move shared secret to authorization header (bug 870976)

2013-07-08 11:26:40 -07:00 · 2013-07-08 11:26:40 -07:00 · c8abfa1f79
--- a/migrations/624-shared-secret-waffle.sql
+++ b/migrations/624-shared-secret-waffle.sql
@ -0,0 +1,3 @@
+INSERT INTO waffle_switch_mkt (name, active, created, modified, note)
+VALUES ('shared-secret-in-url', 1, NOW(), NOW(),
+        'Whether to accept the fireplace shared secret as an URL query parameter');
--- a/mkt/api/authentication.py
+++ b/mkt/api/authentication.py
@ -9,6 +9,7 @@ import commonware.log
 from rest_framework.authentication import BaseAuthentication
 from tastypie import http
 from tastypie.authentication import Authentication
+import waffle

 from access.middleware import ACLMiddleware
 from users.models import UserProfile
@ -144,7 +145,13 @@ class OptionalOAuthAuthentication(OAuthAuthentication):
 class SharedSecretAuthentication(Authentication):

    def is_authenticated(self, request, **kwargs):
-        auth = request.GET.get('_user')
+        header = request.META.get('HTTP_AUTHORIZATION', '').split(None, 1)
+        if header and header[0].lower() == 'mkt-shared-secret':
+            auth = header[1]
+        elif waffle.switch_is_active('shared-secret-in-url'):
+            auth = request.GET.get('_user')
+        else:
+            auth = ''
        if not auth:
            log.info('API request made without shared-secret auth token')
            return False
--- a/mkt/api/tests/test_authentication.py
+++ b/mkt/api/tests/test_authentication.py
@ -162,7 +162,8 @@ class TestSharedSecretAuthentication(TestCase):
        self.profile = UserProfile.objects.get(pk=2519)
        self.profile.update(email=self.profile.user.email)

-    def test_session_auth(self):
+    def test_session_auth_query(self):
+        self.create_switch('shared-secret-in-url')
        req = RequestFactory().get('/?_user=cfinke@m.com,56b6f1a3dd735d962c56'
                                   'ce7d8f46e02ec1d4748d2c00c407d75f0969d08bb'
                                   '9c68c31b3371aa8130317815c89e5072e31bb94b4'
@ -171,11 +172,39 @@ class TestSharedSecretAuthentication(TestCase):
        ok_(self.auth.is_authenticated(req))
        eq_(self.profile.user.pk, req.amo_user.pk)

-    def test_failed_session_auth(self):
+    def test_failed_session_auth_query(self):
+        self.create_switch('shared-secret-in-url')
        req = RequestFactory().get('/?_user=bogus')
        ok_(not self.auth.is_authenticated(req))
        assert not getattr(req, 'amo_user', None)

+    def test_session_auth_query_disabled(self):
+        req = RequestFactory().get('/?_user=cfinke@m.com,56b6f1a3dd735d962c56'
+                                   'ce7d8f46e02ec1d4748d2c00c407d75f0969d08bb'
+                                   '9c68c31b3371aa8130317815c89e5072e31bb94b4'
+                                   '121c5c165f3515838d4d6c60c4,165d631d3c3045'
+                                   '458b4516242dad7ae')
+        ok_(not self.auth.is_authenticated(req))
+
+    def test_session_auth(self):
+        req = RequestFactory().get(
+            '/',
+            HTTP_AUTHORIZATION='mkt-shared-secret '
+            'cfinke@m.com,56b6f1a3dd735d962c56'
+            'ce7d8f46e02ec1d4748d2c00c407d75f0969d08bb'
+            '9c68c31b3371aa8130317815c89e5072e31bb94b4'
+            '121c5c165f3515838d4d6c60c4,165d631d3c3045'
+            '458b4516242dad7ae')
+        ok_(self.auth.is_authenticated(req))
+        eq_(self.profile.user.pk, req.amo_user.pk)
+
+    def test_failed_session_auth(self):
+        req = RequestFactory().get(
+            '/',
+            HTTP_AUTHORIZATION='mkt-shared-secret bogus')
+        ok_(not self.auth.is_authenticated(req))
+        assert not getattr(req, 'amo_user', None)
+
    def test_session_auth_no_post(self):
        req = RequestFactory().post('/')
        req.user = self.profile.user
@ -211,11 +240,14 @@ class TestMultipleAuthentication(TestCase):
        self.profile.update(email=self.profile.user.email)

    def test_single(self):
-        req = RequestFactory().get('/?_user=cfinke@m.com,56b6f1a3dd735d962c56'
-                                   'ce7d8f46e02ec1d4748d2c00c407d75f0969d08bb'
-                                   '9c68c31b3371aa8130317815c89e5072e31bb94b4'
-                                   '121c5c165f3515838d4d6c60c4,165d631d3c3045'
-                                   '458b4516242dad7ae')
+        req = RequestFactory().get(
+            '/',
+            HTTP_AUTHORIZATION='mkt-shared-secret '
+            'cfinke@m.com,56b6f1a3dd735d962c56'
+            'ce7d8f46e02ec1d4748d2c00c407d75f0969d08bb'
+            '9c68c31b3371aa8130317815c89e5072e31bb94b4'
+            '121c5c165f3515838d4d6c60c4,165d631d3c3045'
+            '458b4516242dad7ae')
        self.resource._meta.authentication = (
                authentication.SharedSecretAuthentication())
        eq_(self.resource.is_authenticated(req), None)