Merge pull request #3134 from getsentry/perms

Fixed API keys not correctly reflecting scopes

Author: mattrobenolt

src/sentry/models/apikey.py

@@ -95,7 +95,7 @@ def get_audit_log_data(self):
         }
 
     def get_scopes(self):
-        return self.scopes.keys()
+        return [k for k, v in self.scopes.iteritems() if v]
 
 
 class SystemKey(object):
@@ -117,5 +117,8 @@ def get_scopes(self):
         # All scopes!
         return ApiKey.scopes
 
+    def has_scope(self, scope):
+        return True
+
 
 ROOT_KEY = SystemKey()

tests/sentry/api/bases/test_organization.py

@@ -19,7 +19,10 @@ def has_object_perm(self, method, obj, auth=None, user=None, is_superuser=None):
         request.user = user
         request.method = method
         request.is_superuser = lambda: is_superuser if is_superuser is not None else user.is_superuser
-        return perm.has_object_permission(request, None, obj)
+        return (
+            perm.has_permission(request, None) and
+            perm.has_object_permission(request, None, obj)
+        )
 
 
 class OrganizationPermissionTest(OrganizationPermissionBase):
@@ -44,11 +47,34 @@ def test_org_member(self):
     def test_api_key_with_org_access(self):
         key = ApiKey.objects.create(
             organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'org:read'),
         )
         assert self.has_object_perm('GET', self.org, auth=key)
 
     def test_api_key_without_org_access(self):
         key = ApiKey.objects.create(
             organization=self.create_organization(),
+            scopes=getattr(ApiKey.scopes, 'org:read')
+        )
+        assert not self.has_object_perm('GET', self.org, auth=key)
+
+    def test_api_key_without_access(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=0,
         )
         assert not self.has_object_perm('GET', self.org, auth=key)
+
+    def test_api_key_with_wrong_access(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'team:read'),
+        )
+        assert not self.has_object_perm('GET', self.org, auth=key)
+
+    def test_api_key_with_wrong_access_for_method(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'org:read'),
+        )
+        assert not self.has_object_perm('PUT', self.org, auth=key)

tests/sentry/api/bases/test_project.py

@@ -21,7 +21,10 @@ def has_object_perm(self, method, obj, auth=None, user=None, is_superuser=None):
         request.user = user
         request.method = method
         request.is_superuser = lambda: is_superuser if is_superuser is not None else user.is_superuser
-        return perm.has_object_permission(request, None, obj)
+        return (
+            perm.has_permission(request, None) and
+            perm.has_object_permission(request, None, obj)
+        )
 
 
 class ProjectPermissionTest(ProjectPermissionBase):
@@ -76,11 +79,34 @@ def test_member_with_team_access(self):
     def test_api_key_with_org_access(self):
         key = ApiKey.objects.create(
             organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'project:read'),
         )
         assert self.has_object_perm('GET', self.project, auth=key)
 
     def test_api_key_without_org_access(self):
         key = ApiKey.objects.create(
             organization=self.create_organization(),
+            scopes=getattr(ApiKey.scopes, 'project:read'),
+        )
+        assert not self.has_object_perm('GET', self.project, auth=key)
+
+    def test_api_key_without_access(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=0,
         )
         assert not self.has_object_perm('GET', self.project, auth=key)
+
+    def test_api_key_with_wrong_access(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'team:read'),
+        )
+        assert not self.has_object_perm('GET', self.project, auth=key)
+
+    def test_api_key_with_wrong_access_for_method(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'project:read'),
+        )
+        assert not self.has_object_perm('PUT', self.project, auth=key)

tests/sentry/api/bases/test_team.py

@@ -20,7 +20,10 @@ def has_object_perm(self, method, obj, auth=None, user=None, is_superuser=None):
         request.user = user
         request.method = method
         request.is_superuser = lambda: is_superuser if is_superuser is not None else user.is_superuser
-        return perm.has_object_permission(request, None, obj)
+        return (
+            perm.has_permission(request, None) and
+            perm.has_object_permission(request, None, obj)
+        )
 
 
 class TeamPermissionTest(TeamPermissionBase):
@@ -55,11 +58,34 @@ def test_get_with_team_membership(self):
     def test_get_api_key_with_org_access(self):
         key = ApiKey.objects.create(
             organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'team:read'),
         )
         assert self.has_object_perm('GET', self.team, auth=key)
 
     def test_get_api_key_without_org_access(self):
         key = ApiKey.objects.create(
             organization=self.create_organization(),
+            scopes=getattr(ApiKey.scopes, 'team:read'),
         )
         assert not self.has_object_perm('GET', self.team, auth=key)
+
+    def test_api_key_without_access(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=0,
+        )
+        assert not self.has_object_perm('GET', self.org, auth=key)
+
+    def test_api_key_with_wrong_access(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'project:read'),
+        )
+        assert not self.has_object_perm('GET', self.org, auth=key)
+
+    def test_api_key_with_wrong_access_for_method(self):
+        key = ApiKey.objects.create(
+            organization=self.org,
+            scopes=getattr(ApiKey.scopes, 'team:read'),
+        )
+        assert not self.has_object_perm('PUT', self.project, auth=key)