Merge pull request #1252 from travis-ci/fix_log_token_am

Fix disable job logs issues

Author: murtaza-swati

lib/travis/api/app/endpoint/logs.rb

@@ -14,8 +14,13 @@ class Logs < Endpoint
         repo = Travis::API::V3::Models::Repository.find(job.repository.id)
         repo_can_write = current_user ? !!repo.users.where(id: current_user.id, permissions: { push: true }).first : false
 
-        raise LogExpired if repo.user_settings.job_log_time_based_limit && job.started_at && job.started_at < Time.now - repo.user_settings.job_log_access_older_than_days.days
-        raise LogAccessDenied if repo.user_settings.job_log_access_based_limit && !repo_can_write
+        if !repo.user_settings.job_log_time_based_limit && job.started_at && job.started_at < Time.now - repo.user_settings.job_log_access_older_than_days.days
+          halt 403, { error: { message: "We're sorry, but this data is not available anymore. Please check the repository settings in Travis CI." } }
+        end
+
+        if repo.user_settings.job_log_access_based_limit && !repo_can_write
+          halt 403, { error: { message: "We're sorry, but this data is not available. Please check the repository settings in Travis CI." } }
+        end
 
         if !resource || ((job.try(:private?) || !allow_public?) && !has_permission?(job))
           halt 404

lib/travis/api/v3/access_control/log_token.rb

@@ -5,14 +5,15 @@ module Travis::API::V3
   class AccessControl::LogToken < AccessControl::Generic
     auth_type('log.token')
 
-    attr_accessor :token
+    attr_accessor :token, :repo_can_write
 
     def self.for_request(type, token, env)
       new(token)
     end
 
     def initialize(token)
       self.token = token
+      self.repo_can_write = Travis::API::V3::LogToken.find(token).repo_can_write
     end
 
     def temp_access?

lib/travis/api/v3/log_token.rb

@@ -1,14 +1,18 @@
 module Travis::API::V3
   class LogToken
-    attr_accessor :job_id
+    attr_accessor :job_id, :repo_can_write
 
     def self.find(token)
-      new(redis.get("l:#{token}").to_i)
+      key = "l:#{token}"
+      new(redis.hget(key, :job_id).to_i, !!redis.hget(key, :repo_can_write))
     end
 
-    def self.create(job)
+    def self.create(job, user_id)
+      repo_can_write = !!job.repository.users.where(id: user_id, permissions: { push: true }).first
+
       token = SecureRandom.urlsafe_base64(16)
-      redis.set("l:#{token}", job.id)
+      redis.hset("l:#{token}", :job_id, job.id)
+      redis.hset("l:#{token}", :repo_can_write, repo_can_write)
       redis.expire("l:#{token}", 1.day)
       token
     end
@@ -17,8 +21,9 @@ def self.redis
       Travis.redis
     end
 
-    def initialize(job_id)
+    def initialize(job_id, repo_can_write)
       self.job_id = job_id
+      self.repo_can_write = repo_can_write
     end
 
     def matches?(job)

lib/travis/api/v3/models/log.rb

@@ -27,6 +27,10 @@ def repository_private?
       job.repository.private?
     end
 
+    def repository
+      @repository ||= Travis::API::V3::Models::Repository.find(job.repository.id)
+    end
+
     private
 
     def archived_log_part

lib/travis/api/v3/renderer/log.rb

@@ -25,8 +25,8 @@ def render(representation)
       if raw_log_href !~ /^\/v3/
         raw_log_href = "/v3#{raw_log_href}"
       end
-      if enterprise? || model.repository_private?
-        token = LogToken.create(model.job)
+      if enterprise? || model.repository_private? || model.repository.user_settings.job_log_access_based_limit
+        token = LogToken.create(model.job, access_control&.user&.id)
         raw_log_href += "?log.token=#{token}"
       end
       result['@raw_log_href'] = raw_log_href

lib/travis/api/v3/services/log/find.rb

@@ -4,11 +4,16 @@ class Services::Log::Find < Service
 
     def run!
       job = Models::Job.find(params['job.id'])
-      repo_can_write = access_control.user ? !!job.repository.users.where(id: access_control.user.id, permissions: { push: true }).first : false
-
       log = query.find(job)
+      repo_can_write = false
+      if access_control.is_a?(Travis::API::V3::AccessControl::LogToken)
+        repo_can_write = access_control.repo_can_write
+      elsif access_control.user
+        repo_can_write = !!job.repository.users.where(id: access_control.user.id, permissions: { push: true }).first
+      end
+
       raise(NotFound, :log) unless access_control.visible? log
-      raise LogExpired if job.repository.user_settings.job_log_time_based_limit && job.started_at && job.started_at < Time.now - job.repository.user_settings.job_log_access_older_than_days.days
+      raise LogExpired if !job.repository.user_settings.job_log_time_based_limit && job.started_at && job.started_at < Time.now - job.repository.user_settings.job_log_access_older_than_days.days
       raise LogAccessDenied if job.repository.user_settings.job_log_access_based_limit && !repo_can_write
 
       result log

spec/auth/v1/logs_spec.rb

@@ -6,7 +6,12 @@
   let(:log)   { double(id: 1) }
 
   let(:log_url) { "#{Travis.config[:logs_api][:url]}/logs/1?by=id&source=api" }
-  before { stub_request(:get, log_url).to_return(status: 200, body: %({"job_id": #{job.id}, "content": "content"})) }
+  before do
+    stub_request(:get, log_url).to_return(status: 200, body: %({"job_id": #{job.id}, "content": "content"}))
+    repository = Travis::API::V3::Models::Repository.find(repo.id)
+    repository.user_settings.update(:job_log_time_based_limit, true)
+    repository.save!
+  end
 
   describe 'in public mode, with a private repo', mode: :public, repo: :private do
     describe 'GET /logs/%{log.id}' do

spec/auth/v2.1/logs_spec.rb

@@ -32,6 +32,9 @@
     allow(remote).to receive(:find_by_job_id).and_return(Travis::RemoteLog.new(log_from_api))
     allow(remote).to receive(:find_by_id).and_return(Travis::RemoteLog.new(log_from_api))
     allow(remote).to receive(:fetch_archived_log_content).and_return(archived_content)
+    repository = Travis::API::V3::Models::Repository.find(repo.id)
+    repository.user_settings.update(:job_log_time_based_limit, true)
+    repository.save!
   end
 
   describe 'in public mode, with a private repo', mode: :public, repo: :private do

spec/auth/v2/logs_spec.rb

@@ -32,6 +32,9 @@
     allow(remote).to receive(:find_by_job_id).and_return(Travis::RemoteLog.new(log_from_api))
     allow(remote).to receive(:find_by_id).and_return(Travis::RemoteLog.new(log_from_api))
     allow(remote).to receive(:fetch_archived_log_content).and_return(archived_content)
+    repository = Travis::API::V3::Models::Repository.find(repo.id)
+    repository.user_settings.update(:job_log_time_based_limit, true)
+    repository.save!
   end
 
   describe 'in public mode, with a private repo', mode: :public, repo: :private do

spec/integration/visibility_spec.rb

@@ -16,6 +16,11 @@
   before { requests[0].update_attributes(private: false) }
   before { builds[0].update_attributes(private: false) }
   before { jobs[0].update_attributes(private: false) }
+  before do
+    repository = Travis::API::V3::Models::Repository.find(repo.id)
+    repository.user_settings.update(:job_log_time_based_limit, true)
+    repository.save!
+  end
   before :each do
     Fog.mock!
     storage = Fog::Storage.new({