darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-22 08:21:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

make sure all non-uuid service ids 403 in api keys

Browse Source 
previously 'invalid-strings' would be handled, but integers would just
return 500.
This commit is contained in:
Leo Hemsted
2021-04-29 18:48:59 +01:00
committed by Rebecca Law
parent 3702d4eae8
commit c1b08e4cbc
2 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
app/authentication/auth.py
View File

@@ -1,3 +1,5 @@
import uuid
from flask import _request_ctx_stack, current_app, g, request from flask import _request_ctx_stack, current_app, g, request
from gds_metrics import Histogram from gds_metrics import Histogram
from notifications_python_client.authentication import ( from notifications_python_client.authentication import (
@@ -12,7 +14,6 @@ from notifications_python_client.errors import (
TokenIssuerError, TokenIssuerError,
) )
from notifications_utils import request_helper from notifications_utils import request_helper
from sqlalchemy.exc import DataError
from sqlalchemy.orm.exc import NoResultFound from sqlalchemy.orm.exc import NoResultFound
from app.serialised_models import SerialisedService from app.serialised_models import SerialisedService
@@ -99,10 +100,13 @@ def requires_auth():
issuer = __get_token_issuer(auth_token) # ie the `iss` claim which should be a service ID issuer = __get_token_issuer(auth_token) # ie the `iss` claim which should be a service ID
try: try:
with AUTH_DB_CONNECTION_DURATION_SECONDS.time(): service_id = uuid.UUID(issuer)
service = SerialisedService.from_id(issuer) except Exception:
except DataError:
raise AuthError("Invalid token: service id is not the right data type", 403) raise AuthError("Invalid token: service id is not the right data type", 403)
try:
with AUTH_DB_CONNECTION_DURATION_SECONDS.time():
service = SerialisedService.from_id(service_id)
except NoResultFound: except NoResultFound:
raise AuthError("Invalid token: service not found", 403) raise AuthError("Invalid token: service not found", 403)

7
tests/app/authentication/test_authentication.py
View File

@@ -204,9 +204,10 @@ def test_should_allow_valid_token(client, sample_api_key, scheme):
assert response.status_code == 200 assert response.status_code == 200
def test_should_not_allow_service_id_that_is_not_the_wrong_data_type(client, sample_api_key): @pytest.mark.parametrize('service_id', ['not-a-valid-id', 1234])
def test_should_not_allow_service_id_that_is_not_the_wrong_data_type(client, sample_api_key, service_id):
token = create_jwt_token(secret=get_unsigned_secrets(sample_api_key.service_id)[0], token = create_jwt_token(secret=get_unsigned_secrets(sample_api_key.service_id)[0],
client_id=str('not-a-valid-id')) client_id=service_id)
response = client.get( response = client.get(
'/notifications', '/notifications',
headers={'Authorization': "Bearer {}".format(token)} headers={'Authorization': "Bearer {}".format(token)}
@@ -491,5 +492,5 @@ def test_should_cache_service_and_api_key_lookups(mocker, client, sample_api_key
call(str(sample_api_key.service_id)) call(str(sample_api_key.service_id))
] ]
assert mock_get_service.call_args_list == [ assert mock_get_service.call_args_list == [
call(str(sample_api_key.service_id)) call(sample_api_key.service_id)
] ]