mirror of
				https://github.com/peeringdb/peeringdb.git
				synced 2024-05-11 05:55:09 +00:00 
			
		
		
		
	* install django-grainy * nsp to grainy first iteration * nsp to grainy second iteration * grainy and django-grainy pinned to latest releases * Fix typo * Update djangorestframework, peeringdb, django-ratelimit * Rewrite login view ratelimit decorator * Relock pipfile * add list() to make copy of dictionaries before iterating * relock pipfile with python3.9 change docker to use python3.9 * add ordering to admin search queryset for deskproticket and email * add org api key and begin to write tests * additional key tests * add drf-api-keys to pipfile * Wire orgapikey to modelviewsetpermissions * Update api key helper functions * add put test * Add Org API key tab to frontend * Add user api key model * Update user key handling and tests * Update APIPermissionsApplicator to make it work w requests * Add org api key perm panel * add org key permissions * Add user api key views * Add templates for handling user api key (adding, not revoking) * relock pipfile * assorted fixes and tweaks * Add general user group permissions and org user group perms * refactor org api key perms * Add tests for api keys * Add docstrings to permissions helpers * Add api key examples * squash migrations * remove custom api key header config * Change api key test setup * Update permissions for grainy change * Bump up pipfile and pipfile.lock * Add API Key to Verification Queue Item * Delete travis * Add workaround to Dockerfile * update pipfile and sort out migrations * Add comment to Dockerfile * Re-add API Key migrations * Add locale to .gitignore * remove suggest functionality from ix * Update test to recognize that IX api no longer has suggest function * Add test to outlaw POSTing an IX w its org equal to the suggest entity org * Add meta information geowarning * Add alert to demonstrate UI * Add error to fac update * Add template warning for geovalidation * Add geowarning meta js * cover absent meta_response test case * Update styles for geowarning * refactor geotag warning implementation * null lat and long on unsuccessful geo locate * modify geovalidation frontend update * Add deskproticket model email field * Add missing span * add email to org keys * Add email to org key tests * update serializer with rdap validation wrapper * update admin for api keys * Enable writing an email as part of org key creation * Add email validation to org api key form * fix css style on perm row * Add suggested info to api response * display suggested address on frontend * add needs geocode to serializer * save lat long on forward geonormalization * add address suggestion submit button * Add suggested address popin to ADD facility form * Fix css * add lat and long rounding to geocodenabled model clean method * add migration and regression test for lat long decimal db constraint * Add another regression test for model decimal places * Get deskpro functions passing isort and flake * Update ticket_queue_deletion_prevented * update ticket_queue_deletion_prevented for use with org api key * add template for org key dpt from asnauto skipvq * Update deskproticket for rdap error * add facility aka * add aka to serializer and views * black and isort test api keys * fix typo in org key deskpro template * skip or rewrite unapplicable org key tests, and add as_set tests * adjust api key test comments * Add vqi_notify to signals * Add reversion comments for api keys and helper function * update how org keys are added to verification queue items * rename verification queue item fk from api_key to org_key * fix group id error * update key tests with correct http header info * check both user and key, not just user * templates fiex * adapt deskpro integration to work with email only * make org api keys editable for desc and email * pipfile relock * edit test setupdata settings for groups * Change comment to signify we don't need to remove code * address untranslated accept button * Add docstrings to the serializer functions * Add loading shim * Add migration for all longname and aka * Add aka and long name to views and serializers * delete migration w decimals * standardize serializer lat and long fields * Add clean rounding for lat and long * fix serializer error * api key admin improvements * fix linebreak in user api key form * remove debug prints * Add rounding util * Add rounding to lat and long fields * remove 'clean' from geocode method (logic now in admin form) * remove erroneous tests * revert serializer changes * Fix migrations * Add long name and aka to admin models * Update API key docs * Add documentation for api keys * fix typo * fix org api key revoke broken by editable api keys * doc tweaks * doc tweaks * doc tweaks * black format * fix migration hierarchy * docs * docs * api key permissions screenshot * formatting * formatting * padding fixed * remove one image * fix get_user_from_request type checking take out POST only valdiator for entity suggest * didnt mean to commit the django-peeringdb mount * fix suggest on PUT net fix tests * black formatting * update org key permission template * install rust for cryptography * pipfile relock (django-peeringdb to 2.6) Co-authored-by: Stefan Pratter <stefan@20c.com> Co-authored-by: Elliot Frank <elliot@20c.com>
		
			
				
	
	
		
			467 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			467 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| from grainy.const import *
 | |
| from datetime import datetime, timezone
 | |
| import django.urls
 | |
| from django.db.models.signals import post_save, pre_delete, pre_save
 | |
| from django.contrib.contenttypes.models import ContentType
 | |
| from django_grainy.models import Group, GroupPermission
 | |
| from django.template import loader
 | |
| from django.conf import settings
 | |
| from django.dispatch import receiver
 | |
| import reversion
 | |
| from allauth.account.signals import user_signed_up
 | |
| 
 | |
| from corsheaders.signals import check_request_enabled
 | |
| 
 | |
| from django_peeringdb.models.abstract import AddressModel
 | |
| 
 | |
| from peeringdb_server.inet import RdapLookup, RdapException
 | |
| 
 | |
| from peeringdb_server.deskpro import (
 | |
|     ticket_queue,
 | |
|     ticket_queue_asnauto_affil,
 | |
|     ticket_queue_asnauto_create,
 | |
|     ticket_queue_vqi_notify,
 | |
| )
 | |
| 
 | |
| from peeringdb_server.models import (
 | |
|     QUEUE_ENABLED,
 | |
|     QUEUE_NOTIFY,
 | |
|     UserOrgAffiliationRequest,
 | |
|     is_suggested,
 | |
|     VerificationQueueItem,
 | |
|     Organization,
 | |
|     InternetExchange,
 | |
|     Facility,
 | |
|     Network,
 | |
|     NetworkContact,
 | |
|     NetworkIXLan,
 | |
|     NetworkFacility,
 | |
| )
 | |
| 
 | |
| from peeringdb_server.util import PERM_CRUD
 | |
| 
 | |
| import peeringdb_server.settings as pdb_settings
 | |
| 
 | |
| from django.utils.translation import ugettext_lazy as _
 | |
| from django.utils.translation import override
 | |
| 
 | |
| 
 | |
| def disable_auto_now_and_save(entity):
 | |
|     updated_field = entity._meta.get_field("updated")
 | |
|     updated_field.auto_now = False
 | |
|     entity.save()
 | |
|     updated_field.auto_now = True
 | |
| 
 | |
| 
 | |
| def update_network_attribute(instance, attribute):
 | |
|     """Updates 'attribute' field in Network whenever it's called."""
 | |
|     if getattr(instance, "id"):
 | |
|         network = instance.network
 | |
|         setattr(network, attribute, datetime.now(timezone.utc))
 | |
|         disable_auto_now_and_save(network)
 | |
| 
 | |
| 
 | |
| def network_post_revision_commit(**kwargs):
 | |
|     for vs in kwargs.get("versions"):
 | |
|         if vs.object.HandleRef.tag in ["netixlan", "poc", "netfac"]:
 | |
|             update_network_attribute(vs.object, f"{vs.object.HandleRef.tag}_updated")
 | |
| 
 | |
| 
 | |
| reversion.signals.post_revision_commit.connect(network_post_revision_commit)
 | |
| 
 | |
| 
 | |
| def addressmodel_save(sender, instance=None, **kwargs):
 | |
|     """
 | |
|     Mark address model objects for geocode sync if one of the address
 | |
|     fields is updated
 | |
|     """
 | |
| 
 | |
|     if instance.id:
 | |
|         # instance is being updated
 | |
|         old = sender.objects.get(id=instance.id)
 | |
|         for field in AddressModel._meta.get_fields():
 | |
|             if field.name in ["latitude", "longitude"]:
 | |
|                 continue
 | |
|             a = getattr(instance, field.name)
 | |
|             b = getattr(old, field.name)
 | |
|             if a != b:
 | |
|                 # print("Change in field '%s' - '%s'(%s) to '%s'(%s) - marking %s for geocode sync" % (field.name, a, type(a), b, type(b), instance))
 | |
|                 # address model field has changed, mark for geocode sync
 | |
|                 instance.geocode_status = False
 | |
| 
 | |
| 
 | |
| pre_save.connect(addressmodel_save, sender=Facility)
 | |
| 
 | |
| 
 | |
| def org_save(sender, **kwargs):
 | |
|     """
 | |
|     we want to create a user group for an organization when that
 | |
|     organization is created
 | |
|     """
 | |
| 
 | |
|     inst = kwargs.get("instance")
 | |
| 
 | |
|     # make the general member group for the org
 | |
|     try:
 | |
|         group = Group.objects.get(name=inst.group_name)
 | |
|     except Group.DoesNotExist:
 | |
|         group = Group(name=inst.group_name)
 | |
|         group.save()
 | |
| 
 | |
|         perm = GroupPermission(
 | |
|             group=group, namespace=inst.grainy_namespace, permission=PERM_READ
 | |
|         )
 | |
|         perm.save()
 | |
| 
 | |
|         GroupPermission(
 | |
|             group=group,
 | |
|             namespace=f"{inst.grainy_namespace}.network.*.poc_set.private",
 | |
|             permission=PERM_READ,
 | |
|         ).save()
 | |
| 
 | |
|         GroupPermission(
 | |
|             group=group,
 | |
|             namespace=f"{inst.grainy_namespace}.internetexchange.*.ixf_ixp_member_list_url.private",
 | |
|             permission=PERM_READ,
 | |
|         ).save()
 | |
| 
 | |
|     # make the admin group for the org
 | |
|     try:
 | |
|         group = Group.objects.get(name=inst.admin_group_name)
 | |
|     except Group.DoesNotExist:
 | |
|         group = Group(name=inst.admin_group_name)
 | |
|         group.save()
 | |
| 
 | |
|         perm = GroupPermission(
 | |
|             group=group, namespace=inst.grainy_namespace, permission=PERM_CRUD
 | |
|         )
 | |
|         perm.save()
 | |
| 
 | |
|         GroupPermission(
 | |
|             group=group, namespace=inst.grainy_namespace_manage, permission=PERM_CRUD
 | |
|         ).save()
 | |
| 
 | |
|         GroupPermission(
 | |
|             group=group,
 | |
|             namespace=f"{inst.grainy_namespace}.network.*.poc_set.private",
 | |
|             permission=PERM_CRUD,
 | |
|         ).save()
 | |
| 
 | |
|         GroupPermission(
 | |
|             group=group,
 | |
|             namespace=f"{inst.grainy_namespace}.internetexchange.*.ixf_ixp_member_list_url.private",
 | |
|             permission=PERM_CRUD,
 | |
|         ).save()
 | |
| 
 | |
|     if inst.status == "deleted":
 | |
|         for ar in inst.affiliation_requests.all():
 | |
|             ar.delete()
 | |
| 
 | |
| 
 | |
| post_save.connect(org_save, sender=Organization)
 | |
| 
 | |
| 
 | |
| def org_delete(sender, instance, **kwargs):
 | |
|     """
 | |
|     When an organization is HARD deleted we want to also remove any
 | |
|     usergroups tied to the organization
 | |
|     """
 | |
| 
 | |
|     try:
 | |
|         instance.usergroup.delete()
 | |
|     except Group.DoesNotExist:
 | |
|         pass
 | |
| 
 | |
|     try:
 | |
|         instance.admin_usergroup.delete()
 | |
|     except Group.DoesNotExist:
 | |
|         pass
 | |
| 
 | |
|     for ar in instance.affiliation_requests.all():
 | |
|         ar.delete()
 | |
| 
 | |
| 
 | |
| pre_delete.connect(org_delete, sender=Organization)
 | |
| 
 | |
| 
 | |
| @receiver(user_signed_up, dispatch_uid="allauth.user_signed_up")
 | |
| def new_user_to_guests(request, user, sociallogin=None, **kwargs):
 | |
|     """
 | |
|     When a user is created via oauth login put them in the guest
 | |
|     group for now.
 | |
| 
 | |
|     Unless pdb_settings.AUTO_VERIFY_USERS is toggled on in settings, in which
 | |
|     case users get automatically verified (note that this does
 | |
|     not include email verification, they will still need to do that)
 | |
|     """
 | |
| 
 | |
|     if pdb_settings.AUTO_VERIFY_USERS:
 | |
|         user.set_verified()
 | |
|     else:
 | |
|         user.set_unverified()
 | |
| 
 | |
| 
 | |
| # USER TO ORGANIZATION AFFILIATION
 | |
| 
 | |
| 
 | |
| def uoar_creation(sender, instance, created=False, **kwargs):
 | |
|     """
 | |
|     When a user to organization affiliation request is created
 | |
|     we want to notify the approporiate management entity
 | |
| 
 | |
|     We also want to attempt to derive the targeted organization
 | |
|     from the ASN the user provided
 | |
|     """
 | |
| 
 | |
|     if created:
 | |
| 
 | |
|         if instance.asn and not instance.org_id:
 | |
|             network = Network.objects.filter(asn=instance.asn).first()
 | |
|             if network:
 | |
|                 # network with targeted asn found, set org
 | |
|                 instance.org = network.org
 | |
| 
 | |
|         instance.status = "pending"
 | |
|         instance.save()
 | |
| 
 | |
|         if instance.org_id and instance.org.admin_usergroup.user_set.count() > 0:
 | |
| 
 | |
|             # check that user is not already a member of that org
 | |
|             if instance.user.groups.filter(name=instance.org.usergroup.name).exists():
 | |
|                 instance.approve()
 | |
|                 return
 | |
| 
 | |
|             # organization exists already and has admins, notify organization
 | |
|             # admins
 | |
|             for user in instance.org.admin_usergroup.user_set.all():
 | |
|                 with override(user.locale):
 | |
|                     user.email_user(
 | |
|                         _(
 | |
|                             "User %(u_name)s wishes to be affiliated to your Organization"
 | |
|                         )
 | |
|                         % {"u_name": instance.user.full_name},
 | |
|                         loader.get_template(
 | |
|                             "email/notify-org-admin-user-affil.txt"
 | |
|                         ).render(
 | |
|                             {
 | |
|                                 "user": instance.user,
 | |
|                                 "org": instance.org,
 | |
|                                 "org_management_url": "%s/org/%d#users"
 | |
|                                 % (settings.BASE_URL, instance.org.id),
 | |
|                             }
 | |
|                         ),
 | |
|                     )
 | |
|         else:
 | |
|             request_type = "be affiliated to"
 | |
|             rdap_data = {"emails": []}
 | |
|             org_created = False
 | |
|             net_created = False
 | |
|             rdap_lookup = None
 | |
|             if instance.asn and not instance.org_id:
 | |
|                 # ASN specified in request, but no network found
 | |
|                 # Lookup RDAP information
 | |
|                 try:
 | |
|                     rdap_lookup = rdap = RdapLookup().get_asn(instance.asn)
 | |
|                     ok = rdap_lookup.emails
 | |
|                 except RdapException as inst:
 | |
|                     instance.deny()
 | |
|                     raise
 | |
| 
 | |
|                 # create organization
 | |
|                 instance.org, org_created = Organization.create_from_rdap(
 | |
|                     rdap, instance.asn, instance.org_name
 | |
|                 )
 | |
|                 instance.save()
 | |
| 
 | |
|                 # create network
 | |
|                 net, net_created = Network.create_from_rdap(
 | |
|                     rdap, instance.asn, instance.org
 | |
|                 )
 | |
| 
 | |
|                 # if affiliate auto appove is on, auto approve at this point
 | |
|                 if pdb_settings.AUTO_APPROVE_AFFILIATION:
 | |
|                     instance.approve()
 | |
|                     return
 | |
| 
 | |
|                 ticket_queue_asnauto_create(
 | |
|                     instance.user,
 | |
|                     instance.org,
 | |
|                     net,
 | |
|                     rdap,
 | |
|                     net.asn,
 | |
|                     org_created=org_created,
 | |
|                     net_created=net_created,
 | |
|                 )
 | |
| 
 | |
|                 # if user's relationship to network can be validated now
 | |
|                 # we can approve the ownership request right away
 | |
|                 if instance.user.validate_rdap_relationship(rdap):
 | |
|                     instance.approve()
 | |
|                     ticket_queue_asnauto_affil(instance.user, instance.org, net, rdap)
 | |
|                     return
 | |
| 
 | |
|             if instance.org:
 | |
|                 # organization has been set on affiliation request
 | |
|                 entity_name = instance.org.name
 | |
|                 if not instance.org.owned:
 | |
|                     # organization is currently not owned
 | |
|                     request_type = "request ownership of"
 | |
| 
 | |
|                     # if affiliate auto appove is on, auto approve at this point
 | |
|                     if pdb_settings.AUTO_APPROVE_AFFILIATION:
 | |
|                         instance.approve()
 | |
|                         return
 | |
| 
 | |
|                     # if user's relationship to the org can be validated by
 | |
|                     # checking the rdap information of the org's networks
 | |
|                     # we can approve the affiliation (ownership) request right away
 | |
|                     for asn, rdap in list(instance.org.rdap_collect.items()):
 | |
|                         rdap_data["emails"].extend(rdap.emails)
 | |
|                         if instance.user.validate_rdap_relationship(rdap):
 | |
|                             ticket_queue_asnauto_affil(
 | |
|                                 instance.user,
 | |
|                                 instance.org,
 | |
|                                 Network.objects.get(asn=asn),
 | |
|                                 rdap,
 | |
|                             )
 | |
|                             instance.approve()
 | |
|                             return
 | |
|             else:
 | |
|                 entity_name = instance.org_name
 | |
| 
 | |
|                 if pdb_settings.AUTO_APPROVE_AFFILIATION:
 | |
|                     org = Organization.objects.create(
 | |
|                         name=instance.org_name, status="ok"
 | |
|                     )
 | |
|                     instance.org = org
 | |
|                     instance.approve()
 | |
|                     return
 | |
| 
 | |
|             # organization has no owners and RDAP information could not verify the user's relationship to the organization, notify pdb staff for review
 | |
|             ticket_queue(
 | |
|                 "User %s wishes to %s %s"
 | |
|                 % (instance.user.username, request_type, entity_name),
 | |
|                 loader.get_template("email/notify-pdb-admin-user-affil.txt").render(
 | |
|                     {
 | |
|                         "user": instance.user,
 | |
|                         "instance": instance,
 | |
|                         "base_url": settings.BASE_URL,
 | |
|                         "org_add_url": "%s%s"
 | |
|                         % (
 | |
|                             settings.BASE_URL,
 | |
|                             django.urls.reverse(
 | |
|                                 "admin:peeringdb_server_organization_add"
 | |
|                             ),
 | |
|                         ),
 | |
|                         "net_add_url": "%s%s"
 | |
|                         % (
 | |
|                             settings.BASE_URL,
 | |
|                             django.urls.reverse("admin:peeringdb_server_network_add"),
 | |
|                         ),
 | |
|                         "review_url": "%s%s"
 | |
|                         % (
 | |
|                             settings.BASE_URL,
 | |
|                             django.urls.reverse(
 | |
|                                 "admin:peeringdb_server_user_change",
 | |
|                                 args=(instance.user.id,),
 | |
|                             ),
 | |
|                         ),
 | |
|                         "approve_url": "%s%s"
 | |
|                         % (
 | |
|                             settings.BASE_URL,
 | |
|                             django.urls.reverse(
 | |
|                                 "admin:peeringdb_server_userorgaffiliationrequest_actions",
 | |
|                                 args=(instance.id, "approve_and_notify"),
 | |
|                             ),
 | |
|                         ),
 | |
|                         "emails": list(set(rdap_data["emails"])),
 | |
|                         "rdap_lookup": rdap_lookup,
 | |
|                     }
 | |
|                 ),
 | |
|                 instance.user,
 | |
|             )
 | |
| 
 | |
|     elif instance.status == "approved" and instance.org_id:
 | |
| 
 | |
|         # uoar was not created, and status is now approved, call approve
 | |
|         # to finalize
 | |
| 
 | |
|         instance.approve()
 | |
| 
 | |
| 
 | |
| post_save.connect(uoar_creation, sender=UserOrgAffiliationRequest)
 | |
| 
 | |
| # VERIFICATION QUEUE
 | |
| 
 | |
| if getattr(settings, "DISABLE_VERIFICATION_QUEUE", False) is False:
 | |
| 
 | |
|     def verification_queue_update(sender, instance, **kwargs):
 | |
|         if instance.status == "pending":
 | |
|             try:
 | |
|                 VerificationQueueItem.objects.get(
 | |
|                     content_type=ContentType.objects.get_for_model(sender),
 | |
|                     object_id=instance.id,
 | |
|                 )
 | |
|             except VerificationQueueItem.DoesNotExist:
 | |
|                 q = VerificationQueueItem(item=instance)
 | |
|                 q.save()
 | |
|         else:
 | |
|             try:
 | |
|                 q = VerificationQueueItem.objects.get(
 | |
|                     content_type=ContentType.objects.get_for_model(sender),
 | |
|                     object_id=instance.id,
 | |
|                 )
 | |
|                 q.delete()
 | |
|             except VerificationQueueItem.DoesNotExist:
 | |
|                 pass
 | |
| 
 | |
|     def verification_queue_delete(sender, instance, **kwargs):
 | |
|         try:
 | |
|             q = VerificationQueueItem.objects.get(
 | |
|                 content_type=ContentType.objects.get_for_model(sender),
 | |
|                 object_id=instance.id,
 | |
|             )
 | |
|             q.delete()
 | |
|         except VerificationQueueItem.DoesNotExist:
 | |
|             pass
 | |
| 
 | |
|     def verification_queue_notify(sender, instance, **kwargs):
 | |
|         # notification was already sent
 | |
|         if instance.notified:
 | |
|             return
 | |
| 
 | |
|         # no contact point exists
 | |
|         if not instance.user_id and not instance.org_key:
 | |
|             return
 | |
| 
 | |
|         item = instance.item
 | |
| 
 | |
|         if type(item) in QUEUE_NOTIFY and not getattr(
 | |
|             settings, "DISABLE_VERIFICATION_QUEUE_EMAILS", False
 | |
|         ):
 | |
| 
 | |
|             if type(item) == Network:
 | |
|                 rdap = RdapLookup().get_asn(item.asn)
 | |
|             else:
 | |
|                 rdap = None
 | |
| 
 | |
|             ticket_queue_vqi_notify(instance, rdap)
 | |
|             instance.notified = True
 | |
|             instance.save()
 | |
| 
 | |
|     post_save.connect(verification_queue_notify, sender=VerificationQueueItem)
 | |
| 
 | |
|     for model in QUEUE_ENABLED:
 | |
|         post_save.connect(verification_queue_update, sender=model)
 | |
|         pre_delete.connect(verification_queue_delete, sender=model)
 | |
| 
 | |
| 
 | |
| def cors_allow_api_get_to_everyone(sender, request, **kwargs):
 | |
|     # FIXME: path name to look for should come from config
 | |
|     return (
 | |
|         request.path == "/api" or request.path.startswith("/api/")
 | |
|     ) and request.method in ["GET", "OPTIONS"]
 | |
| 
 | |
| 
 | |
| check_request_enabled.connect(cors_allow_api_get_to_everyone)
 |