From ee8e1aa5eec67e9ecd727a6a62ef59035eb0c685 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Wed, 16 Jan 2019 18:23:31 +0100 Subject: [PATCH] Added very basic read/write authentication. Auth is performed via basic auth, create a user in the admin if you want to get access. Change-Id: Ie6a4f7e440387b4472661284408213872f453473 --- ara/api/auth.py | 26 +++++++++++++ ara/api/tests/tests_auth.py | 74 +++++++++++++++++++++++++++++++++++++ ara/server/settings.py | 8 ++++ 3 files changed, 108 insertions(+) create mode 100644 ara/api/auth.py create mode 100644 ara/api/tests/tests_auth.py diff --git a/ara/api/auth.py b/ara/api/auth.py new file mode 100644 index 00000000..c98a3ff5 --- /dev/null +++ b/ara/api/auth.py @@ -0,0 +1,26 @@ +# Copyright (c) 2019 Red Hat, Inc. +# +# This file is part of ARA Records Ansible. +# +# ARA is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# ARA is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with ARA. If not, see . + +from django.conf import settings +from rest_framework import permissions + + +class APIAccessPermission(permissions.BasePermission): + def has_permission(self, request, view): + if request.method in permissions.SAFE_METHODS: + return request.user.is_authenticated if settings.READ_LOGIN_REQUIRED else True + return request.user.is_authenticated if settings.WRITE_LOGIN_REQUIRED else True diff --git a/ara/api/tests/tests_auth.py b/ara/api/tests/tests_auth.py new file mode 100644 index 00000000..69523dbd --- /dev/null +++ b/ara/api/tests/tests_auth.py @@ -0,0 +1,74 @@ +# Copyright (c) 2019 Red Hat, Inc. +# +# This file is part of ARA Records Ansible. +# +# ARA is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# ARA is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with ARA. If not, see . + +from django.conf import settings +from django.test import RequestFactory, TestCase, override_settings + +from ara.api.auth import APIAccessPermission + + +class User: + is_authenticated = True + + +class AnonymousUser(User): + is_authenticated = False + + +class PermissionBackendTestCase(TestCase): + def setUp(self): + factory = RequestFactory() + self.anon_get_request = factory.get("/") + self.anon_get_request.user = AnonymousUser() + self.anon_post_request = factory.post("/") + self.anon_post_request.user = AnonymousUser() + + self.authed_get_request = factory.get("/") + self.authed_get_request.user = User() + self.authed_post_request = factory.post("/") + self.authed_post_request.user = User() + + @override_settings(READ_LOGIN_REQUIRED=False, WRITE_LOGIN_REQUIRED=True) + def test_anonymous_read_access(self): + backend = APIAccessPermission() + + # Writes are blocked (just to show it has no affect on read) + self.assertFalse(backend.has_permission(self.anon_post_request, None)) + + # Reads are allowed based on READ_LOGIN_REQUIRED + self.assertTrue(backend.has_permission(self.anon_get_request, None)) + settings.READ_LOGIN_REQUIRED = True + self.assertFalse(backend.has_permission(self.anon_get_request, None)) + + @override_settings(READ_LOGIN_REQUIRED=True, WRITE_LOGIN_REQUIRED=False) + def test_anonymous_write_access(self): + backend = APIAccessPermission() + + # Reads are blocked (just to show it has no affect on write) + self.assertFalse(backend.has_permission(self.anon_get_request, None)) + + # Writes are allowed based on WRITE_LOGIN_REQUIRED + self.assertTrue(backend.has_permission(self.anon_post_request, None)) + settings.WRITE_LOGIN_REQUIRED = True + self.assertFalse(backend.has_permission(self.anon_post_request, None)) + + @override_settings(READ_LOGIN_REQUIRED=True, WRITE_LOGIN_REQUIRED=True) + def test_auth_access(self): + backend = APIAccessPermission() + + self.assertTrue(backend.has_permission(self.authed_get_request, None)) + self.assertTrue(backend.has_permission(self.authed_post_request, None)) diff --git a/ara/server/settings.py b/ara/server/settings.py index 32c8b355..ba529627 100644 --- a/ara/server/settings.py +++ b/ara/server/settings.py @@ -152,6 +152,10 @@ MEDIA_ROOT = settings.get("MEDIA_ROOT", os.path.join(BASE_DIR, "www", "media")) WSGI_APPLICATION = "ara.server.wsgi.application" ROOT_URLCONF = "ara.server.urls" APPEND_SLASH = False + +READ_LOGIN_REQUIRED = settings.get("READ_LOGIN_REQUIRED", False, "@bool") +WRITE_LOGIN_REQUIRED = settings.get("WRITE_LOGIN_REQUIRED", False, "@bool") + REST_FRAMEWORK = { "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination", "PAGE_SIZE": 100, @@ -165,6 +169,8 @@ REST_FRAMEWORK = { "rest_framework.parsers.FormParser", "rest_framework.parsers.MultiPartParser", ), + "DEFAULT_AUTHENTICATION_CLASSES": ("rest_framework.authentication.BasicAuthentication",), + "DEFAULT_PERMISSION_CLASSES": ("ara.api.auth.APIAccessPermission",), "TEST_REQUEST_DEFAULT_FORMAT": "json", } @@ -193,6 +199,8 @@ if not os.path.exists(DEFAULT_SETTINGS) and "ARA_SETTINGS" not in os.environ: DEBUG=DEBUG, LOG_LEVEL=LOG_LEVEL, LOGGING=LOGGING, + READ_LOGIN_REQUIRED=READ_LOGIN_REQUIRED, + WRITE_LOGIN_REQUIRED=WRITE_LOGIN_REQUIRED, ) with open(DEFAULT_SETTINGS, "w+") as settings_file: comment = f"""