diff --git a/arkindex/documents/management/commands/bootstrap.py b/arkindex/documents/management/commands/bootstrap.py
index 3ca2dacd4a0fbdfc5e63450c7c7c5e2d4664dbd2..a5024cc46239ed76f36d7a4725f06a0c1e64d616 100644
--- a/arkindex/documents/management/commands/bootstrap.py
+++ b/arkindex/documents/management/commands/bootstrap.py
@@ -6,12 +6,10 @@ from django.core.management.base import BaseCommand
 from django.db import transaction
 from django.db.models import Q
 from django.db.utils import IntegrityError
-from rest_framework.authtoken.models import Token
 from arkindex.images.models import ImageServer
 from arkindex.ponos.models import Farm
 from arkindex.process.models import FeatureUsage, Repository, Worker, WorkerType, WorkerVersion, WorkerVersionState
-from arkindex.users.models import User
 # Constants used in architecture project
 UPLOADS_IMAGE_SERVER_ID = 12345
@@ -30,7 +28,6 @@ IMPORT_WORKER_SLUG = "file_import"
 IMPORT_WORKER_REPO = "https://gitlab.teklia.com/arkindex/tasks"
 IMPORT_WORKER_REVISION_MESSAGE = "File import worker bootstrap"
 IMPORT_WORKER_REVISION_AUTHOR = "Dev Bootstrap"
-ADMIN_API_TOKEN = "deadbeefTestToken"
 class Command(BaseCommand):
@@ -48,15 +45,6 @@ class Command(BaseCommand):
 """Helper to display error messages"""
 self.stdout.write(self.style.ERROR(f"⌠{msg}"))
- def check_user(self, user):
- """Ensure a user is admin"""
- if user.is_admin:
- self.success(f"Admin user for legacy worker API tokens {user} is valid")
- else:
- user.is_admin = True
- user.save()
- self.warn(f"Updated user {user} to admin")
-
 def create_image_server(self, id, url, bucket, region, display_name):
 try:
 server = ImageServer.objects.get(Q(id=id) | Q(url=url))
@@ -129,29 +117,6 @@ class Command(BaseCommand):
 )
 self.success("Ponos farm created")
- # An admin API user with a specific token
- try:
- token = Token.objects.get(key=ADMIN_API_TOKEN)
- self.check_user(token.user)
- except Token.DoesNotExist:
- # Create a new internal user
- user, _ = User.objects.get_or_create(
- email="internal+bootstrap@teklia.com",
- defaults={
- "display_name": "Bootstrap Admin user",
- "is_admin": True,
- }
- )
- self.success("Created internal user")
- self.check_user(user)
-
- # Finally create a specific token for that user
- if hasattr(user, "auth_token"):
- # Support One-To-One relation
- user.auth_token.delete()
- Token.objects.create(key=ADMIN_API_TOKEN, user=user)
- self.success(f"Created token {ADMIN_API_TOKEN}")
-
 # an image server for local cantaloupe https://ark.localhost/iiif/2
 uploads_server = self.create_image_server(UPLOADS_IMAGE_SERVER_ID , UPLOADS_IMAGE_SERVER_URL, UPLOADS_IMAGE_SERVER_BUCKET , UPLOADS_IMAGE_SERVER_REGION , "Local IIIF server for user uploaded files through frontend")
 if uploads_server is None:
diff --git a/arkindex/project/checks.py b/arkindex/project/checks.py
index 4e9845fcb7e19005e75f3c48d2da7f3f7e9febfe..956d7da0de2307054ab0bafc8ac42625ad2017d9 100644
--- a/arkindex/project/checks.py
+++ b/arkindex/project/checks.py
@@ -87,7 +87,7 @@ def ponos_env_check(*args, **kwargs):
 errors = []
 env = settings.PONOS_DEFAULT_ENV.copy()
- for variable in ("ARKINDEX_API_URL", "ARKINDEX_API_TOKEN", "ARKINDEX_API_CSRF_COOKIE"):
+ for variable in ("ARKINDEX_API_URL", "ARKINDEX_API_CSRF_COOKIE"):
 if variable not in env:
 errors.append(Warning(
 f"The {variable} environment variable should be defined "
@@ -96,6 +96,14 @@ def ponos_env_check(*args, **kwargs):
 id="arkindex.W006",
 ))
+ if "ARKINDEX_API_TOKEN" in env:
+ errors.append(Warning(
+ "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
+ "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
+ hint=f"`ponos.default_env.ARKINDEX_API_TOKEN` in {settings.CONFIG_PATH}",
+ id="arkindex.W013",
+ ))
+
 return errors
diff --git a/arkindex/project/settings.py b/arkindex/project/settings.py
index 238fd4906b9b39338291b4c573b9a9109425dc13..b3c25f74170d7ee09e6c2920950135926f4d544b 100644
--- a/arkindex/project/settings.py
+++ b/arkindex/project/settings.py
@@ -492,7 +492,6 @@ if DEBUG:
 # In dev, include overridable API info
 _ponos_env.update({
 "ARKINDEX_API_URL": "http://localhost:8000/api/v1/",
- "ARKINDEX_API_TOKEN": "deadbeefTestToken",
 })
 _ponos_env.update(conf["ponos"]["default_env"])
 PONOS_DEFAULT_ENV = _ponos_env
diff --git a/arkindex/project/tests/test_checks.py b/arkindex/project/tests/test_checks.py
index ecac2f6810813a55a045eb4f6546af6084bd44c5..d5089af5a45c1c0d9ca21a8c2cadaab38f5d1df8 100644
--- a/arkindex/project/tests/test_checks.py
+++ b/arkindex/project/tests/test_checks.py
@@ -66,7 +66,9 @@ class ChecksTestCase(TestCase):
 self.assertListEqual(ponos_env_check(), [])
 settings.CONFIG_PATH = Path("/somewhere/config.yml")
- settings.PONOS_DEFAULT_ENV = {}
+ settings.PONOS_DEFAULT_ENV = {
+ "ARKINDEX_API_TOKEN": "oh no",
+ }
 self.assertListEqual(ponos_env_check(), [
 Warning(
 "The ARKINDEX_API_URL environment variable should be defined "
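Review bot: The new W013 branch in ponos_env_check reports what its own message calls a security issue, yet it is emitted as a `Warning` like the W006 autoconfiguration notices above it, so `manage.py check` and `migrate` will not stop a deployment that still carries a shared token in `ponos.default_env`. If advisory severity is intended, a comment above the `if` saying so would keep the next reader from re-deriving it, e.g. `# Advisory only: a token in the default env lets every Ponos task skip per-task authentication, but this check does not block startup.`; if it is not, `Error` from `django.core.checks` is the stronger choice. The check also inspects only `settings.PONOS_DEFAULT_ENV` (copied into `env` at the top of the previous hunk), so the message could say "in the default environment" to make that scope explicit. The rest of ponos_env_check starts outside this hunk.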
@@ -75,16 +77,16 @@ class ChecksTestCase(TestCase):
 id="arkindex.W006",
 ),
 Warning(
- "The ARKINDEX_API_TOKEN environment variable should be defined "
+ "The ARKINDEX_API_CSRF_COOKIE environment variable should be defined "
 "to allow API client autoconfiguration in Ponos tasks",
 hint="`ponos.default_env` in /somewhere/config.yml",
 id="arkindex.W006",
 ),
 Warning(
- "The ARKINDEX_API_CSRF_COOKIE environment variable should be defined "
- "to allow API client autoconfiguration in Ponos tasks",
- hint="`ponos.default_env` in /somewhere/config.yml",
- id="arkindex.W006",
+ "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
+ "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
+ hint="`ponos.default_env.ARKINDEX_API_TOKEN` in /somewhere/config.yml",
+ id="arkindex.W013",
 ),
 ])
diff --git a/config.yml.sample b/config.yml.sample
index 539c78314dd191721d662aa4dad56088111b1bef..5f902f82ec50a78227f2a99e28e8548474809df0 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -10,10 +10,6 @@ s3:
 endpoint: https://minio.ark.localhost
 region: localdev
-ponos:
- default_env:
- ARKINDEX_API_TOKEN: deadbeefTestToken
-
 features:
 signup: yes
 search: yes
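Review bot: The assertion list in this hunk pins W013 only alongside the two W006 notices, because the PONOS_DEFAULT_ENV set in the previous hunk holds nothing but the token; there is no case showing that a fully configured default env with a token yields exactly one W013, which is the branch the checks.py change actually adds. A second environment with ARKINDEX_API_URL and ARKINDEX_API_CSRF_COOKIE defined alongside the token, asserting a single W013 entry, would cover it and would also document that W013 is independent of the W006 loop. The enclosing test method starts before this hunk, and the list ordering relies on W013 being appended after the W006 loop.
```python
# … unchanged: first assertListEqual with the two W006 entries and the W013 entry …
settings.PONOS_DEFAULT_ENV = {
    "ARKINDEX_API_URL": "http://localhost:8000/api/v1/",
    "ARKINDEX_API_CSRF_COOKIE": "sample-cookie-name",  # constructed sample value
    "ARKINDEX_API_TOKEN": "oh no",
}
self.assertListEqual(ponos_env_check(), [
    Warning(
        "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
        "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
        hint="`ponos.default_env.ARKINDEX_API_TOKEN` in /somewhere/config.yml",
        id="arkindex.W013",
    ),
])
```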