Allow tree owner creation (#379)

* Implement tree owner token & creation endpoints

* Prevent tree owner creation for different tree in single-tree setup

Author: DavidMStraub

gramps_webapi/api/resources/token.py

@@ -1,7 +1,7 @@
 #
 # Gramps Web API - A RESTful API for the Gramps genealogy program
 #
-# Copyright (C) 2020      David Straub
+# Copyright (C) 2020-2023      David Straub
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -30,15 +30,16 @@
 from webargs import fields, validate
 
 from ...auth import (
+    authorized,
     get_all_user_details,
-    get_permissions,
     get_guid,
-    authorized,
     get_name,
+    get_permissions,
 )
-from ...auth.const import CLAIM_LIMITED_SCOPE, SCOPE_CREATE_ADMIN
+from ...auth.const import CLAIM_LIMITED_SCOPE, SCOPE_CREATE_ADMIN, SCOPE_CREATE_OWNER
+from ...const import TREE_MULTI
 from ..ratelimiter import limiter
-from ..util import get_tree_id, use_args
+from ..util import get_tree_id, tree_exists, use_args
 from . import RefreshProtectedResource, Resource
 
 
@@ -112,11 +113,12 @@ def post(self):
 
 
 class TokenCreateOwnerResource(Resource):
-    """Resource for getting a token that allows creating a site owner account."""
+    """Resource for getting a token that allows creating a site admin or tree owner account."""
 
     @limiter.limit("1/second")
     def get(self):
         """Get a token."""
+        # This GET method is deprecated and only kept for backward compatibility!
         if get_all_user_details(tree=None):
             # users already exist!
             abort(405)
@@ -127,3 +129,34 @@ def get(self):
             },
         )
         return {"access_token": token}
+
+    @limiter.limit("1/second")
+    @use_args(
+        {
+            "tree": fields.Str(required=False),
+        },
+        location="json",
+    )
+    def post(self, args):
+        """Get a token."""
+        tree = args.get("tree")
+        if (
+            tree
+            and current_app.config["TREE"] != TREE_MULTI
+            and tree != current_app.config["TREE"]
+        ):
+            abort(403)
+        if tree and not tree_exists(tree):
+            abort(404)
+        if get_all_user_details(tree=tree):
+            # users already exist!
+            abort(405)
+        if tree:
+            claims = {
+                CLAIM_LIMITED_SCOPE: SCOPE_CREATE_OWNER,
+                "tree": tree,
+            }
+        else:
+            claims = {CLAIM_LIMITED_SCOPE: SCOPE_CREATE_ADMIN}
+        token = create_access_token(identity="owner", additional_claims=claims)
+        return {"access_token": token}, 201

gramps_webapi/api/resources/user.py

@@ -1,7 +1,7 @@
 #
 # Gramps Web API - A RESTful API for the Gramps genealogy program
 #
-# Copyright (C) 2020      David Straub
+# Copyright (C) 2020-2023      David Straub
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -61,6 +61,7 @@
     ROLE_UNCONFIRMED,
     SCOPE_CONF_EMAIL,
     SCOPE_CREATE_ADMIN,
+    SCOPE_CREATE_OWNER,
     SCOPE_RESET_PW,
 )
 from ...const import TREE_MULTI
@@ -304,6 +305,12 @@ def post(self, args, user_name: str):
         # do not allow registration if no tree owner account exists!
         if get_number_users(tree=args.get("tree"), roles=(ROLE_OWNER,)) == 0:
             abort(405)
+        if (
+            "tree" in args
+            and current_app.config["TREE"] != TREE_MULTI
+            and args["tree"] != current_app.config["TREE"]
+        ):
+            abort(422)
         if "tree" in args and not tree_exists(args["tree"]):
             abort(422)
         try:
@@ -349,24 +356,47 @@ def post(self, args, user_name: str):
         if user_name == "-":
             # User name - is not allowed
             abort(404)
-        # FIXME what about multi-tree
-        if get_number_users() > 0:
-            # there is already a user in the user DB
-            abort(405)
         claims = get_jwt()
-        if claims[CLAIM_LIMITED_SCOPE] != SCOPE_CREATE_ADMIN:
-            # This is a wrong token!
-            abort(403)
         if "tree" in args and not tree_exists(args["tree"]):
             abort(422)
-        add_user(
-            name=user_name,
-            password=args["password"],
-            email=args["email"],
-            fullname=args["full_name"],
-            tree=args.get("tree"),
-            role=ROLE_ADMIN,
-        )
+        if (
+            "tree" in args
+            and current_app.config["TREE"] != TREE_MULTI
+            and args["tree"] != current_app.config["TREE"]
+        ):
+            abort(422)
+        if claims[CLAIM_LIMITED_SCOPE] == SCOPE_CREATE_ADMIN:
+            if get_number_users() > 0:
+                # there is already a user in the user DB
+                abort(405)
+            add_user(
+                name=user_name,
+                password=args["password"],
+                email=args["email"],
+                fullname=args["full_name"],
+                tree=args.get("tree"),
+                role=ROLE_ADMIN,
+            )
+        elif claims[CLAIM_LIMITED_SCOPE] == SCOPE_CREATE_OWNER:
+            tree = claims["tree"]
+            if "tree" in args and args["tree"] != tree:
+                abort(422)
+            if not tree_exists(tree_id=tree):
+                abort(422)
+            if get_number_users(tree=tree) > 0:
+                # there is already a user in this tree
+                abort(405)
+            add_user(
+                name=user_name,
+                password=args["password"],
+                email=args["email"],
+                fullname=args["full_name"],
+                tree=tree,
+                role=ROLE_OWNER,
+            )
+        else:
+            # This is a wrong token!
+            abort(403)
         return "", 201
 
 

gramps_webapi/auth/const.py

@@ -1,7 +1,7 @@
 #
 # Gramps Web API - A RESTful API for the Gramps genealogy program
 #
-# Copyright (C) 2020-2022      David Straub
+# Copyright (C) 2020-2023      David Straub
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -117,3 +117,4 @@
 SCOPE_RESET_PW = "reset_password"
 SCOPE_CONF_EMAIL = "confirm_email"
 SCOPE_CREATE_ADMIN = "create_admin"
+SCOPE_CREATE_OWNER = "create_owner"

gramps_webapi/data/apispec.yaml

@@ -145,13 +145,20 @@ paths:
           description: "Unprocessable Entity: Invalid token."
 
   /token/create_owner/:
-    get:
+    post:
       tags:
       - authentication
-      summary: "Obtain a JWT access token that allows creating an owner account if no other user exists yet."
+      summary: "Obtain a JWT access token that allows creating an admin or owner account if no other user exists yet."
       operationId: getTokenCreateOwner
+      parameters:
+      - name: tree
+        in: body
+        required: false
+        type: string
+        description: "If present, request a token for creating a tree owner. Otherwise, request a token for creating a site admin."
+        example: 0de59650-9bc5-4ee8-957d-4c3eb0851981
       responses:
-        200:
+        201:
           description: "OK: Successful operation."
           schema:
             $ref: "#/definitions/JWTAccessToken"
@@ -376,27 +383,30 @@ paths:
     post:
       tags:
       - users
-      summary: "Create an owner account if no other user exists yet."
+      summary: "Create an admin or owner account if no other user exists yet."
       operationId: createOwner
       parameters:
       - name: user_name
         in: path
         required: true
         type: string
-        description: "The user name for the owner account."
+        description: "The user name for the account."
       - name: user_details
         in: body
         schema:
           type: object
           properties:
             email:
-              description: "The owner's e-mail address."
+              description: "The new user's e-mail address."
               type: string
             full_name:
-              description: "The owner's full name."
+              description: "The new user's full name."
               type: string
             password:
-              description: "The owner's password."
+              description: "The new user's password."
+              type: string
+            tree:
+              description: "The new user's tree (optional)."
               type: string
       responses:
         201:

tests/test_endpoints/test_token.py

@@ -1,7 +1,7 @@
 #
 # Gramps Web API - A RESTful API for the Gramps genealogy program
 #
-# Copyright (C) 2020      David Straub
+# Copyright (C) 2020-2023      David Straub
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -22,15 +22,18 @@
 import unittest
 from unittest.mock import patch
 
+from flask_jwt_extended.utils import decode_token
 from gramps.cli.clidbman import CLIDbManager
 from gramps.gen.dbstate import DbState
 
 from gramps_webapi.app import create_app
 from gramps_webapi.auth import user_db
 from gramps_webapi.auth.const import ROLE_OWNER
 from gramps_webapi.const import ENV_CONFIG_FILE, TEST_AUTH_CONFIG
+from gramps_webapi.dbmanager import WebDbManager
 
 from . import BASE_URL, TEST_USERS, get_test_client
+from .util import fetch_header
 
 
 class TestToken(unittest.TestCase):
@@ -83,6 +86,20 @@ def test_create_owner_response(self):
         rv = self.client.get(f"{BASE_URL}/token/create_owner/")
         self.assertEqual(rv.status_code, 405)
 
+    def test_create_owner_post_response(self):
+        """Test response to create_owner."""
+        rv = self.client.post(f"{BASE_URL}/token/create_owner/")
+        self.assertEqual(rv.status_code, 405)
+
+    def test_create_owner_tree_response(self):
+        """Test response to create_owner."""
+        headers = fetch_header(self.client)
+        rv = self.client.get(f"{BASE_URL}/trees/-", headers=headers)
+        assert rv.status_code == 200
+        tree = rv.json["id"]
+        rv = self.client.post(f"{BASE_URL}/token/create_owner/", json={"tree": tree})
+        self.assertEqual(rv.status_code, 405)
+
 
 class TestTokenRefresh(unittest.TestCase):
     """Test cases for the /api/token/refresh endpoint."""
@@ -155,14 +172,58 @@ def setUpClass(cls):
         cls.client = cls.app.test_client()
         with cls.app.app_context():
             user_db.create_all()
+            db_manager = WebDbManager(name=cls.name, create_if_missing=False)
+            cls.tree_id = db_manager.dirname
 
     @classmethod
     def tearDownClass(cls):
         cls.dbman.remove_database(cls.name)
 
-    def test_create_owner_response(self):
+    def test_create_admin_response_get(self):
         """Test response to create_owner."""
-        # FIXME requires tree
         rv = self.client.get(f"{BASE_URL}/token/create_owner/")
         self.assertEqual(rv.status_code, 200)
         self.assertIn("access_token", rv.json)
+        encoded_token = rv.json["access_token"]
+        with self.app.app_context():
+            token = decode_token(encoded_token)
+        assert token["limited_scope"] == "create_admin"
+
+    def test_create_admin_response_post(self):
+        """Test response to create_owner."""
+        rv = self.client.post(f"{BASE_URL}/token/create_owner/")
+        self.assertEqual(rv.status_code, 201)
+        self.assertIn("access_token", rv.json)
+        encoded_token = rv.json["access_token"]
+        with self.app.app_context():
+            token = decode_token(encoded_token)
+        assert token["limited_scope"] == "create_admin"
+
+    def test_create_admin_response_post_tree_wrong(self):
+        """Test response to create_owner."""
+        rv = self.client.post(
+            f"{BASE_URL}/token/create_owner/", json={"tree": "idontexist"}
+        )
+        self.assertEqual(rv.status_code, 404)
+
+    def test_create_admin_response_post_tree_empty_string(self):
+        """Test response to create_owner."""
+        rv = self.client.post(f"{BASE_URL}/token/create_owner/", json={"tree": ""})
+        self.assertEqual(rv.status_code, 201)
+        self.assertIn("access_token", rv.json)
+        encoded_token = rv.json["access_token"]
+        with self.app.app_context():
+            token = decode_token(encoded_token)
+        assert token["limited_scope"] == "create_admin"
+
+    def test_create_admin_response_post_tree(self):
+        """Test response to create_owner."""
+        rv = self.client.post(
+            f"{BASE_URL}/token/create_owner/", json={"tree": self.tree_id}
+        )
+        self.assertEqual(rv.status_code, 201)
+        self.assertIn("access_token", rv.json)
+        encoded_token = rv.json["access_token"]
+        with self.app.app_context():
+            token = decode_token(encoded_token)
+        assert token["limited_scope"] == "create_owner"