Mpt 6538 fix missing bearer token check proceeding with the creation of a cloud account (#30)

* [WIP] Add initial logic for managing DataSources.
Move the service's APIs and files to the API folder.
Add Custom Exceptions to handle DataSources errors

* Add initial check for validating the Bearer Token passed to the POST `modifier/v1/organizations/{org_id/cloud_accounts`.
 This prevents the service from returning a 403 with an indication about a not-allowed cloud type instead of processing the wrong authorization as the first thing.
Change the error returned in the case of a not-allowed cloud type to 400

* Rename valide_authorization to check_user_allowed_to_create_cloud_account
Remove the returned response.
Adjust tests

Author: antoniodimariano

app/api/cloud_account/cloud_accounts_manager.py

@@ -58,7 +58,7 @@ def select_strategy(self):
                 error_code="OE0436",
                 reason=f"{self.type} is not supported",
                 params=[f"{self.type}"],
-                status_code=http_status.HTTP_403_FORBIDDEN,
+                status_code=http_status.HTTP_400_BAD_REQUEST,
             )
 
         strategy_class = self.ALLOWED_PROVIDERS[self.type]

app/api/organizations/api.py

@@ -110,8 +110,16 @@ async def link_cloud_account(
     org_id: str,
     data: AddCloudAccount,
     user_access_token: Annotated[str, Depends(get_bearer_token)],
+    auth_client: Annotated[OptScaleAuth, Depends(get_auth_client)],
 ):
     try:
+        # here, we need to validate the bearer token to ensure that any authorization
+        # related errors will be checked first. In case of an invalid/expired token,
+        # an APIResponseError with a http statu 401 will re raised
+
+        await auth_client.check_user_allowed_to_create_cloud_account(
+            bearer_token=user_access_token, org_id=org_id
+        )
         response = await link_cloud_account_to_org(
             name=data.name,
             type=data.type,

app/optscale_api/auth_api.py

@@ -7,6 +7,7 @@
 from app.core.exceptions import UserAccessTokenError, raise_api_response_exception
 
 AUTH_TOKEN_ENDPOINT = "/auth/v2/tokens"  # nosec B105
+AUTH_TOKEN_AUTHORIZE_ENDPOINT = "/auth/v2/authorize"  # nosec B105"
 logger = logging.getLogger(__name__)
 
 
@@ -34,6 +35,37 @@ class OptScaleAuth:
     def __init__(self):
         self.api_client = APIClient(base_url=settings.opt_scale_api_url)
 
+    async def check_user_allowed_to_create_cloud_account(
+        self, bearer_token: str, org_id: str
+    ) -> None | Exception:
+        """
+         It validates the given bearer_token by making a request
+         to auth/v2/authorize.
+         This is used to protect the /organization/{org_id}/cloud_accounts
+         endpoint from being consumed with a not valid bearer token and fix
+         the following corner case scenario:
+         - Wrong Authentication Bearer Token or an expired one.
+        -  Wrong value in the type field of the payload.
+        Result: The service will return a 403 with an indication about a
+        not-allowed cloud type instead of processing the wrong authorization
+        as the first thing.
+        :param bearer_token: The user access's token
+        :param org_id: The org ID that owned by the user identified by the bearer_token
+        :return:
+        """
+        payload = {
+            "action": "MANAGE_CLOUD_CREDENTIALS",
+            "resource_type": "organization",
+            "uuid": org_id,
+        }
+        headers = build_bearer_token_header(bearer_token=bearer_token)
+        response = await self.api_client.post(
+            endpoint=AUTH_TOKEN_AUTHORIZE_ENDPOINT, headers=headers, data=payload
+        )
+        if response.get("error"):
+            logger.error("Failed validate the given bearer token")
+            return raise_api_response_exception(response)
+
     async def obtain_user_auth_token_with_admin_api_key(
         self, user_id: str, admin_api_key: str
     ) -> str | Exception:

tests/data/data.json

@@ -123,6 +123,22 @@
         "error": "HTTP error: 401 - {\"error\": {\"status_code\": 401, \"error_code\": \"OE0235\", \"reason\": \"Unauthorized\", \"params\": []}}",
         "status_code": 401
       }
+    },
+    "authorize": {
+      "error_response": {"data":
+        {"error": {
+        "error_code": "OA0010", "params": [],
+        "reason": "Token not found", "status_code": 401}},
+        "error": "HTTP error: 401 - {\"error\": {\"status_code\": 401, \"error_code\": \"OA0010\", \"reason\": \"Token not found\", \"params\": []}}",
+        "status_code": 401},
+      "valid_response": {"data":
+      {"assignments": [
+        {"id": "user_id",
+          "resource": "org_id",
+          "role": "Manager",
+          "type": "organization",
+          "user": "peter.parker@spiderman.com"}],
+          "status": "ok"}, "status_code": 200}
     }
   },
   "invitation": {

tests/test_modifier_cloud_accounts_api.py

@@ -8,6 +8,22 @@
     CloudStrategyManager,
 )
 from app.core.exceptions import APIResponseError
+from app.optscale_api.auth_api import OptScaleAuth
+
+
+@pytest.fixture
+def opt_scale_auth():
+    return OptScaleAuth()
+
+
+@pytest.fixture
+def mock_auth_post():
+    patcher = patch.object(
+        OptScaleAuth, "check_user_allowed_to_create_cloud_account", new=AsyncMock()
+    )
+    mock = patcher.start()
+    yield mock
+    patcher.stop()
 
 
 @pytest.fixture
@@ -19,10 +35,10 @@ def mock_add_cloud_account():
 
 
 async def test_link_cloud_account(
-    async_client: AsyncClient,
-    test_data: dict,
-    mock_add_cloud_account,
+    async_client: AsyncClient, test_data: dict, mock_add_cloud_account, mock_auth_post
 ):
+    mock_response = test_data["auth_token"]["authorize"]["valid_response"]
+    mock_auth_post.return_value = mock_response
     payload = test_data["cloud_accounts_conf"]["create"]["data"]["azure"]["conf"]
     mocked_response = {
         "data": test_data["cloud_accounts_conf"]["create"]["data"]["azure"]["response"]
@@ -44,10 +60,10 @@ async def test_link_cloud_account(
 
 
 async def test_create_datasource_with_inject_conf(
-    async_client: AsyncClient,
-    test_data: dict,
-    mock_add_cloud_account,
+    async_client: AsyncClient, test_data: dict, mock_add_cloud_account, mock_auth_post
 ):
+    mock_response = test_data["auth_token"]["authorize"]["valid_response"]
+    mock_auth_post.return_value = mock_response
     payload = test_data["cloud_accounts_conf"]["create"]["data"]["azure"]["conf"]
     mocked_response = {
         "data": test_data["cloud_accounts_conf"]["create"]["data"]["azure"]["response"]
@@ -73,15 +89,18 @@ async def test_not_allowed_datasource_exception_handling(
     test_data: dict,
     caplog,
     mock_add_cloud_account,
+    mock_auth_post,
 ):
+    mock_response = test_data["auth_token"]["authorize"]["valid_response"]
+    mock_auth_post.return_value = mock_response
     payload = test_data["cloud_accounts_conf"]["create"]["data"]["azure"]["conf"]
     payload["type"] = "blalbla"
     response = await async_client.post(
         "/organizations/my_org_id/cloud_accounts",
         json=payload,
         headers={"Authorization": "Bearer good token"},
     )
-    assert response.status_code == 403
+    assert response.status_code == 400
     got = response.json()
     assert got.get("error").get("reason") == "blalbla is not supported"
     assert got.get("error").get("error_code") == "OE0436"
@@ -92,7 +111,10 @@ async def test_exception_handling(
     test_data: dict,
     caplog,
     mock_add_cloud_account,
+    mock_auth_post,
 ):
+    mock_response = test_data["auth_token"]["authorize"]["valid_response"]
+    mock_auth_post.return_value = mock_response
     mock_add_cloud_account.side_effect = APIResponseError(
         title="Error response from OptScale",
         reason="Test Exception",
@@ -121,7 +143,10 @@ async def test_no_auth(
     test_data: dict,
     caplog,
     mock_add_cloud_account,
+    mock_auth_post,
 ):
+    mock_response = test_data["auth_token"]["authorize"]["error_response"]
+    mock_auth_post.return_value = mock_response
     mock_add_cloud_account.side_effect = APIResponseError(
         title="Error response from OptScale",
         reason="Test Exception",

tests/test_optscle_auth_api.py

@@ -25,6 +25,57 @@ def mock_get(mocker, opt_scale_auth):
     return mock_get
 
 
+async def test_authorize_valid_bearer_token(
+    async_client: AsyncClient, test_data: dict, mock_post, opt_scale_auth
+):
+    mock_response = test_data["auth_token"]["authorize"]["valid_response"]
+    mock_post.return_value = mock_response
+    response = await opt_scale_auth.check_user_allowed_to_create_cloud_account(
+        bearer_token="good token", org_id="my_org_id"
+    )
+    assert response is None
+    mock_post.assert_called_once_with(
+        endpoint="/auth/v2/authorize",
+        headers={
+            "Authorization": "Bearer good token",
+        },
+        data={
+            "action": "MANAGE_CLOUD_CREDENTIALS",
+            "resource_type": "organization",
+            "uuid": "my_org_id",
+        },
+    )
+
+
+async def test_authorize_bearer_token_with_error(
+    async_client: AsyncClient, mock_post, test_data: dict, opt_scale_auth, caplog
+):
+    mock_response = test_data["auth_token"]["authorize"]["error_response"]
+    mock_post.return_value = mock_response
+    with caplog.at_level(logging.ERROR):
+        with pytest.raises(APIResponseError) as exc_info:
+            await opt_scale_auth.check_user_allowed_to_create_cloud_account(
+                bearer_token="no good token", org_id="my_org_id"
+            )
+        exception = exc_info.value
+        assert exception.error.get("error_code") == "OA0010"
+        assert exception.error.get("reason") == "Token not found"
+        assert exception.error.get("status_code") == 401
+        # check the logging message printed by the obtain_user_auth_token_with_admin_api_key
+        assert "Failed validate the given bearer token" == caplog.messages[0]
+        mock_post.assert_called_once_with(
+            endpoint="/auth/v2/authorize",
+            headers={
+                "Authorization": "Bearer no good token",
+            },
+            data={
+                "action": "MANAGE_CLOUD_CREDENTIALS",
+                "resource_type": "organization",
+                "uuid": "my_org_id",
+            },
+        )
+
+
 async def test_user_auth_token_with_admin_api_key(
     async_client: AsyncClient, test_data: dict, mock_post, opt_scale_auth
 ):