
Test creation of API keys for other principals #609

Merged: 7 commits into bluesky:main, Nov 28, 2023

Conversation

padraic-shafer (Contributor)

This PR adds a test to verify that an admin can create API keys using the route /principal/{uuid}/apikey and that non-admins cannot. This test also verifies that a user cannot bypass the scopes checks by passing an empty scopes list when creating an API key and/or when requesting an admin resource.

The test is fairly long (in lines of code, not in execution speed). I could probably break it into several individual tests that are backed by some common fixtures. Do you have advice on keeping this more concise or clear?
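The authorization rules the PR's test exercises, modelled as an added Python example that is not tiled's own code: an admin may mint API keys for another principal, a non-admin may not, and an empty scopes list never widens access. The scope names, the in-memory store, the `issue_login_key` helper and `run_story` are assumptions for this illustration, not tiled's API.

```python
"""Added example, not tiled's code: a minimal model of API-key minting rules.

Assumed semantics (not from the PR): a principal has a set of granted scopes;
an API key's scopes are a subset of its principal's; "admin:apikeys" marks an
admin; an empty scopes request means "everything the caller is allowed",
never "everything".
"""
import secrets
from dataclasses import dataclass

ADMIN_SCOPE = "admin:apikeys"  # assumed scope name
READ_SCOPE = "read:data"       # assumed scope name


@dataclass(frozen=True)
class Principal:
    uuid: str
    scopes: frozenset  # scopes granted to the principal by policy


@dataclass(frozen=True)
class ApiKey:
    secret: str
    principal_uuid: str
    scopes: frozenset  # effective scopes of this key


class Forbidden(Exception):
    """Authorization failure; a real server would answer 403."""


class ApiKeyStore:
    """Stand-in for the server-side store behind /principal/{uuid}/apikey."""

    def __init__(self, principals):
        self._principals = {p.uuid: p for p in principals}
        self._keys = {}

    def issue_login_key(self, principal):
        # Key a principal obtains by logging in: its full set of scopes.
        return self._store(principal, principal.scopes)

    def _store(self, principal, scopes):
        key = ApiKey(secrets.token_hex(16), principal.uuid, frozenset(scopes))
        self._keys[key.secret] = key
        return key

    def _lookup(self, secret):
        key = self._keys.get(secret)
        if key is None:
            raise Forbidden("unknown API key")
        return key

    def create_api_key(self, caller_secret, target_uuid, scopes=()):
        """Model of POST /principal/{uuid}/apikey with a scopes list."""
        caller = self._lookup(caller_secret)
        target = self._principals[target_uuid]
        # Rule 1: acting on another principal requires the admin scope.
        if target.uuid != caller.principal_uuid and ADMIN_SCOPE not in caller.scopes:
            raise Forbidden("only admins may create API keys for other principals")
        # Rule 2: the new key is capped by the target's scopes, and when minting
        # for oneself also by the caller's key, so a restricted key cannot mint
        # a broader one.
        ceiling = target.scopes
        if target.uuid == caller.principal_uuid:
            ceiling &= caller.scopes
        # Rule 3: an empty request resolves to the cap, not to unrestricted.
        effective = frozenset(scopes) or ceiling
        if not effective <= ceiling:
            raise Forbidden(f"scopes exceed cap: {sorted(effective - ceiling)}")
        return self._store(target, effective)

    def authorize(self, secret, required_scope):
        """Gate in front of a resource; returns the acting principal's uuid."""
        key = self._lookup(secret)
        if required_scope not in key.scopes:
            raise Forbidden(f"missing scope {required_scope}")
        return key.principal_uuid


def _attempt(fn):
    try:
        fn()
        return "allowed"
    except Forbidden:
        return "forbidden"


def run_story():
    """Walk the cases the PR's test tells; returns outcomes keyed by case."""
    admin = Principal("admin-uuid", frozenset({ADMIN_SCOPE, READ_SCOPE}))
    user = Principal("user-uuid", frozenset({READ_SCOPE}))
    store = ApiKeyStore([admin, user])
    admin_key = store.issue_login_key(admin)
    user_key = store.issue_login_key(user)
    out = {}
    # Admin mints a key for the user with an empty list: the user's own scopes.
    out["admin_mints_for_user"] = set(store.create_api_key(admin_key.secret, user.uuid, []).scopes)
    # Non-admin tries to mint a key for the admin.
    out["user_mints_for_admin"] = _attempt(lambda: store.create_api_key(user_key.secret, admin.uuid, []))
    # User mints a key for itself with an empty list: no escalation.
    self_key = store.create_api_key(user_key.secret, user.uuid, [])
    out["user_self_key_has_admin"] = ADMIN_SCOPE in self_key.scopes
    # User asks for the admin scope explicitly.
    out["user_requests_admin_scope"] = _attempt(lambda: store.create_api_key(user_key.secret, user.uuid, [ADMIN_SCOPE]))
    # Admin-only resource with the user's self-minted key, then with the admin key.
    out["user_reads_admin_resource"] = _attempt(lambda: store.authorize(self_key.secret, ADMIN_SCOPE))
    out["admin_reads_admin_resource"] = store.authorize(admin_key.secret, ADMIN_SCOPE)
    return out
```

Each entry returned by `run_story()` corresponds to one of the small tests the PR ends up with; the cap-by-caller-key rule is the piece that turns "empty scopes" from a bypass into a no-op.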

danielballan (Member) commented Nov 20, 2023

To my taste, a long-ish test that "tells a story" is more readable than lots of small tests that tell part of a story. This one is borderline too long, I agree, but I don't see a clean place to break it out or any obvious reusable abstraction that would be a natural fixture.

I do wonder if we should take this moment to promote create_api_key_other_principal to a method on Context. (I mentioned on Slack that I've found reasons to do this, and I usually end up doing it via the Swagger UI or via the http CLI, writing URLs by hand.)

I had in the back of my mind the idea of making an admin namespace hanging off of context, like c.context.admin.create_api_key_other_principal. First, this makes the c.context.<TAB> namespace less cluttered with methods that will not be applicable to most users. Second, it communicates that not just any user can impersonate another user, which might otherwise prompt confusion or concern.

padraic-shafer (Contributor, Author)

> I had in the back of my mind the idea of making an admin namespace hanging off of context, like c.context.admin.create_api_key_other_principal. First, this makes the c.context.<TAB> namespace less cluttered with methods that will not be applicable to most users. Second, it communicates that not just any user can impersonate another user, which might otherwise prompt confusion or concern.

This sounds like a good idea to me.

padraic-shafer (Contributor, Author)

> To my taste, a long-ish test that "tells a story" is more readable than lots of small tests that tell part of a story. This one is borderline too long, I agree, but I don't see a clean place to break it out or any obvious reusable abstraction that would be a natural fixture.

Thanks for affirming this. I have two thoughts on how to simplify this, without too much effort. I'm out of time for now though. I'll move this PR to draft and attempt to resume it later this week.

@padraic-shafer padraic-shafer marked this pull request as draft November 20, 2023 23:21
padraic-shafer (Contributor, Author)

I've split the new long test into several smaller tests, that I think are easier to digest. This PR is ready for review.

@padraic-shafer padraic-shafer marked this pull request as ready for review November 22, 2023 19:10
danielballan (Member) left a review comment

This is good.

I left some suggestions for future-proofing and streamlining a bit.

Review comments were left on tiled/_tests/test_authentication.py (five, four of them since outdated) and tiled/_tests/utils.py (one); all are resolved.
padraic-shafer (Contributor, Author)

Thanks for the reviews! I'll make these changes.

* Applied suggested changes from PR review
* Use `context.api_key` to send API key via request headers,
  rather than via URL query parameters
* Pass query parameters as dict using httpx request argument
padraic-shafer (Contributor, Author)

@danielballan All recommendations have been incorporated. This is ready for review.

@danielballan danielballan merged commit 978ff09 into bluesky:main Nov 28, 2023
8 checks passed