diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ab99d0b..4fb6e59 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -38,7 +38,7 @@ jobs: cache-service: [redis] db-service: [postgresql14] mq-service: [rabbitmq] - search-service: [opensearch2, elasticsearch7] + search-service: [opensearch2] env: CACHE: ${{ matrix.cache-service }} diff --git a/docs/conf.py b/docs/conf.py index bfc9b3c..e8066cd 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -333,3 +333,6 @@ # Autodoc configuraton. autoclass_content = "both" + + +nitpick_ignore = [("py:class", "types.StrSequenceOrSet")] diff --git a/invenio_users_resources/config.py b/invenio_users_resources/config.py index fa9e070..ff25de5 100644 --- a/invenio_users_resources/config.py +++ b/invenio_users_resources/config.py @@ -10,7 +10,9 @@ """Invenio module providing management APIs for users and roles/groups.""" from invenio_i18n import lazy_gettext as _ +from marshmallow import Schema, fields, validate +from invenio_users_resources.services.domains import facets as domainfacets from invenio_users_resources.services.schemas import UserSchema from invenio_users_resources.services.users import facets @@ -48,36 +50,54 @@ """Schema used by the users service.""" USERS_RESOURCES_SEARCH = { - "sort": [ - "email", - "username", - "email_domain", - ], - "facets": ["email_domain", "affiliations"], + "sort": ["bestmatch", "username", "email", "domain", "newest", "oldest", "updated"], + "facets": ["status", "visibility", "domain_status", "domain", "affiliations"], } -"""User search configuration (i.e list of banners).""" +"""User search configuration.""" USERS_RESOURCES_SORT_OPTIONS = { + "bestmatch": dict( + title=_("Best match"), + fields=["_score"], + ), "username": dict( title=_("Username"), - fields=["username"], + fields=["username", "-created"], ), "email": dict( title=_("Email"), - fields=["email"], + fields=["email_hidden", "-created"], + ), + "domain": dict( + title=_("Domain"), + fields=["domain", "-created"], ), - "email_domain": dict( - title=_("Email domain"), - fields=["email.domain"], + "newest": dict( + title=_("Newest"), + fields=["-created"], + ), + "oldest": dict( + title=_("Oldest"), + fields=["created"], + ), + "updated": dict( + title=_("Recently updated"), + fields=["-updated"], ), } """Definitions of available Users sort options. """ USERS_RESOURCES_SEARCH_FACETS = { - "email_domain": { - "facet": facets.email_domain, + "domain": { + "facet": facets.domain, + "ui": { + "field": "domain", + }, + }, + "domain_status": { + "facet": facets.domain_status, "ui": { - "field": "email.domain", + "field": "domain_status", }, }, "affiliations": { @@ -86,6 +106,18 @@ "field": "profile.affiliations.keyword", }, }, + "status": { + "facet": facets.status, + "ui": { + "field": "status", + }, + }, + "visibility": { + "facet": facets.visibility, + "ui": { + "field": "visibility", + }, + }, } """Invenio requests facets.""" @@ -97,3 +129,114 @@ USERS_RESOURCES_MODERATION_LOCK_RENEWAL_TIMEOUT = 120 """Renewal timeout, in seconds, to increase the lock time for a user when moderating.""" + + +USERS_RESOURCES_DOMAINS_SEARCH = { + "sort": [ + "bestmatch", + "domain", + "newest", + "oldest", + "updated", + "num-users", + "num-active", + "num-inactive", + "num-confirmed", + "num-verified", + "num-blocked", + ], + "facets": ["status", "flagged", "category", "organisation", "tld"], +} +"""User search configuration.""" + +USERS_RESOURCES_DOMAINS_SORT_OPTIONS = { + "bestmatch": dict( + title=_("Best match"), + fields=["_score"], + ), + "domain": dict( + title=_("Domain"), + fields=["domain", "-created"], + ), + "newest": dict( + title=_("Newest"), + fields=["-created"], + ), + "oldest": dict( + title=_("Oldest"), + fields=["created"], + ), + "updated": dict( + title=_("Recently updated"), + fields=["-updated"], + ), + "num-users": dict( + title=_("# Users"), + fields=["-num_users"], + ), + "num-active": dict( + title=_("# Active"), + fields=["-num_active"], + ), + "num-inactive": dict( + title=_("# Inactive"), + fields=["-num_inactive"], + ), + "num-confirmed": dict( + title=_("# Confirmed"), + fields=["-num_confirmed"], + ), + "num-verified": dict( + title=_("# Verified"), + fields=["-num_verified"], + ), + "num-blocked": dict( + title=_("# Blocked"), + fields=["-num_blocked"], + ), +} +"""Definitions of available Users sort options. """ + +USERS_RESOURCES_DOMAINS_SEARCH_FACETS = { + "status": { + "facet": domainfacets.status, + "ui": { + "field": "status", + }, + }, + "flagged": { + "facet": domainfacets.flagged, + "ui": { + "field": "flagged", + }, + }, + "category": { + "facet": domainfacets.category, + "ui": { + "field": "category", + }, + }, + "organisation": { + "facet": domainfacets.organisation, + "ui": { + "field": "organisation", + }, + }, + "tld": { + "facet": domainfacets.tld, + "ui": { + "field": "tld", + }, + }, +} +"""Invenio domains facets.""" + + +class OrgPropsSchema(Schema): + """Schema for validating domain org properties.""" + + country = fields.String(validate=validate.Length(min=2, max=3)) + + +USERS_RESOURCES_DOMAINS_ORG_SCHEMA = OrgPropsSchema +"""Domains organisation schema config.""" diff --git a/invenio_users_resources/ext.py b/invenio_users_resources/ext.py index 91bbda0..817c605 100644 --- a/invenio_users_resources/ext.py +++ b/invenio_users_resources/ext.py @@ -18,12 +18,16 @@ from . import config from .records.hooks import post_commit, pre_commit from .resources import ( + DomainsResource, + DomainsResourceConfig, GroupsResource, GroupsResourceConfig, UsersResource, UsersResourceConfig, ) from .services import ( + DomainsService, + DomainsServiceConfig, GroupsService, GroupsServiceConfig, UsersService, @@ -58,6 +62,7 @@ def init_services(self, app): """Initialize the services for users and user groups.""" self.users_service = UsersService(config=UsersServiceConfig.build(app)) self.groups_service = GroupsService(config=GroupsServiceConfig) + self.domains_service = DomainsService(config=DomainsServiceConfig.build(app)) def init_resources(self, app): """Initialize the resources for users and user groups.""" @@ -70,6 +75,11 @@ def init_resources(self, app): config=GroupsResourceConfig, ) + self.domains_resource = DomainsResource( + service=self.domains_service, + config=DomainsResourceConfig, + ) + def init_db_hooks(self): """Initialize the database hooks for reindexing updated users/roles.""" # make sure that the hooks are only registered once per DB connection diff --git a/invenio_users_resources/proxies.py b/invenio_users_resources/proxies.py index bd0c3a5..3db4281 100644 --- a/invenio_users_resources/proxies.py +++ b/invenio_users_resources/proxies.py @@ -26,6 +26,11 @@ ) """Proxy for the currently instantiated user groups service.""" +current_domains_service = LocalProxy( + lambda: current_app.extensions["invenio-users-resources"].domains_service +) +"""Proxy for the currently instantiated user groups service.""" + current_actions_registry = LocalProxy( lambda: current_app.extensions["invenio-users-resources"].actions_registry ) diff --git a/invenio_users_resources/records/api.py b/invenio_users_resources/records/api.py index c0d457b..1d906e5 100644 --- a/invenio_users_resources/records/api.py +++ b/invenio_users_resources/records/api.py @@ -8,62 +8,111 @@ # details. """API classes for user and group management in Invenio.""" -import random + import unicodedata +from collections import namedtuple +from datetime import datetime from flask import current_app +from invenio_accounts.models import Domain from invenio_accounts.proxies import current_datastore from invenio_db import db -from invenio_records.dumpers import SearchDumper -from invenio_records.systemfields import DictField, ModelField +from invenio_records.dumpers import SearchDumper, SearchDumperExt +from invenio_records.dumpers.indexedat import IndexedAtDumperExt +from invenio_records.systemfields import ModelField from invenio_records_resources.records.api import Record from invenio_records_resources.records.systemfields import IndexField +from sqlalchemy.exc import NoResultFound from .dumpers import EmailFieldDumperExt -from .models import GroupAggregateModel, UserAggregateModel - - -def parse_user_data(user): - """Parse the user's information into a dictionary.""" - data = { - "id": user.id, - "email": user.email, - "username": user.username, - "active": user.active, - "confirmed": user.confirmed_at is not None, - "preferences": dict(user.preferences or {}), - "profile": dict(user.user_profile or {}), - "blocked_at": user.blocked_at, - "verified_at": user.verified_at, - } - - data["preferences"].setdefault("visibility", "restricted") - data["preferences"].setdefault("email_visibility", "restricted") - default_locale = current_app.config.get("BABEL_DEFAULT_LOCALE", "en") - data["preferences"].setdefault("locale", default_locale) - data["preferences"].setdefault("timezone", "Europe/Zurich") - data["preferences"].setdefault( - "notifications", - { - "enabled": True, - }, - ) +from .models import DomainAggregateModel, GroupAggregateModel, UserAggregateModel +from .systemfields import ( + AccountStatusField, + AccountVisibilityField, + DomainCategoryNameField, + DomainField, + DomainOrgField, + DomainStatusNameField, + IsNotNoneField, + UserIdentitiesField, +) + +EmulatedPID = namedtuple("EmulatedPID", ["pid_value"]) +"""Emulated PID""" + + +class AggregatePID: + """Helper emulate a PID field.""" + + def __init__(self, pid_field): + """Constructor.""" + self._pid_field = pid_field + + def __get__(self, record, owner=None): + """Evaluate the property.""" + if record is None: + return GetRecordResolver(owner) + return EmulatedPID(record[self._pid_field]) + + +class GetRecordResolver(object): + """Resolver that simply uses get record.""" + + def __init__(self, record_cls): + """Initialize resolver.""" + self._record_cls = record_cls + + def resolve(self, pid_value): + """Simply get the record.""" + return self._record_cls.get_record(pid_value) + + +class BaseAggregate(Record): + """An aggregate of information about a user group/role.""" + + metadata = None + """Disabled metadata field from the base class.""" + + def __getitem__(self, name): + """Get a dict key item.""" + try: + return getattr(self.model, name) + except AttributeError: + raise KeyError(name) + + def __repr__(self): + """Create string representation.""" + return f"<{self.__class__.__name__}: {self.model.data}>" - return data + def __unicode__(self): + """Create string representation.""" + return self.__repr__() + @classmethod + def from_model(cls, sa_model): + """Create an aggregate from an SQL Alchemy model.""" + return cls({}, model=cls.model_cls(model_obj=sa_model)) + + def _validate(self, *args, **kwargs): + """Skip the validation.""" + pass -def parse_role_data(role): - """Parse the role's information into a dictionary.""" - data = { - "id": role.id, - "name": role.name, - "description": role.description, - "is_managed": role.is_managed, - } - return data + def commit(self): + """Update the aggregate data on commit.""" + # You can only commit if you have an underlying model object. + if self.model._model_obj is None: + raise ValueError(f"{self.__class__.__name__} not backed by a model.") + if self.model._model_obj not in db.session: + with db.session.begin_nested(): + # make sure we get an id assigned + db.session.add(self.model._model_obj) + # Basically re-parses the model object. + model = self.model_cls(model_obj=self.model._model_obj) + self.model = model + return self -class UserAggregate(Record): +class UserAggregate(BaseAggregate): """An aggregate of information about a user.""" model_cls = UserAggregateModel @@ -72,49 +121,75 @@ class UserAggregate(Record): # NOTE: the "uuid" isn't a UUID but contains the same value as the "id" # field, which is currently an integer for User objects! dumper = SearchDumper( - extensions=[EmailFieldDumperExt("email")], - model_fields={"id": ("uuid", int)}, + extensions=[ + EmailFieldDumperExt("email"), + IndexedAtDumperExt(), + ], + model_fields={ + "id": ("uuid", int), + }, ) """Search dumper with configured extensions.""" - metadata = None - """Disabled metadata field from the base class.""" - - index = IndexField("users-user-v1.0.0", search_alias="users") + index = IndexField("users-user-v2.0.0", search_alias="users") """The search engine index to use.""" - # TODO - id = ModelField("id") - """The data-layer id.""" + id = ModelField("id", dump_type=int) + """The user identifier.""" - email = DictField("email") + active = ModelField("active", dump_type=bool) + """Determine is user is active and can login.""" + + # Profile fields + username = ModelField("username", dump_type=str) """The user's email address.""" - username = DictField("username") + email = ModelField("email", dump_type=str) """The user's email address.""" - profile = DictField("profile") + domain = ModelField("domain", dump_type=str) + """The domain of the users' email address.""" + + profile = ModelField("profile", dump_type=dict) """The user's profile.""" - active = DictField("active") + preferences = ModelField("preferences", dump_type=dict) + """User preferences.""" - confirmed = DictField("confirmed") + # Timestamps fields + confirmed_at = ModelField("confirmed_at", dump_type=datetime) + """Timestamp for when account was confirmed.""" - preferences = DictField("preferences") + verified_at = ModelField("verified_at", dump_type=datetime) + """Timestamp for when account was verified.""" - blocked_at = DictField("blocked_at") + blocked_at = ModelField("blocked_at", dump_type=datetime) + """Timestamp for when account was blocked.""" - verified_at = DictField("verified_at") + current_login_at = ModelField("current_login_at", dump_type=datetime) + """Timestamp for when account was blocked.""" - @property - def is_verified(self): - """Computed property for user verification status.""" - return self.verified_at is not None + confirmed = IsNotNoneField("confirmed_at", index=True) + """Boolean to determine if verified.""" - @property - def is_blocked(self): - """Computed property for blocked status.""" - return self.blocked_at is not None + verified = IsNotNoneField("verified_at", index=True) + """Boolean to determine if verified.""" + + blocked = IsNotNoneField("blocked_at", index=True) + """Boolean to determine if verified.""" + + # Status fields + status = AccountStatusField(index=True) + """Combined account status attribute.""" + + visibility = AccountVisibilityField(index=True) + """Combined profile visibility attribute.""" + + domaininfo = DomainField(use_cache=True, index=True) + """Domain information.""" + + identities = UserIdentitiesField("identities", use_cache=True, index=True) + """User identities.""" @property def avatar_chars(self): @@ -145,71 +220,52 @@ def create(cls, data, id_=None, validator=None, format_checker=None, **kwargs): # create_user() will already take care of creating the profile # for us, if it's specified in the data user = current_datastore.create_user(**data) - user_aggregate = cls.from_user(user) - return user_aggregate - - def _validate(self, *args, **kwargs): - """Skip the validation.""" - pass - - def commit(self): - """Update the aggregate data on commit.""" - # TODO this does not allow us to set properties via the UserAggregate? - # because everything's taken from the User object... - data = parse_user_data(self.model.model_obj) - self.update(data) - self.model.update(data) - return self + return cls.from_model(user) - @classmethod - def activate(cls, id_): + def verify(self): """Activates the current user. Activation of the user is proxied through the datastore. """ - with db.session.no_autoflush: - user = current_datastore.get_user(id_) + user = self.model.model_obj if user is None: return False - return current_datastore.activate_user(user) + return current_datastore.verify_user(user) - @classmethod - def deactivate(cls, id_): - """Deactivates the current user. - - Deactivation of the user is proxied through the datastore. - """ - with db.session.no_autoflush: - user = current_datastore.get_user(id_) + def block(self): + """Blocks a user.""" + user = self.model.model_obj if user is None: return False - return current_datastore.deactivate_user(user) + return current_datastore.block_user(user) - @classmethod - def from_user(cls, user): - """Create the user aggregate from the given user.""" - # TODO - data = parse_user_data(user) + def activate(self): + """Activate a previously deactivated user.""" + user = self.model.model_obj + if user is None: + return False + return current_datastore.activate_user(user) - with db.session.no_autoflush: - model = cls.model_cls(data, model_obj=user) - user_agg = cls(data, model=model) - return user_agg + def deactivate(self): + """Deactivates the current user.""" + user = self.model.model_obj + if user is None: + return False + return current_datastore.deactivate_user(user) @classmethod def get_record(cls, id_): """Get the user via the specified ID.""" - # TODO the the datastore.get_user() method will resolve both - # ID as well as email, which we do not necessarily want with db.session.no_autoflush: - user = current_datastore.get_user(id_) + user = current_datastore.get_user_by_id(id_) if user is None: return None - return cls.from_user(user) + with db.session.no_autoflush: + return cls.from_model(user) -class GroupAggregate(Record): +class GroupAggregate(BaseAggregate): """An aggregate of information about a user group/role.""" model_cls = GroupAggregateModel @@ -218,29 +274,23 @@ class GroupAggregate(Record): # NOTE: the "uuid" isn't a UUID but contains the same value as the "id" # field, which is currently a str for Role objects (role.name)! dumper = SearchDumper(extensions=[], model_fields={"id": ("uuid", str)}) - - metadata = None - """Disabled metadata field from the base class.""" + """Search index dumper.""" index = IndexField("groups-group-v2.0.0", search_alias="groups") """The search engine index to use.""" - # TODO - id = ModelField("id") - """The data-layer id.""" + id = ModelField("id", dump_type=str) + """ID of group.""" - name = DictField("name") + name = ModelField("name", dump_type=str) """The group's name.""" - description = DictField("description") + description = ModelField("description", dump_type=str) """The group's description.""" - is_managed = DictField("is_managed") + is_managed = ModelField("is_managed", dump_type=bool) """If the group is managed manually.""" - _role = None - """The cached Role entity.""" - @property def avatar_chars(self): """Get avatar characters for user.""" @@ -255,55 +305,131 @@ def avatar_color(self): ) return colors[int(normalized_group_initial, base=36) % len(colors)] - @property - def role(self): - """Cache for the associated role object.""" - role = self._role - if role is None: - if role is None and self.id is not None: - role = current_datastore.find_role(self.id) + @classmethod + def get_record(cls, id_): + """Get the user group via the specified ID.""" + # TODO how do we want to resolve the roles? via ID or name? + with db.session.no_autoflush: + role = current_datastore.role_model.query.get(id_) + if role is None: + return None + return cls.from_model(role) + + @classmethod + def get_record_by_name(cls, name): + """Get the user group via the specified ID.""" + # TODO how do we want to resolve the roles? via ID or name? + with db.session.no_autoflush: + role = current_datastore.role_model.query.filter_by(name=name).one_or_none() + if role is None: + return None + return cls.from_model(role) - self._role = role - return role +class OrgNameDumperExt(SearchDumperExt): + """Custom fields dumper extension.""" - def commit(self): - """Update the aggregate data on commit.""" - # TODO this does not allow us to set properties via the aggregate? - # because everything's taken from the Role object... - data = parse_role_data(self.role) - self.update(data) - self.model.update(data) - return self + def dump(self, record, data): + """Dump for faceting.""" + org = data.get("org", None) + if org and len(org) > 0: + data["org_names"] = [o["name"] for o in org] - @classmethod - def from_role(cls, role): - """Create the user group aggregate from the given role.""" - # TODO - data = parse_role_data(role) + def load(self, data, record_cls): + """Remove data from object.""" + data.pop("org_names", None) - with db.session.no_autoflush: - model = cls.model_cls(data, model_obj=role) - role_agg = cls(data, model=model) - role_agg._role = role - return role_agg + +class DomainAggregate(BaseAggregate): + """An aggregate of information about a user.""" + + model_cls = DomainAggregateModel + """The model class for the request.""" + + # NOTE: the "uuid" isn't a UUID but contains the same value as the "id" + # field, which is currently an integer for User objects! + dumper = SearchDumper( + extensions=[ + IndexedAtDumperExt(), + OrgNameDumperExt(), + ], + model_fields={ + "id": ("uuid", int), + }, + ) + """Search dumper with configured extensions.""" + + index = IndexField("domains-domain-v1.0.0", search_alias="domains") + """The search engine index to use.""" + + pid = AggregatePID("domain") + """Needed to emulate pid access.""" + + id = ModelField("id", dump_type=int) + """The user identifier.""" + + domain = ModelField("domain", dump_type=str) + """The domain of the users' email address.""" + + tld = ModelField("tld", dump_type=str) + """Top level domain.""" + + status = ModelField("status", dump_type=int) + """Domain status.""" + + status_name = DomainStatusNameField(index=True) + """Domain status name.""" + + flagged = ModelField("flagged", dump_type=bool) + """Flagged.""" + + flagged_source = ModelField("flagged_source", dump_type=str) + """Source of flagging.""" + + category = ModelField("category", dump_type=int) + """Domain category.""" + + category_name = DomainCategoryNameField(use_cache=True, index=True) + """Domain category name.""" + + org_id = ModelField("org_id", dump_type=int) + """Number of users.""" + + org = DomainOrgField("org", use_cache=True, index=True) + """Organization behind the domain.""" + + num_users = ModelField("num_users", dump_type=int) + """Number of users.""" + + num_active = ModelField("num_active", dump_type=int) + """Number of active users.""" + + num_inactive = ModelField("num_inactive", dump_type=int) + """Number of inactive users.""" + + num_confirmed = ModelField("num_confirmed", dump_type=int) + """Number of confirmed users.""" + + num_verified = ModelField("num_verified", dump_type=int) + """Number of verified users.""" + + num_blocked = ModelField("num_blocked", dump_type=int) + """Number of blocked users.""" @classmethod def get_record(cls, id_): - """Get the user group via the specified ID.""" - # TODO how do we want to resolve the roles? via ID or name? - role = current_datastore.role_model.query.get(id_) - if role is None: - return None - - return cls.from_role(role) + """Get the user via the specified ID.""" + with db.session.no_autoflush: + domain = current_datastore.find_domain(id_) + if domain is None: + raise NoResultFound() + return cls.from_model(domain) @classmethod - def get_record_by_name(cls, name): - """Get the user group via the specified ID.""" - # TODO how do we want to resolve the roles? via ID or name? - role = current_datastore.role_model.query.filter_by(name=name).one_or_none() - if role is None: - return None + def create(cls, data, id_=None, **kwargs): + """Create a domain.""" + return DomainAggregate(data, model=DomainAggregateModel(model_obj=Domain())) - return cls.from_role(role) + def delete(self, force=True): + """Delete the domain.""" + db.session.delete(self.model.model_obj) diff --git a/invenio_users_resources/records/dumpers/email.py b/invenio_users_resources/records/dumpers/email.py index 7ccea7d..4fe6c15 100644 --- a/invenio_users_resources/records/dumpers/email.py +++ b/invenio_users_resources/records/dumpers/email.py @@ -28,8 +28,7 @@ def dump(self, record, data): email_visible = record.preferences["email_visibility"] if email_visible == "public": data[self.field] = email - else: - data[self.hidden_field] = email + data[self.hidden_field] = email def load(self, data, record_cls): """Load the data.""" diff --git a/invenio_users_resources/records/hooks.py b/invenio_users_resources/records/hooks.py index d5fe544..a115811 100644 --- a/invenio_users_resources/records/hooks.py +++ b/invenio_users_resources/records/hooks.py @@ -9,9 +9,10 @@ """Invenio users DB hooks.""" -from invenio_accounts.models import Role, User +from invenio_accounts.models import Domain, Role, User from invenio_accounts.proxies import current_db_change_history +from ..services.domains.tasks import delete_domains, reindex_domains from ..services.groups.tasks import reindex_groups, unindex_groups from ..services.users.tasks import reindex_users, unindex_users @@ -36,12 +37,16 @@ def pre_commit(sender, session): current_db_change_history.add_updated_user(sid, item.id) if isinstance(item, Role): current_db_change_history.add_updated_role(sid, item.id) + if isinstance(item, Domain): + current_db_change_history.add_updated_domain(sid, item.id) for item in deleted: if isinstance(item, User): current_db_change_history.add_deleted_user(sid, item.id) if isinstance(item, Role): current_db_change_history.add_deleted_role(sid, item.id) + if isinstance(item, Domain): + current_db_change_history.add_deleted_domain(sid, item.id) def post_commit(sender, session): @@ -54,14 +59,30 @@ def post_commit(sender, session): if current_db_change_history.sessions.get(sid): # Handle updates user_ids_updated = list(current_db_change_history.sessions[sid].updated_users) - reindex_users.delay(user_ids_updated) + if user_ids_updated: + reindex_users.delay(user_ids_updated) group_ids_updated = list(current_db_change_history.sessions[sid].updated_roles) - reindex_groups.delay(group_ids_updated) + if group_ids_updated: + reindex_groups.delay(group_ids_updated) + + domain_ids_updated = list( + current_db_change_history.sessions[sid].updated_domains + ) + if domain_ids_updated: + reindex_domains.delay(domain_ids_updated) # Handle deletes user_ids_deleted = list(current_db_change_history.sessions[sid].deleted_users) - unindex_users.delay(user_ids_deleted) + if user_ids_deleted: + unindex_users.delay(user_ids_deleted) group_ids_deleted = list(current_db_change_history.sessions[sid].deleted_roles) - unindex_groups.delay(group_ids_deleted) + if group_ids_deleted: + unindex_groups.delay(group_ids_deleted) + + domain_ids_deleted = list( + current_db_change_history.sessions[sid].deleted_domains + ) + if domain_ids_deleted: + delete_domains.delay(domain_ids_deleted) diff --git a/invenio_users_resources/records/mappings/os-v1/domains/domain-v1.0.0.json b/invenio_users_resources/records/mappings/os-v1/domains/domain-v1.0.0.json new file mode 100644 index 0000000..4c8e45e --- /dev/null +++ b/invenio_users_resources/records/mappings/os-v1/domains/domain-v1.0.0.json @@ -0,0 +1,105 @@ +{ + "mappings": { + "dynamic": "strict", + "dynamic_templates": [ + { + "org": { + "path_match": "org.props", + "mapping": { + "type": "keyword" + } + } + } + ], + "properties": { + "uuid": { + "type": "integer" + }, + "id": { + "type": "integer" + }, + "version_id" : { + "type": "integer" + }, + "domain": { + "type": "keyword" + }, + "tld": { + "type": "keyword" + }, + "status": { + "type": "integer" + }, + "status_name": { + "type": "keyword" + }, + "flagged": { + "type": "boolean" + }, + "flagged_source": { + "type": "keyword" + }, + "org_names": { + "type": "keyword" + }, + "org_id": { + "type": "keyword" + }, + "org": { + "type" : "nested", + "properties": { + "id" : { + "type": "integer" + }, + "pid" : { + "type": "keyword" + }, + "name" : { + "type": "text" + }, + "props" : { + "type": "object", + "properties": {}, + "dynamic": true + }, + "is_parent" : { + "type": "boolean" + } + } + }, + "category": { + "type": "integer" + }, + "category_name": { + "type": "keyword" + }, + "num_users": { + "type": "integer" + }, + "num_active": { + "type": "integer" + }, + "num_inactive": { + "type": "integer" + }, + "num_confirmed": { + "type": "integer" + }, + "num_verified": { + "type": "integer" + }, + "num_blocked": { + "type": "integer" + }, + "created": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "indexed_at": { + "type": "date" + } + } + } +} diff --git a/invenio_users_resources/records/mappings/os-v1/users/user-v2.0.0.json b/invenio_users_resources/records/mappings/os-v1/users/user-v2.0.0.json new file mode 100644 index 0000000..412df19 --- /dev/null +++ b/invenio_users_resources/records/mappings/os-v1/users/user-v2.0.0.json @@ -0,0 +1,158 @@ +{ + "mappings": { + "dynamic": "strict", + "dynamic_templates": [ + { + "profile": { + "path_match": "profile.*", + "mapping": { + "type": "keyword" + } + } + }, + { + "preferences": { + "path_match": "preferences.*", + "mapping": { + "type": "keyword" + } + } + }, + { + "identities": { + "path_match": "identities.*", + "mapping": { + "type": "keyword" + } + } + } + ], + "properties": { + "$schema": { + "type": "keyword", + "index": "false" + }, + "id": { + "type": "keyword" + }, + "version_id": { + "type": "integer" + }, + "uuid": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "current_login_at": { + "type": "date" + }, + "active": { + "type": "boolean" + }, + "confirmed_at": { + "type": "date" + }, + "indexed_at": { + "type": "date" + }, + "confirmed": { + "type": "boolean" + }, + "blocked_at": { + "type": "date" + }, + "blocked": { + "type": "boolean" + }, + "verified_at": { + "type": "date" + }, + "verified": { + "type": "boolean" + }, + "username": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "email_hidden": { + "type": "keyword" + }, + "domain": { + "type": "keyword" + }, + "domaininfo": { + "properties": { + "status": { + "type": "integer" + }, + "flagged": { + "type": "boolean" + }, + "category": { + "type": "integer" + }, + "tld": { + "type": "keyword" + } + } + }, + "identities": { + "type": "object", + "properties": {}, + "dynamic": true + }, + "profile": { + "properties": { + "full_name": { + "type": "text" + }, + "affiliations": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + }, + "dynamic": true + }, + "preferences": { + "properties": { + "visibility": { + "type": "keyword" + }, + "email_visibility": { + "type": "keyword" + }, + "locale": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "notifications": { + "properties": { + "enabled": { + "type": "boolean" + } + } + } + }, + "dynamic": true + }, + "status": { + "type": "keyword" + }, + "visibility": { + "type": "keyword" + } + } + } +} diff --git a/invenio_users_resources/records/mappings/os-v2/domains/domain-v1.0.0.json b/invenio_users_resources/records/mappings/os-v2/domains/domain-v1.0.0.json new file mode 100644 index 0000000..4c8e45e --- /dev/null +++ b/invenio_users_resources/records/mappings/os-v2/domains/domain-v1.0.0.json @@ -0,0 +1,105 @@ +{ + "mappings": { + "dynamic": "strict", + "dynamic_templates": [ + { + "org": { + "path_match": "org.props", + "mapping": { + "type": "keyword" + } + } + } + ], + "properties": { + "uuid": { + "type": "integer" + }, + "id": { + "type": "integer" + }, + "version_id" : { + "type": "integer" + }, + "domain": { + "type": "keyword" + }, + "tld": { + "type": "keyword" + }, + "status": { + "type": "integer" + }, + "status_name": { + "type": "keyword" + }, + "flagged": { + "type": "boolean" + }, + "flagged_source": { + "type": "keyword" + }, + "org_names": { + "type": "keyword" + }, + "org_id": { + "type": "keyword" + }, + "org": { + "type" : "nested", + "properties": { + "id" : { + "type": "integer" + }, + "pid" : { + "type": "keyword" + }, + "name" : { + "type": "text" + }, + "props" : { + "type": "object", + "properties": {}, + "dynamic": true + }, + "is_parent" : { + "type": "boolean" + } + } + }, + "category": { + "type": "integer" + }, + "category_name": { + "type": "keyword" + }, + "num_users": { + "type": "integer" + }, + "num_active": { + "type": "integer" + }, + "num_inactive": { + "type": "integer" + }, + "num_confirmed": { + "type": "integer" + }, + "num_verified": { + "type": "integer" + }, + "num_blocked": { + "type": "integer" + }, + "created": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "indexed_at": { + "type": "date" + } + } + } +} diff --git a/invenio_users_resources/records/mappings/os-v2/users/user-v2.0.0.json b/invenio_users_resources/records/mappings/os-v2/users/user-v2.0.0.json new file mode 100644 index 0000000..412df19 --- /dev/null +++ b/invenio_users_resources/records/mappings/os-v2/users/user-v2.0.0.json @@ -0,0 +1,158 @@ +{ + "mappings": { + "dynamic": "strict", + "dynamic_templates": [ + { + "profile": { + "path_match": "profile.*", + "mapping": { + "type": "keyword" + } + } + }, + { + "preferences": { + "path_match": "preferences.*", + "mapping": { + "type": "keyword" + } + } + }, + { + "identities": { + "path_match": "identities.*", + "mapping": { + "type": "keyword" + } + } + } + ], + "properties": { + "$schema": { + "type": "keyword", + "index": "false" + }, + "id": { + "type": "keyword" + }, + "version_id": { + "type": "integer" + }, + "uuid": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "current_login_at": { + "type": "date" + }, + "active": { + "type": "boolean" + }, + "confirmed_at": { + "type": "date" + }, + "indexed_at": { + "type": "date" + }, + "confirmed": { + "type": "boolean" + }, + "blocked_at": { + "type": "date" + }, + "blocked": { + "type": "boolean" + }, + "verified_at": { + "type": "date" + }, + "verified": { + "type": "boolean" + }, + "username": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "email_hidden": { + "type": "keyword" + }, + "domain": { + "type": "keyword" + }, + "domaininfo": { + "properties": { + "status": { + "type": "integer" + }, + "flagged": { + "type": "boolean" + }, + "category": { + "type": "integer" + }, + "tld": { + "type": "keyword" + } + } + }, + "identities": { + "type": "object", + "properties": {}, + "dynamic": true + }, + "profile": { + "properties": { + "full_name": { + "type": "text" + }, + "affiliations": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + }, + "dynamic": true + }, + "preferences": { + "properties": { + "visibility": { + "type": "keyword" + }, + "email_visibility": { + "type": "keyword" + }, + "locale": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "notifications": { + "properties": { + "enabled": { + "type": "boolean" + } + } + } + }, + "dynamic": true + }, + "status": { + "type": "keyword" + }, + "visibility": { + "type": "keyword" + } + } + } +} diff --git a/invenio_users_resources/records/mappings/v7/users/user-v2.0.0.json b/invenio_users_resources/records/mappings/v7/users/user-v2.0.0.json new file mode 100644 index 0000000..412df19 --- /dev/null +++ b/invenio_users_resources/records/mappings/v7/users/user-v2.0.0.json @@ -0,0 +1,158 @@ +{ + "mappings": { + "dynamic": "strict", + "dynamic_templates": [ + { + "profile": { + "path_match": "profile.*", + "mapping": { + "type": "keyword" + } + } + }, + { + "preferences": { + "path_match": "preferences.*", + "mapping": { + "type": "keyword" + } + } + }, + { + "identities": { + "path_match": "identities.*", + "mapping": { + "type": "keyword" + } + } + } + ], + "properties": { + "$schema": { + "type": "keyword", + "index": "false" + }, + "id": { + "type": "keyword" + }, + "version_id": { + "type": "integer" + }, + "uuid": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "current_login_at": { + "type": "date" + }, + "active": { + "type": "boolean" + }, + "confirmed_at": { + "type": "date" + }, + "indexed_at": { + "type": "date" + }, + "confirmed": { + "type": "boolean" + }, + "blocked_at": { + "type": "date" + }, + "blocked": { + "type": "boolean" + }, + "verified_at": { + "type": "date" + }, + "verified": { + "type": "boolean" + }, + "username": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "email_hidden": { + "type": "keyword" + }, + "domain": { + "type": "keyword" + }, + "domaininfo": { + "properties": { + "status": { + "type": "integer" + }, + "flagged": { + "type": "boolean" + }, + "category": { + "type": "integer" + }, + "tld": { + "type": "keyword" + } + } + }, + "identities": { + "type": "object", + "properties": {}, + "dynamic": true + }, + "profile": { + "properties": { + "full_name": { + "type": "text" + }, + "affiliations": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + }, + "dynamic": true + }, + "preferences": { + "properties": { + "visibility": { + "type": "keyword" + }, + "email_visibility": { + "type": "keyword" + }, + "locale": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "notifications": { + "properties": { + "enabled": { + "type": "boolean" + } + } + } + }, + "dynamic": true + }, + "status": { + "type": "keyword" + }, + "visibility": { + "type": "keyword" + } + } + } +} diff --git a/invenio_users_resources/records/models.py b/invenio_users_resources/records/models.py index 55f2271..92bc756 100644 --- a/invenio_users_resources/records/models.py +++ b/invenio_users_resources/records/models.py @@ -10,12 +10,14 @@ from abc import ABC, abstractmethod +from flask import current_app from invenio_accounts.proxies import current_datastore +from invenio_accounts.utils import DomainStatus from invenio_db import db -class MockModel(dict, ABC): - """Model class that does not correspondond to a database table. +class AggregateMetadata(ABC): + """Model class that does not corresponds to a database table. Since we already have all information about the required entities stored in the database and just want to provide a central API to @@ -25,11 +27,25 @@ class MockModel(dict, ABC): that's expected by API classes as far as necessary. """ - def __init__(self, data=None, model_obj=None, **kwargs): + _properties = [] + """Properties of this object that can be accessed.""" + + _set_properties = [] + """Properties of this object that can be set.""" + + _data = None + + def __init__(self, model_obj=None, **kwargs): """Constructor.""" - data.update(kwargs) - super().__init__(data) - self._model_obj = model_obj + super().__setattr__("_data", {}) + if model_obj is not None: + # E.g. when data is loaded from database + self.from_model(model_obj) + super().__setattr__("_model_obj", model_obj) + else: + # E.g. when data is loaded from the search index + self.from_kwargs(kwargs) + super().__setattr__("_model_obj", None) @property @abstractmethod @@ -37,91 +53,187 @@ def model_obj(self): """The actual model object behind this mock model.""" return None - @property - def id(self): - """User identifier.""" - return self.data["id"] - - @property - def created(self): - """When the user was created.""" - return self.model_obj.created - - @property - def updated(self): - """When the user was last updated.""" - return self.model_obj.updated - - @property - def version_id(self): - """Used by SQLAlchemy for optimistic concurrency control.""" - return self.model_obj.version_id - - @property - def data(self): - """Get the user's data by decoding the JSON.""" - return dict(self) - - @property - def json(self): - """Provide the user's data as a JSON/dict blob.""" - return dict(self) - + def from_kwargs(self, kwargs): + """Extract information from kwargs.""" + for p in self._properties: + self._data[p] = kwargs.get(p, None) + + def from_model(self, model_obj): + """Extract information from a user/role object.""" + # Edit self._properties if you need to add more properties + for p in self._properties: + self._data[p] = getattr(model_obj, p, None) + + def __getattr__(self, name): + """Get an attribute from the model.""" + if name in self._properties: + return self._data[name] + else: + raise AttributeError(name) + + def __setattr__(self, name, value): + """Set an attribute from the model.""" + if name not in self._set_properties: + raise AttributeError(name) + super().__setattr__(name, value) + setattr(self.model_obj, name, value) + + # Methods required to make it a record. @property def is_deleted(self): - """Boolean flag to determine if a user is soft deleted.""" - # TODO + """Method needed for the record API.""" return False @property - def blocked_at(self): - """Date when the user was blocked, if any.""" - return self.model_obj.blocked_at - - @blocked_at.setter - def blocked_at(self, value): - self.model_obj.blocked_at = value + def json(self): + """Method needed for the record API.""" + return {p: getattr(self, p, None) for p in self._properties} @property - def verified_at(self): - """Date when the user was verified, if any.""" - return self.model_obj.verified_at - - @verified_at.setter - def verified_at(self, value): - self.model_obj.verified_at = value + def data(self): + """Method needed for the record API.""" + return {p: getattr(self, p, None) for p in self._properties} + + +class UserAggregateModel(AggregateMetadata): + """User aggregate data model.""" + + # If you add properties here you likely also want to add a ModelField on + # the UserAggregate API class. + _properties = [ + "id", + "version_id", + "email", + "domain", + "username", + "active", + "preferences", + "profile", + "confirmed_at", + "blocked_at", + "verified_at", + "created", + "updated", + "current_login_at", + ] + """Properties of this object that can be accessed.""" + + _set_properties = [ + "active", + "blocked_at", + "confirmed_at", + "verified_at", + ] + """Properties of this object that can be set.""" + + def from_model(self, user): + """Extract information from a user object.""" + super().from_model(user) + self._data["profile"] = dict(user.user_profile or {}) + + # Set defaults + self._data["preferences"] = dict(self._data["preferences"] or {}) + self._data["preferences"].setdefault("visibility", "restricted") + self._data["preferences"].setdefault("email_visibility", "restricted") + default_locale = current_app.config.get("BABEL_DEFAULT_LOCALE", "en") + self._data["preferences"].setdefault("locale", default_locale) + self._data["preferences"].setdefault("timezone", "Europe/Zurich") + self._data["preferences"].setdefault( + "notifications", + { + "enabled": True, + }, + ) @property - def active(self): - """Boolean flag to determine if a user is active.""" - return self.model_obj.active + def model_obj(self): + """The actual model object behind this user aggregate.""" + if self._model_obj is None: + id_ = self._data.get("id") + with db.session.no_autoflush: + self._model_obj = current_datastore.get_user_by_id(id_) + return self._model_obj + - @active.setter - def active(self, value): - self.model_obj.active = value +class GroupAggregateModel(AggregateMetadata): + """Mock model for glueing together various parts of user group info.""" + _properties = [ + "id", + "version_id", + "name", + "description", + "is_managed", + "created", + "updated", + ] + """Properties of this object that can be accessed.""" -class UserAggregateModel(MockModel): - """Mock model for glueing together various parts of user info.""" + _set_properties = [] + """Properties of this object that can be set.""" @property def model_obj(self): """The actual model object behind this mock model.""" if self._model_obj is None: - id_ = self.data.get("id") - email = self.data.get("email") + name = self.data.get("id") with db.session.no_autoflush: - self._model_obj = current_datastore.get_user(id_ or email) + self._model_obj = current_datastore.find_role(name) return self._model_obj -class GroupAggregateModel(MockModel): +class DomainAggregateModel(AggregateMetadata): """Mock model for glueing together various parts of user group info.""" + _properties = [ + "category", + "created", + "domain", + "flagged_source", + "flagged", + "id", + "num_active", + "num_blocked", + "num_confirmed", + "num_inactive", + "num_users", + "num_verified", + "org_id", + "status", + "tld", + "updated", + "version_id", + ] + """Properties of this object that can be accessed.""" + + _set_properties = [ + "category", + "domain", + "flagged_source", + "flagged", + "org_id", + "status", + "tld", + ] + """Properties of this object that can be set.""" + + def from_model(self, domain): + """Extract information from a user object.""" + super().from_model(domain) + # Hardcoding version id to 1 since domain model doesn't have + # a version id because we update the table often outside + # of sqlalchemy ORM. + self._data["version_id"] = 1 + # Convert enum + status = self._data.get("status", None) + if status and isinstance(status, DomainStatus): + self._data["status"] = status.value + @property def model_obj(self): """The actual model object behind this mock model.""" if self._model_obj is None: - name = self.data.get("id") - self._model_obj = current_datastore.find_role(name) + domain = self.data.get("domain") + with db.session.no_autoflush: + self._model_obj = current_datastore.find_domain(domain) return self._model_obj diff --git a/invenio_users_resources/records/systemfields/__init__.py b/invenio_users_resources/records/systemfields/__init__.py new file mode 100644 index 0000000..0704884 --- /dev/null +++ b/invenio_users_resources/records/systemfields/__init__.py @@ -0,0 +1,167 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Data-layer definitions for user and group management in Invenio.""" + +from invenio_accounts.models import DomainOrg, UserIdentity +from invenio_accounts.proxies import current_datastore +from invenio_accounts.utils import DomainStatus +from invenio_records_resources.records.systemfields.calculated import CalculatedField + + +class CalculatedIndexedField(CalculatedField): + """Field that also indexes it's calculated value.""" + + def __init__(self, key=None, use_cache=False, index=False): + """Constructor.""" + super().__init__(key, use_cache=use_cache) + self._index = index + + def pre_dump(self, record, data, dumper=None): + """Called after a record is dumped.""" + if self._index: + data[self.attr_name] = self.obj(record) + + def post_load(self, record, data, loader=None): + """Called after a record is loaded.""" + if self._index: + value = data.pop(self.attr_name, None) + # Store on cache so if cache is used we don't fetch the object again. + self._set_cache(record, value) + + +class AccountStatusField(CalculatedIndexedField): + """Dump a combined account status value.""" + + def calculate(self, user_record): + """Logic for calculating the record's property.""" + status = "new" + if user_record.active: + if user_record.confirmed_at and user_record.verified_at: + status = "verified" + elif user_record.confirmed_at: + status = "confirmed" + else: + if user_record.blocked_at: + status = "blocked" + else: + status = "inactive" + return status + + +class AccountVisibilityField(CalculatedIndexedField): + """Dump a combined visibility status value.""" + + def calculate(self, user_record): + """Logic for calculating visibility status.""" + if user_record.preferences["email_visibility"] == "public": + return "full" + elif user_record.preferences["visibility"] == "public": + return "profile" + else: + return "hidden" + + +class IsNotNoneField(CalculatedIndexedField): + """Dump a bool for easier checking if a value is set.""" + + def __init__(self, field, *args, **kwargs): + """Constructor.""" + self._field = field + super().__init__(*args, **kwargs) + + def calculate(self, user_record): + """Checks if a timestamp is not none.""" + return getattr(user_record, self._field, None) is not None + + +class DomainField(CalculatedIndexedField): + """Get information about the user's domain.""" + + def calculate(self, user_record): + """Checks if a timestamp is not none.""" + domain = current_datastore.find_domain(user_record.domain) + if domain is None: + return { + "tld": "", + "status": "1", + "category": None, + "flagged": False, + } + else: + return { + "tld": domain.tld, + "status": domain.status.value, + "category": domain.category, + "flagged": domain.flagged, + } + + +class UserIdentitiesField(CalculatedIndexedField): + """Get a user's different linked account identities.""" + + def calculate(self, user_record): + """Checks if a timestamp is not none.""" + identities = UserIdentity.query.filter_by(id_user=user_record.id).all() + data = {i.method: i.id for i in identities} + return data + + +class DomainOrgField(CalculatedIndexedField): + """Get information about the user's domain.""" + + def calculate(self, domain_record): + """Checks if a timestamp is not none.""" + if not domain_record.model.org_id: + return None + + org = domain_record.model.model_obj.org + + parent_org = None + if org.parent_id is not None: + parent_org = org.parent + + data = [ + { + "id": org.id, + "pid": org.pid, + "name": org.name, + "props": org.json or {}, + "is_parent": False, + } + ] + if parent_org: + data.append( + { + "id": parent_org.id, + "pid": parent_org.pid, + "name": parent_org.name, + "props": parent_org.json or {}, + "is_parent": True, + } + ) + return data + + +class DomainCategoryNameField(CalculatedIndexedField): + """Dump the name of the category.""" + + def calculate(self, domain_record): + """Logic for calculating.""" + if domain_record.model.model_obj.category: + return domain_record.model.model_obj.category_name.label + else: + return None + + +class DomainStatusNameField(CalculatedIndexedField): + """Dump the name of the category.""" + + def calculate(self, domain_record): + """Logic for calculating.""" + return DomainStatus(domain_record.status).name diff --git a/invenio_users_resources/resources/__init__.py b/invenio_users_resources/resources/__init__.py index 1e7bb65..eb569dd 100644 --- a/invenio_users_resources/resources/__init__.py +++ b/invenio_users_resources/resources/__init__.py @@ -8,10 +8,13 @@ """Resources for users and roles/groups.""" +from .domains import DomainsResource, DomainsResourceConfig from .groups import GroupsResource, GroupsResourceConfig from .users import UsersResource, UsersResourceConfig __all__ = ( + "DomainsResource", + "DomainsResourceConfig", "GroupsResource", "GroupsResourceConfig", "UsersResource", diff --git a/invenio_users_resources/resources/domains/__init__.py b/invenio_users_resources/resources/domains/__init__.py new file mode 100644 index 0000000..a262177 --- /dev/null +++ b/invenio_users_resources/resources/domains/__init__.py @@ -0,0 +1,17 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2022 TU Wien. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Resources for user roles/groups.""" + +from .config import DomainsResourceConfig +from .resource import DomainsResource + +__all__ = ( + "DomainsResource", + "DomainsResourceConfig", +) diff --git a/invenio_users_resources/resources/domains/config.py b/invenio_users_resources/resources/domains/config.py new file mode 100644 index 0000000..e6b4bfd --- /dev/null +++ b/invenio_users_resources/resources/domains/config.py @@ -0,0 +1,43 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Domains resource config.""" + +import marshmallow as ma +from flask_resources import ( + JSONDeserializer, + JSONSerializer, + RequestBodyParser, + ResponseHandler, +) +from invenio_records_resources.resources import RecordResourceConfig + + +# +# Resource config +# +class DomainsResourceConfig(RecordResourceConfig): + """User groups resource configuration.""" + + blueprint_name = "domains" + url_prefix = "/domains" + + # Request parsing + request_headers = {} + request_body_parsers = { + "application/vnd.inveniordm.v1+json": RequestBodyParser(JSONDeserializer()), + "application/json": RequestBodyParser(JSONDeserializer()), + } + default_content_type = "application/vnd.inveniordm.v1+json" + + # Response handling + response_handlers = { + "application/vnd.inveniordm.v1+json": ResponseHandler(JSONSerializer()), + "application/json": ResponseHandler(JSONSerializer()), + } + default_accept_mimetype = "application/vnd.inveniordm.v1+json" diff --git a/invenio_users_resources/resources/domains/resource.py b/invenio_users_resources/resources/domains/resource.py new file mode 100644 index 0000000..211bf4a --- /dev/null +++ b/invenio_users_resources/resources/domains/resource.py @@ -0,0 +1,32 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Domains resource.""" + + +from flask_resources import HTTPJSONException, create_error_handler +from invenio_i18n import lazy_gettext as _ +from invenio_records_resources.resources import RecordResource +from sqlalchemy.exc import IntegrityError + + +# +# Resource +# +class DomainsResource(RecordResource): + """Resource for domains.""" + + error_handlers = { + **RecordResource.error_handlers, + IntegrityError: create_error_handler( + lambda e: HTTPJSONException( + code=400, + description=_("Domain already exists."), + ) + ), + } diff --git a/invenio_users_resources/resources/users/config.py b/invenio_users_resources/resources/users/config.py index 1356f60..6bf3d38 100644 --- a/invenio_users_resources/resources/users/config.py +++ b/invenio_users_resources/resources/users/config.py @@ -10,10 +10,14 @@ """Users resource config.""" import marshmallow as ma +from flask_resources import HTTPJSONException, create_error_handler +from invenio_cache.errors import LockAcquireFailed +from invenio_i18n import lazy_gettext as _ from invenio_records_resources.resources import ( RecordResourceConfig, SearchRequestArgsSchema, ) +from invenio_records_resources.resources.errors import ErrorHandlersMixin from marshmallow import fields @@ -35,12 +39,13 @@ class UsersResourceConfig(RecordResourceConfig): url_prefix = "/users" routes = { "list": "", - "moderation_search": "/moderation", + "search_all": "/all", "item": "/", "item-avatar": "//avatar.svg", "approve": "//approve", "block": "//block", "restore": "//restore", + "activate": "//activate", "deactivate": "//deactivate", "impersonate": "//impersonate", } @@ -50,3 +55,17 @@ class UsersResourceConfig(RecordResourceConfig): } request_search_args = UsersSearchRequestArgsSchema + + error_handlers = { + **ErrorHandlersMixin.error_handlers, + LockAcquireFailed: create_error_handler( + lambda e: ( + HTTPJSONException( + code=400, + description=_( + "User is locked due to concurrent running operation." + ), + ) + ) + ), + } diff --git a/invenio_users_resources/resources/users/resource.py b/invenio_users_resources/resources/users/resource.py index cb491a6..8c71095 100644 --- a/invenio_users_resources/resources/users/resource.py +++ b/invenio_users_resources/resources/users/resource.py @@ -42,8 +42,9 @@ def create_url_rules(self): route("POST", routes["block"], self.block), route("POST", routes["restore"], self.restore), route("POST", routes["deactivate"], self.deactivate), + route("POST", routes["activate"], self.activate), route("POST", routes["impersonate"], self.impersonate), - route("GET", routes["moderation_search"], self.search_all), + route("GET", routes["search_all"], self.search_all), ] @request_search_args @@ -133,6 +134,15 @@ def deactivate(self): ) return "", 200 + @request_view_args + def activate(self): + """Deactive user.""" + self.service.activate( + id_=resource_requestctx.view_args["id"], + identity=g.identity, + ) + return "", 200 + @request_view_args def impersonate(self): """Impersonate the user.""" diff --git a/invenio_users_resources/services/__init__.py b/invenio_users_resources/services/__init__.py index ad368ca..71ac7da 100644 --- a/invenio_users_resources/services/__init__.py +++ b/invenio_users_resources/services/__init__.py @@ -8,10 +8,13 @@ """Services for users and user roles/groups.""" +from .domains import DomainsService, DomainsServiceConfig from .groups import GroupsService, GroupsServiceConfig from .users import UsersService, UsersServiceConfig __all__ = ( + "DomainsService", + "DomainsServiceConfig", "GroupsService", "GroupsServiceConfig", "UsersService", diff --git a/invenio_users_resources/services/domains/__init__.py b/invenio_users_resources/services/domains/__init__.py new file mode 100644 index 0000000..4025518 --- /dev/null +++ b/invenio_users_resources/services/domains/__init__.py @@ -0,0 +1,17 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Services for domains.""" + +from .config import DomainsServiceConfig +from .service import DomainsService + +__all__ = ( + "DomainsService", + "DomainsServiceConfig", +) diff --git a/invenio_users_resources/services/domains/components.py b/invenio_users_resources/services/domains/components.py new file mode 100644 index 0000000..9202ba1 --- /dev/null +++ b/invenio_users_resources/services/domains/components.py @@ -0,0 +1,56 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN. +# +# Invenio-Records-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Domains service component.""" + +from invenio_accounts.models import DomainOrg +from invenio_db import db +from invenio_records_resources.services.records.components import ServiceComponent + + +class DomainComponent(ServiceComponent): + """Service component for metadata.""" + + def create(self, identity, data=None, record=None, errors=None, **kwargs): + """Inject fields into the record.""" + # Note, DB model takes care of setting tld + record.domain = data["domain"] + record.status = data["status"] + # Optional values + record.flagged = data.get("flagged", False) + record.flagged_source = data.get("flagged_source", "") + record.category = data.get("category", None) + self._handle_org(data, record) + + def update(self, identity, data=None, record=None, **kwargs): + """Inject update fields into the domain.""" + # Main part of the validation happens in the schema hence here we just + # pass on already validated properties. + + # Required values + record.status = data["status"] + # Optional values + record.flagged = data.get("flagged", record.flagged) + record.flagged_source = data.get("flagged_source", record.flagged_source) + record.category = data.get("category", record.category) + self._handle_org(data, record) + + def _handle_org(self, data, record): + # Handle organisation + if "org" in data: + if data["org"] is None: + record.org_id = None + else: + org = data["org"] + obj = DomainOrg.query.filter_by(pid=org["pid"]).one_or_none() + if obj is None: + with db.session.begin_nested(): + obj = DomainOrg.create( + org["pid"], org["name"], json=org.get("props", None) + ) + record.org_id = obj.id diff --git a/invenio_users_resources/services/domains/config.py b/invenio_users_resources/services/domains/config.py new file mode 100644 index 0000000..8d130e3 --- /dev/null +++ b/invenio_users_resources/services/domains/config.py @@ -0,0 +1,103 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2022 TU Wien. +# Copyright (C) 2024 CERN. +# Copyright (C) 2023 Graz University of Technology. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Domains service configuration.""" + +from invenio_i18n import lazy_gettext as _ +from invenio_records_resources.services import ( + RecordServiceConfig, + SearchOptions, + pagination_links, +) +from invenio_records_resources.services.base.config import ( + ConfiguratorMixin, + FromConfigSearchOptions, + SearchOptionsMixin, +) +from invenio_records_resources.services.records.params import ( + FacetsParam, + PaginationParam, + QueryStrParam, + SortParam, +) +from invenio_records_resources.services.records.queryparser import QueryParser + +from ...records.api import DomainAggregate +from ..common import Link +from ..permissions import DomainPermissionPolicy +from ..schemas import DomainSchema +from .components import DomainComponent + + +class DomainsSearchOptions(SearchOptions, SearchOptionsMixin): + """Search options.""" + + pagination_options = { + "default_results_per_page": 30, + "default_max_results": 1000, + } + + query_parser_cls = QueryParser.factory( + fields=[ + "id", + "domain^3", + ], + ) + + sort_default = "bestmatch" + sort_default_no_query = "newest" + + params_interpreters_cls = [ + QueryStrParam, + SortParam, + PaginationParam, + FacetsParam, + ] + + +def domainvar(obj, vars): + """Add domain into link vars.""" + vars["domain"] = obj.domain + + +class DomainsServiceConfig(RecordServiceConfig, ConfiguratorMixin): + """Requests service configuration.""" + + # common configuration + permission_policy_cls = DomainPermissionPolicy + search = FromConfigSearchOptions( + "USERS_RESOURCES_DOMAINS_SEARCH", + "USERS_RESOURCES_DOMAINS_SORT_OPTIONS", + "USERS_RESOURCES_DOMAINS_SEARCH_FACETS", + search_option_cls=DomainsSearchOptions, + ) + + # specific configuration + service_id = "domains" + record_cls = DomainAggregate + schema = DomainSchema + indexer_queue_name = "domains" + index_dumper = None + + # links configuration + links_item = { + "self": Link("{+api}/domains/{domain}", vars=domainvar), + "admin_self_html": Link( + "{+ui}/administration/domains/{domain}", vars=domainvar + ), + "admin_users_html": Link( + "{+ui}/administration/users?q=domain:{domain}", vars=domainvar + ), + } + links_search = pagination_links("{+api}/domains{?args*}") + + components = [ + DomainComponent, + ] diff --git a/invenio_users_resources/services/domains/facets.py b/invenio_users_resources/services/domains/facets.py new file mode 100644 index 0000000..b2d9bd2 --- /dev/null +++ b/invenio_users_resources/services/domains/facets.py @@ -0,0 +1,51 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Domains search facets definitions.""" + +from invenio_i18n import gettext as _ +from invenio_records_resources.services.records.facets import TermsFacet + +status = TermsFacet( + field="status_name", + label=_("Status"), + value_labels={ + "new": _("New"), + "moderated": _("Moderated"), + "verified": _("Verified"), + "blocked": _("Blocked"), + }, +) + + +flagged = TermsFacet( + field="flagged", + label=_("Flagged"), + value_labels={ + True: _("Yes"), + False: _("No"), + }, +) + + +category = TermsFacet( + field="category_name", + label=_("Category"), +) + + +organisation = TermsFacet( + field="org_names", + label=_("Organisation"), +) + + +tld = TermsFacet( + field="tld", + label=_("Top-level domain"), +) diff --git a/invenio_users_resources/services/domains/service.py b/invenio_users_resources/services/domains/service.py new file mode 100644 index 0000000..25cb690 --- /dev/null +++ b/invenio_users_resources/services/domains/service.py @@ -0,0 +1,26 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2022 KTH Royal Institute of Technology +# Copyright (C) 2022 TU Wien. +# Copyright (C) 2024 CERN. +# Copyright (C) 2022 European Union. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Domains service.""" + +from invenio_accounts.models import Domain +from invenio_db import db +from invenio_records_resources.services import RecordService + + +class DomainsService(RecordService): + """Domains service.""" + + def rebuild_index(self, identity, uow=None): + """Reindex all user groups managed by this service.""" + domains = db.session.query(Domain.domain).yield_per(1000) + self.indexer.bulk_index([r[0] for r in domains]) + return True diff --git a/invenio_users_resources/services/domains/tasks.py b/invenio_users_resources/services/domains/tasks.py new file mode 100644 index 0000000..9409518 --- /dev/null +++ b/invenio_users_resources/services/domains/tasks.py @@ -0,0 +1,38 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN. +# Copyright (C) 2022 TU Wien. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Users service tasks.""" + +from celery import shared_task +from flask import current_app +from invenio_search.engine import search + +from ...proxies import current_domains_service + + +@shared_task(ignore_result=True) +def reindex_domains(domain_ids): + """Reindex the given domains.""" + index = current_domains_service.record_cls.index + if current_domains_service.indexer.exists(index): + try: + current_domains_service.indexer.bulk_index(domain_ids) + except search.exceptions.ConflictError as e: + current_app.logger.warn(f"Could not bulk-reindex groups: {e}") + + +@shared_task(ignore_result=True) +def delete_domains(domain_ids): + """Delete domains from index.""" + index = current_domains_service.record_cls.index + if current_domains_service.indexer.exists(index): + try: + current_domains_service.indexer.bulk_delete(domain_ids) + except search.exceptions.ConflictError as e: + current_app.logger.warn(f"Could not bulk-unindex groups: {e}") diff --git a/invenio_users_resources/services/permissions.py b/invenio_users_resources/services/permissions.py index a1eac30..a2d3d23 100644 --- a/invenio_users_resources/services/permissions.py +++ b/invenio_users_resources/services/permissions.py @@ -61,3 +61,13 @@ class GroupsPermissionPolicy(BasePermissionPolicy): can_search = [AuthenticatedUser(), SystemProcess()] can_update = [SystemProcess()] can_delete = [SystemProcess()] + + +class DomainPermissionPolicy(BasePermissionPolicy): + """Permission policy for users and user groups.""" + + can_create = [UserManager, SystemProcess()] + can_read = [UserManager, SystemProcess()] + can_search = [UserManager, SystemProcess()] + can_update = [UserManager, SystemProcess()] + can_delete = [UserManager, SystemProcess()] diff --git a/invenio_users_resources/services/schemas.py b/invenio_users_resources/services/schemas.py index 85f5d1b..958b808 100644 --- a/invenio_users_resources/services/schemas.py +++ b/invenio_users_resources/services/schemas.py @@ -9,22 +9,49 @@ """User and user group schemas.""" +from flask import current_app from invenio_access.permissions import system_user_id +from invenio_accounts.models import DomainCategory from invenio_accounts.profiles.schemas import ( validate_locale, validate_timezone, validate_visibility, ) +from invenio_accounts.utils import DomainStatus from invenio_i18n import lazy_gettext as _ from invenio_records_resources.services.records.schema import ( BaseGhostSchema, BaseRecordSchema, ) -from marshmallow import Schema, ValidationError, fields -from marshmallow_utils.fields import ISODateString, SanitizedUnicode +from marshmallow import ( + EXCLUDE, + Schema, + ValidationError, + fields, + post_load, + pre_load, + validate, + validates_schema, +) +from marshmallow_utils.fields import Links, SanitizedUnicode, TZDateTime from marshmallow_utils.permissions import FieldPermissionsMixin +class DomainInfoSchema(Schema): + """Schema for domain info.""" + + status = fields.String() + tld = fields.String() + flagged = fields.Boolean() + + +class IdentitiesSchema(Schema): + """Schema for domain info.""" + + github = fields.String() + orcid = fields.String() + + class UserPreferencesSchema(Schema): """Schema for user preferences.""" @@ -46,30 +73,47 @@ class UserSchema(BaseRecordSchema, FieldPermissionsMixin): field_dump_permissions = { "email": "read_email", + "domain": "read_details", "created": "read_details", "updated": "read_details", "revision_id": "read_details", "active": "read_details", + "status": "read_system_details", + "visibility": "read_system_details", "confirmed": "read_details", + "verified": "read_details", + "blocked": "read_details", "preferences": "read_details", + "domaininfo": "read_system_details", "blocked_at": "read_system_details", "verified_at": "read_system_details", "confirmed_at": "read_system_details", + "current_login_at": "read_system_details", } # NOTE: API should only deliver users that are active & confirmed active = fields.Boolean() confirmed = fields.Boolean(dump_only=True) + blocked = fields.Boolean(dump_only=True) + verified = fields.Boolean(dump_only=True) + status = fields.Str(dump_only=True) + visibility = fields.Str(dump_only=True) is_current_user = fields.Method("is_self", dump_only=True) email = fields.String() + domain = fields.String() + domaininfo = fields.Nested(DomainInfoSchema) + identities = fields.Nested(IdentitiesSchema, default={}) username = fields.String() profile = fields.Dict() preferences = fields.Nested(UserPreferencesSchema) - blocked_at = ISODateString() - verified_at = ISODateString() - confirmed_at = ISODateString() + blocked_at = TZDateTime(dump_only=True) + verified_at = TZDateTime(dump_only=True) + confirmed_at = TZDateTime(dump_only=True) + current_login_at = TZDateTime(dump_only=True) + created = TZDateTime(dump_only=True) + updated = TZDateTime(dump_only=True) def is_self(self, obj): """Determine if identity is the current identity.""" @@ -124,3 +168,112 @@ class NotificationPreferences(Schema): """Schema for notification preferences.""" enabled = fields.Bool() + + +class DomainOrgSchema(Schema): + """Schema for domain orgs.""" + + id = fields.Integer(dump_only=True) + pid = fields.String(validate=validate.Length(min=1, max=255), required=True) + name = fields.String(validate=validate.Length(min=1, max=255), required=True) + props = fields.Dict( + keys=fields.String(required=True), + values=fields.String(validate=validate.Length(max=255)), + ) + is_parent = fields.Boolean(dump_only=True, dump_default=False) + + @validates_schema + def validate_props(self, data, **kwargs): + """Apply instance specific validation on props.""" + schema = current_app.config["USERS_RESOURCES_DOMAINS_ORG_SCHEMA"] + props = data.get("props", {}) + if props: + schema.load(props) + + +def validate_domain(value): + """Domain validation.""" + # Basic validation - zenodo has some pretty funky domains so we are not too + # strict here. + if len(value) > 255: + raise ValidationError("Length must be less than 255.") + value = value.lower().strip() + if "." not in value: + raise ValidationError("Not a domain name.") + prefix, tld = value.rsplit(".", 1) + if tld == "": + raise ValidationError("Not a domain name.") + + +class DomainSchema(Schema): + """Schema for user groups.""" + + id = fields.Str(dump_only=True) + domain = fields.String( + validate=validate_domain, required=True, metadata={"create_only": True} + ) + tld = fields.String(dump_only=True) + status = fields.Integer(dump_only=True) + status_name = fields.String( + validate=validate.OneOf([s.name for s in list(DomainStatus)]), + load_default=DomainStatus.new.name, + ) + category = fields.Integer(dump_only=True, metadata={"read_only": True}) + category_name = fields.String(validate=validate.Length(min=1, max=255)) + flagged = fields.Boolean(default=False, metadata={"checked": False}) + flagged_source = fields.Str(validate=validate.Length(max=255), load_default="") + org = fields.List( + fields.Nested(DomainOrgSchema), dump_default=None, load_default=None + ) + num_users = fields.Integer(dump_only=True) + num_active = fields.Integer(dump_only=True) + num_inactive = fields.Integer(dump_only=True) + num_confirmed = fields.Integer(dump_only=True) + num_verified = fields.Integer(dump_only=True) + num_blocked = fields.Integer(dump_only=True) + created = TZDateTime(dump_only=True) + updated = TZDateTime(dump_only=True) + links = Links(dump_only=True) + + class Meta: + """Schema meta.""" + + unknown = EXCLUDE + + @pre_load + def preprocess(self, data, **kwargs): + """Preprocess form data.""" + # Handle misbehaving clients. + if "org" in data and data["org"] == "": + del data["org"] + return data + + @post_load + def postprocess(self, data, **kwargs): + """Process output data.""" + data["domain"] = data["domain"].lower().strip() + data["domain"].strip() + data["status_name"] = DomainStatus[data["status_name"]] + data["status"] = data["status_name"].value + if "category_name" in data: + if data["category_name"] is None: + data["category"] = None + else: + category = DomainCategory.get(data["category_name"]) + data["category"] = category.id + if "org" in data: + org = data["org"] + if org is None or len(org) == 0: + data["org"] = None + else: + # discard parent + data["org"] = org[0] + return data + + @validates_schema + def validate_category(self, data, **kwargs): + """Validate category data.""" + if "category_name" in data and data["category_name"] is not None: + category = DomainCategory.get(data["category_name"]) + if category is None: + raise ValidationError("Invalid category_name.") diff --git a/invenio_users_resources/services/users/config.py b/invenio_users_resources/services/users/config.py index 3f19c7b..5542d5e 100644 --- a/invenio_users_resources/services/users/config.py +++ b/invenio_users_resources/services/users/config.py @@ -9,6 +9,7 @@ """Users service configuration.""" +from invenio_accounts.utils import DomainStatus from invenio_records_resources.services import RecordServiceConfig, pagination_links from invenio_records_resources.services.base.config import ( ConfiguratorMixin, @@ -24,20 +25,36 @@ SortParam, ) from invenio_records_resources.services.records.queryparser import ( + FieldValueMapper, QueryParser, SearchFieldTransformer, ) +from luqum.tree import Word from ...records.api import UserAggregate from ..common import Link from ..params import FixedPagination from ..permissions import UsersPermissionPolicy from ..schemas import UserSchema -from ..users import facets from .results import UserItem, UserList from .search_params import ModerationFilterParam +def can_manage(obj, ctx): + """Check if user can manage.""" + from invenio_users_resources.proxies import current_users_service + + return current_users_service.check_permission(ctx["identity"], "manage") + + +def word_domain_status(node): + """Quote DOIs.""" + val = node.value + if val in ["verified", "blocked", "moderated", "new"]: + val = DomainStatus[node.value].value + return Word(f"{val}") + + class UserSearchOptions(SearchOptions, SearchOptionsMixin): """Search options.""" @@ -45,10 +62,15 @@ class UserSearchOptions(SearchOptions, SearchOptionsMixin): "default_results_per_page": 10, "default_max_results": 10, } + # ATTENTION: Risk of leaking account information!!! + # The user search needs to be highly restricted to avoid leaking + # account information, hence do not edit here unless you are + # absolutely sure what you're doing. query_parser_cls = QueryParser.factory( tree_transformer_cls=SearchFieldTransformer, fields=["username^2", "email^2", "profile.full_name^3", "profile.affiliations"], - allow_list=["username", "email"], # mapped fields are added on the query parser + # Only public emails because hidden emails are stored in email_hidden field. + allow_list=["username", "email"], mapping={ "affiliation": "profile.affiliations", "affiliations": "profile.affiliations", @@ -63,41 +85,69 @@ class UserSearchOptions(SearchOptions, SearchOptionsMixin): SortParam, FixedPagination, FacetsParam, - ModerationFilterParam.factory(param="is_blocked", field="blocked_at"), - ModerationFilterParam.factory(param="is_verified", field="verified_at"), - ModerationFilterParam.factory(param="is_active", field="active"), ] - facets = { - "email_domain": facets.email_domain, - "affiliations": facets.affiliations, - } - class AdminUserSearchOptions(UserSearchOptions): """Admin Search options.""" pagination_options = { - "default_results_per_page": 10, + "default_results_per_page": 20, "default_max_results": 100, } query_parser_cls = QueryParser.factory( tree_transformer_cls=SearchFieldTransformer, fields=[ - "id", - "username^2", - "email^2", + "username^3", + "email_hidden^3", + "domain^2", "profile.full_name^3", + ], + allow_list=[ + "id", + "username", + "domain", + "email_hidden", + "profile.full_name", "profile.affiliations", + "created", + "updated", + "confirmed", + "confirmed_at", + "blocked_at", + "verified_at", + "preferences.visibility", + "preferences.email_visibility", + "visibility", + "status", + "current_login_at", + "identities.github", + "identities.orcid", + "identities.openaire", + "domaininfo.status", + "domaininfo.flagged", + "domaininfo.tld", + "domaininfo.category", ], - allow_list=["id", "username", "email"], mapping={ "affiliation": "profile.affiliations", "affiliations": "profile.affiliations", "full_name": "profile.full_name", "fullname": "profile.full_name", "name": "profile.full_name", + "email": "email_hidden", + "visibility": "preferences.visibility", + "email_visibility": "preferences.email_visibility", + "github": "identities.github", + "orcid": "identities.orcid", + "openaire": "identities.openaire", + "domain.status": FieldValueMapper( + "domaininfo.status", word=word_domain_status + ), + "domain.tld": "domaininfo.tld", + "domain.category": "domaininfo.category", + "domain.flagged": "domaininfo.flagged", }, ) @@ -119,12 +169,10 @@ class UsersServiceConfig(RecordServiceConfig, ConfiguratorMixin): permission_policy_cls = UsersPermissionPolicy result_item_cls = UserItem result_list_cls = UserList - search = FromConfigSearchOptions( - "USERS_RESOURCES_SEARCH", - "USERS_RESOURCES_SORT_OPTIONS", - "USERS_RESOURCES_SEARCH_FACETS", - search_option_cls=UserSearchOptions, - ) + # We're not allowing override of options to prevent risk of + # leaking account information. + search = UserSearchOptions + # For admin user search_all = FromConfigSearchOptions( "USERS_RESOURCES_SEARCH", @@ -144,6 +192,16 @@ class UsersServiceConfig(RecordServiceConfig, ConfiguratorMixin): links_item = { "self": Link("{+api}/users/{id}"), "avatar": Link("{+api}/users/{id}/avatar.svg"), + "records_html": Link("{+ui}/search/records?q=user:{id}"), + "admin_records_html": Link( + "{+ui}/administration/records?q=user:{id}&f=allversions", when=can_manage + ), + "admin_drafts_html": Link( + "{+ui}/administration/drafts?q=user:{id}&f=allversions", when=can_manage + ), + "admin_moderation_html": Link( + "{+ui}/administration/moderation?q=topic.user:{id}", when=can_manage + ), # TODO missing moderation actions based on permissions } links_search = pagination_links("{+api}/users{?args*}") diff --git a/invenio_users_resources/services/users/facets.py b/invenio_users_resources/services/users/facets.py index 640fc08..598bdfe 100644 --- a/invenio_users_resources/services/users/facets.py +++ b/invenio_users_resources/services/users/facets.py @@ -11,12 +11,45 @@ from invenio_i18n import gettext as _ from invenio_records_resources.services.records.facets import TermsFacet -email_domain = TermsFacet( - field="email.domain", - label=_("Email domain"), +domain = TermsFacet( + field="domain", + label=_("Domain"), +) + +domain_status = TermsFacet( + field="domaininfo.status", + label=_("Domain status"), + value_labels={ + 1: _("New"), + 2: _("Moderated"), + 3: _("Verified"), + 4: _("Blocked"), + }, ) affiliations = TermsFacet( field="profile.affiliations.keyword", label=_("Affiliations"), ) + +status = TermsFacet( + field="status", + label=_("Account status"), + value_labels={ + "new": _("New"), + "verified": _("Verified"), + "confirmed": _("Confirmed"), + "blocked": _("Blocked"), + "inactive": _("Inactive"), + }, +) + +visibility = TermsFacet( + field="visibility", + label=_("Profile visibility"), + value_labels={ + "hidden": _("Hidden"), + "profile": _("Profile"), + "full": _("Full"), + }, +) diff --git a/invenio_users_resources/services/users/service.py b/invenio_users_resources/services/users/service.py index 8c395a9..970c431 100644 --- a/invenio_users_resources/services/users/service.py +++ b/invenio_users_resources/services/users/service.py @@ -10,21 +10,14 @@ # details. """Users service.""" -from datetime import datetime -from flask import current_app from invenio_accounts.models import User from invenio_db import db from invenio_records_resources.resources.errors import PermissionDeniedError from invenio_records_resources.services import RecordService -from invenio_records_resources.services.uow import ( - RecordCommitOp, - RecordIndexOp, - TaskOp, - unit_of_work, -) +from invenio_records_resources.services.uow import RecordCommitOp, TaskOp, unit_of_work from invenio_search.engine import dsl -from werkzeug.local import LocalProxy +from marshmallow import ValidationError from invenio_users_resources.services.results import AvatarResult from invenio_users_resources.services.users.tasks import execute_moderation_actions @@ -145,16 +138,13 @@ def block(self, identity, id_, uow=None): self.require_permission(identity, "manage", record=user) + if user.blocked: + raise ValidationError("User is already blocked.") + # Throws if not acquired ModerationMutex(id_).acquire() - - UserAggregate.deactivate(id_) - user.model.blocked_at = datetime.utcnow() - user.model.verified_at = None - - user.commit() - - uow.register(RecordIndexOp(user, indexer=self.indexer, index_refresh=True)) + user.block() + uow.register(RecordCommitOp(user, indexer=self.indexer, index_refresh=True)) # Register a task to execute callback actions asynchronously, after committing the user uow.register( @@ -172,17 +162,14 @@ def restore(self, identity, id_, uow=None): self.require_permission(identity, "manage", record=user) + if not user.blocked: + raise ValidationError("User is not blocked.") + # Throws if not acquired ModerationMutex(id_).acquire() - - UserAggregate.activate(id_) - user.model.blocked_at = None - user.model.verified_at = datetime.utcnow() - - user.commit() - + user.activate() # User is blocked from now on, "after" actions are executed separately. - uow.register(RecordIndexOp(user, indexer=self.indexer, index_refresh=True)) + uow.register(RecordCommitOp(user, indexer=self.indexer, index_refresh=True)) # Register a task to execute callback actions asynchronously, after committing the user uow.register( @@ -200,16 +187,13 @@ def approve(self, identity, id_, uow=None): self.require_permission(identity, "manage", record=user) + if user.verified: + raise ValidationError("User is already verified.") + # Throws if not acquired ModerationMutex(id_).acquire() - - UserAggregate.activate(id_) - user.model.blocked_at = None - user.model.verified_at = datetime.utcnow() - - user.commit() - - uow.register(RecordIndexOp(user, indexer=self.indexer, index_refresh=True)) + user.verify() + uow.register(RecordCommitOp(user, indexer=self.indexer, index_refresh=True)) # Register a task to execute callback actions asynchronously, after committing the user uow.register( @@ -224,19 +208,27 @@ def deactivate(self, identity, id_, uow=None): if user is None: # return 403 even on empty resource due to security implications raise PermissionDeniedError() - self.require_permission(identity, "manage", record=user) - # Throws if not acquired - ModerationMutex(id_).acquire() - - UserAggregate.deactivate(id_) - user.model.blocked_at = None - user.model.verified_at = None + if not user.active: + raise ValidationError("User is already inactive.") - user.commit() + user.deactivate() + uow.register(RecordCommitOp(user, indexer=self.indexer, index_refresh=True)) + return True - uow.register(RecordIndexOp(user, indexer=self.indexer, index_refresh=True)) + @unit_of_work() + def activate(self, identity, id_, uow=None): + """Activate a user.""" + user = UserAggregate.get_record(id_) + if user is None: + # return 403 even on empty resource due to security implications + raise PermissionDeniedError() + self.require_permission(identity, "manage", record=user) + if user.active and user.confirmed: + raise ValidationError("User is already active.") + user.activate() + uow.register(RecordCommitOp(user, indexer=self.indexer, index_refresh=True)) return True def can_impersonate(self, identity, id_): diff --git a/invenio_users_resources/views.py b/invenio_users_resources/views.py index 88c23b9..3af93ff 100644 --- a/invenio_users_resources/views.py +++ b/invenio_users_resources/views.py @@ -32,9 +32,11 @@ def init(state): # services rr_ext.registry.register(ext.users_service) rr_ext.registry.register(ext.groups_service) + rr_ext.registry.register(ext.domains_service) idx_ext.registry.register(ext.users_service.indexer, indexer_id="users") idx_ext.registry.register(ext.groups_service.indexer, indexer_id="groups") + idx_ext.registry.register(ext.domains_service.indexer, indexer_id="domains") def create_users_resources_bp(app): @@ -47,3 +49,9 @@ def create_groups_resources_bp(app): """Create the user groups resource blueprint.""" ext = app.extensions["invenio-users-resources"] return ext.groups_resource.as_blueprint() + + +def create_domains_resources_bp(app): + """Create the domains resource blueprint.""" + ext = app.extensions["invenio-users-resources"] + return ext.domains_resource.as_blueprint() diff --git a/setup.cfg b/setup.cfg index 56b5478..3efda01 100644 --- a/setup.cfg +++ b/setup.cfg @@ -56,12 +56,14 @@ invenio_base.api_apps = invenio_base.api_blueprints = invenio_users = invenio_users_resources.views:create_users_resources_bp invenio_groups = invenio_users_resources.views:create_groups_resources_bp + invenio_domains = invenio_users_resources.views:create_domains_resources_bp invenio_users_resources = invenio_users_resources.views:blueprint invenio_base.blueprints = invenio_users_resources = invenio_users_resources.views:blueprint invenio_search.mappings = users = invenio_users_resources.records.mappings groups = invenio_users_resources.records.mappings + domains = invenio_users_resources.records.mappings invenio_i18n.translations = messages = invenio_users_resources invenio_access.actions = diff --git a/tests/conftest.py b/tests/conftest.py index 94c0927..aee749d 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -19,7 +19,8 @@ from flask_principal import AnonymousIdentity from invenio_access.models import ActionRoles from invenio_access.permissions import any_user as any_user_need -from invenio_accounts.models import Role +from invenio_access.permissions import system_identity +from invenio_accounts.models import Domain, DomainCategory, DomainOrg, Role from invenio_accounts.proxies import current_datastore from invenio_app.factory import create_api from invenio_cache.proxies import current_cache @@ -27,6 +28,7 @@ from invenio_users_resources.permissions import user_management_action from invenio_users_resources.proxies import ( + current_domains_service, current_groups_service, current_users_service, ) @@ -257,7 +259,6 @@ def _create_group(id, name, description, is_managed, database): id=id, name=name, description=description, is_managed=is_managed ) current_datastore.commit() - return r @@ -365,3 +366,102 @@ def clear_cache(): Locking is done using cache, therefore the cache must be cleared after each test to make sure that locks from previous tests are cleared. """ current_cache.cache.clear() + + +@pytest.fixture(scope="module") +def domains_data(): + """Data for domains.""" + return [ + { + "domain": "cern.ch", + "tld": "ch", + "status": 3, + "flagged": False, + "flagged_source": "", + "category": 1, + "org_id": 1, + }, + { + "domain": "inveniosoftware.org", + "tld": "org", + "status": 3, + "flagged": False, + "flagged_source": "", + "org_id": 2, + }, + { + "domain": "new.org", + "tld": "org", + "status": 1, + "flagged": False, + "flagged_source": "", + }, + { + "domain": "moderated.org", + "tld": "org", + "status": 2, + "flagged": True, + "flagged_source": "disposable", + "category": 3, + }, + { + "domain": "spammer.com", + "tld": "com", + "status": 4, + "flagged": True, + "flagged_source": "", + "category": 4, + }, + ] + + +@pytest.fixture(scope="module") +def domaincategories_data(): + """Data for domains.""" + return [ + {"id": 1, "label": "organization"}, + {"id": 2, "label": "company"}, + {"id": 3, "label": "mail-provider"}, + {"id": 4, "label": "spammer"}, + ] + + +@pytest.fixture(scope="module") +def domainorgs_data(): + """Data for domains.""" + return [ + { + "id": 1, + "pid": "https://ror.org/01ggx4157", + "name": "CERN", + "json": {"country": "ch"}, + }, + { + "id": 2, + "pid": "https://ror.org/01ggx4157::it", + "name": "IT department", + "json": {"country": "ch"}, + "parent_id": 1, + }, + ] + + +@pytest.fixture(scope="module") +def domains(app, database, domainorgs_data, domaincategories_data, domains_data): + """Test domains.""" + for d in domaincategories_data: + database.session.add(DomainCategory(**d)) + for d in domainorgs_data: + database.session.add(DomainOrg(**d)) + database.session.commit() + + domains = {} + for d in domains_data: + database.session.add(Domain(**d)) + domains[d["domain"]] = d + database.session.commit() + + current_domains_service.rebuild_index(system_identity) + current_domains_service.indexer.process_bulk_queue() + current_domains_service.record_cls.index.refresh() + return domains diff --git a/tests/resources/test_resources_domains.py b/tests/resources/test_resources_domains.py new file mode 100644 index 0000000..e0a60f5 --- /dev/null +++ b/tests/resources/test_resources_domains.py @@ -0,0 +1,193 @@ +# -*- coding: utf-8 -*- +# +# Copyright (C) 2024 CERN. +# +# Invenio-Users-Resources is free software; you can redistribute it and/or +# modify it under the terms of the MIT License; see LICENSE file for more +# details. + +"""Domains resource tests.""" + +import pytest + + +def test_domains_access(app, client, domains, user_moderator, user_pub): + res = client.get(f"/domains") + assert res.status_code == 403 + + user_pub.login(client) + res = client.get(f"/domains") + assert res.status_code == 403 + + +def test_domains_search(app, client, domains, user_moderator, user_pub): + user_moderator.login(client) + res = client.get(f"/domains") + assert res.status_code == 200 + data = res.json + assert len(data["hits"]["hits"]) == 5 + + # Props + props = [ + "id", + "domain", + "created", + "updated", + "domain", + "tld", + "status", + "status_name", + "category", + "category_name", + "flagged", + "flagged_source", + "org", + "num_users", + "num_active", + "num_inactive", + "num_confirmed", + "num_verified", + "num_blocked", + ] + cern = data["hits"]["hits"][0] + assert cern["domain"] == "cern.ch" + for p in props: + assert p in cern + + # Check aggregations and that they have content + aggs = ["status", "flagged", "category", "organisation", "tld"] + for a in aggs: + assert a in data["aggregations"] + assert ( + len(data["aggregations"][a]["buckets"]) > 0 + ), f"'{a}' is missing bucket values" + assert len(data["hits"]["hits"]) == 5 + + +def test_domains_read(app, client, domains, user_moderator): + res = client.get(f"/domains/cern.ch") + assert res.status_code == 403 + + user_moderator.login(client) + res = client.get(f"/domains/cern.ch") + assert res.json["links"]["self"].endswith("/domains/cern.ch") + assert res.status_code == 200 + d = res.json + assert d["domain"] == "cern.ch" + assert d["tld"] == "ch" + assert d["status"] == 3 + assert d["status_name"] == "verified" + assert d["flagged"] == False + assert d["flagged_source"] == "" + assert d["category"] == 1 + assert d["category_name"] == "organization" + assert d["org"] == [ + { + "id": 1, + "pid": "https://ror.org/01ggx4157", + "name": "CERN", + "props": {"country": "ch"}, + "is_parent": False, + } + ] + stats = ["users", "active", "inactive", "confirmed", "verified", "blocked"] + for s in stats: + assert f"num_{s}" in d, f"num_{s} is missing from payload" + + +def test_domains_delete(app, client, domains, user_moderator): + res = client.delete(f"/domains/cern.ch") + assert res.status_code == 403 + + user_moderator.login(client) + res = client.delete(f"/domains/cern.ch") + assert res.status_code == 204 + res = client.get(f"/domains/cern.ch") + assert res.status_code == 404 + + +def test_domains_create(app, client, domains, user_moderator): + res = client.post( + f"/domains", + json={ + "domain": "zenodo.org", + }, + headers={"content-type": "application/vnd.inveniordm.v1+json"}, + ) + assert res.status_code == 403 + + user_moderator.login(client) + # Make an update + res = client.post( + f"/domains", + json={ + "domain": "zenodo.org", + }, + headers={"content-type": "application/vnd.inveniordm.v1+json"}, + ) + assert res.status_code == 201 + # Re-read to check that it was updated + data = client.get(f"/domains/zenodo.org").json + assert data["domain"] == "zenodo.org" + assert data["tld"] == "org" + assert data["status_name"] == "new" + assert data["category_name"] == None + assert data["flagged"] == False + assert data["flagged_source"] == "" + assert data["org"] is None + + +@pytest.mark.parametrize( + "status_code,json", + [ + (400, {"status": "new"}), # missing domain + (400, {"domain": "test.com", "status_name": "invalid"}), # invalid status + (400, {"domain": "spammer.com"}), # duplicate domain + (400, {"domain": "test.com", "category_name": "invalid"}), # invalid category + ], +) +def test_domains_create_failure( + app, client, domains, user_moderator, status_code, json +): + user_moderator.login(client) + # Make an update + res = client.post( + f"/domains", + json=json, + headers={"content-type": "application/vnd.inveniordm.v1+json"}, + ) + assert res.status_code == status_code + + +def test_domains_update(app, client, domains, user_moderator): + user_moderator.login(client) + data = client.get(f"/domains/moderated.org").json + assert data["domain"] == "moderated.org" + assert data["status_name"] == "moderated" + assert data["category_name"] == "mail-provider" + assert data["flagged"] == True + assert data["flagged_source"] == "disposable" + assert data["org"] is None + # Make an update + res = client.put( + f"/domains/moderated.org", + json={ + "domain": "moderated.org", + "status_name": "verified", + "category_name": "spammer", + "flagged": False, + "flagged_source": "test", + "org": None, + }, + headers={"content-type": "application/vnd.inveniordm.v1+json"}, + ) + assert res.status_code == 200 + # Re-read to check that it was updated + data = client.get(f"/domains/moderated.org").json + assert data["domain"] == "moderated.org" + assert data["tld"] == "org" + assert data["status_name"] == "verified" + assert data["category_name"] == "spammer" + assert data["flagged"] == False + assert data["flagged_source"] == "test" + assert data["org"] is None diff --git a/tests/resources/test_resources_users.py b/tests/resources/test_resources_users.py index 2d79d37..30c456c 100644 --- a/tests/resources/test_resources_users.py +++ b/tests/resources/test_resources_users.py @@ -41,10 +41,22 @@ def test_read_self_serialization(client, headers, users, user_pub): } assert "created" in data assert "updated" in data + assert "domain" in data assert "revision_id" in data + + assert "blocked_at" not in data + assert "confirmed_at" not in data + assert "current_login_at" not in data + assert "domaininfo" not in data + assert "status" not in data + assert "verified_at" not in data + assert "verified_at" not in data + assert "visibility" not in data + assert data["links"] == { "self": f"https://127.0.0.1:5000/api/users/{user_pub.id}", "avatar": f"https://127.0.0.1:5000/api/users/{user_pub.id}/avatar.svg", + "records_html": f"https://127.0.0.1:5000/search/records?q=user:{user_pub.id}", } @@ -75,6 +87,7 @@ def test_read_anon_serialization(client, headers, users, username, public_email) assert data["links"] == { "self": f"https://127.0.0.1:5000/api/users/{u.id}", "avatar": f"https://127.0.0.1:5000/api/users/{u.id}/avatar.svg", + "records_html": f"https://127.0.0.1:5000/search/records?q=user:{u.id}", } for k in [ diff --git a/tests/services/users/test_service_users.py b/tests/services/users/test_service_users.py index 1b95e84..7afe142 100644 --- a/tests/services/users/test_service_users.py +++ b/tests/services/users/test_service_users.py @@ -276,8 +276,9 @@ def test_restore(app, db, user_service, user_res, user_moderator, clear_cache): ur = user_service.read(user_moderator.identity, user_res.id) assert ur.data["active"] == True - assert ur.data["verified_at"] is not None - assert not "blocked_at" in ur.data + assert ur.data["confirmed_at"] is not None + assert ur.data["verified_at"] is None + assert ur.data["blocked_at"] is None # TODO Clear the cache to test actions without locking side-effects diff --git a/tests/services/users/test_user_moderation.py b/tests/services/users/test_user_moderation.py index 134364f..9fdbcbc 100644 --- a/tests/services/users/test_user_moderation.py +++ b/tests/services/users/test_user_moderation.py @@ -16,17 +16,24 @@ import pytest from invenio_access.permissions import system_identity -from invenio_cache.lock import CachedMutex +from marshmallow import ValidationError from invenio_users_resources.proxies import current_actions_registry from invenio_users_resources.services.users.lock import ModerationMutex +@pytest.fixture() +def unblocked(user_service, user_res): + try: + user_service.activate(system_identity, user_res.id) + except ValidationError: + pass + + def test_moderation_callbacks_success( - user_service, user_res, user_moderator, monkeypatch, clear_cache + user_service, user_res, user_moderator, monkeypatch, unblocked, clear_cache ): """Test moderation actions (post block / restore).""" - mocked_method = MagicMock(return_value=True) monkeypatch.setitem(current_actions_registry, "block", [mocked_method]) blocked = user_service.block(user_moderator.identity, user_res.id) @@ -37,7 +44,7 @@ def test_moderation_callbacks_success( def test_moderation_callbacks_failure( - user_service, user_res, user_moderator, monkeypatch, clear_cache + user_service, user_res, user_moderator, monkeypatch, unblocked, clear_cache ): """Test moderation actions (post block). @@ -69,7 +76,7 @@ def _block_action_failure(user_id, uow=None): def test_moderation_callbacks_lock( - app, user_service, user_res, user_moderator, monkeypatch, clear_cache + app, user_service, user_res, user_moderator, monkeypatch, unblocked, clear_cache ): """Tests the 'simplest' flow for user moderation in terms of locks (e.g. mutex). @@ -113,6 +120,7 @@ def test_moderation_callbacks_lock_renewal( renewal_timeout, expected_lock_state, clear_cache, + unblocked, ): """Tests whether the lock is renewed after moderating a user. diff --git a/tests/test_notifications.py b/tests/test_notifications.py index 5691fc5..ad409de 100644 --- a/tests/test_notifications.py +++ b/tests/test_notifications.py @@ -13,6 +13,7 @@ from invenio_users_resources.notifications.filters import UserPreferencesRecipientFilter from invenio_users_resources.notifications.generators import UserRecipient from invenio_users_resources.records.api import UserAggregate +from invenio_users_resources.records.models import UserAggregateModel def test_user_recipient_generator( @@ -21,10 +22,10 @@ def test_user_recipient_generator( generator_disabled = UserRecipient(key="disabled") generator_enabled = UserRecipient(key="enabled") - user_notifications_disabled = UserAggregate.from_user( + user_notifications_disabled = UserAggregate.from_model( user_notification_disabled.user ).dumps() - user_notifications_enabled = UserAggregate.from_user( + user_notifications_enabled = UserAggregate.from_model( user_notification_enabled.user ).dumps() @@ -61,10 +62,10 @@ def test_user_recipient_generator( def test_user_recipient_filter(user_notification_disabled, user_notification_enabled): """Test user recipient filter for notifications.""" - user_notifications_disabled = UserAggregate.from_user( + user_notifications_disabled = UserAggregate.from_model( user_notification_disabled.user ).dumps() - user_notifications_enabled = UserAggregate.from_user( + user_notifications_enabled = UserAggregate.from_model( user_notification_enabled.user ).dumps()