Merge latest main branch

pombredanne · pombredanne · commit e4d508ee2f01 · 2022-11-08T23:50:55.000+01:00
Signed-off-by: Philippe Ombredanne &lt;pombredanne@nexb.com&gt;
diff --git a/vulnerabilities/api.py b/vulnerabilities/api.py
@@ -23,6 +23,7 @@
 from vulnerabilities.models import VulnerabilityReference
 from vulnerabilities.models import VulnerabilitySeverity
 from vulnerabilities.models import get_purl_query_lookups
+from vulnerabilities.throttling import StaffUserRateThrottle
 
 
 class VulnerabilitySeveritySerializer(serializers.ModelSerializer):
@@ -228,9 +229,11 @@ class PackageViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = PackageSerializer
     filter_backends = (filters.DjangoFilterBackend,)
     filterset_class = PackageFilterSet
+    throttle_classes = [StaffUserRateThrottle]
+    throttle_scope = "packages"
 
     # TODO: Fix the swagger documentation for this endpoint
-    @action(detail=False, methods=["post"])
+    @action(detail=False, methods=["post"], throttle_scope="bulk_search_packages")
     def bulk_search(self, request):
         """
         Lookup for vulnerable packages using many Package URLs at once.
@@ -254,15 +257,15 @@ def bulk_search(self, request):
             if purl_data:
                 purl_response = PackageSerializer(purl_data[0], context={"request": request}).data
             else:
-                purl_response = purl
+                purl_response = purl.to_dict()
                 purl_response["unresolved_vulnerabilities"] = []
                 purl_response["resolved_vulnerabilities"] = []
                 purl_response["purl"] = purl_string
             response.append(purl_response)
 
         return Response(response)
 
-    @action(detail=False, methods=["get"])
+    @action(detail=False, methods=["get"], throttle_scope="vulnerable_packages")
     def all(self, request):
         """
         Return the Package URLs of all packages known to be vulnerable.
@@ -314,6 +317,8 @@ def get_queryset(self):
     serializer_class = VulnerabilitySerializer
     filter_backends = (filters.DjangoFilterBackend,)
     filterset_class = VulnerabilityFilterSet
+    throttle_classes = [StaffUserRateThrottle]
+    throttle_scope = "vulnerabilities"
 
 
 class CPEFilterSet(filters.FilterSet):
@@ -334,9 +339,11 @@ class CPEViewSet(viewsets.ReadOnlyModelViewSet):
     ).distinct()
     serializer_class = VulnerabilitySerializer
     filter_backends = (filters.DjangoFilterBackend,)
+    throttle_classes = [StaffUserRateThrottle]
     filterset_class = CPEFilterSet
+    throttle_scope = "cpes"
 
-    @action(detail=False, methods=["post"])
+    @action(detail=False, methods=["post"], throttle_scope="bulk_search_cpes")
     def bulk_search(self, request):
         """
         Lookup for vulnerabilities using many CPEs at once.
@@ -378,3 +385,5 @@ class AliasViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = VulnerabilitySerializer
     filter_backends = (filters.DjangoFilterBackend,)
     filterset_class = AliasFilterSet
+    throttle_classes = [StaffUserRateThrottle]
+    throttle_scope = "aliases"
diff --git a/vulnerabilities/forms.py b/vulnerabilities/forms.py
@@ -41,24 +41,24 @@ class ApiUserCreationForm(forms.ModelForm):
     class Meta:
         model = ApiUser
         fields = (
-            "username",
+            "email",
             "first_name",
             "last_name",
         )
 
     def __init__(self, *args, **kwargs):
         super(ApiUserCreationForm, self).__init__(*args, **kwargs)
-        self.fields["username"].help_text = f"<ul><li>{self.fields['username'].help_text}</li></ul>"
+        self.fields["email"].required = True
 
     def save(self, commit=True):
         return ApiUser.objects.create_api_user(
-            username=self.cleaned_data["username"],
+            username=self.cleaned_data["email"],
             first_name=self.cleaned_data["first_name"],
             last_name=self.cleaned_data["last_name"],
         )
 
     def clean_username(self):
-        username = self.cleaned_data["username"]
+        username = self.cleaned_data["email"]
         validate_email(username)
         return username
 
diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
@@ -12,7 +12,6 @@
 import logging
 from contextlib import suppress
 
-from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import UserManager
 from django.core import exceptions
@@ -24,7 +23,6 @@
 from django.db.models import Q
 from django.db.models.functions import Length
 from django.db.models.functions import Trim
-from django.dispatch import receiver
 from django.urls import reverse
 from packageurl import PackageURL
 from packageurl.contrib.django.models import PackageURLMixin
diff --git a/vulnerabilities/templates/api_user_creation_form.html b/vulnerabilities/templates/api_user_creation_form.html
@@ -4,6 +4,13 @@
 
 {% block content %}
     <section class="section pt-0">
+        {% for message in messages %}
+        <article class="message is-{% if message.level_tag == 'error' %}danger{% else %}{{ message.level_tag }}{% endif %}">
+          <div class="message-body">
+            {{ message|linebreaksbr }}
+          </div>
+        </article>
+      {% endfor %}
     {% block title %}
     VulnerableCode API key request
     {% endblock %}
diff --git a/vulnerabilities/tests/test_auth.py b/vulnerabilities/tests/test_auth.py
@@ -24,9 +24,7 @@
 
 class VulnerableCodeAuthTest(TestCase):
     def setUp(self):
-        self.basic_user = ApiUser.objects.create_api_user(
-            username="basic_user@foo.com", password=TEST_PASSWORD
-        )
+        self.basic_user = ApiUser.objects.create_api_user(username="basic_user@foo.com")
 
     def test_vulnerablecode_auth_api_required_authentication(self):
         response = self.client.get(api_package_url)
diff --git a/vulnerabilities/views.py b/vulnerabilities/views.py
@@ -7,9 +7,11 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
+from django.contrib import messages
+from django.core.exceptions import ValidationError
 from django.core.mail import send_mail
-from django.http import HttpResponse
 from django.http.response import Http404
+from django.shortcuts import redirect
 from django.shortcuts import render
 from django.urls import reverse_lazy
 from django.views import View
@@ -40,6 +42,11 @@ def get_context_data(self, **kwargs):
         return context
 
     def get_queryset(self, query=None):
+        """
+        Return a Package queryset for the ``query``.
+        Make a best effort approach to find matching packages either based
+        on exact purl, partial purl or just name and namespace.
+        """
         query = query or self.request.GET.get("search") or ""
         return self.model.objects.search(query).with_vulnerability_counts().prefetch_related()
 
@@ -140,18 +147,26 @@ class ApiUserCreateView(generic.CreateView):
     template_name = "api_user_creation_form.html"
 
     def form_valid(self, form):
-        super().form_valid(form)
+
+        try:
+            response = super().form_valid(form)
+        except ValidationError:
+            messages.error(self.request, "Email is invalid or already taken")
+            return redirect(self.get_success_url())
 
         send_mail(
             subject="VulnerableCode.io API key token",
             message=f"Here is your VulnerableCode.io API key token: {self.object.auth_token}",
             from_email=env.str("FROM_EMAIL", default=""),
             recipient_list=[self.object.email],
+            fail_silently=True,
         )
 
-        return HttpResponse(
-            f"Check your email for VulnerableCode.io API key token: {self.object.email}"
+        messages.success(
+            self.request, f"API key token sent to your email address {self.object.email}."
         )
 
+        return response
+
     def get_success_url(self):
-        return reverse_lazy("home")
+        return reverse_lazy("api_user_request")
diff --git a/vulnerablecode/settings.py b/vulnerablecode/settings.py
@@ -65,11 +65,11 @@
     "vulnerabilities",
     # Django built-in
     "django.contrib.auth",
-    "django.contrib.admin",
     "django.contrib.contenttypes",
     "django.contrib.sessions",
     "django.contrib.messages",
     "django.contrib.staticfiles",
+    "django.contrib.admin",
     "django.contrib.humanize",
     # Third-party apps
     "django_filters",
@@ -161,10 +161,6 @@
 
 USE_I18N = True
 
-USE_L10N = True
-
-USE_TZ = True
-
 IS_TESTS = False
 
 if len(sys.argv) > 0:
@@ -200,6 +196,10 @@
     }
 
 
+USE_L10N = True
+
+USE_TZ = True
+
 # Static files (CSS, JavaScript, Images)
 
 STATIC_URL = "/static/"
@@ -210,6 +210,7 @@
     str(PROJECT_DIR / "static"),
 ]
 
+
 CRISPY_TEMPLATE_PACK = "bootstrap4"
 
 # Third-party apps
@@ -293,9 +294,11 @@
     "TAGS_SORTER": False,
 }
 
+
 if not VULNERABLECODEIO_REQUIRE_AUTHENTICATION:
     REST_FRAMEWORK["DEFAULT_PERMISSION_CLASSES"] = ("rest_framework.permissions.AllowAny",)
 
+
 if DEBUG_TOOLBAR:
     INSTALLED_APPS += ("debug_toolbar",)
 
