Merge pull request #64 from MauriceBoendermaker/GH-SECRETS-Apikeys

Gh secrets apikeys
MauriceBoendermaker · Jan 21, 2025 · ff6bff6 · ff6bff6 · github-actions · Jan 21, 2025
2 parents 04cbd60 + 4e58b4f
commit ff6bff6
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 32 deletions.
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
@@ -76,6 +76,10 @@ jobs:
       run: echo "PYTHONPATH=$(pwd)" >> $GITHUB_ENV
 
     - name: run CargoHubV2 server
+      env:
+        WAREHOUSE_MANAGER: ${{ secrets.WAREHOUSE_MANAGER}}
+        FLOOR_MANAGER: ${{ secrets.FLOOR_MANAGER }}
+        EMPLOYEE: ${{ secrets.EMPLOYEE }}
       run: |
         uvicorn CargoHubV2.app.main:app --port 3000 &
         sleep 10

diff --git a/CargoHubV2/app/controllers/packinglist_controller.py b/CargoHubV2/app/controllers/packinglist_controller.py
@@ -11,6 +11,7 @@
     tags=["packinglist"]
 )
 
+
 @router.get("/api/v2/packinglist/{order_id}")
 def create_packing_list(
     order_id: int, 
@@ -24,10 +25,19 @@ def create_packing_list(
 
 
 @router.get("/get-pdf/{filename}")
-def get_pdf(filename: str):
+def get_pdf(filename: str, api_key: str = Header(...)):
     PDF_DIR = Path("generated_pdfs")
-    pdf_path = PDF_DIR/filename
+
+    # voorkomt path traversal
+    sanitized_filename = Path(filename).name
+    pdf_path = PDF_DIR/sanitized_filename
+
+    if not str(pdf_path).startswith(str(PDF_DIR)):
+        raise HTTPException(status_code=403, detail="Base path modified")
+
     if pdf_path.exists():
-        return FileResponse(pdf_path, media_type="application/pdf", filename=filename)
+        return FileResponse(
+            pdf_path, media_type="application/pdf",
+            filename=sanitized_filename)
     else:
-        raise HTTPException(status_code=404, detail="PDF not found")
+        raise HTTPException(status_code=404, detail="PDF not found")
diff --git a/CargoHubV2/app/controllers/reporting_controller.py b/CargoHubV2/app/controllers/reporting_controller.py
@@ -38,10 +38,18 @@ def generate_general_report(
 
 
 @router.get("/get-pdf/{filename}")
-def get_pdf(filename: str):
+def get_pdf(filename: str, api_key: str = Header(...)):
     PDF_DIR = Path("generated_pdfs")
-    pdf_path = PDF_DIR/filename
+    # voorkomt path traversal
+    sanitized_filename = Path(filename).name
+    pdf_path = PDF_DIR/sanitized_filename
+
+    if not str(pdf_path).startswith(str(PDF_DIR)):
+        raise HTTPException(status_code=403, detail="Base path modified")
+
     if pdf_path.exists():
-        return FileResponse(pdf_path, media_type="application/pdf", filename=filename)
+        return FileResponse(
+            pdf_path,
+            media_type="application/pdf", filename=sanitized_filename)
     else:
         raise HTTPException(status_code=404, detail="PDF not found")
diff --git a/CargoHubV2/app/main.py b/CargoHubV2/app/main.py
@@ -15,7 +15,9 @@
 from CargoHubV2.app.controllers import reporting_controller
 from CargoHubV2.app.controllers import packinglist_controller
 from CargoHubV2.app.controllers import docks_controller
-import time
+
+import os
+from dotenv import load_dotenv
 from starlette.responses import JSONResponse
 import logging
 
@@ -24,7 +26,7 @@
 # welke port hij runt kan je bij command aanpassen
 # default port is localhost:8000
 
-# router van de controller gebruiken
+# routers van de controllers gebruiken
 app.include_router(reporting_controller.router)
 app.include_router(item_groups.router)
 app.include_router(item_lines.router)
@@ -34,7 +36,6 @@
 app.include_router(transfers_controller.router)
 app.include_router(suppliers_controller.router)
 app.include_router(warehouses_controller.router)
-app.include_router(load_controller.router)
 app.include_router(clients_controller.router)
 app.include_router(shipments_controller.router)
 app.include_router(inventories_controller.router)
@@ -44,6 +45,19 @@
 
 logger = logging.getLogger("uvicorn.error")
 
+# haalt api keys uit env variabelen
+# in github werkt dit ook, uit GH secrets
+# voor lokaal runnen, moet er een .env zijn met deze 3 variabelen
+load_dotenv()
+warehouse_manager = os.getenv("WAREHOUSE_MANAGER")
+floor_manager = os.getenv("FLOOR_MANAGER")
+employee = os.getenv("EMPLOYEE")
+'''
+print(warehouse_manager)
+print(floor_manager)
+print(employee)
+'''
+
 
 @app.get("/")
 async def root():
@@ -63,10 +77,18 @@ async def shutdown():
 
 @app.middleware("http")
 async def api_key_middleware(request: Request, call_next):
+    # anders kan de documentatie niet bereikt worden
     excluded = ["/favicon.ico", "/openapi.json", "/docs"]
+
+    w_man_only = ["v2/reports", "v2/warehouses", "v2/clients", "v2/suppliers"]
+    all_managers = ["v2/item_groups", "v2/item_lines", "v2/item_types", "v2/items",
+                    "v2/shipments", "v2/docks"]
+    all = ["v2/locations", "v2/transfers", "v2/orders", "v2/inventories",
+           "v2/packinglist"]
+
     try:
         x_api_key = request.headers.get("api-key")
-        if request.url.path in excluded or "/get-pdf" in request.url.path:
+        if request.url.path in excluded:
             return await call_next(request)
         response: Response = await call_next(request)
 
@@ -75,10 +97,32 @@ async def api_key_middleware(request: Request, call_next):
             response.status_code = 422
             raise HTTPException(status_code=422, detail="Missing API key")
 
-        if x_api_key != "a1b2c3d4e5":
-            logger.warning("Invalid API key")
-            response.status_code = 403
-            raise HTTPException(status_code=403, detail="Invalid API key")
+        if any(path in request.url.path for path in w_man_only):
+
+            if x_api_key != warehouse_manager:
+                logger.warning("Invalid API key")
+                response.status_code = 403
+                raise HTTPException(
+                    status_code=403,
+                    detail="Invalid API key, need to be Warehouse manager")
+
+        if any(path in request.url.path for path in all_managers):
+
+            if x_api_key != warehouse_manager and x_api_key != floor_manager:
+                logger.warning("Invalid API key")
+                response.status_code = 403
+                raise HTTPException(
+                    status_code=403,
+                    detail="Invalid API key, only Floor/Warehouse managers")
+
+        if any(path in request.url.path for path in all):
+
+            if x_api_key != warehouse_manager and x_api_key != floor_manager and x_api_key != employee:
+                logger.warning("Invalid API key")
+                response.status_code = 403
+                raise HTTPException(
+                    status_code=403,
+                    detail="Invalid API key, need to be employee of CargoHub")
 
         return response
 
@@ -91,20 +135,3 @@ async def api_key_middleware(request: Request, call_next):
     except Exception as exc:
         logger.exception("Unexpected error occurred in middleware")
         raise exc
-
-'''
-
-# script voor migrations voor later
-from database import Base, engine
-from models import warehouse_model, items_model, location_model, transfers_model # alle models die je wil migraten
-
-
-# maakt alle tables
-def init_db():
-    Base.metadata.create_all(bind=engine)
-
-
-if __name__ == "__main__":
-    init_db()
-    print("Tables created successfully!")
-'''
File	Stmts	Miss	Cover	Missing
__init__.py	0	0	100%
clients_service.py	79	30	62%	23–25, 37, 39, 53–62, 80–83, 93, 100–102, 106–108, 119, 123–125
docks_service.py	70	18	74%	32–34, 52–55, 83, 102, 109–111, 115–117, 137–139
inventories_service.py	76	20	73%	25–27, 40, 58–61, 87–88, 107–108, 117–124
item_groups_service.py	40	4	90%	35–38
item_lines_service.py	44	7	84%	19–21, 43–46
item_types_service.py	40	4	90%	38–41
items_service.py	70	12	82%	20, 31–34, 44, 60–62, 99–101
locations_service.py	69	9	86%	24–27, 57, 59, 85–87
orders_service.py	144	75	47%	14–20, 24–26, 28–29, 31–38, 42–44, 48, 71–74, 88–94, 107–109, 121–127, 131–133, 182–184, 186–188, 190–192, 194, 198–210, 212–214, 216
packinglist_service.py	41	41	0%	1–6, 8–16, 19–20, 22, 25–26, 28–33, 36, 39, 52–53, 56–57, 60–61, 64, 67–72
shipments_service.py	98	49	50%	18–20, 24–26, 42, 60–63, 76, 80–82, 95, 102–104, 108–110, 118–120, 122–124, 126–128, 130, 135–136, 138–148, 150–152, 154
sorting_service.py	13	4	69%	11, 18, 20–21
suppliers_service.py	65	12	81%	48, 66–69, 104–110
transfers_service.py	68	12	82%	25–27, 41, 59–62, 87–88, 106–107
warehouses_service.py	67	13	80%	24–27, 40, 61–63, 80–82, 109–110
TOTAL	984	310	68%