diff --git a/app/dao/tokens_dao.py b/app/dao/tokens_dao.py new file mode 100644 index 000000000..54a5248d9 --- /dev/null +++ b/app/dao/tokens_dao.py @@ -0,0 +1,51 @@ +from flask import current_app +from itsdangerous import URLSafeSerializer + +from app import db +from app.models import Token + + +def save_model_token(token, update_dict={}): + if update_dict: + del update_dict['id'] + db.session.query(Token).filter_by(id=token.id).update(update_dict) + else: + token.token = _generate_token() + db.session.add(token) + db.session.commit() + + +def get_model_tokens(service_id=None, raise_=True): + """ + :param raise_: when True query tokens using one() which will raise NoResultFound exception + when False query tokens usong first() which will return None and not raise an exception. + """ + if service_id: + # If expiry date is None the token is active + if raise_: + return Token.query.filter_by(service_id=service_id, expiry_date=None).one() + else: + return Token.query.filter_by(service_id=service_id, expiry_date=None).first() + return Token.query.filter_by().all() + + +def get_unsigned_token(service_id): + """ + There should only be one valid token for each service. + This method can only be exposed to the Authentication of the api calls. + """ + token = Token.query.filter_by(service_id=service_id, expiry_date=None).one() + return _get_token(token.token) + + +def _generate_token(token=None): + import uuid + if not token: + token = uuid.uuid4() + serializer = URLSafeSerializer(current_app.config.get('SECRET_KEY')) + return serializer.dumps(str(token), current_app.config.get('DANGEROUS_SALT')) + + +def _get_token(token): + serializer = URLSafeSerializer(current_app.config.get('SECRET_KEY')) + return serializer.loads(token, salt=current_app.config.get('DANGEROUS_SALT')) diff --git a/app/models.py b/app/models.py index fd11d36d6..0e4b13609 100644 --- a/app/models.py +++ b/app/models.py @@ -61,6 +61,16 @@ class Service(db.Model): restricted = db.Column(db.Boolean, index=False, unique=False, nullable=False) +class Token(db.Model): + __tablename__ = 'tokens' + + id = db.Column(db.Integer, primary_key=True) + token = db.Column(db.String(255), unique=True, nullable=False) + service_id = db.Column(db.Integer, db.ForeignKey('services.id'), index=True, nullable=False) + service = db.relationship('Service', backref=db.backref('tokens', lazy='dynamic')) + expiry_date = db.Column(db.DateTime) + + TEMPLATE_TYPES = ['sms', 'email', 'letter'] diff --git a/app/schemas.py b/app/schemas.py index a06fff497..71bc14377 100644 --- a/app/schemas.py +++ b/app/schemas.py @@ -19,7 +19,7 @@ class UserSchema(ma.ModelSchema): class ServiceSchema(ma.ModelSchema): class Meta: model = models.Service - exclude = ("updated_at", "created_at", "templates") + exclude = ("updated_at", "created_at", "tokens", "templates") class TemplateSchema(ma.ModelSchema): @@ -28,9 +28,17 @@ class TemplateSchema(ma.ModelSchema): exclude = ("updated_at", "created_at", "service_id") +class TokenSchema(ma.ModelSchema): + class Meta: + model = models.Token + exclude = ["service"] + + user_schema = UserSchema() users_schema = UserSchema(many=True) service_schema = ServiceSchema() services_schema = ServiceSchema(many=True) template_schema = TemplateSchema() templates_schema = TemplateSchema(many=True) +token_schema = TokenSchema() +tokens_schema = TokenSchema(many=True) diff --git a/app/service/views/rest.py b/app/service/views/rest.py index 1df38bd15..ffd570d7e 100644 --- a/app/service/views/rest.py +++ b/app/service/views/rest.py @@ -1,16 +1,20 @@ +from datetime import datetime + from flask import (jsonify, request) from sqlalchemy.exc import DataError from sqlalchemy.orm.exc import NoResultFound + +from app import db +from app.dao import DAOException from app.dao.services_dao import ( save_model_service, get_model_services, delete_model_service) from app.dao.templates_dao import ( - save_model_template, get_model_templates) -from app.dao.users_dao import get_model_users -from app.dao import DAOException -from .. import service -from app import db + save_model_template, get_model_templates, delete_model_template) +from app.dao.tokens_dao import (save_model_token, get_model_tokens, get_unsigned_token) +from app.models import Token from app.schemas import ( - services_schema, service_schema, template_schema, templates_schema) + services_schema, service_schema, template_schema) +from .. import service # TODO auth to be added. @@ -24,9 +28,10 @@ def create_service(): # db.session.commit try: save_model_service(service) + save_model_token(Token(service_id=service.id)) except DAOException as e: return jsonify(result="error", message=str(e)), 400 - return jsonify(data=service_schema.dump(service).data), 201 + return jsonify(data=service_schema.dump(service).data, token=get_unsigned_token(service.id)), 201 # TODO auth to be added @@ -72,6 +77,44 @@ def get_service(service_id=None): return jsonify(data=data) +# TODO auth to be added +@service.route('//token/renew', methods=['POST']) +def renew_token(service_id=None): + try: + get_model_services(service_id=service_id) + except DataError: + return jsonify(result="error", message="Invalid service id"), 400 + except NoResultFound: + return jsonify(result="error", message="Service not found"), 404 + + try: + service_token = get_model_tokens(service_id=service_id, raise_=False) + if service_token: + # expire existing token + save_model_token(service_token, update_dict={'id': service_token.id, 'expiry_date': datetime.now()}) + # create a new one + save_model_token(Token(service_id=service_id)) + except DAOException as e: + return jsonify(result='error', message=str(e)), 400 + unsigned_token = get_unsigned_token(service_id) + return jsonify(data=unsigned_token), 201 + + +@service.route('//token/revoke', methods=['POST']) +def revoke_token(service_id): + try: + get_model_services(service_id=service_id) + except DataError: + return jsonify(result="error", message="Invalid service id"), 400 + except NoResultFound: + return jsonify(result="error", message="Service not found"), 404 + + service_token = get_model_tokens(service_id=service_id, raise_=False) + if service_token: + save_model_token(service_token, update_dict={'id': service_token.id, 'expiry_date': datetime.now()}) + return jsonify(), 202 + + # TODO auth to be added. @service.route('//template/', methods=['POST']) def create_template(service_id): diff --git a/config.py b/config.py index 23cb9ad05..0efe7286c 100644 --- a/config.py +++ b/config.py @@ -1,4 +1,3 @@ - class Config(object): DEBUG = False NOTIFY_LOG_LEVEL = 'DEBUG' @@ -11,11 +10,15 @@ class Config(object): class Development(Config): DEBUG = True + SECRET_KEY = 'secret-key' + DANGEROUS_SALT = 'dangerous-salt' class Test(Config): DEBUG = True SQLALCHEMY_DATABASE_URI = 'postgresql://localhost/test_notification_api' + SECRET_KEY = 'secret-key' + DANGEROUS_SALT = 'dangerous-salt' class Live(Config): diff --git a/migrations/versions/0003_create_tokens.py b/migrations/versions/0003_create_tokens.py new file mode 100644 index 000000000..b850980e3 --- /dev/null +++ b/migrations/versions/0003_create_tokens.py @@ -0,0 +1,36 @@ +"""empty message + +Revision ID: 0003_create_tokens +Revises: 0001_initialise_data +Create Date: 2016-01-13 17:07:49.061776 + +""" + +# revision identifiers, used by Alembic. +revision = '0003_create_tokens' +down_revision = '0002_add_templates' + +from alembic import op +import sqlalchemy as sa + + +def upgrade(): + ### commands auto generated by Alembic - please adjust! ### + op.create_table('tokens', + sa.Column('id', sa.Integer(), nullable=False), + sa.Column('token', sa.String(length=255), nullable=False), + sa.Column('service_id', sa.Integer(), nullable=False), + sa.Column('expiry_date', sa.DateTime(), nullable=True), + sa.ForeignKeyConstraint(['service_id'], ['services.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('token') + ) + op.create_index(op.f('ix_tokens_service_id'), 'tokens', ['service_id'], unique=False) + ### end Alembic commands ### + + +def downgrade(): + ### commands auto generated by Alembic - please adjust! ### + op.drop_index(op.f('ix_tokens_service_id'), table_name='tokens') + op.drop_table('tokens') + ### end Alembic commands ### diff --git a/requirements.txt b/requirements.txt index c66faae28..5112e5b2f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,6 +9,7 @@ PyJWT==1.4.0 marshmallow==2.4.2 marshmallow-sqlalchemy==0.8.0 flask-marshmallow==0.6.2 +itsdangerous==0.24 git+https://github.com/alphagov/notifications-python-client.git@0.1.5#egg=notifications-python-client==0.1.5 diff --git a/tests/app/conftest.py b/tests/app/conftest.py index b2d8b92e0..560e3bf38 100644 --- a/tests/app/conftest.py +++ b/tests/app/conftest.py @@ -1,8 +1,9 @@ import pytest -from app.models import (User, Service, Template) -from app.dao.users_dao import (save_model_user, get_model_users) +from app.models import (User, Service, Template, Token) +from app.dao.users_dao import (save_model_user) from app.dao.services_dao import save_model_service from app.dao.templates_dao import save_model_template +from app.dao.tokens_dao import save_model_token @pytest.fixture(scope='function') @@ -50,3 +51,16 @@ def sample_template(notify_db, template = Template(**data) save_model_template(template) return template + + +@pytest.fixture(scope='function') +def sample_token(notify_db, + notify_db_session, + service=None): + import uuid + if service is None: + service = sample_service(notify_db, notify_db_session) + data = {'service_id': service.id} + token = Token(**data) + save_model_token(token) + return token diff --git a/tests/app/dao/test_tokens_dao.py b/tests/app/dao/test_tokens_dao.py new file mode 100644 index 000000000..f7747367e --- /dev/null +++ b/tests/app/dao/test_tokens_dao.py @@ -0,0 +1,62 @@ +import uuid +from app.dao.tokens_dao import (save_model_token, get_model_tokens, get_unsigned_token, _generate_token, _get_token) +from datetime import datetime +from app.models import Token +from pytest import fail +from sqlalchemy.orm.exc import NoResultFound + + +def test_token_is_signed_and_can_be_read_again(notify_api): + import uuid + with notify_api.test_request_context(): + token = str(uuid.uuid4()) + signed_token = _generate_token(token=token) + assert token == _get_token(signed_token) + assert signed_token != token + + +def test_save_token_should_create_new_token(notify_api, notify_db, notify_db_session, sample_service): + api_token = Token(**{'service_id': sample_service.id}) + save_model_token(api_token) + + all_tokens = get_model_tokens() + assert len(all_tokens) == 1 + assert all_tokens[0] == api_token + + +def test_save_token_should_update_the_token(notify_api, notify_db, notify_db_session, sample_token): + now = datetime.utcnow() + saved_token = get_model_tokens(sample_token.service_id) + save_model_token(saved_token, update_dict={'id': saved_token.id, 'expiry_date': now}) + all_tokens = get_model_tokens() + assert len(all_tokens) == 1 + assert all_tokens[0].expiry_date == now + assert all_tokens[0].token == saved_token.token + assert all_tokens[0].id == saved_token.id + assert all_tokens[0].service_id == saved_token.service_id + + +def test_get_token_should_raise_exception_when_service_does_not_exist(notify_api, notify_db, notify_db_session, + sample_service): + try: + get_model_tokens(sample_service.id) + fail("Should have thrown a NoResultFound exception") + except NoResultFound: + pass + + +def test_get_token_should_return_none_when_service_does_not_exist(notify_api, notify_db, notify_db_session, + sample_service): + assert get_model_tokens(service_id=sample_service.id, raise_=False) is None + + +def test_should_return_token_for_service(notify_api, notify_db, notify_db_session, sample_token): + token = get_model_tokens(sample_token.service_id) + assert token == sample_token + + +def test_should_return_unsigned_token_for_service_id(notify_api, notify_db, notify_db_session, + sample_token): + unsigned_token = get_unsigned_token(sample_token.service_id) + assert sample_token.token != unsigned_token + assert unsigned_token == _get_token(sample_token.token) diff --git a/tests/app/service/views/test_rest.py b/tests/app/service/views/test_rest.py index 6b971127a..3b4f4f018 100644 --- a/tests/app/service/views/test_rest.py +++ b/tests/app/service/views/test_rest.py @@ -1,9 +1,11 @@ import json -from app.models import (Service, User, Template) -from app.dao.services_dao import save_model_service -from tests.app.conftest import sample_user as create_sample_user + from flask import url_for +from app.dao.services_dao import save_model_service +from app.models import (Service, User, Token, Template) +from tests.app.conftest import sample_user as create_sample_user + def test_get_service_list(notify_api, notify_db, notify_db_session, sample_service): """ @@ -57,6 +59,7 @@ def test_post_service(notify_api, notify_db, notify_db_session, sample_user): json_resp = json.loads(resp.get_data(as_text=True)) assert json_resp['data']['name'] == service.name assert json_resp['data']['limit'] == service.limit + assert json_resp['token'] is not None def test_post_service_multiple_users(notify_api, notify_db, notify_db_session, sample_user): @@ -263,6 +266,79 @@ def test_delete_service_not_exists(notify_api, notify_db, notify_db_session, sam assert Service.query.count() == 1 +def test_renew_token_should_return_token_when_service_does_not_have_a_valid_token(notify_api, notify_db, + notify_db_session, sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + response = client.post(url_for('service.renew_token', service_id=sample_service.id), + headers=[('Content-Type', 'application/json')]) + assert response.status_code == 201 + assert response.get_data is not None + saved_token = Token.query.first() + assert saved_token.service_id == sample_service.id + + +def test_renew_token_should_expire_the_old_token_and_create_a_new_token(notify_api, notify_db, notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + response = client.post(url_for('service.renew_token', service_id=sample_service.id), + headers=[('Content-Type', 'application/json')]) + assert response.status_code == 201 + assert len(Token.query.all()) == 1 + saved_token = Token.query.first() + + response = client.post(url_for('service.renew_token', service_id=sample_service.id), + headers=[('Content-Type', 'application/json')]) + assert response.status_code == 201 + all_tokens = Token.query.all() + assert len(all_tokens) == 2 + for x in all_tokens: + if x.id == saved_token.id: + assert x.expiry_date is not None + else: + assert x.expiry_date is None + assert x.token is not saved_token.token + + +def test_create_token_should_return_error_when_service_does_not_exist(notify_api, notify_db, notify_db_session, + sample_service): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + response = client.post(url_for('service.renew_token', service_id=123), + headers=[('Content-Type', 'application/json')]) + assert response.status_code == 404 + + +def test_revoke_token_should_expire_token_for_service(notify_api, notify_db, notify_db_session, sample_token): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + assert len(Token.query.all()) == 1 + response = client.post(url_for('service.revoke_token', service_id=sample_token.service_id)) + assert response.status_code == 202 + all_tokens = Token.query.all() + assert len(all_tokens) == 1 + assert all_tokens[0].expiry_date is not None + + +def test_create_service_should_create_new_token_for_service(notify_api, notify_db, notify_db_session, sample_user): + with notify_api.test_request_context(): + with notify_api.test_client() as client: + data = { + 'name': 'created service', + 'users': [sample_user.id], + 'limit': 1000, + 'restricted': False, + 'active': False} + headers = [('Content-Type', 'application/json')] + assert len(Token.query.all()) == 0 + resp = client.post(url_for('service.create_service'), + data=json.dumps(data), + headers=headers) + assert resp.status_code == 201 + assert len(Token.query.all()) == 1 + + def test_create_template(notify_api, notify_db, notify_db_session, sample_service): """ Tests POST endpoint '//template' a template can be created