Use signed cookies in integration tests [RHELDST-8860] #323
Conversation
dichn
force-pushed
the
RHELDST-8860
branch
4 times, most recently
from
0d003c0
to
782ac0b
Compare
|
@negillett @crungehottman @rohanpm |
Yeah, I think a lot of this depends on RHELDST-8859. |
tests/test_utils/utils.py
Outdated
|
|
||
| def generate_cookies(): |
There was a problem hiding this comment.
I've implemented signing code in exodus_lambda/functions/signer.py in #324
There was a problem hiding this comment.
That PR may enable deployment of testing key(s) for the integration tests.
There was a problem hiding this comment.
@negillett
if using the exodus_lambda/functions/signer.py and its signer.cookies_for_policy().
cookies_content = signer.cookies_for_policy(
append="; Secure; Path=/content/; Max-Age=%s"
% int(expiration.total_seconds()),
resource="https://%s/content/*" % domain,
I think it requires integration tests ask for cookies for every request (r = requests.get(url, cookies=TEST_COOKIES))
The AC for integration tests is one cookies for all requests, so maybe not using the new cookies endpoint in #324, WDYT?
CC: @crungehottman @rohanpm
There was a problem hiding this comment.
Yeah, it wasn't the intent of this issue to use the new cookies endpoint for all the tests. (There could be one or two integration tests explicitly targeted at that endpoint though).
In fact, you can't directly use it anyway. Remember the new cookies endpoint is itself protected - you must have a signed URL or cookies in order to get there. So, for exodus-gw => cookies endpoint => any content, that's OK as exodus-gw can generate signed URLs. For the tests, in order to use the cookies endpoint they'd have to replace exodus-gw in that process, meaning there would be two layers of signing unnecessarily. (The only reason we have two layers in the exodus-gw case is that one domain isn't allowed to set cookies for another domain.)
There was a problem hiding this comment.
@dichn,
My point is only that some of the stuff from #324 can be reused here.
I.e., you could adapt the generate_cookies function. Something like this should work;
def generate_test_cookies():
key = os.environ.get("EXODUS_CDN_PRIVATE_KEY")
key_id = os.environ.get("EXODUS_CDN_KEY_ID")
if not key_id or not key:
return {}
signer = Signer(key, key_id)
expiration = datetime.utcnow() + timedelta(minutes=60)
return signer.cookies_for_policy(append="", date_less_than=expiration)
tests/test_utils/utils.py
Outdated
|
|
||
| def generate_cookies(): | ||
| # Env var for using signed cookies | ||
| CDN_PRIVATE_KEY = os.environ.get("EXODUS_CDN_PRIVATE_KEY") |
There was a problem hiding this comment.
Minor: local vars shouldn't be named in all caps. You'd name these CDN_PRIVATE_KEY etc if they were globals, which they aren't.
dichn
force-pushed
the
RHELDST-8860
branch
8 times, most recently
from
7b1cf06
to
79e8616
Compare
|
Status:
|
dichn
force-pushed
the
RHELDST-8860
branch
2 times, most recently
from
a99a207
to
edc06d0
Compare
This works but seems unnecessary. Instead of doing all that to omit/remove resource from the policy, you just needed to add one accepted by all test requests, e.g., "https://*". |
|
@negillett many thanks!!! It works and much simpler than the previous change. |
tests/test_utils/utils.py
Outdated
| # envvar absent, requests will not be signed | ||
| return {} | ||
|
|
||
| # The cookies expire in 1 hour |
There was a problem hiding this comment.
Minor: it's a bit funny to write "expire in 1 hour", then "timedelta(seconds=3600)" when you could just write "timedelta(hours=1)". The main point of that class seems to be it allows you to deal with units other than seconds if you want.
If tests are run without the two env vars "EXODUS_CDN_PRIVATE_KEY" and "EXODUS_CDN_KEY_ID", requests will not be signed.
If tests are run without the two env vars "EXODUS_CDN_PRIVATE_KEY"
and "EXODUS_CDN_PRIVATE_KEY", requests will not be signed.