mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-23 08:51:30 -05:00
Allow for multiple api keys for a service.
This commit is contained in:
Rebecca Law
@@ -1,8 +1,7 @@
|
||||
from flask import request, jsonify, _request_ctx_stack
|
||||
from client.authentication import decode_jwt_token, get_token_issuer
|
||||
from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError
|
||||
|
||||
from app.dao.api_key_dao import get_unsigned_secret
|
||||
from app.dao.api_key_dao import get_unsigned_secrets
|
||||
|
||||
|
||||
def authentication_response(message, code):
|
||||
@@ -21,28 +20,36 @@ def requires_auth():
|
||||
if auth_scheme != 'Bearer ':
|
||||
return authentication_response('Unauthorized, authentication bearer scheme must be used', 401)
|
||||
|
||||
try:
|
||||
auth_token = auth_header[7:]
|
||||
try:
|
||||
api_client = fetch_client(get_token_issuer(auth_token))
|
||||
except TokenDecodeError:
|
||||
return authentication_response("Invalid token: signature", 403)
|
||||
if api_client is None:
|
||||
authentication_response("Invalid credentials", 403)
|
||||
|
||||
# If the api_client does not have any secrets return response saying that
|
||||
errors_resp = authentication_response("Invalid token: api client has no secrets", 403)
|
||||
for secret in api_client['secret']:
|
||||
try:
|
||||
decode_jwt_token(
|
||||
auth_token,
|
||||
api_client['secret'],
|
||||
secret,
|
||||
request.method,
|
||||
request.path,
|
||||
request.data.decode() if request.data else None
|
||||
)
|
||||
_request_ctx_stack.top.api_user = api_client
|
||||
return
|
||||
except TokenRequestError:
|
||||
return authentication_response("Invalid token: request", 403)
|
||||
errors_resp = authentication_response("Invalid token: request", 403)
|
||||
except TokenExpiredError:
|
||||
return authentication_response("Invalid token: expired", 403)
|
||||
errors_resp = authentication_response("Invalid token: expired", 403)
|
||||
except TokenPayloadError:
|
||||
return authentication_response("Invalid token: payload", 403)
|
||||
errors_resp = authentication_response("Invalid token: payload", 403)
|
||||
except TokenDecodeError:
|
||||
return authentication_response("Invalid token: signature", 403)
|
||||
errors_resp = authentication_response("Invalid token: signature", 403)
|
||||
|
||||
return errors_resp
|
||||
|
||||
|
||||
def fetch_client(client):
|
||||
@@ -55,5 +62,5 @@ def fetch_client(client):
|
||||
else:
|
||||
return {
|
||||
"client": client,
|
||||
"secret": get_unsigned_secret(client)
|
||||
"secret": get_unsigned_secrets(client)
|
||||
}
|
||||
|
||||
@@ -30,12 +30,20 @@ def get_model_api_keys(service_id=None, raise_=True):
|
||||
return ApiKey.query.filter_by().all()
|
||||
|
||||
|
||||
def get_unsigned_secret(service_id):
|
||||
def get_unsigned_secrets(service_id):
|
||||
"""
|
||||
There should only be one valid api_keys for each service.
|
||||
This method can only be exposed to the Authentication of the api calls.
|
||||
"""
|
||||
api_key = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).one()
|
||||
api_keys = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).all()
|
||||
keys = [_get_secret(x.secret) for x in api_keys]
|
||||
return keys
|
||||
|
||||
|
||||
def get_unsigned_secret(key_id):
|
||||
"""
|
||||
This method can only be exposed to the Authentication of the api calls.
|
||||
"""
|
||||
api_key = ApiKey.query.filter_by(id=key_id, expiry_date=None).one()
|
||||
return _get_secret(api_key.secret)
|
||||
|
||||
|
||||
|
||||
@@ -75,7 +75,7 @@ def get_service(service_id=None):
|
||||
return jsonify(data=data)
|
||||
|
||||
|
||||
@service.route('/<int:service_id>/api-key/renew', methods=['POST'])
|
||||
@service.route('/<int:service_id>/api-key', methods=['POST'])
|
||||
def renew_api_key(service_id=None):
|
||||
try:
|
||||
service = get_model_services(service_id=service_id)
|
||||
@@ -92,10 +92,11 @@ def renew_api_key(service_id=None):
|
||||
# create a new one
|
||||
# TODO: what validation should be done here?
|
||||
secret_name = request.get_json()['name']
|
||||
save_model_api_key(ApiKey(service=service, name=secret_name))
|
||||
key = ApiKey(service=service, name=secret_name)
|
||||
save_model_api_key(key)
|
||||
except DAOException as e:
|
||||
return jsonify(result='error', message=str(e)), 400
|
||||
unsigned_api_key = get_unsigned_secret(service_id)
|
||||
unsigned_api_key = get_unsigned_secret(key.id)
|
||||
return jsonify(data=unsigned_api_key), 201
|
||||
|
||||
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
from flask import current_app
|
||||
from client.authentication import create_jwt_token
|
||||
|
||||
from app.dao.api_key_dao import get_unsigned_secret
|
||||
from app.dao.api_key_dao import get_unsigned_secrets
|
||||
|
||||
|
||||
def create_authorization_header(path, method, request_body=None, service_id=None):
|
||||
if service_id:
|
||||
client_id = service_id
|
||||
secret = get_unsigned_secret(service_id)
|
||||
secret = get_unsigned_secrets(service_id)[0]
|
||||
else:
|
||||
client_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')
|
||||
secret = current_app.config.get('ADMIN_CLIENT_SECRET')
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
from client.authentication import create_jwt_token
|
||||
from flask import json, url_for
|
||||
|
||||
from app.dao.api_key_dao import get_unsigned_secret
|
||||
from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key
|
||||
from app.models import ApiKey
|
||||
|
||||
|
||||
def test_should_not_allow_request_with_no_token(notify_api):
|
||||
@@ -23,7 +24,7 @@ def test_should_not_allow_request_with_incorrect_header(notify_api):
|
||||
assert data['error'] == 'Unauthorized, authentication bearer scheme must be used'
|
||||
|
||||
|
||||
def test_should_not_allow_request_with_incorrect_token(notify_api):
|
||||
def test_should_not_allow_request_with_incorrect_token(notify_api, notify_db, notify_db_session, sample_api_key):
|
||||
with notify_api.test_request_context():
|
||||
with notify_api.test_client() as client:
|
||||
response = client.get(url_for('service.get_service'),
|
||||
@@ -38,7 +39,7 @@ def test_should_not_allow_incorrect_path(notify_api, notify_db, notify_db_sessio
|
||||
with notify_api.test_client() as client:
|
||||
token = create_jwt_token(request_method="GET",
|
||||
request_path="/bad",
|
||||
secret=get_unsigned_secret(sample_api_key.service_id),
|
||||
secret=get_unsigned_secrets(sample_api_key.service_id)[0],
|
||||
client_id=sample_api_key.service_id)
|
||||
response = client.get(url_for('service.get_service'),
|
||||
headers={'Authorization': "Bearer {}".format(token)})
|
||||
@@ -79,6 +80,18 @@ def test_should_allow_valid_token(notify_api, notify_db, notify_db_session, samp
|
||||
assert response.status_code == 200
|
||||
|
||||
|
||||
def test_should_allow_valid_token_when_service_has_multiple_keys(notify_api, notify_db, notify_db_session,
|
||||
sample_api_key):
|
||||
with notify_api.test_request_context():
|
||||
with notify_api.test_client() as client:
|
||||
data = {'service_id': sample_api_key.service_id, 'name': 'some key name'}
|
||||
api_key = ApiKey(**data)
|
||||
save_model_api_key(api_key)
|
||||
token = __create_get_token(sample_api_key.service_id)
|
||||
response = client.get(url_for('service.get_service'),
|
||||
headers={'Authorization': 'Bearer {}'.format(token)})
|
||||
assert response.status_code == 200
|
||||
|
||||
JSON_BODY = json.dumps({
|
||||
'name': 'new name'
|
||||
})
|
||||
@@ -118,7 +131,7 @@ def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_
|
||||
def __create_get_token(service_id):
|
||||
return create_jwt_token(request_method="GET",
|
||||
request_path=url_for('service.get_service'),
|
||||
secret=get_unsigned_secret(service_id),
|
||||
secret=get_unsigned_secrets(service_id)[0],
|
||||
client_id=service_id)
|
||||
|
||||
|
||||
@@ -126,7 +139,7 @@ def __create_post_token(service_id, request_body):
|
||||
return create_jwt_token(
|
||||
request_method="POST",
|
||||
request_path=url_for('service.create_service'),
|
||||
secret=get_unsigned_secret(service_id),
|
||||
secret=get_unsigned_secrets(service_id)[0],
|
||||
client_id=service_id,
|
||||
request_body=request_body
|
||||
)
|
||||
|
||||
@@ -69,7 +69,7 @@ def sample_api_key(notify_db,
|
||||
service=None):
|
||||
if service is None:
|
||||
service = sample_service(notify_db, notify_db_session)
|
||||
data = {'service_id': service.id, 'name': service.name}
|
||||
data = {'service_id': service.id, 'name': uuid.uuid4()}
|
||||
api_key = ApiKey(**data)
|
||||
save_model_api_key(api_key)
|
||||
return api_key
|
||||
|
||||
@@ -5,6 +5,7 @@ from sqlalchemy.orm.exc import NoResultFound
|
||||
|
||||
from app.dao.api_key_dao import (save_model_api_key,
|
||||
get_model_api_keys,
|
||||
get_unsigned_secrets,
|
||||
get_unsigned_secret,
|
||||
_generate_secret,
|
||||
_get_secret)
|
||||
@@ -60,10 +61,20 @@ def test_should_return_api_key_for_service(notify_api, notify_db, notify_db_sess
|
||||
assert api_key == sample_api_key
|
||||
|
||||
|
||||
def test_should_return_unsigned_api_key_for_service_id(notify_api,
|
||||
def test_should_return_unsigned_api_keys_for_service_id(notify_api,
|
||||
notify_db,
|
||||
notify_db_session,
|
||||
sample_api_key):
|
||||
unsigned_api_key = get_unsigned_secret(sample_api_key.service_id)
|
||||
unsigned_api_key = get_unsigned_secrets(sample_api_key.service_id)
|
||||
assert len(unsigned_api_key) == 1
|
||||
assert sample_api_key.secret != unsigned_api_key[0]
|
||||
assert unsigned_api_key[0] == _get_secret(sample_api_key.secret)
|
||||
|
||||
|
||||
def test_get_unsigned_secret_returns_key(notify_api,
|
||||
notify_db,
|
||||
notify_db_session,
|
||||
sample_api_key):
|
||||
unsigned_api_key = get_unsigned_secret(sample_api_key.id)
|
||||
assert sample_api_key.secret != unsigned_api_key
|
||||
assert unsigned_api_key == _get_secret(sample_api_key.secret)
|
||||
|
||||
Reference in New Issue
Block a user