Merge branch 'fix-apitokens-community' into 'main'

Fix API token authentication in community edition See merge request reportcreator/reportcreator!618
Syslifters · Jul 10, 2024 · d0b1259 · d0b1259
2 parents c5a85df + efe14bf
commit d0b1259
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## v2024.58 - 2024-07-10
+* Fix API token authentication in community edition
+
+
 ## v2024.57 - 2024-07-10
 * Fix set assignee in notes, findings and sections
 * Fix error when setting note checkboxes

diff --git a/api/src/reportcreator_api/tests/test_license.py b/api/src/reportcreator_api/tests/test_license.py
@@ -41,7 +41,11 @@ def setUp(self):
         self.user = create_user(is_superuser=True, password=self.password)
         self.user_regular = create_user(password=self.password)
         self.user_system = create_user(is_system_user=True, password=self.password)
+
         self.client = api_client(self.user)
+        session = self.client.session
+        session.setdefault('authentication_info', {})['reauth_time'] = timezone.now().isoformat()
+        session.save()
 
         with mock.patch('reportcreator_api.utils.license.check_license', return_value={'type': license.LicenseType.COMMUNITY, 'users': 2, 'error': None}):
             yield
@@ -178,15 +182,15 @@ def test_user_count_limit(self):
             self.user_regular.save()
 
     def test_apitoken_limit(self):
-        APIToken.objects.create(user=self.user_regular)
+        res1 = self.client.post(reverse('apitoken-list', kwargs={'pentestuser_pk': 'self'}), data={'name': 'test'})
+        assert res1.status_code == 201
+        res_token = api_client().get(reverse('pentestuser-detail', kwargs={'pk': 'self'}), HTTP_AUTHORIZATION='Bearer ' + res1.data['token'])
+        assert res_token.status_code == 200
 
         with pytest.raises(license.LicenseLimitExceededError):
-            APIToken.objects.create(user=self.user_regular)
+            APIToken.objects.create(user=self.user)
 
     def test_apitoken_no_expiry(self):
-        session = self.client.session
-        session.setdefault('authentication_info', {})['reauth_time'] = timezone.now().isoformat()
-        session.save()
         assert_api_license_error(self.client.post(reverse('apitoken-list', kwargs={'pentestuser_pk': 'self'}), data={'name': 'test', 'expire_date': timezone.now().date().isoformat()}))
 
 

diff --git a/api/src/reportcreator_api/users/signals.py b/api/src/reportcreator_api/users/signals.py
@@ -46,7 +46,7 @@ def user_count_license_check(sender, instance, *args, **kwargs):
 
 @receiver(signals.pre_save, sender=APIToken)
 def api_token_license_limit(sender, instance, *args, **kwargs):
-    if license.is_professional():
+    if license.is_professional() or not instance._state.adding:
         return
 
     current_apitoken_count = APIToken.objects \