Avoid unauthenticated access to admin area

replaceafill · sevein · sevein · commit f08d36f24247 · 2021-12-13T08:25:52.000+01:00
* Fix urlpatterns of administration package
* Fix LOGIN_EXEMPT_URLS regexps

Co-authored-by: Jesús García Crespo &lt;jesus@sevein.com&gt;
diff --git a/src/dashboard/src/components/administration/urls.py b/src/dashboard/src/components/administration/urls.py
@@ -29,72 +29,72 @@
 urlpatterns = [
     url(r"^$", views.administration, name="administration_index"),
     url(
-        r"reports/failures/delete/(?P<report_id>\w+)/$",
+        r"^reports/failures/delete/(?P<report_id>\w+)/$",
         views.failure_report_delete,
         name="failure_report_delete",
     ),
     url(
-        r"reports/failures/(?P<report_id>\w+)/$",
+        r"^reports/failures/(?P<report_id>\w+)/$",
         views.failure_report,
         name="failure_report",
     ),
-    url(r"reports/failures/$", views.failure_report, name="reports_failures_index"),
-    url(r"dips/as/$", views_dip_upload.admin_as, name="dips_as"),
-    url(r"dips/atom/$", views_dip_upload.admin_atom, name="dips_atom_index"),
+    url(r"^reports/failures/$", views.failure_report, name="reports_failures_index"),
+    url(r"^dips/as/$", views_dip_upload.admin_as, name="dips_as"),
+    url(r"^dips/atom/$", views_dip_upload.admin_atom, name="dips_atom_index"),
     url(
-        r"dips/atom/edit_levels/$",
+        r"^dips/atom/edit_levels/$",
         views.atom_levels_of_description,
         name="atom_levels_of_description",
     ),
     url(r"^i18n/", include("django.conf.urls.i18n", namespace="django_i18n")),
     url(
-        r"language/$",
+        r"^language/$",
         TemplateView.as_view(template_name="administration/language.html"),
         name="admin_set_language",
     ),
-    url(r"storage/$", views.storage, name="storage"),
-    url(r"usage/$", views.usage, name="usage"),
-    url(r"usage/clear/(?P<dir_id>\w+)/$", views.usage_clear, name="usage_clear"),
-    url(r"processing/$", views_processing.list, name="processing"),
-    url(r"processing/add/$", views_processing.edit, name="processing_add"),
+    url(r"^storage/$", views.storage, name="storage"),
+    url(r"^usage/$", views.usage, name="usage"),
+    url(r"^usage/clear/(?P<dir_id>\w+)/$", views.usage_clear, name="usage_clear"),
+    url(r"^processing/$", views_processing.list, name="processing"),
+    url(r"^processing/add/$", views_processing.edit, name="processing_add"),
     url(
-        r"processing/edit/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
+        r"^processing/edit/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
         views_processing.edit,
         name="processing_edit",
     ),
     url(
-        r"processing/reset/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
+        r"^processing/reset/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
         views_processing.reset,
         name="processing_reset",
     ),
     url(
-        r"processing/delete/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
+        r"^processing/delete/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
         views_processing.delete,
         name="processing_delete",
     ),
     url(
-        r"processing/download/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
+        r"^processing/download/{}/$".format(ProcessingConfigurationForm.NAME_URL_REGEX),
         views_processing.download,
         name="processing_download",
     ),
-    url(r"premis/agent/$", views.premis_agent, name="premis_agent"),
-    url(r"handle/$", views.handle_config, name="handle"),
-    url(r"api/$", views.api, name="api"),
-    url(r"general/$", views.general, name="general"),
-    url(r"version/$", views.version, name="version"),
+    url(r"^premis/agent/$", views.premis_agent, name="premis_agent"),
+    url(r"^handle/$", views.handle_config, name="handle"),
+    url(r"^api/$", views.api, name="api"),
+    url(r"^general/$", views.general, name="general"),
+    url(r"^version/$", views.version, name="version"),
     url(
-        r"taxonomy/term/(?P<term_uuid>" + settings.UUID_REGEX + ")/$",
+        r"^taxonomy/term/(?P<term_uuid>" + settings.UUID_REGEX + ")/$",
         views.term_detail,
         name="term",
     ),
     url(
-        r"taxonomy/term/(?P<term_uuid>" + settings.UUID_REGEX + ")/delete/$",
+        r"^taxonomy/term/(?P<term_uuid>" + settings.UUID_REGEX + ")/delete/$",
         views.term_delete,
     ),
     url(
-        r"taxonomy/(?P<taxonomy_uuid>" + settings.UUID_REGEX + ")/$",
+        r"^taxonomy/(?P<taxonomy_uuid>" + settings.UUID_REGEX + ")/$",
         views.terms,
         name="terms",
     ),
-    url(r"taxonomy/$", views.taxonomy, name="taxonomy"),
+    url(r"^taxonomy/$", views.taxonomy, name="taxonomy"),
 ]
diff --git a/src/dashboard/src/components/api/urls.py b/src/dashboard/src/components/api/urls.py
@@ -26,7 +26,7 @@
 urlpatterns = [
     url(r"transfer/approve", views.approve_transfer),
     url(r"transfer/unapproved", views.unapproved_transfers),
-    url(r"transfer/completed", views.completed_transfers),
+    url(r"transfer/completed", views.completed_transfers, name="completed_transfers"),
     url(
         r"transfer/status/(?P<unit_uuid>" + settings.UUID_REGEX + ")",
         views.status,
@@ -49,9 +49,13 @@
     url(r"^(?P<unit_type>transfer|ingest)/delete/", views.mark_completed_hidden),
     url(r"^ingest/reingest/approve", views.reingest_approve),
     url(r"^ingest/reingest", views.reingest, {"target": "ingest"}),
-    url(r"^ingest/completed", views.completed_ingests),
+    url(r"^ingest/completed", views.completed_ingests, name="completed_ingests"),
     url(r"^ingest/copy_metadata_files/$", views.copy_metadata_files_api),
-    url(r"administration/dips/atom/levels/$", views.get_levels_of_description),
+    url(
+        r"administration/dips/atom/levels/$",
+        views.get_levels_of_description,
+        name="get_levels_of_description",
+    ),
     url(
         r"administration/dips/atom/fetch_levels/$",
         views.fetch_levels_of_description_from_atom,
diff --git a/src/dashboard/src/installer/middleware.py b/src/dashboard/src/installer/middleware.py
@@ -32,7 +32,7 @@
 
 def _load_exempt_urls():
     global EXEMPT_URLS
-    EXEMPT_URLS = [re_compile(settings.LOGIN_URL.lstrip("/"))]
+    EXEMPT_URLS = [re_compile("{}$".format(settings.LOGIN_URL.lstrip("/")))]
     if hasattr(settings, "LOGIN_EXEMPT_URLS"):
         EXEMPT_URLS += [re_compile(expr) for expr in settings.LOGIN_EXEMPT_URLS]
 
diff --git a/src/dashboard/src/settings/base.py b/src/dashboard/src/settings/base.py
@@ -484,7 +484,15 @@ def _get_settings_from_file(path):
 # login-related settings
 LOGIN_URL = "/administration/accounts/login/"
 LOGIN_REDIRECT_URL = "/"
-LOGIN_EXEMPT_URLS = [r"^administration/accounts/login", r"^api", r"^jsi18n"]
+LOGIN_EXEMPT_URLS = [
+    # Allow users to authenticate via the log-in page.
+    r"^administration/accounts/login$",
+    # Authentication in the API namespace is handled by components.api.views
+    # using Tastypie's MultiAuthentication. We don't match the end of the
+    # string here purposely.
+    r"^api",
+    r"^jsi18n",
+]
 # Django debug toolbar
 try:
     import debug_toolbar  # noqa: F401
diff --git a/src/dashboard/tests/test_auth.py b/src/dashboard/tests/test_auth.py
@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+
+from __future__ import unicode_literals
+
+import json
+
+from django.conf import settings
+from django.contrib.auth import get_user_model
+from django.core.urlresolvers import reverse
+from django.test import TestCase
+from django.test.client import Client
+from tastypie.models import ApiKey
+
+from components import helpers
+from components.helpers import generate_api_key
+
+
+class TestAuth(TestCase):
+    """Authentication sanity checks."""
+
+    fixtures = ["test_user"]
+
+    API_URLS = (
+        reverse("api:completed_transfers"),
+        reverse("api:completed_ingests"),
+        reverse("api:get_levels_of_description"),
+    )
+
+    def setUp(self):
+        helpers.set_setting("dashboard_uuid", "test-uuid")
+
+    def authenticate(self):
+        self.client = Client()
+        self.client.login(username="test", password="test")
+
+    def test_site_requires_auth(self):
+        for url in [
+            reverse("transfer:transfer_index"),
+            reverse("ingest:ingest_index"),
+            reverse("administration:api"),
+            reverse("administration:general"),
+            reverse("administration:premis_agent"),
+            # Verify that exempted URLs cannot be used to access other areas
+            # that are restricted.
+            "{}/{}".format(settings.LOGIN_URL.rstrip("/"), "transfer/"),
+            "{}/{}".format(settings.LOGIN_URL.rstrip("/"), "abcdefgh/api/"),
+            "{}/{}".format(settings.LOGIN_URL.rstrip("/"), "version"),
+        ]:
+            response = self.client.get(url)
+
+            self.assertRedirects(response, settings.LOGIN_URL)
+
+    def test_site_performs_session_auth(self):
+        self.authenticate()
+
+        for url in [
+            reverse("transfer:transfer_index"),
+            reverse("ingest:ingest_index"),
+            reverse("administration:api"),
+        ]:
+            response = self.client.get(url, follow=False)
+
+            self.assertEqual(response.status_code, 200)
+
+    def test_api_requires_auth(self):
+        for url in self.API_URLS:
+            response = self.client.get(url)
+
+            self.assertEqual(response.status_code, 403)
+            self.assertEqual(
+                response.content.decode("utf8"),
+                json.dumps({"message": "API key not valid.", "error": True}),
+            )
+
+    def test_api_authenticates_via_key(self):
+        user = get_user_model().objects.get(pk=1)
+        generate_api_key(user)
+        key = ApiKey.objects.get(user=user).key
+
+        for url in self.API_URLS:
+            response = self.client.get(
+                url, HTTP_AUTHORIZATION="ApiKey test:{}".format(key), follow=False
+            )
+
+            self.assertEqual(response.status_code, 200)
+
+    def test_api_authenticates_via_session(self):
+        self.authenticate()
+
+        for url in self.API_URLS:
+            response = self.client.get(url, follow=False)
+
+            self.assertEqual(response.status_code, 200)
diff --git a/src/dashboard/tests/test_middleware.py b/src/dashboard/tests/test_middleware.py
@@ -36,6 +36,10 @@ def test_unauthenticated_user_can_access_exempt_url(self):
 
         self.assertEqual(response.status_code, 404)
 
+        # installer.middleware.EXEMPT_URLS is a global *list*
+        # that has been mutated in this test, this restores it back
+        _load_exempt_urls()
+
     def test_unauthenticated_user_is_sent_to_login_page(self):
         helpers.set_setting("dashboard_uuid", "test-uuid")
 
