darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-16 10:12:32 -05:00
Code Issues Packages Projects Releases Wiki Activity

create new method to validate secret header, new tests

Browse Source
This commit is contained in:
venusbb
2017-11-03 18:19:59 +00:00
parent f4d005c7fb
commit 03fc781b8c
2 changed files with 135 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
app/authentication/auth.py
View File

@@ -7,6 +7,7 @@ from sqlalchemy.exc import DataError
from sqlalchemy.orm.exc import NoResultFound
from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys
from flask import jsonify
class AuthError(Exception):
@@ -44,16 +45,26 @@ def requires_no_auth():
pass
def restrict_ip_sms():
def check_route_secret():
# Check route of inbound sms (Experimental)
# Temporary custom header for route security
# if request.headers.get("X-Custom-forwarder"):
# current_app.logger.info("X-Custom-forwarder received")
if request.headers.get("X-Custom-Forwarder"):
route_secret_key = request.headers.get("X-Custom-Forwarder")
if route_secret_key is None:
# Not blocking at the moment
# raise AuthError('invalid secret key', 403)
return
key_1 = current_app.config.get('ROUTE_SECRET_KEY_1')
key_2 = current_app.config.get('ROUTE_SECRET_KEY_2')
key_used = 0
if key_1 == '' and key_2 == '':
# Not blocking at the moment
# raise AuthError('X-Custom-Forwarder, no secret was set on server', 503)
return
key_used = None
route_allowed = False
if route_secret_key == key_1:
key_used = 1
@@ -63,12 +74,23 @@ def restrict_ip_sms():
route_allowed = True
current_app.logger.info({
'message': 'X-Custom-forwarder key {} is used'.format(key_used),
'message': 'X-Custom-Forwarder key {} is used'.format(key_used),
'log_contents': {
'passed': route_allowed,
}
})
if not key_used:
# Not blocking at the moment
# raise AuthError('X-Custom-Forwarder, wrong secret', 403)
return
return jsonify(key_used=key_used), 200
def restrict_ip_sms():
check_route_secret()
# Check IP of SMS providers
if request.headers.get("X-Forwarded-For"):
# X-Forwarded-For looks like "203.0.113.195, 70.41.3.18, 150.172.238.178"

124
tests/app/authentication/test_authentication.py
View File

@@ -12,7 +12,7 @@ from notifications_python_client.authentication import create_jwt_token
from app import api_user
from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key, get_unsigned_secret, expire_api_key
from app.models import ApiKey, KEY_TYPE_NORMAL
from app.authentication.auth import restrict_ip_sms, AuthError
from app.authentication.auth import restrict_ip_sms, AuthError, check_route_secret
# Test the require_admin_auth and require_auth methods
@@ -375,63 +375,155 @@ def test_allow_valid_ips_bits(restrict_ip_sms_app):
@pytest.fixture
def route_secret_app_1():
def route_secret_app_with_key_1_only():
app = flask.Flask(__name__)
app.config['TESTING'] = True
app.config['ROUTE_SECRET_KEY_1'] = "key_1"
app.config['ROUTE_SECRET_KEY_2'] = ""
app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24']
blueprint = flask.Blueprint('route_secret_app_1', __name__)
blueprint = flask.Blueprint('route_secret_app_with_key_1_only', __name__)
@blueprint.route('/')
def test_endpoint():
return 'OK', 200
blueprint.before_request(restrict_ip_sms)
blueprint.before_request(check_route_secret)
app.register_blueprint(blueprint)
with app.test_request_context(), app.test_client() as client:
yield client
def test_route_secret_key_1_is_used(route_secret_app_1):
response = route_secret_app_1.get(
def test_route_secret_key_1_is_used(route_secret_app_with_key_1_only):
response = route_secret_app_with_key_1_only.get(
path='/',
headers=[
('X-Custom-forwarder', 'some key 1'),
('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'),
('X-Custom-forwarder', 'key_1'),
]
)
resp_json = json.loads(response.get_data(as_text=True))
assert response.status_code == 200
assert resp_json['key_used'] == 1
# This tests for when we do key rotation when we use both keys
@pytest.fixture
def route_secret_app_2():
def route_secret_app_both_keys():
app = flask.Flask(__name__)
app.config['TESTING'] = True
app.config['ROUTE_SECRET_KEY_1'] = "key_1"
app.config['ROUTE_SECRET_KEY_2'] = "key_2"
app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24']
blueprint = flask.Blueprint('route_secret_app_2', __name__)
blueprint = flask.Blueprint('route_secret_app_both_keys', __name__)
@blueprint.route('/')
def test_endpoint():
return 'OK', 200
blueprint.before_request(restrict_ip_sms)
blueprint.before_request(check_route_secret)
app.register_blueprint(blueprint)
with app.test_request_context(), app.test_client() as client:
yield client
def test_can_use_secret_route_key_2(route_secret_app_2):
response = route_secret_app_2.get(
@pytest.mark.parametrize('secret_header, expected_key_used', [
('key_2', 2),
('key_1', 1)
])
def test_can_use_either_secret_route_key(route_secret_app_both_keys, secret_header, expected_key_used):
print(secret_header)
response = route_secret_app_both_keys.get(
path='/',
headers=[
('X-Custom-forwarder', 'key_2'),
('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'),
('X-Custom-forwarder', secret_header),
]
)
resp_json = json.loads(response.get_data(as_text=True))
assert response.status_code == 200
assert resp_json['key_used'] == expected_key_used
@pytest.fixture
def route_secret_app_with_key_2_only():
app = flask.Flask(__name__)
app.config['TESTING'] = True
app.config['ROUTE_SECRET_KEY_1'] = ""
app.config['ROUTE_SECRET_KEY_2'] = "key_2"
app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24']
blueprint = flask.Blueprint('route_secret_app_with_key_2_only', __name__)
@blueprint.route('/')
def test_endpoint():
return 'OK', 200
blueprint.before_request(check_route_secret)
app.register_blueprint(blueprint)
with app.test_request_context(), app.test_client() as client:
yield client
def test_route_secret_key_2_is_used(route_secret_app_with_key_2_only):
response = route_secret_app_with_key_2_only.get(
path='/',
headers=[
('X-Custom-Forwarder', 'key_2'),
]
)
resp_json = json.loads(response.get_data(as_text=True))
assert response.status_code == 200
assert resp_json['key_used'] == 2
# TODO: expected to fail because we have not implement blocking yet
@pytest.mark.parametrize('header_name, secret', [
pytest.mark.xfail(('some-header', 'some-value')),
pytest.mark.xfail(('X-Custom-Forwarder', 'wrong-value')),
])
def test_no_route_secret_raise_403(route_secret_app_with_key_2_only, header_name, secret):
response = route_secret_app_with_key_2_only.get(
path='/',
headers=[
(header_name, secret)
]
)
assert response.status_code == 403
@pytest.fixture
def route_secret_app_with_no_key():
app = flask.Flask(__name__)
app.config['TESTING'] = True
app.config['ROUTE_SECRET_KEY_1'] = ""
app.config['ROUTE_SECRET_KEY_2'] = ""
app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24']
blueprint = flask.Blueprint('route_secret_app_with_no_key', __name__)
@blueprint.route('/')
def test_endpoint():
return 'OK', 200
blueprint.before_request(check_route_secret)
app.register_blueprint(blueprint)
with app.test_request_context(), app.test_client() as client:
yield client
# TODO: expected to fail because we have not implement blocking yet
@pytest.mark.parametrize('secret', [
pytest.mark.xfail('some-header')
])
def test_route_secret_no_key_set_should_fail(route_secret_app_with_no_key, secret):
with pytest.raises(AuthError) as exc_info:
response = route_secret_app_with_no_key.get(
path='/',
headers=[
('X-Custom-Forwarder', 'some_value'),
]
)
resp_json = json.loads(response.get_data(as_text=True))
exc_info.value.short_message == 'X-Custom-Forwarder, no secret was set on server'
assert resp_json['key_used'] is None