Add an API for authentication in Matrix (#1397)

fpierfed · web-flow · commit c6d9c520899a · 2021-05-17T09:26:10.000+02:00
* initial * renamed to something more sensible * Add a required checkbox to the CfP proposal submission page. The checkbox content is not stored in the database, but submission will fail unless checked. * added test to verify that speakers do have to agree to the speaker release agreement * initial * renamed to something more sensible * Added a template simple_tag to list a user tickets for the current conference. Uses functionality already implemented. * Added documentation * Added a template simple_tag to list a user tickets for the current conference. Uses functionality already implemented. * Upgraded jquery-flot to v0.8.3 for compatibility with django admin jquery version - v3.5.1 * Squashed commit of the following: commit d382a85 Author: Marc-Andre Lemburg <mal@lemburg.com> Date: Tue May 11 12:18:14 2021 +0200 Update bulk coupon docs (#1396) * Add update functionality to the bulk coupon script * Update create coupon script docs. commit ad14175 Author: Marc-Andre Lemburg <mal@lemburg.com> Date: Tue May 11 11:52:08 2021 +0200 Add update functionality to the bulk coupon script (#1395) commit 3ad73b5 Author: Marc-Andre Lemburg <mal@lemburg.com> Date: Mon May 10 23:06:34 2021 +0200 Fix bulk coupon script (#1394) commit 7d2e20d Author: Marc-Andre Lemburg <mal@lemburg.com> Date: Tue May 4 15:22:53 2021 +0200 Fix a few additional corner cases for the automatic anchor generation (#1387) commit f7e2193 Author: Marc-Andre Lemburg <mal@lemburg.com> Date: Tue May 4 14:59:38 2021 +0200 Have the TOC script cleanup headers even more (#1385) They will now also ignore leading and trailing hyphens as well as non-breaking spaces. commit e09f78a Author: Marc-Andre Lemburg <mal@lemburg.com> Date: Tue May 4 14:11:12 2021 +0200 Scroll to the anchor, if given, after processing the TOC. (#1384) Fixes #1380. * initial * Added simple authentication api for matrix * forcing the use of HTTPS * better query to check is somebody is a speaker * quick fix * better documentation, slight improvement in the ticket query and somewhat more modular in case we want to develop more endpoints. * silly bug and fix * initial * cleaned things up a bit and added check for content type to ensure that we only process JSON data * typo * moved matrix auth api settings in pycon/settings.py and/or .env file (installation-specific)
diff --git a/conference/api.py b/conference/api.py
@@ -0,0 +1,227 @@
+"""
+Matrix/Synapse custom authentication provider backend.
+
+This allows a Matrix/Synapse installation to use a custom backaned (not part of
+this API) to authenticate users against epcon database.
+
+The main (and currently the only) endpoint is
+
+    /api/v1/isauth
+
+For more information about developing a custom auth backend for matrix/synapse
+please refer to https://github.com/matrix-org/synapse/blob/master/docs/\
+    password_auth_providers.md
+"""
+from enum import Enum
+import json
+from functools import wraps
+from django.conf.urls import url as re_path
+from django.contrib.auth.hashers import check_password
+from django.db.models import Q
+from django.http import JsonResponse
+from django.views.decorators.csrf import csrf_exempt
+from conference.models import (
+    AttendeeProfile,
+    Conference,
+    Speaker,
+    TalkSpeaker,
+    Ticket,
+)
+from pycon.settings import MATRIX_AUTH_API_DEBUG as DEBUG
+from pycon.settings import MATRIX_AUTH_API_ALLOWED_IPS as ALLOWED_IPS
+
+
+# Error Codes
+class ApiError(Enum):
+    WRONG_METHOD = 1
+    AUTH_ERROR = 2
+    INPUT_ERROR = 3
+    UNAUTHORIZED = 4
+    WRONG_SCHEME = 5
+    BAD_REQUEST = 6
+
+
+def _error(error: ApiError, msg: str) -> JsonResponse:
+    return JsonResponse({
+        'error': error.value,
+        'message': f'{error.name}: {msg}'
+    })
+
+
+def get_client_ip(request) -> str:
+    """
+    Return the client IP.
+
+    This is a best effort way of fetching the client IP which does not protect
+    against spoofing and hich tries to understand some proxying.
+
+    This should NOT be relied upon for serius stuff.
+    """
+    x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
+    if x_forwarded_for:
+        ip = x_forwarded_for.split(',')[0]
+    else:
+        ip = request.META.get('REMOTE_ADDR')
+    return ip
+
+
+# Checkers
+def request_checker(checker, error_msg):
+    """
+    Generic sanity check decorator on views.
+
+    It accepts two parameters:
+        `checker`: a function that accepts a request and returns True if valid
+        `error_msg`: what to return as error message if request is invalid
+
+    In case of invalid requests, it returns a BAD_REQUEST error.
+    """
+    def decorator(fn):
+        @wraps(fn)
+        def wrapper(request, *args, **kwargs):
+            if not checker(request):
+                return _error(ApiError.BAD_REQUEST, error_msg)
+            return fn(request, *args, **kwargs)
+        return wrapper
+    return decorator
+
+
+# Ensure that the view is called via an HTTPS request and return a JSON error
+# payload if not. If DEBUG = True, it has no effect.
+ensure_https_in_ops = request_checker(
+    lambda r: DEBUG or r.is_secure(), 'please use HTTPS'
+)
+
+# We use this instead of the bult-in decorator to return a JSON error
+# payload instead of a simple 405.
+ensure_post = request_checker(lambda r: r.method == 'POST', 'please use POST')
+
+ensure_json_content_type = request_checker(
+    lambda r: r.content_type == 'application/json', 'please send JSON'
+)
+
+
+def restrict_client_ip_to_allowed_list(fn):
+    @wraps(fn)
+    def wrapper(request, *args, **kwargs):
+        # This is really a best effort attempt at detecting the client IP. It
+        # does NOT handle IP spooding or any similar attack.
+        best_effort_ip = get_client_ip(request)
+        if ALLOWED_IPS and best_effort_ip not in ALLOWED_IPS:
+            return _error(ApiError.UNAUTHORIZED, 'you are not authorized here')
+        return fn(request, *args, **kwargs)
+    return wrapper
+
+
+@csrf_exempt
+@ensure_post
+@ensure_https_in_ops
+@ensure_json_content_type
+@restrict_client_ip_to_allowed_list
+def isauth(request):
+    """
+    Return whether or not the given email and password (sent via POST) are
+    valid. If they are indeed valid, return the number and type of tickets
+    assigned to the user, together with some other user metadata (see below).
+
+    Input via POST:
+    {
+        "email": str,
+        "password": str (not encrypted)
+    }
+
+    Output (JSON)
+    {
+        "username": str,
+        "first_name": str,
+        "last_name": str,
+        "email": str,
+        "is_staff": bool,
+        "is_speaker": bool,
+        "is_active": bool,
+        "is_minor": bool,
+        "tickets": [{"fare_name": str, "fare_code": str}*]
+    }
+
+    Tickets, if any, are returned only for the currently active conference and
+    only if ASSIGNED to the user identified by `email`.
+
+    In case of any error (including but not limited to if either email or
+    password are incorrect/unknown), return
+    {
+        "message": str,
+        "error": int
+    }
+    """
+    required_fields = {'email', 'password'}
+
+    try:
+        data = json.loads(request.body)
+    except json.decoder.JSONDecodeError as ex:
+        return _error(ApiError.INPUT_ERROR, ex.msg)
+
+    if not isinstance(data, dict) or not required_fields.issubset(data.keys()):
+        return _error(ApiError.INPUT_ERROR,
+                      'please provide credentials in JSON format')
+
+    # First, let's find the user/account profile given the email address
+    try:
+        profile = AttendeeProfile.objects.get(user__email=data['email'])
+    except AttendeeProfile.DoesNotExist:
+        return _error(ApiError.AUTH_ERROR, 'unknown user')
+
+    # Is the password OK?
+    if not check_password(data['password'], profile.user.password):
+        return _error(ApiError.AUTH_ERROR, 'authentication error')
+
+    # Get the tickets **assigned** to the user
+    conference = Conference.objects.current()
+
+    tickets = Ticket.objects.filter(
+        Q(fare__conference=conference.code)
+        & Q(frozen=False)                   # i.e. the ticket was not cancelled
+        & Q(orderitem__order___complete=True)       # i.e. they paid
+        & Q(user=profile.user)                      # i.e. assigned to user
+    )
+
+    # A speaker is a user with at least one accepted talk in the current
+    # conference.
+    try:
+        speaker = profile.user.speaker
+    except Speaker.DoesNotExist:
+        is_speaker = False
+    else:
+        is_speaker = TalkSpeaker.objects.filter(
+            speaker=speaker,
+            talk__conference=conference.code,
+            talk__status='accepted'
+        ).count() > 0
+
+    payload = {
+        "username": profile.user.username,
+        "first_name": profile.user.first_name,
+        "last_name": profile.user.last_name,
+        "email": profile.user.email,
+        "is_staff": profile.user.is_staff,
+        "is_speaker": is_speaker,
+        "is_active": profile.user.is_active,
+        "is_minor": profile.is_minor,
+        "tickets": [
+            {"fare_name": t.fare.name, "fare_code": t.fare.code}
+            for t in tickets
+        ]
+    }
+
+    # Just a little nice to have thing when debugging: we can send in the POST
+    # payload, all the fields that we want to override in the answer and they
+    # will just be passed through regardless of what is in the DB. We just
+    # remove the password to be on the safe side.
+    if DEBUG:
+        data.pop('password')
+        payload.update(data)
+    return JsonResponse(payload)
+
+
+urlpatterns = [
+    re_path(r"^v1/isauth/$", isauth, name="isauth"),
+]
diff --git a/pycon/settings.py b/pycon/settings.py
@@ -726,3 +726,15 @@ def CONFERENCE_SCHEDULE_ATTENDEES(schedule, forecast):
 # Complete project setup.
 if not os.path.exists(LOGS_DIR):
     os.makedirs(LOGS_DIR)
+
+# Matrix Auth API settings
+MATRIX_AUTH_API_DEBUG = config(
+    'MATRIX_AUTH_API_DEBUG',
+    default=False,
+    cast=bool
+)
+MATRIX_AUTH_API_ALLOWED_IPS = config(
+    'MATRIX_AUTH_API_ALLOWED_IPS',
+    default='',
+    cast=lambda v: [s.strip() for s in v.split(',')]
+)
diff --git a/pycon/urls.py b/pycon/urls.py
@@ -6,6 +6,7 @@
 from filebrowser.sites import site as fsite
 
 from conference.accounts import urlpatterns as accounts_urls
+from conference.api import urlpatterns as api_urls
 from conference.cart import urlpatterns as cart_urls
 from conference.cfp import urlpatterns as cfp_urls
 from conference.debug_panel import urlpatterns as debugpanel_urls
@@ -29,6 +30,7 @@
     re_path(r'^generic-content-page/with-sidebar/$', generic_content_page_with_sidebar),
     re_path(r'^user-panel/', include((user_panel_urls, 'conference'), namespace="user_panel")),
     re_path(r'^accounts/', include((accounts_urls, 'conference'), namespace="accounts")),
+    re_path(r'^api/', include((api_urls, 'conference'), namespace="api")),
     re_path(r'^cfp/', include((cfp_urls, 'conference'), namespace="cfp")),
     re_path(r'^talks/', include((talks_urls, 'conference'), namespace="talks")),
     re_path(r'^profiles/', include((profiles_urls, 'conference'), namespace="profiles")),
diff --git a/tests/test_matrix_auth_api.py b/tests/test_matrix_auth_api.py
@@ -0,0 +1,114 @@
+from pytest import mark
+from django.urls import reverse
+from conference.api import ApiError
+from conference.models import TALK_STATUS
+from .common_tools import (
+    get_default_conference,
+    make_user,
+)
+from .factories import (
+    TalkFactory,
+    TalkSpeakerFactory,
+)
+
+
+@mark.django_db
+def test_non_post_error(client):
+    payload = {'key': 'does not matter'}
+    response = client.get(reverse('api:isauth'), payload,
+                          content_type='Application/json')
+    result = response.json()
+    assert result['error'] == ApiError.BAD_REQUEST.value
+
+
+@mark.django_db
+def test_non_json_post_error(client):
+    payload = {'key': 'does not matter'}
+    response = client.post(reverse('api:isauth'), payload)
+    result = response.json()
+    assert result['error'] == ApiError.BAD_REQUEST.value
+
+
+@mark.django_db
+def test_user_does_not_exist(client):
+    payload = {'email': 'does.not@exist.com', 'password': 'hahahaha'}
+    response = client.post(reverse('api:isauth'), payload,
+                           content_type='application/json')
+    result = response.json()
+    assert result['error'] == ApiError.AUTH_ERROR.value
+
+
+@mark.django_db
+def test_user_password_error(client):
+    user = make_user(is_staff=False)
+    payload = {'email': user.email, 'password': user.password + 'hahahaha'}
+    response = client.post(reverse('api:isauth'), payload,
+                           content_type='application/json')
+    result = response.json()
+    assert result['error'] == ApiError.AUTH_ERROR.value
+
+
+@mark.django_db
+def test_non_staff_non_speaker_user_auth_success(client):
+    get_default_conference()
+    user = make_user(is_staff=False)
+    payload = {'email': user.email, 'password': 'password123'}
+    response = client.post(reverse('api:isauth'), payload,
+                           content_type='application/json')
+    result = response.json()
+    assert result['email'] == user.email
+    assert result['first_name'] == user.first_name
+    assert result['last_name'] == user.last_name
+    assert result['is_staff'] is False
+    assert result['is_speaker'] is False
+
+
+@mark.django_db
+def test_staff_non_speaker_user_auth_success(client):
+    get_default_conference()
+    user = make_user(is_staff=True)
+    payload = {'email': user.email, 'password': 'password123'}
+    response = client.post(reverse('api:isauth'), payload,
+                           content_type='application/json')
+    result = response.json()
+    assert result['email'] == user.email
+    assert result['first_name'] == user.first_name
+    assert result['last_name'] == user.last_name
+    assert result['is_staff'] is True
+    assert result['is_speaker'] is False
+
+
+@mark.django_db
+def test_staff_speaker_user_auth_success(client):
+    get_default_conference()
+    user = make_user(is_staff=True)
+    talk = TalkFactory(created_by=user, status=TALK_STATUS.accepted)
+    TalkSpeakerFactory(talk=talk, speaker__user=user)
+
+    payload = {'email': user.email, 'password': 'password123'}
+    response = client.post(reverse('api:isauth'), payload,
+                           content_type='application/json')
+    result = response.json()
+    assert result['email'] == user.email
+    assert result['first_name'] == user.first_name
+    assert result['last_name'] == user.last_name
+    assert result['is_staff'] is True
+    assert result['is_speaker'] is True
+
+
+@mark.django_db
+def test_staff_proposed_speaker_user_auth_success(client):
+    get_default_conference()
+    user = make_user(is_staff=True)
+    talk = TalkFactory(created_by=user, status=TALK_STATUS.proposed)
+    TalkSpeakerFactory(talk=talk, speaker__user=user)
+
+    payload = {'email': user.email, 'password': 'password123'}
+    response = client.post(reverse('api:isauth'), payload,
+                           content_type='application/json')
+    result = response.json()
+    assert result['email'] == user.email
+    assert result['first_name'] == user.first_name
+    assert result['last_name'] == user.last_name
+    assert result['is_staff'] is True
+    assert result['is_speaker'] is False
