mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-12 08:12:27 -05:00
229 lines
7.8 KiB
Python
229 lines
7.8 KiB
Python
import os
|
|
import uuid
|
|
|
|
from flask import current_app, g, request
|
|
from sqlalchemy.orm.exc import NoResultFound
|
|
|
|
from app.serialised_models import SerialisedService
|
|
from notifications_python_client.authentication import (
|
|
decode_jwt_token,
|
|
get_token_issuer,
|
|
)
|
|
from notifications_python_client.errors import (
|
|
TokenAlgorithmError,
|
|
TokenDecodeError,
|
|
TokenError,
|
|
TokenExpiredError,
|
|
TokenIssuerError,
|
|
)
|
|
from notifications_utils import request_helper
|
|
|
|
# stvnrlly - this is silly, but bandit has a multiline string bug (https://github.com/PyCQA/bandit/issues/658)
|
|
# and flake8 wants a multiline quote here. TODO: check on bug status and restore sanity once possible
|
|
TOKEN_MESSAGE_ONE = (
|
|
"Invalid token: make sure your API token matches the example " # nosec B105
|
|
)
|
|
TOKEN_MESSAGE_TWO = "at https://docs.notifications.service.gov.uk/rest-api.html#authorisation-header" # nosec B105
|
|
GENERAL_TOKEN_ERROR_MESSAGE = TOKEN_MESSAGE_ONE + TOKEN_MESSAGE_TWO
|
|
|
|
|
|
class AuthError(Exception):
|
|
def __init__(self, message, code, service_id=None, api_key_id=None):
|
|
self.message = {"token": [message]}
|
|
self.short_message = message
|
|
self.code = code
|
|
self.service_id = service_id
|
|
self.api_key_id = api_key_id
|
|
|
|
def __str__(self):
|
|
return "AuthError({message}, {code}, service_id={service_id}, api_key_id={api_key_id})".format(
|
|
**self.__dict__
|
|
)
|
|
|
|
def to_dict_v2(self):
|
|
return {
|
|
"status_code": self.code,
|
|
"errors": [{"error": "AuthError", "message": self.short_message}],
|
|
}
|
|
|
|
|
|
class InternalApiKey:
|
|
def __init__(self, client_id, secret):
|
|
self.secret = secret
|
|
self.id = client_id
|
|
self.expiry_date = None
|
|
|
|
|
|
def requires_no_auth():
|
|
pass
|
|
|
|
|
|
def requires_admin_auth():
|
|
requires_internal_auth(current_app.config.get("ADMIN_CLIENT_ID"))
|
|
|
|
|
|
def requires_internal_auth(expected_client_id):
|
|
|
|
# Looks like we are hitting this for some reason
|
|
# expected_client_id looks like ADMIN_CLIENT_USERNAME on the admin side, and
|
|
# INTERNAL_CLIENT_API_KEYS is a dict
|
|
keys = current_app.config.get("INTERNAL_CLIENT_API_KEYS")
|
|
if keys.get(expected_client_id) is None:
|
|
err_msg = "Unknown client_id for internal auth"
|
|
current_app.logger.error(err_msg)
|
|
raise TypeError(err_msg)
|
|
|
|
request_helper.check_proxy_header_before_request()
|
|
auth_token = _get_auth_token(request)
|
|
client_id = _get_token_issuer(auth_token)
|
|
if client_id != expected_client_id:
|
|
current_app.logger.info("client_id: %s", client_id)
|
|
current_app.logger.info("expected_client_id: %s", expected_client_id)
|
|
err_msg = "Unauthorized: not allowed to perform this action"
|
|
current_app.logger.error(err_msg)
|
|
raise AuthError(err_msg, 401)
|
|
|
|
api_keys = [
|
|
InternalApiKey(client_id, secret)
|
|
for secret in current_app.config.get("INTERNAL_CLIENT_API_KEYS")[client_id]
|
|
]
|
|
|
|
_decode_jwt_token(auth_token, api_keys, client_id)
|
|
g.service_id = client_id
|
|
|
|
|
|
def requires_auth():
|
|
request_helper.check_proxy_header_before_request()
|
|
|
|
auth_token = _get_auth_token(request)
|
|
issuer = _get_token_issuer(
|
|
auth_token
|
|
) # ie the `iss` claim which should be a service ID
|
|
|
|
try:
|
|
service_id = uuid.UUID(issuer)
|
|
except Exception:
|
|
raise AuthError("Invalid token: service id is not the right data type", 403)
|
|
|
|
try:
|
|
service = SerialisedService.from_id(service_id)
|
|
except NoResultFound:
|
|
raise AuthError("Invalid token: service not found", 403)
|
|
|
|
if not service.api_keys:
|
|
raise AuthError(
|
|
"Invalid token: service has no API keys", 403, service_id=service.id
|
|
)
|
|
|
|
if not service.active:
|
|
raise AuthError(
|
|
"Invalid token: service is archived", 403, service_id=service.id
|
|
)
|
|
|
|
api_key = _decode_jwt_token(auth_token, service.api_keys, service.id)
|
|
|
|
current_app.logger.info(
|
|
"API authorised for service {} with api key {}, using issuer {} for URL: {}".format(
|
|
service_id, api_key.id, request.headers.get("User-Agent"), request.base_url
|
|
)
|
|
)
|
|
|
|
g.api_user = api_key
|
|
g.service_id = service_id
|
|
g.authenticated_service = service
|
|
|
|
|
|
def _decode_jwt_token(auth_token, api_keys, service_id=None):
|
|
# Temporary expedient to get e2e tests working. If we are in
|
|
# the development or staging environments, just return the first
|
|
# api key.
|
|
if os.getenv("NOTIFY_ENVIRONMENT") in ["development", "staging"]:
|
|
for api_key in api_keys:
|
|
return api_key
|
|
|
|
for api_key in api_keys:
|
|
try:
|
|
decode_jwt_token(auth_token, api_key.secret)
|
|
except TypeError:
|
|
err_msg = "Invalid token: type error"
|
|
current_app.logger.exception(err_msg)
|
|
raise AuthError(
|
|
"Invalid token: type error",
|
|
403,
|
|
service_id=service_id,
|
|
api_key_id=api_key.id,
|
|
)
|
|
except TokenExpiredError:
|
|
if not current_app.config.get("ALLOW_EXPIRED_API_TOKEN", False):
|
|
err_msg = (
|
|
"Error: Your system clock must be accurate to within 30 seconds"
|
|
)
|
|
current_app.logger.exception(err_msg)
|
|
raise AuthError(
|
|
err_msg, 403, service_id=service_id, api_key_id=api_key.id
|
|
)
|
|
except TokenAlgorithmError:
|
|
err_msg = "Invalid token: algorithm used is not HS256"
|
|
current_app.logger.exception(err_msg)
|
|
raise AuthError(err_msg, 403, service_id=service_id, api_key_id=api_key.id)
|
|
except TokenDecodeError:
|
|
# we attempted to validate the token but it failed meaning it was not signed using this api key.
|
|
# Let's try the next one
|
|
# TODO: Change this so it doesn't also catch `TokenIssuerError` or `TokenIssuedAtError` exceptions (which
|
|
# are children of `TokenDecodeError`) as these should cause an auth error immediately rather than
|
|
# continue on to check the next API key
|
|
current_app.logger.exception(
|
|
"TokenDecodeError. Couldn't decode auth token for given api key"
|
|
)
|
|
continue
|
|
except TokenError:
|
|
current_app.logger.exception("TokenError")
|
|
# General error when trying to decode and validate the token
|
|
raise AuthError(
|
|
GENERAL_TOKEN_ERROR_MESSAGE,
|
|
403,
|
|
service_id=service_id,
|
|
api_key_id=api_key.id,
|
|
)
|
|
|
|
if api_key.expiry_date:
|
|
err_msg = "Invalid token: API key revoked"
|
|
current_app.logger.error(err_msg, exc_info=True)
|
|
raise AuthError(
|
|
err_msg,
|
|
403,
|
|
service_id=service_id,
|
|
api_key_id=api_key.id,
|
|
)
|
|
|
|
return api_key
|
|
else:
|
|
# service has API keys, but none matching the one the user provided
|
|
# if we get here, we probably hit TokenDecodeErrors earlier
|
|
err_msg = "Invalid token: API key not found"
|
|
current_app.logger.error(err_msg, exc_info=True)
|
|
raise AuthError(err_msg, 403, service_id=service_id)
|
|
|
|
|
|
def _get_auth_token(req):
|
|
auth_header = req.headers.get("Authorization", None)
|
|
if not auth_header:
|
|
raise AuthError("Unauthorized: authentication token must be provided", 401)
|
|
|
|
auth_scheme = auth_header[:7].title()
|
|
|
|
if auth_scheme != "Bearer ":
|
|
raise AuthError("Unauthorized: authentication bearer scheme must be used", 401)
|
|
|
|
return auth_header[7:]
|
|
|
|
|
|
def _get_token_issuer(auth_token):
|
|
try:
|
|
issuer = get_token_issuer(auth_token)
|
|
except TokenIssuerError:
|
|
raise AuthError("Invalid token: iss field not provided", 403)
|
|
except TokenDecodeError:
|
|
raise AuthError(GENERAL_TOKEN_ERROR_MESSAGE, 403)
|
|
return issuer
|