Check user permissions before he can access TaskUpdate ponos endpoint

arkindex/project/openapi/patch.yml

@@ -368,19 +368,35 @@ paths:
                 aTgNWsA3WFlqjSIEGz+PAVHSNMobBaJm
                 -----END PUBLIC KEY-----
   /ponos/v1/task/{id}/:
+    put:
+      description: Update a task, allowing humans to change the task's state
+      operationId: UpdateTask
+      security: []
+      tags:
+        - ponos
+    patch:
+      description: Partially update a task, allowing humans to change the task's state
+      operationId: PartialUpdateTask
+      security: []
+      tags:
+        - ponos
+  /ponos/v1/task/{id}/from-agent/:
     get:
       description: Retrieve a Ponos task status
+      operationId: RetrieveTaskFromAgent
       security: []
       tags:
         - ponos
     put:
-      description: Update a task
+      description: Update a task, from an agent
+      operationId: UpdateTaskFromAgent
       security:
         - agentAuth: []
       tags:
         - ponos
     patch:
-      description: Partially update a task
+      description: Partially update a task, from an agent
+      operationId: PartialUpdateTaskFromAgent
       security:
         - agentAuth: []
       tags:

arkindex/project/tests/test_ponos_view.py

@@ -5,8 +5,9 @@ from django.test import TestCase, override_settings
 from django.urls import reverse
 from rest_framework import status
 
+from arkindex.dataimport.models import DataImport, DataImportMode
 from arkindex.users.models import User
-from ponos.models import Agent, Farm, Secret, encrypt
+from ponos.models import Agent, Farm, Secret, Workflow, encrypt
 
 
 @override_settings(PONOS_PRIVATE_KEY='staging')
@@ -78,3 +79,30 @@ class TestPonosView(TestCase):
         self.client.force_login(User.objects.create())
         response = self.client.get(reverse('ponos-agent-details', kwargs={'pk': str(agent.id)}))
         self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_update_task(self):
+        """
+        Only admin users or the task creator should have the ability to update a task
+        """
+        creator = User.objects.create(email="creator@user.fr")
+        workflow = Workflow.objects.create(
+            recipe="tasks: {test: {image: alpine}}"
+        )
+        workflow.start()
+        task = workflow.tasks.get()
+        DataImport.objects.create(mode=DataImportMode.Repository, creator=creator, workflow=workflow)
+
+        response = self.client.patch(reverse('ponos-task-update', kwargs={'pk': str(task.id)}), json={"state": "stopping"})
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        self.client.force_login(User.objects.create(email="lambda@user.fr"))
+        response = self.client.patch(reverse('ponos-task-update', kwargs={'pk': str(task.id)}), json={"state": "stopping"})
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+        self.client.force_login(User.objects.create(email='admin@admin.fr', is_admin=True))
+        response = self.client.patch(reverse('ponos-task-update', kwargs={'pk': str(task.id)}), json={"state": "stopping"})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        self.client.force_login(creator)
+        response = self.client.patch(reverse('ponos-task-update', kwargs={'pk': str(task.id)}), json={"state": "stopping"})
+        self.assertEqual(response.status_code, status.HTTP_200_OK)

arkindex/project/urls.py

@@ -11,6 +11,7 @@ from arkindex.project.views import (
     PonosAgentDetails,
     PonosAgentsState,
     PonosSecretDetails,
+    PonosTaskUpdate,
 )
 
 # Fallback to the dummy frontend view when CDN_ASSETS_URL is not set
@@ -23,6 +24,7 @@ urlpatterns = [
     path('ponos/v1/secret/<path:name>', PonosSecretDetails.as_view(), name='secret-details'),
     path('ponos/v1/agents/', PonosAgentsState.as_view(), name='ponos-agents'),
     path('ponos/v1/agent/<uuid:pk>/', PonosAgentDetails.as_view(), name='ponos-agent-details'),
+    path('ponos/v1/task/<uuid:pk>/', PonosTaskUpdate.as_view(), name='ponos-task-update'),
     path('ponos/', include('ponos.urls')),
     path('admin/', admin.site.urls),
     path('rq/', include('django_rq.urls')),

arkindex/project/views.py

@@ -4,7 +4,7 @@ from rest_framework import permissions
 
 from arkindex.project.mixins import CachedViewMixin
 from arkindex.project.permissions import IsVerified
-from ponos.api import AgentDetails, AgentsState, SecretDetails
+from ponos.api import AgentDetails, AgentsState, SecretDetails, TaskUpdate
 
 
 class FrontendView(View):
@@ -66,3 +66,15 @@ class PonosAgentDetails(AgentDetails):
     Allow any verified user to see the details of an agent including all its running tasks
     """
     permission_classes = (IsVerified, )
+
+
+class PonosTaskUpdate(TaskUpdate):
+    """
+    Allow any super admin or the task creator to update a task.
+    """
+    class IsAdminOrCreator(permissions.BasePermission):
+
+        def has_object_permission(self, request, view, obj):
+            return request.user.is_authenticated and (request.user.is_admin or request.user == obj.workflow.dataimport.creator)
+
+    permission_classes = (IsAdminOrCreator, )