
0003-api-search-api-keys-from-dedicated-storage-objects-t.patch

Nicolas Roche, 29 novembre 2020 19:35


Subject: [PATCH 3/3] api: search api keys from dedicated storage objects too
 (#48751)

 tests/test_api.py | 26 ++++++++++++++++++++++++++
 wcs/api_utils.py  |  3 ++-
 2 files changed, 28 insertions(+), 1 deletion(-)
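--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -294,16 +294,42 @@
             )
     url = signed_url[len('http://example.net'):]
     output = get_app(pub).get(url)
     assert output.json['user_display_name'] == u'Jean Darmette'
     assert [x['name'] for x in output.json['user_roles']] == ['Foo bar']
     assert [x['slug'] for x in output.json['user_roles']] == ['foo-bar']
 
 
+def test_api_access_from_xml_storable_object(pub, local_user, admin_user):
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/settings/api-access/new')
+    resp.form['name'] = 'Salut API access key'
+    resp.form['access_identifier'] = 'salut'
+    resp.form['access_key'] = '5678'
+    resp = resp.form.submit('submit')
+
+    Role.wipe()
+    role = Role(name='Foo bar')
+    role.store()
+    local_user.roles = [role.id]
+    local_user.store()
+    signed_url = sign_url('http://example.net/api/user/?format=json&orig=UNKNOWN_ACCESS&email=%s' % (
+        urllib.quote(local_user.email)), '5678')
+    url = signed_url[len('http://example.net'):]
+    output = get_app(pub).get(url, status=403)
+    assert output.json['err_desc'] == 'invalid orig'
+
+    signed_url = sign_url('http://example.net/api/user/?format=json&orig=salut&email=%s' % (
+        urllib.quote(local_user.email)), '5678')
+    url = signed_url[len('http://example.net'):]
+    output = get_app(pub).get(url)
+    assert output.json['user_display_name'] == u'Jean Darmette'
+
+
 def test_is_url_signed_check_nonce(pub, local_user, freezer):
     ORIG = 'xxx'
     KEY = 'xxx'
 
     pub.site_options.add_section('api-secrets')
     pub.site_options.set('api-secrets', ORIG, KEY)
     pub.site_options.write(open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w'))
     # test clean_nonces do not bark when nonces directory is empty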
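Review bot: test_api_access_from_xml_storable_object never exercises a known access identifier signed with the wrong key, so it cannot distinguish "the ApiAccess key is used to verify the signature" from "any key found for orig lets the request through"; both requests are signed with '5678', the value just stored through the form, and the only 403 case is an unknown orig. A third request for `orig=salut` signed with a different secret, e.g. `signed_url = sign_url('http://example.net/api/user/?format=json&orig=salut&email=%s' % (urllib.quote(local_user.email)), 'wrong-key')` followed by `get_app(pub).get(url, status=403)`, would pin the new lookup path to the actual verification (the exact status and err_desc for a signature mismatch come from is_url_signed, which is outside this hunk). The `resp` returned by `resp.form.submit('submit')` is also never checked, so a failed store of the api-access object would only surface indirectly as 'invalid orig' on the second request rather than at the point of failure.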
wcs/api_utils.py
24 24
import calendar
25 25

  
26 26
from django.utils import six
27 27
from django.utils.encoding import force_bytes, force_text
28 28
from django.utils.six.moves.urllib import parse as urllib
29 29
from django.utils.six.moves.urllib import parse as urlparse
30 30

  
31 31
from quixote import get_request, get_publisher
32
from .api_access import ApiAccess
32 33
from .qommon.errors import (AccessForbiddenError, HttpResponse401Error, UnknownNameIdAccessForbiddenError)
33 34
import qommon.misc
34 35

  
35 36
DEFAULT_DURATION = 30
36 37

  
37 38

  
38 39
def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
39 40
    if get_request().signed:
......
44 45
    signature = get_request().form.get('signature')
45 46
    if not isinstance(signature, six.string_types):
46 47
        return False
47 48
    signature = force_bytes(signature)
48 49
    # verify signature
49 50
    orig = get_request().form.get('orig')
50 51
    if not isinstance(orig, six.string_types):
51 52
        raise AccessForbiddenError('missing/multiple orig field')
52
    key = get_publisher().get_site_option(orig, 'api-secrets')
53
    key = ApiAccess.get_access_key(orig) or get_publisher().get_site_option(orig, 'api-secrets')
53 54
    if not key:
54 55
        raise AccessForbiddenError('invalid orig')
55 56
    algo = get_request().form.get('algo')
56 57
    if not isinstance(algo, six.string_types):
57 58
        raise AccessForbiddenError('missing/multiple algo field')
58 59
    if algo not in hashlib.algorithms_guaranteed:
59 60
        raise AccessForbiddenError('invalid algo')
60 61
    try:
61
-