authorNeil Williams <neil.williams@linaro.org>2016-04-01 13:32:11 +0100
committerNeil Williams <neil.williams@linaro.org>2016-04-04 19:08:25 +0100
commit55dbc8627af3e4ea22b5a4f1495a75f70002ad72 (patch)
tree49e0ef03ce85c8ba019e9d69b8184a33ad7a283a /lava_results_app/utils.py
parenta15e3ef28726e34ed8a03d280bbf7db1b5a05b22 (diff)
LAVA-195 Allow authentication with result export
Support putting the token and the username into the query string of the result export REST URLs and document the usage and security implications of doing so. Change-Id: I47d83300a60cdb3251cec11509737e49f9810055
Diffstat (limited to 'lava_results_app/utils.py')
-rw-r--r--lava_results_app/utils.py27
1 files changed, 27 insertions, 0 deletions
diff --git a/lava_results_app/utils.py b/lava_results_app/utils.py
index e429d474b..a420150e4 100644
--- a/lava_results_app/utils.py
+++ b/lava_results_app/utils.py
@@ -3,6 +3,8 @@ import yaml
import logging
from django.utils.translation import ungettext_lazy
from django.conf import settings
+from django.http import Http404
+from linaro_django_xmlrpc.models import AuthToken
def help_max_length(max_length):
@@ -37,3 +39,28 @@ def description_data(job_id):
if not data:
return {}
return data
+
+
+def anonymous_token(request, job):
+ querydict = request.GET
+ user = querydict.get('user', default=None)
+ token = querydict.get('token', default=None)
+ # safe to call with (None, None) - returns None
+ auth_user = AuthToken.get_user_for_secret(username=user, secret=token)
+ if not user and not job.is_public:
+ raise Http404("Job %d requires authentication to view." % job.id)
+ if not auth_user:
+ raise Http404("User '%s' is not able to view job %d" % (user, job.id))
+ return auth_user
+
+
+def check_request_auth(request, job):
+ if not request.user and job.is_public:
+ return
+ if not request.user.is_authenticated():
+ # handle anonymous access
+ auth_user = anonymous_token(request, job)
+ if not auth_user or not job.can_view(auth_user):
+ raise Http404("User '%s' is not able to view job %d" % (request.user, job.id))
+ elif not job.can_view(request.user):
+ raise Http404("User '%s' is not able to view job %d" % (request.user.username, job.id))
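Review bot: The early return on the `if not request.user and job.is_public:` line of check_request_auth is unlikely to fire for an unauthenticated visitor, because under Django's AuthenticationMiddleware request.user is an AnonymousUser instance, which is truthy; such a visitor falls through to anonymous_token, which raises Http404 at `if not auth_user:` whenever no user/token pair is supplied, so public jobs appear to become unreadable without a token (please confirm against a real request). A guard that does not rely on truthiness, e.g. replacing the first two lines of check_request_auth with `if job.is_public and 'token' not in request.GET:` / `return`, keeps public jobs open while still validating a token when one is presented. The two Http404 messages also interpolate different things: the anonymous branch formats `request.user` (rendering as AnonymousUser) while the authenticated branch uses `request.user.username`; the anonymous message should name the supplied query parameter instead, e.g. `% (request.GET.get('user'), job.id)`. Since the secret now travels in the query string, the web server access log and any reverse proxy in front of it should be configured to redact the `token` parameter so it is not retained in plaintext.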