feat(passport): add change user confirm

Author: duanhongyi

charts/passport/templates/_helpers.tpl

@@ -13,6 +13,7 @@ rbac.authorization.k8s.io/v1
 
 {{/* Generate passport deployment envs */}}
 {{- define "passport.envs" }}
+{{ $redisNodeCount := .Values.redis.replicas | int }}
 env:
 - name: "TZ"
   value: {{ .Values.time_zone | default "UTC" | quote }}
@@ -22,6 +23,11 @@ env:
 {{- else }}
   value: http://drycc.{{ .Values.global.platform_domain }}
 {{- end }}
+- name: DRYCC_SECRET_KEY
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: django-secret-key
 - name: SOCIAL_AUTH_DRYCC_CONTROLLER_KEY
   valueFrom:
     secretKeyRef:
@@ -87,6 +93,21 @@ env:
 - name: DRYCC_DATABASE_URL
   value: "postgres://$(DRYCC_DATABASE_USER):$(DRYCC_DATABASE_PASSWORD)@$(DRYCC_DATABASE_SERVICE_HOST):$(DRYCC_DATABASE_SERVICE_PORT)/$(DRYCC_DATABASE_NAME)"
 {{- end }}
+{{- if eq .Values.global.redis_location "on-cluster"}}
+- name: DRYCC_REDIS_ADDRS
+  value: "{{range $i := until $redisNodeCount}}drycc-redis-{{$i}}.drycc-redis.{{$.Release.Namespace}}.svc.{{$.Values.global.cluster_domain}}:6379{{if lt (add 1 $i) $redisNodeCount}},{{end}}{{end}}"
+{{- else if eq .Values.global.redis_location "off-cluster" }}
+- name: DRYCC_REDIS_ADDRS
+  valueFrom:
+    secretKeyRef:
+      name: redis-creds
+      key: addrs
+{{- end }}
+- name: DRYCC_REDIS_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: redis-creds
+      key: password
 {{- range $key, $value := .Values.environment }}
 - name: {{ $key }}
   value: {{ $value | quote }}

rootfs/Dockerfile

@@ -19,6 +19,7 @@ RUN apk add --update --virtual .build-deps \
     openssl-dev \
     cargo \
     rust \
+  && ln /usr/lib/libldap.so /usr/lib/libldap_r.so \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \

rootfs/Dockerfile.test

@@ -17,6 +17,7 @@ RUN echo https://dl-cdn.alpinelinux.org/alpine/edge/testing >>/etc/apk/repositor
     openssl-dev \
     cargo \
     rust \
+  && ln /usr/lib/libldap.so /usr/lib/libldap_r.so \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \

rootfs/api/serializers.py

@@ -3,15 +3,13 @@
 """
 import logging
 
-from django.conf import settings
 from django.contrib.admin.models import LogEntry
 from django.contrib.auth.forms import UserCreationForm
 from django.contrib.auth.models import User
 from oauth2_provider.models import Grant, AccessToken
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from rest_framework import serializers
 
-from api.exceptions import DryccException
 from api.utils import timestamp2datetime
 
 logger = logging.getLogger(__name__)
@@ -24,28 +22,12 @@ class Meta(UserCreationForm.Meta):
 
 
 class UserSerializer(serializers.ModelSerializer):
-    username = serializers.CharField(max_length=150, required=False)
-    email = serializers.CharField(max_length=254, required=False)
-
     class Meta:
         model = User
-        fields = ('id', 'username', 'email', "first_name", "last_name",
-                  "is_staff", "is_active", "is_superuser")
-
-    def update(self, instance, validated_data):
-        if settings.LDAP_ENDPOINT:
-            raise DryccException(
-                "You cannot change user info when ldap is enabled.")
-        if validated_data.get('username'):
-            qs = User.objects.filter(username=validated_data.get('username')).\
-                exclude(username=instance.username)
-            if qs:
-                raise DryccException("new username already exists.")
-            instance.username = validated_data.get('username')
-        if validated_data.get('email'):
-            instance.email = validated_data.get('email')
-        instance.save()
-        return instance
+        fields = ('id', 'username', 'email', 'first_name', 'last_name',
+                  'is_staff', 'is_active', 'is_superuser')
+        read_only_fields = ('id', 'username', 'is_staff', 'is_active',
+                            'is_superuser')
 
 
 class UserEmailSerializer(serializers.ModelSerializer):

rootfs/api/settings/production.py

@@ -21,10 +21,10 @@
 # https://docs.djangoproject.com/en/2.2/ref/settings/#debug-propagate-exceptions
 DEBUG_PROPAGATE_EXCEPTIONS = True
 # Enable Django admin
-ADMIN_ENABLED = bool(os.environ.get('ADMIN_ENABLED', False))
+ADMIN_ENABLED = os.environ.get('ADMIN_ENABLED', 'false') != 'false'
 # Enable Registration
 # If this function is enabled, please set Django email related parameters
-REGISTRATION_ENABLED = bool(os.environ.get('REGISTRATION_ENABLED', False))
+REGISTRATION_ENABLED = os.environ.get('REGISTRATION_ENABLED', 'false') != 'false'
 # Silence two security messages around SSL as router takes care of them
 # https://docs.djangoproject.com/en/2.2/ref/checks/#security
 SILENCED_SYSTEM_CHECKS = [
@@ -267,6 +267,8 @@
 STATIC_ROOT = os.path.abspath(os.path.join(BASE_DIR, '..', 'web', 'dist', 'assets'))
 STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
 
+# Avatar URL
+AVATAR_URL = "https://cravatar.cn/avatar/"
 # see: https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html?highlight=oidc.key#creating-rsa-private-key  # noqa
 with open('/var/run/secrets/drycc/passport/oidc-rsa-private-key') as f:
     OIDC_RSA_PRIVATE_KEY = f.read()
@@ -295,6 +297,22 @@
     'rest_framework.authentication.BasicAuthentication',
 )
 
+# Redis Configuration
+DRYCC_REDIS_ADDRS = os.environ.get('DRYCC_REDIS_ADDRS', '127.0.0.1:6379').split(",")
+DRYCC_REDIS_PASSWORD = os.environ.get('DRYCC_REDIS_PASSWORD', '')
+
+# Cache Configuration
+CACHES = {
+    "default": {
+        "BACKEND": "django_redis.cache.RedisCache",
+        "LOCATION": ['redis://:{}@{}'.format(DRYCC_REDIS_PASSWORD, DRYCC_REDIS_ADDR) \
+                     for DRYCC_REDIS_ADDR in DRYCC_REDIS_ADDRS],  # noqa
+        "OPTIONS": {
+            "CLIENT_CLASS": "django_redis.client.ShardClient",
+        }
+    }
+}
+
 # LDAP settings taken from environment variables.
 LDAP_ENDPOINT = os.environ.get('LDAP_ENDPOINT', '')
 LDAP_BIND_DN = os.environ.get('LDAP_BIND_DN', '')
@@ -354,5 +372,5 @@
 DEFAULT_FROM_EMAIL = os.environ.get('DEFAULT_FROM_EMAIL', '')
 EMAIL_HOST_USER = os.environ.get('EMAIL_HOST_USER', '')
 EMAIL_HOST_PASSWORD = os.environ.get('EMAIL_HOST_PASSWORD', '')
-EMAIL_USE_TLS = os.environ.get('EMAIL_USE_TLS', True)
-EMAIL_USE_SSL = os.environ.get('EMAIL_USE_SSL', True)
+EMAIL_USE_TLS = os.environ.get('EMAIL_USE_TLS', 'false').lower() != 'false'
+EMAIL_USE_SSL = os.environ.get('EMAIL_USE_SSL', 'false').lower() != 'false'

rootfs/api/templates/user/account_update_done.html

@@ -0,0 +1,6 @@
+{% extends 'user/message.html' %}
+{% block title %}Account update successful{% endblock %}
+{% block message %}
+Your account has been update successfully.
+Please go to the <a href="/">main</a> page.
+{% endblock %}

rootfs/api/templates/user/account_update_email.html

@@ -0,0 +1,7 @@
+{% autoescape off %}
+Hi {{ user.username }},
+
+Please click on the link below to confirm your update:
+
+{{ domain }}{% url 'user_update_account' uidb64=uid token=token%}
+{% endautoescape %}

rootfs/api/templates/user/account_update_fail.html

@@ -0,0 +1,6 @@
+{% extends 'user/message.html' %}
+{% block title %}Account update fail{% endblock %}
+{% block message %}
+The confirmation link was invalid, possibly it has already been expired.
+Please go to the <a href="/">main</a> page.
+{% endblock %}

rootfs/api/urls.py

@@ -3,23 +3,25 @@
 from rest_framework.routers import DefaultRouter
 
 from api import views
-from api.views import RegistrationView, ActivateAccount, RegistrationDoneView, \
-    ActivateAccountDoneView, ActivateAccountFailView, LoginDoneView
 
 router = DefaultRouter(trailing_slash=False)
 
 urlpatterns = [
     re_path(r'^', include(router.urls)),
     re_path(r'^info/?$',
             views.UserDetailView.as_view({'get': 'retrieve', 'put': 'update'})),
-    re_path(r'registration/?$', RegistrationView.as_view(), name='registration'),
+    re_path(r'update/(?P<uidb64>.+)/(?P<token>.+)/?$',
+            views.UpdateAccount.as_view(), name='user_update_account'),
+    re_path(r'^avatar/(?P<username>[-_\w]+)/?$',
+        views.UserAvatarViewSet.as_view({'get': 'avatar'})),
+    re_path(r'registration/?$', views.RegistrationView.as_view(), name='registration'),
     re_path(r'activate/(?P<uidb64>.+)/(?P<token>.+)/?$',
-            ActivateAccount.as_view(), name='user_activate_account'),
-    re_path(r'registration/done/?$', RegistrationDoneView.as_view(),
+            views.ActivateAccount.as_view(), name='user_activate_account'),
+    re_path(r'registration/done/?$', views.RegistrationDoneView.as_view(),
             name='user_registration_done'),
-    re_path(r'activate/done/?$', ActivateAccountDoneView.as_view(),
+    re_path(r'activate/done/?$', views.ActivateAccountDoneView.as_view(),
             name='user_activate_account_done'),
-    re_path(r'activate/fail/?$', ActivateAccountFailView.as_view(),
+    re_path(r'activate/fail/?$', views.ActivateAccountFailView.as_view(),
             name='user_activate_account_done'),
     re_path(r'password_reset/?$', views.UserPasswordResetView.as_view(),
             name='user_password_reset'),
@@ -33,7 +35,7 @@
             views.UserPasswordResetCompleteView.as_view(),
             name='user_password_reset_complete'),
     re_path(r'login/?$', views.UserLoginView.as_view(), name='user_login'),
-    re_path(r'login/done/?$', LoginDoneView.as_view(), name='login_done'),
+    re_path(r'login/done/?$', views.LoginDoneView.as_view(), name='login_done'),
     re_path(r'logout/?$', views.UserLogoutView.as_view(), name='user_logout'),
 
     re_path(r'tokens/?$',

rootfs/api/utils.py

@@ -35,12 +35,12 @@ def __decorator(request, *args, **kwargs):
 class TokenGenerator(PasswordResetTokenGenerator):
     def _make_hash_value(self, user, timestamp):
         return (
-                six.text_type(user.pk) + six.text_type(timestamp) +
-                six.text_type(user.is_active)
+            six.text_type(user.pk) + six.text_type(timestamp) +
+            six.text_type(user.is_active)
         )
 
 
-account_activation_token = TokenGenerator()
+token_generator = TokenGenerator()
 
 
 def get_local_host(request):