From 7c8b08fd724723dcbd5d1776af444c8b6eba98d4 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne <bdauvergne@entrouvert.com>
Date: Sat, 17 Mar 2018 10:40:09 +0100
Subject: [PATCH 8/8] notifications: add a listing API

- listing API allow showing notifications on a remote site
- each notification description contains signed ack and forget URL
  allowing direct interfaction between the browser and combo from a remote
  site, based on CORS AJAX calls (authorizations are opened)
- ack and forget web-services are also still usable with classi Django
  session authentication.
- first test done using django-webtest&pytest-django
---
 combo/apps/notifications/api_views.py              | 79 +++++++++++++++++++---
 combo/apps/notifications/models.py                 | 12 +++-
 .../templates/combo/notificationscell.html         |  4 +-
 combo/apps/notifications/urls.py                   |  8 ++-
 tests/test_notification.py                         | 57 +++++++++++++---
 5 files changed, 136 insertions(+), 24 deletions(-)

diff --git a/combo/apps/notifications/api_views.py b/combo/apps/notifications/api_views.py
index 8737241..1b92db3 100644
--- a/combo/apps/notifications/api_views.py
+++ b/combo/apps/notifications/api_views.py
@@ -14,6 +14,10 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import hmac
+
+from django.conf import settings
+
 from rest_framework import serializers, permissions, status
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
@@ -21,6 +25,28 @@ from rest_framework.response import Response
 from .models import Notification
 
 
+class IsAuthenticatedOrSignedPermission(object):
+    @classmethod
+    def signature(self, url):
+        return hmac.HMAC(settings.SECRET_KEY, url).hexdigest()
+
+    @classmethod
+    def sign_url(cls, url):
+        signature = cls.signature(url)
+        separator = '&' if '?' in url else '?'
+        return '%s%ssignature=%s' % (url, separator, signature)
+
+    def has_permission(self, request, view):
+        if request.user and request.user.is_authenticated:
+            if 'user_id' in view.kwargs and str(request.user.id) == view.kwargs['user_id']:
+                return True
+        full_path = request.build_absolute_uri()
+        if not ('&signature=' in full_path or '?signature=' in full_path):
+            return False
+        payload, signature = full_path.rsplit('signature=', 1)
+        return self.signature(payload[:-1]) == signature
+
+
 class NotificationSerializer(serializers.Serializer):
     summary = serializers.CharField(required=True, allow_blank=False, max_length=140)
     id = serializers.CharField(required=False, allow_null=True)
@@ -32,6 +58,34 @@ class NotificationSerializer(serializers.Serializer):
     duration = serializers.IntegerField(required=False, allow_null=True, min_value=0)
 
 
+class Get(GenericAPIView):
+    permission_classes = (permissions.IsAuthenticated,)
+    serializer_class = NotificationSerializer
+
+    def get(self, request, *args, **kwargs):
+        notifications = Notification.objects.visible(request.user)
+        data = []
+        response = {'err': 0, 'data': data}
+        for notification in notifications:
+            id = notification.public_id,
+            data.append({
+                'id': id,
+                'acked': notification.acked,
+                'summary': notification.summary,
+                'body': notification.body,
+                'url': notification.url,
+                'origin': notification.origin,
+                'end_timestamp': notification.end_timestamp,
+                'ack_url': IsAuthenticatedOrSignedPermission.sign_url(
+                    request.build_absolute_uri(notification.ack_url)),
+                'forget_url': IsAuthenticatedOrSignedPermission.sign_url(
+                    request.build_absolute_uri(notification.forget_url)),
+            })
+        return Response(response)
+
+get = Get.as_view()
+
+
 class Add(GenericAPIView):
     permission_classes = (permissions.IsAuthenticated,)
     serializer_class = NotificationSerializer
@@ -56,29 +110,36 @@ class Add(GenericAPIView):
             )
         except ValueError as e:
             response = {'err': 1, 'err_desc': {'id': [unicode(e)]}}
-            return Response(response, status.HTTP_400_BAD_REQUEST)
+            return Response(response, status.HTTP_404_NOT_FOUND)
         else:
             response = {'err': 0, 'data': {'id': notification.public_id}}
             return Response(response)
 
 add = Add.as_view()
 
+class CORSApi(object):
+    def options(self, request, *args, **kwargs):
+        response = super(CORSApi, self).options(request, *args, **kwargs)
+        response['Access-Control-Request-Method'] = 'GET'
+        response['Access-Control-Allow-Origin'] = '*'
+        return response
 
-class Ack(GenericAPIView):
-    permission_classes = (permissions.IsAuthenticated,)
 
-    def get(self, request, notification_id, *args, **kwargs):
-        Notification.objects.find(request.user, notification_id).ack()
+class Ack(CORSApi, GenericAPIView):
+    permission_classes = (IsAuthenticatedOrSignedPermission,)
+
+    def get(self, request, user_id, notification_id, *args, **kwargs):
+        Notification.objects.find(user_id, notification_id).ack()
         return Response({'err': 0})
 
 ack = Ack.as_view()
 
 
-class Forget(GenericAPIView):
-    permission_classes = (permissions.IsAuthenticated,)
+class Forget(CORSApi, GenericAPIView):
+    permission_classes = (IsAuthenticatedOrSignedPermission,)
 
-    def get(self, request, notification_id, *args, **kwargs):
-        Notification.objects.find(request.user, notification_id).forget()
+    def get(self, request, user_id, notification_id, *args, **kwargs):
+        Notification.objects.find(user_id, notification_id).forget()
         return Response({'err': 0})
 
 forget = Forget.as_view()
diff --git a/combo/apps/notifications/models.py b/combo/apps/notifications/models.py
index 5422b05..2a1032f 100644
--- a/combo/apps/notifications/models.py
+++ b/combo/apps/notifications/models.py
@@ -22,6 +22,7 @@ from django.utils.translation import ugettext_lazy as _
 from django.utils.timezone import now, timedelta
 from django.db.models import Q
 from django.db.models.query import QuerySet
+from django.core.urlresolvers import reverse
 
 from combo.data.models import CellBase
 from combo.data.library import register_cell_class
@@ -72,7 +73,6 @@ class Notification(models.Model):
     acked = models.BooleanField(_('Acked'), default=False)
     external_id = models.SlugField(_('External identifier'), null=True)
 
-
     class Meta:
         verbose_name = _('Notification')
         unique_together = (
@@ -152,6 +152,16 @@ class Notification(models.Model):
         self.acked = True
         self.save(update_fields=['acked'])
 
+    @property
+    def ack_url(self):
+        return reverse('api-notification-ack', kwargs={
+            'user_id': self.user_id, 'notification_id': self.public_id})
+
+    @property
+    def forget_url(self):
+        return reverse('api-notification-forget', kwargs={
+            'user_id': self.user_id, 'notification_id': self.public_id})
+
 
 @register_cell_class
 class NotificationsCell(CellBase):
diff --git a/combo/apps/notifications/templates/combo/notificationscell.html b/combo/apps/notifications/templates/combo/notificationscell.html
index b815597..999661f 100644
--- a/combo/apps/notifications/templates/combo/notificationscell.html
+++ b/combo/apps/notifications/templates/combo/notificationscell.html
@@ -4,7 +4,9 @@
 <ul>
   {% for notification in notifications %}
   <li class="combo-notification {% if notification.acked %}combo-notification-acked{% endif %}"
-      data-combo-notification-id="{{ notification.public_id }}">
+      data-combo-notification-id="{{ notification.public_id }}"
+      data-combo-notification-ack-url="{{ notification.ack_url }}"
+      data-combo-notification-forget-url="{{ notification.forget_url }}">
     <a href="{{ notification.url|default:"#" }}">{{ notification.summary }}</a>
     {% if notification.body %}
     <div class="description">
diff --git a/combo/apps/notifications/urls.py b/combo/apps/notifications/urls.py
index 5542a7b..dc44b67 100644
--- a/combo/apps/notifications/urls.py
+++ b/combo/apps/notifications/urls.py
@@ -16,13 +16,15 @@
 
 from django.conf.urls import url
 
-from .api_views import add, ack, forget
+from .api_views import add, get, ack, forget
 
 urlpatterns = [
     url('^api/notification/add/$', add,
         name='api-notification-add'),
-    url(r'^api/notification/ack/(?P<notification_id>[\w-]+)/$', ack,
+    url('^api/notification/get/$', get,
+        name='api-notification-get'),
+    url(r'^api/notification/ack/(?P<user_id>\d{1,15})/(?P<notification_id>[\w-]+)/$', ack,
         name='api-notification-ack'),
-    url(r'^api/notification/forget/(?P<notification_id>[\w-]+)/$', forget,
+    url(r'^api/notification/forget/(?P<user_id>\d{1,15})/(?P<notification_id>[\w-]+)/$', forget,
         name='api-notification-forget'),
 ]
diff --git a/tests/test_notification.py b/tests/test_notification.py
index f19ce45..e5008f1 100644
--- a/tests/test_notification.py
+++ b/tests/test_notification.py
@@ -170,19 +170,19 @@ def test_notification_ws(user):
 
     del notif['end_timestamp']
     notif['duration'] = 3600
-    result = notify(notif, '5', 5)
-    assert result.end_timestamp.isoformat()[:19] == '2016-11-11T12:11:00'
+    result1 = notify(notif, '5', 5)
+    assert result1.end_timestamp.isoformat()[:19] == '2016-11-11T12:11:00'
 
     notif['duration'] = '3600'
-    result = notify(notif, '6', 6)
-    assert result.end_timestamp.isoformat()[:19] == '2016-11-11T12:11:00'
+    result2 = notify(notif, '6', 6)
+    assert result2.end_timestamp.isoformat()[:19] == '2016-11-11T12:11:00'
 
-    resp = client.get(reverse('api-notification-ack', kwargs={'notification_id': '6'}))
+    resp = client.get(result2.ack_url)
     assert resp.status_code == 200
     assert Notification.objects.filter(acked=True).count() == 1
     assert Notification.objects.filter(acked=True).get().public_id == '6'
 
-    resp = client.get(reverse('api-notification-forget', kwargs={'notification_id': '5'}))
+    resp = client.get(result1.forget_url)
     assert resp.status_code == 200
     assert Notification.objects.filter(acked=True).count() == 2
     notif = Notification.objects.find(user, '5').get()
@@ -220,17 +220,17 @@ def test_notification_ws_deny():
                        json.dumps({'summary': 'ok'}),
                        content_type='application/json').status_code == 403
     assert client.get(reverse('api-notification-ack',
-                              kwargs={'notification_id': '1'})).status_code == 403
+                              kwargs={'user_id': 1, 'notification_id': '1'})).status_code == 403
     assert client.get(reverse('api-notification-forget',
-                              kwargs={'notification_id': '1'})).status_code == 403
+                              kwargs={'user_id': 1, 'notification_id': '1'})).status_code == 403
 
 
 def test_notification_ws_check_urls():
     assert reverse('api-notification-add') == '/api/notification/add/'
     assert reverse('api-notification-ack',
-                   kwargs={'notification_id': 'noti1'}) == '/api/notification/ack/noti1/'
+                   kwargs={'user_id': '1', 'notification_id': 'noti1'}) == '/api/notification/ack/1/noti1/'
     assert reverse('api-notification-forget',
-                   kwargs={'notification_id': 'noti1'}) == '/api/notification/forget/noti1/'
+                   kwargs={'user_id': '2', 'notification_id': 'noti1'}) == '/api/notification/forget/2/noti1/'
 
 
 def test_notification_id_and_origin(user):
@@ -255,3 +255,40 @@ def test_notification_id_and_origin(user):
 
     result = notify({'summary': 'foo', 'id': 'foo:foo', 'origin': 'bar'})
     assert result['err'] == 0
+
+
+def test_notification_ws_get(app, user):
+    Notification.notify(user, 'foo')
+    Notification.notify(user, 'bar')
+
+    app.set_user(user)
+
+    response = app.get(reverse('api-notification-get'))
+    result = response.json
+    assert result['err'] == 0
+    assert len(result['data']) == 2
+
+    app.set_user(None)
+    app.session.flush()
+
+    app.get(reverse('api-notification-get'), status=403)
+    assert Notification.objects.visible(user).new().count() == 2
+
+    for notif in result['data']:
+        response = app.options(notif['ack_url'])
+        assert response['Access-Control-Allow-Origin'] == '*'
+        assert response['Access-Control-Request-Method'] == 'GET'
+        assert app.get(notif['ack_url'])
+        assert app.get(notif['ack_url'])
+
+    assert Notification.objects.visible(user).new().count() == 0
+    assert Notification.objects.visible(user).count() == 2
+
+    for notif in result['data']:
+        response = app.options(notif['forget_url'])
+        assert response['Access-Control-Allow-Origin'] == '*'
+        assert response['Access-Control-Request-Method'] == 'GET'
+        assert app.get(notif['forget_url'])
+        assert app.get(notif['forget_url'])
+
+    assert Notification.objects.visible(user).count() == 0
-- 
2.14.2