GitLab

I updated the download view and restrict it with the
`JobAuthorizationMixin`. I updated as well the link generated for the
files to download by removing the sha1 in the URL that isn't relevant
anymore. I deleted as well the `api/v1` from the url because the
datastore has no meaning to change location in the future therefore the
numerotation of the API in the url isn't necessary.

I deleted the `sha1file` function that isn't used anymore.

I updated the `urls.py` file accordingly.
Signed-off-by: Matthieu Berjon <matthieu.berjon@inria.fr>

I rewrote the job view in the CBV paradigm using the generic `View`
view. By doing this, I use the `JobAuthorizationMixin` to restrict the
visibility of a job to its creator. I updated as well the `urls.py` file
to call this new class.
Signed-off-by: Matthieu Berjon <matthieu.berjon@inria.fr>

I created a new mixin related to the API. This is almost the same mixin
used for the front-end, except that the dispatch function has a
decorator to disable the CSRF verification. The authorization is
different as well by checking the token.
Signed-off-by: Matthieu Berjon <matthieu.berjon@inria.fr>

In order to use it in several files, I decided to move the `get_user`
function in the `helpers.py` file. It's mainly used in the API but I
needed it to create a new mixin too.
Signed-off-by: Matthieu Berjon <matthieu.berjon@inria.fr>

# Conflicts:
#   django/allgo/main/views.py

Resolve "we should systematically enforce model constraints on .save()"

Closes #251

See merge request !128

Resolve "implement webapp memory limit in django"

Closes #263

See merge request !125

Various url fixes

Closes #261 and #249

See merge request !127

By convention urls ending with a '/' are meant for listing a directory.
Thus it is menaningful to put a slash on all urls that list resources
(i.e. XxxxxList views) but not on simple actions on a resource (eg:
update, delete, ...).

close #249

close #261

- add config key ALLGO_WEBAPP_DEFAULT_MEMORY_LIMIT_MB to set the
  default memory limit for newly created webapps

- add memory limit field in WebappUpdate

- display memory_limit in megabytes in the UI (through the
  memory_limit_mb form field)

- disable the memory_limit_mb widget and ignored the posted value
  when user is not superuser

- forbid negative value in the model

- make the memory limit field required in the forms

Fix job downloads (mostly the generated .zip file)

Closes #268, #270, #269, and #272

See merge request !124

Resolve "increase isolation of job containers"

Closes #218

See merge request !123

port the ssh container to the django models

See merge request !122

restore /usr/bin/sshd in the toolbox

See merge request !121

Resolve "disable registry push/pull in the UI"

Closes #267

See merge request !120

fix race condition in the webapp events channel

See merge request !119

Resolve "include the WebappVersion.id in docker image tags"

Closes #265 and #217

See merge request !118

because following the link breaks the json-event channel (if the job is
still running)

close #272

close #269, #270

Note: checking os.path.exists(job.data_dir) is no longer required
      since the data dir is always created (even if the job has
      no input files)

- fix url conflict for .zip archive download
- fix empty zip file

close #268

Previous code put the job files into /tmp and used this directory
as the current directory for running the job, which is disturbing
because we do not have a standard place where to put temporary files.

It is essential to change this now because since jobs are no longer
run as the root user, it is no longer possible to create arbitrary tmp
directories during the job.

BTW app developers should consider that the job execution dir is
undefined.

This is no longer needed because we can now configure the UID:GID
running the job.

The "UID:GID" is configurable in the JOB_USER environment.

This config is the same for all the jobs. In production this has
to be set to the squashed uid/gid configured in the NFS exports
so that we can read/write job files.

This partially reverts 607e56fb
(it is unclear why this symlink was removed).

Without this link we are unable to run the sshd daemon inside
the sandboxes.

(was not used at all)

because django sets a foreign key constraint on sandbox_version_id
we may have issues if it refers to a version we want to delete