feat(controller): Allow adminOnly registration

Author: Joshua-Anderson

api/authentication.py

@@ -1,5 +1,6 @@
 from django.contrib.auth.models import AnonymousUser
 from rest_framework import authentication
+from rest_framework.authentication import TokenAuthentication
 
 
 class AnonymousAuthentication(authentication.BaseAuthentication):
@@ -9,3 +10,15 @@ def authenticate(self, request):
         Authenticate the request for anyone!
         """
         return AnonymousUser(), None
+
+
+class AnonymousOrAuthenticatedAuthentication(authentication.BaseAuthentication):
+
+    def authenticate(self, request):
+        """
+        Authenticate the request for anyone or if a valid token is provided, a user.
+        """
+        try:
+            return TokenAuthentication.authenticate(TokenAuthentication(), request)
+        except:
+            return AnonymousUser(), None

api/permissions.py

@@ -97,7 +97,22 @@ class HasRegistrationAuth(permissions.BasePermission):
     Checks to see if registration is enabled
     """
     def has_permission(self, request, view):
-        return settings.REGISTRATION_ENABLED
+        """
+        If settings.REGISTRATION_MODE does not exist, such as during a test, return True
+        Return `True` if permission is granted, `False` otherwise.
+        """
+        try:
+            if settings.REGISTRATION_MODE == 'disabled':
+                return False
+            if settings.REGISTRATION_MODE == 'enabled':
+                return True
+            elif settings.REGISTRATION_MODE == 'admin_only':
+                return request.user.is_superuser
+            else:
+                raise Exception("{} is not a valid registation mode"
+                                .format(settings.REGISTRATION_MODE))
+        except AttributeError:
+            return True
 
 
 class HasBuilderAuth(permissions.BasePermission):

api/tests/test_auth.py

@@ -63,7 +63,7 @@ def test_auth(self):
                                     content_type='application/x-www-form-urlencoded')
         self.assertEqual(response.status_code, 200)
 
-    @override_settings(REGISTRATION_ENABLED=False)
+    @override_settings(REGISTRATION_MODE="disabled")
     def test_auth_registration_disabled(self):
         """test that a new user cannot register when registration is disabled."""
         url = '/v1/auth/register'
@@ -79,6 +79,89 @@ def test_auth_registration_disabled(self):
         response = self.client.post(url, json.dumps(submit), content_type='application/json')
         self.assertEqual(response.status_code, 403)
 
+    @override_settings(REGISTRATION_MODE="admin_only")
+    def test_auth_registration_admin_only_fails_if_not_admin(self):
+        """test that a non superuser cannot register when registration is admin only."""
+        url = '/v1/auth/register'
+        submit = {
+            'username': 'testuser',
+            'password': 'password',
+            'first_name': 'test',
+            'last_name': 'user',
+            'email': 'test@user.com',
+            'is_superuser': False,
+            'is_staff': False,
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 403)
+
+    @override_settings(REGISTRATION_MODE="admin_only")
+    def test_auth_registration_admin_only_works(self):
+        """test that a superuser can register when registration is admin only."""
+
+        user = User.objects.get(username='autotest')
+        token = Token.objects.get(user=user)
+
+        url = '/v1/auth/register'
+
+        username, password = 'newuser_by_admin', 'password'
+        first_name, last_name = 'Otto', 'Test'
+        email = 'autotest@deis.io'
+
+        submit = {
+            'username': username,
+            'password': password,
+            'first_name': first_name,
+            'last_name': last_name,
+            'email': email,
+            # try to abuse superuser/staff level perms (not the first signup!)
+            'is_superuser': True,
+            'is_staff': True,
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(token))
+
+        self.assertEqual(response.status_code, 201)
+        for key in response.data.keys():
+            self.assertIn(key, ['id', 'last_login', 'is_superuser', 'username', 'first_name',
+                                'last_name', 'email', 'is_active', 'is_superuser', 'is_staff',
+                                'date_joined', 'groups', 'user_permissions'])
+        expected = {
+            'username': username,
+            'email': email,
+            'first_name': first_name,
+            'last_name': last_name,
+            'is_active': True,
+            'is_superuser': False,
+            'is_staff': False
+        }
+        self.assertDictContainsSubset(expected, response.data)
+        # test login
+        url = '/v1/auth/login/'
+        payload = urllib.urlencode({'username': username, 'password': password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 200)
+
+    @override_settings(REGISTRATION_MODE="not_a_mode")
+    def test_auth_registration_fails_with_nonexistant_mode(self):
+        """test that a registration should fail with a nonexistant mode"""
+        url = '/v1/auth/register'
+        submit = {
+            'username': 'testuser',
+            'password': 'password',
+            'first_name': 'test',
+            'last_name': 'user',
+            'email': 'test@user.com',
+            'is_superuser': False,
+            'is_staff': False,
+        }
+
+        try:
+            self.client.post(url, json.dumps(submit), content_type='application/json')
+        except Exception, e:
+            self.assertEqual(str(e), 'not_a_mode is not a valid registation mode')
+
     def test_cancel(self):
         """Test that a registered user can cancel her account."""
         # test registration workflow

api/views.py

@@ -20,8 +20,8 @@
 class UserRegistrationViewSet(GenericViewSet,
                               mixins.CreateModelMixin):
     """ViewSet to handle registering new users. The logic is in the serializer."""
-    authentication_classes = [authentication.AnonymousAuthentication]
-    permission_classes = [permissions.IsAnonymous, permissions.HasRegistrationAuth]
+    authentication_classes = [authentication.AnonymousOrAuthenticatedAuthentication]
+    permission_classes = [permissions.HasRegistrationAuth]
     serializer_class = serializers.UserSerializer
 
 

bin/boot

@@ -47,7 +47,7 @@ function etcd_safe_mkdir {
 etcd_set_default protocol ${DEIS_PROTOCOL:-http}
 etcd_set_default secretKey ${DEIS_SECRET_KEY:-`openssl rand -base64 64 | tr -d '\n'`}
 etcd_set_default builderKey ${DEIS_BUILDER_KEY:-`openssl rand -base64 64 | tr -d '\n'`}
-etcd_set_default registrationEnabled 1
+etcd_set_default registrationMode "enabled"
 etcd_set_default webEnabled 0
 etcd_set_default unitHostname default
 

migrations/data/0002.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+ETCD_PORT=${ETCD_PORT:-4001}
+ETCD="$HOST:$ETCD_PORT"
+ETCDCTL="etcdctl -C $ETCD"
+
+# April 8, 2015: If registrationEnabled key exists, migrate it to registrationMode and delete it.
+
+if [[ "$($ETCDCTL get /deis/migrations/data/0002 2> /dev/null)" != "done" ]];
+then
+    if $ETCDCTL ls /deis/controller | grep -q '/deis/controller/registrationEnabled'
+    then
+        if [[ "$($ETCDCTL get /deis/controller/registrationEnabled 2> /dev/null)" == "false" ]]
+        then
+        $ETCDCTL set /deis/controller/registrationMode "disabled"
+        else
+          $ETCDCTL set /deis/controller/registrationMode "enabled"
+        fi
+
+        $ETCDCTL rm /deis/controller/registrationEnabled
+    else
+        echo "registrationEnabled key doesn't exist, skipping migration"
+    fi
+
+    $ETCDCTL set /deis/migrations/data/0002 "done"
+fi

templates/confd_settings.py

@@ -37,8 +37,8 @@
 # move log directory out of /app/deis
 DEIS_LOG_DIR = '/data/logs'
 
-{{ if exists "/deis/controller/registrationEnabled" }}
-REGISTRATION_ENABLED = bool({{ getv "/deis/controller/registrationEnabled" }})
+{{ if exists "/deis/controller/registrationMode" }}
+REGISTRATION_MODE = '{{ getv "/deis/controller/registrationMode" }}'
 {{ end }}
 
 {{ if exists "/deis/controller/webEnabled" }}