Compare revisions

Erwan Rouchet · Erwan Rouchet · Bastien Abadie · 6652b69d · 6652b69d · 6652b69d
--- a/arkindex/documents/management/commands/bootstrap.py
+++ b/arkindex/documents/management/commands/bootstrap.py
@@ -6,12 +6,10 @@ from django.core.management.base import BaseCommand
 from django.db import transaction
 from django.db.models import Q
 from django.db.utils import IntegrityError
-from rest_framework.authtoken.models import Token

 from arkindex.images.models import ImageServer
 from arkindex.ponos.models import Farm
 from arkindex.process.models import FeatureUsage, Repository, Worker, WorkerType, WorkerVersion, WorkerVersionState
-from arkindex.users.models import User

 # Constants used in architecture project
 UPLOADS_IMAGE_SERVER_ID = 12345
@@ -30,7 +28,6 @@ IMPORT_WORKER_SLUG = "file_import"
 IMPORT_WORKER_REPO = "https://gitlab.teklia.com/arkindex/tasks"
 IMPORT_WORKER_REVISION_MESSAGE = "File import worker bootstrap"
 IMPORT_WORKER_REVISION_AUTHOR = "Dev Bootstrap"
-ADMIN_API_TOKEN = "deadbeefTestToken"


 class Command(BaseCommand):
@@ -48,15 +45,6 @@ class Command(BaseCommand):
        """Helper to display error messages"""
        self.stdout.write(self.style.ERROR(f"❌ {msg}"))

-    def check_user(self, user):
-        """Ensure a user is admin"""
-        if user.is_admin:
-            self.success(f"Admin user for legacy worker API tokens {user} is valid")
-        else:
-            user.is_admin = True
-            user.save()
-            self.warn(f"Updated user {user} to admin")
-
    def create_image_server(self, id, url, bucket, region, display_name):
        try:
            server = ImageServer.objects.get(Q(id=id) | Q(url=url))
@@ -129,29 +117,6 @@ class Command(BaseCommand):
            )
            self.success("Ponos farm created")

-        # An admin API user with a specific token
-        try:
-            token = Token.objects.get(key=ADMIN_API_TOKEN)
-            self.check_user(token.user)
-        except Token.DoesNotExist:
-            # Create a new internal user
-            user, _ = User.objects.get_or_create(
-                email="internal+bootstrap@teklia.com",
-                defaults={
-                    "display_name": "Bootstrap Admin user",
-                    "is_admin": True,
-                }
-            )
-            self.success("Created internal user")
-            self.check_user(user)
-
-            # Finally create a specific token for that user
-            if hasattr(user, "auth_token"):
-                # Support One-To-One relation
-                user.auth_token.delete()
-            Token.objects.create(key=ADMIN_API_TOKEN, user=user)
-            self.success(f"Created token {ADMIN_API_TOKEN}")
-
        # an image server for local cantaloupe https://ark.localhost/iiif/2
        uploads_server = self.create_image_server(UPLOADS_IMAGE_SERVER_ID , UPLOADS_IMAGE_SERVER_URL, UPLOADS_IMAGE_SERVER_BUCKET , UPLOADS_IMAGE_SERVER_REGION , "Local IIIF server for user uploaded files through frontend")
        if uploads_server is None:

--- a/arkindex/documents/management/commands/build_fixtures.py
+++ b/arkindex/documents/management/commands/build_fixtures.py
@@ -49,7 +49,7 @@ class Command(BaseCommand):
        img5 = Image.objects.create(path="img5", width=1000, height=1000, server=imgsrv)
        img6 = Image.objects.create(path="img6", width=1000, height=1000, server=imgsrv)

-        # Create an admin, an internal and a normal user
+        # Create an admin and a normal user
        superuser = User.objects.create_superuser("root@root.fr", "Pa$$w0rd", display_name="Admin")
        superuser.verified_email = True
        superuser.save()

--- a/arkindex/project/checks.py
+++ b/arkindex/project/checks.py
@@ -87,7 +87,7 @@ def ponos_env_check(*args, **kwargs):
    errors = []

    env = settings.PONOS_DEFAULT_ENV.copy()
-    for variable in ("ARKINDEX_API_URL", "ARKINDEX_API_TOKEN", "ARKINDEX_API_CSRF_COOKIE"):
+    for variable in ("ARKINDEX_API_URL", "ARKINDEX_API_CSRF_COOKIE"):
        if variable not in env:
            errors.append(Warning(
                f"The {variable} environment variable should be defined "
@@ -96,6 +96,14 @@ def ponos_env_check(*args, **kwargs):
                id="arkindex.W006",
            ))

+    if "ARKINDEX_API_TOKEN" in env:
+        errors.append(Warning(
+            "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
+            "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
+            hint=f"`ponos.default_env.ARKINDEX_API_TOKEN` in {settings.CONFIG_PATH}",
+            id="arkindex.W013",
+        ))
+
    return errors



--- a/arkindex/project/config.py
+++ b/arkindex/project/config.py
@@ -79,7 +79,6 @@ def add_s3_parser(parser, name, **kwargs):
 def get_settings_parser(base_dir):
    parser = ConfigParser()
    parser.add_option("arkindex_env", type=str, default="dev")
-    parser.add_option("internal_group_id", type=int, default=2)
    parser.add_option("local_imageserver_id", type=int, default=1)
    parser.add_option("allowed_hosts", type=str, many=True, default=[])
    parser.add_option("imports_worker_version", type=uuid.UUID, default=None)

--- a/arkindex/project/settings.py
+++ b/arkindex/project/settings.py
@@ -492,7 +492,6 @@ if DEBUG:
    # In dev, include overridable API info
    _ponos_env.update({
        "ARKINDEX_API_URL": "http://localhost:8000/api/v1/",
-        "ARKINDEX_API_TOKEN": "deadbeefTestToken",
    })
 _ponos_env.update(conf["ponos"]["default_env"])
 PONOS_DEFAULT_ENV = _ponos_env
@@ -537,10 +536,6 @@ ARCHIVE_MIME_TYPES = {
    "application/zstd",
 }

-# User groups with special permissions
-# Deprecated, left there only to run the users.0004 migration
-INTERNAL_GROUP_ID = conf["internal_group_id"]
-
 # CDN Assets URL to use for arkindex remote CSS/JS/Images assets
 CDN_ASSETS_URL = conf["static"]["cdn_assets_url"]
 if CDN_ASSETS_URL is not None:

--- a/arkindex/project/tests/config_samples/defaults.yaml
+++ b/arkindex/project/tests/config_samples/defaults.yaml
@@ -51,7 +51,6 @@ ingest:
  prefix_by_bucket_name: true
  region: null
  secret_access_key: null
-internal_group_id: 2
 job_timeouts:
  corpus_delete: 7200
  element_trash: 3600

--- a/arkindex/project/tests/config_samples/errors.yaml
+++ b/arkindex/project/tests/config_samples/errors.yaml
@@ -29,7 +29,6 @@ features:
 gitlab:
  app_id: yes
  app_secret: []
-internal_group_id: 2
 ingest:
  endpoint: https://ohno
  access_key_id: a

--- a/arkindex/project/tests/config_samples/override.yaml
+++ b/arkindex/project/tests/config_samples/override.yaml
@@ -65,7 +65,6 @@ ingest:
  prefix_by_bucket_name: false
  region: middle-earth-1
  secret_access_key: hunter2
-internal_group_id: 4
 job_timeouts:
  corpus_delete: 1
  element_trash: 2

--- a/arkindex/project/tests/test_checks.py
+++ b/arkindex/project/tests/test_checks.py
@@ -66,7 +66,9 @@ class ChecksTestCase(TestCase):
        self.assertListEqual(ponos_env_check(), [])

        settings.CONFIG_PATH = Path("/somewhere/config.yml")
-        settings.PONOS_DEFAULT_ENV = {}
+        settings.PONOS_DEFAULT_ENV = {
+            "ARKINDEX_API_TOKEN": "oh no",
+        }
        self.assertListEqual(ponos_env_check(), [
            Warning(
                "The ARKINDEX_API_URL environment variable should be defined "
@@ -75,16 +77,16 @@ class ChecksTestCase(TestCase):
                id="arkindex.W006",
            ),
            Warning(
-                "The ARKINDEX_API_TOKEN environment variable should be defined "
+                "The ARKINDEX_API_CSRF_COOKIE environment variable should be defined "
                "to allow API client autoconfiguration in Ponos tasks",
                hint="`ponos.default_env` in /somewhere/config.yml",
                id="arkindex.W006",
            ),
            Warning(
-                "The ARKINDEX_API_CSRF_COOKIE environment variable should be defined "
-                "to allow API client autoconfiguration in Ponos tasks",
-                hint="`ponos.default_env` in /somewhere/config.yml",
-                id="arkindex.W006",
+                "Defining a default value for the ARKINDEX_API_TOKEN variable may introduce a security issue "
+                "by allowing Ponos tasks to bypass the Ponos task authentication. Consider removing it.",
+                hint="`ponos.default_env.ARKINDEX_API_TOKEN` in /somewhere/config.yml",
+                id="arkindex.W013",
            ),
        ])


--- a/config.yml.sample
+++ b/config.yml.sample
@@ -10,10 +10,6 @@ s3:
  endpoint: https://minio.ark.localhost
  region: localdev

-ponos:
-  default_env:
-    ARKINDEX_API_TOKEN: deadbeefTestToken
-
 features:
  signup: yes
  search: yes
No results found