Simplify tests for get auth token / issuer

This switches to testing the two functions directly as trying to
test them through the top-level "requires_..." functions or calls
to endpoints doesn't scale as we add more of them.

While this has a slight risk that a "requires_..." function might
not be using these helpers, it seems unlikely and we can always
add a mock to check this if we're concerned in future.
Ben Thorner
2021-07-28 13:55:55 +01:00
parent 1d806d65eb
commit 2c568698d1
2 changed files with 35 additions and 47 deletions


@@ -56,19 +56,6 @@ class InternalApiKey():
self.expiry_date = None
def get_auth_token(req):
auth_header = req.headers.get('Authorization', None)
if not auth_header:
raise AuthError('Unauthorized: authentication token must be provided', 401)
auth_scheme = auth_header[:7].title()
if auth_scheme != 'Bearer ':
raise AuthError('Unauthorized: authentication bearer scheme must be used', 401)
return auth_header[7:]
def requires_no_auth():
pass
@@ -82,8 +69,8 @@ def requires_internal_auth(expected_client_id):
raise TypeError("Unknown client_id for internal auth")
request_helper.check_proxy_header_before_request()
auth_token = get_auth_token(request)
client_id = __get_token_issuer(auth_token)
auth_token = _get_auth_token(request)
client_id = _get_token_issuer(auth_token)
if client_id != expected_client_id:
raise AuthError("Unauthorized: not allowed to perform this action", 401)
@@ -100,8 +87,8 @@ def requires_internal_auth(expected_client_id):
def requires_auth():
request_helper.check_proxy_header_before_request()
auth_token = get_auth_token(request)
issuer = __get_token_issuer(auth_token) # ie the `iss` claim which should be a service ID
auth_token = _get_auth_token(request)
issuer = _get_token_issuer(auth_token) # ie the `iss` claim which should be a service ID
try:
service_id = uuid.UUID(issuer)
@@ -164,7 +151,20 @@ def _decode_jwt_token(auth_token, api_keys, service_id=None):
raise AuthError("Invalid token: API key not found", 403, service_id=service_id)
def __get_token_issuer(auth_token):
def _get_auth_token(req):
auth_header = req.headers.get('Authorization', None)
if not auth_header:
raise AuthError('Unauthorized: authentication token must be provided', 401)
auth_scheme = auth_header[:7].title()
if auth_scheme != 'Bearer ':
raise AuthError('Unauthorized: authentication bearer scheme must be used', 401)
return auth_header[7:]
def _get_token_issuer(auth_token):
try:
issuer = get_token_issuer(auth_token)
except TokenIssuerError: