From bf2d01696ebbd486f177dcac977d2d50aca52760 Mon Sep 17 00:00:00 2001 From: Eric Holscher Date: Tue, 19 Feb 2019 15:36:20 -0300 Subject: [PATCH 1/3] Add basic auth to the generic webhook API. This: * Replaces #5009 * Fixes #4986 --- readthedocs/restapi/views/integrations.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/readthedocs/restapi/views/integrations.py b/readthedocs/restapi/views/integrations.py index 7f44fb4f11a..9f74f4de106 100644 --- a/readthedocs/restapi/views/integrations.py +++ b/readthedocs/restapi/views/integrations.py @@ -8,6 +8,7 @@ from django.shortcuts import get_object_or_404 from rest_framework import permissions, status +from rest_framework.authentication import BasicAuthentication from rest_framework.exceptions import NotFound, ParseError from rest_framework.renderers import JSONRenderer from rest_framework.response import Response @@ -367,6 +368,7 @@ class APIWebhookView(WebhookMixin, APIView): integration_type = Integration.API_WEBHOOK permission_classes = [IsAuthenticatedOrHasToken] + authentication_classes = [BasicAuthentication] def get_project(self, **kwargs): """ From a6981d1312a691b6d96ff9be6492ae0432c320f7 Mon Sep 17 00:00:00 2001 From: Eric Holscher Date: Tue, 19 Feb 2019 15:37:47 -0300 Subject: [PATCH 2/3] Readd comment --- readthedocs/restapi/views/integrations.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/readthedocs/restapi/views/integrations.py b/readthedocs/restapi/views/integrations.py index 9f74f4de106..c189ff60201 100644 --- a/readthedocs/restapi/views/integrations.py +++ b/readthedocs/restapi/views/integrations.py 
@@ -368,6 +368,8 @@ class APIWebhookView(WebhookMixin, APIView): integration_type = Integration.API_WEBHOOK permission_classes = [IsAuthenticatedOrHasToken] + # This is to support curl requests with a shared user across projects + # curl -X POST -d "branches=branch" -u user:pass -e URL /api/v2/webhook/test-builds/{pk}/ authentication_classes = [BasicAuthentication] def get_project(self, **kwargs): From f888d8306459aeea7760fb54b9695e68494aca0b Mon Sep 17 00:00:00 2001 From: Eric Holscher Date: Tue, 19 Feb 2019 16:11:56 -0300 Subject: [PATCH 3/3] Another better fix. --- readthedocs/restapi/views/integrations.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/readthedocs/restapi/views/integrations.py b/readthedocs/restapi/views/integrations.py index c189ff60201..5ea947e85ee 100644 --- a/readthedocs/restapi/views/integrations.py +++ b/readthedocs/restapi/views/integrations.py @@ -8,7 +8,6 @@ from django.shortcuts import get_object_or_404 from rest_framework import permissions, status -from rest_framework.authentication import BasicAuthentication from rest_framework.exceptions import NotFound, ParseError from rest_framework.renderers import JSONRenderer from rest_framework.response import Response @@ -350,7 +349,7 @@ class IsAuthenticatedOrHasToken(permissions.IsAuthenticated): """ def has_permission(self, request, view): - has_perm = (super().has_permission(request, view)) + has_perm = super().has_permission(request, view) return has_perm or 'token' in request.data @@ -368,9 +367,6 @@ class APIWebhookView(WebhookMixin, APIView): integration_type = Integration.API_WEBHOOK permission_classes = [IsAuthenticatedOrHasToken] - # This is to support curl requests with a shared user across projects - # curl -X POST -d "branches=branch" -u user:pass -e URL /api/v2/webhook/test-builds/{pk}/ - authentication_classes = [BasicAuthentication] def get_project(self, **kwargs): """ 
@@ -424,8 +420,18 @@ class WebhookView(APIView): ever get webhook requests for established webhooks on our side. The other views can receive webhooks for unknown webhooks, as all legacy webhooks will be. + + .. warning:: + We're turning off Authenication for this view. + This fixes a bug where we were double-authenticating these views, + because of the way we're passing the request along to the subviews. + + If at any time we add real logic to this view, + it will be completely unauthenticated. """ + authentication_classes = [] + VIEW_MAP = { Integration.GITHUB_WEBHOOK: GitHubWebhookView, Integration.GITLAB_WEBHOOK: GitLabWebhookView,
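Review bot: `authentication_classes = []` on `WebhookView` leaves this dispatcher with no authentication of its own, so each request is only as protected as the sub-view in `VIEW_MAP` it is handed to, and nothing in the hunk enforces that. The docstring warning records the risk, but a regression test would hold it in place: for each entry in `VIEW_MAP`, post to this view without credentials or with a wrong token and assert the request is rejected. The hunk shows no `permission_classes` for this view, so whatever the project default is would run against an anonymous user here; it is worth confirming that is intended. The warning also misspells `Authenication` (should be `Authentication`), and the class body continues outside the hunk.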