def validate_token(token):
"""Check whether the passed token is valid."""
serializer = URLSafeTimedSerializer(CONFIG.EMAIL_TOKEN_SECRET_KEY)
token_valid_for = int(
CONFIG.TOKEN_EXPIRY_PERIOD
) * 3600 * 24 if CONFIG.TOKEN_EXPIRY_PERIOD else 3600 * 24 * 7
try:
invitation_id = serializer.loads(
token,
salt=CONFIG.EMAIL_SECURITY_PASSWORD_SALT,
max_age=token_valid_for).get('id')
except: # noqa: E722
raise BusinessException(Error.EXPIRED_INVITATION, None)
invitation: InvitationModel = InvitationModel.find_invitation_by_id(
invitation_id)
if invitation is None:
raise BusinessException(Error.DATA_NOT_FOUND, None)
if invitation.invitation_status_code == 'ACCEPTED':
raise BusinessException(Error.ACTIONED_INVITATION, None)
if invitation.invitation_status_code == 'EXPIRED':
raise BusinessException(Error.EXPIRED_INVITATION, None)
return Invitation(invitation)
def notify_admin(user, invitation_id, membership_id, invitation_origin):
"""Admins should be notified if user has responded to invitation."""
current_app.logger.debug('<notify_admin')
admin_list = UserService.get_admins_for_membership(membership_id)
invitation: InvitationModel = InvitationModel.find_invitation_by_id(
invitation_id)
context_path = CONFIG.AUTH_WEB_TOKEN_CONFIRM_PATH
# Don't send email in case no admin exist in the org. (staff sent invitation)
if len(admin_list) >= 1:
admin_emails = ','.join([
str(x.contacts[0].contact.email) for x in admin_list
if x.contacts
])
else:
# No admin, find Sender email to notify sender (staff)
admin_emails = invitation.sender.email
if admin_emails != '':
Invitation.send_admin_notification(
user.as_dict(), '{}/{}'.format(invitation_origin,
context_path), admin_emails,
invitation.membership[0].org.name,
invitation.membership[0].org.id)
current_app.logger.debug('>notify_admin')
return Invitation(invitation)
def accept_invitation(invitation_id, user: UserService, origin, add_membership: bool = True,
token_info: Dict = None):
"""Add user, role and org from the invitation to membership."""
current_app.logger.debug('>accept_invitation')
invitation: InvitationModel = InvitationModel.find_invitation_by_id(invitation_id)
if invitation is None:
raise BusinessException(Error.DATA_NOT_FOUND, None)
if invitation.invitation_status_code == 'ACCEPTED':
raise BusinessException(Error.ACTIONED_INVITATION, None)
if invitation.invitation_status_code == 'EXPIRED':
raise BusinessException(Error.EXPIRED_INVITATION, None)
if getattr(token_info, 'loginSource', None) is not None: # bcros comes with out token
login_source = token_info.get('loginSource', None)
if invitation.login_source != login_source:
raise BusinessException(Error.INVALID_USER_CREDENTIALS, None)
if add_membership:
for membership in invitation.membership:
membership_model = MembershipModel()
membership_model.org_id = membership.org_id
membership_model.user_id = user.identifier
membership_model.membership_type = membership.membership_type
# check to ensure an invitation for this user/org has not already been processed
existing_membership = MembershipService \
.get_membership_for_org_and_user(org_id=membership_model.org_id, user_id=membership_model.user_id)
if existing_membership:
raise BusinessException(Error.DATA_ALREADY_EXISTS, None)
org_model: OrgModel = OrgModel.find_by_org_id(membership.org_id)
# GOVM users gets direct approval since they are IDIR users.
membership_model.status = Invitation._get_status_based_on_org(org_model)
membership_model.save()
try:
Invitation.notify_admin(user, invitation_id, membership_model.id, origin)
except BusinessException as exception:
current_app.logger.error('<send_notification_to_admin failed', exception.message)
invitation.accepted_date = datetime.now()
invitation.invitation_status = InvitationStatusModel.get_status_by_code('ACCEPTED')
invitation.save()
# Call keycloak to add the user to the group.
if user:
group_name: str = KeycloakService.join_users_group(token_info)
KeycloakService.join_account_holders_group(user.keycloak_guid)
if group_name == GROUP_GOV_ACCOUNT_USERS:
# TODO Remove this if gov account users needs Terms of Use.
tos_document = DocumentsModel.fetch_latest_document_by_type(DocumentType.TERMS_OF_USE.value)
user.update_terms_of_use(token_info, True, tos_document.version_id)
# Add contact to the user.
user.add_contact(token_info, dict(email=token_info.get('email', None)))
current_app.logger.debug('<accept_invitation')
return Invitation(invitation)
def test_find_invitation_by_id(session): # pylint:disable=unused-argument
"""Assert that an Invitation can retrieved by its id."""
invitation = factory_invitation_model(session=session, status='PENDING')
session.add(invitation)
session.commit()
retrieved_invitation = InvitationModel.find_invitation_by_id(invitation.id)
assert retrieved_invitation
assert retrieved_invitation.id == invitation.id
def delete_invitation(invitation_id, token_info: Dict = None):
"""Delete the specified invitation."""
# Ensure that the current user is ADMIN or COORDINATOR for each org in the invitation
invitation = InvitationModel.find_invitation_by_id(invitation_id)
if invitation is None:
raise BusinessException(Error.DATA_NOT_FOUND, None)
for membership in invitation.membership:
org_id = membership.org_id
check_auth(token_info, org_id=org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
invitation.delete()
def notify_admin(user, invitation_id, membership_id, invitation_origin):
"""Admins should be notified if user has responded to invitation."""
current_app.logger.debug('<notify_admin')
admin_list = UserService.get_admins_for_membership(membership_id)
invitation: InvitationModel = InvitationModel.find_invitation_by_id(invitation_id)
context_path = CONFIG.AUTH_WEB_TOKEN_CONFIRM_PATH
admin_emails = ','.join([str(x.contacts[0].contact.email) for x in admin_list if x.contacts])
Invitation.send_admin_notification(user.as_dict(),
'{}/{}'.format(invitation_origin, context_path),
admin_emails, invitation.membership[0].org.name)
current_app.logger.debug('>notify_admin')
return Invitation(invitation)
def accept_invitation(invitation_id,
user,
origin,
add_membership: bool = True):
"""Add user, role and org from the invitation to membership."""
current_app.logger.debug('>accept_invitation')
invitation: InvitationModel = InvitationModel.find_invitation_by_id(
invitation_id)
if invitation is None:
raise BusinessException(Error.DATA_NOT_FOUND, None)
if invitation.invitation_status_code == 'ACCEPTED':
raise BusinessException(Error.ACTIONED_INVITATION, None)
if invitation.invitation_status_code == 'EXPIRED':
raise BusinessException(Error.EXPIRED_INVITATION, None)
if add_membership:
for membership in invitation.membership:
membership_model = MembershipModel()
membership_model.org_id = membership.org_id
membership_model.user_id = user.identifier
membership_model.membership_type = membership.membership_type
# check to ensure an invitation for this user/org has not already been processed
existing_membership = MembershipService \
.get_membership_for_org_and_user(org_id=membership_model.org_id, user_id=membership_model.user_id)
if existing_membership:
raise BusinessException(Error.DATA_ALREADY_EXISTS, None)
# user needs to get approval
is_auto_approval = OrgSettingsModel.is_admin_auto_approved_invitees(
membership.org_id)
if is_auto_approval:
membership_model.status = Status.ACTIVE.value
else:
membership_model.status = Status.PENDING_APPROVAL.value
membership_model.save()
if not is_auto_approval:
try:
Invitation.notify_admin(user, invitation_id,
membership_model.id, origin)
except BusinessException as exception:
current_app.logger.error(
'<send_notification_to_admin failed',
exception.message)
invitation.accepted_date = datetime.now()
invitation.invitation_status = InvitationStatusModel.get_status_by_code(
'ACCEPTED')
invitation.save()
current_app.logger.debug('<accept_invitation')
return Invitation(invitation)
def accept_invitation(invitation_id,
user,
origin,
add_membership: bool = True,
token_info: Dict = None):
"""Add user, role and org from the invitation to membership."""
current_app.logger.debug('>accept_invitation')
invitation: InvitationModel = InvitationModel.find_invitation_by_id(
invitation_id)
if invitation is None:
raise BusinessException(Error.DATA_NOT_FOUND, None)
if invitation.invitation_status_code == 'ACCEPTED':
raise BusinessException(Error.ACTIONED_INVITATION, None)
if invitation.invitation_status_code == 'EXPIRED':
raise BusinessException(Error.EXPIRED_INVITATION, None)
if getattr(token_info, 'loginSource',
None) is not None: # bcros comes with out token
login_source = token_info.get('loginSource', None)
if invitation.login_source != login_source:
raise BusinessException(Error.INVALID_USER_CREDENTIALS, None)
if add_membership:
for membership in invitation.membership:
membership_model = MembershipModel()
membership_model.org_id = membership.org_id
membership_model.user_id = user.identifier
membership_model.membership_type = membership.membership_type
# check to ensure an invitation for this user/org has not already been processed
existing_membership = MembershipService \
.get_membership_for_org_and_user(org_id=membership_model.org_id, user_id=membership_model.user_id)
if existing_membership:
raise BusinessException(Error.DATA_ALREADY_EXISTS, None)
membership_model.status = Status.PENDING_APPROVAL.value
membership_model.save()
try:
Invitation.notify_admin(user, invitation_id,
membership_model.id, origin)
except BusinessException as exception:
current_app.logger.error(
'<send_notification_to_admin failed',
exception.message)
invitation.accepted_date = datetime.now()
invitation.invitation_status = InvitationStatusModel.get_status_by_code(
'ACCEPTED')
invitation.save()
current_app.logger.debug('<accept_invitation')
return Invitation(invitation)
def find_invitation_by_id(invitation_id, token_info: Dict = None):
"""Find an existing invitation with the provided id."""
if invitation_id is None:
return None
invitation = InvitationModel.find_invitation_by_id(invitation_id)
if not invitation:
return None
# Ensure that the current user is an ADMIN or COORDINATOR on each org in the invite being retrieved
for membership in invitation.membership:
org_id = membership.org_id
check_auth(token_info, org_id=org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
return Invitation(invitation)
def accept_invitation(invitation_id, user, origin):
"""Add user, role and org from the invitation to membership."""
current_app.logger.debug('>accept_invitation')
invitation: InvitationModel = InvitationModel.find_invitation_by_id(
invitation_id)
if invitation is None:
raise BusinessException(Error.DATA_NOT_FOUND, None)
if invitation.invitation_status_code == 'ACCEPTED':
raise BusinessException(Error.ACTIONED_INVITATION, None)
if invitation.invitation_status_code == 'EXPIRED':
raise BusinessException(Error.EXPIRED_INVITATION, None)
# TODO : isnt this only one?remove for loop
for membership in invitation.membership:
membership_model = MembershipModel()
membership_model.org_id = membership.org_id
membership_model.user_id = user.identifier
membership_model.membership_type = membership.membership_type
# user needs to get approval
is_auto_approval = OrgSettingsModel.is_admin_auto_approved_invitees(
membership.org_id)
if is_auto_approval:
membership_model.status = Status.ACTIVE.value
else:
membership_model.status = Status.PENDING_APPROVAL.value
membership_model.save()
if not is_auto_approval:
try:
Invitation.notify_admin(user, invitation_id,
membership_model.id, origin)
except BusinessException as exception:
current_app.logger.error(
'<send_notification_to_admin failed',
exception.message)
invitation.accepted_date = datetime.now()
invitation.invitation_status = InvitationStatusModel.get_status_by_code(
'ACCEPTED')
invitation.save()
current_app.logger.debug('<accept_invitation')
return Invitation(invitation)
def accept_invitation(invitation_id,
user: UserService,
origin,
add_membership: bool = True,
**kwargs):
"""Add user, role and org from the invitation to membership."""
current_app.logger.debug('>accept_invitation')
user_from_context: UserContext = kwargs['user_context']
invitation: InvitationModel = InvitationModel.find_invitation_by_id(
invitation_id)
if invitation is None:
raise BusinessException(Error.DATA_NOT_FOUND, None)
if invitation.invitation_status_code == 'ACCEPTED':
raise BusinessException(Error.ACTIONED_INVITATION, None)
if invitation.invitation_status_code == 'EXPIRED':
raise BusinessException(Error.EXPIRED_INVITATION, None)
if (login_source := user_from_context.login_source
) is not None: # bcros comes with out token
if invitation.login_source != login_source:
raise BusinessException(Error.INVALID_USER_CREDENTIALS, None)
