
api/throttling: Lift rate limit when user has special permission
Closed, Public

Authored by anlambert on Wed, Jun 17, 5:42 PM.

Details

Summary

If a Django user has the "swh.web.api.throttling_exempted" permission, he
will not be rate limited.

Related to T1927

Depends on D3304.

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

anlambert created this revision. Wed, Jun 17, 5:42 PM

Build is green

Patch application report for D3309 (id=11716)

Could not rebase; Attempt merge onto e926cadb92...

Updating e926cadb..644fcc01
Fast-forward
 swh/web/api/throttling.py            |  6 +++++-
 swh/web/auth/backends.py             |  5 +++++
 swh/web/auth/models.py               | 39 +++++++++++++++++++++++++++++++++-
 swh/web/tests/api/test_throttling.py | 35 ++++++++++++++++++++++++++++--
 swh/web/tests/auth/keycloak_mock.py  | 20 ++++++++++++++----
 swh/web/tests/auth/sample_data.py    | 27 ++++++++++++++++++++++++
 swh/web/tests/auth/test_backends.py  | 41 ++++++++++++++++++++++++++++++++----
 7 files changed, 161 insertions(+), 12 deletions(-)
Changes applied before test
commit 644fcc014b1faa5003400dcaee5a831147feba6d
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Jun 17 17:40:18 2020 +0200

    api/throttling: Lift rate limit when user has special permission
    
    If a Django user has the "swh.web.api.throttling_exempted" permission, he
    will not be rate limited.
    
    Related to T1927

commit 7e719461588132fdaf854e20ccf244b83bc607da
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Jun 17 16:02:08 2020 +0200

    auth: Map Keycloak user permissions to Django ones
    
    Keycloak user permissions are named Roles in Keycloak semantics.
    
    Extract them from each decoded access token and override methods from
    django.contrib.auth.models.PermissionsMixin in order to manipulate them
    as Django user permissions.
    
    Closes T2247

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/189/ for more details.
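As an added illustration of the two commits listed above (Keycloak roles mapped onto Django-style permissions, and the throttle that is lifted for holders of the "swh.web.api.throttling_exempted" permission), here is a self-contained pure-Python sketch; it is not swh-web's code, the class and function names are hypothetical, the decoded token is constructed, and the "swh-web" client id is an assumption.

```python
from collections import defaultdict, deque

EXEMPT_PERM = "swh.web.api.throttling_exempted"
# Constructed decoded Keycloak access token (not a real token). Keycloak puts
# realm roles in realm_access and client roles in resource_access.<client-id>;
# the client id "swh-web" is an assumption.
DECODED_TOKEN = {
    "preferred_username": "alice",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"swh-web": {"roles": [EXEMPT_PERM]}},
}


def roles_from_token(decoded):
    """Collect realm and client roles from a decoded Keycloak token."""
    roles = set(decoded.get("realm_access", {}).get("roles", []))
    for client in decoded.get("resource_access", {}).values():
        roles.update(client.get("roles", []))
    return roles


class TokenUser:
    """Hypothetical Django-user stand-in whose permissions are token roles."""

    def __init__(self, decoded):
        self.username = decoded.get("preferred_username", "")
        self._perms = frozenset(roles_from_token(decoded))

    def has_perm(self, perm):
        return perm in self._perms


class SlidingWindowThrottle:
    """At most `limit` requests per `window` seconds per user, unless exempt."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow_request(self, user, now):
        if user.has_perm(EXEMPT_PERM):
            return True  # rate limit lifted: never counted, never blocked
        hits = self._hits[user.username]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True
```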

zack added a subscriber: zack. Wed, Jun 17, 6:06 PM

Thumbs up for a dedicated permission for API throttling, thanks!

ardumont accepted this revision. Thu, Jun 18, 9:26 AM
ardumont added a subscriber: ardumont.

Looks good.

I have questions above ;)

swh/web/tests/api/test_throttling.py
202

Is that to override a variable from django settings?

it's neat if it is ;)

213

I thought I read that permissions were stored in Keycloak and mapped to the Django model (as per my understanding of another task description linked to the diff description)?

Oh, or is that to avoid having to mock Keycloak too much?

This revision is now accepted and ready to land. Thu, Jun 18, 9:26 AM
anlambert added inline comments. Thu, Jun 18, 11:43 AM
swh/web/tests/api/test_throttling.py
202

Yes, I had new endpoints in that test module and was forced to override settings to take them into account.

213

Oh, or is that to avoid having to mock Keycloak too much?

Indeed, and as we stick to the Django User API, we can still use classical database-backed permissions. The way to create them programmatically is just awful.