tighten key_type validation on letters api

when in research mode or test key, dont send letters via api - instead, just put them straight to success state when using a team key, flat out reject the request (403)
2026-01-31 23:26:23 -05:00 · 2017-07-31 18:28:00 +01:00
parent 76ea0dbc76
commit 075d2a3346
5 changed files with 78 additions and 17 deletions
--- a/tests/app/db.py
+++ b/tests/app/db.py
@@ -50,7 +50,9 @@ def create_service(
    service_id=None,
    restricted=False,
    service_permissions=[EMAIL_TYPE, SMS_TYPE],
-    sms_sender='testing'
+    sms_sender='testing',
+    research_mode=False,
+    active=True,
 ):
    service = Service(
        name=service_name,
@@ -58,9 +60,13 @@ def create_service(
        restricted=restricted,
        email_from=service_name.lower().replace(' ', '.'),
        created_by=user or create_user(),
-        sms_sender=sms_sender
+        sms_sender=sms_sender,
    )
    dao_create_service(service, service.created_by, service_id, service_permissions=service_permissions)
+
+    service.active = active
+    service.research_mode = research_mode
+
    return service


--- a/tests/app/notifications/rest/test_send_notification.py
+++ b/tests/app/notifications/rest/test_send_notification.py
@@ -580,17 +580,12 @@ def test_should_send_email_if_team_api_key_and_a_service_user(client, sample_ema
        'to': sample_email_template.service.created_by.email_address,
        'template': sample_email_template.id
    }
-    api_key = ApiKey(service=sample_email_template.service,
-                     name='team_key',
-                     created_by=sample_email_template.created_by,
-                     key_type=KEY_TYPE_TEAM)
-    save_model_api_key(api_key)
-    auth_header = create_jwt_token(secret=api_key.secret, client_id=str(api_key.service_id))
+    auth_header = create_authorization_header(service_id=sample_email_template.service_id, key_type=KEY_TYPE_TEAM)

    response = client.post(
        path='/notifications/email',
        data=json.dumps(data),
-        headers=[('Content-Type', 'application/json'), ('Authorization', 'Bearer {}'.format(auth_header))])
+        headers=[('Content-Type', 'application/json'), auth_header])

    app.celery.provider_tasks.deliver_email.apply_async.assert_called_once_with(
        [fake_uuid],
--- a/tests/app/v2/notifications/test_post_letter_notifications.py
+++ b/tests/app/v2/notifications/test_post_letter_notifications.py
@@ -6,22 +6,27 @@ import pytest

 from app.models import EMAIL_TYPE
 from app.models import Job
+from app.models import KEY_TYPE_NORMAL
+from app.models import KEY_TYPE_TEAM
+from app.models import KEY_TYPE_TEST
 from app.models import LETTER_TYPE
 from app.models import Notification
 from app.models import SMS_TYPE
 from app.v2.errors import RateLimitError
-from app.v2.notifications.post_notifications import process_letter_notification

 from tests import create_authorization_header
 from tests.app.db import create_service
 from tests.app.db import create_template


-def letter_request(client, data, service_id, _expected_status=201):
+def letter_request(client, data, service_id, key_type=KEY_TYPE_NORMAL, _expected_status=201):
    resp = client.post(
        url_for('v2_notifications.post_notification', notification_type='letter'),
        data=json.dumps(data),
-        headers=[('Content-Type', 'application/json'), create_authorization_header(service_id=service_id)]
+        headers=[
+            ('Content-Type', 'application/json'),
+            create_authorization_header(service_id=service_id, key_type=key_type)
+        ]
    )
    json_resp = json.loads(resp.get_data(as_text=True))
    assert resp.status_code == _expected_status, json_resp
@@ -170,3 +175,50 @@ def test_post_letter_notification_returns_403_if_not_allowed_to_send_notificatio
    assert error_json['errors'] == [
        {'error': 'BadRequestError', 'message': 'Cannot send letters'}
    ]
+
+
+@pytest.mark.parametrize('research_mode, key_type', [
+    (True, KEY_TYPE_NORMAL),
+    (False, KEY_TYPE_TEST)
+])
+def test_post_letter_notification_doesnt_queue_task(
+    client,
+    notify_db_session,
+    mocker,
+    research_mode,
+    key_type
+):
+    real_task = mocker.patch('app.celery.tasks.build_dvla_file.apply_async')
+    fake_task = mocker.patch('app.celery.tasks.update_job_to_sent_to_dvla.apply_async')
+
+    service = create_service(research_mode=research_mode, service_permissions=[LETTER_TYPE])
+    template = create_template(service, template_type=LETTER_TYPE)
+
+    data = {
+        'template_id': str(template.id),
+        'personalisation': {'address_line_1': 'Foo', 'postcode': 'Bar'}
+    }
+
+    letter_request(client, data, service_id=service.id, key_type=key_type)
+
+    job = Job.query.one()
+    assert not real_task.called
+    fake_task.assert_called_once_with([str(job.id)], queue='research-mode-tasks')
+
+
+def test_post_letter_notification_doesnt_accept_team_key(client, sample_letter_template):
+    data = {
+        'template_id': str(sample_letter_template.id),
+        'personalisation': {'address_line_1': 'Foo', 'postcode': 'Bar'}
+    }
+
+    error_json = letter_request(
+        client,
+        data,
+        sample_letter_template.service_id,
+        key_type=KEY_TYPE_TEAM,
+        _expected_status=403
+    )
+
+    assert error_json['status_code'] == 403
+    assert error_json['errors'] == [{'error': 'BadRequestError', 'message': 'Cannot send letters with a team api key'}]