bug: Trap for missing Vapid AUTH header token

* Fix some flake8 spacing closes #902
mozilla-services · May 23, 2017 · 2fccec6 · 2fccec6
1 parent e6081e8
commit 2fccec6
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 22 deletions.
diff --git a/autopush/tests/test_endpoint.py b/autopush/tests/test_endpoint.py
@@ -423,10 +423,10 @@ def test_no_auth(self):
     @inlineCallbacks
     def test_bad_body(self):
         resp = yield self.client.post(
-                self.url(router_type="webpush",
-                         uaid=dummy_uaid.hex,
-                         chid=str(dummy_chid)),
-                body="{invalid"
+            self.url(router_type="webpush",
+                     uaid=dummy_uaid.hex,
+                     chid=str(dummy_chid)),
+            body="{invalid"
         )
         self._check_error(resp, 401, 108, "Unauthorized")
 
@@ -534,9 +534,9 @@ def test_put(self, *args):
 
         uri = self.url(router_type='test', uaid=dummy_uaid.hex)
         resp = yield self.client.put(
-                uri,
-                headers={"Authorization": self.auth},
-                body=json.dumps(data),
+            uri,
+            headers={"Authorization": self.auth},
+            body=json.dumps(data),
         )
         payload = json.loads(resp.content)
         eq_(payload, {})
@@ -556,8 +556,8 @@ def test_put_bad_auth(self, *args):
         self.patch('uuid.uuid4', return_value=dummy_uaid)
 
         resp = yield self.client.put(
-                self.url(router_type="test", uaid=dummy_uaid.hex),
-                headers={"Authorization": "Fred Smith"}
+            self.url(router_type="test", uaid=dummy_uaid.hex),
+            headers={"Authorization": "Fred Smith"}
         )
         self._check_error(resp, 401, 109, "Unauthorized")
 
@@ -566,12 +566,12 @@ def test_put_bad_arguments(self, *args):
         self.patch('uuid.uuid4', return_value=dummy_chid)
 
         resp = yield self.client.put(
-                self.url(router_type='foo', uaid=dummy_uaid.hex),
-                headers={"Authorization": self.auth},
-                body=json.dumps(dict(
-                    type="test",
-                    data=dict(token="some_token"),
-                ))
+            self.url(router_type='foo', uaid=dummy_uaid.hex),
+            headers={"Authorization": self.auth},
+            body=json.dumps(dict(
+                type="test",
+                data=dict(token="some_token"),
+            ))
         )
         self._check_error(resp, 400, 108, "Bad Request")
 
@@ -693,10 +693,10 @@ def test_get(self):
         self.settings.message.all_channels = Mock()
         self.settings.message.all_channels.return_value = (True, chids)
         resp = yield self.client.get(
-                self.url(router_type="test",
-                         router_token="test",
-                         uaid=dummy_uaid.hex),
-                headers={"Authorization": self.auth}
+            self.url(router_type="test",
+                     router_token="test",
+                     uaid=dummy_uaid.hex),
+            headers={"Authorization": self.auth}
         )
         self.settings.message.all_channels.assert_called_with(str(dummy_uaid))
         payload = json.loads(resp.content)
@@ -706,7 +706,7 @@ def test_get(self):
     @inlineCallbacks
     def test_get_no_uaid(self):
         resp = yield self.client.get(
-                self.url(router_type="test", router_token="test"),
-                headers={"Authorization": self.auth}
+            self.url(router_type="test", router_token="test"),
+            headers={"Authorization": self.auth}
         )
         eq_(resp.get_status(), 410)
diff --git a/autopush/tests/test_integration.py b/autopush/tests/test_integration.py
@@ -934,6 +934,18 @@ def test_basic_delivery_with_invalid_vapid_exp(self):
             status=401)
         yield self.shut_down(client)
 
+    @inlineCallbacks
+    def test_basic_delivery_with_invalid_vapid_auth(self):
+        data = str(uuid.uuid4())
+        client = yield self.quick_register(use_webpush=True)
+        vapid_info = _get_vapid()
+        vapid_info['auth'] = ""
+        yield client.send_notification(
+            data=data,
+            vapid=vapid_info,
+            status=401)
+        yield self.shut_down(client)
+
     @inlineCallbacks
     def test_basic_delivery_with_invalid_signature(self):
         data = str(uuid.uuid4())

diff --git a/autopush/utils.py b/autopush/utils.py
@@ -566,6 +566,8 @@ def websocket_format(self):
 def parse_auth_header(header):
     vapid_auth = {}
     scheme_bits = header.split(' ', 1)
+    if len(scheme_bits) < 2:
+        raise VapidAuthException("Missing Auth Token")
     scheme = scheme_bits[0].lower()
     if scheme not in AUTH_SCHEMES:
         return vapid_auth

diff --git a/autopush/web/webpush.py b/autopush/web/webpush.py
@@ -327,7 +327,8 @@ def validate_auth(self, d):
             else:
                 public_key = d["subscription"].get("public_key")
             jwt = extract_jwt(token, public_key)
-        except (KeyError, ValueError, InvalidSignature, TypeError):
+        except (KeyError, ValueError, InvalidSignature, TypeError,
+                VapidAuthException):
             raise InvalidRequest("Invalid Authorization Header",
                                  status_code=401, errno=109,
                                  headers={"www-authenticate": PREF_SCHEME})