studio/people
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(dimail) automate allows requests to dimail

Browse Source 
Automatically send user creation and allow creation requests to dimail
upon creating domain access.
This commit is contained in:
Marie PUPO JEAMMET
2024-11-20 19:14:48 +01:00
committed by Marie
parent cf155dc033
commit 54120eb179
6 changed files with 384 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -10,6 +10,7 @@ and this project adheres to
### Added ### Added
- ✨(dimail) automate allows requests to dimail
- ✨(contacts) add notes & force full_name #565 - ✨(contacts) add notes & force full_name #565
### Changed ### Changed

20
src/backend/mailbox_manager/api/client/serializers.py
View File

@@ -99,7 +99,7 @@ class MailDomainSerializer(serializers.ModelSerializer):
client.create_domain(validated_data["name"], self.context["request"].user.sub) client.create_domain(validated_data["name"], self.context["request"].user.sub)
# no exception raised ? Then actually save domain on our database # no exception raised ? Then actually save domain on our database
return models.MailDomain.objects.create(**validated_data) return super().create(validated_data)
class MailDomainAccessSerializer(serializers.ModelSerializer): class MailDomainAccessSerializer(serializers.ModelSerializer):
@@ -169,6 +169,7 @@ class MailDomainAccessSerializer(serializers.ModelSerializer):
raise exceptions.PermissionDenied( raise exceptions.PermissionDenied(
"You are not allowed to manage accesses for this domain." "You are not allowed to manage accesses for this domain."
) )
# only an owner can set an owner role to another user # only an owner can set an owner role to another user
if ( if (
role == enums.MailDomainRoleChoices.OWNER role == enums.MailDomainRoleChoices.OWNER
@@ -183,6 +184,23 @@ class MailDomainAccessSerializer(serializers.ModelSerializer):
) )
return attrs return attrs
def create(self, validated_data):
"""
Override create function to fire requests to dimail on access creation.
"""
dimail = DimailAPIClient()
if validated_data["role"] in [
enums.MailDomainRoleChoices.ADMIN,
enums.MailDomainRoleChoices.OWNER,
]:
dimail.create_user(validated_data["user"].sub)
dimail.create_allow(
validated_data["user"].sub, validated_data["domain"].name
)
return super().create(validated_data)
class MailDomainAccessReadOnlySerializer(MailDomainAccessSerializer): class MailDomainAccessReadOnlySerializer(MailDomainAccessSerializer):
"""Serialize mail domain access for list and retrieve actions.""" """Serialize mail domain access for list and retrieve actions."""

10
src/backend/mailbox_manager/api/client/viewsets.py
View File

@@ -51,10 +51,12 @@ class MailDomainViewSet(
"""Set the current user as owner of the newly created mail domain.""" """Set the current user as owner of the newly created mail domain."""
domain = serializer.save() domain = serializer.save()
models.MailDomainAccess.objects.create( serializers.MailDomainAccessSerializer().create(
user=self.request.user, validated_data={
domain=domain, "user": self.request.user,
role=core_models.RoleChoices.OWNER, "domain": domain,
"role": str(core_models.RoleChoices.OWNER),
}
) )

68
src/backend/mailbox_manager/tests/api/mail_domain/test_api_mail_domains_create.py
View File

@@ -2,9 +2,8 @@
Tests for MailDomains API endpoint in People's app mailbox_manager. Focus on "create" action. Tests for MailDomains API endpoint in People's app mailbox_manager. Focus on "create" action.
""" """
import logging
import re import re
from logging import Logger
from unittest import mock
import pytest import pytest
import responses import responses
@@ -77,6 +76,27 @@ def test_api_mail_domains__create_authenticated():
status=status.HTTP_201_CREATED, status=status.HTTP_201_CREATED,
content_type="application/json", content_type="application/json",
) )
rsps.add(
rsps.POST,
re.compile(r".*/users/"),
body=str(
{
"name": "request-user-sub",
"is_admin": "false",
"uuid": "user-uuid-on-dimail",
"perms": [],
}
),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/allows/"),
body=str({"user": "request-user-sub", "domain": str(domain_name)}),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
response = client.post( response = client.post(
"/api/v1.0/mail-domains/", "/api/v1.0/mail-domains/",
{"name": domain_name, "context": "null", "features": ["webmail"]}, {"name": domain_name, "context": "null", "features": ["webmail"]},
@@ -103,13 +123,13 @@ def test_api_mail_domains__create_authenticated():
## SYNC TO DIMAIL ## SYNC TO DIMAIL
@mock.patch.object(Logger, "info") def test_api_mail_domains__create_dimail_domain(caplog):
def test_api_mail_domains__create_dimail_domain(mock_info):
""" """
Creating a domain should trigger a call to create a domain on dimail too. Creating a domain should trigger a call to create a domain on dimail too.
""" """
user = core_factories.UserFactory() caplog.set_level(logging.INFO)
user = core_factories.UserFactory()
client = APIClient() client = APIClient()
client.force_login(user) client.force_login(user)
domain_name = "test.fr" domain_name = "test.fr"
@@ -126,6 +146,27 @@ def test_api_mail_domains__create_dimail_domain(mock_info):
status=status.HTTP_201_CREATED, status=status.HTTP_201_CREATED,
content_type="application/json", content_type="application/json",
) )
rsps.add(
rsps.POST,
re.compile(r".*/users/"),
body=str(
{
"name": "request-user-sub",
"is_admin": "false",
"uuid": "user-uuid-on-dimail",
"perms": [],
}
),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/allows/"),
body=str({"user": "request-user-sub", "domain": str(domain_name)}),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
response = client.post( response = client.post(
"/api/v1.0/mail-domains/", "/api/v1.0/mail-domains/",
{ {
@@ -138,13 +179,18 @@ def test_api_mail_domains__create_dimail_domain(mock_info):
assert rsp.call_count == 1 # endpoint was called assert rsp.call_count == 1 # endpoint was called
# Logger # Logger
assert len(caplog.records) == 4 # should be 3. Last empty info still here.
assert ( assert (
mock_info.call_count == 2 caplog.records[0].message
) # should be 1. A new empty info has been added. To be investigated == f"Domain {domain_name} successfully created on dimail by user {user.sub}"
assert mock_info.call_args_list[0][0] == ( )
"Domain %s successfully created on dimail by user %s", assert (
domain_name, caplog.records[1].message
user.sub, == f'[DIMAIL] User "{user.sub}" successfully created on dimail'
)
assert (
caplog.records[2].message
== f'[DIMAIL] Permissions granted for user "{user.sub}" on domain {domain_name}.'
) )

248
src/backend/mailbox_manager/tests/api/mail_domain_accesses/test_api_mail_domain_accesses_create.py
View File

@@ -2,9 +2,12 @@
Test for mail domain accesses API endpoints in People's core app : create Test for mail domain accesses API endpoints in People's core app : create
""" """
import logging
import random import random
import re
import pytest import pytest
import responses
from rest_framework import status from rest_framework import status
from rest_framework.test import APIClient from rest_framework.test import APIClient
@@ -105,15 +108,16 @@ def test_api_mail_domain__accesses_create_authenticated_administrator():
client = APIClient() client = APIClient()
client.force_login(authenticated_user) client.force_login(authenticated_user)
# It should not be allowed to create an owner access with responses.RequestsMock() as rsps:
response = client.post( # It should not be allowed to create an owner access
f"/api/v1.0/mail-domains/{mail_domain.slug}/accesses/", response = client.post(
{ f"/api/v1.0/mail-domains/{mail_domain.slug}/accesses/",
"user": str(other_user.id), {
"role": enums.MailDomainRoleChoices.OWNER, "user": str(other_user.id),
}, "role": enums.MailDomainRoleChoices.OWNER,
format="json", },
) format="json",
)
assert response.status_code == status.HTTP_403_FORBIDDEN assert response.status_code == status.HTTP_403_FORBIDDEN
assert response.json() == { assert response.json() == {
@@ -123,14 +127,38 @@ def test_api_mail_domain__accesses_create_authenticated_administrator():
# It should be allowed to create a lower access # It should be allowed to create a lower access
for role in [enums.MailDomainRoleChoices.ADMIN, enums.MailDomainRoleChoices.VIEWER]: for role in [enums.MailDomainRoleChoices.ADMIN, enums.MailDomainRoleChoices.VIEWER]:
other_user = core_factories.UserFactory() other_user = core_factories.UserFactory()
response = client.post( with responses.RequestsMock() as rsps:
f"/api/v1.0/mail-domains/{mail_domain.slug}/accesses/", if role != enums.MailDomainRoleChoices.VIEWER:
{ # viewers don't have allows in dimail
"user": str(other_user.id), rsps.add(
"role": role, rsps.POST,
}, re.compile(r".*/users/"),
format="json", body=str(
) {
"name": str(other_user.sub),
"is_admin": "false",
"uuid": "71f60d74-a3ad-46bc-bc2b-20d79a2e36fb",
"perms": [],
}
),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/allows/"),
body=str({"user": other_user.sub, "domain": str(mail_domain.name)}),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
response = client.post(
f"/api/v1.0/mail-domains/{mail_domain.slug}/accesses/",
{
"user": str(other_user.id),
"role": role,
},
format="json",
)
assert response.status_code == status.HTTP_201_CREATED assert response.status_code == status.HTTP_201_CREATED
new_mail_domain_access = models.MailDomainAccess.objects.filter( new_mail_domain_access = models.MailDomainAccess.objects.filter(
user=other_user user=other_user
@@ -150,19 +178,41 @@ def test_api_mail_domain__accesses_create_authenticated_owner():
users=[(authenticated_user, enums.MailDomainRoleChoices.OWNER)] users=[(authenticated_user, enums.MailDomainRoleChoices.OWNER)]
) )
other_user = core_factories.UserFactory() other_user = core_factories.UserFactory()
role = random.choice([role[0] for role in enums.MailDomainRoleChoices.choices]) role = random.choice([role[0] for role in enums.MailDomainRoleChoices.choices])
client = APIClient() client = APIClient()
client.force_login(authenticated_user) client.force_login(authenticated_user)
response = client.post( with responses.RequestsMock() as rsps:
f"/api/v1.0/mail-domains/{mail_domain.slug}/accesses/", if role != enums.MailDomainRoleChoices.VIEWER:
{ rsps.add(
"user": str(other_user.id), rsps.POST,
"role": role, re.compile(r".*/users/"),
}, body=str(
format="json", {
) "name": str(other_user.sub),
"is_admin": "false",
"uuid": "71f60d74-a3ad-46bc-bc2b-20d79a2e36fb",
"perms": [],
}
),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/allows/"),
body=str({"user": other_user.sub, "domain": str(mail_domain.name)}),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
response = client.post(
f"/api/v1.0/mail-domains/{mail_domain.slug}/accesses/",
{
"user": str(other_user.id),
"role": role,
},
format="json",
)
assert response.status_code == status.HTTP_201_CREATED assert response.status_code == status.HTTP_201_CREATED
assert models.MailDomainAccess.objects.filter(user=other_user).count() == 1 assert models.MailDomainAccess.objects.filter(user=other_user).count() == 1
@@ -171,3 +221,149 @@ def test_api_mail_domain__accesses_create_authenticated_owner():
).get() ).get()
assert response.json()["id"] == str(new_mail_domain_access.id) assert response.json()["id"] == str(new_mail_domain_access.id)
assert response.json()["role"] == role assert response.json()["role"] == role
## INTEROP WITH DIMAIL
def test_api_mail_domains_accesses__create_dimail_allows(caplog):
"""
Creating a domain access on our API should trigger a request to create an access on dimail too.
"""
caplog.set_level(logging.INFO)
authenticated_user = core_factories.UserFactory()
domain = factories.MailDomainFactory(status="enabled")
factories.MailDomainAccessFactory(
domain=domain, user=authenticated_user, role=enums.MailDomainRoleChoices.OWNER
)
client = APIClient()
client.force_login(authenticated_user)
allowed_user = core_factories.UserFactory()
with responses.RequestsMock() as rsps:
rsps.add(
rsps.POST,
re.compile(r".*/users/"),
body=str(
{
"name": str(allowed_user.sub),
"is_admin": "false",
"uuid": "71f60d74-a3ad-46bc-bc2b-20d79a2e36fb",
"perms": [],
}
),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/allows/"),
body=str({"user": allowed_user.sub, "domain": str(domain.name)}),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
response = client.post(
f"/api/v1.0/mail-domains/{domain.slug}/accesses/",
{
"user": str(allowed_user.id),
"role": enums.MailDomainRoleChoices.ADMIN,
},
format="json",
)
assert response.status_code == status.HTTP_201_CREATED
# check logs
assert (
caplog.records[0].message
== f'[DIMAIL] User "{allowed_user.sub}" successfully created on dimail'
)
assert (
caplog.records[1].message
== f'[DIMAIL] Permissions granted for user "{allowed_user.sub}" on domain {domain.name}.'
)
def test_api_mail_domains_accesses__dont_create_dimail_allows_for_viewer(caplog):
"""Dimail should not be called when creating an access to a simple viewer."""
caplog.set_level(logging.INFO)
authenticated_user = core_factories.UserFactory()
domain = factories.MailDomainFactory(status="enabled")
factories.MailDomainAccessFactory(
domain=domain, user=authenticated_user, role=enums.MailDomainRoleChoices.OWNER
)
client = APIClient()
client.force_login(authenticated_user)
allowed_user = core_factories.UserFactory()
with responses.RequestsMock():
# No call expected
response = client.post(
f"/api/v1.0/mail-domains/{domain.slug}/accesses/",
{
"user": str(allowed_user.id),
"role": enums.MailDomainRoleChoices.VIEWER,
},
format="json",
)
assert response.status_code == status.HTTP_201_CREATED
# check logs
assert len(caplog.records) == 1 # should be 0, investigate this damn empty message
def test_api_mail_domains_accesses__user_already_on_dimail(caplog):
"""The expected allow should be created when an user already exists on dimail
(i.e. previous admin/owner of same domain or current on another domain)."""
caplog.set_level(logging.INFO)
authenticated_user = core_factories.UserFactory()
domain = factories.MailDomainFactory()
factories.MailDomainAccessFactory(
domain=domain, user=authenticated_user, role=enums.MailDomainRoleChoices.OWNER
)
client = APIClient()
client.force_login(authenticated_user)
allowed_user = core_factories.UserFactory()
with responses.RequestsMock() as rsps:
# No call expected
rsps.add(
rsps.POST,
re.compile(r".*/users/"),
body=str(
{"detail": "User already exists"}
), # the user is already on dimail
status=status.HTTP_409_CONFLICT,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/allows/"),
body=str({"user": allowed_user.sub, "domain": str(domain.name)}),
status=status.HTTP_201_CREATED,
content_type="application/json",
)
response = client.post(
f"/api/v1.0/mail-domains/{domain.slug}/accesses/",
{
"user": str(allowed_user.id),
"role": enums.MailDomainRoleChoices.ADMIN,
},
format="json",
)
assert response.status_code == status.HTTP_201_CREATED
# check logs
assert len(caplog.records) == 3 # should be 2, investigate this damn empty message
assert (
caplog.records[0].message
== f'[DIMAIL] Attempt to create user "{allowed_user.sub}" which already exists.'
)
assert (
caplog.records[1].message
== f'[DIMAIL] Permissions granted for user "{allowed_user.sub}" on domain {domain.name}.'
)

79
src/backend/mailbox_manager/utils/dimail.py
View File

@@ -157,6 +157,85 @@ class DimailAPIClient:
return self.raise_exception_for_unexpected_response(response) return self.raise_exception_for_unexpected_response(response)
def create_user(self, user_sub):
"""Send a request to dimail, to create a new user there."""
payload = {"name": user_sub, "password": "no", "is_admin": "false", "perms": []}
try:
response = session.post(
f"{self.API_URL}/users/",
headers={"Authorization": f"Basic {self.API_CREDENTIALS}"},
json=payload,
verify=True,
timeout=10,
)
except requests.exceptions.ConnectionError as error:
logger.error(
"Connection error while trying to reach %s.",
self.API_URL,
exc_info=error,
)
raise error
if response.status_code == status.HTTP_201_CREATED:
logger.info(
'[DIMAIL] User "%s" successfully created on dimail',
user_sub,
)
return response
if response.status_code == status.HTTP_409_CONFLICT:
logger.info(
'[DIMAIL] Attempt to create user "%s" which already exists.',
user_sub,
)
return response
return self.raise_exception_for_unexpected_response(response)
def create_allow(self, user_sub, domain_name):
"""Send a request to dimail for a new 'allow' between user and the domain."""
payload = {
"user": user_sub,
"domain": domain_name,
}
try:
response = session.post(
f"{self.API_URL}/allows/",
headers={"Authorization": f"Basic {self.API_CREDENTIALS}"},
json=payload,
verify=True,
timeout=10,
)
except requests.exceptions.ConnectionError as error:
logger.error(
"Connection error while trying to reach %s.",
self.API_URL,
exc_info=error,
)
raise error
if response.status_code == status.HTTP_201_CREATED:
logger.info(
'[DIMAIL] Permissions granted for user "%s" on domain %s.',
user_sub,
domain_name,
)
return response
if response.status_code == status.HTTP_409_CONFLICT:
logger.info(
'[DIMAIL] Attempt to create already existing permission between "%s" and "%s".',
user_sub,
domain_name,
)
return response
return self.raise_exception_for_unexpected_response(response)
def raise_exception_for_unexpected_response(self, response): def raise_exception_for_unexpected_response(self, response):
"""Raise error when encountering an unexpected error in dimail.""" """Raise error when encountering an unexpected error in dimail."""
try: try: