Add tests

stsewd · stsewd · commit 475fee75e2b9 · 2023-06-15T15:44:02.000-05:00
diff --git a/readthedocs/api/v2/views/model_views.py b/readthedocs/api/v2/views/model_views.py
@@ -4,6 +4,7 @@
 import structlog
 from allauth.socialaccount.models import SocialAccount
 from django.conf import settings
+from django.core.exceptions import PermissionDenied
 from django.db.models import BooleanField, Case, Value, When
 from django.http import Http404
 from django.shortcuts import get_object_or_404
@@ -251,7 +252,7 @@ def concurrent(self, request, **kwargs):
         build_api_key = request.build_api_key
         if build_api_key:
             if project_slug != build_api_key.project.slug:
-                raise Http404
+                raise Http404()
             project = build_api_key.project
         else:
             project = get_object_or_404(Project, slug=project_slug)
@@ -326,6 +327,16 @@ class BuildCommandViewSet(DisableListEndpoint, CreateModelMixin, UserSelectViewS
     serializer_class = BuildCommandSerializer
     model = BuildCommandResult
 
+    def perform_create(self, serializer):
+        """Restrict creation to builds attached to the project from the api key."""
+        build_pk = serializer.validated_data["build"].pk
+        api_key = self.request.build_api_key
+        if api_key and not api_key.project.builds.filter(pk=build_pk).exists():
+            raise PermissionDenied()
+        # If the request isn't attached to a build api key,
+        # the user doing the request is a superuser, so it has access to all projects.
+        return super().perform_create(serializer)
+
     def get_queryset(self):
         api_key = self.request.build_api_key
         if api_key:
diff --git a/readthedocs/rtd_tests/tests/test_api.py b/readthedocs/rtd_tests/tests/test_api.py
@@ -14,6 +14,7 @@
 from rest_framework import status
 from rest_framework.test import APIClient
 
+from readthedocs.api.v2.models import BuildAPIKey
 from readthedocs.api.v2.views.integrations import (
     GITHUB_CREATE,
     GITHUB_DELETE,
@@ -604,6 +605,31 @@ def test_build_filter_by_commit(self):
 class APITests(TestCase):
     fixtures = ['eric.json', 'test_data.json']
 
+    def test_revoke_build_api_key(self):
+        user = get(User)
+        project = get(Project, users=[user])
+        _, build_api_key = BuildAPIKey.objects.create_key(project)
+        client = APIClient()
+        revoke_url = "/api/v2/revoke/"
+        self.assertTrue(BuildAPIKey.objects.is_valid(build_api_key))
+
+        # Anonymous request.
+        client.logout()
+        resp = client.post(revoke_url)
+        self.assertEqual(resp.status_code, 403)
+        self.assertTrue(BuildAPIKey.objects.is_valid(build_api_key))
+
+        # Using user/password.
+        client.force_login(user)
+        resp = client.post(revoke_url)
+        self.assertEqual(resp.status_code, 403)
+        self.assertTrue(BuildAPIKey.objects.is_valid(build_api_key))
+
+        client.logout()
+        resp = client.post(revoke_url, HTTP_AUTHORIZATION=f"Token {build_api_key}")
+        self.assertEqual(resp.status_code, 204)
+        self.assertFalse(BuildAPIKey.objects.is_valid(build_api_key))
+
     def test_user_doesnt_get_full_api_return(self):
         user_normal = get(User, is_staff=False)
         user_admin = get(User, is_staff=True)
@@ -699,6 +725,52 @@ def test_project_read_and_write_endpoints_for_staff_user(self):
             resp = client.patch(f"/api/v2/project/{project.pk}/")
             self.assertEqual(resp.status_code, 200)
 
+    def test_project_read_and_write_endpoints_for_build_api_token(self):
+        user_normal = get(User, is_staff=False)
+        user_admin = get(User, is_staff=True)
+
+        project_a = get(Project, users=[user_normal], privacy_level=PUBLIC)
+        project_b = get(Project, users=[user_admin], privacy_level=PUBLIC)
+        project_c = get(Project, privacy_level=PUBLIC)
+        client = APIClient()
+
+        _, build_api_key = BuildAPIKey.objects.create_key(project_a)
+        client.credentials(HTTP_AUTHORIZATION=f"Token {build_api_key}")
+
+        # List operations without a filter aren't allowed.
+        resp = client.get("/api/v2/project/")
+        self.assertEqual(resp.status_code, 410)
+
+        # We don't allow creating projects.
+        resp = client.post("/api/v2/project/")
+        self.assertEqual(resp.status_code, 405)
+
+        # The key grants access to project_a only.
+        resp = client.get(f"/api/v2/project/{project_a.pk}/")
+        self.assertEqual(resp.status_code, 200)
+
+        # We don't allow deleting projects.
+        resp = client.delete(f"/api/v2/project/{project_a.pk}/")
+        self.assertEqual(resp.status_code, 405)
+
+        # Update is fine.
+        resp = client.patch(f"/api/v2/project/{project_a.pk}/")
+        self.assertEqual(resp.status_code, 200)
+
+        disallowed_projects = [
+            project_b,
+            project_c,
+        ]
+        for project in disallowed_projects:
+            resp = client.get(f"/api/v2/project/{project.pk}/")
+            self.assertEqual(resp.status_code, 404)
+
+            resp = client.delete(f"/api/v2/project/{project.pk}/")
+            self.assertEqual(resp.status_code, 405)
+
+            resp = client.patch(f"/api/v2/project/{project.pk}/")
+            self.assertEqual(resp.status_code, 404)
+
     def test_build_read_only_endpoints_for_normal_user(self):
         user_normal = get(User, is_staff=False)
         user_admin = get(User, is_staff=True)
@@ -775,6 +847,55 @@ def test_build_read_and_write_endpoints_for_staff_user(self):
             resp = client.patch(f"/api/v2/build/{build.pk}/")
             self.assertEqual(resp.status_code, 200)
 
+    def test_build_read_and_write_endpoints_for_build_api_token(self):
+        user_normal = get(User, is_staff=False)
+        user_admin = get(User, is_staff=True)
+
+        project_a = get(Project, users=[user_normal], privacy_level=PUBLIC)
+        project_b = get(Project, users=[user_admin], privacy_level=PUBLIC)
+        project_c = get(Project, privacy_level=PUBLIC)
+        client = APIClient()
+
+        _, build_api_key = BuildAPIKey.objects.create_key(project_a)
+        client.credentials(HTTP_AUTHORIZATION=f"Token {build_api_key}")
+
+        # List operations without a filter aren't allowed.
+        resp = client.get("/api/v2/build/")
+        self.assertEqual(resp.status_code, 410)
+
+        # We don't allow to create builds.
+        resp = client.post("/api/v2/build/")
+        self.assertEqual(resp.status_code, 405)
+
+        Version.objects.all().update(privacy_level=PUBLIC)
+
+        # The key grants access to builds form project_a only.
+        build = get(Build, project=project_a, version=project_a.versions.first())
+        resp = client.get(f"/api/v2/build/{build.pk}/")
+        self.assertEqual(resp.status_code, 200)
+
+        # We don't allow deleting builds.
+        resp = client.delete(f"/api/v2/build/{build.pk}/")
+        self.assertEqual(resp.status_code, 405)
+
+        # Update them is fine.
+        resp = client.patch(f"/api/v2/build/{build.pk}/")
+        self.assertEqual(resp.status_code, 200)
+
+        disallowed_builds = [
+            get(Build, project=project_b, version=project_b.versions.first()),
+            get(Build, project=project_c, version=project_c.versions.first()),
+        ]
+        for build in disallowed_builds:
+            resp = client.get(f"/api/v2/build/{build.pk}/")
+            self.assertEqual(resp.status_code, 404)
+
+            resp = client.delete(f"/api/v2/build/{build.pk}/")
+            self.assertEqual(resp.status_code, 405)
+
+            resp = client.patch(f"/api/v2/build/{build.pk}/")
+            self.assertEqual(resp.status_code, 404)
+
     def test_build_commands_read_only_endpoints_for_normal_user(self):
         user_normal = get(User, is_staff=False)
         user_admin = get(User, is_staff=True)
@@ -865,6 +986,82 @@ def test_build_commands_read_and_write_endpoints_for_staff_user(self):
             resp = client.patch(f"/api/v2/command/{command.pk}/")
             self.assertEqual(resp.status_code, 405)
 
+    def test_build_commands_read_and_write_endpoints_for_build_api_token(self):
+        user_normal = get(User, is_staff=False)
+        user_admin = get(User, is_staff=True)
+
+        project_a = get(Project, users=[user_normal], privacy_level=PUBLIC)
+        project_b = get(Project, users=[user_admin], privacy_level=PUBLIC)
+        project_c = get(Project, privacy_level=PUBLIC)
+        client = APIClient()
+
+        _, build_api_key = BuildAPIKey.objects.create_key(project_a)
+        client.credentials(HTTP_AUTHORIZATION=f"Token {build_api_key}")
+
+        # List operations without a filter aren't allowed.
+        resp = client.get("/api/v2/command/")
+        self.assertEqual(resp.status_code, 410)
+
+        Version.objects.all().update(privacy_level=PUBLIC)
+
+        build = get(Build, project=project_a, version=project_a.versions.first())
+        command = get(BuildCommandResult, build=build)
+
+        # We allow creating build commands.
+        resp = client.post(
+            "/api/v2/command/",
+            {
+                "build": build.pk,
+                "command": "test",
+                "output": "test",
+                "exit_code": 0,
+                "start_time": datetime.datetime.utcnow(),
+                "end_time": datetime.datetime.utcnow(),
+            },
+        )
+        self.assertEqual(resp.status_code, 201)
+
+        resp = client.get(f"/api/v2/command/{command.pk}/")
+        self.assertEqual(resp.status_code, 200)
+
+        # We don't allow deleting commands.
+        resp = client.delete(f"/api/v2/command/{command.pk}/")
+        self.assertEqual(resp.status_code, 405)
+
+        # Neither updating them.
+        resp = client.patch(f"/api/v2/command/{command.pk}/")
+        self.assertEqual(resp.status_code, 405)
+
+        disallowed_builds = [
+            get(Build, project=project_b, version=project_b.versions.first()),
+            get(Build, project=project_c, version=project_c.versions.first()),
+        ]
+        disallowed_build_commands = [
+            get(BuildCommandResult, build=build) for build in disallowed_builds
+        ]
+        for command in disallowed_build_commands:
+            resp = client.post(
+                "/api/v2/command/",
+                {
+                    "build": command.build.pk,
+                    "command": "test",
+                    "output": "test",
+                    "exit_code": 0,
+                    "start_time": datetime.datetime.utcnow(),
+                    "end_time": datetime.datetime.utcnow(),
+                },
+            )
+            self.assertEqual(resp.status_code, 403)
+
+            resp = client.get(f"/api/v2/command/{command.pk}/")
+            self.assertEqual(resp.status_code, 404)
+
+            resp = client.delete(f"/api/v2/command/{command.pk}/")
+            self.assertEqual(resp.status_code, 405)
+
+            resp = client.patch(f"/api/v2/command/{command.pk}/")
+            self.assertEqual(resp.status_code, 405)
+
     def test_versions_read_only_endpoints_for_normal_user(self):
         user_normal = get(User, is_staff=False)
         user_admin = get(User, is_staff=True)
@@ -943,6 +1140,55 @@ def test_versions_read_and_write_endpoints_for_staff_user(self):
             resp = client.patch(f"/api/v2/version/{version.pk}/")
             self.assertEqual(resp.status_code, 200)
 
+    def test_versions_read_and_write_endpoints_for_build_api_token(self):
+        user_normal = get(User, is_staff=False)
+        user_admin = get(User, is_staff=True)
+
+        project_a = get(Project, users=[user_normal], privacy_level=PUBLIC)
+        project_b = get(Project, users=[user_admin], privacy_level=PUBLIC)
+        project_c = get(Project, privacy_level=PUBLIC)
+        Version.objects.all().update(privacy_level=PUBLIC)
+
+        client = APIClient()
+        _, build_api_key = BuildAPIKey.objects.create_key(project_a)
+        client.credentials(HTTP_AUTHORIZATION=f"Token {build_api_key}")
+
+        # List operations without a filter aren't allowed.
+        resp = client.get("/api/v2/version/")
+        self.assertEqual(resp.status_code, 410)
+
+        # We don't allow to create versions.
+        resp = client.post("/api/v2/version/")
+        self.assertEqual(resp.status_code, 405)
+
+        version = project_a.versions.first()
+        resp = client.get(f"/api/v2/version/{version.pk}/")
+        self.assertEqual(resp.status_code, 200)
+
+        # We don't allow deleting versions.
+        resp = client.delete(f"/api/v2/version/{version.pk}/")
+        self.assertEqual(resp.status_code, 405)
+
+        # Update them is fine.
+        resp = client.patch(f"/api/v2/version/{version.pk}/")
+        self.assertEqual(resp.status_code, 200)
+
+        disallowed_versions = [
+            project_b.versions.first(),
+            project_c.versions.first(),
+        ]
+        for version in disallowed_versions:
+            resp = client.get(f"/api/v2/version/{version.pk}/")
+            self.assertEqual(resp.status_code, 404)
+
+            # We don't allow deleting versions.
+            resp = client.delete(f"/api/v2/version/{version.pk}/")
+            self.assertEqual(resp.status_code, 405)
+
+            # Update them is fine.
+            resp = client.patch(f"/api/v2/version/{version.pk}/")
+            self.assertEqual(resp.status_code, 404)
+
     def test_domains_read_only_endpoints_for_normal_user(self):
         user_normal = get(User, is_staff=False)
         user_admin = get(User, is_staff=True)
@@ -1021,6 +1267,45 @@ def test_domains_read_and_write_endpoints_for_staff_user(self):
             resp = client.patch(f"/api/v2/domain/{domain.pk}/")
             self.assertEqual(resp.status_code, 405)
 
+    def test_domains_read_and_write_endpoints_for_build_api_token(self):
+        # Build API tokens don't grant access to the domain endpoints.
+        user_normal = get(User, is_staff=False)
+        user_admin = get(User, is_staff=True)
+
+        project_a = get(Project, users=[user_normal], privacy_level=PUBLIC)
+        project_b = get(Project, users=[user_admin], privacy_level=PUBLIC)
+        project_c = get(Project, privacy_level=PUBLIC)
+        Version.objects.all().update(privacy_level=PUBLIC)
+
+        client = APIClient()
+        _, build_api_key = BuildAPIKey.objects.create_key(project_a)
+        client.credentials(HTTP_AUTHORIZATION=f"Token {build_api_key}")
+
+        # List operations without a filter aren't allowed.
+        resp = client.get("/api/v2/domain/")
+        self.assertEqual(resp.status_code, 410)
+
+        # We don't allow to create domains.
+        resp = client.post("/api/v2/domain/")
+        self.assertEqual(resp.status_code, 403)
+
+        domains = [
+            get(Domain, project=project_a),
+            get(Domain, project=project_b),
+            get(Domain, project=project_c),
+        ]
+        for domain in domains:
+            resp = client.get(f"/api/v2/domain/{domain.pk}/")
+            self.assertEqual(resp.status_code, 200)
+
+            # We don't allow deleting domains.
+            resp = client.delete(f"/api/v2/domain/{domain.pk}/")
+            self.assertEqual(resp.status_code, 403)
+
+            # Neither update them.
+            resp = client.patch(f"/api/v2/domain/{domain.pk}/")
+            self.assertEqual(resp.status_code, 403)
+
     def test_project_features(self):
         user = get(User, is_staff=True)
         project = get(Project, main_language_project=None)
