Merge pull request #4976 from linuxfoundation/unicron-4975-make-v2-user-require-auth-token

Add token requirement for /v2/user/{uuid} API

Author: lukaszgryglicki

cla-backend/cla/routes.py

@@ -652,7 +652,7 @@ def get_health(request):
 
 # LG: This is ported to golang and no longer used in dev (still used in prod)
 @hug.get("/user/{user_id}", versions=2)
-def get_user(user_id: hug.types.uuid):
+def get_user(auth_user: check_auth, user_id: hug.types.uuid):
     """
     GET: /user/{user_id}
 

tests/functional/cypress/e2e/v2/user.cy.ts

@@ -29,12 +29,15 @@ describe('To Validate & test User APIs via API call (V2)', function () {
   // POSITIVE TEST CASES - EXPECT ONLY 2xx STATUS CODES
   // ============================================================================
 
-  it('GET /user/{user_id} - Get user by ID (No authentication required)', function () {
+  it('GET /user/{user_id} - Get user by ID (Requires authentication)', function () {
     cy.request({
       method: 'GET',
       url: `${claEndpoint}user/${validUserID}`,
       timeout: timeout,
       failOnStatusCode: allowFail,
+      headers: {
+        Authorization: `Bearer ${bearerToken}`,
+      },
     }).then((response) => {
       return cy.logJson('GET /user/{user_id} response', response).then(() => {
         validate_200_Status(response);
@@ -101,6 +104,7 @@ describe('To Validate & test User APIs via API call (V2)', function () {
   describe('Expected failures', () => {
     it('Returns 401 for User APIs that require authentication when called without token', () => {
       const authenticatedEndpoints = [
+        { method: 'GET', url: `${claEndpoint}user/${validUserID}` },
         { method: 'GET', url: `${claEndpoint}user-from-token` },
         { method: 'POST', url: `${claEndpoint}clear-cache` },
       ];
@@ -133,12 +137,14 @@ describe('To Validate & test User APIs via API call (V2)', function () {
         expectedCode?: number;
         expectedMessage?: string;
         expectedMessageContains?: boolean;
+        headers?: any;
       }> = [
         {
           title: 'GET /user/{user_id} with invalid UUID format',
           method: 'GET',
           url: `${claEndpoint}user/invalid-uuid`,
           expectedStatus: 400,
+          headers: { Authorization: `Bearer ${bearerToken}` },
         },
         {
           title: 'POST /user/{user_id}/request-company-whitelist/{company_id} with missing parameters',
@@ -181,6 +187,7 @@ describe('To Validate & test User APIs via API call (V2)', function () {
             method: c.method,
             url: c.url,
             body: c.body,
+            headers: c.headers,
             failOnStatusCode: false,
             timeout,
           })

tests/py2go/api_test.go

@@ -927,18 +927,35 @@ func TestAllUserActiveSignatureAPI(t *testing.T) {
 	}
 }
 
-func runUserCompatAPIForUser(t *testing.T, userId string) {
-	apiURL := PY_API_URL + fmt.Sprintf(UserCompatAPIPath[0], userId)
-	Debugf("Py API call: %s\n", apiURL)
-	oldResp, err := http.Get(apiURL)
+func authGet(t *testing.T, apiURL string) *http.Response {
+	t.Helper()
+	if TOKEN == "" {
+		t.Fatalf("TOKEN environment variable is required for authenticated /v2/user tests")
+	}
+	req, err := http.NewRequest("GET", apiURL, nil)
+	if err != nil {
+		t.Fatalf("Failed to create request: %v", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+TOKEN)
+	if XACL != "" {
+		req.Header.Set("X-ACL", XACL)
+	}
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("Failed to call API: %v", err)
 	}
+	return resp
+}
+
+func runUserCompatAPIForUser(t *testing.T, userId string) {
+	apiURL := PY_API_URL + fmt.Sprintf(UserCompatAPIPath[0], userId)
+	Debugf("Py API call: %s\n", apiURL)
+	oldResp := authGet(t, apiURL)
 	assert.Equal(t, http.StatusOK, oldResp.StatusCode, "Expected 200 from PY API")
 	defer oldResp.Body.Close()
 	oldBody, _ := io.ReadAll(oldResp.Body)
 	var oldJSON interface{}
-	err = json.Unmarshal(oldBody, &oldJSON)
+	err := json.Unmarshal(oldBody, &oldJSON)
 	assert.NoError(t, err)
 	Debugf("Py raw response: %+v\n", string(oldBody))
 	Debugf("Py response: %+v\n", oldJSON)
@@ -985,15 +1002,12 @@ func runUserCompatAPIForUser(t *testing.T, userId string) {
 func runUserCompatAPIForUserExpectFail(t *testing.T, userId string) {
 	apiURL := PY_API_URL + fmt.Sprintf(UserCompatAPIPath[0], userId)
 	Debugf("Py API call: %s\n", apiURL)
-	oldResp, err := http.Get(apiURL)
-	if err != nil {
-		t.Fatalf("Failed to call API: %v", err)
-	}
+	oldResp := authGet(t, apiURL)
 	assert.Equal(t, http.StatusBadRequest, oldResp.StatusCode, "Expected 400 from Py API")
 	defer oldResp.Body.Close()
 	oldBody, _ := io.ReadAll(oldResp.Body)
 	var oldJSON interface{}
-	err = json.Unmarshal(oldBody, &oldJSON)
+	err := json.Unmarshal(oldBody, &oldJSON)
 	assert.NoError(t, err)
 	Debugf("Py raw response: %+v\n", string(oldBody))
 	Debugf("Py response: %+v\n", oldJSON)

utils/get_user_py.sh

@@ -8,6 +8,18 @@ then
 fi
 export user_id="$1"
 
+if [ -z "$TOKEN" ]
+then
+  # source ./auth0_token.secret
+  TOKEN="$(cat ./auth0.token.secret)"
+fi
+
+if [ -z "$TOKEN" ]
+then
+  echo "$0: TOKEN not specified and unable to obtain one"
+  exit 1
+fi
+
 if [ -z "$API_URL" ]
 then
   export API_URL="http://localhost:5000"
@@ -17,8 +29,8 @@ API="${API_URL}/v2/user/${user_id}"
 
 if [ ! -z "$DEBUG" ]
 then
-  echo "curl -s -XGET -H \"Content-Type: application/json\" \"${API}\""
-  curl -s -XGET -H "Content-Type: application/json" "${API}"
+  echo "curl -s -XGET -H \"Authorization: Bearer ${TOKEN}\" -H \"Content-Type: application/json\" \"${API}\""
+  curl -s -XGET -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" "${API}"
 else
-  curl -s -XGET -H "Content-Type: application/json" "${API}" | jq -r '.'
+  curl -s -XGET -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" "${API}" | jq -r '.'
 fi