darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-23 08:51:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

Allow for multiple api keys for a service.

Browse Source
This commit is contained in:
Rebecca Law
2016-01-19 18:25:21 +00:00
parent 811e7c1bec
commit 1db57dca8c
7 changed files with 80 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
app/authentication/auth.py
View File

@@ -1,8 +1,7 @@
from flask import request, jsonify, _request_ctx_stack from flask import request, jsonify, _request_ctx_stack
from client.authentication import decode_jwt_token, get_token_issuer from client.authentication import decode_jwt_token, get_token_issuer
from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
from app.dao.api_key_dao import get_unsigned_secrets
from app.dao.api_key_dao import get_unsigned_secret
def authentication_response(message, code): def authentication_response(message, code):
@@ -21,28 +20,36 @@ def requires_auth():
if auth_scheme != 'Bearer ': if auth_scheme != 'Bearer ':
return authentication_response('Unauthorized, authentication bearer scheme must be used', 401) return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)
auth_token = auth_header[7:]
try: try:
auth_token = auth_header[7:]
api_client = fetch_client(get_token_issuer(auth_token)) api_client = fetch_client(get_token_issuer(auth_token))
if api_client is None:
authentication_response("Invalid credentials", 403)
decode_jwt_token(
auth_token,
api_client['secret'],
request.method,
request.path,
request.data.decode() if request.data else None
)
_request_ctx_stack.top.api_user = api_client
except TokenRequestError:
return authentication_response("Invalid token: request", 403)
except TokenExpiredError:
return authentication_response("Invalid token: expired", 403)
except TokenPayloadError:
return authentication_response("Invalid token: payload", 403)
except TokenDecodeError: except TokenDecodeError:
return authentication_response("Invalid token: signature", 403) return authentication_response("Invalid token: signature", 403)
if api_client is None:
authentication_response("Invalid credentials", 403)
# If the api_client does not have any secrets return response saying that
errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
for secret in api_client['secret']:
try:
decode_jwt_token(
auth_token,
secret,
request.method,
request.path,
request.data.decode() if request.data else None
)
_request_ctx_stack.top.api_user = api_client
return
except TokenRequestError:
errors_resp = authentication_response("Invalid token: request", 403)
except TokenExpiredError:
errors_resp = authentication_response("Invalid token: expired", 403)
except TokenPayloadError:
errors_resp = authentication_response("Invalid token: payload", 403)
except TokenDecodeError:
errors_resp = authentication_response("Invalid token: signature", 403)
return errors_resp
def fetch_client(client): def fetch_client(client):
@@ -55,5 +62,5 @@ def fetch_client(client):
else: else:
return { return {
"client": client, "client": client,
"secret": get_unsigned_secret(client) "secret": get_unsigned_secrets(client)
} }

14
app/dao/api_key_dao.py
View File

@@ -30,12 +30,20 @@ def get_model_api_keys(service_id=None, raise_=True):
return ApiKey.query.filter_by().all() return ApiKey.query.filter_by().all()
def get_unsigned_secret(service_id): def get_unsigned_secrets(service_id):
""" """
There should only be one valid api_keys for each service.
This method can only be exposed to the Authentication of the api calls. This method can only be exposed to the Authentication of the api calls.
""" """
api_key = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).one() api_keys = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).all()
keys = [_get_secret(x.secret) for x in api_keys]
return keys
def get_unsigned_secret(key_id):
"""
This method can only be exposed to the Authentication of the api calls.
"""
api_key = ApiKey.query.filter_by(id=key_id, expiry_date=None).one()
return _get_secret(api_key.secret) return _get_secret(api_key.secret)

7
app/service/rest.py
View File

@@ -75,7 +75,7 @@ def get_service(service_id=None):
return jsonify(data=data) return jsonify(data=data)
@service.route('/<int:service_id>/api-key/renew', methods=['POST']) @service.route('/<int:service_id>/api-key', methods=['POST'])
def renew_api_key(service_id=None): def renew_api_key(service_id=None):
try: try:
service = get_model_services(service_id=service_id) service = get_model_services(service_id=service_id)
@@ -92,10 +92,11 @@ def renew_api_key(service_id=None):
# create a new one # create a new one
# TODO: what validation should be done here? # TODO: what validation should be done here?
secret_name = request.get_json()['name'] secret_name = request.get_json()['name']
save_model_api_key(ApiKey(service=service, name=secret_name)) key = ApiKey(service=service, name=secret_name)
save_model_api_key(key)
except DAOException as e: except DAOException as e:
return jsonify(result='error', message=str(e)), 400 return jsonify(result='error', message=str(e)), 400
unsigned_api_key = get_unsigned_secret(service_id) unsigned_api_key = get_unsigned_secret(key.id)
return jsonify(data=unsigned_api_key), 201 return jsonify(data=unsigned_api_key), 201

4
tests/__init__.py
View File

@@ -1,13 +1,13 @@
from flask import current_app from flask import current_app
from client.authentication import create_jwt_token from client.authentication import create_jwt_token
from app.dao.api_key_dao import get_unsigned_secret from app.dao.api_key_dao import get_unsigned_secrets
def create_authorization_header(path, method, request_body=None, service_id=None): def create_authorization_header(path, method, request_body=None, service_id=None):
if service_id: if service_id:
client_id = service_id client_id = service_id
secret = get_unsigned_secret(service_id) secret = get_unsigned_secrets(service_id)[0]
else: else:
client_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') client_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')
secret = current_app.config.get('ADMIN_CLIENT_SECRET') secret = current_app.config.get('ADMIN_CLIENT_SECRET')

23
tests/app/authentication/test_authentication.py
View File

@@ -1,7 +1,8 @@
from client.authentication import create_jwt_token from client.authentication import create_jwt_token
from flask import json, url_for from flask import json, url_for
from app.dao.api_key_dao import get_unsigned_secret from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key
from app.models import ApiKey
def test_should_not_allow_request_with_no_token(notify_api): def test_should_not_allow_request_with_no_token(notify_api):
@@ -23,7 +24,7 @@ def test_should_not_allow_request_with_incorrect_header(notify_api):
assert data['error'] == 'Unauthorized, authentication bearer scheme must be used' assert data['error'] == 'Unauthorized, authentication bearer scheme must be used'
def test_should_not_allow_request_with_incorrect_token(notify_api): def test_should_not_allow_request_with_incorrect_token(notify_api, notify_db, notify_db_session, sample_api_key):
with notify_api.test_request_context(): with notify_api.test_request_context():
with notify_api.test_client() as client: with notify_api.test_client() as client:
response = client.get(url_for('service.get_service'), response = client.get(url_for('service.get_service'),
@@ -38,7 +39,7 @@ def test_should_not_allow_incorrect_path(notify_api, notify_db, notify_db_sessio
with notify_api.test_client() as client: with notify_api.test_client() as client:
token = create_jwt_token(request_method="GET", token = create_jwt_token(request_method="GET",
request_path="/bad", request_path="/bad",
secret=get_unsigned_secret(sample_api_key.service_id), secret=get_unsigned_secrets(sample_api_key.service_id)[0],
client_id=sample_api_key.service_id) client_id=sample_api_key.service_id)
response = client.get(url_for('service.get_service'), response = client.get(url_for('service.get_service'),
headers={'Authorization': "Bearer {}".format(token)}) headers={'Authorization': "Bearer {}".format(token)})
@@ -79,6 +80,18 @@ def test_should_allow_valid_token(notify_api, notify_db, notify_db_session, samp
assert response.status_code == 200 assert response.status_code == 200
def test_should_allow_valid_token_when_service_has_multiple_keys(notify_api, notify_db, notify_db_session,
sample_api_key):
with notify_api.test_request_context():
with notify_api.test_client() as client:
data = {'service_id': sample_api_key.service_id, 'name': 'some key name'}
api_key = ApiKey(**data)
save_model_api_key(api_key)
token = __create_get_token(sample_api_key.service_id)
response = client.get(url_for('service.get_service'),
headers={'Authorization': 'Bearer {}'.format(token)})
assert response.status_code == 200
JSON_BODY = json.dumps({ JSON_BODY = json.dumps({
'name': 'new name' 'name': 'new name'
}) })
@@ -118,7 +131,7 @@ def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_
def __create_get_token(service_id): def __create_get_token(service_id):
return create_jwt_token(request_method="GET", return create_jwt_token(request_method="GET",
request_path=url_for('service.get_service'), request_path=url_for('service.get_service'),
secret=get_unsigned_secret(service_id), secret=get_unsigned_secrets(service_id)[0],
client_id=service_id) client_id=service_id)
@@ -126,7 +139,7 @@ def __create_post_token(service_id, request_body):
return create_jwt_token( return create_jwt_token(
request_method="POST", request_method="POST",
request_path=url_for('service.create_service'), request_path=url_for('service.create_service'),
secret=get_unsigned_secret(service_id), secret=get_unsigned_secrets(service_id)[0],
client_id=service_id, client_id=service_id,
request_body=request_body request_body=request_body
) )

2
tests/app/conftest.py
View File

@@ -69,7 +69,7 @@ def sample_api_key(notify_db,
service=None): service=None):
if service is None: if service is None:
service = sample_service(notify_db, notify_db_session) service = sample_service(notify_db, notify_db_session)
data = {'service_id': service.id, 'name': service.name} data = {'service_id': service.id, 'name': uuid.uuid4()}
api_key = ApiKey(**data) api_key = ApiKey(**data)
save_model_api_key(api_key) save_model_api_key(api_key)
return api_key return api_key

21
tests/app/dao/test_api_key_dao.py
View File

@@ -5,6 +5,7 @@ from sqlalchemy.orm.exc import NoResultFound
from app.dao.api_key_dao import (save_model_api_key, from app.dao.api_key_dao import (save_model_api_key,
get_model_api_keys, get_model_api_keys,
get_unsigned_secrets,
get_unsigned_secret, get_unsigned_secret,
_generate_secret, _generate_secret,
_get_secret) _get_secret)
@@ -60,10 +61,20 @@ def test_should_return_api_key_for_service(notify_api, notify_db, notify_db_sess
assert api_key == sample_api_key assert api_key == sample_api_key
def test_should_return_unsigned_api_key_for_service_id(notify_api, def test_should_return_unsigned_api_keys_for_service_id(notify_api,
notify_db, notify_db,
notify_db_session, notify_db_session,
sample_api_key): sample_api_key):
unsigned_api_key = get_unsigned_secret(sample_api_key.service_id) unsigned_api_key = get_unsigned_secrets(sample_api_key.service_id)
assert len(unsigned_api_key) == 1
assert sample_api_key.secret != unsigned_api_key[0]
assert unsigned_api_key[0] == _get_secret(sample_api_key.secret)
def test_get_unsigned_secret_returns_key(notify_api,
notify_db,
notify_db_session,
sample_api_key):
unsigned_api_key = get_unsigned_secret(sample_api_key.id)
assert sample_api_key.secret != unsigned_api_key assert sample_api_key.secret != unsigned_api_key
assert unsigned_api_key == _get_secret(sample_api_key.secret) assert unsigned_api_key == _get_secret(sample_api_key.secret)