api team creation + long hmac window (#393)

2025-11-26 23:10:47 +02:00 · 2023-05-03 14:39:18 -05:00
parent 2a7f073e02
commit dae434f980
2 changed files with 18 additions and 3 deletions
--- a/src/oncall/api/v0/teams.py
+++ b/src/oncall/api/v0/teams.py
@@ -129,6 +129,7 @@ def on_post(req, resp):
            "email": "team-foo@example.com",
            "slack_channel": "#team-foo",
            "slack_channel_notifications": "#team-foo-alerts",
+            "admin": "user_foo"
        }

    **Example response:**
@@ -142,9 +143,6 @@ def on_post(req, resp):
    :statuscode 400: Error in creating team. Possible errors: API key auth not allowed, invalid attributes, missing required attributes
    :statuscode 422: Duplicate team name
    '''
-    if 'user' not in req.context:
-        # ban API auth because we don't know who to set as team admin
-        raise HTTPBadRequest('invalid login', 'API key auth is not allowed for team creation')

    data = load_json_body(req)
    if not data.get('name'):
@@ -181,6 +179,16 @@ def on_post(req, resp):

    connection = db.connect()
    cursor = connection.cursor()
+    # if team creation request is coming from api use the username from the admin field in lieu of the user context var
+    if 'user' not in req.context:
+        if not data.get('admin'):
+            raise HTTPBadRequest('invalid admin', 'API requests must specify a team admin username in the admin field')
+        user = data.get('admin')
+        cursor.execute('''SELECT `id` FROM `user` WHERE `name` = %s LIMIT 1''', (user, ))
+        if cursor.rowcount == 0:
+            raise HTTPBadRequest('invalid admin', 'admin username %s was not found in db' % user)
+        req.context['user'] = user
+
    try:
        cursor.execute('''INSERT INTO `team` (`name`, `slack_channel`, `slack_channel_notifications`, `email`, `scheduling_timezone`,
                                              `iris_plan`, `iris_enabled`, `override_phone_number`)
--- a/src/oncall/auth/init.py
+++ b/src/oncall/auth/init.py
@@ -154,12 +154,19 @@ def authenticate_application(auth_token, req):
            cursor.close()
            connection.close()
            window = int(time.time()) // 5
+            long_window = int(time.time()) // 30
            if is_client_digest_valid(client_digest, api_key, window, method, path, body):
                req.context['app'] = app_name
                return
            elif is_client_digest_valid(client_digest, api_key, window - 1, method, path, body):
                req.context['app'] = app_name
                return
+            elif is_client_digest_valid(client_digest, api_key, long_window, method, path, body):
+                req.context['app'] = app_name
+                return
+            elif is_client_digest_valid(client_digest, api_key, long_window - 1, method, path, body):
+                req.context['app'] = app_name
+                return
            else:
                raise HTTPUnauthorized('Authentication failure', 'Wrong digest', '')
        else: