TT#15305 build: fix detection of build permissions

* calling build from API was always unauthorized
* drfapikey only supports Django until 1.10 version
* https://florimondmanca.github.io/djangorestframework-api-key/
  supports modern Python and Django versions

- remove useless BUILD_KEY_AUTH preference, it's True always

Change-Id: I5521b07532dba12abea52982d376eb83293f6a38

build/test/test_conf.py

@@ -1,27 +0,0 @@
-# Copyright (C) 2015 The Sipwise Team - http://sipwise.com
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the Free
-# Software Foundation, either version 3 of the License, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-# more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program.  If not, see <http://www.gnu.org/licenses/>.
-from django.test import SimpleTestCase
-
-
-class TestBuildConf(SimpleTestCase):
-    def test_django_settings(self):
-        from django.conf import settings
-
-        self.assertEqual(settings.BUILD_KEY_AUTH, True)
-
-    def test_build_settings(self):
-        from build.conf import settings
-
-        self.assertEqual(settings.BUILD_KEY_AUTH, True)

build/views.py

@@ -19,23 +19,14 @@ from rest_framework import generics
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from rest_framework.views import APIView
-from rest_framework_api_key.permissions import HasAPIAccess
+from rest_framework_api_key.permissions import HasAPIKey
 
 from . import models
 from . import serializers
 from . import tasks
-from .conf import settings
 from repoapi.serializers import JenkinsBuildInfoSerializer as JBISerializer
 
 
-class BuildAccess(HasAPIAccess, IsAuthenticated):
-    def has_permission(self, request, view):
-        res = IsAuthenticated.has_permission(self, request, view)
-        if settings.BUILD_KEY_AUTH and not res:
-            res = HasAPIAccess.has_permission(self, request, view)
-        return res
-
-
 class BuildReleaseFilter(django_filters.FilterSet):
     class Meta:
         model = models.BuildRelease
@@ -46,14 +37,14 @@ class BuildReleaseFilter(django_filters.FilterSet):
 
 
 class BuildReleaseList(generics.ListCreateAPIView):
-    permission_classes = (BuildAccess,)
+    permission_classes = [HasAPIKey | IsAuthenticated]
     queryset = models.BuildRelease.objects.all().order_by("id")
     serializer_class = serializers.BuildReleaseSerializer
     filter_class = BuildReleaseFilter
 
 
 class BuildReleaseDetail(generics.RetrieveDestroyAPIView):
-    permission_classes = (BuildAccess,)
+    permission_classes = [HasAPIKey | IsAuthenticated]
     queryset = models.BuildRelease.objects.all().order_by("id")
     serializer_class = serializers.BuildReleaseSerializer
 
@@ -78,7 +69,7 @@ class BuildReleaseDetail(generics.RetrieveDestroyAPIView):
 
 
 class BuildProject(APIView):
-    permission_classes = (BuildAccess,)
+    permission_classes = [HasAPIKey | IsAuthenticated]
 
     def post(self, request, release_uuid, project):
         br = get_object_or_404(models.BuildRelease, uuid=release_uuid)

release_dashboard/views/api.py

@@ -1,4 +1,4 @@
-# Copyright (C) 2020 The Sipwise Team - http://sipwise.com
+# Copyright (C) 2020-2022 The Sipwise Team - http://sipwise.com
 #
 # This program is free software: you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the Free
@@ -13,14 +13,15 @@
 # You should have received a copy of the GNU General Public License along
 # with this program.  If not, see <http://www.gnu.org/licenses/>.
 from django.http import JsonResponse
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.views import APIView
+from rest_framework_api_key.permissions import HasAPIKey
 
 from .. import tasks
-from build.views import BuildAccess
 
 
 class RefreshGerritInfo(APIView):
-    permission_classes = (BuildAccess,)
+    permission_classes = [HasAPIKey | IsAuthenticated]
 
     def post(self, request):
         res = tasks.gerrit_fetch_all.delay()

repoapi/settings/common.py

@@ -182,3 +182,5 @@ CELERY_TASK_SERIALIZER = "json"
 CELERY_RESULT_SERIALIZER = "json"
 CELERY_ACCEPT_CONTENT = ["application/json"]
 CELERY_RESULT_BACKEND = "django-db"
+
+API_KEY_CUSTOM_HEADER = "HTTP_API_KEY"

repoapi/settings/prod.py

@@ -93,7 +93,6 @@ WORKFRONT_CREDENTIALS = BASE_DIR / "/etc/jenkins_jobs/workfront.ini"
 WORKFRONT_NOTE = True
 
 # build app
-BUILD_KEY_AUTH = True
 BUILD_REPOS_SCRIPTS_CONFIG_DIR = Path(
     "/usr/share/sipwise-repos-scripts/config"
 )

repoapi/settings/test.py

@@ -94,7 +94,6 @@ RELEASE_DASHBOARD_DOCKER_IMAGES = {
 }
 
 # build app
-BUILD_KEY_AUTH = True
 BUILD_REPOS_SCRIPTS_CONFIG_DIR = BASE_DIR.joinpath(
     "build", "fixtures", "config"
 )

repoapi/test/base.py

@@ -20,7 +20,6 @@ from tempfile import mkdtemp
 from django.test import override_settings
 from django.test import TestCase
 from rest_framework.test import APITestCase
-from rest_framework_api_key.helpers import generate_key
 from rest_framework_api_key.models import APIKey
 
 JBI_BASEDIR = Path(mkdtemp(dir=os.environ.get("RESULTS")))
@@ -49,7 +48,5 @@ class APIAuthenticatedTestCase(BaseTest, APITestCase):
 
     def setUp(self):
         super(APIAuthenticatedTestCase, self).setUp()
-        self.app_key = APIKey.objects.create(
-            name=self.APP_NAME, key=generate_key()
-        )
-        self.client.credentials(HTTP_API_KEY=self.app_key.key)
+        self.app_key, key = APIKey.objects.create_key(name=self.APP_NAME)
+        self.client.credentials(HTTP_API_KEY=key)

requirements/common.txt

@@ -12,8 +12,8 @@ django-jsonify
 django-structlog
 django-timezone-field
 djangorestframework>=3.6
+djangorestframework-api-key==2.*
 drf-spectacular
-drfapikey
 flower>=0.9.5
 markdown
 natsort

t/Dockerfile

@@ -5,7 +5,7 @@ FROM docker.mgm.sipwise.com/sipwise-bullseye:latest
 # is updated with the current date. It will force refresh of all
 # of the base images and things like `apt-get update` won't be using
 # old cached versions when the Dockerfile is built.
-ENV REFRESHED_AT 2022-05-26
+ENV REFRESHED_AT 2022-05-27
 
 RUN apt-get update && apt-get install --assume-yes python3 python3-dev \
 	python3-pytest python3-pytest-pep8 \