attach api_key to app

we previously attached the service id and the key's secret
also more refactoring of auth.py

app/authentication/auth.py

@@ -2,7 +2,7 @@ from flask import request, jsonify, _request_ctx_stack, current_app
 from notifications_python_client.authentication import decode_jwt_token, get_token_issuer
 from notifications_python_client.errors import TokenDecodeError, TokenExpiredError
 
-from app.dao.api_key_dao import get_unsigned_secrets
+from app.dao.api_key_dao import get_model_api_keys
 
 
 def authentication_response(message, code):
@@ -23,37 +23,36 @@ def requires_auth():
 
     auth_token = auth_header[7:]
     try:
-        api_client = fetch_client(get_token_issuer(auth_token))
+        client = get_token_issuer(auth_token)
     except TokenDecodeError:
         return authentication_response("Invalid token: signature", 403)
 
-    for secret in api_client['secret']:
-        try:
-            decode_jwt_token(
-                auth_token,
-                secret
-            )
-            _request_ctx_stack.top.api_user = api_client
-            return
-        except TokenExpiredError:
-            errors_resp = authentication_response("Invalid token: expired", 403)
-        except TokenDecodeError:
-            errors_resp = authentication_response("Invalid token: signature", 403)
+    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
+        errors_resp = get_decode_errors(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'), expiry_date=None)
+        return errors_resp
 
-    if not api_client['secret']:
+    secret_keys = get_model_api_keys(client)
+    for api_key in secret_keys:
+        errors_resp = get_decode_errors(auth_token, api_key.unsigned_secret, api_key.expiry_date)
+        if not errors_resp:
+            if api_key.expiry_date:
+                return authentication_response("Invalid token: revoked", 403)
+            else:
+                _request_ctx_stack.top.api_user = api_key
+                return
+
+    if not secret_keys:
         errors_resp = authentication_response("Invalid token: no api keys for service", 403)
     current_app.logger.info(errors_resp)
     return errors_resp
 
 
-def fetch_client(client):
-    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
-        return {
-            "client": client,
-            "secret": [current_app.config.get('ADMIN_CLIENT_SECRET')]
-        }
+def get_decode_errors(auth_token, unsigned_secret, expiry_date=None):
+    try:
+        decode_jwt_token(auth_token, unsigned_secret)
+    except TokenExpiredError:
+        return authentication_response("Invalid token: expired", 403)
+    except TokenDecodeError:
+        return authentication_response("Invalid token: signature", 403)
     else:
-        return {
-            "client": client,
-            "secret": get_unsigned_secrets(client)
-        }
+        return None

app/notifications/rest.py

@@ -169,7 +169,7 @@ def process_firetext_response():
 
 @notifications.route('/notifications/<uuid:notification_id>', methods=['GET'])
 def get_notifications(notification_id):
-    notification = notifications_dao.get_notification(api_user['client'], notification_id)
+    notification = notifications_dao.get_notification(str(api_user.service_id), notification_id)
     return jsonify(data={"notification": notification_status_schema.dump(notification).data}), 200
 
 
@@ -181,7 +181,7 @@ def get_all_notifications():
     limit_days = data.get('limit_days')
 
     pagination = notifications_dao.get_notifications_for_service(
-        api_user['client'],
+        str(api_user.service_id),
         filter_dict=data,
         page=page,
         page_size=page_size,
@@ -203,8 +203,8 @@ def send_notification(notification_type):
     if notification_type not in ['sms', 'email']:
         assert False
 
-    service_id = api_user['client']
-    service = services_dao.dao_fetch_service_by_id(api_user['client'])
+    service_id = str(api_user.service_id)
+    service = services_dao.dao_fetch_service_by_id(service_id)
 
     service_stats = notifications_dao.dao_get_notification_statistics_for_service_and_day(
         service_id,

tests/app/authentication/test_authentication.py

@@ -1,6 +1,10 @@
 from datetime import datetime
-from notifications_python_client.authentication import create_jwt_token
+
+import pytest
 from flask import json, current_app
+from notifications_python_client.authentication import create_jwt_token
+
+from app import api_user
 from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key, get_unsigned_secret, expire_api_key
 from app.models import ApiKey, KEY_TYPE_NORMAL, KEY_TYPE_TEAM
 
@@ -164,7 +168,7 @@ def test_authentication_returns_token_expired_when_service_uses_expired_key_and_
                 headers={'Authorization': 'Bearer {}'.format(token)})
             assert response.status_code == 403
             data = json.loads(response.get_data())
-            assert data['message'] == {"token": ['Invalid token: signature']}
+            assert data['message'] == {"token": ['Invalid token: revoked']}
 
 
 def test_authentication_returns_error_when_api_client_has_no_secrets(notify_api,
@@ -220,3 +224,17 @@ def __create_post_token(service_id, request_body):
         secret=get_unsigned_secrets(service_id)[0],
         client_id=str(service_id)
     )
+
+
+def test_should_attach_the_current_api_key_to_current_app(notify_api, sample_service, sample_api_key):
+    with notify_api.test_request_context() as context, notify_api.test_client() as client:
+        with pytest.raises(AttributeError):
+            print(api_user)
+
+        token = __create_get_token(sample_api_key.service_id)
+        response = client.get(
+            '/service/{}'.format(str(sample_api_key.service_id)),
+            headers={'Authorization': 'Bearer {}'.format(token)}
+        )
+        assert response.status_code == 200
+        assert api_user == sample_api_key