diff --git a/app/authentication/auth.py b/app/authentication/auth.py index d6c2399b3..64e1074b3 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -1,8 +1,7 @@ from flask import request, jsonify, _request_ctx_stack from client.authentication import decode_jwt_token, get_token_issuer from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError - -from app.dao.api_key_dao import get_unsigned_secret +from app.dao.api_key_dao import get_unsigned_secrets def authentication_response(message, code): @@ -21,28 +20,36 @@ def requires_auth(): if auth_scheme != 'Bearer ': return authentication_response('Unauthorized, authentication bearer scheme must be used', 401) + auth_token = auth_header[7:] try: - auth_token = auth_header[7:] api_client = fetch_client(get_token_issuer(auth_token)) - if api_client is None: - authentication_response("Invalid credentials", 403) - - decode_jwt_token( - auth_token, - api_client['secret'], - request.method, - request.path, - request.data.decode() if request.data else None - ) - _request_ctx_stack.top.api_user = api_client - except TokenRequestError: - return authentication_response("Invalid token: request", 403) - except TokenExpiredError: - return authentication_response("Invalid token: expired", 403) - except TokenPayloadError: - return authentication_response("Invalid token: payload", 403) except TokenDecodeError: return authentication_response("Invalid token: signature", 403) + if api_client is None: + authentication_response("Invalid credentials", 403) + # If the api_client does not have any secrets return response saying that + errors_resp = authentication_response("Invalid token: api client has no secrets", 403) + for secret in api_client['secret']: + try: + decode_jwt_token( + auth_token, + secret, + request.method, + request.path, + request.data.decode() if request.data else None + ) + _request_ctx_stack.top.api_user = api_client + return + except TokenRequestError: + errors_resp = authentication_response("Invalid token: request", 403) + except TokenExpiredError: + errors_resp = authentication_response("Invalid token: expired", 403) + except TokenPayloadError: + errors_resp = authentication_response("Invalid token: payload", 403) + except TokenDecodeError: + errors_resp = authentication_response("Invalid token: signature", 403) + + return errors_resp def fetch_client(client): @@ -55,5 +62,5 @@ def fetch_client(client): else: return { "client": client, - "secret": get_unsigned_secret(client) + "secret": get_unsigned_secrets(client) } diff --git a/app/dao/api_key_dao.py b/app/dao/api_key_dao.py index 3a1912a70..b53abb08e 100644 --- a/app/dao/api_key_dao.py +++ b/app/dao/api_key_dao.py @@ -30,12 +30,20 @@ def get_model_api_keys(service_id=None, raise_=True): return ApiKey.query.filter_by().all() -def get_unsigned_secret(service_id): +def get_unsigned_secrets(service_id): """ - There should only be one valid api_keys for each service. This method can only be exposed to the Authentication of the api calls. """ - api_key = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).one() + api_keys = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).all() + keys = [_get_secret(x.secret) for x in api_keys] + return keys + + +def get_unsigned_secret(key_id): + """ + This method can only be exposed to the Authentication of the api calls. + """ + api_key = ApiKey.query.filter_by(id=key_id, expiry_date=None).one() return _get_secret(api_key.secret) diff --git a/app/service/rest.py b/app/service/rest.py index aa722a83c..cb0a6f7a9 100644 --- a/app/service/rest.py +++ b/app/service/rest.py @@ -75,7 +75,7 @@ def get_service(service_id=None): return jsonify(data=data) -@service.route('//api-key/renew', methods=['POST']) +@service.route('//api-key', methods=['POST']) def renew_api_key(service_id=None): try: service = get_model_services(service_id=service_id) @@ -92,10 +92,11 @@ def renew_api_key(service_id=None): # create a new one # TODO: what validation should be done here? secret_name = request.get_json()['name'] - save_model_api_key(ApiKey(service=service, name=secret_name)) + key = ApiKey(service=service, name=secret_name) + save_model_api_key(key) except DAOException as e: return jsonify(result='error', message=str(e)), 400 - unsigned_api_key = get_unsigned_secret(service_id) + unsigned_api_key = get_unsigned_secret(key.id) return jsonify(data=unsigned_api_key), 201 diff --git a/tests/__init__.py b/tests/__init__.py index b35e397d3..2fdb13ad3 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -1,13 +1,13 @@ from flask import current_app from client.authentication import create_jwt_token -from app.dao.api_key_dao import get_unsigned_secret +from app.dao.api_key_dao import get_unsigned_secrets def create_authorization_header(path, method, request_body=None, service_id=None): if service_id: client_id = service_id - secret = get_unsigned_secret(service_id) + secret = get_unsigned_secrets(service_id)[0] else: client_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') secret = current_app.config.get('ADMIN_CLIENT_SECRET') diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index c88c87163..f98e8cb5a 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -1,7 +1,8 @@ from client.authentication import create_jwt_token from flask import json, url_for -from app.dao.api_key_dao import get_unsigned_secret +from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key +from app.models import ApiKey def test_should_not_allow_request_with_no_token(notify_api): @@ -23,7 +24,7 @@ def test_should_not_allow_request_with_incorrect_header(notify_api): assert data['error'] == 'Unauthorized, authentication bearer scheme must be used' -def test_should_not_allow_request_with_incorrect_token(notify_api): +def test_should_not_allow_request_with_incorrect_token(notify_api, notify_db, notify_db_session, sample_api_key): with notify_api.test_request_context(): with notify_api.test_client() as client: response = client.get(url_for('service.get_service'), @@ -38,7 +39,7 @@ def test_should_not_allow_incorrect_path(notify_api, notify_db, notify_db_sessio with notify_api.test_client() as client: token = create_jwt_token(request_method="GET", request_path="/bad", - secret=get_unsigned_secret(sample_api_key.service_id), + secret=get_unsigned_secrets(sample_api_key.service_id)[0], client_id=sample_api_key.service_id) response = client.get(url_for('service.get_service'), headers={'Authorization': "Bearer {}".format(token)}) @@ -79,6 +80,18 @@ def test_should_allow_valid_token(notify_api, notify_db, notify_db_session, samp assert response.status_code == 200 +def test_should_allow_valid_token_when_service_has_multiple_keys(notify_api, notify_db, notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + data = {'service_id': sample_api_key.service_id, 'name': 'some key name'} + api_key = ApiKey(**data) + save_model_api_key(api_key) + token = __create_get_token(sample_api_key.service_id) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + JSON_BODY = json.dumps({ 'name': 'new name' }) @@ -118,7 +131,7 @@ def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_ def __create_get_token(service_id): return create_jwt_token(request_method="GET", request_path=url_for('service.get_service'), - secret=get_unsigned_secret(service_id), + secret=get_unsigned_secrets(service_id)[0], client_id=service_id) @@ -126,7 +139,7 @@ def __create_post_token(service_id, request_body): return create_jwt_token( request_method="POST", request_path=url_for('service.create_service'), - secret=get_unsigned_secret(service_id), + secret=get_unsigned_secrets(service_id)[0], client_id=service_id, request_body=request_body ) diff --git a/tests/app/conftest.py b/tests/app/conftest.py index ced56de67..a45f8c994 100644 --- a/tests/app/conftest.py +++ b/tests/app/conftest.py @@ -69,7 +69,7 @@ def sample_api_key(notify_db, service=None): if service is None: service = sample_service(notify_db, notify_db_session) - data = {'service_id': service.id, 'name': service.name} + data = {'service_id': service.id, 'name': uuid.uuid4()} api_key = ApiKey(**data) save_model_api_key(api_key) return api_key diff --git a/tests/app/dao/test_api_key_dao.py b/tests/app/dao/test_api_key_dao.py index 0f4e374a5..4af1bd5e0 100644 --- a/tests/app/dao/test_api_key_dao.py +++ b/tests/app/dao/test_api_key_dao.py @@ -5,6 +5,7 @@ from sqlalchemy.orm.exc import NoResultFound from app.dao.api_key_dao import (save_model_api_key, get_model_api_keys, + get_unsigned_secrets, get_unsigned_secret, _generate_secret, _get_secret) @@ -60,10 +61,20 @@ def test_should_return_api_key_for_service(notify_api, notify_db, notify_db_sess assert api_key == sample_api_key -def test_should_return_unsigned_api_key_for_service_id(notify_api, - notify_db, - notify_db_session, - sample_api_key): - unsigned_api_key = get_unsigned_secret(sample_api_key.service_id) +def test_should_return_unsigned_api_keys_for_service_id(notify_api, + notify_db, + notify_db_session, + sample_api_key): + unsigned_api_key = get_unsigned_secrets(sample_api_key.service_id) + assert len(unsigned_api_key) == 1 + assert sample_api_key.secret != unsigned_api_key[0] + assert unsigned_api_key[0] == _get_secret(sample_api_key.secret) + + +def test_get_unsigned_secret_returns_key(notify_api, + notify_db, + notify_db_session, + sample_api_key): + unsigned_api_key = get_unsigned_secret(sample_api_key.id) assert sample_api_key.secret != unsigned_api_key assert unsigned_api_key == _get_secret(sample_api_key.secret)