Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extract security to middleware #1514

Merged
merged 12 commits into from
Apr 27, 2022
Merged

Conversation

RobbeSneyders
Copy link
Member

Part of #1489.
Fixes #1120.

This PR adds the SecurityMiddleware, which checks the security for incoming requests.

Changes proposed in this pull request:

  • Extract security from AbstractAPI and FlaskApi to SecurityApi
  • Replace werkzeug exceptions with starlette.HTTPException subclasses
  • Remove SecureOperation base class and extract security from all operations to separate SecurityOperation class only used in middleware
  • Collapse all security handler factory classes into a single async SecurityHandlerFactory class.
  • Split security and general operation tests.

It's quite a big one, but unfortunately it wasn't possible to split this into smaller PRs that would still pass the tests.

connexion/__init__.py Show resolved Hide resolved
@@ -390,6 +385,17 @@ def function(self):

return function

@property
def _request_response_decorator(self):
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lifted from the removed SecureOperation as it's not actually related to security.

@@ -36,7 +36,6 @@ def test_security(oauth_requests, secure_endpoint_app):
assert get_bye_no_auth.status_code == 401
assert get_bye_no_auth.content_type == 'application/problem+json'
get_bye_no_auth_reponse = json.loads(get_bye_no_auth.data.decode('utf-8', 'replace')) # type: dict
assert get_bye_no_auth_reponse['title'] == 'Unauthorized'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

starlette.HTTPException does not have a title attribute.


monkeypatch.setattr('connexion.security.flask_security_handler_factory.session.get', fake_get)

class FakeClient:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refactored to work with httpx instead of requests.

definitions=DEFINITIONS,
parameter_definitions=PARAMETER_DEFINITIONS,
resolver=Resolver())
assert isinstance(operation.function, types.FunctionType)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed intermediate security checks for tests not related to security.


assert operation.method == 'GET'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use SecurityOperation and remove intermediate checks not related to security for tests related to security.

**kwargs
):
super().__init__(specification, *args, **kwargs)
self.security_handler_factory = SecurityHandlerFactory('context')
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoded pass_context_arg_name here.
Would propose to get rid of the parameter and choose a fixed name, but to do so in a follow-up PR.

@RobbeSneyders RobbeSneyders force-pushed the feature/security-middleware branch from 16d4faf to 3f34999 Compare April 19, 2022 23:02
@RobbeSneyders RobbeSneyders force-pushed the feature/security-middleware branch from 3f34999 to 2ef49d7 Compare April 20, 2022 07:15
@RobbeSneyders RobbeSneyders force-pushed the feature/security-middleware branch from 2ef49d7 to e5dfc52 Compare April 20, 2022 07:37
@coveralls
Copy link

coveralls commented Apr 20, 2022

Pull Request Test Coverage Report for Build 2222571101

  • 189 of 220 (85.91%) changed or added relevant lines in 12 files are covered.
  • 11 unchanged lines in 2 files lost coverage.
  • Overall coverage increased (+1.04%) to 94.332%

Changes Missing Coverage Covered Lines Changed/Added Lines %
connexion/middleware/exceptions.py 5 7 71.43%
connexion/security/security_handler_factory.py 26 30 86.67%
connexion/middleware/security.py 119 144 82.64%
Files with Coverage Reduction New Missed Lines %
connexion/exceptions.py 1 95.12%
connexion/security/security_handler_factory.py 10 79.24%
Totals Coverage Status
Change from base Build 2192132070: 1.04%
Covered Lines: 2713
Relevant Lines: 2876

💛 - Coveralls

Copy link
Member

@Ruwann Ruwann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First review - some initial comments/questions, but still need to go over it again and have a better look at test_operation2.py

connexion/security/security_handler_factory.py Outdated Show resolved Hide resolved
setup.py Outdated Show resolved Hide resolved
connexion/apis/flask_api.py Show resolved Hide resolved
connexion/apis/flask_api.py Outdated Show resolved Hide resolved
connexion/exceptions.py Outdated Show resolved Hide resolved
connexion/middleware/exceptions.py Show resolved Hide resolved
connexion/middleware/security.py Outdated Show resolved Hide resolved
Copy link
Collaborator

@nielsbox nielsbox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed half of the PR, left some questions and nitpicks. Will do the rest this weekend.

connexion/middleware/exceptions.py Show resolved Hide resolved
connexion/middleware/security.py Outdated Show resolved Hide resolved
connexion/middleware/security.py Outdated Show resolved Hide resolved
for path, methods in paths.items():
for method, operation in methods.items():
if method not in METHODS:
continue
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it make more sense to handle this more upstream when parsing the spec? If not, we should warn here that a method is being skipped.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is validated when parsing the spec, but there are other valid keys at this level. For instance for common parameters for a path. We want to skip those.

@RobbeSneyders RobbeSneyders force-pushed the feature/security-middleware branch from c1f076d to d20ef93 Compare April 25, 2022 20:04
@RobbeSneyders
Copy link
Member Author

Thanks @Ruwann @nielsbox, all comments should be addressed.

@RobbeSneyders RobbeSneyders merged commit 4603e06 into main Apr 27, 2022
@RobbeSneyders RobbeSneyders deleted the feature/security-middleware branch April 27, 2022 20:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Is it possible to disable security?
4 participants