From 618258ca76fb00b8f2dabe2d68cd9d3519b403c2 Mon Sep 17 00:00:00 2001 From: Marius Lie Winger Date: Tue, 11 Jun 2024 11:13:20 +0200 Subject: [PATCH] test: mock authorization --- .pre-commit-config.yaml | 2 +- api/src/authentication/authentication.py | 15 ++----- api/src/config.py | 9 ++-- api/src/tests/conftest.py | 3 ++ .../features/whoami/test_whoami_feature.py | 4 +- .../integration/mock_authentication.py} | 45 +++++++++++++++---- 6 files changed, 49 insertions(+), 29 deletions(-) rename api/src/{authentication/mock_token_generator.py => tests/integration/mock_authentication.py} (66%) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f7fe4412..3a19d3a3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -26,7 +26,7 @@ repos: - id: mixed-line-ending exclude: ^.*\.(lock)$ - id: detect-private-key - exclude: api/src/authentication/mock_token_generator.py + exclude: api/src/tests/integration/mock_authentication.py - id: no-commit-to-branch args: [--branch, main, --branch, master] stages: [commit-msg] diff --git a/api/src/authentication/authentication.py b/api/src/authentication/authentication.py index ccc04216..8037817d 100644 --- a/api/src/authentication/authentication.py +++ b/api/src/authentication/authentication.py @@ -4,11 +4,10 @@ from fastapi import Security from fastapi.security import OAuth2AuthorizationCodeBearer -from authentication.mock_token_generator import mock_rsa_public_key from authentication.models import User from common.exceptions import credentials_exception from common.logger import logger -from config import config, default_user +from config import config oauth2_scheme = OAuth2AuthorizationCodeBearer( authorizationUrl=config.OAUTH_AUTH_ENDPOINT, @@ -18,7 +17,7 @@ @cached(cache=TTLCache(maxsize=32, ttl=86400)) -def fetch_openid_configuration() -> jwt.PyJWKClient: +def get_JWK_client() -> jwt.PyJWKClient: try: oid_conf_response = httpx.get(config.OAUTH_WELL_KNOWN) oid_conf_response.raise_for_status() @@ -30,17 +29,9 @@ def fetch_openid_configuration() -> jwt.PyJWKClient: def auth_with_jwt(jwt_token: str = Security(oauth2_scheme)) -> User: - if not config.AUTH_ENABLED: - return default_user if not jwt_token: raise credentials_exception - # If TEST_TOKEN is true, we are running tests. Use the self-signed keys. If not, get keys from auth server. - key = ( - mock_rsa_public_key - if config.TEST_TOKEN - else fetch_openid_configuration().get_signing_key_from_jwt(jwt_token).key - ) - + key = get_JWK_client().get_signing_key_from_jwt(jwt_token).key try: payload = jwt.decode(jwt_token, key, algorithms=["RS256"], audience=config.OAUTH_AUDIENCE) if config.MICROSOFT_AUTH_PROVIDER in payload["iss"]: diff --git a/api/src/config.py b/api/src/config.py index 859dea7a..27382efa 100644 --- a/api/src/config.py +++ b/api/src/config.py @@ -43,14 +43,13 @@ class Config(BaseSettings): raise ValueError("Authentication was enabled, but some auth configuration parameters are missing") if not config.AUTH_ENABLED: + print("\n") print("################ WARNING ################") print("# Authentication is disabled #") print("################ WARNING ################\n") default_user: User = User( - **{ - "user_id": "nologin", - "full_name": "Not Authenticated", - "email": "nologin@example.com", - } + user_id="nologin", + full_name="Not Authenticated", + email="nologin@example.com", ) diff --git a/api/src/tests/conftest.py b/api/src/tests/conftest.py index ea592eb6..e6e90b40 100644 --- a/api/src/tests/conftest.py +++ b/api/src/tests/conftest.py @@ -9,9 +9,11 @@ from starlette.testclient import TestClient from app import create_app +from authentication.authentication import auth_with_jwt from config import config from data_providers.clients.mongodb.mongo_database_client import MongoDatabaseClient from features.todo.repository.todo_repository import TodoRepository, get_todo_repository +from tests.integration.mock_authentication import mock_auth_with_jwt @pytest.fixture(scope="function") @@ -39,6 +41,7 @@ def use_todo_repository_mock(): return TodoRepository(client=test_client) app.dependency_overrides[get_todo_repository] = use_todo_repository_mock + app.dependency_overrides[auth_with_jwt] = mock_auth_with_jwt yield client diff --git a/api/src/tests/integration/features/whoami/test_whoami_feature.py b/api/src/tests/integration/features/whoami/test_whoami_feature.py index 95147ed7..9a8b5123 100644 --- a/api/src/tests/integration/features/whoami/test_whoami_feature.py +++ b/api/src/tests/integration/features/whoami/test_whoami_feature.py @@ -2,9 +2,9 @@ from starlette.status import HTTP_200_OK from starlette.testclient import TestClient -from authentication.mock_token_generator import generate_mock_token from authentication.models import User from config import config +from tests.integration.mock_authentication import get_mock_jwt_token pytestmark = pytest.mark.integration @@ -14,7 +14,7 @@ def test_whoami(self, test_app: TestClient): config.AUTH_ENABLED = True config.TEST_TOKEN = True user = User(user_id="1", email="foo@bar.baz", roles=["a"]) - headers = {"Authorization": f"Bearer {generate_mock_token(user)}"} + headers = {"Authorization": f"Bearer {get_mock_jwt_token(user)}"} response = test_app.get("/whoami", headers=headers) data = response.json() assert response.status_code == HTTP_200_OK diff --git a/api/src/authentication/mock_token_generator.py b/api/src/tests/integration/mock_authentication.py similarity index 66% rename from api/src/authentication/mock_token_generator.py rename to api/src/tests/integration/mock_authentication.py index 8600c67c..be91f535 100644 --- a/api/src/authentication/mock_token_generator.py +++ b/api/src/tests/integration/mock_authentication.py @@ -1,10 +1,18 @@ import jwt +from fastapi import Security +from authentication.authentication import oauth2_scheme from authentication.models import User -from config import default_user +from common.exceptions import credentials_exception +from config import config, default_user -# Generated with: 'openssl req -nodes -new -x509 -keyout server.key -out server.cert' -mock_rsa_private_key = """ + +def get_mock_rsa_private_key() -> str: + """ + Used for testing. + Generated with: 'openssl req -nodes -new -x509 -keyout server.key -out server.cert'. + """ + return """ -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDfsOW9ih/oBUwl LEH4t2C2GZeq3/dEXCkK54CNPZv979rir0nQQ5pLVcoohoVFe+QwC746xg8t7/YP @@ -35,9 +43,13 @@ -----END PRIVATE KEY----- """ -# Python-jose require public keys instead of x509 certs. -# Convert cert to pub key with: 'openssl x509 -pubkey -noout < server.cert' -mock_rsa_public_key = """ + +def get_mock_rsa_public_key() -> str: + """ + Used for testing. + Convert cert to pub key with: 'openssl x509 -pubkey -noout < server.cert' + """ + return """ -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA37DlvYof6AVMJSxB+Ldg thmXqt/3RFwpCueAjT2b/e/a4q9J0EOaS1XKKIaFRXvkMAu+OsYPLe/2D3Fh8HB1 @@ -50,7 +62,7 @@ """ -def generate_mock_token(user: User = default_user) -> str: +def get_mock_jwt_token(user: User = default_user) -> str: """ This function is for testing purposes only Used for behave testing @@ -59,10 +71,25 @@ def generate_mock_token(user: User = default_user) -> str: payload = { "name": user.full_name, "preferred_username": user.email, - "scp": "FoR_test_scope", + "scp": "testing", "sub": user.user_id, "roles": user.roles, "iss": "mock-auth-server", "aud": "TEST", } - return jwt.encode(payload, mock_rsa_private_key, algorithm="RS256") + # This absolutely returns a str, so this is possibly a mypy bug + return jwt.encode(payload, get_mock_rsa_private_key(), algorithm="RS256") # type: ignore[no-any-return] + + +def mock_auth_with_jwt(jwt_token: str = Security(oauth2_scheme)) -> User: + if not config.AUTH_ENABLED: + return default_user + try: + payload = jwt.decode(jwt_token, get_mock_rsa_public_key(), algorithms=["RS256"], audience="TEST") + print(payload) + user = User(user_id=payload["sub"], **payload) + except jwt.exceptions.InvalidTokenError as error: + raise credentials_exception from error + if user is None: + raise credentials_exception + return user