('Content-Type', 'application/cap+xml'), auth_header],
    )

    assert response.status_code == 201

    response_json = json.loads(response.get_data(as_text=True))

    assert response_json['approved_at'] is None
    assert response_json['approved_by_id'] == None
    assert response_json['areas'] == [
        'River Steeping in Wainfleet All Saints'
    ]
    assert response_json['cancelled_at'] == None
    assert response_json['cancelled_by_id'] == None
    assert response_json['content'].startswith(
        'A severe flood warning has been issued. Storm Dennis'
    )
    assert response_json['content'].endswith(
        'closely monitoring the situation throughout the night. '
    )
    assert response_json['reference'] == '50385fcb0ab7aa447bbd46d848ce8466E'
    assert response_json['created_at']  # datetime generated by the DB so can’t freeze it
    assert response_json['created_by_id'] == None
    assert response_json['finishes_at'] is None
    assert response_json['id'] == ANY
    assert response_json['personalisation'] is None
    assert response_json['service_id'] == str(sample_broadcast_service.id)
    assert len(response_json['simple_polygons']) == 1
    assert len(response_json['simple_polygons'][0]) == 23
    assert response_json['simple_polygons'][0][0] == [53.10561946699971, 0.2441253049430708]
    assert response_json['simple_polygons'][0][-1] == [53.10561946699971, 0.2441253049430708]
    assert response_json['starts_at'] is None
    assert response_json['status'] == 'pending-approval'
    assert response_json['template_id'] is None
    assert response_json['template_name'] is None
    assert response_json['template_version'] is None
    assert response_json['updated_at'] is None


def test_invalid_post_cap_xml_broadcast_returns_400(
    client,
    sample_broadcast_service,
):
    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)

    response = client.post(
        path='/v2/broadcast',
        data="<alert>Oh no</alert>",
        headers=[('Content-Type', 'application/cap+xml'), auth_header],
    )

    assert response.status_code == 400
    assert json.loads(response.get_data(as_text=True)) == {
        'errors': [{
            'error': 'BadRequestError',
            'message': 'Request data is not valid CAP XML'
        }],
        'status_code': 400,
    }
-												Add public API endpoint to create emergency alerts

We know there is at least one system which wants to integrate with
Notify to send out emergency alerts, rather than creating them manually.

This commit adds an endpoint to the public API to let them do that.

To start with we’ll just let the system create them in a single call,
meaning they still have to be approved manually. This reduces the risk
of an attacker being able to broadcast an alert via the API, should the
other system be compromised.

We’ve worked with the owners of the other system to define which fields
we should care about initially.

											
										
										
											2021-01-18 10:01:44 +00:00
+								from flask import json
 								from freezegun import freeze_time
 								from tests import create_authorization_header
 								from unittest.mock import ANY
-												Accept CAP XML

This commit makes the existing endpoint also accept CAP XML, should the
appropriate `Content-Type` header be set.

It uses the translation code we added in a previous commit to convert
the CAP to a dict. We can then validate that dict against with the JSON
schema to ensure it’s something we can work with.

											
										
										
											2021-01-18 10:01:46 +00:00
+								from . import sample_cap_xml_documents
-												Add public API endpoint to create emergency alerts

We know there is at least one system which wants to integrate with
Notify to send out emergency alerts, rather than creating them manually.

This commit adds an endpoint to the public API to let them do that.

To start with we’ll just let the system create them in a single call,
meaning they still have to be approved manually. This reduces the risk
of an attacker being able to broadcast an alert via the API, should the
other system be compromised.

We’ve worked with the owners of the other system to define which fields
we should care about initially.

											
										
										
											2021-01-18 10:01:44 +00:00
 								def test_broadcast_for_service_without_permission_returns_400(
 								    client,
 								    sample_service,
 								):
 								    auth_header = create_authorization_header(service_id=sample_service.id)
 								    response = client.post(
 								        path='/v2/broadcast',
 								        data='',
 								        headers=[('Content-Type', 'application/json'), auth_header],
 								    )
 								    assert response.status_code == 400
 								    assert response.get_json()['errors'][0]['message'] == (
 								        'Service is not allowed to send broadcast messages'
 								    )
 								def test_valid_post_broadcast_returns_201(
 								    client,
 								    sample_broadcast_service,
 								):
 								    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
 								    response = client.post(
 								        path='/v2/broadcast',
 								        data=json.dumps({
 								            'content': 'This is a test',
 								            'reference': 'abc123',
-												Validate broadcast against schema

This commit adds a JSONSchema which can validate the fields in an API
call to create a broadcast. It takes the CAP XML schema as a starting
point.

											
										
										
											2021-01-18 10:01:44 +00:00
+								            'category': 'Other',
 								            'areas': [
 								                {
-												Simplify polygons before storing them

We’re going to let people pass in fairly complex polygons, but:
- we don’t want to store massive polygons
- we don’t want to pass the CBCs massive polygons

So this commit adds a step to simplify the polygons before storing them.

We think it’s best for us to do this because:
- writing code to do polygon simplification is non-trivial, and we don’t
  want to make all potential integrators do it
- the simplification we’ve developed is domain-specific to emergency
  alerting, so should throw away less information than

There’s a bit more detail about how we simplify polygons in
https://github.com/alphagov/notifications-admin/pull/3590/files

											
										
										
											2021-01-20 16:07:19 +00:00
+								                    'name': 'Hackney Marshes',
-												Validate broadcast against schema

This commit adds a JSONSchema which can validate the fields in an API
call to create a broadcast. It takes the CAP XML schema as a starting
point.

											
										
										
											2021-01-18 10:01:44 +00:00
+								                    'polygons': [[
-												Simplify polygons before storing them

We’re going to let people pass in fairly complex polygons, but:
- we don’t want to store massive polygons
- we don’t want to pass the CBCs massive polygons

So this commit adds a step to simplify the polygons before storing them.

We think it’s best for us to do this because:
- writing code to do polygon simplification is non-trivial, and we don’t
  want to make all potential integrators do it
- the simplification we’ve developed is domain-specific to emergency
  alerting, so should throw away less information than

There’s a bit more detail about how we simplify polygons in
https://github.com/alphagov/notifications-admin/pull/3590/files

											
										
										
											2021-01-20 16:07:19 +00:00
+								                        [-0.038280487060546875, 51.55738264619775],
 								                        [-0.03184318542480469, 51.553913882566754],
 								                        [-0.023174285888671875, 51.55812972989382],
 								                        [-0.023174285888671999, 51.55812972989999],
 								                        [-0.029869079589843747, 51.56165153059717],
 								                        [-0.038280487060546875, 51.55738264619775],
-												Validate broadcast against schema

This commit adds a JSONSchema which can validate the fields in an API
call to create a broadcast. It takes the CAP XML schema as a starting
point.

											
										
										
											2021-01-18 10:01:44 +00:00
+								                    ]],
 								                },
 								            ],
-												Add public API endpoint to create emergency alerts

We know there is at least one system which wants to integrate with
Notify to send out emergency alerts, rather than creating them manually.

This commit adds an endpoint to the public API to let them do that.

To start with we’ll just let the system create them in a single call,
meaning they still have to be approved manually. This reduces the risk
of an attacker being able to broadcast an alert via the API, should the
other system be compromised.

We’ve worked with the owners of the other system to define which fields
we should care about initially.

											
										
										
											2021-01-18 10:01:44 +00:00
+								        }),
 								        headers=[('Content-Type', 'application/json'), auth_header],
 								    )
 								    assert response.status_code == 201
 								    response_json = json.loads(response.get_data(as_text=True))
 								    assert response_json['approved_at'] is None
 								    assert response_json['approved_by_id'] == None
-												Validate broadcast against schema

This commit adds a JSONSchema which can validate the fields in an API
call to create a broadcast. It takes the CAP XML schema as a starting
point.

											
										
										
											2021-01-18 10:01:44 +00:00
+								    assert response_json['areas'] == [
-												Simplify polygons before storing them

We’re going to let people pass in fairly complex polygons, but:
- we don’t want to store massive polygons
- we don’t want to pass the CBCs massive polygons

So this commit adds a step to simplify the polygons before storing them.

We think it’s best for us to do this because:
- writing code to do polygon simplification is non-trivial, and we don’t
  want to make all potential integrators do it
- the simplification we’ve developed is domain-specific to emergency
  alerting, so should throw away less information than

There’s a bit more detail about how we simplify polygons in
https://github.com/alphagov/notifications-admin/pull/3590/files

											
										
										
											2021-01-20 16:07:19 +00:00
+								        'Hackney Marshes'
-												Validate broadcast against schema

This commit adds a JSONSchema which can validate the fields in an API
call to create a broadcast. It takes the CAP XML schema as a starting
point.

											
										
										
											2021-01-18 10:01:44 +00:00
+								    ]
-												Add public API endpoint to create emergency alerts

We know there is at least one system which wants to integrate with
Notify to send out emergency alerts, rather than creating them manually.

This commit adds an endpoint to the public API to let them do that.

To start with we’ll just let the system create them in a single call,
meaning they still have to be approved manually. This reduces the risk
of an attacker being able to broadcast an alert via the API, should the
other system be compromised.

We’ve worked with the owners of the other system to define which fields
we should care about initially.

											
										
										
											2021-01-18 10:01:44 +00:00
+								    assert response_json['cancelled_at'] == None
 								    assert response_json['cancelled_by_id'] == None
 								    assert response_json['content'] == 'This is a test'
 								    assert response_json['reference'] == 'abc123'
 								    assert response_json['created_at']  # datetime generated by the DB so can’t freeze it
 								    assert response_json['created_by_id'] == None
 								    assert response_json['finishes_at'] is None
 								    assert response_json['id'] == ANY
 								    assert response_json['personalisation'] is None
 								    assert response_json['service_id'] == str(sample_broadcast_service.id)
-												Simplify polygons before storing them

We’re going to let people pass in fairly complex polygons, but:
- we don’t want to store massive polygons
- we don’t want to pass the CBCs massive polygons

So this commit adds a step to simplify the polygons before storing them.

We think it’s best for us to do this because:
- writing code to do polygon simplification is non-trivial, and we don’t
  want to make all potential integrators do it
- the simplification we’ve developed is domain-specific to emergency
  alerting, so should throw away less information than

There’s a bit more detail about how we simplify polygons in
https://github.com/alphagov/notifications-admin/pull/3590/files

											
										
										
											2021-01-20 16:07:19 +00:00
+								    assert response_json['simple_polygons'] == [[
 								        [-0.03817522145265898, 51.557381351011166],
 								        [-0.03791399800364216, 51.55758039392131],
 								        [-0.030362635618559567, 51.56141279571522],
 								        [-0.02986997783677049, 51.56152875195115],
 								        [-0.029379069367567606, 51.561405599957745],
 								        [-0.023537043373602105, 51.5583323982824],
 								        [-0.02328416546450603, 51.55813395976017],
 								        [-0.02355422144186266, 51.557933308587664],
 								        [-0.0313493058222969, 51.55414241384808],
 								        [-0.031840673207720764, 51.55403463730992],
 								        [-0.032327132941933706, 51.55416275685022],
 								        [-0.037918974384948616, 51.55717594115094],
 								        [-0.03817522145265898, 51.557381351011166],
 								    ]]
-												Add public API endpoint to create emergency alerts

We know there is at least one system which wants to integrate with
Notify to send out emergency alerts, rather than creating them manually.

This commit adds an endpoint to the public API to let them do that.

To start with we’ll just let the system create them in a single call,
meaning they still have to be approved manually. This reduces the risk
of an attacker being able to broadcast an alert via the API, should the
other system be compromised.

We’ve worked with the owners of the other system to define which fields
we should care about initially.

											
										
										
											2021-01-18 10:01:44 +00:00
+								    assert response_json['starts_at'] is None
 								    assert response_json['status'] == 'pending-approval'
 								    assert response_json['template_id'] is None
 								    assert response_json['template_name'] is None
 								    assert response_json['template_version'] is None
 								    assert response_json['updated_at'] is None
-												Accept CAP XML

This commit makes the existing endpoint also accept CAP XML, should the
appropriate `Content-Type` header be set.

It uses the translation code we added in a previous commit to convert
the CAP to a dict. We can then validate that dict against with the JSON
schema to ensure it’s something we can work with.

											
										
										
											2021-01-18 10:01:46 +00:00
 								def test_valid_post_cap_xml_broadcast_returns_201(
 								    client,
 								    sample_broadcast_service,
 								):
 								    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
 								    response = client.post(
 								        path='/v2/broadcast',
 								        data=sample_cap_xml_documents.WAINFLEET,
 								        headers=[('Content-Type', 'application/cap+xml'), auth_header],
 								    )
 								    assert response.status_code == 201
 								    response_json = json.loads(response.get_data(as_text=True))
 								    assert response_json['approved_at'] is None
 								    assert response_json['approved_by_id'] == None
 								    assert response_json['areas'] == [
 								        'River Steeping in Wainfleet All Saints'
 								    ]
 								    assert response_json['cancelled_at'] == None
 								    assert response_json['cancelled_by_id'] == None
 								    assert response_json['content'].startswith(
 								        'A severe flood warning has been issued. Storm Dennis'
 								    )
 								    assert response_json['content'].endswith(
 								        'closely monitoring the situation throughout the night. '
 								    )
 								    assert response_json['reference'] == '50385fcb0ab7aa447bbd46d848ce8466E'
 								    assert response_json['created_at']  # datetime generated by the DB so can’t freeze it
 								    assert response_json['created_by_id'] == None
 								    assert response_json['finishes_at'] is None
 								    assert response_json['id'] == ANY
 								    assert response_json['personalisation'] is None
 								    assert response_json['service_id'] == str(sample_broadcast_service.id)
 								    assert len(response_json['simple_polygons']) == 1
-												Simplify polygons before storing them

We’re going to let people pass in fairly complex polygons, but:
- we don’t want to store massive polygons
- we don’t want to pass the CBCs massive polygons

So this commit adds a step to simplify the polygons before storing them.

We think it’s best for us to do this because:
- writing code to do polygon simplification is non-trivial, and we don’t
  want to make all potential integrators do it
- the simplification we’ve developed is domain-specific to emergency
  alerting, so should throw away less information than

There’s a bit more detail about how we simplify polygons in
https://github.com/alphagov/notifications-admin/pull/3590/files

											
										
										
											2021-01-20 16:07:19 +00:00
+								    assert len(response_json['simple_polygons'][0]) == 23
 								    assert response_json['simple_polygons'][0][0] == [53.10561946699971, 0.2441253049430708]
 								    assert response_json['simple_polygons'][0][-1] == [53.10561946699971, 0.2441253049430708]
-												Accept CAP XML

This commit makes the existing endpoint also accept CAP XML, should the
appropriate `Content-Type` header be set.

It uses the translation code we added in a previous commit to convert
the CAP to a dict. We can then validate that dict against with the JSON
schema to ensure it’s something we can work with.

											
										
										
											2021-01-18 10:01:46 +00:00
+								    assert response_json['starts_at'] is None
 								    assert response_json['status'] == 'pending-approval'
 								    assert response_json['template_id'] is None
 								    assert response_json['template_name'] is None
 								    assert response_json['template_version'] is None
 								    assert response_json['updated_at'] is None
-												Validate CAP against the spec

This gives us some extra confidence that there aren’t any problems with
the data we’re getting from the other service. It doesn’t address any
specific problems we’ve seen, rather it seems like a sensible precaution
to take.

											
										
										
											2021-01-18 10:01:47 +00:00
 								def test_invalid_post_cap_xml_broadcast_returns_400(
 								    client,
 								    sample_broadcast_service,
 								):
 								    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
 								    response = client.post(
 								        path='/v2/broadcast',
 								        data="<alert>Oh no</alert>",
 								        headers=[('Content-Type', 'application/cap+xml'), auth_header],
 								    )
 								    assert response.status_code == 400
 								    assert json.loads(response.get_data(as_text=True)) == {
 								        'errors': [{
 								            'error': 'BadRequestError',
 								            'message': 'Request data is not valid CAP XML'
 								        }],
 								        'status_code': 400,
 								    }