mamba-org · AndreasAlbertQC · Jul 31, 2023 · Jun 9, 2023 · Jun 22, 2023
diff --git a/quetz/authorization.py b/quetz/authorization.py
@@ -39,19 +39,59 @@ def __init__(self, API_key: Optional[str], session: dict, db: Session):
         self.session = session
         self.db = db
 
+    def get_valid_api_key(self) -> Optional[ApiKey]:
+        if not self.API_key:
+            return None
+        return (
+            self.db.query(ApiKey)
+            .filter(ApiKey.key == self.API_key, ~ApiKey.deleted)
+            .filter(
+                ApiKey.key == self.API_key,
+                or_(ApiKey.expire_at >= date.today(), ApiKey.expire_at.is_(None)),
+            )
+            .one_or_none()
+        )
+
+    def get_owner(self) -> Optional[bytes]:
+        """
+        gets the id of the owner of the authenticated session, if any. Either:
+          a) the owner of the API key that is used for authentication
+          b) the user_id of the encrypted session cookie
+        """
+        owner_id = None
+
+        if self.API_key:
+            api_key = self.get_valid_api_key()
+            if api_key:
+                owner_id = api_key.owner_id
+        else:
+            user_id = self.session.get("user_id")
+            if user_id:
+                owner_id = uuid.UUID(user_id).bytes
+
+        return owner_id
+
+    def assert_owner(self) -> bytes:
+        owner_id = self.get_owner()
+
+        if not owner_id or not self.db.query(User).filter(User.id == owner_id).count():
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Not logged in",
+            )
+
+        return owner_id
+
     def get_user(self) -> Optional[bytes]:
+        """
+        gets the id of the user of the authenticated session, if any. Either:
+          a) the user_id of the API key (not its owner!) that is used for authentication
+          b) the user_id of the encrypted session cookie
+        """
         user_id = None
 
         if self.API_key:
-            api_key = (
-                self.db.query(ApiKey)
-                .filter(ApiKey.key == self.API_key, ~ApiKey.deleted)
-                .filter(
-                    ApiKey.key == self.API_key,
-                    or_(ApiKey.expire_at >= date.today(), ApiKey.expire_at.is_(None)),
-                )
-                .one_or_none()
-            )
+            api_key = self.get_valid_api_key()
             if api_key:
                 user_id = api_key.user_id
         else:

diff --git a/quetz/main.py b/quetz/main.py
@@ -912,7 +912,11 @@ def post_package(
     auth: authorization.Rules = Depends(get_rules),
     dao: Dao = Depends(get_dao),
 ):
-    user_id = auth.assert_user()
+    # here we use the owner_id as user_id. In case the authentication
+    # was done using an API Key, we want to attribute the uploaded package
+    # to the owner of that API Key and not the anonymous API Key itself.
+    user_id = auth.assert_owner()
+
     auth.assert_create_package(channel.name)
     pm.hook.validate_new_package(
         channel_name=channel.name,
@@ -1382,7 +1386,11 @@ async def post_upload(
             status_code=status.HTTP_406_NOT_ACCEPTABLE, detail="Wrong SHA256 checksum"
         )
 
-    user_id = auth.assert_user()
+    # here we use the owner_id as user_id. In case the authentication
+    # was done using an API Key, we want to attribute the uploaded package
+    # to the owner of that API Key and not the anonymous API Key itself.
+    user_id = auth.assert_owner()
+
     auth.assert_create_package(channel_name)
     condainfo = CondaInfo((body), filename)
     dest = os.path.join(condainfo.info["subdir"], filename)
@@ -1504,7 +1512,10 @@ def handle_package_files(
     package=None,
     is_mirror_op=False,
 ):
-    user_id = auth.assert_user()
+    # here we use the owner_id as user_id. In case the authentication
+    # was done using an API Key, we want to attribute the uploaded package
+    # to the owner of that API Key and not the anonymous API Key itself.
+    user_id = auth.assert_owner()
 
     # quick fail if not allowed to upload
     # note: we're checking later that `parts[0] == conda_info.package_name`

diff --git a/quetz/tests/api/test_main_packages.py b/quetz/tests/api/test_main_packages.py
@@ -7,11 +7,13 @@
 import pytest
 
 from quetz import hookimpl
-from quetz.authorization import MAINTAINER, MEMBER, OWNER
+from quetz.authorization import MAINTAINER, MEMBER, OWNER, SERVER_OWNER
 from quetz.condainfo import CondaInfo
 from quetz.config import Config
+from quetz.dao import Dao
 from quetz.db_models import ChannelMember, Package, PackageMember, PackageVersion
 from quetz.errors import ValidationError
+from quetz.rest_models import BaseApiKey, Channel
 from quetz.tasks.indexing import update_indexes
 
 
@@ -732,3 +734,140 @@ def test_package_channel_data_attributes(
     content = response.json()
     assert content['platforms'] == ['linux-64']
     assert content['url'].startswith("https://")
+
+
+@pytest.fixture
+def owner(db, dao: Dao):
+    # create an owner with OWNER role
+    owner = dao.create_user_with_role("owner", role=SERVER_OWNER)
+
+    yield owner
+
+    db.delete(owner)
+    db.commit()
+
+
+@pytest.fixture
+def private_channel(db, dao: Dao, owner):
+    # create a channel
+    channel_data = Channel(name='private-channel', private=True)
+    channel = dao.create_channel(channel_data, owner.id, "owner")
+
+    yield channel
+
+    db.delete(channel)
+    db.commit()
+
+
+@pytest.fixture
+def private_package(db, owner, private_channel, dao):
+    package_data = Package(name='test-package')
+
+    package = dao.create_package(private_channel.name, package_data, owner.id, "owner")
+
+    yield package
+
+    db.delete(package)
+    db.commit()
+
+
+@pytest.fixture
+def api_key(db, dao: Dao, owner, private_channel):
+    # create an api key with restriction
+    key = dao.create_api_key(
+        owner.id,
+        BaseApiKey.parse_obj(
+            dict(
+                description="test api key",
+                expire_at="2099-12-31",
+                roles=[
+                    {
+                        'role': 'maintainer',
+                        'package': None,
+                        'channel': private_channel.name,
+                    }
+                ],
+            )
+        ),
+        "API key with role restruction",
+    )
+
+    yield key
+
+    # delete API Key
+    key.deleted = True
+    db.commit()
+
+
+def test_upload_package_with_api_key(client, dao: Dao, owner, private_channel, api_key):
+    # set api key of the anonymous user 'owner_key' to headers
+    client.headers['X-API-Key'] = api_key.key
+
+    # post new package
+    response = client.post(
+        f"/api/channels/{private_channel.name}/packages",
+        json={"name": "test-package", "summary": "none", "description": "none"},
+    )
+    assert response.status_code == 201
+
+    # we used the anonymous user of the API key for upload,
+    # but expect the owner to be the package owner
+    member = dao.get_package_member(
+        private_channel.name, 'test-package', username=owner.username
+    )
+    assert member
+
+
+def test_upload_file_to_package_with_api_key(
+    dao: Dao, client, owner, private_channel, private_package, api_key
+):
+    # set api key of the anonymous user 'owner_key' to headers
+    client.headers['X-API-Key'] = api_key.key
+
+    package_filename = "test-package-0.1-0.tar.bz2"
+    with open(package_filename, "rb") as fid:
+        files = {"files": (package_filename, fid)}
+        response = client.post(
+            f"/api/channels/{private_channel.name}/packages/"
+            f"{private_package.name}/files/",
+            files=files,
+        )
+        assert response.status_code == 201
+
+    # we used the anonymous user of the API key for upload,
+    # but expect the owner to be the package owner
+    version = dao.get_package_version_by_filename(
+        channel_name=private_channel.name,
+        package_name=private_package.name,
+        filename=package_filename,
+        platform='linux-64',
+    )
+    assert version
+    assert version.uploader == owner
+
+
+def test_upload_file_to_channel_with_api_key(
+    dao: Dao, client, owner, private_channel, api_key
+):
+    # set api key of the anonymous user 'owner_key' to headers
+    client.headers['X-API-Key'] = api_key.key
+
+    package_filename = "test-package-0.1-0.tar.bz2"
+    with open(package_filename, "rb") as fid:
+        files = {"files": (package_filename, fid)}
+        response = client.post(
+            f"/api/channels/{private_channel.name}/files/",
+            files=files,
+        )
+        assert response.status_code == 201
+
+    # we used the anonymous user of the API key for upload,
+    # but expect the owner to be the package owner
+    version = dao.get_package_version_by_filename(
+        channel_name=private_channel.name,
+        package_name='test-package',
+        filename=package_filename,
+        platform='linux-64',
+    )
+    assert version
+    assert version.uploader == owner