Make ADMIN_CLIENT_SECRET a list of a single secret

And support this change across our code. Note, this is a halfway step where it is not a list rather than a string but still only supports a single secret, ie one item in the list.
2026-01-30 06:21:50 -05:00 · 2020-02-19 16:42:40 +00:00
parent f7f6be56c7
commit 52d3df49d4
4 changed files with 16 additions and 11 deletions
--- a/tests/init.py
+++ b/tests/init.py
@@ -28,7 +28,7 @@ def create_authorization_header(service_id=None, key_type=KEY_TYPE_NORMAL):

    else:
        client_id = current_app.config['ADMIN_CLIENT_USER_NAME']
-        secret = current_app.config['ADMIN_CLIENT_SECRET']
+        secret = current_app.config['ADMIN_CLIENT_SECRETS'][0]

    token = create_jwt_token(secret=secret, client_id=client_id)
    return 'Authorization', 'Bearer {}'.format(token)
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
@@ -188,7 +188,7 @@ def test_should_allow_valid_token_for_request_with_path_params_for_public_url(cl


 def test_should_allow_valid_token_for_request_with_path_params_for_admin_url(client):
-    token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRET'], current_app.config['ADMIN_CLIENT_USER_NAME'])
+    token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'])
    response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)})
    assert response.status_code == 200

@@ -264,13 +264,13 @@ def test_authentication_returns_token_expired_when_service_uses_expired_key_and_


 def test_authentication_returns_error_when_admin_client_has_no_secrets(client):
-    api_secret = current_app.config.get('ADMIN_CLIENT_SECRET')
+    api_secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0]
    api_service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')
    token = create_jwt_token(
        secret=api_secret,
        client_id=api_service_id
    )
-    with set_config(client.application, 'ADMIN_CLIENT_SECRET', ''):
+    with set_config(client.application, 'ADMIN_CLIENT_SECRETS', []):
        response = client.get(
            '/service',
            headers={'Authorization': 'Bearer {}'.format(token)})
@@ -280,19 +280,19 @@ def test_authentication_returns_error_when_admin_client_has_no_secrets(client):


 def test_authentication_returns_error_when_admin_client_secret_is_invalid(client):
-    api_secret = current_app.config.get('ADMIN_CLIENT_SECRET')
+    api_secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0]
    token = create_jwt_token(
        secret=api_secret,
        client_id=current_app.config.get('ADMIN_CLIENT_USER_NAME')
    )
-    current_app.config['ADMIN_CLIENT_SECRET'] = 'something-wrong'
+    current_app.config['ADMIN_CLIENT_SECRETS'][0] = 'something-wrong'
    response = client.get(
        '/service',
        headers={'Authorization': 'Bearer {}'.format(token)})
    assert response.status_code == 403
    error_message = json.loads(response.get_data())
    assert error_message['message'] == {"token": ["Invalid token: could not decode your API token"]}
-    current_app.config['ADMIN_CLIENT_SECRET'] = api_secret
+    current_app.config['ADMIN_CLIENT_SECRETS'][0] = api_secret


 def test_authentication_returns_error_when_service_doesnt_exit(
@@ -397,7 +397,7 @@ def test_proxy_key_non_auth_endpoint(notify_api, check_proxy_header, header_valu
    (False, 'wrong_key', 200),
 ])
 def test_proxy_key_on_admin_auth_endpoint(notify_api, check_proxy_header, header_value, expected_status):
-    token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRET'], current_app.config['ADMIN_CLIENT_USER_NAME'])
+    token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'])

    with set_config_values(notify_api, {
        'ROUTE_SECRET_KEY_1': 'key_1',