fix: remove service account role check on sync requests (#5355)

External service accounts do not have a role set so async triggered periodic org syncs were rejected. Improving role/perm check in a later PR instead (restriction wasn't originally there).
2024-12-11 16:08:10 -03:00 · 2024-12-11 16:08:10 -03:00 · b8dc7af14a
commit b8dc7af14a
parent ec874440ba
2 changed files with 3 additions and 35 deletions
--- a/engine/apps/auth_token/auth.py
+++ b/engine/apps/auth_token/auth.py
@ -135,11 +135,9 @@ class BasePluginAuthentication(BaseAuthentication):
            user_id = context["UserID"]

        if context.get("IsServiceAccount", False):
-            # no user involved in service account requests
-            logger.info(f"serviceaccount request - id={user_id}")
            service_account_role = context.get("Role", "None")
-            if service_account_role.lower() != "admin":
-                raise exceptions.AuthenticationFailed("Service account requests must have Admin or Editor role.")
+            # no user involved in service account requests
+            logger.info(f"serviceaccount request - id={user_id} - role={service_account_role}")
            return None

        try:
--- a/engine/apps/auth_token/tests/test_plugin_auth.py
+++ b/engine/apps/auth_token/tests/test_plugin_auth.py
@ -6,7 +6,7 @@ from django.utils import timezone
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.test import APIRequestFactory

-from apps.auth_token.auth import BasePluginAuthentication, PluginAuthentication
+from apps.auth_token.auth import PluginAuthentication

 INSTANCE_CONTEXT = '{"stack_id": 42, "org_id": 24, "grafana_token": "abc"}'

@ -176,33 +176,3 @@ def test_plugin_authentication_self_hosted_setup_new_user(make_organization, mak
    assert ret_user.user_id == 12
    assert ret_token.organization == organization
    assert organization.users.count() == 1
-
-
-@pytest.mark.django_db
-@pytest.mark.parametrize(
-    "role,expected_raises", [("Admin", False), ("Editor", True), ("Viewer", True), ("Other", True)]
-)
-def test_plugin_authentication_service_account(make_organization, role, expected_raises):
-    # Setting gcom_token_org_last_time_synced to now, so it doesn't try to sync with gcom
-    organization = make_organization(
-        stack_id=42, org_id=24, gcom_token="123", api_token="abc", gcom_token_org_last_time_synced=timezone.now()
-    )
-
-    headers = {
-        "HTTP_AUTHORIZATION": "gcom:123",
-        "HTTP_X-Instance-Context": INSTANCE_CONTEXT,
-        "HTTP_X-Grafana-Context": json.dumps({"UserId": 12, "Role": role, "IsServiceAccount": True}),
-    }
-    request = APIRequestFactory().get("/", **headers)
-
-    if expected_raises:
-        with pytest.raises(AuthenticationFailed):
-            BasePluginAuthentication().authenticate(request)
-    else:
-        ret_user, ret_token = BasePluginAuthentication().authenticate(request)
-        assert ret_user is None
-        assert ret_token.organization == organization
-
-    # PluginAuthentication should always raise an exception if the request comes from a service account
-    with pytest.raises(AuthenticationFailed):
-        PluginAuthentication().authenticate(request)