Implement users approval flow, add mailer

gi0baro · gi0baro · commit 3c7a72f10013 · 2021-11-19T11:10:20.000+01:00
diff --git a/fe/components/src/components/UserManage.ce.vue b/fe/components/src/components/UserManage.ce.vue
@@ -22,8 +22,11 @@
         {{ roleLabel }}
       </div>
     </div>
-    <div class="ctl">
-      <confirm-button v-if="editable" @tap="deleteAction">
+    <div :class="`ctl ${pending ? 'large' : ''}`">
+      <confirm-button class="approve" v-if="editable && pending" @tap="approveAction">
+        Approve
+      </confirm-button>
+      <confirm-button class="delete" v-if="editable" @tap="deleteAction">
         Delete
       </confirm-button>
       <div v-else class="label">
@@ -54,9 +57,16 @@ export default {
     edit_url: {
       type: String
     },
+    approve_url: {
+      type: String
+    },
     editable: {
       type: Boolean,
       default: false
+    },
+    pending: {
+      type: Boolean,
+      default: false
     }
   },
   data() {
@@ -81,6 +91,9 @@ export default {
     }
   },
   methods: {
+    approveAction() {
+      window.location.href = this.approve_url
+    },
     editAction() {
       window.location.href = `${this.edit_url}?role=${this.selectedRole}`
     },
@@ -116,11 +129,20 @@ export default {
 .element .ctl {
   @apply w-32 flex items-center justify-end;
 }
+.element .ctl.large {
+  @apply w-64;
+}
 .element .ctl .label {
   @apply py-1 text-gray-400;
 }
 .element .ctl:deep() .btn {
-  @apply py-1 px-4 flex items-center cursor-pointer border border-solid border-pink-500 text-pink-500 dark:border-pink-400 dark:text-pink-400 rounded focus:outline-none;
+  @apply ml-4 py-1 px-4 flex items-center cursor-pointer border border-solid rounded focus:outline-none;
+}
+.element .ctl .approve:deep() .btn {
+  @apply border-indigo-500 text-indigo-500 dark:border-indigo-300 dark:text-indigo-300;
+}
+.element .ctl .delete:deep() .btn {
+  @apply border-pink-500 text-pink-500 dark:border-pink-400 dark:text-pink-400;
 }
 .element .ctl:deep() .btn.confirm {
   @apply bg-pink-200 dark:bg-pink-600 dark:text-gray-50;
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tfstater"
-version = "0.1.2"
+version = "0.2.0"
 description = "An HTTP Terraform state backend with locking support"
 authors = ["Giovanni Barillari <gi0baro@d4net.org>"]
 license = "BSD-3-Clause"
diff --git a/tfstater/__init__.py b/tfstater/__init__.py
@@ -1,7 +1,7 @@
 from emmett import App
 from emmett.orm import Database
 from emmett.sessions import SessionManager
-from emmett.tools.auth import Auth
+from emmett.tools import Auth, Mailer
 from emmett_rest import REST
 
 from .config import load_config
@@ -10,6 +10,8 @@
 app = App(__name__)
 load_config(app)
 
+mailer = Mailer(app)
+
 rest = app.use_extension(REST)
 
 db = Database(app)
diff --git a/tfstater/commands.py b/tfstater/commands.py
@@ -8,9 +8,12 @@
 @click.argument("password")
 def cmd_create_maintainer(email, password):
     with db.connection():
-        User.create(
+        res = User.create(
             email=email,
             password=password,
-            role=User.ROLES.maintainer
+            role=User.ROLES.maintainer.value
         )
+        if not res.id:
+            return
+        res.id.allow()
         db.commit()
diff --git a/tfstater/config.py b/tfstater/config.py
@@ -1,9 +1,41 @@
 from .idp import Providers
 
 
+class ConfigurationError(RuntimeError):
+    def __init__(self, msg: str):
+        super().__init__(f"Configuration error: {msg}")
+
+
 def load_config(app):
     app.config_from_yaml("app.yml")
 
+    if any (not v for v in [app.config.auth.hmac_key, app.config.auth.cookies_key]):
+        raise ConfigurationError(
+            "auth.hmac_key and auth.cookies_key values required"
+        )
+
+    if app.config.auth.allow_email_login and all(not v for v in [
+        app.config.auth.registration_verification,
+        app.config.auth.registration_approval
+    ]):
+        raise ConfigurationError(
+            "auth.allow_email_login requires auth.registration_verification "
+            "or auth.registration_approval"
+        )
+
+    if (
+        app.config.auth.registration_verification and
+        not app.config.auth.restrict_email_domain
+    ):
+        raise ConfigurationError(
+            "auth.registration_verification requires auth.restrict_email_domain"
+        )
+
+    if app.config.auth.registration_verification and not app.config.smtp.server:
+        raise ConfigurationError(
+            "auth.registration_verification requires smtp.server"
+        )
+
     auth_disabled_routes = ["profile", "download"]
     if not app.config.auth.allow_email_login:
         auth_disabled_routes.extend([
@@ -18,6 +50,7 @@ def load_config(app):
     app.config.auth.single_template = False
     app.config.db.adapter = "postgres"
     app.config.db.big_id_fields = True
+    app.config.mailer = app.config.smtp
 
     idp = {}
     for key in set(
diff --git a/tfstater/config/app.yml.example b/tfstater/config/app.yml.example
@@ -10,7 +10,17 @@ auth:
   cookies_key: anothersecret
   allow_email_login: true
   restrict_email_domain: "@my.tld"
-  registration_verification: true
+  registration_verification: false
+  registration_approval: true
+
+smtp:
+  sender: "noreply@tfstater.local"
+  server:
+  port: 25
+  username: tfstater
+  password: ""
+  use_tls: false
+  use_ssl: false
 
 object_storage:
   bucket: states
diff --git a/tfstater/templates/auth/login.html b/tfstater/templates/auth/login.html
@@ -3,6 +3,10 @@
 
 <div class="w-full font-semibold text-lg text-center mb-12">Sign in</div>
 
+{{ if message: }}
+<div class="message-wrapper">{{ =message }}</div>
+{{ pass }}
+
 {{ if auth_helpers.allow_email_login: }}
 {{ =form.custom.begin }}
 <div class="grid grid-flow-row grid-cols-4 gap-4 my-8 fields">
diff --git a/tfstater/templates/auth/registration.html b/tfstater/templates/auth/registration.html
@@ -3,6 +3,10 @@
 
 <div class="w-full font-semibold text-lg text-center mb-12">Sign up</div>
 
+{{ if message: }}
+<div class="message-wrapper">{{ =message }}</div>
+{{ pass }}
+
 {{ if auth_helpers.allow_email_login: }}
 {{ =form.custom.begin }}
 <div class="grid grid-flow-row grid-cols-4 gap-4 my-8 fields">
diff --git a/tfstater/templates/settings.html b/tfstater/templates/settings.html
@@ -44,10 +44,14 @@
             email="{{ =user.email }}"
             role="{{ =user.role }}"
             edit_url="{{ =url('views.actions.edit_user', user.id) }}"
+            approve_url="{{ =url('views.actions.allow_user', user.id) }}"
             delete_url="{{ =url('views.actions.delete_user', user.id) }}"
             {{ if user.id != ctx.user.id: }}
             editable
             {{ pass }}
+            {{ if user.registration_key: }}
+            pending
+            {{ pass }}
         ></tfstater-user-manage>
         {{ pass }}
     </div>
diff --git a/tfstater/views/accounts.py b/tfstater/views/accounts.py
@@ -35,7 +35,6 @@ def _after_login(form):
 def _after_registration(form, user, logged_in):
     if logged_in:
         redirect(url("views.index"))
-    redirect(url("account.login"))
 
 
 @auth_routes.after_email_verification
diff --git a/tfstater/views/main.py b/tfstater/views/main.py
@@ -50,6 +50,19 @@ async def delete_identity(identity_id):
     redirect(url('views.settings'))
 
 
+@actions.route("/allow_user/<int:user_id>")
+@requires(
+    lambda: auth.user.role == User.ROLES.maintainer,
+    lambda: redirect((url("view.settings")))
+)
+async def allow_user(user_id):
+    if user_id != auth.user.id:
+        User.where(lambda u: u.id == user_id).update(
+            registration_key=""
+        )
+    redirect(url('views.settings'))
+
+
 @actions.route("/edit_user/<int:user_id>")
 @requires(
     lambda: auth.user.role == User.ROLES.maintainer,
