api: search api keys from dedicated storage objects too (#48751)

2020-11-28 16:17:49 +01:00 · 2020-11-28 16:17:49 +01:00 · 7138d09c3b
parent 119288b7cd
commit 7138d09c3b
2 changed files with 28 additions and 1 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -299,6 +299,32 @@ def test_get_user(pub, local_user):
    assert [x['slug'] for x in output.json['user_roles']] == ['foo-bar']


+def test_api_access_from_xml_storable_object(pub, local_user, admin_user):
+    app = login(get_app(pub))
+    resp = app.get('/backoffice/settings/api-access/new')
+    resp.form['name'] = 'Salut API access key'
+    resp.form['access_identifier'] = 'salut'
+    resp.form['access_key'] = '5678'
+    resp = resp.form.submit('submit')
+
+    Role.wipe()
+    role = Role(name='Foo bar')
+    role.store()
+    local_user.roles = [role.id]
+    local_user.store()
+    signed_url = sign_url('http://example.net/api/user/?format=json&orig=UNKNOWN_ACCESS&email=%s' % (
+        urllib.quote(local_user.email)), '5678')
+    url = signed_url[len('http://example.net'):]
+    output = get_app(pub).get(url, status=403)
+    assert output.json['err_desc'] == 'invalid orig'
+
+    signed_url = sign_url('http://example.net/api/user/?format=json&orig=salut&email=%s' % (
+        urllib.quote(local_user.email)), '5678')
+    url = signed_url[len('http://example.net'):]
+    output = get_app(pub).get(url)
+    assert output.json['user_display_name'] == u'Jean Darmette'
+
+
 def test_is_url_signed_check_nonce(pub, local_user, freezer):
    ORIG = 'xxx'
    KEY = 'xxx'
--- a/wcs/api_utils.py
+++ b/wcs/api_utils.py
@ -29,6 +29,7 @@ from django.utils.six.moves.urllib import parse as urllib
 from django.utils.six.moves.urllib import parse as urlparse

 from quixote import get_request, get_publisher
+from .api_access import ApiAccess
 from .qommon.errors import (AccessForbiddenError, HttpResponse401Error, UnknownNameIdAccessForbiddenError)
 import qommon.misc

@ -49,7 +50,7 @@ def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
    orig = get_request().form.get('orig')
    if not isinstance(orig, six.string_types):
        raise AccessForbiddenError('missing/multiple orig field')
-    key = get_publisher().get_site_option(orig, 'api-secrets')
+    key = ApiAccess.get_access_key(orig) or get_publisher().get_site_option(orig, 'api-secrets')
    if not key:
        raise AccessForbiddenError('invalid orig')
    algo = get_request().form.get('algo')