From 6652b69db026364e43de7b1153a9b2f07bc1aa5f Mon Sep 17 00:00:00 2001
From: Erwan Rouchet <rouchet@teklia.com>
Date: Tue, 16 Apr 2024 15:32:10 +0200
Subject: [PATCH] Discourage usage of ARKINDEX_API_TOKEN

---
 .../management/commands/bootstrap.py  | 35 -------------------
 arkindex/project/checks.py            | 10 +++++-
 arkindex/project/settings.py          |  1 -
 arkindex/project/tests/test_checks.py | 14 ++++----
 config.yml.sample                     |  4 ---
 5 files changed, 17 insertions(+), 47 deletions(-)

diff --git a/arkindex/documents/management/commands/bootstrap.py b/arkindex/documents/management/commands/bootstrap.py
index 3ca2dacd4a..a5024cc462 100644
--- a/arkindex/documents/management/commands/bootstrap.py
+++ b/arkindex/documents/management/commands/bootstrap.py
@@ -6,12 +6,10 @@ from django.core.management.base import BaseCommand
 from django.db import transaction
 from django.db.models import Q
 from django.db.utils import IntegrityError
-from rest_framework.authtoken.models import Token
 
 from arkindex.images.models import ImageServer
 from arkindex.ponos.models import Farm
 from arkindex.process.models import FeatureUsage, Repository, Worker, WorkerType, WorkerVersion, WorkerVersionState
-from arkindex.users.models import User
 
 # Constants used in architecture project
 UPLOADS_IMAGE_SERVER_ID = 12345
@@ -30,7 +28,6 @@ IMPORT_WORKER_SLUG = "file_import"
 IMPORT_WORKER_REPO = "https://gitlab.teklia.com/arkindex/tasks"
 IMPORT_WORKER_REVISION_MESSAGE = "File import worker bootstrap"
 IMPORT_WORKER_REVISION_AUTHOR = "Dev Bootstrap"
-ADMIN_API_TOKEN = "deadbeefTestToken"
 
 
 class Command(BaseCommand):
@@ -48,15 +45,6 @@ class Command(BaseCommand):
         """Helper to display error messages"""
         self.stdout.write(self.style.ERROR(f"⌠{msg}"))
 
-    def check_user(self, user):
-        """Ensure a user is admin"""
-        if user.is_admin:
-            self.success(f"Admin user for legacy worker API tokens {user} is valid")
-        else:
-            user.is_admin = True
-            user.save()
-            self.warn(f"Updated user {user} to admin")
-
     def create_image_server(self, id, url, bucket, region, display_name):
         try:
             server = ImageServer.objects.get(Q(id=id) | Q(url=url))
@@ -129,29 +117,6 @@ class Command(BaseCommand):
             )
             self.success("Ponos farm created")
 
-        # An admin API user with a specific token
-        try:
-            token = Token.objects.get(key=ADMIN_API_TOKEN)
-            self.check_user(token.user)
-        except Token.DoesNotExist:
-            # Create a new internal user
-            user, _ = User.objects.get_or_create(
-                email="internal+bootstrap@teklia.com",
-                defaults={
-                    "display_name": "Bootstrap Admin user",
-                    "is_admin": True,
-                }
-            )
-            self.success("Created internal user")
-            self.check_user(user)
-
-            # Finally create a specific token for that user
-            if hasattr(user, "auth_token"):
-                # Support One-To-One relation
-                user.auth_token.delete()
-            Token.objects.create(key=ADMIN_API_TOKEN, user=user)
-            self.success(f"Created token {ADMIN_API_TOKEN}")
-
         # an image server for local cantaloupe https://ark.localhost/iiif/2
         uploads_server = self.create_image_server(UPLOADS_IMAGE_SERVER_ID , UPLOADS_IMAGE_SERVER_URL, UPLOADS_IMAGE_SERVER_BUCKET , UPLOADS_IMAGE_SERVER_REGION , "Local IIIF server for user uploaded files through frontend")
         if uploads_server is None:
diff --git a/arkindex/project/checks.py b/arkindex/project/checks.py
index 4e9845fcb7..956d7da0de 100644
--- a/arkindex/project/checks.py
+++ b/arkindex/project/checks.py
@@ -87,7 +87,7 @@ def ponos_env_check(*args, **kwargs):
     errors = []
     env = settings.PONOS_DEFAULT_ENV.copy()
 
-    for variable in ("ARKINDEX_API_URL", "ARKINDEX_API_TOKEN", "ARKINDEX_API_CSRF_COOKIE"):
+    for variable in ("ARKINDEX_API_URL", "ARKINDEX_API_CSRF_COOKIE"):
         if variable not in env:
             errors.append(Warning(
                 f"The {variable} environment variable should be defined "
@@ -96,6 +96,14 @@ def ponos_env_check(*args, **kwargs):
                 id="arkindex.W006",
             ))
 
+    if "ARKINDEX_API_TOKEN" in env:
+        errors.append(Warning(
+            "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
+            "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
+            hint=f"`ponos.default_env.ARKINDEX_API_TOKEN` in {settings.CONFIG_PATH}",
+            id="arkindex.W013",
+        ))
+
     return errors
 
 
diff --git a/arkindex/project/settings.py b/arkindex/project/settings.py
index 238fd4906b..b3c25f7417 100644
--- a/arkindex/project/settings.py
+++ b/arkindex/project/settings.py
@@ -492,7 +492,6 @@ if DEBUG:
     # In dev, include overridable API info
     _ponos_env.update({
         "ARKINDEX_API_URL": "http://localhost:8000/api/v1/",
-        "ARKINDEX_API_TOKEN": "deadbeefTestToken",
     })
 _ponos_env.update(conf["ponos"]["default_env"])
 PONOS_DEFAULT_ENV = _ponos_env
diff --git a/arkindex/project/tests/test_checks.py b/arkindex/project/tests/test_checks.py
index ecac2f6810..d5089af5a4 100644
--- a/arkindex/project/tests/test_checks.py
+++ b/arkindex/project/tests/test_checks.py
@@ -66,7 +66,9 @@ class ChecksTestCase(TestCase):
         self.assertListEqual(ponos_env_check(), [])
 
         settings.CONFIG_PATH = Path("/somewhere/config.yml")
-        settings.PONOS_DEFAULT_ENV = {}
+        settings.PONOS_DEFAULT_ENV = {
+            "ARKINDEX_API_TOKEN": "oh no",
+        }
         self.assertListEqual(ponos_env_check(), [
             Warning(
                 "The ARKINDEX_API_URL environment variable should be defined "
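Review bot: The new W013 branch only inspects the configured default environment, so it gives no signal for deployments where an earlier run of the bootstrap command already created the `internal+bootstrap@teklia.com` admin user and the `deadbeefTestToken` Token row; this commit deletes the code that creates them but, as far as the patch shows, nothing revokes rows that already exist. Consider pairing the check with a data migration or a documented operator step that deletes that Token (and demotes or removes the bootstrap user if it is no longer needed), and extending the hint so operators learn that dropping the config key alone does not close the gap, for instance appending "; also revoke any token created by earlier bootstrap runs" to the hint string. The enclosing `ponos_env_check` starts outside the hunk.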
@@ -75,16 +77,16 @@ class ChecksTestCase(TestCase):
                 id="arkindex.W006",
             ),
             Warning(
-                "The ARKINDEX_API_TOKEN environment variable should be defined "
+                "The ARKINDEX_API_CSRF_COOKIE environment variable should be defined "
                 "to allow API client autoconfiguration in Ponos tasks",
                 hint="`ponos.default_env` in /somewhere/config.yml",
                 id="arkindex.W006",
             ),
             Warning(
-                "The ARKINDEX_API_CSRF_COOKIE environment variable should be defined "
-                "to allow API client autoconfiguration in Ponos tasks",
-                hint="`ponos.default_env` in /somewhere/config.yml",
-                id="arkindex.W006",
+                "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
+                "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
+                hint="`ponos.default_env.ARKINDEX_API_TOKEN` in /somewhere/config.yml",
+                id="arkindex.W013",
             ),
         ])
 
diff --git a/config.yml.sample b/config.yml.sample
index 539c78314d..5f902f82ec 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -10,10 +10,6 @@ s3:
   endpoint: https://minio.ark.localhost
   region: localdev
 
-ponos:
-  default_env:
-    ARKINDEX_API_TOKEN: deadbeefTestToken
-
 features:
   signup: yes
   search: yes
-- 
GitLab
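Review bot: The updated assertion only exercises W013 together with the two W006 warnings, so a regression that coupled the new check to the missing-variable loop (emitting W013 only when some other variable is absent, or attaching it to the wrong id) would still pass. A second case with ARKINDEX_API_URL and ARKINDEX_API_CSRF_COOKIE both set and the token present should expect exactly one W013 warning, which pins the check as independent of the W006 loop. The enclosing test method starts outside the hunk; the values below are constructed sample values.
```python
        # … unchanged: existing assertions …
        settings.PONOS_DEFAULT_ENV = {
            "ARKINDEX_API_URL": "http://localhost:8000/api/v1/",
            "ARKINDEX_API_CSRF_COOKIE": "constructed-cookie-name",
            "ARKINDEX_API_TOKEN": "oh no",
        }
        self.assertListEqual(ponos_env_check(), [
            Warning(
                "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
                "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
                hint="`ponos.default_env.ARKINDEX_API_TOKEN` in /somewhere/config.yml",
                id="arkindex.W013",
            ),
        ])
```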