hackforla · ethanstrominger · Jun 26, 2024 · Jun 28, 2024 · Jun 30, 2024 · Jun 30, 2024
diff --git a/app/.env.docker-example b/app/.env.docker-example
@@ -36,5 +36,3 @@ DATABASE=postgres
 COGNITO_DOMAIN=peopledepot
 COGNITO_AWS_REGION=us-west-2
 COGNITO_USER_POOL=us-west-2_Fn4rkZpuB
-
-PEOPLE_DEPOT_API_SECRET=people-depot-api-secret
diff --git a/app/core/api/api_key_views.py b/app/core/api/api_key_views.py
@@ -0,0 +1,61 @@
+# from rest_framework import serializers as rest_serializers
+from drf_spectacular.utils import extend_schema
+from drf_spectacular.utils import extend_schema_view
+from rest_framework import viewsets
+from rest_framework.permissions import IsAuthenticatedOrReadOnly
+from rest_framework_api_key.permissions import HasAPIKey
+
+from core.api.serializers import PracticeAreaSerializer
+from core.api.serializers import UserSerializer
+from core.models import PracticeArea
+from core.models import User
+
+
+@extend_schema_view(
+    list=extend_schema(
+        description="""
+Lists all users and the associated groups for the user
+
+Requires
+- API keys have been added using the API key screen in the People depot App.
+Check with People Depot admin.
+- Requires X-Api-Key be set when submitting request
+For curl, it would look like this:
+```http
+curl -L -X GET "localhost:8001/api/v1/apikey/getusers/"
+-H "X-Api-Key: *************"
+-H "Content-Type: application/json"
+```
+
+
+For python, it would look like this:
+```bash
+import requests
+
+API_KEY = os.environ.get("API_KEY")
+BASE_URL = "http:8000"
+HEADERS = {
+    'X-Api-Key': API_KEY,
+    'Content-Type': 'application/json'
+}
+response = requests.get(f"{BASE_URL}/api/v1/apikey/getusers/", headers=HEADERS)
+```
+        """
+    )
+)
+class ApiKeyUserViewSet(viewsets.ReadOnlyModelViewSet):
+    # HasAPIKey checks if value of X-API-KEY is in API keys table
+    permission_classes = [IsAuthenticatedOrReadOnly, HasAPIKey]
+    queryset = PracticeArea.objects.all()
+    serializer_class = PracticeAreaSerializer  # HasAPIKey checks against keys stored in
+    queryset = User.objects.all()
+
+    # when instantiated, get_serializer_context will be called
+    serializer_class = UserSerializer
+
+    # get_serializer_context called to set include_groups to True
+    # to include groups in the response
+    def get_serializer_context(self):
+        context = super().get_serializer_context()
+        context["include_groups"] = True
+        return context
diff --git a/app/core/api/serializers.py b/app/core/api/serializers.py
@@ -1,3 +1,4 @@
+from django.contrib.auth.models import Group
 from rest_framework import serializers
 from timezone_field.rest_framework import TimeZoneSerializerField
 
@@ -39,6 +40,12 @@ class Meta:
         )
 
 
+class GroupSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Group
+        fields = ("id", "name")
+
+
 class UserPermissionSerializer(serializers.ModelSerializer):
     """Used to retrieve user permissions"""
 
@@ -61,9 +68,16 @@ class Meta:
 
 
 class UserSerializer(serializers.ModelSerializer):
-    """Used to retrieve user info"""
+    """
+    Serializer for User model.
+
+    Parameters:
+    - include_groups (bool): Flag to include user groups in the serialized output.
+    """
 
     time_zone = TimeZoneSerializerField(use_pytz=False)
+    # see get_groups method
+    groups = serializers.SerializerMethodField()
 
     class Meta:
         model = User
@@ -87,6 +101,7 @@ class Meta:
             "phone",
             "texting_ok",
             "time_zone",
+            "groups",
         )
         read_only_fields = (
             "uuid",
@@ -96,6 +111,12 @@ class Meta:
             "email",
         )
 
+    def get_groups(self, obj):
+        include_groups = self.context.get("include_groups", False)
+        if include_groups:
+            return GroupSerializer(obj.groups.all(), many=True).data
+        return None
+
 
 class ProjectSerializer(serializers.ModelSerializer):
     """Used to retrieve project info"""

diff --git a/app/core/api/urls.py b/app/core/api/urls.py
@@ -1,6 +1,7 @@
 from django.urls import path
 from rest_framework import routers
 
+from .api_key_views import ApiKeyUserViewSet
 from .views import AffiliateViewSet
 from .views import AffiliationViewSet
 from .views import CheckTypeViewSet
@@ -37,6 +38,8 @@
 router.register(
     r"stack-element-types", StackElementTypeViewSet, basename="stack-element-type"
 )
+router.register(r"apikey/getusers", ApiKeyUserViewSet, basename="apikey-getusers")
+router.register(r"sdgs", SdgViewSet, basename="sdg")
 router.register(r"sdgs", SdgViewSet, basename="sdg")
 router.register(
     r"affiliations",

diff --git a/app/core/tests/test_api_key.py b/app/core/tests/test_api_key.py
@@ -0,0 +1,29 @@
+import datetime
+
+from django.urls import reverse
+from rest_framework import status
+from rest_framework.test import APITestCase
+from rest_framework_api_key.models import APIKey
+
+api_key_url = reverse("apikey-getusers-list")
+
+
+class ApiKeyUserViewSetTests(APITestCase):
+    def test_succeeds(self):
+        _, api_key = APIKey.objects.create_key(name="test")
+        response = self.client.get(
+            api_key_url,
+            HTTP_X_API_KEY=api_key,  # Uppercase X-API-KEY
+            Content_Type="application/json",
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+    def test_expired_fails(self):
+        expired_date = datetime.datetime.now() - datetime.timedelta(days=2)
+        _, api_key = APIKey.objects.create_key(name="test", expiry_date=expired_date)
+        response = self.client.get(
+            api_key_url,
+            HTTP_X_API_KEY=api_key,  # Uppercase X-API-KEY
+            Content_Type="application/json",
+        )
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
diff --git a/app/peopledepot/settings.py b/app/peopledepot/settings.py
@@ -18,13 +18,16 @@
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
+# Used by djangorestframework-api-key
+API_KEY_CUSTOM_HEADER = "HTTP_X_API_KEY"
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/4.0/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY = os.environ.get("SECRET_KEY")
 
+
 DJANGO_SUPERUSER_USERNAME = os.environ.get("DJANGO_SUPERUSER_USERNAME")
 DJANGO_SUPERUSER_EMAIL = os.environ.get("DJANGO_SUPERUSER_EMAIL")
 DJANGO_SUPERUSER_PASSWORD = os.environ.get("DJANGO_SUPERUSER_PASSWORD")
@@ -70,6 +73,7 @@
     # 3rd party
     "django_extensions",
     "rest_framework",
+    "rest_framework_api_key",
     "drf_spectacular",
     "phonenumber_field",
     "timezone_field",
@@ -175,7 +179,10 @@
 ]
 
 REST_FRAMEWORK = {
-    "DEFAULT_PERMISSION_CLASSES": ("core.api.permissions.DenyAny",),
+    "DEFAULT_PERMISSION_CLASSES": (
+        "core.api.permissions.DenyAny",
+        "rest_framework_api_key.permissions.HasAPIKey",
+    ),
     "DEFAULT_AUTHENTICATION_CLASSES": (
         "rest_framework_jwt.authentication.JSONWebTokenAuthentication",
     ),

diff --git a/app/requirements.txt b/app/requirements.txt
@@ -30,6 +30,7 @@ djangorestframework==3.14.0
     # via
     #   drf-jwt
     #   drf-spectacular
+djangorestframework-api-key>=3.0
 drf-jwt==1.19.2
 drf-spectacular==0.27.1
 flake8==7.0.0
@@ -59,6 +60,7 @@ platformdirs==4.2.0
     # via black
 pluggy==1.4.0
     # via pytest
+pre-commit==3.7.1
 psycopg2-binary==2.9.9
 pycodestyle==2.11.1
     # via flake8