Merge branch 'ep2021' into issue-823-improve-textcha-for-registration

Author: malemburg

assopy/migrations/0016_null_has_no_effect_on_vat_manytomay_relationship.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.19 on 2021-05-17 07:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assopy', '0015_remove_refund_models'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='vat',
+            name='fares',
+            field=models.ManyToManyField(blank=True, through='assopy.VatFare', to='conference.Fare'),
+        ),
+    ]

assopy/models.py

@@ -511,7 +511,7 @@ def create(self, user, payment, items, billing_notes='', coupons=None, country=N
 class Vat(models.Model):
     fares = models.ManyToManyField(Fare,
                                    through='VatFare',
-                                   null=True, blank=True)
+                                   blank=True)
     value = models.DecimalField(max_digits=5, decimal_places=2)
     description = models.CharField(null=True, blank=True, max_length=125)
     invoice_notice = models.TextField(null=True, blank=True)

conference/api.py

@@ -0,0 +1,227 @@
+"""
+Matrix/Synapse custom authentication provider backend.
+
+This allows a Matrix/Synapse installation to use a custom backaned (not part of
+this API) to authenticate users against epcon database.
+
+The main (and currently the only) endpoint is
+
+    /api/v1/isauth
+
+For more information about developing a custom auth backend for matrix/synapse
+please refer to https://github.com/matrix-org/synapse/blob/master/docs/\
+    password_auth_providers.md
+"""
+from enum import Enum
+import json
+from functools import wraps
+from django.conf.urls import url as re_path
+from django.contrib.auth.hashers import check_password
+from django.db.models import Q
+from django.http import JsonResponse
+from django.views.decorators.csrf import csrf_exempt
+from conference.models import (
+    AttendeeProfile,
+    Conference,
+    Speaker,
+    TalkSpeaker,
+    Ticket,
+)
+from pycon.settings import MATRIX_AUTH_API_DEBUG as DEBUG
+from pycon.settings import MATRIX_AUTH_API_ALLOWED_IPS as ALLOWED_IPS
+
+
+# Error Codes
+class ApiError(Enum):
+    WRONG_METHOD = 1
+    AUTH_ERROR = 2
+    INPUT_ERROR = 3
+    UNAUTHORIZED = 4
+    WRONG_SCHEME = 5
+    BAD_REQUEST = 6
+
+
+def _error(error: ApiError, msg: str) -> JsonResponse:
+    return JsonResponse({
+        'error': error.value,
+        'message': f'{error.name}: {msg}'
+    })
+
+
+def get_client_ip(request) -> str:
+    """
+    Return the client IP.
+
+    This is a best effort way of fetching the client IP which does not protect
+    against spoofing and hich tries to understand some proxying.
+
+    This should NOT be relied upon for serius stuff.
+    """
+    x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
+    if x_forwarded_for:
+        ip = x_forwarded_for.split(',')[0]
+    else:
+        ip = request.META.get('REMOTE_ADDR')
+    return ip
+
+
+# Checkers
+def request_checker(checker, error_msg):
+    """
+    Generic sanity check decorator on views.
+
+    It accepts two parameters:
+        `checker`: a function that accepts a request and returns True if valid
+        `error_msg`: what to return as error message if request is invalid
+
+    In case of invalid requests, it returns a BAD_REQUEST error.
+    """
+    def decorator(fn):
+        @wraps(fn)
+        def wrapper(request, *args, **kwargs):
+            if not checker(request):
+                return _error(ApiError.BAD_REQUEST, error_msg)
+            return fn(request, *args, **kwargs)
+        return wrapper
+    return decorator
+
+
+# Ensure that the view is called via an HTTPS request and return a JSON error
+# payload if not. If DEBUG = True, it has no effect.
+ensure_https_in_ops = request_checker(
+    lambda r: DEBUG or r.is_secure(), 'please use HTTPS'
+)
+
+# We use this instead of the bult-in decorator to return a JSON error
+# payload instead of a simple 405.
+ensure_post = request_checker(lambda r: r.method == 'POST', 'please use POST')
+
+ensure_json_content_type = request_checker(
+    lambda r: r.content_type == 'application/json', 'please send JSON'
+)
+
+
+def restrict_client_ip_to_allowed_list(fn):
+    @wraps(fn)
+    def wrapper(request, *args, **kwargs):
+        # This is really a best effort attempt at detecting the client IP. It
+        # does NOT handle IP spooding or any similar attack.
+        best_effort_ip = get_client_ip(request)
+        if ALLOWED_IPS and best_effort_ip not in ALLOWED_IPS:
+            return _error(ApiError.UNAUTHORIZED, 'you are not authorized here')
+        return fn(request, *args, **kwargs)
+    return wrapper
+
+
+@csrf_exempt
+@ensure_post
+@ensure_https_in_ops
+@ensure_json_content_type
+@restrict_client_ip_to_allowed_list
+def isauth(request):
+    """
+    Return whether or not the given email and password (sent via POST) are
+    valid. If they are indeed valid, return the number and type of tickets
+    assigned to the user, together with some other user metadata (see below).
+
+    Input via POST:
+    {
+        "email": str,
+        "password": str (not encrypted)
+    }
+
+    Output (JSON)
+    {
+        "username": str,
+        "first_name": str,
+        "last_name": str,
+        "email": str,
+        "is_staff": bool,
+        "is_speaker": bool,
+        "is_active": bool,
+        "is_minor": bool,
+        "tickets": [{"fare_name": str, "fare_code": str}*]
+    }
+
+    Tickets, if any, are returned only for the currently active conference and
+    only if ASSIGNED to the user identified by `email`.
+
+    In case of any error (including but not limited to if either email or
+    password are incorrect/unknown), return
+    {
+        "message": str,
+        "error": int
+    }
+    """
+    required_fields = {'email', 'password'}
+
+    try:
+        data = json.loads(request.body)
+    except json.decoder.JSONDecodeError as ex:
+        return _error(ApiError.INPUT_ERROR, ex.msg)
+
+    if not isinstance(data, dict) or not required_fields.issubset(data.keys()):
+        return _error(ApiError.INPUT_ERROR,
+                      'please provide credentials in JSON format')
+
+    # First, let's find the user/account profile given the email address
+    try:
+        profile = AttendeeProfile.objects.get(user__email=data['email'])
+    except AttendeeProfile.DoesNotExist:
+        return _error(ApiError.AUTH_ERROR, 'unknown user')
+
+    # Is the password OK?
+    if not check_password(data['password'], profile.user.password):
+        return _error(ApiError.AUTH_ERROR, 'authentication error')
+
+    # Get the tickets **assigned** to the user
+    conference = Conference.objects.current()
+
+    tickets = Ticket.objects.filter(
+        Q(fare__conference=conference.code)
+        & Q(frozen=False)                   # i.e. the ticket was not cancelled
+        & Q(orderitem__order___complete=True)       # i.e. they paid
+        & Q(user=profile.user)                      # i.e. assigned to user
+    )
+
+    # A speaker is a user with at least one accepted talk in the current
+    # conference.
+    try:
+        speaker = profile.user.speaker
+    except Speaker.DoesNotExist:
+        is_speaker = False
+    else:
+        is_speaker = TalkSpeaker.objects.filter(
+            speaker=speaker,
+            talk__conference=conference.code,
+            talk__status='accepted'
+        ).count() > 0
+
+    payload = {
+        "username": profile.user.username,
+        "first_name": profile.user.first_name,
+        "last_name": profile.user.last_name,
+        "email": profile.user.email,
+        "is_staff": profile.user.is_staff,
+        "is_speaker": is_speaker,
+        "is_active": profile.user.is_active,
+        "is_minor": profile.is_minor,
+        "tickets": [
+            {"fare_name": t.fare.name, "fare_code": t.fare.code}
+            for t in tickets
+        ]
+    }
+
+    # Just a little nice to have thing when debugging: we can send in the POST
+    # payload, all the fields that we want to override in the answer and they
+    # will just be passed through regardless of what is in the DB. We just
+    # remove the password to be on the safe side.
+    if DEBUG:
+        data.pop('password')
+        payload.update(data)
+    return JsonResponse(payload)
+
+
+urlpatterns = [
+    re_path(r"^v1/isauth/$", isauth, name="isauth"),
+]

p3/management/commands/create_bulk_coupons.py

@@ -1,9 +1,9 @@
 
-""" Create a batch of single use discount coupons from a CSV file.
+""" Create/update a batch of discount coupons from a CSV file.
 
     Parameters: <conference> <csv-file>
 
-    Creates coupons based on the CSV file contents:
+    Creates/updates coupons based on the CSV file contents:
     
 	code		- coupon code
         max_usage 	- max. number of uses
@@ -14,6 +14,9 @@
 
     Use --dry-run to test drive the script.
 
+    Existing coupon codes will get updated by the script.  Indexing is by
+    code.
+
 """
 import sys
 import csv
@@ -54,9 +57,9 @@ def handle(self, *args, **options):
         csv_filename = options['csv']
 
         # Get set of existing coupon codes
-        all_codes = set(c['code'] for c in Coupon.objects\
-            .filter(conference=conference.code)\
-            .values('code'))
+        all_codes = dict((c.code, c)
+            for c in Coupon.objects\
+                .filter(conference=conference.code))
 
         # Valid fares (conference fares only)
         all_fares = cmodels.Fare.objects\
@@ -70,23 +73,24 @@ def handle(self, *args, **options):
         with csv_file:
             reader = csv.DictReader(csv_file)
             for row in reader:
+                #print ('Row %r' % row)
                 code = row['code'].strip()
-                if not code:
+                if not code or code == '0':
                     # Skip lines without code
                     continue
                 if code in all_codes:
-                    # Skip coupons which already exist
-                    print ('Coupon %r already exists - skipping' % code)
-                    continue
-                c = Coupon(conference=conference)
-                c.code = code
+                    print ('Coupon %r already exists - updating' % code)
+                    c = all_codes[code]
+                else:
+                    print ('New coupon %r will be created' % c.code)
+                    c = Coupon(conference=conference)
+                    c.code = code
                 c.max_usage = int(row.get('max_usage', 1))
                 c.items_per_usage = int(row.get('items_per_usage', 1))
                 c.value = row['value']
                 c.description = row.get('description', '')
                 if not self.dry_run:
                     c.save()
-                    c.fares = all_fares.filter(
+                    c.fares.set(all_fares.filter(
                         code__in = [x.strip()
-                                    for x in row['fares'].split(',')])
-                print ('Coupond %r created' % c.code)
+                                    for x in row['fares'].split(',')]))

pycon/settings.py

@@ -726,3 +726,15 @@ def CONFERENCE_SCHEDULE_ATTENDEES(schedule, forecast):
 # Complete project setup.
 if not os.path.exists(LOGS_DIR):
     os.makedirs(LOGS_DIR)
+
+# Matrix Auth API settings
+MATRIX_AUTH_API_DEBUG = config(
+    'MATRIX_AUTH_API_DEBUG',
+    default=True,
+    cast=bool
+)
+MATRIX_AUTH_API_ALLOWED_IPS = config(
+    'MATRIX_AUTH_API_ALLOWED_IPS',
+    default='',
+    cast=lambda v: [s.strip() for s in v.split(',') if s.strip()]
+)

pycon/urls.py

@@ -6,6 +6,7 @@
 from filebrowser.sites import site as fsite
 
 from conference.accounts import urlpatterns as accounts_urls
+from conference.api import urlpatterns as api_urls
 from conference.cart import urlpatterns as cart_urls
 from conference.cfp import urlpatterns as cfp_urls
 from conference.debug_panel import urlpatterns as debugpanel_urls
@@ -29,6 +30,7 @@
     re_path(r'^generic-content-page/with-sidebar/$', generic_content_page_with_sidebar),
     re_path(r'^user-panel/', include((user_panel_urls, 'conference'), namespace="user_panel")),
     re_path(r'^accounts/', include((accounts_urls, 'conference'), namespace="accounts")),
+    re_path(r'^api/', include((api_urls, 'conference'), namespace="api")),
     re_path(r'^cfp/', include((cfp_urls, 'conference'), namespace="cfp")),
     re_path(r'^talks/', include((talks_urls, 'conference'), namespace="talks")),
     re_path(r'^profiles/', include((profiles_urls, 'conference'), namespace="profiles")),

requirements.txt

@@ -95,7 +95,7 @@ django-treebeard==4.4
     # via
     #   -r requirements.in
     #   django-cms
-django==2.2.19
+django==2.2.23
     # via
     #   -r requirements.in
     #   cmsplugin-filer