
Commit 74cc71b

Merge pull request #4976 from linuxfoundation/unicron-4975-make-v2-user-require-auth-token
Add token requirement for /v2/user/{uuid} API
2 parents 09a01ca + 3771bfe commit 74cc71b

4 files changed

Lines changed: 48 additions & 15 deletions


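--- a/cla-backend/cla/routes.py
+++ b/cla-backend/cla/routes.py
@@ -652,7 +652,7 @@ def get_health(request):
 
 # LG: This is ported to golang and no longer used in dev (still used in prod)
 @hug.get("/user/{user_id}", versions=2)
-def get_user(user_id: hug.types.uuid):
+def get_user(auth_user: check_auth, user_id: hug.types.uuid):
     """
     GET: /user/{user_id}
 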
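Review bot: The new `auth_user` parameter is not referenced in the visible lines of `get_user`, and the docstring at the `GET: /user/{user_id}` line still says nothing about the endpoint now requiring a bearer token. If `auth_user` exists only so that hug runs the `check_auth` directive, state that in the docstring, e.g. add `Requires a valid bearer token (enforced by check_auth); auth_user is not otherwise used.` The comment above the route says this handler is still served in prod, so existing unauthenticated callers will start receiving 401 responses, which is worth naming in the docstring as well. The body of get_user continues outside the hunk.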

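--- a/tests/functional/cypress/e2e/v2/user.cy.ts
+++ b/tests/functional/cypress/e2e/v2/user.cy.ts
@@ -29,12 +29,15 @@ describe('To Validate & test User APIs via API call (V2)', function () {
   // POSITIVE TEST CASES - EXPECT ONLY 2xx STATUS CODES
   // ============================================================================
 
-  it('GET /user/{user_id} - Get user by ID (No authentication required)', function () {
+  it('GET /user/{user_id} - Get user by ID (Requires authentication)', function () {
     cy.request({
       method: 'GET',
       url: `${claEndpoint}user/${validUserID}`,
       timeout: timeout,
       failOnStatusCode: allowFail,
+      headers: {
+        Authorization: `Bearer ${bearerToken}`,
+      },
     }).then((response) => {
       return cy.logJson('GET /user/{user_id} response', response).then(() => {
         validate_200_Status(response);
@@ -101,6 +104,7 @@ describe('To Validate & test User APIs via API call (V2)', function () {
   describe('Expected failures', () => {
     it('Returns 401 for User APIs that require authentication when called without token', () => {
       const authenticatedEndpoints = [
+        { method: 'GET', url: `${claEndpoint}user/${validUserID}` },
         { method: 'GET', url: `${claEndpoint}user-from-token` },
         { method: 'POST', url: `${claEndpoint}clear-cache` },
       ];
@@ -133,12 +137,14 @@ describe('To Validate & test User APIs via API call (V2)', function () {
         expectedCode?: number;
         expectedMessage?: string;
         expectedMessageContains?: boolean;
+        headers?: any;
       }> = [
         {
           title: 'GET /user/{user_id} with invalid UUID format',
           method: 'GET',
           url: `${claEndpoint}user/invalid-uuid`,
           expectedStatus: 400,
+          headers: { Authorization: `Bearer ${bearerToken}` },
         },
         {
           title: 'POST /user/{user_id}/request-company-whitelist/{company_id} with missing parameters',
@@ -181,6 +187,7 @@ describe('To Validate & test User APIs via API call (V2)', function () {
           method: c.method,
           url: c.url,
           body: c.body,
+          headers: c.headers,
           failOnStatusCode: false,
           timeout,
         })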
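Review bot: `headers?: any;` in the case-table type widens the field to untyped values, while the only value assigned in this hunk is an object of string fields; `headers?: Record<string, string>;` keeps the same flexibility and lets the compiler catch a misspelled `Authorization` key. The positive test and the invalid-UUID case now depend on `bearerToken` being populated before the suite runs; if that variable is obtained in a `before` hook outside these hunks, a fail-fast guard with a clear message when it is empty would stop an unexpected 401 from being reported as a wrong-status failure. The enclosing `describe` blocks start and end outside the hunks.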

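--- a/tests/py2go/api_test.go
+++ b/tests/py2go/api_test.go
@@ -927,18 +927,35 @@ func TestAllUserActiveSignatureAPI(t *testing.T) {
 	}
 }
 
-func runUserCompatAPIForUser(t *testing.T, userId string) {
-	apiURL := PY_API_URL + fmt.Sprintf(UserCompatAPIPath[0], userId)
-	Debugf("Py API call: %s\n", apiURL)
-	oldResp, err := http.Get(apiURL)
+func authGet(t *testing.T, apiURL string) *http.Response {
+	t.Helper()
+	if TOKEN == "" {
+		t.Fatalf("TOKEN environment variable is required for authenticated /v2/user tests")
+	}
+	req, err := http.NewRequest("GET", apiURL, nil)
+	if err != nil {
+		t.Fatalf("Failed to create request: %v", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+TOKEN)
+	if XACL != "" {
+		req.Header.Set("X-ACL", XACL)
+	}
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("Failed to call API: %v", err)
 	}
+	return resp
+}
+
+func runUserCompatAPIForUser(t *testing.T, userId string) {
+	apiURL := PY_API_URL + fmt.Sprintf(UserCompatAPIPath[0], userId)
+	Debugf("Py API call: %s\n", apiURL)
+	oldResp := authGet(t, apiURL)
 	assert.Equal(t, http.StatusOK, oldResp.StatusCode, "Expected 200 from PY API")
 	defer oldResp.Body.Close()
 	oldBody, _ := io.ReadAll(oldResp.Body)
 	var oldJSON interface{}
-	err = json.Unmarshal(oldBody, &oldJSON)
+	err := json.Unmarshal(oldBody, &oldJSON)
 	assert.NoError(t, err)
 	Debugf("Py raw response: %+v\n", string(oldBody))
 	Debugf("Py response: %+v\n", oldJSON)
@@ -985,15 +1002,12 @@ func runUserCompatAPIForUser(t *testing.T, userId string) {
 func runUserCompatAPIForUserExpectFail(t *testing.T, userId string) {
 	apiURL := PY_API_URL + fmt.Sprintf(UserCompatAPIPath[0], userId)
 	Debugf("Py API call: %s\n", apiURL)
-	oldResp, err := http.Get(apiURL)
-	if err != nil {
-		t.Fatalf("Failed to call API: %v", err)
-	}
+	oldResp := authGet(t, apiURL)
 	assert.Equal(t, http.StatusBadRequest, oldResp.StatusCode, "Expected 400 from Py API")
 	defer oldResp.Body.Close()
 	oldBody, _ := io.ReadAll(oldResp.Body)
 	var oldJSON interface{}
-	err = json.Unmarshal(oldBody, &oldJSON)
+	err := json.Unmarshal(oldBody, &oldJSON)
 	assert.NoError(t, err)
 	Debugf("Py raw response: %+v\n", string(oldBody))
 	Debugf("Py response: %+v\n", oldJSON)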
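Review bot: `authGet` has no doc comment and sends the request through `http.DefaultClient`, which carries no timeout, so a hung Python API stalls the whole test binary rather than failing this case; a package-level `var apiClient = &http.Client{Timeout: 30 * time.Second}` used in place of `http.DefaultClient` would bound that (the replaced `http.Get` had the same gap, so this is pre-existing rather than introduced here). Add `// authGet issues a GET to apiURL with the bearer TOKEN (and X-ACL when set) and fails the test if TOKEN is empty or the request cannot be sent; the caller owns the returned body.` above the function. The fatal message calls TOKEN an environment variable, which this hunk cannot confirm since TOKEN and XACL are defined elsewhere — if they come from another source, word the message to match. Both `runUserCompatAPIForUser` and `runUserCompatAPIForUserExpectFail` in the second hunk continue outside their hunks.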

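--- a/utils/get_user_py.sh
+++ b/utils/get_user_py.sh
@@ -8,6 +8,18 @@ then
 fi
 export user_id="$1"
 
+if [ -z "$TOKEN" ]
+then
+    # source ./auth0_token.secret
+    TOKEN="$(cat ./auth0.token.secret)"
+fi
+
+if [ -z "$TOKEN" ]
+then
+    echo "$0: TOKEN not specified and unable to obtain one"
+    exit 1
+fi
+
 if [ -z "$API_URL" ]
 then
     export API_URL="http://localhost:5000"
@@ -17,8 +29,8 @@ API="${API_URL}/v2/user/${user_id}"
 
 if [ ! -z "$DEBUG" ]
 then
-    echo "curl -s -XGET -H \"Content-Type: application/json\" \"${API}\""
-    curl -s -XGET -H "Content-Type: application/json" "${API}"
+    echo "curl -s -XGET -H \"Authorization: Bearer ${TOKEN}\" -H \"Content-Type: application/json\" \"${API}\""
+    curl -s -XGET -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" "${API}"
 else
-    curl -s -XGET -H "Content-Type: application/json" "${API}" | jq -r '.'
+    curl -s -XGET -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" "${API}" | jq -r '.'
 fi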
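Review bot: The DEBUG branch echoes the expanded `${TOKEN}` to stdout, so enabling DEBUG writes the live bearer token into terminal scrollback and any captured CI log; print the variable name instead, `echo "curl -s -XGET -H \"Authorization: Bearer \${TOKEN}\" -H \"Content-Type: application/json\" \"${API}\""`. The fallback `TOKEN="$(cat ./auth0.token.secret)"` reads a path relative to the caller's working directory and lets `cat` print its own error before the script's "unable to obtain one" message when the file is missing; `TOKEN="$(cat ./auth0.token.secret 2>/dev/null)"` or an explicit `[ -r ./auth0.token.secret ]` check keeps a single clear failure. The commented-out `# source ./auth0_token.secret` names a different file (`auth0_token` versus `auth0.token`) from the line that replaced it, which looks like a stale note worth deleting or correcting.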
