Use project-scoped temporal tokens to interact with the API from the builders #10378
Conversation
For #10289 we are going to need to pass a new argument (build_api_key). And since we deploy webs first, builders will have the old task that doesn't match the new signature, and the task will fail. To avoid this, we can just accept any kwargs, this obviously only works if the change is backwards compatible with the old code from the builders (in this case it will be).
We aren't using the LocalEnvironment class, only the BuildEnvironment, so there is no need to keep BaseEnvironment seperated from BuildEnvironment.
…d-api-token-access
With #10378 we now need to always pass an environment, we can't just create a default one.
With #10378 we now need to always pass an environment, we can't just create a default one.
stsewd
changed the title
There was a problem hiding this comment.
This looks like a good start, I think there's some places where we need to be more clear about how auth is done in comments and perhaps dev docs somewhere? I don't fully understand where the actual flow of auth is getting checked, likely because some of that logic is living in the API key package? But how do we easily explain to readers of our code what it's depending on the API key package for?
| @@ -65,3 +67,37 @@ def has_permission(self, request, view): | |||
| .exists() | |||
| ) | |||
| return has_access | |||
|
|
|||
|
|
|||
| class TokenKeyParser(KeyParser): | |||
There was a problem hiding this comment.
Odd this isn't builtin... seems pretty standard?
There was a problem hiding this comment.
They default to Api-Key {token}
| @@ -151,7 +155,7 @@ class ProjectViewSet(DisableListEndpoint, UpdateModelMixin, UserSelectViewSet): | |||
|
|
|||
| """List, filter, etc, Projects.""" | |||
|
|
|||
| permission_classes = [APIRestrictedPermission] | |||
| permission_classes = [HasBuildAPIKey | APIRestrictedPermission] | |||
There was a problem hiding this comment.
Weird syntax... I feel like this could use a comment explaining the logic. Guessing it means either can be used to validate permissions (eg. OR)?
There was a problem hiding this comment.
Yeah, this is an or (it supports & too), it's standard from REST framework. I can add a comment if it's useful.
| return Response({ | ||
| 'url': project.get_docs_url(), | ||
| }) | ||
|
|
||
| def get_queryset(self): |
There was a problem hiding this comment.
Could use a docstring, since it seems like this is the core of the logic that checks authz in the queryset?
| build_api_key = request.build_api_key | ||
| if build_api_key: | ||
| if project_slug != build_api_key.project.slug: | ||
| raise Http404() |
There was a problem hiding this comment.
We should probably have a log message here, at least for our debugging use.
Why isn't this check performed in other places, because the queryset filter is doing the work there, and this code isn't using the get_queryset method for some reason?
There was a problem hiding this comment.
yeah, all others just use the queryset.
|
|
||
| def has_permission(self, request, view): | ||
| build_api_key = None | ||
| has_permission = super().has_permission(request, view) |
There was a problem hiding this comment.
I don't fully understand what code this is calling... What is actually being validated here? Is it in our code, or a third-party package? And is it checking the project matches the API key somehow?
There was a problem hiding this comment.
We rely on the permission class from the package to make sure that the API key given is valid, we just override it to attach the key to the request, otherwise we need to parse the key and get it from the db every time we want to use from a view.
readthedocs.org/readthedocs/api/v2/permissions.py
Lines 85 to 91 in f261ecc
There was a problem hiding this comment.
Gotcha, so it's basically just checking that the key exists? Not checking it against any specific user or anything.
There was a problem hiding this comment.
yeah, api keys aren't attached to a user, authorization for a given project is done via the queryset.
|
|
||
| project = models.ForeignKey( | ||
| Project, | ||
| on_delete=models.CASCADE, |
There was a problem hiding this comment.
This adds more overhead to the deletion of the project. We may want to make this SET_NULL or similar. See #10040
| def perform_create(self, serializer): | ||
| """Restrict creation to builds attached to the project from the api key.""" | ||
| build_pk = serializer.validated_data["build"].pk | ||
| api_key = self.request.build_api_key | ||
| if api_key and not api_key.project.builds.filter(pk=build_pk).exists(): | ||
| raise PermissionDenied() | ||
| # If the request isn't attached to a build api key, | ||
| # the user doing the request is a superuser, so it has access to all projects. | ||
| return super().perform_create(serializer) |
There was a problem hiding this comment.
Why do we need this only for this view but it's not required when updating a Version or Build object via the API from the builder as well?
There was a problem hiding this comment.
When updating, we know the object (since it already exists), so the queryset already filters the objects the token has access to. When creating, we don't know where the object belongs since it hasn't been created, but we know that it should be attached to the project the token grants access to.
| try: | ||
| self.data.api_client.revoke.post() | ||
| except Exception: | ||
| log.exception("Failed to revoke build api key.", exc_info=True) |
There was a problem hiding this comment.
I would make this just an INFO. There is no need to log this as an exception. The key will expire anyways in 3 hours.
This implements the design document from https://dev.readthedocs.io/en/latest/design/secure-api-access-from-builders.html
/api/v2/revoke/endpoint was added to revoke an API key after it has been used.that code can be removed in the next deploy.
Closes https://github.com/readthedocs/meta/issues/21