diff --git a/app/authentication/auth.py b/app/authentication/auth.py index 64e1074b3..0f4100e6d 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -57,7 +57,7 @@ def fetch_client(client): if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'): return { "client": client, - "secret": current_app.config.get('ADMIN_CLIENT_SECRET') + "secret": [current_app.config.get('ADMIN_CLIENT_SECRET')] } else: return { diff --git a/app/service/rest.py b/app/service/rest.py index cb0a6f7a9..2d7fe2626 100644 --- a/app/service/rest.py +++ b/app/service/rest.py @@ -85,10 +85,6 @@ def renew_api_key(service_id=None): return jsonify(result="error", message="Service not found"), 404 try: - service_api_key = get_model_api_keys(service_id=service_id, raise_=False) - if service_api_key: - # expire existing api_key - save_model_api_key(service_api_key, update_dict={'id': service_api_key.id, 'expiry_date': datetime.now()}) # create a new one # TODO: what validation should be done here? secret_name = request.get_json()['name'] diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index f98e8cb5a..578dfc169 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -1,8 +1,9 @@ -from client.authentication import create_jwt_token -from flask import json, url_for +from datetime import datetime, timedelta -from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key -from app.models import ApiKey +from client.authentication import create_jwt_token +from flask import json, url_for, current_app +from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key, get_unsigned_secret +from app.models import ApiKey, Service def test_should_not_allow_request_with_no_token(notify_api): @@ -92,28 +93,37 @@ def test_should_allow_valid_token_when_service_has_multiple_keys(notify_api, not headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 200 + JSON_BODY = json.dumps({ - 'name': 'new name' + "key1": "value1", + "key2": "value2", + "key3": "value3" }) -# def test_should_allow_valid_token_with_post_body( -# notify_api, notify_db, notify_db_session, sample_api_key): -# with notify_api.test_request_context(): -# with notify_api.test_client() as client: -# token = create_jwt_token( -# request_method="PUT", -# request_path=url_for('service.update_service', service_id=sample_api_key.service_id), -# secret=get_unsigned_secret(sample_api_key.service_id), -# client_id=sample_api_key.service_id, -# request_body=JSON_BODY -# ) -# response = client.put( -# url_for('service.update_service', service_id=sample_api_key.service_id), -# data=JSON_BODY, -# headers=[('Content-type', 'application-json'), ('Authorization', 'Bearer {}'.format(token))] -# ) -# assert response.status_code == 200 +def test_should_allow_valid_token_with_post_body(notify_api, notify_db, notify_db_session, sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + service = Service.query.get(sample_api_key.service_id) + data = {'name': 'new name', + 'users': [service.users[0].id], + 'limit': 1000, + 'restricted': False, + 'active': False} + + token = create_jwt_token( + request_method="PUT", + request_path=url_for('service.update_service', service_id=sample_api_key.service_id), + secret=get_unsigned_secret(sample_api_key.id), + client_id=sample_api_key.service_id, + request_body=json.dumps(data) + ) + headers = [('Content-Type', 'application/json'), ('Authorization', 'Bearer {}'.format(token))] + response = client.put( + url_for('service.update_service', service_id=service.id), + data=json.dumps(data), + headers=headers) + assert response.status_code == 200 def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_db, notify_db_session, sample_api_key): @@ -128,6 +138,72 @@ def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_ assert data['error'] == 'Invalid token: payload' +def test_authentication_passes_admin_client_token(notify_api, + notify_db, + notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + token = create_jwt_token(request_method="GET", + request_path=url_for('service.get_service'), + secret=current_app.config.get('ADMIN_CLIENT_SECRET'), + client_id=current_app.config.get('ADMIN_CLIENT_USER_NAME')) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + + +def test_authentication_passes_when_service_has_multiple_keys_some_expired(notify_api, + notify_db, + notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + exprired_key = {'service_id': sample_api_key.service_id, 'name': 'expired_key', + 'expiry_date': datetime.now()} + expired_api_key = ApiKey(**exprired_key) + save_model_api_key(expired_api_key) + another_key = {'service_id': sample_api_key.service_id, 'name': 'another_key'} + api_key = ApiKey(**another_key) + save_model_api_key(api_key) + token = create_jwt_token(request_method="GET", + request_path=url_for('service.get_service'), + secret=get_unsigned_secret(api_key.id), + client_id=sample_api_key.service_id) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + + +def test_authentication_returns_token_expired_when_service_uses_expired_key_and_has_multiple_keys(notify_api, + notify_db, + notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + expired_key = {'service_id': sample_api_key.service_id, 'name': 'expired_key'} + expired_api_key = ApiKey(**expired_key) + save_model_api_key(expired_api_key) + another_key = {'service_id': sample_api_key.service_id, 'name': 'another_key'} + api_key = ApiKey(**another_key) + save_model_api_key(api_key) + token = create_jwt_token(request_method="GET", + request_path=url_for('service.get_service'), + secret=get_unsigned_secret(expired_api_key.id), + client_id=sample_api_key.service_id) + # expire the key + expire_the_key = {'id': expired_api_key.id, + 'service_id': sample_api_key.service_id, + 'name': 'expired_key', + 'expiry_date': datetime.now() + timedelta(hours=-2)} + save_model_api_key(expired_api_key, expire_the_key) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 403 + data = json.loads(response.get_data()) + assert data['error'] == 'Invalid token: signature' + + def __create_get_token(service_id): return create_jwt_token(request_method="GET", request_path=url_for('service.get_service'), diff --git a/tests/app/service/test_api_key_endpoints.py b/tests/app/service/test_api_key_endpoints.py new file mode 100644 index 000000000..dd01052a8 --- /dev/null +++ b/tests/app/service/test_api_key_endpoints.py @@ -0,0 +1,81 @@ +import json + +from flask import url_for + +from app.models import ApiKey +from tests import create_authorization_header + + +def test_api_key_should_create_new_api_key_for_service(notify_api, notify_db, + notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + data = {'name': 'some secret name'} + auth_header = create_authorization_header(path=url_for('service.renew_api_key', + service_id=sample_service.id), + method='POST', + request_body=json.dumps(data)) + response = client.post(url_for('service.renew_api_key', service_id=sample_service.id), + data=json.dumps(data), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response.status_code == 201 + assert response.get_data is not None + saved_api_key = ApiKey.query.filter_by(service_id=sample_service.id).first() + assert saved_api_key.service_id == sample_service.id + assert saved_api_key.name == 'some secret name' + + +def test_api_key_should_return_error_when_service_does_not_exist(notify_api, notify_db, notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + auth_header = create_authorization_header(path=url_for('service.renew_api_key', service_id="123"), + method='POST') + response = client.post(url_for('service.renew_api_key', service_id=123), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response.status_code == 404 + + +def test_revoke_should_expire_api_key_for_service(notify_api, notify_db, notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + assert ApiKey.query.count() == 1 + auth_header = create_authorization_header(path=url_for('service.revoke_api_key', + service_id=sample_api_key.service_id), + method='POST') + response = client.post(url_for('service.revoke_api_key', service_id=sample_api_key.service_id), + headers=[auth_header]) + assert response.status_code == 202 + api_keys_for_service = ApiKey.query.filter_by(service_id=sample_api_key.service_id).first() + assert api_keys_for_service.expiry_date is not None + + +def test_api_key_should_create_multiple_new_api_key_for_service(notify_api, notify_db, + notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + assert ApiKey.query.count() == 0 + data = {'name': 'some secret name'} + auth_header = create_authorization_header(path=url_for('service.renew_api_key', + service_id=sample_service.id), + method='POST', + request_body=json.dumps(data)) + response = client.post(url_for('service.renew_api_key', service_id=sample_service.id), + data=json.dumps(data), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response.status_code == 201 + assert ApiKey.query.count() == 1 + data = {'name': 'another secret name'} + auth_header = create_authorization_header(path=url_for('service.renew_api_key', + service_id=sample_service.id), + method='POST', + request_body=json.dumps(data)) + response2 = client.post(url_for('service.renew_api_key', service_id=sample_service.id), + data=json.dumps(data), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response2.status_code == 201 + assert response2.get_data != response.get_data + assert ApiKey.query.count() == 2 diff --git a/tests/app/service/test_rest.py b/tests/app/service/test_rest.py index 350e03283..491366f93 100644 --- a/tests/app/service/test_rest.py +++ b/tests/app/service/test_rest.py @@ -310,82 +310,6 @@ def test_delete_service_not_exists(notify_api, notify_db, notify_db_session, sam assert Service.query.count() == 2 -def test_renew_api_key_should_create_new_api_key_for_service(notify_api, notify_db, - notify_db_session, - sample_service, - sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - data = {'name': 'some secret name'} - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.renew_api_key', - service_id=sample_service.id), - method='POST', - request_body=json.dumps(data)) - response = client.post(url_for('service.renew_api_key', service_id=sample_service.id), - data=json.dumps(data), - headers=[('Content-Type', 'application/json'), auth_header]) - assert response.status_code == 201 - assert response.get_data is not None - saved_api_key = ApiKey.query.filter_by(service_id=sample_service.id).first() - assert saved_api_key.service_id == sample_service.id - assert saved_api_key.name == 'some secret name' - - -def test_renew_api_key_should_expire_the_old_api_key_and_create_a_new_api_key(notify_api, notify_db, notify_db_session, - sample_api_key, sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - assert ApiKey.query.count() == 2 - data = {'name': 'some secret name'} - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.renew_api_key', - service_id=sample_api_key.service_id), - method='POST', - request_body=json.dumps(data)) - - response = client.post(url_for('service.renew_api_key', service_id=sample_api_key.service_id), - data=json.dumps(data), - headers=[('Content-Type', 'application/json'), auth_header]) - assert response.status_code == 201 - assert ApiKey.query.count() == 3 - all_api_keys = ApiKey.query.filter_by(service_id=sample_api_key.service_id).all() - for x in all_api_keys: - if x.id == sample_api_key.id: - assert x.expiry_date is not None - else: - assert x.expiry_date is None - assert x.secret is not sample_api_key.secret - - -def test_renew_api_key_should_return_error_when_service_does_not_exist(notify_api, notify_db, notify_db_session, - sample_service, sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.renew_api_key', service_id="123"), - method='POST') - response = client.post(url_for('service.renew_api_key', service_id=123), - headers=[('Content-Type', 'application/json'), auth_header]) - assert response.status_code == 404 - - -def test_revoke_api_key_should_expire_api_key_for_service(notify_api, notify_db, notify_db_session, - sample_api_key, sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - assert ApiKey.query.count() == 2 - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.revoke_api_key', - service_id=sample_api_key.service_id), - method='POST') - response = client.post(url_for('service.revoke_api_key', service_id=sample_api_key.service_id), - headers=[auth_header]) - assert response.status_code == 202 - api_keys_for_service = ApiKey.query.filter_by(service_id=sample_api_key.service_id).first() - assert api_keys_for_service.expiry_date is not None - - def test_create_service_should_create_new_service_for_user(notify_api, notify_db, notify_db_session, sample_user, sample_admin_service_id): with notify_api.test_request_context():