Merge branch '547-failed-to-download-module' into 'main'

Resolve "Failed to download module"

Closes #547

See merge request pub/terrareg!433

Author: MatthewJohn

terrareg/models.py

@@ -3946,31 +3946,28 @@ def get_source_download_url(self, request_domain: str, direct_http_request: bool
 
         # If a git URL is not present, revert to using built-in module hosting
         if config.ALLOW_MODULE_HOSTING is not terrareg.config.ModuleHostingMode.DISALLOW:
-            url = '/v1/terrareg/modules/{0}/{1}'.format(self.id, self.archive_name_zip)
+            url = f'/v1/terrareg/modules/{self.id}'
+
+            # If authentication is required, generate pre-signed URL
+            if not config.ALLOW_UNAUTHENTICATED_ACCESS:
+                presign_key = TerraformSourcePresignedUrl.generate_presigned_key(url=url)
+                url = f'{url}/{presign_key}'
+            
+            url += f'/{self.archive_name_zip}'
 
             # If archive does not contain just the git_path,
             # check if git_path has been set and prepend to path, if set.
             if not self.archive_git_path:
                 path = os.path.join(self.git_path or '', path or '')
 
-            # Check if path is present for module
-            if path:
-                # Remove any trailing slashes from path
-                path = path.lstrip('/').rstrip('/')
+                # Check if path is present for module
+                if path:
+                    # Remove any trailing slashes from path
+                    path = path.lstrip('/').rstrip('/')
 
-                rendered_url = '{rendered_url}//{path}'.format(
-                    rendered_url=rendered_url,
-                    path=path)
-            if path:
-                url = '{url}//{path}'.format(
-                    url=url,
-                    path=path
-                )
-
-            # If authentication is required, generate pre-signed URL
-            if not config.ALLOW_UNAUTHENTICATED_ACCESS:
-                presign_key = TerraformSourcePresignedUrl.generate_presigned_key(url=url)
-                url = f'{url}?presign={presign_key}'
+                    url = '{url}//{path}'.format(
+                        url=url,
+                        path=path)
 
             # If request is a direct HTTP request,
             # i.e. Terraform has been configured with a HTTP URL

terrareg/server/__init__.py

@@ -590,7 +590,8 @@ def _register_routes(self):
         )
         self._api.add_resource(
             ApiModuleVersionSourceDownload,
-            '/v1/terrareg/modules/<string:namespace>/<string:name>/<string:provider>/<string:version>/source.zip'
+            '/v1/terrareg/modules/<string:namespace>/<string:name>/<string:provider>/<string:version>/source.zip',
+            '/v1/terrareg/modules/<string:namespace>/<string:name>/<string:provider>/<string:version>/<string:presign>/source.zip'
         )
         self._api.add_resource(
             ApiTerraregModuleVersionPublish,

terrareg/server/api/module_version_source_download.py

@@ -1,10 +1,10 @@
 
 
 import os
-from flask import send_file, request
+import flask
 
 from terrareg.errors import InvalidPresignedUrlKeyError
-from terrareg.presigned_url import TerraformSourcePresignedUrl
+import terrareg.presigned_url
 from terrareg.server.error_catching_resource import ErrorCatchingResource
 import terrareg.config
 import terrareg.file_storage
@@ -13,16 +13,28 @@
 class ApiModuleVersionSourceDownload(ErrorCatchingResource):
     """Return source package of module version"""
 
-    def _get(self, namespace, name, provider, version):
+    def _get(self, namespace, name, provider, version, presign=None):
         """Return static file."""
         config = terrareg.config.Config()
         if config.ALLOW_MODULE_HOSTING is terrareg.config.ModuleHostingMode.DISALLOW:
             return {'message': 'Module hosting is disbaled'}, 500
 
         # If authentication is required, check pre-signed URL
         if not config.ALLOW_UNAUTHENTICATED_ACCESS:
+            presign = flask.request.args.get("presign", presign)
+
+            path = flask.request.path
+            path_parts = path.split('/')
+            # Remove last section of path (i.e. the file name)
+            del path_parts[-1]
+
+            # If path ends with the pre-sign key, remove it
+            if presign and path_parts[-1] == presign:
+                del path_parts[-1]
+            path = '/'.join(path_parts)
+
             try:
-                TerraformSourcePresignedUrl.validate_presigned_key(url=request.path, payload=request.args.get("presign"))
+                terrareg.presigned_url.TerraformSourcePresignedUrl.validate_presigned_key(url=path, payload=presign)
             except InvalidPresignedUrlKeyError as exc:
                 return {'message': str(exc)}, 403
 
@@ -31,7 +43,8 @@ def _get(self, namespace, name, provider, version):
             return error
 
         file_storage = terrareg.file_storage.FileStorageFactory().get_file_storage()
-        return send_file(
+        return flask.send_file(
             file_storage.read_file(os.path.join(module_version.base_directory, module_version.archive_name_zip), bytes_mode=True),
-            download_name=module_version.archive_name_zip
+            download_name=module_version.archive_name_zip,
+            mimetype='application/zip'
         )

test/integration/terrareg/models/test_module_version.py

@@ -1680,7 +1680,7 @@ def test_get_source_download_url_git_sha(self, git_sha, module_version_use_git_c
     @pytest.mark.parametrize('module_name, module_version, git_path, expected_source_download_url, allow_unauthenticated_access, expect_presigned, should_prefix_domain', [
         # Test no clone URL in any configuration, defaulting to source archive download
         ('no-git-provider', '1.0.0', None, '/v1/terrareg/modules/repo_url_tests/no-git-provider/test/1.0.0/source.zip', True, False, True),
-        ('no-git-provider', '1.0.0', None, '/v1/terrareg/modules/repo_url_tests/no-git-provider/test/1.0.0/source.zip?presign=unittest-presign-key', False, True, True),
+        ('no-git-provider', '1.0.0', None, '/v1/terrareg/modules/repo_url_tests/no-git-provider/test/1.0.0/unittest-presign-key/source.zip', False, True, True),
         # Test clone URL only configured in module version, with public access allowed/disabled
         ('no-git-provider', '1.4.0', None, 'git::ssh://mv-clone-url.com/repo_url_tests/no-git-provider-test?ref=1.4.0', True, False, False),
         ('no-git-provider', '1.4.0', None, 'git::ssh://mv-clone-url.com/repo_url_tests/no-git-provider-test?ref=1.4.0', True, False, False),
@@ -1725,7 +1725,7 @@ def test_get_source_download_url_presigned(self, module_name, module_version, gi
                     ) == expected_source_download_url
 
             if expect_presigned:
-                mock_generate_presigned_key.assert_called_once_with(url='/v1/terrareg/modules/repo_url_tests/no-git-provider/test/1.0.0/source.zip')
+                mock_generate_presigned_key.assert_called_once_with(url='/v1/terrareg/modules/repo_url_tests/no-git-provider/test/1.0.0')
             else:
                 mock_generate_presigned_key.assert_not_called()
 

test/unit/terrareg/server/test_api_module_version_source_download.py

@@ -0,0 +1,144 @@
+
+import unittest.mock
+
+import pytest
+
+from terrareg.analytics import AnalyticsEngine
+import terrareg.errors
+from test.unit.terrareg import (
+    mock_models,
+    setup_test_data, TerraregUnitTest
+)
+import terrareg.models
+import terrareg.config
+from test import client, mock_create_audit_event
+from . import mock_record_module_version_download
+
+
+class TestApiModuleVersionSourceDownload(TerraregUnitTest):
+    """Test ApiModuleVersionDownload resource."""
+
+            # '/v1/terrareg/modules/<string:namespace>/<string:name>/<string:provider>/<string:version>/source.zip',
+            # '/v1/terrareg/modules/<string:namespace>/<string:name>/<string:provider>/<string:version>/<string:presign>/source.zip'
+
+    @setup_test_data()
+    def test_disable_module_hosting(self, client, mock_models, mock_record_module_version_download):
+        """Test module version download with invalid analytics token"""
+        with unittest.mock.patch('terrareg.config.Config.ALLOW_MODULE_HOSTING', terrareg.config.ModuleHostingMode.DISALLOW):
+            res = client.get(f"/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip")
+        assert res.status_code == 500
+        assert res.json == {'message': 'Module hosting is disbaled'}
+
+    @setup_test_data()
+    @pytest.mark.parametrize('namespace, module, provider, version, error', [
+        # Non-existent version
+        ('testnamespace', 'testmodulename', 'testprovider', '2.4.2', 'Module version does not exist'),
+        ('testnamespace', 'testmodulename', 'nonexistent', '2.4.2', 'Module provider does not exist'),
+        ('testnamespace', 'nonexistent', 'nonexistent', '2.4.2', 'Module provider does not exist'),
+        ('nonexistent', 'nonexistent', 'nonexistent', '2.4.2', 'Namespace does not exist'),
+    ])
+    def test_non_existent(self, namespace, module, provider, version, error, client, mock_models):
+        """Test module version download with invalid analytics token"""
+        with unittest.mock.patch('terrareg.config.Config.ALLOW_MODULE_HOSTING', terrareg.config.ModuleHostingMode.ENFORCE):
+            res = client.get(f"/v1/terrareg/modules/{namespace}/{module}/{provider}/{version}/source.zip")
+        assert res.status_code == 400
+        assert res.json == {'message': error}
+
+    @setup_test_data()
+    @pytest.mark.parametrize('url, expected_presign_key', [
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip', None),
+
+        # Pre-sign key in URL
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/unittest-presign-key/source.zip', 'unittest-presign-key'),
+
+        # Presign key in params
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip?presign=unittest-presign-key', 'unittest-presign-key'),
+    ])
+    def test_invalid_presign_key(self, url, expected_presign_key, client, mock_models):
+        """Ensure invalid pre-sign key throws an error"""
+        def raise_exception(*args, **kwargs):
+            raise terrareg.errors.InvalidPresignedUrlKeyError('Invalid pre-sign key')
+
+        mock_validate_presigned_key = unittest.mock.MagicMock(side_effect=raise_exception)
+        with unittest.mock.patch('terrareg.config.Config.ALLOW_MODULE_HOSTING', terrareg.config.ModuleHostingMode.ALLOW), \
+                unittest.mock.patch('terrareg.config.Config.ALLOW_UNAUTHENTICATED_ACCESS', False), \
+                unittest.mock.patch('terrareg.presigned_url.TerraformSourcePresignedUrl.validate_presigned_key', mock_validate_presigned_key):
+            res = client.get(url)
+        assert res.status_code == 403
+        assert res.json == {'message': 'Invalid pre-sign key'}
+
+        mock_validate_presigned_key.assert_called_once_with(url='/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1', payload=expected_presign_key)
+
+    @setup_test_data()
+    @pytest.mark.parametrize('url, expected_presign_key', [
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip', None),
+
+        # Pre-sign key in URL
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/unittest-presign-key/source.zip', 'unittest-presign-key'),
+
+        # Presign key in params
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip?presign=unittest-presign-key', 'unittest-presign-key'),
+    ])
+    def test_presign_validation_disabled(self, url, expected_presign_key, client, mock_models):
+        """Ensure pre-sign validation is not performed when unauthenticated access is allowed"""
+        def raise_exception(*args, **kwargs):
+            raise terrareg.errors.InvalidPresignedUrlKeyError('Invalid pre-sign key')
+
+        mock_get_file_storage = unittest.mock.MagicMock()
+        mock_send_file = unittest.mock.MagicMock(return_value="UNIT TEST BINARY OUTPUT")
+
+        mock_validate_presigned_key = unittest.mock.MagicMock(side_effect=raise_exception)
+        with unittest.mock.patch('terrareg.config.Config.ALLOW_MODULE_HOSTING', terrareg.config.ModuleHostingMode.ALLOW), \
+                unittest.mock.patch('terrareg.config.Config.ALLOW_UNAUTHENTICATED_ACCESS', True), \
+                unittest.mock.patch('terrareg.presigned_url.TerraformSourcePresignedUrl.validate_presigned_key', mock_validate_presigned_key), \
+                unittest.mock.patch('flask.send_file', mock_send_file), \
+                unittest.mock.patch('terrareg.file_storage.FileStorageFactory.get_file_storage', mock_get_file_storage):
+            res = client.get(url)
+
+        assert res.status_code == 200
+        assert res.json == "UNIT TEST BINARY OUTPUT"
+
+        mock_validate_presigned_key.assert_not_called()
+
+    @setup_test_data()
+    @pytest.mark.parametrize('url, allow_unauthenticated_access', [
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip', True),
+
+        # Pre-sign key in URL
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/unittest-presign-key/source.zip', False),
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/unittest-presign-key/source.zip', True),
+
+        # Presign key in params
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip?presign=unittest-presign-key', False),
+        ('/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip?presign=unittest-presign-key', True),
+    ])
+    def test_send_file(self, url, allow_unauthenticated_access, client, mock_models):
+        """Ensure send file and file storage is handled correctly"""
+        mock_file_storage = unittest.mock.MagicMock()
+        mock_get_file_storage = unittest.mock.MagicMock(return_value=mock_file_storage)
+        mock_read_file_response = unittest.mock.MagicMock()
+        mock_read_file = unittest.mock.MagicMock(return_value=mock_read_file_response)
+        mock_file_storage.read_file = mock_read_file
+
+        mock_validate_presigned_key = unittest.mock.MagicMock()
+
+        mock_send_file = unittest.mock.MagicMock(return_value="UNIT TEST BINARY OUTPUT")
+
+        with unittest.mock.patch('terrareg.config.Config.ALLOW_MODULE_HOSTING', terrareg.config.ModuleHostingMode.ALLOW), \
+                unittest.mock.patch('terrareg.config.Config.ALLOW_UNAUTHENTICATED_ACCESS', allow_unauthenticated_access), \
+                unittest.mock.patch('flask.send_file', mock_send_file), \
+                unittest.mock.patch('terrareg.presigned_url.TerraformSourcePresignedUrl.validate_presigned_key', mock_validate_presigned_key), \
+                unittest.mock.patch('terrareg.file_storage.FileStorageFactory.get_file_storage', mock_get_file_storage):
+            res = client.get(url)
+
+        assert res.status_code == 200
+        assert res.json == "UNIT TEST BINARY OUTPUT"
+
+        mock_get_file_storage.assert_called_once()
+        mock_read_file.assert_called_once_with('/modules/testnamespace/testmodulename/testprovider/2.4.1/source.zip', bytes_mode=True)
+        mock_send_file.assert_called_once_with(mock_read_file_response, download_name='source.zip', mimetype='application/zip')
+
+        if not allow_unauthenticated_access:
+            mock_validate_presigned_key.assert_called_once_with(url='/v1/terrareg/modules/testnamespace/testmodulename/testprovider/2.4.1', payload='unittest-presign-key')
+        else:
+            mock_validate_presigned_key.assert_not_called()