Add ODKToken Authentication Method

onadata/apps/api/migrations/0005_auto_20191018_0735.py

@@ -0,0 +1,29 @@
+# Generated by Django 2.2.1 on 2019-10-18 11:35
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('api', '0004_auto_20190125_0517'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='team',
+            options={},
+        ),
+        migrations.CreateModel(
+            name='ODKToken',
+            fields=[
+                ('key', models.CharField(max_length=150, primary_key=True, serialize=False)),
+                ('status', models.CharField(choices=[('1', 'Active'), ('2', 'Inactive')], default='1', max_length=1, verbose_name='Status')),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('user', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, related_name='odk_token', to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]

onadata/apps/api/migrations/0006_auto_20191025_0730.py

@@ -0,0 +1,20 @@
+# Generated by Django 2.1.7 on 2019-10-25 11:30
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0005_auto_20191018_0735'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='odktoken',
+            name='user',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
+        ),
+    ]

onadata/apps/api/models/odk_token.py

@@ -0,0 +1,103 @@
+"""
+ODK token model module
+"""
+import binascii
+import os
+from datetime import timedelta
+
+from django.conf import settings
+from django.db import models
+from django.db.models.signals import post_save
+from django.utils.translation import ugettext_lazy as _
+
+from cryptography.fernet import Fernet
+from django_digest.models import (_persist_partial_digests,
+                                  _prepare_partial_digests)
+
+AUTH_USER_MODEL = getattr(settings, 'AUTH_USER_MODEL', 'auth.User')
+ODK_TOKEN_LENGTH = getattr(settings, 'ODK_TOKEN_LENGTH', 7)
+ODK_TOKEN_FERNET_KEY = getattr(settings, 'ODK_TOKEN_FERNET_KEY')
+ODK_TOKEN_LIFETIME = getattr(settings, "ODK_KEY_LIFETIME", 7)
+
+
+class ODKToken(models.Model):
+    """
+    ODK Token class
+    """
+    ACTIVE = '1'
+    INACTIVE = '2'
+    STATUS_CHOICES = (
+        (ACTIVE, _('Active')),
+        (INACTIVE, _('Inactive'))
+    )
+
+    key = models.CharField(max_length=150, primary_key=True)
+    user = models.ForeignKey(
+        AUTH_USER_MODEL, on_delete=models.CASCADE)
+    status = models.CharField(
+        'Status',
+        choices=STATUS_CHOICES,
+        default=ACTIVE,
+        max_length=1)
+    created = models.DateTimeField(auto_now_add=True)
+
+    class Meta:
+        app_label = 'api'
+
+    def _generate_partial_digest(self, raw_key):
+        """
+        Generates the partial digests for ODK Authentication
+        """
+        _prepare_partial_digests(self.user, raw_key)
+
+    def check_key(self, key):
+        """
+        Check that the passed in key matches the stored hashed key
+        """
+        return self.raw_key == key
+
+    def save(self, *args, **kwargs):  # pylint: disable=arguments-differ
+        if not self.key:
+            self.key = self.generate_key()
+        return super(ODKToken, self).save(*args, **kwargs)
+
+    def generate_key(self):
+        key = binascii.hexlify(os.urandom(ODK_TOKEN_LENGTH)).decode()
+        self._generate_partial_digest(key)
+        return _encrypt_key(key)
+
+    def __str__(self):
+        return self.key
+
+    @property
+    def expires(self):
+        """
+        This property holds the datetime of when the Token expires
+        """
+        return self.created + timedelta(days=ODK_TOKEN_LIFETIME)
+
+    @property
+    def raw_key(self):
+        """
+        Decrypts the key and returns it in its Raw Form
+        """
+        fernet = Fernet(ODK_TOKEN_FERNET_KEY)
+        return fernet.decrypt(self.key.encode('utf-8'))
+
+
+def _encrypt_key(raw_key):
+    """
+    Encrypts the ODK Token using the ODK_TOKEN_SECRET through
+    the fernet cryptography scheme
+    """
+    fernet = Fernet(ODK_TOKEN_FERNET_KEY)
+    return fernet.encrypt(raw_key.encode('utf-8')).decode('utf-8')
+
+
+def _post_save_persist_partial_digests(sender, instance=None, **kwargs):
+    if instance:
+        _persist_partial_digests(instance.user)
+
+
+post_save.connect(
+    _post_save_persist_partial_digests, sender=ODKToken)

onadata/apps/api/storage.py

@@ -0,0 +1,65 @@
+"""
+Backends module for th API app
+"""
+import logging
+
+from django.conf import settings
+from django.db import connection
+from django.utils import timezone
+
+from django_digest.backend.storage import AccountStorage
+
+from onadata.apps.api.models.odk_token import ODKToken
+
+_l = logging.getLogger(__name__)
+_l.setLevel(logging.DEBUG)
+
+ODK_KEY_LIFETIME_IN_SEC = getattr(settings, 'ODK_KEY_LIFETIME', 7) * 86400
+
+
+class ODKTokenAccountStorage(AccountStorage):
+    """
+    Digest Account Backend class
+
+    In order to utilize this storage as the default account storage for
+    Digest Authentication set the DIGEST_ACCOUNT_BACKEND variable in
+    your local_settings to 'onadata.apps.api.storage.ODKTokenAccountStorage'
+    """
+    GET_PARTIAL_DIGEST_QUERY = f"""
+    SELECT django_digest_partialdigest.login,
+     django_digest_partialdigest.partial_digest
+      FROM django_digest_partialdigest
+      INNER JOIN auth_user ON
+        auth_user.id = django_digest_partialdigest.user_id
+      INNER JOIN api_odktoken ON
+        api_odktoken.user_id = django_digest_partialdigest.user_id
+      WHERE django_digest_partialdigest.login = %s
+        AND django_digest_partialdigest.confirmed
+        AND auth_user.is_active
+        AND api_odktoken.status='{ODKToken.ACTIVE}'
+    """
+
+    def get_partial_digest(self, username):
+        """
+        Checks that the returned partial digest is associated with a
+        Token that isn't past it's expire date.
+
+        Sets an ODK Token to Inactive if the associate token has passed
+        its expiry date
+        """
+        cursor = connection.cursor()
+        cursor.execute(self.GET_PARTIAL_DIGEST_QUERY, [username])
+        # In MySQL, string comparison is case-insensitive by default.
+        # Therefore a second round of filtering is required.
+        partial_digest = [(row[1]) for row in cursor.fetchall()
+                          if row[0] == username]
+        if not partial_digest:
+            return None
+
+        token = ODKToken.objects.get(user__username=username)
+
+        if timezone.now() > token.expires:
+            token.status = ODKToken.INACTIVE
+            return None
+
+        return partial_digest

onadata/apps/api/tests/models/test_odk_token.py

@@ -0,0 +1,19 @@
+"""
+Test ODK Token module
+"""
+from onadata.apps.api.models.odk_token import ODKToken
+from onadata.apps.api.tests.models.test_abstract_models import \
+    TestAbstractModels
+
+
+class TestODKToken(TestAbstractModels):
+    def test_create_odk_token(self):
+        """
+        Test that ODK Tokens can be created
+        """
+        self._create_user_and_login()
+        initial_count = ODKToken.objects.count()
+
+        ODKToken.objects.create(user=self.user)
+
+        self.assertEqual(initial_count + 1, ODKToken.objects.count())

onadata/apps/api/tests/viewsets/test_connect_viewset.py

@@ -15,6 +15,7 @@
 from rest_framework.authtoken.models import Token
 
 from onadata.apps.api.models.temp_token import TempToken
+from onadata.apps.api.models.odk_token import ODKToken
 from onadata.apps.api.tests.viewsets.test_abstract_viewset import \
     TestAbstractViewSet
 from onadata.apps.api.viewsets.connect_viewset import ConnectViewSet
@@ -480,3 +481,62 @@ def test_login_attempts(self, send_account_lockout_email):
         # clear cache
         cache.delete(safe_key("login_attempts-bob"))
         cache.delete(safe_key("lockout_user-bob"))
+
+    def test_generate_odk_token(self):
+        """
+        Test that ODK Tokens can be created
+        """
+        view = ConnectViewSet.as_view({'post': 'odk_token'})
+        request = self.factory.post('/', **self.extra)
+        request.session = self.client.session
+        response = view(request)
+        self.assertEqual(response.status_code, 201)
+
+    def test_regenerate_odk_token(self):
+        """
+        Test that ODK Tokens can be regenerated and old tokens
+        are set to Inactive after regeneration
+        """
+        view = ConnectViewSet.as_view({'post': 'odk_token'})
+        request = self.factory.post('/', **self.extra)
+        request.session = self.client.session
+        response = view(request)
+        self.assertEqual(response.status_code, 201)
+        old_token = response.data['odk_token']
+
+        with self.assertRaises(ODKToken.DoesNotExist):
+            ODKToken.objects.get(
+                user=self.user, status=ODKToken.INACTIVE)
+
+        request = self.factory.post('/', **self.extra)
+        request.session = self.client.session
+        response = view(request)
+        self.assertEqual(response.status_code, 201)
+        self.assertNotEqual(response.data['odk_token'], old_token)
+
+        # Test that the previous token was set to inactive
+        inactive_token = ODKToken.objects.get(
+            user=self.user, status=ODKToken.INACTIVE)
+        self.assertEqual(inactive_token.raw_key, old_token)
+
+    def test_retrieve_odk_token(self):
+        """
+        Test that ODK Tokens can be retrieved
+        """
+        view = ConnectViewSet.as_view({
+            'post': 'odk_token',
+            'get': 'odk_token'
+        })
+        request = self.factory.post('/', **self.extra)
+        request.session = self.client.session
+        response = view(request)
+        self.assertEqual(response.status_code, 201)
+        odk_token = response.data['odk_token']
+        expires = response.data['expires']
+
+        request = self.factory.get('/', **self.extra)
+        request.session = self.client.session
+        response = view(request)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['odk_token'], odk_token)
+        self.assertEqual(response.data['expires'], expires)

onadata/apps/api/viewsets/connect_viewset.py

@@ -1,3 +1,4 @@
+from django.utils import timezone
 from django.utils.decorators import classonlymethod
 from django.utils.translation import ugettext as _
 from django.views.decorators.cache import never_cache
@@ -8,6 +9,7 @@
 from rest_framework.response import Response
 from rest_framework import mixins
 
+from onadata.apps.api.models.odk_token import ODKToken
 from onadata.apps.api.models.temp_token import TempToken
 from onadata.apps.api.permissions import ConnectViewsetPermissions
 from onadata.apps.main.models.user_profile import UserProfile
@@ -114,6 +116,38 @@ def regenerate_auth_token(self, request, *args, **kwargs):
 
         return Response(data=new_token.key, status=status.HTTP_201_CREATED)
 
+    @action(methods=['GET', 'POST'], detail=False)
+    def odk_token(self, request, *args, **kwargs):
+        user = request.user
+
+        if request.method == 'GET':
+            token, created = ODKToken.objects.get_or_create(
+                user=user, status=ODKToken.ACTIVE)
+
+            if not created and timezone.now() > token.expires:
+                token.status = ODKToken.INACTIVE
+                token.save()
+                token = ODKToken.objects.create(user=user)
+
+            return Response(data={
+                'odk_token': token.raw_key,
+                'expires': token.expires}, status=status.HTTP_200_OK)
+        elif request.method == 'POST':
+            # Regenerates the ODK Token if one is already existant
+            try:
+                old_token = ODKToken.objects.get(user=user)
+                old_token.status = ODKToken.INACTIVE
+                old_token.save()
+            except ODKToken.DoesNotExist:
+                pass
+
+            token = ODKToken.objects.create(user=user)
+
+            return Response(data={
+                'odk_token': token.raw_key,
+                'expires': token.expires
+            }, status=status.HTTP_201_CREATED)
+
     @classonlymethod
     def as_view(cls, actions=None, **initkwargs):
         view = super(ConnectViewSet, cls).as_view(actions, **initkwargs)