FUZ-22 - API Token improvements - Tool Segmentation

[gitstart-app]

This PR was created by GitStart to address the requirements from this ticket: FUZ-22.

---

Description:

This PR adds tool-specific segmentation to users to enhance security in FuzzManager. Currently, API tokens (and thus users given the 1:1 mapping) have unrestricted access across all tools, creating potential security risks if compromised.

The changes:

- Restrict users to specific tools

- Add Django commands add_tool_to_user and remove_tool_from_user for user-tool management

- Implement user restrictions based on tool access

- Prevent unauthorized tool access

This segmentation limits the impact of potential token leaks and provides better access control for crash/coverage reporting.

Demo

https://www.loom.com/share/bcde5c97bec54761a8a11b0f72a54850?sid=0b52a794-a0ad-478b-af24-5c254827e80b

Test Plan

1. Assign Tool to User:

• Run the add_tool_to_user management command to assign a specific tool to a user.

• Example:

  • python manage.py add_tool_to_user <username> <tool_name>

2. Verify User Restrictions:

• Use curl to submit crash reports using tokens from the user for the assigned tool.

  • Example:

    • curl -H "Authorization: Token <token_string>" -X POST http://<server>/api/crashes/ -d '{"tool": "<tool_name>", "crash_data": "..." }'

• Attempt to submit a crash report for a tool not assigned to the user and verify that the request is denied with an appropriate error message.

  • Example:

    • curl -H "Authorization: Token <token_string>" -X POST http://<server>/api/crashes/ -d '{"tool": "unauthorized_tool", "crash_data": "..." }'

  • Expected Response: 403 Forbidden with a message indicating lack of permission.

3. Ensure User Restrictions:

• Verify that the user is marked as restricted after they are assigned a tool.

• Check that restricted users can only submit crash/coverage report for their assigned tools.

• Attempt to access data for tools outside the user's permissions and confirm access is denied.

4. Tool Assignment:

• Use management command below to add tool to user:

  • python manage.py add_tool_to_user <username> <tool_name>

• Use management command below to remove tool from user:

  • python manage.py remove_tool_from_user <username> <tool_name>

Additional Notes:

As part of implementing the tool segmentation security feature, the test suite has been updated to correctly reflect the new security model. In particular:

- Test fixtures were added to properly assign tools to restricted users before testing

- Previously, the tests assumed restricted users could report crashes for any tool, which contradicted the new security model

- The updated tests now correctly verify that restricted users can only report crashes for tools they have permission to use

This change ensures that our tests accurately validate the security constraints we're implementing, confirming that unauthorized tool access is properly prevented.

[community-tc-integration]

No Taskcluster jobs started for this pull request

The allowPullRequests configuration for this repository (in .taskcluster.yml on the default branch) does not allow starting tasks for this pull request.

[gitstart-app]

This PR is estimated to cost 30 credits.
🟡 By merging this PR you agree to this estimate. If you disagree, click here.

[gitstart-app]

This PR is estimated to cost 30 credits.
🟡 By merging this PR you agree to this estimate. If you disagree, click here.

[gitstart-app]

This PR is estimated to cost 30 credits.
🟡 By merging this PR you agree to this estimate. If you disagree, click here.

[gitstart-app]

This PR is estimated to cost 30 credits.
🟡 By merging this PR you agree to this estimate. If you disagree, click here.