Disable anonymous result upload

This patch disables anonymous test result uploads. It also fixes a python35 incompatability uncovered by more extensive testing of signing uploads (bytes can no longer be decoded). Also updated coverage tests to not include tests in coverage. Co-Authored-By: megan guiney <meganmguiney@gmail.com> Change-Id: I3f19f1399eb2948eaf8340b5c4be18b698c7e139
2017-09-26 15:12:08 -07:00 · 2017-09-26 15:12:08 -07:00 · 4595c1f0b6
commit 4595c1f0b6
parent 2afff3094a
6 changed files with 163 additions and 26 deletions
--- a/etc/refstack.conf.sample
+++ b/etc/refstack.conf.sample
@ -154,6 +154,11 @@
 # contents of that file. (string value)
 #github_raw_base_url = https://raw.githubusercontent.com/openstack/interop/master/
 # Enable or disable anonymous uploads. If set to False, all clients
 # will need to authenticate and sign with a public/private keypair
 # previously uploaded to their user account.
 #enable_anonymous_upload = true
 # Number of results for one page (integer value)
 #results_per_page = 20
--- a/refstack/api/app.py
+++ b/refstack/api/app.py
@ -94,7 +94,14 @@ API_OPTS = [
               help='This is the base URL that is used for retrieving '
                    'specific capability files. Capability file names will '
                    'be appended to this URL to get the contents of that file.'
-               )
+               ),
    cfg.BoolOpt('enable_anonymous_upload',
                default=True,
                help='Enable or disable anonymous uploads. If set to False, '
                     'all clients will need to authenticate and sign with a '
                     'public/private keypair previously uploaded to their '
                     'user account.'
                )
 ]
 CONF = cfg.CONF
--- a/refstack/api/controllers/results.py
+++ b/refstack/api/controllers/results.py
@ -103,6 +103,40 @@ class ResultsController(validation.BaseRestControllerWithValidation):
    meta = MetadataController()
    def _check_authentication(self):
        x_public_key = pecan.request.headers.get('X-Public-Key')
        if x_public_key:
            public_key = x_public_key.strip().split()[1]
            stored_public_key = db.get_pubkey(public_key)
            if not stored_public_key:
                pecan.abort(401, 'User with specified key not found. '
                                 'Please log into the RefStack server to '
                                 'upload your key.')
        else:
            stored_public_key = None
        if not CONF.api.enable_anonymous_upload and not stored_public_key:
            pecan.abort(401, 'Anonymous result uploads are disabled. '
                             'Please create a user account and an api '
                             'key at https://refstack.openstack.org/#/')
        return stored_public_key
    def _auto_version_associate(self, test, test_, pubkey):
        if test.get('cpid'):
            version = db.get_product_version_by_cpid(
                test['cpid'], allowed_keys=['id', 'product_id'])
            # Only auto-associate if there is a single product version
            # with the given cpid.
            if len(version) == 1:
                is_foundation = api_utils.check_user_is_foundation_admin(
                    pubkey.openid)
                is_product_admin = api_utils.check_user_is_product_admin(
                    version[0]['product_id'], pubkey.openid)
                if is_foundation or is_product_admin:
                    test_['product_version_id'] = version[0]['id']
        return test_
    @pecan.expose('json')
    @api_utils.check_permissions(level=const.ROLE_USER)
    def get_one(self, test_id):
@ -125,7 +159,8 @@ class ResultsController(validation.BaseRestControllerWithValidation):
        if user_role not in (const.ROLE_FOUNDATION, const.ROLE_OWNER):
            # Don't expose product information if product is not public.
            if (test_info.get('product_version') and
-               not test_info['product_version']['product_info']['public']):
+                    not test_info['product_version']
                    ['product_info']['public']):
                test_info['product_version'] = None
@ -137,30 +172,16 @@ class ResultsController(validation.BaseRestControllerWithValidation):
    def store_item(self, test):
        """Handler for storing item. Should return new item id."""
        # If we need a key, or the key isn't available, this will throw
        # an exception with a 401
        pubkey = self._check_authentication()
        test_ = test.copy()
-        if pecan.request.headers.get('X-Public-Key'):
+        if pubkey:
            key = pecan.request.headers.get('X-Public-Key').strip().split()[1]
            if 'meta' not in test_:
                test_['meta'] = {}
            pubkey = db.get_pubkey(key)
            if not pubkey:
                pecan.abort(400, 'User with specified key not found. '
                                 'Please log into the RefStack server to '
                                 'upload your key.')
            test_['meta'][const.USER] = pubkey.openid
-            if test.get('cpid'):
+            test_ = self._auto_version_associate(test, test_, pubkey)
-                version = db.get_product_version_by_cpid(
+
                    test['cpid'], allowed_keys=['id', 'product_id'])
                # Only auto-associate if there is a single product version
                # with the given cpid.
                if len(version) == 1:
                    is_foundation = api_utils.check_user_is_foundation_admin(
                        pubkey.openid)
                    is_product_admin = api_utils.check_user_is_product_admin(
                        version[0]['product_id'], pubkey.openid)
                    if is_foundation or is_product_admin:
                        test_['product_version_id'] = version[0]['id']
        test_id = db.store_results(test_)
        return {'test_id': test_id,
                'url': parse.urljoin(CONF.ui_url,
@ -224,7 +245,8 @@ class ResultsController(validation.BaseRestControllerWithValidation):
                    # Don't expose product info if the product is not public.
                    if (result.get('product_version') and not
-                       result['product_version']['product_info']['public']):
+                            result['product_version']['product_info']
                            ['public']):
                        result['product_version'] = None
                    # Only show all metadata if the user is the owner or a
--- a/refstack/db/sqlalchemy/api.py
+++ b/refstack/db/sqlalchemy/api.py
@ -323,7 +323,7 @@ def get_pubkey(key):
    The md5 hash of the key is used for the query for quicker lookups.
    """
    session = get_session()
-    md5_hash = hashlib.md5(base64.b64decode(key.encode('ascii'))).hexdigest()
+    md5_hash = hashlib.md5(base64.b64decode(key)).hexdigest()
    pubkeys = session.query(models.PubKey).filter_by(md5_hash=md5_hash).all()
    if len(pubkeys) == 1:
        return pubkeys[0]
@ -342,7 +342,7 @@ def store_pubkey(pubkey_info):
    pubkey.pubkey = pubkey_info['pubkey']
    pubkey.md5_hash = hashlib.md5(
        base64.b64decode(
-            pubkey_info['pubkey'].encode('ascii')
+            pubkey_info['pubkey']
        )
    ).hexdigest()
    pubkey.comment = pubkey_info['comment']
--- a/refstack/tests/api/test_results.py
+++ b/refstack/tests/api/test_results.py
@ -25,6 +25,14 @@ from refstack.api import validators
 from refstack import db
 from refstack.tests import api
 import binascii
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 FAKE_TESTS_RESULT = {
    'cpid': 'foo',
    'duration_seconds': 10,
@ -407,3 +415,98 @@ class TestResultsEndpoint(api.FunctionalTest):
        db.update_test({'id': test_id, 'verification_status': 0})
        resp = self.delete(url, expect_errors=True)
        self.assertEqual(204, resp.status_code)
 class TestResultsEndpointNoAnonymous(api.FunctionalTest):
    URL = '/v1/results/'
    def _generate_keypair_(self):
        return rsa.generate_private_key(
            public_exponent=65537,
            key_size=1024,
            backend=default_backend()
        )
    def _sign_body_(self, keypair, body):
        signer = keypair.signer(padding.PKCS1v15(), hashes.SHA256())
        signer.update(body)
        return signer.finalize()
    def _get_public_key_(self, keypair):
        pubkey = keypair.public_key().public_bytes(
            serialization.Encoding.OpenSSH,
            serialization.PublicFormat.OpenSSH
        )
        return pubkey
    def setUp(self):
        super(TestResultsEndpointNoAnonymous, self).setUp()
        self.config_fixture = config_fixture.Config()
        self.CONF = self.useFixture(self.config_fixture).conf
        self.CONF.api.enable_anonymous_upload = False
        self.user_info = {
            'openid': 'test-open-id',
            'email': 'foo@bar.com',
            'fullname': 'Foo Bar'
        }
        db.user_save(self.user_info)
        good_key = self._generate_keypair_()
        self.body = json.dumps(FAKE_TESTS_RESULT).encode()
        signature = self._sign_body_(good_key, self.body)
        pubkey = self._get_public_key_(good_key)
        x_signature = binascii.b2a_hex(signature)
        self.good_headers = {
            'X-Signature': x_signature,
            'X-Public-Key': pubkey
        }
        self.pubkey_info = {
            'openid': 'test-open-id',
            'format': 'ssh-rsa',
            'pubkey': pubkey.split()[1],
            'comment': 'comment'
        }
        db.store_pubkey(self.pubkey_info)
        bad_key = self._generate_keypair_()
        bad_signature = self._sign_body_(bad_key, self.body)
        bad_pubkey = self._get_public_key_(bad_key)
        x_bad_signature = binascii.b2a_hex(bad_signature)
        self.bad_headers = {
            'X-Signature': x_bad_signature,
            'X-Public-Key': bad_pubkey
        }
    def test_post_with_no_token(self):
        """Test results endpoint with post request."""
        results = json.dumps(FAKE_TESTS_RESULT)
        actual_response = self.post_json(self.URL, expect_errors=True,
                                         params=results)
        self.assertEqual(actual_response.status_code, 401)
    def test_post_with_valid_token(self):
        """Test results endpoint with post request."""
        results = json.dumps(FAKE_TESTS_RESULT)
        actual_response = self.post_json(self.URL,
                                         headers=self.good_headers,
                                         params=results)
        self.assertIn('test_id', actual_response)
        try:
            uuid.UUID(actual_response.get('test_id'), version=4)
        except ValueError:
            self.fail("actual_response doesn't contain test_id")
    def test_post_with_invalid_token(self):
        results = json.dumps(FAKE_TESTS_RESULT)
        actual_response = self.post_json(self.URL,
                                         headers=self.bad_headers,
                                         expect_errors=True,
                                         params=results)
        self.assertEqual(actual_response.status_code, 401)
--- a/tox.ini
+++ b/tox.ini
@ -57,7 +57,7 @@ commands = {posargs}
 [testenv:gen-cover]
 commands = python setup.py testr --coverage \
-    --omit='{toxinidir}/refstack/tests*,{toxinidir}/refstack/api/config.py,{toxinidir}/refstack/db/migrations/alembic/*,{toxinidir}/refstack/opts.py' \
+    --omit='{toxinidir}/refstack/tests/unit/*,{toxinidir}/refstack/tests/api/*,{toxinidir}/refstack/api/config.py,{toxinidir}/refstack/db/migrations/alembic/*,{toxinidir}/refstack/opts.py' \
    --testr-args='{posargs}'
 [testenv:cover]