From 1db57dca8cd8c67b6c91347878ab75dd6bce7e5a Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Tue, 19 Jan 2016 18:25:21 +0000 Subject: [PATCH 1/2] Allow for multiple api keys for a service. --- app/authentication/auth.py | 49 +++++++++++-------- app/dao/api_key_dao.py | 14 ++++-- app/service/rest.py | 7 +-- tests/__init__.py | 4 +- .../app/authentication/test_authentication.py | 23 +++++++-- tests/app/conftest.py | 2 +- tests/app/dao/test_api_key_dao.py | 21 ++++++-- 7 files changed, 80 insertions(+), 40 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index d6c2399b3..64e1074b3 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -1,8 +1,7 @@ from flask import request, jsonify, _request_ctx_stack from client.authentication import decode_jwt_token, get_token_issuer from client.errors import TokenDecodeError, TokenRequestError, TokenExpiredError, TokenPayloadError - -from app.dao.api_key_dao import get_unsigned_secret +from app.dao.api_key_dao import get_unsigned_secrets def authentication_response(message, code): @@ -21,28 +20,36 @@ def requires_auth(): if auth_scheme != 'Bearer ': return authentication_response('Unauthorized, authentication bearer scheme must be used', 401) + auth_token = auth_header[7:] try: - auth_token = auth_header[7:] api_client = fetch_client(get_token_issuer(auth_token)) - if api_client is None: - authentication_response("Invalid credentials", 403) - - decode_jwt_token( - auth_token, - api_client['secret'], - request.method, - request.path, - request.data.decode() if request.data else None - ) - _request_ctx_stack.top.api_user = api_client - except TokenRequestError: - return authentication_response("Invalid token: request", 403) - except TokenExpiredError: - return authentication_response("Invalid token: expired", 403) - except TokenPayloadError: - return authentication_response("Invalid token: payload", 403) except TokenDecodeError: return authentication_response("Invalid token: signature", 403) + if api_client is None: + authentication_response("Invalid credentials", 403) + # If the api_client does not have any secrets return response saying that + errors_resp = authentication_response("Invalid token: api client has no secrets", 403) + for secret in api_client['secret']: + try: + decode_jwt_token( + auth_token, + secret, + request.method, + request.path, + request.data.decode() if request.data else None + ) + _request_ctx_stack.top.api_user = api_client + return + except TokenRequestError: + errors_resp = authentication_response("Invalid token: request", 403) + except TokenExpiredError: + errors_resp = authentication_response("Invalid token: expired", 403) + except TokenPayloadError: + errors_resp = authentication_response("Invalid token: payload", 403) + except TokenDecodeError: + errors_resp = authentication_response("Invalid token: signature", 403) + + return errors_resp def fetch_client(client): @@ -55,5 +62,5 @@ def fetch_client(client): else: return { "client": client, - "secret": get_unsigned_secret(client) + "secret": get_unsigned_secrets(client) } diff --git a/app/dao/api_key_dao.py b/app/dao/api_key_dao.py index 3a1912a70..b53abb08e 100644 --- a/app/dao/api_key_dao.py +++ b/app/dao/api_key_dao.py @@ -30,12 +30,20 @@ def get_model_api_keys(service_id=None, raise_=True): return ApiKey.query.filter_by().all() -def get_unsigned_secret(service_id): +def get_unsigned_secrets(service_id): """ - There should only be one valid api_keys for each service. This method can only be exposed to the Authentication of the api calls. """ - api_key = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).one() + api_keys = ApiKey.query.filter_by(service_id=service_id, expiry_date=None).all() + keys = [_get_secret(x.secret) for x in api_keys] + return keys + + +def get_unsigned_secret(key_id): + """ + This method can only be exposed to the Authentication of the api calls. + """ + api_key = ApiKey.query.filter_by(id=key_id, expiry_date=None).one() return _get_secret(api_key.secret) diff --git a/app/service/rest.py b/app/service/rest.py index aa722a83c..cb0a6f7a9 100644 --- a/app/service/rest.py +++ b/app/service/rest.py @@ -75,7 +75,7 @@ def get_service(service_id=None): return jsonify(data=data) -@service.route('//api-key/renew', methods=['POST']) +@service.route('//api-key', methods=['POST']) def renew_api_key(service_id=None): try: service = get_model_services(service_id=service_id) @@ -92,10 +92,11 @@ def renew_api_key(service_id=None): # create a new one # TODO: what validation should be done here? secret_name = request.get_json()['name'] - save_model_api_key(ApiKey(service=service, name=secret_name)) + key = ApiKey(service=service, name=secret_name) + save_model_api_key(key) except DAOException as e: return jsonify(result='error', message=str(e)), 400 - unsigned_api_key = get_unsigned_secret(service_id) + unsigned_api_key = get_unsigned_secret(key.id) return jsonify(data=unsigned_api_key), 201 diff --git a/tests/__init__.py b/tests/__init__.py index b35e397d3..2fdb13ad3 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -1,13 +1,13 @@ from flask import current_app from client.authentication import create_jwt_token -from app.dao.api_key_dao import get_unsigned_secret +from app.dao.api_key_dao import get_unsigned_secrets def create_authorization_header(path, method, request_body=None, service_id=None): if service_id: client_id = service_id - secret = get_unsigned_secret(service_id) + secret = get_unsigned_secrets(service_id)[0] else: client_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') secret = current_app.config.get('ADMIN_CLIENT_SECRET') diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index c88c87163..f98e8cb5a 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -1,7 +1,8 @@ from client.authentication import create_jwt_token from flask import json, url_for -from app.dao.api_key_dao import get_unsigned_secret +from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key +from app.models import ApiKey def test_should_not_allow_request_with_no_token(notify_api): @@ -23,7 +24,7 @@ def test_should_not_allow_request_with_incorrect_header(notify_api): assert data['error'] == 'Unauthorized, authentication bearer scheme must be used' -def test_should_not_allow_request_with_incorrect_token(notify_api): +def test_should_not_allow_request_with_incorrect_token(notify_api, notify_db, notify_db_session, sample_api_key): with notify_api.test_request_context(): with notify_api.test_client() as client: response = client.get(url_for('service.get_service'), @@ -38,7 +39,7 @@ def test_should_not_allow_incorrect_path(notify_api, notify_db, notify_db_sessio with notify_api.test_client() as client: token = create_jwt_token(request_method="GET", request_path="/bad", - secret=get_unsigned_secret(sample_api_key.service_id), + secret=get_unsigned_secrets(sample_api_key.service_id)[0], client_id=sample_api_key.service_id) response = client.get(url_for('service.get_service'), headers={'Authorization': "Bearer {}".format(token)}) @@ -79,6 +80,18 @@ def test_should_allow_valid_token(notify_api, notify_db, notify_db_session, samp assert response.status_code == 200 +def test_should_allow_valid_token_when_service_has_multiple_keys(notify_api, notify_db, notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + data = {'service_id': sample_api_key.service_id, 'name': 'some key name'} + api_key = ApiKey(**data) + save_model_api_key(api_key) + token = __create_get_token(sample_api_key.service_id) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + JSON_BODY = json.dumps({ 'name': 'new name' }) @@ -118,7 +131,7 @@ def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_ def __create_get_token(service_id): return create_jwt_token(request_method="GET", request_path=url_for('service.get_service'), - secret=get_unsigned_secret(service_id), + secret=get_unsigned_secrets(service_id)[0], client_id=service_id) @@ -126,7 +139,7 @@ def __create_post_token(service_id, request_body): return create_jwt_token( request_method="POST", request_path=url_for('service.create_service'), - secret=get_unsigned_secret(service_id), + secret=get_unsigned_secrets(service_id)[0], client_id=service_id, request_body=request_body ) diff --git a/tests/app/conftest.py b/tests/app/conftest.py index ced56de67..a45f8c994 100644 --- a/tests/app/conftest.py +++ b/tests/app/conftest.py @@ -69,7 +69,7 @@ def sample_api_key(notify_db, service=None): if service is None: service = sample_service(notify_db, notify_db_session) - data = {'service_id': service.id, 'name': service.name} + data = {'service_id': service.id, 'name': uuid.uuid4()} api_key = ApiKey(**data) save_model_api_key(api_key) return api_key diff --git a/tests/app/dao/test_api_key_dao.py b/tests/app/dao/test_api_key_dao.py index 0f4e374a5..4af1bd5e0 100644 --- a/tests/app/dao/test_api_key_dao.py +++ b/tests/app/dao/test_api_key_dao.py @@ -5,6 +5,7 @@ from sqlalchemy.orm.exc import NoResultFound from app.dao.api_key_dao import (save_model_api_key, get_model_api_keys, + get_unsigned_secrets, get_unsigned_secret, _generate_secret, _get_secret) @@ -60,10 +61,20 @@ def test_should_return_api_key_for_service(notify_api, notify_db, notify_db_sess assert api_key == sample_api_key -def test_should_return_unsigned_api_key_for_service_id(notify_api, - notify_db, - notify_db_session, - sample_api_key): - unsigned_api_key = get_unsigned_secret(sample_api_key.service_id) +def test_should_return_unsigned_api_keys_for_service_id(notify_api, + notify_db, + notify_db_session, + sample_api_key): + unsigned_api_key = get_unsigned_secrets(sample_api_key.service_id) + assert len(unsigned_api_key) == 1 + assert sample_api_key.secret != unsigned_api_key[0] + assert unsigned_api_key[0] == _get_secret(sample_api_key.secret) + + +def test_get_unsigned_secret_returns_key(notify_api, + notify_db, + notify_db_session, + sample_api_key): + unsigned_api_key = get_unsigned_secret(sample_api_key.id) assert sample_api_key.secret != unsigned_api_key assert unsigned_api_key == _get_secret(sample_api_key.secret) From 27a381c3e9e02f2765108436bb8d6889041e2d35 Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Wed, 20 Jan 2016 10:57:46 +0000 Subject: [PATCH 2/2] Allow services to have multiple api keys. /service//api-key/renew has been renamed to /service//api-key /service//api-key now creates a token and no longer expires the existing api key. Moved test for this endpoint to it's own file. --- app/authentication/auth.py | 2 +- app/service/rest.py | 4 - .../app/authentication/test_authentication.py | 120 ++++++++++++++---- tests/app/service/test_api_key_endpoints.py | 81 ++++++++++++ tests/app/service/test_rest.py | 76 ----------- 5 files changed, 180 insertions(+), 103 deletions(-) create mode 100644 tests/app/service/test_api_key_endpoints.py diff --git a/app/authentication/auth.py b/app/authentication/auth.py index 64e1074b3..0f4100e6d 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -57,7 +57,7 @@ def fetch_client(client): if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'): return { "client": client, - "secret": current_app.config.get('ADMIN_CLIENT_SECRET') + "secret": [current_app.config.get('ADMIN_CLIENT_SECRET')] } else: return { diff --git a/app/service/rest.py b/app/service/rest.py index cb0a6f7a9..2d7fe2626 100644 --- a/app/service/rest.py +++ b/app/service/rest.py @@ -85,10 +85,6 @@ def renew_api_key(service_id=None): return jsonify(result="error", message="Service not found"), 404 try: - service_api_key = get_model_api_keys(service_id=service_id, raise_=False) - if service_api_key: - # expire existing api_key - save_model_api_key(service_api_key, update_dict={'id': service_api_key.id, 'expiry_date': datetime.now()}) # create a new one # TODO: what validation should be done here? secret_name = request.get_json()['name'] diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index f98e8cb5a..578dfc169 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -1,8 +1,9 @@ -from client.authentication import create_jwt_token -from flask import json, url_for +from datetime import datetime, timedelta -from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key -from app.models import ApiKey +from client.authentication import create_jwt_token +from flask import json, url_for, current_app +from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key, get_unsigned_secret +from app.models import ApiKey, Service def test_should_not_allow_request_with_no_token(notify_api): @@ -92,28 +93,37 @@ def test_should_allow_valid_token_when_service_has_multiple_keys(notify_api, not headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 200 + JSON_BODY = json.dumps({ - 'name': 'new name' + "key1": "value1", + "key2": "value2", + "key3": "value3" }) -# def test_should_allow_valid_token_with_post_body( -# notify_api, notify_db, notify_db_session, sample_api_key): -# with notify_api.test_request_context(): -# with notify_api.test_client() as client: -# token = create_jwt_token( -# request_method="PUT", -# request_path=url_for('service.update_service', service_id=sample_api_key.service_id), -# secret=get_unsigned_secret(sample_api_key.service_id), -# client_id=sample_api_key.service_id, -# request_body=JSON_BODY -# ) -# response = client.put( -# url_for('service.update_service', service_id=sample_api_key.service_id), -# data=JSON_BODY, -# headers=[('Content-type', 'application-json'), ('Authorization', 'Bearer {}'.format(token))] -# ) -# assert response.status_code == 200 +def test_should_allow_valid_token_with_post_body(notify_api, notify_db, notify_db_session, sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + service = Service.query.get(sample_api_key.service_id) + data = {'name': 'new name', + 'users': [service.users[0].id], + 'limit': 1000, + 'restricted': False, + 'active': False} + + token = create_jwt_token( + request_method="PUT", + request_path=url_for('service.update_service', service_id=sample_api_key.service_id), + secret=get_unsigned_secret(sample_api_key.id), + client_id=sample_api_key.service_id, + request_body=json.dumps(data) + ) + headers = [('Content-Type', 'application/json'), ('Authorization', 'Bearer {}'.format(token))] + response = client.put( + url_for('service.update_service', service_id=service.id), + data=json.dumps(data), + headers=headers) + assert response.status_code == 200 def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_db, notify_db_session, sample_api_key): @@ -128,6 +138,72 @@ def test_should_not_allow_valid_token_with_invalid_post_body(notify_api, notify_ assert data['error'] == 'Invalid token: payload' +def test_authentication_passes_admin_client_token(notify_api, + notify_db, + notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + token = create_jwt_token(request_method="GET", + request_path=url_for('service.get_service'), + secret=current_app.config.get('ADMIN_CLIENT_SECRET'), + client_id=current_app.config.get('ADMIN_CLIENT_USER_NAME')) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + + +def test_authentication_passes_when_service_has_multiple_keys_some_expired(notify_api, + notify_db, + notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + exprired_key = {'service_id': sample_api_key.service_id, 'name': 'expired_key', + 'expiry_date': datetime.now()} + expired_api_key = ApiKey(**exprired_key) + save_model_api_key(expired_api_key) + another_key = {'service_id': sample_api_key.service_id, 'name': 'another_key'} + api_key = ApiKey(**another_key) + save_model_api_key(api_key) + token = create_jwt_token(request_method="GET", + request_path=url_for('service.get_service'), + secret=get_unsigned_secret(api_key.id), + client_id=sample_api_key.service_id) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + + +def test_authentication_returns_token_expired_when_service_uses_expired_key_and_has_multiple_keys(notify_api, + notify_db, + notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + expired_key = {'service_id': sample_api_key.service_id, 'name': 'expired_key'} + expired_api_key = ApiKey(**expired_key) + save_model_api_key(expired_api_key) + another_key = {'service_id': sample_api_key.service_id, 'name': 'another_key'} + api_key = ApiKey(**another_key) + save_model_api_key(api_key) + token = create_jwt_token(request_method="GET", + request_path=url_for('service.get_service'), + secret=get_unsigned_secret(expired_api_key.id), + client_id=sample_api_key.service_id) + # expire the key + expire_the_key = {'id': expired_api_key.id, + 'service_id': sample_api_key.service_id, + 'name': 'expired_key', + 'expiry_date': datetime.now() + timedelta(hours=-2)} + save_model_api_key(expired_api_key, expire_the_key) + response = client.get(url_for('service.get_service'), + headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 403 + data = json.loads(response.get_data()) + assert data['error'] == 'Invalid token: signature' + + def __create_get_token(service_id): return create_jwt_token(request_method="GET", request_path=url_for('service.get_service'), diff --git a/tests/app/service/test_api_key_endpoints.py b/tests/app/service/test_api_key_endpoints.py new file mode 100644 index 000000000..dd01052a8 --- /dev/null +++ b/tests/app/service/test_api_key_endpoints.py @@ -0,0 +1,81 @@ +import json + +from flask import url_for + +from app.models import ApiKey +from tests import create_authorization_header + + +def test_api_key_should_create_new_api_key_for_service(notify_api, notify_db, + notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + data = {'name': 'some secret name'} + auth_header = create_authorization_header(path=url_for('service.renew_api_key', + service_id=sample_service.id), + method='POST', + request_body=json.dumps(data)) + response = client.post(url_for('service.renew_api_key', service_id=sample_service.id), + data=json.dumps(data), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response.status_code == 201 + assert response.get_data is not None + saved_api_key = ApiKey.query.filter_by(service_id=sample_service.id).first() + assert saved_api_key.service_id == sample_service.id + assert saved_api_key.name == 'some secret name' + + +def test_api_key_should_return_error_when_service_does_not_exist(notify_api, notify_db, notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + auth_header = create_authorization_header(path=url_for('service.renew_api_key', service_id="123"), + method='POST') + response = client.post(url_for('service.renew_api_key', service_id=123), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response.status_code == 404 + + +def test_revoke_should_expire_api_key_for_service(notify_api, notify_db, notify_db_session, + sample_api_key): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + assert ApiKey.query.count() == 1 + auth_header = create_authorization_header(path=url_for('service.revoke_api_key', + service_id=sample_api_key.service_id), + method='POST') + response = client.post(url_for('service.revoke_api_key', service_id=sample_api_key.service_id), + headers=[auth_header]) + assert response.status_code == 202 + api_keys_for_service = ApiKey.query.filter_by(service_id=sample_api_key.service_id).first() + assert api_keys_for_service.expiry_date is not None + + +def test_api_key_should_create_multiple_new_api_key_for_service(notify_api, notify_db, + notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + assert ApiKey.query.count() == 0 + data = {'name': 'some secret name'} + auth_header = create_authorization_header(path=url_for('service.renew_api_key', + service_id=sample_service.id), + method='POST', + request_body=json.dumps(data)) + response = client.post(url_for('service.renew_api_key', service_id=sample_service.id), + data=json.dumps(data), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response.status_code == 201 + assert ApiKey.query.count() == 1 + data = {'name': 'another secret name'} + auth_header = create_authorization_header(path=url_for('service.renew_api_key', + service_id=sample_service.id), + method='POST', + request_body=json.dumps(data)) + response2 = client.post(url_for('service.renew_api_key', service_id=sample_service.id), + data=json.dumps(data), + headers=[('Content-Type', 'application/json'), auth_header]) + assert response2.status_code == 201 + assert response2.get_data != response.get_data + assert ApiKey.query.count() == 2 diff --git a/tests/app/service/test_rest.py b/tests/app/service/test_rest.py index 350e03283..491366f93 100644 --- a/tests/app/service/test_rest.py +++ b/tests/app/service/test_rest.py @@ -310,82 +310,6 @@ def test_delete_service_not_exists(notify_api, notify_db, notify_db_session, sam assert Service.query.count() == 2 -def test_renew_api_key_should_create_new_api_key_for_service(notify_api, notify_db, - notify_db_session, - sample_service, - sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - data = {'name': 'some secret name'} - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.renew_api_key', - service_id=sample_service.id), - method='POST', - request_body=json.dumps(data)) - response = client.post(url_for('service.renew_api_key', service_id=sample_service.id), - data=json.dumps(data), - headers=[('Content-Type', 'application/json'), auth_header]) - assert response.status_code == 201 - assert response.get_data is not None - saved_api_key = ApiKey.query.filter_by(service_id=sample_service.id).first() - assert saved_api_key.service_id == sample_service.id - assert saved_api_key.name == 'some secret name' - - -def test_renew_api_key_should_expire_the_old_api_key_and_create_a_new_api_key(notify_api, notify_db, notify_db_session, - sample_api_key, sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - assert ApiKey.query.count() == 2 - data = {'name': 'some secret name'} - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.renew_api_key', - service_id=sample_api_key.service_id), - method='POST', - request_body=json.dumps(data)) - - response = client.post(url_for('service.renew_api_key', service_id=sample_api_key.service_id), - data=json.dumps(data), - headers=[('Content-Type', 'application/json'), auth_header]) - assert response.status_code == 201 - assert ApiKey.query.count() == 3 - all_api_keys = ApiKey.query.filter_by(service_id=sample_api_key.service_id).all() - for x in all_api_keys: - if x.id == sample_api_key.id: - assert x.expiry_date is not None - else: - assert x.expiry_date is None - assert x.secret is not sample_api_key.secret - - -def test_renew_api_key_should_return_error_when_service_does_not_exist(notify_api, notify_db, notify_db_session, - sample_service, sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.renew_api_key', service_id="123"), - method='POST') - response = client.post(url_for('service.renew_api_key', service_id=123), - headers=[('Content-Type', 'application/json'), auth_header]) - assert response.status_code == 404 - - -def test_revoke_api_key_should_expire_api_key_for_service(notify_api, notify_db, notify_db_session, - sample_api_key, sample_admin_service_id): - with notify_api.test_request_context(): - with notify_api.test_client() as client: - assert ApiKey.query.count() == 2 - auth_header = create_authorization_header(service_id=sample_admin_service_id, - path=url_for('service.revoke_api_key', - service_id=sample_api_key.service_id), - method='POST') - response = client.post(url_for('service.revoke_api_key', service_id=sample_api_key.service_id), - headers=[auth_header]) - assert response.status_code == 202 - api_keys_for_service = ApiKey.query.filter_by(service_id=sample_api_key.service_id).first() - assert api_keys_for_service.expiry_date is not None - - def test_create_service_should_create_new_service_for_user(notify_api, notify_db, notify_db_session, sample_user, sample_admin_service_id): with notify_api.test_request_context():