Added very basic read/write authentication.

Auth is performed via basic auth, create a user in the admin if you want to get access. Change-Id: Ie6a4f7e440387b4472661284408213872f453473
2019-01-16 18:23:31 +01:00 · 2019-01-16 18:23:31 +01:00 · ee8e1aa5ee
commit ee8e1aa5ee
parent 3d5efff28c
3 changed files with 108 additions and 0 deletions
--- a/ara/api/auth.py
+++ b/ara/api/auth.py
@ -0,0 +1,26 @@
+#  Copyright (c) 2019 Red Hat, Inc.
+#
+#  This file is part of ARA Records Ansible.
+#
+#  ARA is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 3 of the License, or
+#  (at your option) any later version.
+#
+#  ARA is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with ARA.  If not, see <http://www.gnu.org/licenses/>.
+
+from django.conf import settings
+from rest_framework import permissions
+
+
+class APIAccessPermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method in permissions.SAFE_METHODS:
+            return request.user.is_authenticated if settings.READ_LOGIN_REQUIRED else True
+        return request.user.is_authenticated if settings.WRITE_LOGIN_REQUIRED else True
--- a/ara/api/tests/tests_auth.py
+++ b/ara/api/tests/tests_auth.py
@ -0,0 +1,74 @@
+#  Copyright (c) 2019 Red Hat, Inc.
+#
+#  This file is part of ARA Records Ansible.
+#
+#  ARA is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 3 of the License, or
+#  (at your option) any later version.
+#
+#  ARA is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with ARA.  If not, see <http://www.gnu.org/licenses/>.
+
+from django.conf import settings
+from django.test import RequestFactory, TestCase, override_settings
+
+from ara.api.auth import APIAccessPermission
+
+
+class User:
+    is_authenticated = True
+
+
+class AnonymousUser(User):
+    is_authenticated = False
+
+
+class PermissionBackendTestCase(TestCase):
+    def setUp(self):
+        factory = RequestFactory()
+        self.anon_get_request = factory.get("/")
+        self.anon_get_request.user = AnonymousUser()
+        self.anon_post_request = factory.post("/")
+        self.anon_post_request.user = AnonymousUser()
+
+        self.authed_get_request = factory.get("/")
+        self.authed_get_request.user = User()
+        self.authed_post_request = factory.post("/")
+        self.authed_post_request.user = User()
+
+    @override_settings(READ_LOGIN_REQUIRED=False, WRITE_LOGIN_REQUIRED=True)
+    def test_anonymous_read_access(self):
+        backend = APIAccessPermission()
+
+        # Writes are blocked (just to show it has no affect on read)
+        self.assertFalse(backend.has_permission(self.anon_post_request, None))
+
+        # Reads are allowed based on READ_LOGIN_REQUIRED
+        self.assertTrue(backend.has_permission(self.anon_get_request, None))
+        settings.READ_LOGIN_REQUIRED = True
+        self.assertFalse(backend.has_permission(self.anon_get_request, None))
+
+    @override_settings(READ_LOGIN_REQUIRED=True, WRITE_LOGIN_REQUIRED=False)
+    def test_anonymous_write_access(self):
+        backend = APIAccessPermission()
+
+        # Reads are blocked (just to show it has no affect on write)
+        self.assertFalse(backend.has_permission(self.anon_get_request, None))
+
+        # Writes are allowed based on WRITE_LOGIN_REQUIRED
+        self.assertTrue(backend.has_permission(self.anon_post_request, None))
+        settings.WRITE_LOGIN_REQUIRED = True
+        self.assertFalse(backend.has_permission(self.anon_post_request, None))
+
+    @override_settings(READ_LOGIN_REQUIRED=True, WRITE_LOGIN_REQUIRED=True)
+    def test_auth_access(self):
+        backend = APIAccessPermission()
+
+        self.assertTrue(backend.has_permission(self.authed_get_request, None))
+        self.assertTrue(backend.has_permission(self.authed_post_request, None))
--- a/ara/server/settings.py
+++ b/ara/server/settings.py
@ -152,6 +152,10 @@ MEDIA_ROOT = settings.get("MEDIA_ROOT", os.path.join(BASE_DIR, "www", "media"))
 WSGI_APPLICATION = "ara.server.wsgi.application"
 ROOT_URLCONF = "ara.server.urls"
 APPEND_SLASH = False
+
+READ_LOGIN_REQUIRED = settings.get("READ_LOGIN_REQUIRED", False, "@bool")
+WRITE_LOGIN_REQUIRED = settings.get("WRITE_LOGIN_REQUIRED", False, "@bool")
+
 REST_FRAMEWORK = {
    "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.LimitOffsetPagination",
    "PAGE_SIZE": 100,
@ -165,6 +169,8 @@ REST_FRAMEWORK = {
        "rest_framework.parsers.FormParser",
        "rest_framework.parsers.MultiPartParser",
    ),
+    "DEFAULT_AUTHENTICATION_CLASSES": ("rest_framework.authentication.BasicAuthentication",),
+    "DEFAULT_PERMISSION_CLASSES": ("ara.api.auth.APIAccessPermission",),
    "TEST_REQUEST_DEFAULT_FORMAT": "json",
 }

@ -193,6 +199,8 @@ if not os.path.exists(DEFAULT_SETTINGS) and "ARA_SETTINGS" not in os.environ:
        DEBUG=DEBUG,
        LOG_LEVEL=LOG_LEVEL,
        LOGGING=LOGGING,
+        READ_LOGIN_REQUIRED=READ_LOGIN_REQUIRED,
+        WRITE_LOGIN_REQUIRED=WRITE_LOGIN_REQUIRED,
    )
    with open(DEFAULT_SETTINGS, "w+") as settings_file:
        comment = f"""