def __create_get_token(service_id):
    """Build a GET JWT for the ``service.get_service`` endpoint.

    With a truthy ``service_id`` the token is bound to that service's own
    resource path; otherwise it is bound to the bare collection path. In
    both cases the signing secret is the first unsigned secret returned
    for ``service_id`` and ``client_id`` is ``service_id`` itself.
    """
    # NOTE(review): the no-service_id branch still calls
    # get_unsigned_secrets(service_id)[0] with a falsy id — confirm intended.
    if service_id:
        bound_path = url_for('service.get_service', service_id=service_id)
    else:
        bound_path = url_for('service.get_service')
    signing_secret = get_unsigned_secrets(service_id)[0]
    return create_jwt_token(request_method="GET",
                            request_path=bound_path,
                            secret=signing_secret,
                            client_id=service_id)
def __create_get_token(service_id):
    """Return a GET JWT for ``service.get_service`` signed for ``service_id``.

    The path carries ``service_id`` only when it is truthy; the secret is
    always the first unsigned secret for ``service_id``.
    """
    # NOTE(review): with a falsy service_id the secret lookup still runs
    # with that falsy value — confirm this is the intended test behaviour.
    path_kwargs = {"service_id": service_id} if service_id else {}
    return create_jwt_token(
        request_method="GET",
        request_path=url_for("service.get_service", **path_kwargs),
        secret=get_unsigned_secrets(service_id)[0],
        client_id=service_id,
    )
def fetch_client(client):
    """Return the ``{"client": ..., "secret": [...]}`` record used to verify *client*.

    The admin client is recognised by comparing ``client`` with the
    ``ADMIN_CLIENT_USER_NAME`` config value and is given the single
    ``ADMIN_CLIENT_SECRET`` from config; every other client id is resolved
    through ``get_unsigned_secrets``. ``secret`` is a list in both cases so
    the caller can treat them uniformly.
    """
    from flask import current_app

    app_config = current_app.config
    # NOTE(review): if ADMIN_CLIENT_USER_NAME is unset, config.get() yields
    # None and a None ``client`` would take the admin branch — confirm the
    # config is always populated in every environment.
    if client == app_config.get("ADMIN_CLIENT_USER_NAME"):
        secrets = [app_config.get("ADMIN_CLIENT_SECRET")]
    else:
        secrets = get_unsigned_secrets(client)
    return {"client": client, "secret": secrets}
def create_authorization_header(path,
                                method,
                                request_body=None,
                                service_id=None):
    """Return the ``('Authorization', 'Bearer <jwt>')`` tuple for a test request.

    A truthy ``service_id`` signs the token with that service's first unsigned
    secret and uses it as ``client_id``; otherwise the admin client name and
    secret are read from app config. ``request_body`` is bound into the token
    only when it is truthy, so the two call shapes stay distinct.
    """
    if service_id:
        token_args = {
            "client_id": service_id,
            "secret": get_unsigned_secrets(service_id)[0],
        }
    else:
        token_args = {
            "client_id": current_app.config.get('ADMIN_CLIENT_USER_NAME'),
            "secret": current_app.config.get('ADMIN_CLIENT_SECRET'),
        }

    if request_body:
        token_args["request_body"] = request_body

    token = create_jwt_token(request_method=method, request_path=path, **token_args)
    return 'Authorization', 'Bearer {}'.format(token)
def __create_post_token(service_id, request_body):
    """Build a POST JWT for ``service.create_service`` bound to ``request_body``.

    The token is signed with the first unsigned secret for ``service_id``,
    which is also used as ``client_id``.
    """
    target_path = url_for("service.create_service")
    signing_secret = get_unsigned_secrets(service_id)[0]
    return create_jwt_token(
        request_method="POST",
        request_path=target_path,
        secret=signing_secret,
        client_id=service_id,
        request_body=request_body,
    )
def test_should_return_unsigned_api_keys_for_service_id(notify_api,
                                                        notify_db,
                                                        notify_db_session,
                                                        sample_api_key):
    """The unsigned-secret list for a service holds exactly the decoded stored key."""
    secrets = get_unsigned_secrets(sample_api_key.service_id)
    assert len(secrets) == 1

    stored, unsigned = sample_api_key.secret, secrets[0]
    # the stored value is the encoded form, never the raw secret itself
    assert stored != unsigned
    assert unsigned == _get_secret(stored)
def test_should_not_allow_service_id_that_is_not_the_wrong_data_type(client, sample_api_key):
    """A correctly signed token whose client_id is not a service id shape is rejected (403)."""
    signing_secret = get_unsigned_secrets(sample_api_key.service_id)[0]
    token = create_jwt_token(secret=signing_secret, client_id=str('not-a-valid-id'))
    auth_headers = {'Authorization': "Bearer {}".format(token)}

    response = client.get('/notifications', headers=auth_headers)
    assert response.status_code == 403

    body = json.loads(response.get_data())
    expected = {"token": ['Invalid token: service id is not the right data type']}
    assert body['message'] == expected
def test_should_not_allow_incorrect_path(notify_api, notify_db, notify_db_session, sample_api_key):
    """A token bound to one request path must not authorise a request to another (403)."""
    with notify_api.test_request_context(), notify_api.test_client() as client:
        service_id = sample_api_key.service_id
        mismatched_token = create_jwt_token(
            request_method="GET",
            request_path="/bad",
            secret=get_unsigned_secrets(service_id)[0],
            client_id=service_id,
        )
        auth_headers = {"Authorization": "Bearer {}".format(mismatched_token)}

        response = client.get(url_for("service.get_service"), headers=auth_headers)
        assert response.status_code == 403

        body = json.loads(response.get_data())
        assert body["error"] == "Invalid token: request"
def test_should_not_allow_incorrect_path(notify_api, notify_db,
                                         notify_db_session, sample_api_key):
    """A token signed for ``/bad`` is refused by ``service.get_service`` with 403."""
    with notify_api.test_request_context():
        with notify_api.test_client() as client:
            service_id = sample_api_key.service_id
            signing_secret = get_unsigned_secrets(service_id)[0]
            wrong_path_token = create_jwt_token(request_method="GET",
                                                request_path="/bad",
                                                secret=signing_secret,
                                                client_id=service_id)

            response = client.get(
                url_for('service.get_service'),
                headers={'Authorization': "Bearer {}".format(wrong_path_token)})
            assert response.status_code == 403

            body = json.loads(response.get_data())
            assert body['error'] == 'Invalid token: request'
def test_auth_should_not_allow_request_with_extra_claims(
        client, sample_api_key):
    """A token carrying a claim the service does not support is rejected as a token error.

    The token is otherwise well-formed and signed with the service's real
    secret, so the failure must come from the unsupported ``aud`` claim alone.
    """
    service_id = sample_api_key.service_id
    signing_key = get_unsigned_secrets(service_id)[0]

    jwt_headers = {"typ": 'JWT', "alg": 'HS256'}
    claims = {
        'iss': str(service_id),
        'iat': int(time.time()),
        # extra claim that we don't support
        'aud': 'notifications.service.gov.uk',
    }
    token = jwt.encode(payload=claims, key=signing_key, headers=jwt_headers)

    request.headers = {'Authorization': 'Bearer {}'.format(token)}
    with pytest.raises(AuthError) as exc:
        requires_auth()
    assert exc.value.short_message == GENERAL_TOKEN_ERROR_MESSAGE
def create_authorization_header(path, method, request_body=None, service_id=None):
    """Return the ``('Authorization', 'Bearer <jwt>')`` tuple for a test request.

    With a truthy ``service_id`` the token is signed with that service's first
    unsigned secret; otherwise the admin client name and secret come from app
    config. ``request_body`` is only bound into the token when it is truthy.
    """
    if service_id:
        client_id, secret = service_id, get_unsigned_secrets(service_id)[0]
    else:
        app_config = current_app.config
        client_id = app_config.get('ADMIN_CLIENT_USER_NAME')
        secret = app_config.get('ADMIN_CLIENT_SECRET')

    def _sign(**extra):
        return create_jwt_token(request_method=method,
                                request_path=path,
                                secret=secret,
                                client_id=client_id,
                                **extra)

    token = _sign(request_body=request_body) if request_body else _sign()
    return 'Authorization', 'Bearer {}'.format(token)
def __create_token(service_id):
    """Build a JWT for ``service_id`` with no request method, path or body bound.

    ``client_id`` is the stringified id; the secret is the first unsigned
    secret for the service.
    """
    signing_secret = get_unsigned_secrets(service_id)[0]
    return create_jwt_token(secret=signing_secret, client_id=str(service_id))
def __create_post_token(service_id, request_body):
    """Build a POST JWT for ``service.create_service`` bound to ``request_body``.

    Signed with the first unsigned secret for ``service_id``, which doubles
    as ``client_id``.
    """
    token_args = dict(
        request_method="POST",
        request_path=url_for('service.create_service'),
        secret=get_unsigned_secrets(service_id)[0],
        client_id=service_id,
        request_body=request_body,
    )
    return create_jwt_token(**token_args)
def test_should_return_unsigned_api_keys_for_service_id(sample_api_key):
    """Exactly one unsigned secret is returned and it matches the key's plain ``secret``."""
    secrets = get_unsigned_secrets(sample_api_key.service_id)
    assert len(secrets) == 1

    unsigned = secrets[0]
    # the persisted ``_secret`` column holds the encoded form, not the plaintext
    assert sample_api_key._secret != unsigned
    assert unsigned == sample_api_key.secret
def test_should_return_unsigned_api_keys_for_service_id(sample_api_key):
    """Exactly one unsigned secret is returned and it equals ``get_secret`` of the stored key."""
    secrets = get_unsigned_secrets(sample_api_key.service_id)
    assert len(secrets) == 1

    stored, unsigned = sample_api_key.secret, secrets[0]
    # the stored value is the encoded form; the unsigned one is its decoding
    assert stored != unsigned
    assert unsigned == get_secret(stored)