def test_get_ctms_with_unknown_client_fails(example_contact, anon_client,
                                            test_token_settings,
                                            client_id_and_secret):
    """Reject a well-formed token whose subject names a client that is not on record.

    The token carries the test deployment's token settings, so the failure is
    attributable to the client lookup alone. The HTTP response stays generic
    ("Could not validate credentials"); the specific reason is only visible in
    the captured structured log entry.
    """
    client_id, *_ = client_id_and_secret
    # Correct namespace, but a client id that was never registered.
    subject = f"api_client:not_{client_id}"
    token = create_access_token({"sub": subject}, **test_token_settings)

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {token}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "No client record"
def test_get_ctms_with_invalid_namespace_fails(example_contact, anon_client,
                                               test_token_settings,
                                               client_id_and_secret):
    """Reject a token whose subject uses a namespace other than ``api_client``.

    The client id itself is real; only the namespace prefix of the ``sub``
    claim is wrong. The response body is the same generic 401 message as for
    every other credential failure, and the log entry names the real cause.
    """
    client_id, *_ = client_id_and_secret
    # Real client id under an unexpected namespace prefix.
    subject = f"unknown:{client_id}"
    token = create_access_token({"sub": subject}, **test_token_settings)

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {token}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "Bad namespace"
def test_get_ctms_with_token(example_contact, anon_client, test_token_settings,
                             client_id_and_secret):
    """Fetch a contact through the authenticated API with a valid bearer token.

    Also pins the JOSE header the issuer emits: HS256 symmetric signing with
    a ``JWT`` type. A change in algorithm (or a missing ``alg``) would be
    caught here before it reached the server-side verification path.
    """
    client_id, *_ = client_id_and_secret
    token = create_access_token({"sub": f"api_client:{client_id}"},
                                **test_token_settings)

    # Inspect the header only; this call does not verify the signature.
    expected_header = {"alg": "HS256", "typ": "JWT"}
    assert jwt.get_unverified_headers(token) == expected_header

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {token}"}
    resp = anon_client.get(url, headers=auth_headers)
    assert resp.status_code == 200
def test_get_ctms_with_expired_token_fails(example_contact, anon_client,
                                           test_token_settings,
                                           client_id_and_secret):
    """Reject a correctly signed token whose expiry has already passed.

    Issuance is backdated by one day via ``now=``; with the configured
    ``expires_delta`` the token is presumably past its ``exp`` by the time the
    request is made. The server reports this as the same generic 401 and logs
    it under the ``No or bad token`` reason.
    """
    one_day = timedelta(days=1)
    issued_at = datetime.now(timezone.utc) - one_day
    client_id, *_ = client_id_and_secret
    token = create_access_token({"sub": f"api_client:{client_id}"},
                                **test_token_settings,
                                now=issued_at)

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {token}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "No or bad token"
def test_get_ctms_with_invalid_token_fails(example_contact, anon_client,
                                           test_token_settings,
                                           client_id_and_secret):
    """Reject a token signed with a secret the server does not hold.

    The claims and expiry are otherwise valid; only the signing key differs
    from the one in ``test_token_settings``, so signature verification is
    expected to fail. The failure is indistinguishable from other token
    problems in the response body and is logged as ``No or bad token``.
    """
    client_id, *_ = client_id_and_secret
    # Same claims, same lifetime, but signed under a foreign key.
    foreign_key = "secret_key_from_other_deploy"
    token = create_access_token(
        {"sub": f"api_client:{client_id}"},
        secret_key=foreign_key,
        expires_delta=test_token_settings["expires_delta"],
    )

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {token}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 401
    assert resp.json() == {"detail": "Could not validate credentials"}
    assert caplog[0]["auth_fail"] == "No or bad token"
def test_get_ctms_with_disabled_client_fails(dbsession, example_contact,
                                             anon_client, test_token_settings,
                                             client_id_and_secret):
    """Reject a valid token once its API client has been disabled.

    The token is minted while the client is still enabled and remains
    cryptographically valid; the client record is then flipped to
    ``enabled = False`` and committed. Unlike the credential failures, this
    case answers 400 with an explicit "API Client has been disabled" body,
    so a disabled token is revoked server-side regardless of its expiry.
    """
    client_id, *_ = client_id_and_secret
    token = create_access_token({"sub": f"api_client:{client_id}"},
                                **test_token_settings)

    # Disable the client after issuing the token, then persist the change.
    client_record = get_api_client_by_id(dbsession, client_id)
    client_record.enabled = False
    dbsession.commit()

    url = f"/ctms/{example_contact.email.email_id}"
    auth_headers = {"Authorization": f"Bearer {token}"}
    with capture_logs() as caplog:
        resp = anon_client.get(url, headers=auth_headers)

    assert resp.status_code == 400
    assert resp.json() == {"detail": "API Client has been disabled"}
    assert caplog[0]["auth_fail"] == "Client disabled"