Fix log token working with new log settings

AndriiMysko · AndriiMysko · commit 952cfd15754e · 2022-10-10T14:43:17.000+03:00
diff --git a/lib/travis/api/v3/access_control/log_token.rb b/lib/travis/api/v3/access_control/log_token.rb
@@ -5,14 +5,15 @@ module Travis::API::V3
   class AccessControl::LogToken < AccessControl::Generic
     auth_type('log.token')
 
-    attr_accessor :token
+    attr_accessor :token, :repo_can_write
 
     def self.for_request(type, token, env)
       new(token)
     end
 
     def initialize(token)
       self.token = token
+      self.repo_can_write = Travis::API::V3::LogToken.find(token).repo_can_write
     end
 
     def temp_access?
diff --git a/lib/travis/api/v3/log_token.rb b/lib/travis/api/v3/log_token.rb
@@ -1,14 +1,17 @@
 module Travis::API::V3
   class LogToken
-    attr_accessor :job_id
+    attr_accessor :job_id, :repo_can_write
 
     def self.find(token)
-      new(redis.get("l:#{token}").to_i)
+      values = redis.smembers("l:#{token}")
+      new(values[0].to_i, !!values[1])
     end
 
-    def self.create(job)
+    def self.create(job, user_id)
+      repo_can_write = !!job.repository.users.where(id: user_id, permissions: { push: true }).first
+
       token = SecureRandom.urlsafe_base64(16)
-      redis.set("l:#{token}", job.id)
+      redis.sadd("l:#{token}", [job.id, repo_can_write])
       redis.expire("l:#{token}", 1.day)
       token
     end
@@ -17,8 +20,9 @@ def self.redis
       Travis.redis
     end
 
-    def initialize(job_id)
+    def initialize(job_id, repo_can_write)
       self.job_id = job_id
+      self.repo_can_write = repo_can_write
     end
 
     def matches?(job)
diff --git a/lib/travis/api/v3/renderer/log.rb b/lib/travis/api/v3/renderer/log.rb
@@ -26,7 +26,7 @@ def render(representation)
         raw_log_href = "/v3#{raw_log_href}"
       end
       if enterprise? || model.repository_private?
-        token = LogToken.create(model.job)
+        token = LogToken.create(model.job, access_control&.user&.id)
         raw_log_href += "?log.token=#{token}"
       end
       result['@raw_log_href'] = raw_log_href
diff --git a/lib/travis/api/v3/services/log/find.rb b/lib/travis/api/v3/services/log/find.rb
@@ -4,9 +4,14 @@ class Services::Log::Find < Service
 
     def run!
       job = Models::Job.find(params['job.id'])
-      repo_can_write = access_control.user ? !!job.repository.users.where(id: access_control.user.id, permissions: { push: true }).first : false
-
       log = query.find(job)
+      repo_can_write = false
+      if access_control.is_a?(Travis::API::V3::AccessControl::LogToken)
+        repo_can_write = access_control.repo_can_write
+      elsif access_control.user
+        repo_can_write = !!job.repository.users.where(id: access_control.user.id, permissions: { push: true }).first
+      end
+
       raise(NotFound, :log) unless access_control.visible? log
       raise LogExpired if job.repository.user_settings.job_log_time_based_limit && job.started_at && job.started_at < Time.now - job.repository.user_settings.job_log_access_older_than_days.days
       raise LogAccessDenied if job.repository.user_settings.job_log_access_based_limit && !repo_can_write
diff --git a/spec/v3/services/job/find_spec.rb b/spec/v3/services/job/find_spec.rb
@@ -141,7 +141,7 @@
   end
 
   describe "fetching job on private repository, private API, with a log.token" do
-    let(:log_token) { Travis::API::V3::LogToken.create(job).to_s }
+    let(:log_token) { Travis::API::V3::LogToken.create(job, owner.id).to_s }
     before        { repo.update_attribute(:private, true)                   }
     before        { get("/v3/job/#{job.id}?log.token=#{log_token}", {}, {}) }
     after         { repo.update_attribute(:private, false)                  }
