Move proxy header check to auth-requiring endpoints

The main driver behind this is to allow us to enable HTTP healthchecks on
the `/_status` endpoint. The healthcheck requests go directly to the
instances without passing through the proxy, so the header is never set
on them.

In any case, endpoints like `/_status` should be generally accessible by
anything without requiring any form of authorization.
Athanasios Voutsadakis
2018-03-27 17:37:09 +01:00
parent 45aca51d4d
commit 463f1eefaf
3 changed files with 33 additions and 4 deletions


@@ -325,11 +325,11 @@ def __create_token(service_id):
@pytest.mark.parametrize('check_proxy_header,header_value,expected_status', [
(True, 'key_1', 200),
(True, 'wrong_key', 403),
(True, 'wrong_key', 200),
(False, 'key_1', 200),
(False, 'wrong_key', 200),
])
def test_route_correct_secret_key(notify_api, check_proxy_header, header_value, expected_status):
def test_proxy_key_non_auth_endpoint(notify_api, check_proxy_header, header_value, expected_status):
with set_config_values(notify_api, {
'ROUTE_SECRET_KEY_1': 'key_1',
'ROUTE_SECRET_KEY_2': '',
@@ -344,3 +344,29 @@ def test_route_correct_secret_key(notify_api, check_proxy_header, header_value,
]
)
assert response.status_code == expected_status
@pytest.mark.parametrize('check_proxy_header,header_value,expected_status', [
(True, 'key_1', 200),
(True, 'wrong_key', 403),
(False, 'key_1', 200),
(False, 'wrong_key', 200),
])
def test_proxy_key_on_admin_auth_endpoint(notify_api, check_proxy_header, header_value, expected_status):
token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRET'], current_app.config['ADMIN_CLIENT_USER_NAME'])
with set_config_values(notify_api, {
'ROUTE_SECRET_KEY_1': 'key_1',
'ROUTE_SECRET_KEY_2': '',
'CHECK_PROXY_HEADER': check_proxy_header,
}):
with notify_api.test_client() as client:
response = client.get(
path='/service',
headers=[
('X-Custom-Forwarder', header_value),
('Authorization', 'Bearer {}'.format(token))
]
)
assert response.status_code == expected_status
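Review bot: The parametrized cases in `test_proxy_key_on_admin_auth_endpoint` only send a present-but-wrong `X-Custom-Forwarder` value, so two inputs a header check most often gets wrong are left unpinned: a request with no header at all, and an empty header value while `ROUTE_SECRET_KEY_2` is configured as `''`. The check itself is not visible in this section, so whether an empty value could compare equal to the empty second key cannot be confirmed from here; adding `(True, '', 403),` to the list would pin that it fails closed. A header-absent case (building the `headers` list without the forwarder entry) belongs in both tests, expecting 403 on `/service` and 200 on the non-auth endpoint in the first hunk, since the healthcheck that motivates the change sends no header at all. Only the admin-authenticated `/service` route is exercised, so if service-token endpoints are also meant to enforce the header, a parallel test for one of them would catch a route that was missed in the move.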