REST: Enable token auth support

stephenfin · stephenfin · commit 274763e7b66d · 2017-06-14T09:38:25.000+01:00
Token authentication is generally viewed as a more secure option for API
authentication than storing a username and password.

Django REST Framework gives us a TokenAuthentication class and an authtoken
app that we can use to generate random tokens and authenticate to API
endpoints. Enable this support and add some tests to validate correct
behavior.

Signed-off-by: Andrew Donnellan &lt;andrew.donnellan@au1.ibm.com&gt;
Signed-off-by: Stephen Finucane &lt;stephen@that.guru&gt;
diff --git a/patchwork/models.py b/patchwork/models.py
@@ -37,6 +37,9 @@
 from patchwork.fields import HashField
 from patchwork.hasher import hash_diff
 
+if settings.ENABLE_REST_API:
+    from rest_framework.authtoken.models import Token
+
 
 @python_2_unicode_compatible
 class Person(models.Model):
@@ -162,6 +165,16 @@ def contributor_projects(self):
     def n_todo_patches(self):
         return self.todo_patches().count()
 
+    @property
+    def token(self):
+        if not settings.ENABLE_REST_API:
+            return
+
+        try:
+            return Token.objects.get(user=self.user)
+        except Token.DoesNotExist:
+            return
+
     def todo_patches(self, project=None):
         # filter on project, if necessary
         if project:
diff --git a/patchwork/settings/base.py b/patchwork/settings/base.py
@@ -143,6 +143,7 @@
 
     INSTALLED_APPS += [
         'rest_framework',
+        'rest_framework.authtoken',
         'django_filters',
     ]
 except ImportError:
@@ -158,6 +159,11 @@
         'rest_framework.filters.SearchFilter',
         'rest_framework.filters.OrderingFilter',
     ),
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'rest_framework.authentication.SessionAuthentication',
+        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.TokenAuthentication',
+    ),
     'SEARCH_PARAM': 'q',
     'ORDERING_PARAM': 'order',
 }
diff --git a/patchwork/tests/test_bundles.py b/patchwork/tests/test_bundles.py
@@ -37,6 +37,7 @@
 from patchwork.tests.utils import create_patches
 from patchwork.tests.utils import create_project
 from patchwork.tests.utils import create_user
+from patchwork.views import utils as view_utils
 
 
 def bundle_url(bundle):
@@ -311,6 +312,7 @@ def test_private_bundle(self):
         self.assertEqual(response.status_code, 404)
 
 
+@unittest.skipUnless(settings.ENABLE_REST_API, 'requires ENABLE_REST_API')
 class BundlePrivateViewMboxTest(BundlePrivateViewTest):
 
     """Ensure that non-owners can't view private bundle mboxes"""
@@ -342,6 +344,28 @@ def _get_auth_string(user):
         response = self.client.get(self.url, HTTP_AUTHORIZATION=auth_string)
         self.assertEqual(response.status_code, 404)
 
+    def test_private_bundle_mbox_token_auth(self):
+        self.client.logout()
+
+        # create tokens for both users
+        for user in [self.user, self.other_user]:
+            view_utils.regenerate_token(user)
+
+        def _get_auth_string(user):
+            return 'Token {}'.format(str(user.profile.token))
+
+        # Check we can view as owner
+        auth_string = _get_auth_string(self.user)
+        response = self.client.get(self.url, HTTP_AUTHORIZATION=auth_string)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, self.patches[0].name)
+
+        # Check we can't view as another user
+        auth_string = _get_auth_string(self.other_user)
+        response = self.client.get(self.url, HTTP_AUTHORIZATION=auth_string)
+        self.assertEqual(response.status_code, 404)
+
 
 class BundleCreateFromListTest(BundleTestBase):
 
diff --git a/patchwork/views/bundle.py b/patchwork/views/bundle.py
@@ -36,19 +36,23 @@
 from patchwork.views.utils import bundle_to_mbox
 
 if settings.ENABLE_REST_API:
-    from rest_framework.authentication import BasicAuthentication  # noqa
+    from rest_framework.authentication import SessionAuthentication
     from rest_framework.exceptions import AuthenticationFailed
+    from rest_framework.settings import api_settings
 
 
 def rest_auth(request):
     if not settings.ENABLE_REST_API:
         return request.user
-    try:
-        auth_result = BasicAuthentication().authenticate(request)
-        if auth_result:
-            return auth_result[0]
-    except AuthenticationFailed:
-        pass
+    for auth in api_settings.DEFAULT_AUTHENTICATION_CLASSES:
+        if auth == SessionAuthentication:
+            continue
+        try:
+            auth_result = auth().authenticate(request)
+            if auth_result:
+                return auth_result[0]
+        except AuthenticationFailed:
+            pass
     return request.user
 
 
diff --git a/patchwork/views/utils.py b/patchwork/views/utils.py
@@ -26,13 +26,17 @@
 import email.utils
 import re
 
+from django.conf import settings
 from django.http import Http404
 from django.utils import six
 
 from patchwork.models import Comment
 from patchwork.models import Patch
 from patchwork.models import Series
 
+if settings.ENABLE_REST_API:
+    from rest_framework.authtoken.models import Token
+
 
 class PatchMbox(MIMENonMultipart):
     patch_charset = 'utf-8'
@@ -181,3 +185,13 @@ def series_to_mbox(series):
         mbox.append(patch_to_mbox(dep.patch))
 
     return '\n'.join(mbox)
+
+
+def regenerate_token(user):
+    """Generate (or regenerate) user API tokens.
+
+    Arguments:
+        user: The User object to generate a token for.
+    """
+    Token.objects.filter(user=user).delete()
+    Token.objects.create(user=user)
