Merge branch 'release/19.23.0'

Author: pattisdr

CHANGELOG

@@ -2,6 +2,12 @@
 
 We follow the CalVer (https://calver.org/) versioning scheme: YY.MINOR.MICRO.
 
+19.23.0 (2019-08-19)
+===================
+- Represents scopes as an m2m field on personal access tokens instead of a CharField
+- APIv2.17 treats scopes as relationships on tokens instead of attributes.  Earlier
+API versions still serialize scopes as attributes.
+
 19.22.0 (2019-08-14)
 ===================
 - APIv2: Editable registrations

api/base/settings/defaults.py

@@ -167,6 +167,7 @@
         '2.14',
         '2.15',
         '2.16',
+        '2.17',
     ),
     'DEFAULT_FILTER_BACKENDS': ('api.base.filters.OSFOrderingFilter',),
     'DEFAULT_PAGINATION_CLASS': 'api.base.pagination.JSONAPIPagination',

api/scopes/permissions.py

@@ -1,8 +1,8 @@
 from rest_framework import permissions
-from api.scopes.serializers import Scope
+from osf.models.oauth import ApiOAuth2Scope
 
 class IsPublicScope(permissions.BasePermission):
 
     def has_object_permission(self, request, view, obj):
-        assert isinstance(obj, Scope), 'obj must be an Scope got {}'.format(obj)
+        assert isinstance(obj, ApiOAuth2Scope), 'obj must be an ApiOAuth2Scope got {}'.format(obj)
         return obj.is_public

api/scopes/serializers.py

@@ -1,28 +1,19 @@
 from rest_framework import serializers as ser
-from website import settings
-from urlparse import urljoin
 
 from api.base.serializers import (
     JSONAPISerializer,
     LinksField,
 )
 
-
-class Scope(object):
-    def __init__(self, id, scope):
-        scope = scope or {}
-        self.id = id
-        self.description = scope.description
-        self.is_public = scope.is_public
-
-    def absolute_url(self):
-        return urljoin(settings.API_DOMAIN, '/v2/scopes/{}/'.format(self.id))
+# With this API version, scopes are a M2M field on ApiOAuth2PersonalToken, and
+# serialized as relationship.
+SCOPES_RELATIONSHIP_VERSION = '2.17'
 
 class ScopeSerializer(JSONAPISerializer):
 
     filterable_fields = frozenset(['id'])
 
-    id = ser.CharField(read_only=True)
+    id = ser.CharField(read_only=True, source='name')
     description = ser.CharField(read_only=True)
     links = LinksField({'self': 'get_absolute_url'})
 

api/scopes/views.py

@@ -1,13 +1,14 @@
 from rest_framework import generics, permissions as drf_permissions
 from rest_framework.exceptions import NotFound
-from framework.auth.oauth_scopes import CoreScopes, public_scopes
+from framework.auth.oauth_scopes import CoreScopes
 
 from api.base.filters import ListFilterMixin
 from api.base import permissions as base_permissions
-from api.scopes.serializers import ScopeSerializer, Scope
+from api.scopes.serializers import ScopeSerializer
 from api.scopes.permissions import IsPublicScope
 from api.base.views import JSONAPIBaseView
 from api.base.pagination import MaxSizePagination
+from osf.models.oauth import ApiOAuth2Scope
 
 
 class ScopeDetail(JSONAPIBaseView, generics.RetrieveAPIView):
@@ -30,14 +31,14 @@ class ScopeDetail(JSONAPIBaseView, generics.RetrieveAPIView):
     # overrides RetrieveAPIView
     def get_object(self):
         id = self.kwargs[self.lookup_url_kwarg]
-        scope_item = public_scopes.get(id, None)
-        if scope_item:
-            scope = Scope(id=id, scope=scope_item)
-            self.check_object_permissions(self.request, scope)
-            return scope
-        else:
+        try:
+            scope = ApiOAuth2Scope.objects.get(name=id)
+        except ApiOAuth2Scope.DoesNotExist:
             raise NotFound
 
+        self.check_object_permissions(self.request, scope)
+        return scope
+
 
 class ScopeList(JSONAPIBaseView, generics.ListAPIView, ListFilterMixin):
     """Private endpoint for gathering scope information. Do not expect this to be stable.
@@ -59,11 +60,7 @@ class ScopeList(JSONAPIBaseView, generics.ListAPIView, ListFilterMixin):
     ordering = ('id', )  # default ordering
 
     def get_default_queryset(self):
-        scopes = []
-        for key, value in public_scopes.items():
-            if value.is_public:
-                scopes.append(Scope(id=key, scope=value))
-        return scopes
+        return ApiOAuth2Scope.objects.filter(is_public=True)
 
     def get_queryset(self):
         return self.get_queryset_from_request()

api/tokens/serializers.py

@@ -1,17 +1,47 @@
 from rest_framework import serializers as ser
 from rest_framework import exceptions
 
-from framework.auth.oauth_scopes import public_scopes
 from osf.exceptions import ValidationError
-from osf.models import ApiOAuth2PersonalToken
+from osf.models import ApiOAuth2PersonalToken, ApiOAuth2Scope
 
 from api.base.exceptions import format_validation_error
-from api.base.serializers import JSONAPISerializer, LinksField, IDField, TypeField
+from api.base.serializers import JSONAPISerializer, LinksField, IDField, TypeField, RelationshipField, StrictVersion
+from api.scopes.serializers import SCOPES_RELATIONSHIP_VERSION
+
+
+class TokenScopesRelationshipField(RelationshipField):
+
+    def to_internal_value(self, data):
+        return {'scopes': data}
 
 
 class ApiOAuth2PersonalTokenSerializer(JSONAPISerializer):
     """Serialize data about a registered personal access token"""
 
+    def __init__(self, *args, **kwargs):
+        super(ApiOAuth2PersonalTokenSerializer, self).__init__(*args, **kwargs)
+
+        request = kwargs['context']['request']
+
+        # Dynamically adding scopes field here, depending on the version
+        if expect_scopes_as_relationships(request):
+            field = TokenScopesRelationshipField(
+                related_view='tokens:token-scopes-list',
+                related_view_kwargs={'_id': '<_id>'},
+                always_embed=True,
+                read_only=False,
+            )
+            self.fields['scopes'] = field
+            self.fields['owner'] = RelationshipField(
+                related_view='users:user-detail',
+                related_view_kwargs={'user_id': '<owner._id>'},
+            )
+            # Making scopes embeddable
+            self.context['embed']['scopes'] = self.context['view']._get_embed_partial('scopes', field)
+        else:
+            self.fields['scopes'] = ser.SerializerMethodField()
+            self.fields['owner'] = ser.SerializerMethodField()
+
     id = IDField(source='_id', read_only=True, help_text='The object ID for this token (automatically generated)')
     type = TypeField()
 
@@ -20,17 +50,6 @@ class ApiOAuth2PersonalTokenSerializer(JSONAPISerializer):
         required=True,
     )
 
-    owner = ser.CharField(
-        help_text='The user who owns this token',
-        read_only=True,  # Don't let user register a token in someone else's name
-        source='owner._id',
-    )
-
-    scopes = ser.CharField(
-        help_text='Governs permissions associated with this token',
-        required=True,
-    )
-
     token_id = ser.CharField(read_only=True, allow_blank=True)
 
     class Meta:
@@ -40,6 +59,12 @@ class Meta:
         'html': 'absolute_url',
     })
 
+    def get_owner(self, obj):
+        return obj.owner._id
+
+    def get_scopes(self, obj):
+        return ' '.join([scope.name for scope in obj.scopes.all()])
+
     def absolute_url(self, obj):
         return obj.absolute_url
 
@@ -58,17 +83,21 @@ def to_representation(self, obj, envelope='data'):
         return data
 
     def create(self, validated_data):
-        validate_requested_scopes(validated_data)
+        scopes = validate_requested_scopes(validated_data.pop('scopes', None))
+        if not scopes:
+            raise exceptions.ValidationError('Cannot create a token without scopes.')
         instance = ApiOAuth2PersonalToken(**validated_data)
         try:
             instance.save()
         except ValidationError as e:
             detail = format_validation_error(e)
             raise exceptions.ValidationError(detail=detail)
+        for scope in scopes:
+            instance.scopes.add(scope)
         return instance
 
     def update(self, instance, validated_data):
-        validate_requested_scopes(validated_data)
+        scopes = validate_requested_scopes(validated_data.pop('scopes', None))
         assert isinstance(instance, ApiOAuth2PersonalToken), 'instance must be an ApiOAuth2PersonalToken'
 
         instance.deactivate(save=False)  # This will cause CAS to revoke the existing token but still allow it to be used in the future, new scopes will be updated properly at that time.
@@ -79,15 +108,66 @@ def update(self, instance, validated_data):
                 continue
             else:
                 setattr(instance, attr, value)
+        if scopes:
+            update_scopes(instance, scopes)
         try:
             instance.save()
         except ValidationError as e:
             detail = format_validation_error(e)
             raise exceptions.ValidationError(detail=detail)
         return instance
 
-def validate_requested_scopes(validated_data):
-    scopes_set = set(validated_data.get('scopes', '').split(' '))
-    for scope in scopes_set:
-        if scope not in public_scopes or not public_scopes[scope].is_public:
-            raise exceptions.ValidationError('User requested invalid scope')
+
+class ApiOAuth2PersonalTokenWritableSerializer(ApiOAuth2PersonalTokenSerializer):
+    def __init__(self, *args, **kwargs):
+        super(ApiOAuth2PersonalTokenWritableSerializer, self).__init__(*args, **kwargs)
+        request = kwargs['context']['request']
+
+        # Dynamically overriding scopes field for early versions to make scopes writable via an attribute
+        if not expect_scopes_as_relationships(request):
+            self.fields['scopes'] = ser.CharField(write_only=True, required=False)
+
+    def to_representation(self, obj, envelope='data'):
+        """
+        Overriding to_representation allows using different serializers for the request and response.
+
+        This will allow scopes to be a serializer method field if an early version, or a relationship field for a later version
+        """
+        context = self.context
+        return ApiOAuth2PersonalTokenSerializer(instance=obj, context=context).data
+
+
+def expect_scopes_as_relationships(request):
+    """Whether serializer should expect scopes to be a relationship instead of an attribute
+
+    Scopes were previously an attribute on the serializer to mirror that they were a CharField on the model.
+    Now that scopes are an m2m field with tokens, later versions of the serializer represent scopes as relationships.
+    """
+    return StrictVersion(getattr(request, 'version', '2.0')) >= StrictVersion(SCOPES_RELATIONSHIP_VERSION)
+
+def update_scopes(token, scopes):
+    to_remove = token.scopes.difference(scopes)
+    to_add = scopes.difference(token.scopes.all())
+    for scope in to_remove:
+        token.scopes.remove(scope)
+    for scope in to_add:
+        token.scopes.add(scope)
+    return
+
+def validate_requested_scopes(data):
+    if not data:
+        return []
+
+    if type(data) != list:
+        data = data.split(' ')
+    scopes = ApiOAuth2Scope.objects.filter(name__in=data)
+
+    if len(scopes) != len(data):
+        raise exceptions.NotFound('Scope names must be one of: {}.'.format(
+            ', '.join(ApiOAuth2Scope.objects.values_list('name', flat=True)),
+        ))
+
+    if scopes.filter(is_public=False):
+        raise exceptions.ValidationError('User requested invalid scope.')
+
+    return scopes

api/tokens/urls.py

@@ -7,4 +7,5 @@
 urlpatterns = [
     url(r'^$', views.TokenList.as_view(), name='token-list'),
     url(r'^(?P<_id>\w+)/$', views.TokenDetail.as_view(), name='token-detail'),
+    url(r'^(?P<_id>\w+)/scopes/$', views.TokenScopesList.as_view(), name='token-scopes-list'),
 ]

api/tokens/views.py

@@ -14,8 +14,10 @@
 from api.base.filters import ListFilterMixin
 from api.base.utils import get_object_or_error
 from api.base.views import JSONAPIBaseView
+from api.base.parsers import JSONAPIMultipleRelationshipsParser, JSONAPIMultipleRelationshipsParserForRegularJSON
 from api.base import permissions as base_permissions
-from api.tokens.serializers import ApiOAuth2PersonalTokenSerializer
+from api.scopes.serializers import ScopeSerializer
+from api.tokens.serializers import ApiOAuth2PersonalTokenWritableSerializer
 
 from osf.models import ApiOAuth2PersonalToken
 
@@ -33,13 +35,14 @@ class TokenList(JSONAPIBaseView, generics.ListCreateAPIView, ListFilterMixin):
     required_read_scopes = [CoreScopes.TOKENS_READ]
     required_write_scopes = [CoreScopes.TOKENS_WRITE]
 
-    serializer_class = ApiOAuth2PersonalTokenSerializer
+    serializer_class = ApiOAuth2PersonalTokenWritableSerializer
     view_category = 'tokens'
     view_name = 'token-list'
 
     renderer_classes = [JSONRendererWithESISupport, JSONAPIRenderer, ]  # Hide from web-browsable API tool
 
     ordering = ('-id',)
+    parser_classes = (JSONAPIMultipleRelationshipsParser, JSONAPIMultipleRelationshipsParserForRegularJSON,)
 
     def get_default_queryset(self):
         return ApiOAuth2PersonalToken.objects.filter(owner=self.request.user, is_active=True)
@@ -69,11 +72,12 @@ class TokenDetail(JSONAPIBaseView, generics.RetrieveUpdateDestroyAPIView):
     required_read_scopes = [CoreScopes.TOKENS_READ]
     required_write_scopes = [CoreScopes.TOKENS_WRITE]
 
-    serializer_class = ApiOAuth2PersonalTokenSerializer
+    serializer_class = ApiOAuth2PersonalTokenWritableSerializer
     view_category = 'tokens'
     view_name = 'token-detail'
 
     renderer_classes = [JSONRendererWithESISupport, JSONAPIRenderer, ]  # Hide from web-browsable API tool
+    parser_classes = (JSONAPIMultipleRelationshipsParser, JSONAPIMultipleRelationshipsParserForRegularJSON,)
 
     # overrides RetrieveAPIView
     def get_object(self):
@@ -97,3 +101,37 @@ def perform_update(self, serializer):
         """Necessary to prevent owner field from being blanked on updates"""
         serializer.validated_data['owner'] = self.request.user
         serializer.save(owner=self.request.user)
+
+
+class TokenScopesList(JSONAPIBaseView, generics.ListAPIView):
+    """
+    Get information about the scopes associated with a personal access token
+
+    Should not return information if the token belongs to a different user
+    """
+    permission_classes = (
+        drf_permissions.IsAuthenticated,
+        base_permissions.OwnerOnly,
+        base_permissions.TokenHasScope,
+    )
+
+    required_read_scopes = [CoreScopes.TOKENS_READ]
+    required_write_scopes = [CoreScopes.TOKENS_WRITE]
+
+    serializer_class = ScopeSerializer
+    view_category = 'tokens'
+    view_name = 'token-scopes-list'
+
+    renderer_classes = [JSONRendererWithESISupport, JSONAPIRenderer, ]  # Hide from web-browsable API tool
+
+    def get_default_queryset(self):
+        try:
+            obj = get_object_or_error(ApiOAuth2PersonalToken, Q(_id=self.kwargs['_id'], is_active=True), self.request)
+        except ApiOAuth2PersonalToken.DoesNotExist:
+            raise NotFound
+        self.check_object_permissions(self.request, obj)
+        return obj.scopes.all()
+
+    # overrides ListAPIView
+    def get_queryset(self):
+        return self.get_default_queryset()