
FUZ-22 - API Token improvements - Tool Segmentation #28

Draft
wants to merge 23 commits into
base: master

Conversation

gitstart-app[bot]

@gitstart-app gitstart-app bot commented Jan 31, 2025

This PR was created by GitStart to address the requirements from this ticket: FUZ-22.


Description:

This PR adds tool-specific segmentation to API tokens to enhance security in FuzzManager. Currently, API tokens have unrestricted access across all tools, creating potential security risks if compromised.

The changes:

  • Restrict API tokens to specific tools
  • Add Django commands add_tool_to_token and remove_tool_from_token for token-tool management.
  • Implement user restrictions based on tool access
  • Prevent unauthorized tool access

This segmentation limits the impact of potential token leaks and provides better access control for crash/coverage reporting.

Demo
https://www.loom.com/share/bcde5c97bec54761a8a11b0f72a54850?sid=0b52a794-a0ad-478b-af24-5c254827e80b

Test Plan

  1. Assign Tool to Token:

    • Run the add_tool_to_token management command to assign a specific tool to a token.
    • Example:
      • python manage.py add_tool_to_token <token_string> <tool_name>
  2. Verify Token Restrictions:

    • Use curl to submit crash reports using the segmented token for the assigned tool.
      • Example:
        • curl -H "Authorization: Token <token_string>" -H "Content-Type: application/json" -X POST http://<server>/api/crashes/ -d '{"tool": "<tool_name>", "crash_data": "..." }'
    • Attempt to submit a crash report for a tool not assigned to the token and verify that the request is denied with an appropriate error message.
    • Example:
      • curl -H "Authorization: Token <token_string>" -H "Content-Type: application/json" -X POST http://<server>/api/crashes/ -d '{"tool": "unauthorized_tool", "crash_data": "..." }'
    • Expected Response: 403 Forbidden with a message indicating lack of permission.
  3. Ensure User Restrictions:

    • Verify that the user associated with the token is marked as restricted after their token is assigned a tool.
    • Check that restricted users can only submit crash/coverage reports for their assigned tools.
    • Attempt to access data for tools outside the user's permissions and confirm access is denied.
  4. Tool Assignment:

    • Use the management command below to add a tool to a token:
      • python manage.py add_tool_to_token <token_string> <tool_name>
    • Use the management command below to remove a tool from a token:
      • python manage.py remove_tool_from_token <token_string> <tool_name>
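The following is an added, self-contained model of the behaviour the test plan above exercises: a token bound to zero or more tools, a user that becomes restricted once a tool is bound, a 403 on a report for an unbound tool, and the same filter applied to reads. It is illustration only, not FuzzManager's code and not taken from this PR's diff. The in-memory `TokenStore`, the `submit_crash` handler, the `visible_rows` helper and the fail-closed choice when the last tool is removed (the user stays restricted, so the token then has no access instead of regaining access to every tool) are all assumptions made here.

```python
"""Tool-segmented API tokens: an added model of the checks in the test plan.
Not FuzzManager's implementation; the store, the handler, and the
fail-closed behaviour on removing the last tool are assumptions.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Surfaces as HTTP 403 at the API boundary."""


@dataclass
class User:
    username: str
    restricted: bool = False  # set once one of the user's tokens is bound to a tool


@dataclass
class Token:
    key: str
    user: User
    tools: set = field(default_factory=set)  # tool names this token may report for


class TokenStore:
    """In-memory stand-in (assumption) for the token table; keys are random hex."""

    def __init__(self) -> None:
        self._by_key: dict[str, Token] = {}

    def create(self, user: User) -> Token:
        token = Token(secrets.token_hex(20), user)
        self._by_key[token.key] = token
        return token

    def lookup(self, key: str) -> Token | None:
        return self._by_key.get(key)


# Management-command equivalents of add_tool_to_token / remove_tool_from_token.

def add_tool_to_token(store: TokenStore, key: str, tool: str) -> Token:
    token = store.lookup(key)
    if token is None:
        raise KeyError("no such token")
    token.tools.add(tool)
    token.user.restricted = True  # first assignment restricts the owning user
    return token


def remove_tool_from_token(store: TokenStore, key: str, tool: str) -> Token:
    token = store.lookup(key)
    if token is None:
        raise KeyError("no such token")
    token.tools.discard(tool)
    # Assumption: the user stays restricted, so a token whose last tool was
    # removed has no access rather than silently becoming unrestricted again.
    return token


# Enforcement, shared by writes (crash/coverage submission) and reads.

def check_tool_access(token: Token, tool: str) -> None:
    if not token.user.restricted:
        return  # unrestricted (legacy) token: any tool
    if tool not in token.tools:
        raise PermissionDenied(f"token is not permitted to report for tool {tool!r}")


def visible_rows(token: Token, rows: list[dict]) -> list[dict]:
    """Drop rows for tools the token may not see; unrestricted tokens see all."""
    if not token.user.restricted:
        return list(rows)
    return [row for row in rows if row.get("tool") in token.tools]


def submit_crash(store: TokenStore, authorization: str, payload: dict) -> tuple[int, dict]:
    """Simulate POST /api/crashes/ with 'Authorization: Token <key>'; returns (status, body)."""
    prefix = "Token "
    if not authorization.startswith(prefix):
        return 401, {"detail": "Authentication credentials were not provided."}
    token = store.lookup(authorization[len(prefix):].strip())
    if token is None:
        return 401, {"detail": "Invalid token."}
    tool = payload.get("tool")
    if not isinstance(tool, str) or not tool:
        return 400, {"tool": ["This field is required."]}
    try:
        check_tool_access(token, tool)
    except PermissionDenied as exc:
        return 403, {"detail": str(exc)}
    return 201, {"tool": tool, "user": token.user.username}


if __name__ == "__main__":
    store = TokenStore()
    token = store.create(User("alice"))
    add_tool_to_token(store, token.key, "fuzzer-a")
    hdr = f"Token {token.key}"
    print(submit_crash(store, hdr, {"tool": "fuzzer-a", "crash_data": "..."}))          # 201
    print(submit_crash(store, hdr, {"tool": "unauthorized_tool", "crash_data": "..."}))  # 403
```

The point worth checking in the real change is the same one this model makes explicit: what a token with an empty tool set means. Before any assignment it must keep today's unrestricted behaviour for compatibility, but after `remove_tool_from_token` takes away the last tool it should not quietly revert to full access.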


No Taskcluster jobs started for this pull request

The allowPullRequests configuration for this repository (in .taskcluster.yml on the default branch) does not allow starting tasks for this pull request.


gitstart-app bot commented Jan 31, 2025

This PR is estimated to cost 30 credits.
🟡 By merging this PR you agree to this estimate. If you disagree, click here.
