From e183336dcfb83621ee2533dd3b43c6d2e1308836 Mon Sep 17 00:00:00 2001
From: Erwan Rouchet <rouchet@teklia.com>
Date: Thu, 13 Jul 2023 11:06:24 +0000
Subject: [PATCH] Restrict ListAgents to verified users outside Ponos

---
 arkindex/ponos/api.py                     |  3 ++-
 arkindex/ponos/tests/test_api.py          | 31 ++++++++++++++++++++++-
 arkindex/project/tests/test_ponos_view.py | 22 ----------------
 3 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/arkindex/ponos/api.py b/arkindex/ponos/api.py
index 505eba9568..d112bccde8 100644
--- a/arkindex/ponos/api.py
+++ b/arkindex/ponos/api.py
@@ -167,8 +167,9 @@ class AgentsState(ListAPIView):
     """
     List all agents on the system with their health state.
 
-    Requires authentication with a verified e-mail address.
+    Requires authentication with a verified e-mail address. Cannot be used with Ponos agent or task authentication.
     """
+    authentication_classes = (TokenAuthentication, SessionAuthentication)
     permission_classes = (IsVerified, )
     serializer_class = AgentStateSerializer
 
diff --git a/arkindex/ponos/tests/test_api.py b/arkindex/ponos/tests/test_api.py
index 8316dc0889..0a277624b8 100644
--- a/arkindex/ponos/tests/test_api.py
+++ b/arkindex/ponos/tests/test_api.py
@@ -1859,7 +1859,36 @@ class TestAPI(FixtureAPITestCase):
             },
         )
 
-    def test_list_agents_state(self):
+    def test_list_agents_requires_login(self):
+        with self.assertNumQueries(0):
+            response = self.client.get(reverse("api:agents-state"))
+            self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_list_agents_agent_forbidden(self):
+        with self.assertNumQueries(0):
+            response = self.client.get(
+                reverse("api:agents-state"),
+                HTTP_AUTHORIZATION=f'Bearer {self.agent.token.access_token}',
+            )
+            self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_list_agents_task_forbidden(self):
+        with self.assertNumQueries(0):
+            response = self.client.get(
+                reverse("api:agents-state"),
+                HTTP_AUTHORIZATION=f'Ponos {self.task1.token}',
+            )
+            self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    def test_list_agents_requires_verified(self):
+        self.user.verified_email = False
+        self.user.save()
+        self.client.force_login(self.user)
+        with self.assertNumQueries(2):
+            response = self.client.get(reverse("api:agents-state"))
+            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_list_agents(self):
         """
         Lists agents from all farms with their status
         """
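Review bot: The four new tests carry no docstrings, whereas the tests they replace in test_ponos_view.py each stated their intent; a one-liner such as `"""Ponos agent tokens are rejected without ever being looked up."""` on test_list_agents_agent_forbidden (and the task-token equivalent) would make the `assertNumQueries(0)` read as the deliberate assertion it is rather than an incidental detail. The `_forbidden` suffix on the agent and task tests pairs oddly with the asserted `HTTP_401_UNAUTHORIZED`; `test_list_agents_agent_unauthorized` / `test_list_agents_task_unauthorized` would match the status codes they check. test_list_agents's body continues outside the hunk.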
diff --git a/arkindex/project/tests/test_ponos_view.py b/arkindex/project/tests/test_ponos_view.py
index 120d6150d8..d30e5393f1 100644
--- a/arkindex/project/tests/test_ponos_view.py
+++ b/arkindex/project/tests/test_ponos_view.py
@@ -38,28 +38,6 @@ class TestPonosView(FixtureAPITestCase):
             last_ping='1999-09-09',
         )
 
-    def test_list_agents_requires_login(self):
-        """
-        Only authenticated users should have the ability to list agents
-        """
-        response = self.client.get(reverse('api:agents-state'))
-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-
-    def test_list_agents_requires_verified(self):
-        """
-        Only verified users should have the ability to list agents
-        """
-        self.user.verified_email = False
-        self.user.save()
-        self.client.force_login(self.user)
-        response = self.client.get(reverse('api:agents-state'))
-        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
-
-    def test_list_agents(self):
-        self.client.force_login(self.user)
-        response = self.client.get(reverse('api:agents-state'))
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
-
     def test_retrieve_agent_requires_login(self):
         """
         Only authenticated users should have the ability to retrieve details of an agent
-- 
GitLab