add api_secret auth and (mostly) finalize firmware endpoint

2023-11-05 19:09:36 +01:00 · 2023-11-05 19:09:36 +01:00 · aa2df8d3c5
commit aa2df8d3c5
parent 9e9e41fb3f
6 changed files with 123 additions and 4 deletions
--- a/src/c3nav/api/auth.py
+++ b/src/c3nav/api/auth.py
@ -0,0 +1,20 @@
+from django.utils.translation import gettext_lazy as _
+from rest_framework.authentication import TokenAuthentication
+from rest_framework.exceptions import AuthenticationFailed
+
+
+class APISecretAuthentication(TokenAuthentication):
+    def authenticate_credentials(self, key):
+        from c3nav.control.models import UserPermissions
+
+        try:
+            user_perms = UserPermissions.objects.exclude(api_secret='').exclude(api_secret__isnull=True).filter(
+                api_secret=key
+            ).get()
+        except UserPermissions.DoesNotExist:
+            raise AuthenticationFailed(_('Invalid token.'))
+
+        if not user_perms.user.is_active:
+            raise AuthenticationFailed(_('User inactive or deleted.'))
+
+        return (user_perms.user, user_perms)
--- a/src/c3nav/control/views/users.py
+++ b/src/c3nav/control/views/users.py
@ -76,7 +76,7 @@ def user_detail(request, user):  # todo: make class based view

            with transaction.atomic():
                if api_secret_action in ('generate', 'regenerate'):
-                    api_secret = get_random_string(64, string.ascii_letters+string.digits)
+                    api_secret = '%d-%s' % (user.pk, get_random_string(64, string.ascii_letters+string.digits))
                    permissions.api_secret = api_secret
                    permissions.save()

--- a/src/c3nav/mesh/api.py
+++ b/src/c3nav/mesh/api.py
@ -0,0 +1,91 @@
+import hashlib
+import json
+
+from django.db import transaction
+from rest_framework.authentication import SessionAuthentication
+from rest_framework.exceptions import ParseError, PermissionDenied
+from rest_framework.mixins import CreateModelMixin
+from rest_framework.response import Response
+from rest_framework.status import HTTP_201_CREATED
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from c3nav.control.models import UserPermissions
+from c3nav.mesh.messages import ChipType
+from c3nav.mesh.models import FirmwareVersion
+
+
+class FirmwareViewSet(CreateModelMixin, ReadOnlyModelViewSet):
+    """
+    List and download firmwares, ordered by last update descending. Use ?offset= to specify an offset.
+    Don't forget to set X-Csrftoken for POST requests!
+    """
+    queryset = FirmwareVersion.objects.all()
+
+    def get_queryset(self):
+        # todo: permissions
+        return FirmwareVersion.objects.all()
+
+    def _list(self, request, qs):
+        offset = 0
+        if 'offset' in request.GET:
+            if not request.GET['offset'].isdigit():
+                raise ParseError('offset has to be a positive integer.')
+            offset = int(request.GET['offset'])
+        return Response([obj.serialize() for obj in qs.order_by('-created')[offset:offset+20]])
+
+    def list(self, request, *args, **kwargs):
+        return self._list(request, self.get_queryset())
+
+    def create(self, request, *args, **kwargs):
+
+        # todo: this should probably be tested
+        if not isinstance(request._auth, UserPermissions):
+            # check only for not-secret auth
+            SessionAuthentication().enforce_csrf(request)
+
+        print(request.user)
+        if not request.user.is_superuser:
+            # todo: make this proper
+            raise PermissionDenied()
+
+        # todo: permissions
+        try:
+            with transaction.atomic():
+                version_data = json.loads(request.data["version"])
+
+                version = FirmwareVersion.objects.create(
+                    project_name=version_data["project_name"],
+                    version=version_data["version"],
+                    idf_version=version_data["idf_version"],
+                    uploader=request.user,
+                )
+
+                for variant, build_data in version_data["builds"].items():
+                    bin_file = request.data[f"build_{variant}"]
+
+                    if bin_file.size > 4*1024*1024:
+                        raise ValueError  # todo: better error
+
+                    h = hashlib.sha256()
+                    h.update(bin_file.open('rb').read())
+                    sha256_bin_file = h.hexdigest()
+
+                    if sha256_bin_file != build_data["sha256_hash"]:
+                        raise ValueError
+
+                    build = version.builds.create(
+                        variant=variant,
+                        chip=[chiptype.value for chiptype in ChipType
+                              if chiptype.name.replace('_', '').lower() == build_data["chip"]][0],
+                        sha256_hash=sha256_bin_file,
+                        project_description=build_data["project_description"],
+                        binary=bin_file,
+                    )
+
+                    for board in build_data["boards"]:
+                        build.firmwarebuildboard_set.create(board=board)
+
+        except:  # noqa
+            raise  # todo: better error handling
+
+        return Response(version.serialize(), status=HTTP_201_CREATED)
--- a/src/c3nav/mesh/migrations/0008_firmwarebuild_firmwarebuildboard_firmwareversion_and_more.py
+++ b/src/c3nav/mesh/migrations/0008_firmwarebuild_firmwarebuildboard_firmwareversion_and_more.py
@ -1,5 +1,6 @@
-# Generated by Django 4.2.1 on 2023-11-05 17:31
+# Generated by Django 4.2.1 on 2023-11-05 18:07

+import c3nav.mesh.models
 from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
@ -42,10 +43,16 @@ class Migration(migrations.Migration):
                        max_length=64, unique=True, verbose_name="SHA256 hash"
                    ),
                ),
+                (
+                    "project_description",
+                    models.JSONField(verbose_name="project_description.json"),
+                ),
                (
                    "binary",
                    models.FileField(
-                        null=True, upload_to="", verbose_name="firmware file"
+                        null=True,
+                        upload_to=c3nav.mesh.models.firmware_upload_path,
+                        verbose_name="firmware file",
                    ),
                ),
            ],
--- a/src/c3nav/mesh/models.py
+++ b/src/c3nav/mesh/models.py
@ -155,7 +155,7 @@ class FirmwareBuild(models.Model):
    variant = models.CharField(_('variant name'), max_length=64)
    chip = models.SmallIntegerField(_('chip'), db_index=True, choices=CHIPS)
    sha256_hash = models.CharField(_('SHA256 hash'), unique=True, max_length=64)
-    project_description = models.JSONField
+    project_description = models.JSONField(verbose_name=_('project_description.json'))
    binary = models.FileField(_('firmware file'), null=True, upload_to=firmware_upload_path)

    class Meta:
--- a/src/c3nav/settings.py
+++ b/src/c3nav/settings.py
@ -317,6 +317,7 @@ USE_TZ = True
 REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
+        'c3nav.api.auth.APISecretAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.AllowAny',