From 52d3df49d4190ba8acad4006b81ccd5dc612b4e3 Mon Sep 17 00:00:00 2001 From: David McDonald Date: Wed, 19 Feb 2020 16:42:40 +0000 Subject: [PATCH 1/4] Make `ADMIN_CLIENT_SECRET` a list of a single secret And support this change across our code. Note, this is a halfway step where it is not a list rather than a string but still only supports a single secret, ie one item in the list. --- app/authentication/auth.py | 7 ++++++- app/config.py | 4 ++-- tests/__init__.py | 2 +- tests/app/authentication/test_authentication.py | 14 +++++++------- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index 9f9df9436..c1b262b1c 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -61,7 +61,12 @@ def requires_admin_auth(): if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'): g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') - return handle_admin_key(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET')) + + secret = "" + if len(current_app.config.get('ADMIN_CLIENT_SECRETS')): + secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0] + + return handle_admin_key(auth_token, secret) else: raise AuthError('Unauthorized: admin authentication token required', 401) diff --git a/app/config.py b/app/config.py index c53ef01e7..4a716d037 100644 --- a/app/config.py +++ b/app/config.py @@ -65,7 +65,7 @@ class Config(object): API_HOST_NAME = os.getenv('API_HOST_NAME') # admin app api key - ADMIN_CLIENT_SECRET = os.getenv('ADMIN_CLIENT_SECRET') + ADMIN_CLIENT_SECRETS = [os.getenv('ADMIN_CLIENT_SECRET')] if os.getenv('ADMIN_CLIENT_SECRET') else [] # encyption secret/salt SECRET_KEY = os.getenv('SECRET_KEY') 
@@ -369,7 +369,7 @@ class Development(Config): TRANSIENT_UPLOADED_LETTERS = 'development-transient-uploaded-letters' LETTER_SANITISE_BUCKET_NAME = 'development-letters-sanitise' - ADMIN_CLIENT_SECRET = 'dev-notify-secret-key' + ADMIN_CLIENT_SECRETS = ['dev-notify-secret-key'] SECRET_KEY = 'dev-notify-secret-key' DANGEROUS_SALT = 'dev-notify-salt' diff --git a/tests/__init__.py b/tests/__init__.py index 5077dbecf..0d5b4548c 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -28,7 +28,7 @@ def create_authorization_header(service_id=None, key_type=KEY_TYPE_NORMAL): else: client_id = current_app.config['ADMIN_CLIENT_USER_NAME'] - secret = current_app.config['ADMIN_CLIENT_SECRET'] + secret = current_app.config['ADMIN_CLIENT_SECRETS'][0] token = create_jwt_token(secret=secret, client_id=client_id) return 'Authorization', 'Bearer {}'.format(token) diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index b3fec11e4..252c42739 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -188,7 +188,7 @@ def test_should_allow_valid_token_for_request_with_path_params_for_public_url(cl def test_should_allow_valid_token_for_request_with_path_params_for_admin_url(client): - token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRET'], current_app.config['ADMIN_CLIENT_USER_NAME']) + token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME']) response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 200 
@@ -264,13 +264,13 @@ def test_authentication_returns_token_expired_when_service_uses_expired_key_and_ def test_authentication_returns_error_when_admin_client_has_no_secrets(client): - api_secret = current_app.config.get('ADMIN_CLIENT_SECRET') + api_secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0] api_service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') token = create_jwt_token( secret=api_secret, client_id=api_service_id ) - with set_config(client.application, 'ADMIN_CLIENT_SECRET', ''): + with set_config(client.application, 'ADMIN_CLIENT_SECRETS', []): response = client.get( '/service', headers={'Authorization': 'Bearer {}'.format(token)}) @@ -280,19 +280,19 @@ def test_authentication_returns_error_when_admin_client_has_no_secrets(client): def test_authentication_returns_error_when_admin_client_secret_is_invalid(client): - api_secret = current_app.config.get('ADMIN_CLIENT_SECRET') + api_secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0] token = create_jwt_token( secret=api_secret, client_id=current_app.config.get('ADMIN_CLIENT_USER_NAME') ) - current_app.config['ADMIN_CLIENT_SECRET'] = 'something-wrong' + current_app.config['ADMIN_CLIENT_SECRETS'][0] = 'something-wrong' response = client.get( '/service', headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 403 error_message = json.loads(response.get_data()) assert error_message['message'] == {"token": ["Invalid token: could not decode your API token"]} - current_app.config['ADMIN_CLIENT_SECRET'] = api_secret + current_app.config['ADMIN_CLIENT_SECRETS'][0] = api_secret def test_authentication_returns_error_when_service_doesnt_exit( 
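Review bot: In the second hunk here (`test_authentication_returns_error_when_admin_client_secret_is_invalid`), `current_app.config['ADMIN_CLIENT_SECRETS'][0] = 'something-wrong'` mutates the shared config list in place and the restore on the last line only runs when every assertion passes, so one failure leaves the wrong secret in the live app config for every test that follows. The neighbouring test in the first hunk already uses `set_config(client.application, 'ADMIN_CLIENT_SECRETS', [])` for exactly this; wrapping the request in `with set_config(client.application, 'ADMIN_CLIENT_SECRETS', ['something-wrong']):` and dropping both mutation lines gives the same coverage with guaranteed cleanup. The old code had a similar restore-by-hand pattern, but it replaced a string rather than mutating a list that other code may hold a reference to. The same in-place mutation is carried through the PATCH 2/4 and PATCH 4/4 hunks of this test file.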
@@ -397,7 +397,7 @@ def test_proxy_key_non_auth_endpoint(notify_api, check_proxy_header, header_valu (False, 'wrong_key', 200), ]) def test_proxy_key_on_admin_auth_endpoint(notify_api, check_proxy_header, header_value, expected_status): - token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRET'], current_app.config['ADMIN_CLIENT_USER_NAME']) + token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME']) with set_config_values(notify_api, { 'ROUTE_SECRET_KEY_1': 'key_1', From 724630644732190bbeb692620fc41e1841a471d8 Mon Sep 17 00:00:00 2001 From: David McDonald Date: Wed, 19 Feb 2020 17:50:00 +0000 Subject: [PATCH 2/4] Support multiple secrets for ADMIN_CLIENT_SECRETS This will allow us to accept two different ones and therefore allow us to rotate the secret that the admin client is sending to the API Due to how the notifications-python-client throws exceptions, we run into exactly the same issue with not being able to distinguish if a `TokenDecodeError` is thrown because the token was encrypted with a different secret key or if because there was a different error when decoding. I've copied the TODO from `requires_auth` as this is exactly the same issue. I've also added a test case for functionality that was missing for an out of date admin token (old IAT). --- app/authentication/auth.py | 25 +++++---- app/config.py | 4 +- .../app/authentication/test_authentication.py | 56 ++++++++++++++++--- 3 files changed, 64 insertions(+), 21 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index c1b262b1c..4f85936f6 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py 
@@ -62,11 +62,21 @@ def requires_admin_auth(): if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'): g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') - secret = "" if len(current_app.config.get('ADMIN_CLIENT_SECRETS')): - secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0] + for secret in current_app.config.get('ADMIN_CLIENT_SECRETS'): + try: + decode_jwt_token(auth_token, secret) + return + except TokenExpiredError: + raise AuthError("Invalid token: expired, check that your system clock is accurate", 403) + except TokenDecodeError: + # TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions + # (which are children of `TokenDecodeError`) as these should cause an auth error immediately rather + # than continue on to check the next API key + continue - return handle_admin_key(auth_token, secret) + # Either there are no admin client secrets or their token didn't match one of them so error + raise AuthError("Unauthorized: admin authentication token not found", 401) else: raise AuthError('Unauthorized: admin authentication token required', 401) @@ -135,12 +145,3 @@ def __get_token_issuer(auth_token): except TokenDecodeError: raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403) return issuer - - -def handle_admin_key(auth_token, secret): - try: - decode_jwt_token(auth_token, secret) - except TokenExpiredError: - raise AuthError("Invalid token: expired, check that your system clock is accurate", 403) - except TokenDecodeError: - raise AuthError("Invalid token: could not decode your API token", 403) diff --git a/app/config.py b/app/config.py index 4a716d037..a86cdd401 100644 --- a/app/config.py +++ b/app/config.py 
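Review bot: The TODO in the `except TokenDecodeError` branch can be resolved in this hunk rather than deferred: a token whose signature matches one secret but then fails the issuer or issued-at check is swallowed by `continue`, retried against the remaining secrets, and reported as a 401 "token not found" instead of the 403 that `__get_token_issuer` further down uses for a malformed token. Since the comment states that `TokenIssuerError` and `TokenIssuedAtError` are subclasses of `TokenDecodeError`, a more specific clause placed before it is enough: `except (TokenIssuerError, TokenIssuedAtError): raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403)`, assuming those two classes can be imported into this module alongside `TokenDecodeError`. That ordering is only correct if the client library verifies the signature before it validates claims, which the comment implies but the hunk does not show, so worth confirming before relying on it. The same loop and TODO are carried into the PATCH 4/4 hunk of app/authentication/auth.py. `requires_admin_auth` starts before and ends after this hunk.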
@@ -64,8 +64,8 @@ class Config(object): # URL of api app (on AWS this is the internal api endpoint) API_HOST_NAME = os.getenv('API_HOST_NAME') - # admin app api key - ADMIN_CLIENT_SECRETS = [os.getenv('ADMIN_CLIENT_SECRET')] if os.getenv('ADMIN_CLIENT_SECRET') else [] + # admin app api keys + ADMIN_CLIENT_SECRETS = json.loads(os.environ.get('ADMIN_CLIENT_SECRETS', '[]')) # encyption secret/salt SECRET_KEY = os.getenv('SECRET_KEY') diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index 252c42739..9bc6ed1ab 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -123,7 +123,30 @@ def test_admin_auth_should_not_allow_request_with_no_iat(client, sample_api_key) request.headers = {'Authorization': 'Bearer {}'.format(token)} with pytest.raises(AuthError) as exc: requires_admin_auth() - assert exc.value.short_message == "Invalid token: could not decode your API token" + assert exc.value.short_message == "Unauthorized: admin authentication token not found" + + +def test_admin_auth_should_not_allow_request_with_old_iat(client): + iss = current_app.config['ADMIN_CLIENT_USER_NAME'] + secret = current_app.config['ADMIN_CLIENT_SECRETS'][0] + + # code copied from notifications_python_client.authentication.py::create_jwt_token + headers = { + "typ": 'JWT', + "alg": 'HS256' + } + + claims = { + 'iss': iss, + 'iat': int(time.time()) - 60 + } + + token = jwt.encode(payload=claims, key=secret, headers=headers).decode() + + request.headers = {'Authorization': 'Bearer {}'.format(token)} + with pytest.raises(AuthError) as exc: + requires_admin_auth() + assert exc.value.short_message == "Invalid token: expired, check that your system clock is accurate" def test_auth_should_not_allow_request_with_extra_claims(client, sample_api_key): 
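Review bot: `json.loads(os.environ.get('ADMIN_CLIENT_SECRETS', '[]'))` accepts any JSON value, not only a list of non-empty strings, and nothing downstream checks the shape: `requires_admin_auth` iterates the value directly, so a bare JSON string in the variable would be tried one character at a time as an HMAC key, and an entry of `""` or `null` would be handed to `decode_jwt_token` as a key, with the outcome depending on how the client library treats an empty or non-string key. A shape check at load time turns a deployment mistake into a startup failure rather than a weakened token check, e.g. `_secrets = json.loads(os.environ.get('ADMIN_CLIENT_SECRETS', '[]'))` / `if not isinstance(_secrets, list) or not all(isinstance(s, str) and s for s in _secrets): raise ValueError('ADMIN_CLIENT_SECRETS must be a JSON list of non-empty strings')` / `ADMIN_CLIENT_SECRETS = _secrets`. The PATCH 4/4 hunk of app/config.py keeps the same expression under the name `API_INTERNAL_SECRETS`, so the check belongs there in the final state. The `Config` class continues outside this hunk.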
@@ -188,11 +211,28 @@ def test_should_allow_valid_token_for_request_with_path_params_for_public_url(cl def test_should_allow_valid_token_for_request_with_path_params_for_admin_url(client): - token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME']) + token = create_jwt_token( + current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] + ) response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 200 +def test_should_allow_valid_token_for_request_with_path_params_for_admin_url_with_second_secret(client): + with set_config(client.application, 'ADMIN_CLIENT_SECRETS', ["secret1", "secret2"]): + token = create_jwt_token( + current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] + ) + response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + + token = create_jwt_token( + current_app.config['ADMIN_CLIENT_SECRETS'][1], current_app.config['ADMIN_CLIENT_USER_NAME'] + ) + response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)}) + assert response.status_code == 200 + + def test_should_allow_valid_token_when_service_has_multiple_keys(client, sample_api_key): data = {'service': sample_api_key.service, 'name': 'some key name', 
@@ -274,9 +314,9 @@ def test_authentication_returns_error_when_admin_client_has_no_secrets(client): response = client.get( '/service', headers={'Authorization': 'Bearer {}'.format(token)}) - assert response.status_code == 403 + assert response.status_code == 401 error_message = json.loads(response.get_data()) - assert error_message['message'] == {"token": ["Invalid token: could not decode your API token"]} + assert error_message['message'] == {"token": ["Unauthorized: admin authentication token not found"]} def test_authentication_returns_error_when_admin_client_secret_is_invalid(client): @@ -289,9 +329,9 @@ def test_authentication_returns_error_when_admin_client_secret_is_invalid(client response = client.get( '/service', headers={'Authorization': 'Bearer {}'.format(token)}) - assert response.status_code == 403 + assert response.status_code == 401 error_message = json.loads(response.get_data()) - assert error_message['message'] == {"token": ["Invalid token: could not decode your API token"]} + assert error_message['message'] == {"token": ["Unauthorized: admin authentication token not found"]} current_app.config['ADMIN_CLIENT_SECRETS'][0] = api_secret @@ -397,7 +437,9 @@ def test_proxy_key_non_auth_endpoint(notify_api, check_proxy_header, header_valu (False, 'wrong_key', 200), ]) def test_proxy_key_on_admin_auth_endpoint(notify_api, check_proxy_header, header_value, expected_status): - token = create_jwt_token(current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME']) + token = create_jwt_token( + current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] + ) with set_config_values(notify_api, { 'ROUTE_SECRET_KEY_1': 'key_1', From 2967fdce0877b7c265d49b6a86d56a9079f628ad Mon Sep 17 00:00:00 2001 
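Review bot: The expected status for an undecodable admin token changes from 403 to 401 in both of the first two hunks here, which is a client-visible API change that the commit message does not mention; it also diverges from the 403 that `__get_token_issuer` in app/authentication/auth.py still returns for a malformed service token. If the new code is intended, a sentence in the commit message such as "An admin token that matches no configured secret now returns 401 rather than 403" would record the decision; otherwise the final `raise AuthError(...)` in `requires_admin_auth` should keep 403 and these assertions stay as they were.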
From: David McDonald Date: Thu, 20 Feb 2020 13:25:06 +0000 Subject: [PATCH 3/4] Make test more accurate So we are really testing the functionality the test says it is, rather than potentially being misled by using an incorrect key as the secret --- tests/app/authentication/test_authentication.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index 9bc6ed1ab..c32a3ab14 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -104,8 +104,9 @@ def test_auth_should_not_allow_request_with_non_hs256_algorithm(client, sample_a assert exc.value.short_message == 'Invalid token: algorithm used is not HS256' -def test_admin_auth_should_not_allow_request_with_no_iat(client, sample_api_key): +def test_admin_auth_should_not_allow_request_with_no_iat(client): iss = current_app.config['ADMIN_CLIENT_USER_NAME'] + secret = current_app.config['ADMIN_CLIENT_SECRETS'][0] # code copied from notifications_python_client.authentication.py::create_jwt_token headers = { @@ -118,7 +119,7 @@ def test_admin_auth_should_not_allow_request_with_no_iat(client, sample_api_key) # 'iat': not provided } - token = jwt.encode(payload=claims, key=str(uuid.uuid4()), headers=headers).decode() + token = jwt.encode(payload=claims, key=secret, headers=headers).decode() request.headers = {'Authorization': 'Bearer {}'.format(token)} with pytest.raises(AuthError) as exc: From 2dc55501597f9f22ee08130590ad54e0ceabe410 Mon Sep 17 00:00:00 2001 
From: David McDonald Date: Thu, 20 Feb 2020 15:16:37 +0000 Subject: [PATCH 4/4] Change variable name to make more descriptive Also remove unnecessary if statement Also add manifest change to make sure relevant environment variables makes it into the app --- app/authentication/auth.py | 23 +++++++++--------- app/config.py | 6 ++--- manifest.yml.j2 | 2 +- tests/__init__.py | 2 +- .../app/authentication/test_authentication.py | 24 +++++++++---------- 5 files changed, 28 insertions(+), 29 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index 4f85936f6..cb94d6c93 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py 
@@ -62,18 +62,17 @@ def requires_admin_auth(): if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'): g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') - if len(current_app.config.get('ADMIN_CLIENT_SECRETS')): - for secret in current_app.config.get('ADMIN_CLIENT_SECRETS'): - try: - decode_jwt_token(auth_token, secret) - return - except TokenExpiredError: - raise AuthError("Invalid token: expired, check that your system clock is accurate", 403) - except TokenDecodeError: - # TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions - # (which are children of `TokenDecodeError`) as these should cause an auth error immediately rather - # than continue on to check the next API key - continue + for secret in current_app.config.get('API_INTERNAL_SECRETS'): + try: + decode_jwt_token(auth_token, secret) + return + except TokenExpiredError: + raise AuthError("Invalid token: expired, check that your system clock is accurate", 403) + except TokenDecodeError: + # TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions + # (which are children of `TokenDecodeError`) as these should cause an auth error immediately rather + # than continue on to check the next admin client secret + continue # Either there are no admin client secrets or their token didn't match one of them so error raise AuthError("Unauthorized: admin authentication token not found", 401) diff --git a/app/config.py b/app/config.py index a86cdd401..602f57f2c 100644 --- a/app/config.py +++ b/app/config.py 
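Review bot: Dropping the `if len(...)` guard leaves `for secret in current_app.config.get('API_INTERNAL_SECRETS'):` with no fallback when the key is absent from the config: `.get` returns `None`, the `for` raises `TypeError`, and the request fails with a 500 instead of the 401 the comment below describes. Either supply the mapping default, `for secret in current_app.config.get('API_INTERNAL_SECRETS', []):`, or index with `current_app.config['API_INTERNAL_SECRETS']` so a missing setting surfaces as a clear `KeyError` rather than a `TypeError` on iteration. With `Config` always defining the key via `json.loads(..., '[]')` this mainly protects against alternative config objects or test fixtures, so it is low severity. `requires_admin_auth` starts before and ends after this hunk.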
@@ -64,8 +64,8 @@ class Config(object): # URL of api app (on AWS this is the internal api endpoint) API_HOST_NAME = os.getenv('API_HOST_NAME') - # admin app api keys - ADMIN_CLIENT_SECRETS = json.loads(os.environ.get('ADMIN_CLIENT_SECRETS', '[]')) + # secrets that internal apps, such as the admin app or document download, must use to authenticate with the API + API_INTERNAL_SECRETS = json.loads(os.environ.get('API_INTERNAL_SECRETS', '[]')) # encyption secret/salt SECRET_KEY = os.getenv('SECRET_KEY') @@ -369,7 +369,7 @@ class Development(Config): TRANSIENT_UPLOADED_LETTERS = 'development-transient-uploaded-letters' LETTER_SANITISE_BUCKET_NAME = 'development-letters-sanitise' - ADMIN_CLIENT_SECRETS = ['dev-notify-secret-key'] + API_INTERNAL_SECRETS = ['dev-notify-secret-key'] SECRET_KEY = 'dev-notify-secret-key' DANGEROUS_SALT = 'dev-notify-salt' diff --git a/manifest.yml.j2 b/manifest.yml.j2 index b601ddd85..1e4f97425 100644 --- a/manifest.yml.j2 +++ b/manifest.yml.j2 @@ -72,7 +72,7 @@ applications: # Credentials variables ADMIN_BASE_URL: '{{ ADMIN_BASE_URL }}' - ADMIN_CLIENT_SECRET: '{{ ADMIN_CLIENT_SECRET }}' + API_INTERNAL_SECRETS: '{{ API_INTERNAL_SECRETS }}' API_HOST_NAME: '{{ API_HOST_NAME }}' DANGEROUS_SALT: '{{ DANGEROUS_SALT }}' SECRET_KEY: '{{ SECRET_KEY }}' diff --git a/tests/__init__.py b/tests/__init__.py index 0d5b4548c..1dd349dcd 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -28,7 +28,7 @@ def create_authorization_header(service_id=None, key_type=KEY_TYPE_NORMAL): else: client_id = current_app.config['ADMIN_CLIENT_USER_NAME'] - secret = current_app.config['ADMIN_CLIENT_SECRETS'][0] + secret = current_app.config['API_INTERNAL_SECRETS'][0] token = create_jwt_token(secret=secret, client_id=client_id) return 'Authorization', 'Bearer {}'.format(token) diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index c32a3ab14..3b6b086aa 100644 
--- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -106,7 +106,7 @@ def test_auth_should_not_allow_request_with_non_hs256_algorithm(client, sample_a def test_admin_auth_should_not_allow_request_with_no_iat(client): iss = current_app.config['ADMIN_CLIENT_USER_NAME'] - secret = current_app.config['ADMIN_CLIENT_SECRETS'][0] + secret = current_app.config['API_INTERNAL_SECRETS'][0] # code copied from notifications_python_client.authentication.py::create_jwt_token headers = { @@ -129,7 +129,7 @@ def test_admin_auth_should_not_allow_request_with_no_iat(client): def test_admin_auth_should_not_allow_request_with_old_iat(client): iss = current_app.config['ADMIN_CLIENT_USER_NAME'] - secret = current_app.config['ADMIN_CLIENT_SECRETS'][0] + secret = current_app.config['API_INTERNAL_SECRETS'][0] # code copied from notifications_python_client.authentication.py::create_jwt_token headers = { 
@@ -213,22 +213,22 @@ def test_should_allow_valid_token_for_request_with_path_params_for_public_url(cl def test_should_allow_valid_token_for_request_with_path_params_for_admin_url(client): token = create_jwt_token( - current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] + current_app.config['API_INTERNAL_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] ) response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 200 def test_should_allow_valid_token_for_request_with_path_params_for_admin_url_with_second_secret(client): - with set_config(client.application, 'ADMIN_CLIENT_SECRETS', ["secret1", "secret2"]): + with set_config(client.application, 'API_INTERNAL_SECRETS', ["secret1", "secret2"]): token = create_jwt_token( - current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] + current_app.config['API_INTERNAL_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] ) response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 200 token = create_jwt_token( - current_app.config['ADMIN_CLIENT_SECRETS'][1], current_app.config['ADMIN_CLIENT_USER_NAME'] + current_app.config['API_INTERNAL_SECRETS'][1], current_app.config['ADMIN_CLIENT_USER_NAME'] ) response = client.get('/service', headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 200 
@@ -305,13 +305,13 @@ def test_authentication_returns_token_expired_when_service_uses_expired_key_and_ def test_authentication_returns_error_when_admin_client_has_no_secrets(client): - api_secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0] + api_secret = current_app.config.get('API_INTERNAL_SECRETS')[0] api_service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME') token = create_jwt_token( secret=api_secret, client_id=api_service_id ) - with set_config(client.application, 'ADMIN_CLIENT_SECRETS', []): + with set_config(client.application, 'API_INTERNAL_SECRETS', []): response = client.get( '/service', headers={'Authorization': 'Bearer {}'.format(token)}) @@ -321,19 +321,19 @@ def test_authentication_returns_error_when_admin_client_has_no_secrets(client): def test_authentication_returns_error_when_admin_client_secret_is_invalid(client): - api_secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0] + api_secret = current_app.config.get('API_INTERNAL_SECRETS')[0] token = create_jwt_token( secret=api_secret, client_id=current_app.config.get('ADMIN_CLIENT_USER_NAME') ) - current_app.config['ADMIN_CLIENT_SECRETS'][0] = 'something-wrong' + current_app.config['API_INTERNAL_SECRETS'][0] = 'something-wrong' response = client.get( '/service', headers={'Authorization': 'Bearer {}'.format(token)}) assert response.status_code == 401 error_message = json.loads(response.get_data()) assert error_message['message'] == {"token": ["Unauthorized: admin authentication token not found"]} - current_app.config['ADMIN_CLIENT_SECRETS'][0] = api_secret + current_app.config['API_INTERNAL_SECRETS'][0] = api_secret def test_authentication_returns_error_when_service_doesnt_exit( 
@@ -439,7 +439,7 @@ def test_proxy_key_non_auth_endpoint(notify_api, check_proxy_header, header_valu ]) def test_proxy_key_on_admin_auth_endpoint(notify_api, check_proxy_header, header_value, expected_status): token = create_jwt_token( - current_app.config['ADMIN_CLIENT_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] + current_app.config['API_INTERNAL_SECRETS'][0], current_app.config['ADMIN_CLIENT_USER_NAME'] ) with set_config_values(notify_api, {