Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extract security to middleware #1514

Merged
merged 12 commits into from
Apr 27, 2022
Merged

Extract security to middleware #1514

merged 12 commits into from
Apr 27, 2022

Conversation

RobbeSneyders
Copy link
Member

Part of #1489.
Fixes #1120.

This PR adds the SecurityMiddleware, which checks the security for incoming requests.

Changes proposed in this pull request:

  • Extract security from AbstractAPI and FlaskApi to SecurityApi
  • Replace werkzeug exceptions with starlette.HTTPException subclasses
  • Remove SecureOperation base class and extract security from all operations to separate SecurityOperation class only used in middleware
  • Collapse all security handler factory classes into a single async SecurityHandlerFactory class.
  • Split security and general operation tests.

It's quite a big one, but unfortunately it wasn't possible to split this into smaller PRs that would still pass the tests.

RobbeSneyders
RobbeSneyders commented Apr 19, 2022
View reviewed changes
connexion/__init__.py Show resolved Hide resolved
connexion/operations/abstract.py
@@ -390,6 +385,17 @@ def function(self):

return function

@property
def _request_response_decorator(self):
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lifted from the removed SecureOperation as it's not actually related to security.

tests/api/test_secure_api.py
@@ -36,7 +36,6 @@ def test_security(oauth_requests, secure_endpoint_app):
assert get_bye_no_auth.status_code == 401
assert get_bye_no_auth.content_type == 'application/problem+json'
get_bye_no_auth_reponse = json.loads(get_bye_no_auth.data.decode('utf-8', 'replace')) # type: dict
assert get_bye_no_auth_reponse['title'] == 'Unauthorized'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

starlette.HTTPException does not have a title attribute.

tests/conftest.py

monkeypatch.setattr('connexion.security.flask_security_handler_factory.session.get', fake_get)

class FakeClient:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refactored to work with httpx instead of requests.

tests/test_operation2.py
definitions=DEFINITIONS,
parameter_definitions=PARAMETER_DEFINITIONS,
resolver=Resolver())
assert isinstance(operation.function, types.FunctionType)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed intermediate security checks for tests not related to security.

tests/test_operation2.py

assert operation.method == 'GET'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use SecurityOperation and remove intermediate checks not related to security for tests related to security.

connexion/middleware/security.py
**kwargs
):
super().__init__(specification, *args, **kwargs)
self.security_handler_factory = SecurityHandlerFactory('context')
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoded pass_context_arg_name here.
Would propose to get rid of the parameter and choose a fixed name, but to do so in a follow-up PR.

@coveralls
Copy link

coveralls commented Apr 20, 2022
edited

Pull Request Test Coverage Report for Build 2222571101

  • 189 of 220 (85.91%) changed or added relevant lines in 12 files are covered.
  • 11 unchanged lines in 2 files lost coverage.
  • Overall coverage increased (+1.04%) to 94.332%
Changes Missing Coverage Covered Lines Changed/Added Lines %
connexion/middleware/exceptions.py 5 7 71.43%
connexion/security/security_handler_factory.py 26 30 86.67%
connexion/middleware/security.py 119 144 82.64%
Files with Coverage Reduction New Missed Lines %
connexion/exceptions.py 1 95.12%
connexion/security/security_handler_factory.py 10 79.24%
Totals Coverage Status
Change from base Build 2192132070: 1.04%
Covered Lines: 2713
Relevant Lines: 2876
💛 - Coveralls

@RobbeSneyders RobbeSneyders mentioned this pull request Apr 20, 2022
Closed
6 tasks
Ruwann
Ruwann reviewed Apr 20, 2022
View reviewed changes
Copy link
Member

@Ruwann Ruwann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First review - some initial comments/questions, but still need to go over it again and have a better look at test_operation2.py

connexion/security/security_handler_factory.py Outdated Show resolved Hide resolved
setup.py Outdated Show resolved Hide resolved
connexion/apis/flask_api.py Show resolved Hide resolved
connexion/apis/flask_api.py Outdated Show resolved Hide resolved
connexion/exceptions.py Outdated Show resolved Hide resolved
connexion/middleware/exceptions.py Show resolved Hide resolved
connexion/security/security_handler_factory.py Show resolved Hide resolved
connexion/middleware/security.py Outdated Show resolved Hide resolved
nielsbox
nielsbox reviewed Apr 22, 2022
View reviewed changes
Copy link
Collaborator

@nielsbox nielsbox left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed half of the PR, left some questions and nitpicks. Will do the rest this weekend.

connexion/middleware/exceptions.py Show resolved Hide resolved
connexion/middleware/security.py Outdated Show resolved Hide resolved
connexion/middleware/security.py Outdated Show resolved Hide resolved
connexion/middleware/security.py
for path, methods in paths.items():
for method, operation in methods.items():
if method not in METHODS:
continue
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it make more sense to handle this more upstream when parsing the spec? If not, we should warn here that a method is being skipped.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is validated when parsing the spec, but there are other valid keys at this level. For instance for common parameters for a path. We want to skip those.

@RobbeSneyders
Copy link
Member Author

Thanks @Ruwann @nielsbox, all comments should be addressed.

@RobbeSneyders RobbeSneyders merged commit 4603e06 into main Apr 27, 2022
@RobbeSneyders RobbeSneyders deleted the feature/security-middleware branch April 27, 2022 20:20
@RobbeSneyders RobbeSneyders mentioned this pull request May 10, 2022
Merged
@RobbeSneyders RobbeSneyders mentioned this pull request Jun 11, 2022
Merged
@RobbeSneyders RobbeSneyders mentioned this pull request Feb 18, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ruwann Ruwann Ruwann left review comments

@nielsbox nielsbox nielsbox approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Is it possible to disable security?
4 participants
@RobbeSneyders @coveralls @Ruwann @nielsbox