Only allow access to files s3_url to files processes

e51e44d4 · ml bonhomme · Erwan Rouchet · 121651ad · e51e44d4 · e51e44d4
Commit e51e44d4 authored 1 year ago by ml bonhomme Committed by Erwan Rouchet 1 year ago
--- a/arkindex/process/serializers/files.py
+++ b/arkindex/process/serializers/files.py
@@ -2,8 +2,8 @@ from drf_spectacular.utils import extend_schema_field
 from rest_framework import serializers

 from arkindex.documents.models import Corpus
-from arkindex.ponos.utils import is_admin_or_ponos_task
-from arkindex.process.models import DataFile
+from arkindex.ponos.utils import get_process_from_task_auth, is_admin_or_ponos_task
+from arkindex.process.models import DataFile, ProcessMode
 from arkindex.project.aws import S3FileStatus
 from arkindex.project.serializer_fields import EnumField

@@ -41,9 +41,12 @@ class DataFileSerializer(serializers.ModelSerializer):
    def get_s3_url(self, obj):
        if 'request' not in self.context:
            return
-        # Only allow the S3 URL for internal users or admins
-        if is_admin_or_ponos_task(self.context['request']):
-            return obj.s3_url
+        # Only allow the S3 URL for ponos tasks of Files processes or admins
+        request = self.context['request']
+        if is_admin_or_ponos_task(request):
+            request_process = get_process_from_task_auth(request)
+            if not request_process or request_process.mode == ProcessMode.Files:
+                return obj.s3_url


 class DataFileCreateSerializer(serializers.ModelSerializer):

--- a/arkindex/process/tests/test_datafile_api.py
+++ b/arkindex/process/tests/test_datafile_api.py
@@ -7,6 +7,7 @@ from arkindex.documents.models import Corpus
 from arkindex.process.models import DataFile, Process, ProcessMode, WorkerVersion
 from arkindex.project.aws import S3FileStatus
 from arkindex.project.tests import FixtureAPITestCase
+from arkindex.users.models import User


 class TestDataFileApi(FixtureAPITestCase):
@@ -152,6 +153,42 @@ class TestDataFileApi(FixtureAPITestCase):
        data = response.json()
        self.assertEqual(data['s3_url'], 'http://somewhere')

+    @patch('arkindex.project.aws.s3.meta.client.generate_presigned_url')
+    def test_retrieve_datafile_s3_url_task_process_mode(self, gen_url_mock):
+        """
+        Ponos task authentication allows access to the S3 URL, only if the task's
+        parent process is of Files ProcessMode.
+        """
+        user = User.objects.create(email='user2@test.test', display_name='User 2', verified_email=True)
+        gen_url_mock.return_value = 'http://somewhere'
+        process = Process.objects.create(
+            corpus=self.corpus,
+            creator=user,
+            mode=ProcessMode.Workers,
+        )
+        process.files.add(self.df)
+        with self.settings(IMPORTS_WORKER_VERSION=str(self.import_worker_version.id)):
+            process.start()
+        cases = [
+            (process_mode, 'http://somewhere' if process_mode == ProcessMode.Files else None)
+            for process_mode in ProcessMode
+        ]
+        for process_mode, s3_url in cases:
+            process.mode = process_mode
+            if process_mode in [ProcessMode.Local, ProcessMode.Repository]:
+                process.corpus = None
+            else:
+                process.corpus = self.corpus
+            process.save()
+            task = process.tasks.first()
+            response = self.client.get(
+                reverse('api:file-retrieve', kwargs={'pk': self.df.id}),
+                HTTP_AUTHORIZATION=f'Ponos {task.token}',
+            )
+            self.assertEqual(response.status_code, status.HTTP_200_OK)
+            data = response.json()
+            self.assertEqual(data['s3_url'], s3_url)
+
    @patch('arkindex.project.aws.s3.meta.client.generate_presigned_url')
    def test_retrieve_datafile_s3_url_task(self, gen_url_mock):
        """