Merge pull request #3399 from Joshua-Anderson/registrationMode

feat(controller): Allow adminOnly registration

Author: mboersma

client/deis.py

@@ -756,8 +756,14 @@ def auth_register(self, args):
             email = raw_input('email: ')
         url = urlparse.urljoin(controller, '/v1/auth/register')
         payload = {'username': username, 'password': password, 'email': email}
+        headers = {}
+
+        token = self._settings.get('token')
+        if token:
+            headers.update({'Authorization': 'token {}'.format(token)})
+
         response = self._session.post(url, data=payload, allow_redirects=False,
-                                      verify=ssl_verify)
+                                      verify=ssl_verify, headers=headers)
         if response.status_code == requests.codes.created:
             self._settings['controller'] = controller
             self._settings.save()

controller/api/authentication.py

@@ -1,5 +1,6 @@
 from django.contrib.auth.models import AnonymousUser
 from rest_framework import authentication
+from rest_framework.authentication import TokenAuthentication
 
 
 class AnonymousAuthentication(authentication.BaseAuthentication):
@@ -9,3 +10,15 @@ def authenticate(self, request):
         Authenticate the request for anyone!
         """
         return AnonymousUser(), None
+
+
+class AnonymousOrAuthenticatedAuthentication(authentication.BaseAuthentication):
+
+    def authenticate(self, request):
+        """
+        Authenticate the request for anyone or if a valid token is provided, a user.
+        """
+        try:
+            return TokenAuthentication.authenticate(TokenAuthentication(), request)
+        except:
+            return AnonymousUser(), None

controller/api/permissions.py

@@ -97,7 +97,22 @@ class HasRegistrationAuth(permissions.BasePermission):
     Checks to see if registration is enabled
     """
     def has_permission(self, request, view):
-        return settings.REGISTRATION_ENABLED
+        """
+        If settings.REGISTRATION_MODE does not exist, such as during a test, return True
+        Return `True` if permission is granted, `False` otherwise.
+        """
+        try:
+            if settings.REGISTRATION_MODE == 'disabled':
+                return False
+            if settings.REGISTRATION_MODE == 'enabled':
+                return True
+            elif settings.REGISTRATION_MODE == 'admin_only':
+                return request.user.is_superuser
+            else:
+                raise Exception("{} is not a valid registation mode"
+                                .format(settings.REGISTRATION_MODE))
+        except AttributeError:
+            return True
 
 
 class HasBuilderAuth(permissions.BasePermission):

controller/api/tests/test_auth.py

@@ -63,7 +63,7 @@ def test_auth(self):
                                     content_type='application/x-www-form-urlencoded')
         self.assertEqual(response.status_code, 200)
 
-    @override_settings(REGISTRATION_ENABLED=False)
+    @override_settings(REGISTRATION_MODE="disabled")
     def test_auth_registration_disabled(self):
         """test that a new user cannot register when registration is disabled."""
         url = '/v1/auth/register'
@@ -79,6 +79,89 @@ def test_auth_registration_disabled(self):
         response = self.client.post(url, json.dumps(submit), content_type='application/json')
         self.assertEqual(response.status_code, 403)
 
+    @override_settings(REGISTRATION_MODE="admin_only")
+    def test_auth_registration_admin_only_fails_if_not_admin(self):
+        """test that a non superuser cannot register when registration is admin only."""
+        url = '/v1/auth/register'
+        submit = {
+            'username': 'testuser',
+            'password': 'password',
+            'first_name': 'test',
+            'last_name': 'user',
+            'email': 'test@user.com',
+            'is_superuser': False,
+            'is_staff': False,
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json')
+        self.assertEqual(response.status_code, 403)
+
+    @override_settings(REGISTRATION_MODE="admin_only")
+    def test_auth_registration_admin_only_works(self):
+        """test that a superuser can register when registration is admin only."""
+
+        user = User.objects.get(username='autotest')
+        token = Token.objects.get(user=user)
+
+        url = '/v1/auth/register'
+
+        username, password = 'newuser_by_admin', 'password'
+        first_name, last_name = 'Otto', 'Test'
+        email = 'autotest@deis.io'
+
+        submit = {
+            'username': username,
+            'password': password,
+            'first_name': first_name,
+            'last_name': last_name,
+            'email': email,
+            # try to abuse superuser/staff level perms (not the first signup!)
+            'is_superuser': True,
+            'is_staff': True,
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(token))
+
+        self.assertEqual(response.status_code, 201)
+        for key in response.data.keys():
+            self.assertIn(key, ['id', 'last_login', 'is_superuser', 'username', 'first_name',
+                                'last_name', 'email', 'is_active', 'is_superuser', 'is_staff',
+                                'date_joined', 'groups', 'user_permissions'])
+        expected = {
+            'username': username,
+            'email': email,
+            'first_name': first_name,
+            'last_name': last_name,
+            'is_active': True,
+            'is_superuser': False,
+            'is_staff': False
+        }
+        self.assertDictContainsSubset(expected, response.data)
+        # test login
+        url = '/v1/auth/login/'
+        payload = urllib.urlencode({'username': username, 'password': password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 200)
+
+    @override_settings(REGISTRATION_MODE="not_a_mode")
+    def test_auth_registration_fails_with_nonexistant_mode(self):
+        """test that a registration should fail with a nonexistant mode"""
+        url = '/v1/auth/register'
+        submit = {
+            'username': 'testuser',
+            'password': 'password',
+            'first_name': 'test',
+            'last_name': 'user',
+            'email': 'test@user.com',
+            'is_superuser': False,
+            'is_staff': False,
+        }
+
+        try:
+            self.client.post(url, json.dumps(submit), content_type='application/json')
+        except Exception, e:
+            self.assertEqual(str(e), 'not_a_mode is not a valid registation mode')
+
     def test_cancel(self):
         """Test that a registered user can cancel her account."""
         # test registration workflow

controller/api/views.py

@@ -20,8 +20,8 @@
 class UserRegistrationViewSet(GenericViewSet,
                               mixins.CreateModelMixin):
     """ViewSet to handle registering new users. The logic is in the serializer."""
-    authentication_classes = [authentication.AnonymousAuthentication]
-    permission_classes = [permissions.IsAnonymous, permissions.HasRegistrationAuth]
+    authentication_classes = [authentication.AnonymousOrAuthenticatedAuthentication]
+    permission_classes = [permissions.HasRegistrationAuth]
     serializer_class = serializers.UserSerializer
 
 

controller/bin/boot

@@ -47,7 +47,7 @@ function etcd_safe_mkdir {
 etcd_set_default protocol ${DEIS_PROTOCOL:-http}
 etcd_set_default secretKey ${DEIS_SECRET_KEY:-`openssl rand -base64 64 | tr -d '\n'`}
 etcd_set_default builderKey ${DEIS_BUILDER_KEY:-`openssl rand -base64 64 | tr -d '\n'`}
-etcd_set_default registrationEnabled 1
+etcd_set_default registrationMode "enabled"
 etcd_set_default webEnabled 0
 etcd_set_default unitHostname default
 

controller/migrations/data/0002.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+ETCD_PORT=${ETCD_PORT:-4001}
+ETCD="$HOST:$ETCD_PORT"
+ETCDCTL="etcdctl -C $ETCD"
+
+# April 8, 2015: If registrationEnabled key exists, migrate it to registrationMode and delete it.
+
+if [[ "$($ETCDCTL get /deis/migrations/data/0002 2> /dev/null)" != "done" ]];
+then
+    if $ETCDCTL ls /deis/controller | grep -q '/deis/controller/registrationEnabled'
+    then
+        if [[ "$($ETCDCTL get /deis/controller/registrationEnabled 2> /dev/null)" == "false" ]]
+        then
+        $ETCDCTL set /deis/controller/registrationMode "disabled"
+        else
+          $ETCDCTL set /deis/controller/registrationMode "enabled"
+        fi
+
+        $ETCDCTL rm /deis/controller/registrationEnabled
+    else
+        echo "registrationEnabled key doesn't exist, skipping migration"
+    fi
+
+    $ETCDCTL set /deis/migrations/data/0002 "done"
+fi

controller/templates/confd_settings.py

@@ -37,8 +37,8 @@
 # move log directory out of /app/deis
 DEIS_LOG_DIR = '/data/logs'
 
-{{ if exists "/deis/controller/registrationEnabled" }}
-REGISTRATION_ENABLED = bool({{ getv "/deis/controller/registrationEnabled" }})
+{{ if exists "/deis/controller/registrationMode" }}
+REGISTRATION_MODE = '{{ getv "/deis/controller/registrationMode" }}'
 {{ end }}
 
 {{ if exists "/deis/controller/webEnabled" }}

docs/customizing_deis/controller_settings.rst

@@ -39,7 +39,7 @@ The following etcd keys are used by the controller component.
 ====================================      ======================================================
 setting                                   description
 ====================================      ======================================================
-/deis/controller/registrationEnabled      enable registration for new Deis users (default: true)
+/deis/controller/registrationMode         set registration to "enabled", "disabled", or "admin_only" (default: "enabled")
 /deis/controller/webEnabled               enable controller web UI (default: false)
 /deis/cache/host                          host of the cache component (set by cache)
 /deis/cache/port                          port of the cache component (set by cache)
@@ -77,9 +77,9 @@ Deis. Specifically, ensure that it sets and reads appropriate etcd keys.
 
 Unit hostname
 -------------
-Per default, Docker automatically generates a hostname for your application unit, such as: 
-``5c149b397cd6``. Auto generated hostnames is not always preferred. For instance, 
-New Relic would classify each Docker container as an unique server since they use hostname 
+Per default, Docker automatically generates a hostname for your application unit, such as:
+``5c149b397cd6``. Auto generated hostnames is not always preferred. For instance,
+New Relic would classify each Docker container as an unique server since they use hostname
 for grouping applications running on the same server together.
 
 Deis supports configuring hostname assignment through the ``unitHostname`` setting.
@@ -98,12 +98,12 @@ application
     The hostname is assigned based on the unit name. Example: ``dancing-cat.v2.web.1``
 
 server
-    The hostname is assigned based on the CoreOS hostname. Example: 
+    The hostname is assigned based on the CoreOS hostname. Example:
     ``ip-10-21-2-168.eu-west-1.compute.internal``
 
 .. note::
 
-    Changes to ``/deis/controller/unitHostname`` requires either pushing a new build to 
+    Changes to ``/deis/controller/unitHostname`` requires either pushing a new build to
     every application or scaling them down and up.
     The change is only detected when a container unit is deployed.