harmacist/healthchecks
1
0
Fork 0
forked from GithubBackups/healthchecks
Code Issues Pull Requests Projects Releases Wiki Activity

Use the api keys from project, not user profile

Browse Source
This commit is contained in:
Pēteris Caune 2019-01-12 21:34:45 +02:00
parent 1c69cf7f89
commit 6b7f212c8a
No known key found for this signature in database
GPG Key ID: E28D7679E9A9EDE2
11 changed files with 42 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hc/accounts/tests/test_profile.py
View File

@ -193,7 +193,7 @@ class ProfileTestCase(BaseTestCase):
# to user's default team. # to user's default team.
self.bobs_profile.refresh_from_db() self.bobs_profile.refresh_from_db()
self.assertEqual(self.bobs_profile.current_team, self.bobs_profile) self.assertEqual(self.bobs_profile.current_team, self.bobs_profile)
self.assertEqual(self.bobs_profile.current_project, None) self.assertEqual(self.bobs_profile.current_project, self.bobs_project)
def test_it_sends_change_email_link(self): def test_it_sends_change_email_link(self):
self.client.login(username="alice@example.org", password="password") self.client.login(username="alice@example.org", password="password")

15
hc/api/decorators.py
View File

@ -4,6 +4,7 @@ from functools import wraps
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.db.models import Q from django.db.models import Q
from django.http import HttpResponse, JsonResponse from django.http import HttpResponse, JsonResponse
from hc.accounts.models import Project
from hc.lib.jsonschema import ValidationError, validate from hc.lib.jsonschema import ValidationError, validate
@ -23,9 +24,8 @@ def authorize(f):
return error("missing api key", 401) return error("missing api key", 401)
try: try:
request.user = User.objects.get(profile__api_key=api_key) request.project = Project.objects.get(api_key=api_key)
request.project = request.user.project_set.first() except Project.DoesNotExist:
except User.DoesNotExist:
return error("wrong api key", 401) return error("wrong api key", 401)
return f(request, *args, **kwds) return f(request, *args, **kwds)
@ -43,12 +43,11 @@ def authorize_read(f):
if len(api_key) != 32: if len(api_key) != 32:
return error("missing api key", 401) return error("missing api key", 401)
write_key_match = Q(profile__api_key=api_key) write_key_match = Q(api_key=api_key)
read_key_match = Q(profile__api_key_readonly=api_key) read_key_match = Q(api_key_readonly=api_key)
try: try:
request.user = User.objects.get(write_key_match | read_key_match) request.project = Project.objects.get(write_key_match | read_key_match)
request.project = request.user.project_set.first() except Project.DoesNotExist:
except User.DoesNotExist:
return error("wrong api key", 401) return error("wrong api key", 401)
return f(request, *args, **kwds) return f(request, *args, **kwds)

3
hc/api/tests/test_badge.py
View File

@ -12,7 +12,8 @@ class BadgeTestCase(BaseTestCase):
def setUp(self): def setUp(self):
super(BadgeTestCase, self).setUp() super(BadgeTestCase, self).setUp()
self.check = Check.objects.create(user=self.alice, tags="foo bar") self.check = Check.objects.create(user=self.alice, project=self.project,
tags="foo bar")
sig = base64_hmac(str(self.alice.username), "foo", settings.SECRET_KEY) sig = base64_hmac(str(self.alice.username), "foo", settings.SECRET_KEY)
sig = sig[:8] sig = sig[:8]

2
hc/api/tests/test_create_check.py
View File

@ -87,7 +87,7 @@ class CreateCheckTestCase(BaseTestCase):
self.assertEqual(check.channel_set.get(), channel) self.assertEqual(check.channel_set.get(), channel)
def test_it_supports_unique(self): def test_it_supports_unique(self):
existing = Check(user=self.alice, name="Foo") existing = Check(user=self.alice, name="Foo", project=self.project)
existing.save() existing.save()
r = self.post({ r = self.post({

2
hc/api/tests/test_delete_check.py
View File

@ -6,7 +6,7 @@ class DeleteCheckTestCase(BaseTestCase):
def setUp(self): def setUp(self):
super(DeleteCheckTestCase, self).setUp() super(DeleteCheckTestCase, self).setUp()
self.check = Check(user=self.alice) self.check = Check(user=self.alice, project=self.project)
self.check.save() self.check.save()
def test_it_works(self): def test_it_works(self):

9
hc/api/tests/test_list_channels.py
View File

@ -9,7 +9,7 @@ class ListChannelsTestCase(BaseTestCase):
def setUp(self): def setUp(self):
super(ListChannelsTestCase, self).setUp() super(ListChannelsTestCase, self).setUp()
self.c1 = Channel(user=self.alice) self.c1 = Channel(user=self.alice, project=self.project)
self.c1.kind = "email" self.c1.kind = "email"
self.c1.name = "Email to Alice" self.c1.name = "Email to Alice"
self.c1.save() self.c1.save()
@ -36,7 +36,8 @@ class ListChannelsTestCase(BaseTestCase):
self.assertIn("GET", r["Access-Control-Allow-Methods"]) self.assertIn("GET", r["Access-Control-Allow-Methods"])
def test_it_shows_only_users_channels(self): def test_it_shows_only_users_channels(self):
Channel.objects.create(user=self.bob, kind="email", name="Bob") Channel.objects.create(user=self.bob, kind="email", name="Bob",
project=self.bobs_project)
r = self.get() r = self.get()
data = r.json() data = r.json()
@ -53,8 +54,8 @@ class ListChannelsTestCase(BaseTestCase):
self.assertContains(r, "Email to Alice") self.assertContains(r, "Email to Alice")
def test_readonly_key_works(self): def test_readonly_key_works(self):
self.profile.api_key_readonly = "R" * 32 self.project.api_key_readonly = "R" * 32
self.profile.save() self.project.save()
r = self.client.get("/api/v1/channels/", HTTP_X_API_KEY="R" * 32) r = self.client.get("/api/v1/channels/", HTTP_X_API_KEY="R" * 32)
self.assertEqual(r.status_code, 200) self.assertEqual(r.status_code, 200)

11
hc/api/tests/test_list_checks.py
View File

@ -14,7 +14,7 @@ class ListChecksTestCase(BaseTestCase):
self.now = now().replace(microsecond=0) self.now = now().replace(microsecond=0)
self.a1 = Check(user=self.alice, name="Alice 1") self.a1 = Check(user=self.alice, name="Alice 1", project=self.project)
self.a1.timeout = td(seconds=3600) self.a1.timeout = td(seconds=3600)
self.a1.grace = td(seconds=900) self.a1.grace = td(seconds=900)
self.a1.n_pings = 0 self.a1.n_pings = 0
@ -22,7 +22,7 @@ class ListChecksTestCase(BaseTestCase):
self.a1.tags = "a1-tag a1-additional-tag" self.a1.tags = "a1-tag a1-additional-tag"
self.a1.save() self.a1.save()
self.a2 = Check(user=self.alice, name="Alice 2") self.a2 = Check(user=self.alice, name="Alice 2", project=self.project)
self.a2.timeout = td(seconds=86400) self.a2.timeout = td(seconds=86400)
self.a2.grace = td(seconds=3600) self.a2.grace = td(seconds=3600)
self.a2.last_ping = self.now self.a2.last_ping = self.now
@ -79,7 +79,8 @@ class ListChecksTestCase(BaseTestCase):
self.assertIn("GET", r["Access-Control-Allow-Methods"]) self.assertIn("GET", r["Access-Control-Allow-Methods"])
def test_it_shows_only_users_checks(self): def test_it_shows_only_users_checks(self):
bobs_check = Check(user=self.bob, name="Bob 1") bobs_check = Check(user=self.bob, name="Bob 1",
project=self.bobs_project)
bobs_check.save() bobs_check.save()
r = self.get() r = self.get()
@ -139,8 +140,8 @@ class ListChecksTestCase(BaseTestCase):
self.assertEqual(len(doc["checks"]), 0) self.assertEqual(len(doc["checks"]), 0)
def test_readonly_key_works(self): def test_readonly_key_works(self):
self.profile.api_key_readonly = "R" * 32 self.project.api_key_readonly = "R" * 32
self.profile.save() self.project.save()
r = self.client.get("/api/v1/checks/", HTTP_X_API_KEY="R" * 32) r = self.client.get("/api/v1/checks/", HTTP_X_API_KEY="R" * 32)
self.assertEqual(r.status_code, 200) self.assertEqual(r.status_code, 200)

6
hc/api/tests/test_pause.py
View File

@ -8,7 +8,7 @@ from hc.test import BaseTestCase
class PauseTestCase(BaseTestCase): class PauseTestCase(BaseTestCase):
def test_it_works(self): def test_it_works(self):
check = Check(user=self.alice, status="up") check = Check(user=self.alice, status="up", project=self.project)
check.save() check.save()
url = "/api/v1/checks/%s/pause" % check.code url = "/api/v1/checks/%s/pause" % check.code
@ -22,7 +22,7 @@ class PauseTestCase(BaseTestCase):
self.assertEqual(check.status, "paused") self.assertEqual(check.status, "paused")
def test_it_handles_options(self): def test_it_handles_options(self):
check = Check(user=self.alice, status="up") check = Check(user=self.alice, status="up", project=self.project)
check.save() check.save()
r = self.client.options("/api/v1/checks/%s/pause" % check.code) r = self.client.options("/api/v1/checks/%s/pause" % check.code)
@ -60,7 +60,7 @@ class PauseTestCase(BaseTestCase):
self.assertEqual(r.status_code, 404) self.assertEqual(r.status_code, 404)
def test_it_clears_last_start_alert_after(self): def test_it_clears_last_start_alert_after(self):
check = Check(user=self.alice, status="up") check = Check(user=self.alice, status="up", project=self.project)
check.last_start = now() check.last_start = now()
check.alert_after = check.last_start + td(hours=1) check.alert_after = check.last_start + td(hours=1)
check.save() check.save()

2
hc/api/tests/test_update_check.py
View File

@ -8,7 +8,7 @@ class UpdateCheckTestCase(BaseTestCase):
def setUp(self): def setUp(self):
super(UpdateCheckTestCase, self).setUp() super(UpdateCheckTestCase, self).setUp()
self.check = Check(user=self.alice) self.check = Check(user=self.alice, project=self.project)
self.check.save() self.check.save()
def post(self, code, data): def post(self, code, data):

23
hc/api/views.py
View File

@ -37,10 +37,10 @@ def ping(request, code, action="success"):
return response return response
def _lookup(user, spec): def _lookup(project, spec):
unique_fields = spec.get("unique", []) unique_fields = spec.get("unique", [])
if unique_fields: if unique_fields:
existing_checks = Check.objects.filter(user=user) existing_checks = Check.objects.filter(project=project)
if "name" in unique_fields: if "name" in unique_fields:
existing_checks = existing_checks.filter(name=spec.get("name")) existing_checks = existing_checks.filter(name=spec.get("name"))
if "tags" in unique_fields: if "tags" in unique_fields:
@ -105,7 +105,7 @@ def _update(check, spec):
@validate_json() @validate_json()
@authorize_read @authorize_read
def get_checks(request): def get_checks(request):
q = Check.objects.filter(user=request.user) q = Check.objects.filter(project=request.project)
q = q.prefetch_related("channel_set") q = q.prefetch_related("channel_set")
tags = set(request.GET.getlist("tag")) tags = set(request.GET.getlist("tag"))
@ -126,13 +126,14 @@ def get_checks(request):
@authorize @authorize
def create_check(request): def create_check(request):
created = False created = False
check = _lookup(request.user, request.json) check = _lookup(request.project, request.json)
if check is None: if check is None:
num_checks = Check.objects.filter(user=request.user).count() user = request.project.owner
if num_checks >= request.user.profile.check_limit: num_checks = Check.objects.filter(project__owner=user).count()
if num_checks >= user.profile.check_limit:
return HttpResponseForbidden() return HttpResponseForbidden()
check = Check(user=request.user, project=request.project) check = Check(user=request.project.owner, project=request.project)
created = True created = True
_update(check, request.json) _update(check, request.json)
@ -152,7 +153,7 @@ def checks(request):
@validate_json() @validate_json()
@authorize_read @authorize_read
def channels(request): def channels(request):
q = Channel.objects.filter(user=request.user) q = Channel.objects.filter(project=request.project)
channels = [ch.to_dict() for ch in q] channels = [ch.to_dict() for ch in q]
return JsonResponse({"channels": channels}) return JsonResponse({"channels": channels})
@ -163,7 +164,7 @@ def channels(request):
@authorize @authorize
def update(request, code): def update(request, code):
check = get_object_or_404(Check, code=code) check = get_object_or_404(Check, code=code)
if check.user != request.user: if check.project != request.project:
return HttpResponseForbidden() return HttpResponseForbidden()
if request.method == "POST": if request.method == "POST":
@ -185,7 +186,7 @@ def update(request, code):
@authorize @authorize
def pause(request, code): def pause(request, code):
check = get_object_or_404(Check, code=code) check = get_object_or_404(Check, code=code)
if check.user != request.user: if check.project != request.project:
return HttpResponseForbidden() return HttpResponseForbidden()
check.status = "paused" check.status = "paused"
@ -202,7 +203,7 @@ def badge(request, username, signature, tag, format="svg"):
return HttpResponseNotFound() return HttpResponseNotFound()
status = "up" status = "up"
q = Check.objects.filter(user__username=username) q = Check.objects.filter(project__owner__username=username)
if tag != "*": if tag != "*":
q = q.filter(tags__contains=tag) q = q.filter(tags__contains=tag)
label = tag label = tag

3
hc/test.py
View File

@ -27,6 +27,9 @@ class BaseTestCase(TestCase):
self.bob.set_password("password") self.bob.set_password("password")
self.bob.save() self.bob.save()
self.bobs_project = Project(owner=self.bob)
self.bobs_project.save()
self.bobs_profile = Profile(user=self.bob) self.bobs_profile = Profile(user=self.bob)
self.bobs_profile.current_team = self.profile self.bobs_profile.current_team = self.profile
self.bobs_profile.current_project = self.project self.bobs_profile.current_project = self.project