From dcba6c89955726b9d2f03845cd0770bcf89aac5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Kadl=C4=8D=C3=ADk?=
Date: Thu, 30 Mar 2017 12:21:01 +0200
Subject: [PATCH] Support NO_AUTH changing owner in patch method
---
 module_build_service/views.py | 18 ++++++++++++------
 tests/test_views/test_views.py | 29 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/module_build_service/views.py b/module_build_service/views.py
index dcb788ba..1d25ea85 100644
--- a/module_build_service/views.py
+++ b/module_build_service/views.py
@@ -114,6 +114,18 @@ class ModuleBuildAPI(MethodView):
 def patch(self, id):
 username, groups = module_build_service.auth.get_user(request)
+ try:
+ r = json.loads(request.get_data().decode("utf-8"))
+ except:
+ log.error('Invalid JSON submitted')
+ raise ValidationError('Invalid JSON submitted')
+
+ if "owner" in r:
+ if conf.no_auth is not True:
+ raise ValidationError("The request contains 'owner' parameter, however NO_AUTH is not allowed")
+ elif username == "anonymous":
+ username = r["owner"]
+
 if conf.allowed_groups and not (conf.allowed_groups & groups):
 raise Forbidden("%s is not in any of %r, only %r" % (
 username, conf.allowed_groups, groups))
@@ -126,12 +138,6 @@ class ModuleBuildAPI(MethodView):
 raise Forbidden('You are not owner of this build and '
 'therefore cannot modify it.')
- try:
- r = json.loads(request.get_data().decode("utf-8"))
- except:
- log.error('Invalid JSON submitted')
- raise ValidationError('Invalid JSON submitted')
-
 if not r.get('state'):
 log.error('Invalid JSON submitted')
 raise ValidationError('Invalid JSON submitted')
diff --git a/tests/test_views/test_views.py b/tests/test_views/test_views.py
index e56401de..16d59cb2 100644
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
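Review bot: In the first views.py hunk `r` is used as a mapping without checking that the parsed body is a JSON object, and `r["owner"]` replaces `username` without checking that it is a string. A body that is a bare number or string makes `"owner" in r` or the later `r.get('state')` raise outside the `try`, which would likely surface as a server error rather than the intended validation error. Add `if not isinstance(r, dict): raise ValidationError('Invalid JSON submitted')` right after the parse, narrow the bare `except:` to `except ValueError:`, and reject a non-string `owner`. Because `username` then feeds the ownership check further down, a comment such as `# NO_AUTH: owner is client-asserted, not authenticated` above the `elif` would make the trust boundary explicit. The body of patch() continues outside the hunk.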
@@ -668,3 +668,32 @@ class TestViews(unittest.TestCase):
 build = ModuleBuild.query.filter(ModuleBuild.id == result['id']).one()
 self.assertTrue(build.owner == result['owner'] == 'foo')
+
+ @patch('module_build_service.auth.get_user', return_value=anonymous_user)
+ @patch('module_build_service.scm.SCM')
+ @patch("module_build_service.config.Config.no_auth", new_callable=PropertyMock)
+ def test_patch_set_different_owner(self, mocked_no_auth, mocked_scm, mocked_get_user):
+ MockedSCM(mocked_scm, 'testmodule', 'testmodule.yaml',
+ '620ec77321b2ea7b0d67d82992dda3e1d67055b4')
+
+ mocked_no_auth.return_value = True
+ data = {
+ 'branch': 'master',
+ 'scmurl': 'git://pkgs.stg.fedoraproject.org/modules/'
+ 'testmodule.git?#68931c90de214d9d13feefbd35246a81b6cb8d49',
+ 'owner': 'foo',
+ }
+ rv = self.client.post('/module-build-service/1/module-builds/', data=json.dumps(data))
+ r1 = json.loads(rv.data)
+
+ url = '/module-build-service/1/module-builds/' + str(r1['id'])
+ r2 = self.client.patch(url, data=json.dumps({'state': 'failed'}))
+ self.assertEquals(r2.status_code, 403)
+
+ r3 = self.client.patch(url, data=json.dumps({'state': 'failed', 'owner': 'foo'}))
+ self.assertEquals(r3.status_code, 200)
+
+ mocked_no_auth.return_value = False
+ r3 = self.client.patch(url, data=json.dumps({'state': 'failed', 'owner': 'foo'}))
+ self.assertEquals(r3.status_code, 400)
+ self.assertIn("The request contains 'owner' parameter", json.loads(r3.data)['message'])
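Review bot: Despite its name, test_patch_set_different_owner never sends an `owner` that differs from the build's owner, so the case where an anonymous caller names someone else is not pinned by any assertion. With NO_AUTH still on, add a request such as `r4 = self.client.patch(url, data=json.dumps({'state': 'failed', 'owner': 'bar'}))` followed by `self.assertEquals(r4.status_code, 403)`, assuming the ownership check in patch() rejects it as the views.py change suggests. Reusing `r3` for the third request also makes a failure harder to attribute; a distinct name would help.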