Merge pull request #44 from sei-vsarvepalli/github-vss-main

BugFix for API key generation issue reported by a user.
CERTCC · Aug 15, 2022 · 5a7284d · 5a7284d
2 parents b986a86 + 6fb0ef9
commit 5a7284d
Show file tree

Hide file tree

Showing 5 changed files with 172 additions and 87 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # VINCE Changelog
 
+Version 1.50.1: 2022-08-08
+==========================
+
+BugFix for API key generation issue. The generate_key method was disabled accidentally
+
+
 # Version 1.50.0: 2022-07-19
 ============================
 

diff --git a/cogauth/templates/cogauth/profile.html b/cogauth/templates/cogauth/profile.html
@@ -1,4 +1,4 @@
-{% extends VINCECOMM_BASE_TEMPLATE %}
+{% extends 'vinny/base.html' %}
 {% load i18n static %}
 {% block js %}
 {{ block.super }}
@@ -27,6 +27,34 @@ <h2>User Profile</h2>
   </div>
 </div>
 <div class="reveal" data-reveal id="modal" data-close-on-click='false'></div>
+<div id="confirm" style="display:none"> 
+  <div class="fullmodal">
+    <div class="modal-content">
+      <div class="modal-header">
+	<h5 class="modal-title"></h5>
+      </div>
+      <form method="GET" action="#areusure">
+	<div class="modal-body">
+	  <p class="cmessage">
+	  </p>
+	</div>
+	<div class="modal-footer">
+	  <div class="row column text-right">
+            <button type="button" class="primary button getaction">
+	      OK
+	    </button>
+            <button type="button" data-close="" class="alert button">
+	      Cancel
+	    </button>	
+	  </div>
+	</div>
+      </form>
+    </div>
+    <button class="close-button" data-close="" aria-label="Close modal" type="button">
+      <span aria-hidden="true">X</span>
+    </button>
+  </div>
+</div>
 <div class="card-profile-stats">
   <div class="row column">
     <div class="card-profile-stats-intro">
@@ -84,7 +112,7 @@ <h3>{{ coguser.preferred_username }}</h3>
       </tr>
       <tr>
 	<td>Multi-factor Authentication (MFA)</td>
-	<td>{% if coguser.mfa %}{{ coguser.mfa|mfafilter }} <button action="{% url 'cogauth:rmmfa' %}" id="rmmfa" class="button default">Change MFA Method</button>{% else %}<button action="{% url 'cogauth:mfa' %}" id="enablemfa" class="button default">Enable MFA</button>{% endif %}</td>
+	<td>{% if coguser.mfa %}{{ coguser.mfa|mfafilter }} <button action="{% url 'cogauth:rmmfa' %}" id="rmmfa" class="button default getaction">Change MFA Method</button>{% else %}<button action="{% url 'cogauth:mfa' %}" id="enablemfa" class="button default getaction">Enable MFA</button>{% endif %}</td>
       </tr>
       {% if mfa_on %}
       <tr>
@@ -94,9 +122,15 @@ <h3>{{ coguser.preferred_username }}</h3>
       {% endif %}
       <tr>
 	<td>API Key</td>
-	<td>{% if coguser.api_key %}ENABLED{% endif %} <button id="gentoken" action="{% url 'cogauth:gentoken' %}" class="button default">{% if coguser.api_key %}Generate New Key{% else %}Generate API Key{% endif %}</button></td>
+	<td>
+<<<<<<< HEAD
+	  <button id="gentoken" action="{% url 'cogauth:gentoken' %}" {% if coguser.api_key %} preaction="{% url 'cogauth:deltoken' %}" class="button default getaction" data-confirm="Would you like to create a new API key and revoke your old API key?">Refresh API Key{% else %}>Generate API Key{% endif %}</button>
+=======
+	  <button id="gentoken" class="button default getaction" action="{% url 'cogauth:gentoken' %}" {% if coguser.api_key %} preaction="{% url 'cogauth:deltoken' %}" data-confirm="Would you like to create a new API key and revoke your old API key?">Refresh API Key{% else %}>Generate API Key{% endif %}</button>
+>>>>>>> 8a48f75ae87 (Fix API generate as a synchronous Delete and Create for)
+	</td>
       </tr>
-  </table>
-</div>
+    </table>
+  </div>
 
-{% endblock %}
+  {% endblock %}
diff --git a/cogauth/urls.py b/cogauth/urls.py
@@ -50,6 +50,7 @@
     path('verify/error/', views.LimitExceededView.as_view(), name='limitexceeded'),
     path('register/', views.RegisterView.as_view(), name='register'),
     path('genapikey/', views.GenerateTokenView.as_view(), name='gentoken'),
+    path('delapikey/', views.DeleteTokenView.as_view(), name='deltoken'),    
     re_path(r'^genapikey/service/(?P<vendor_id>\d+)/', views.GenerateServiceTokenView.as_view(), name='genservicetoken'),
     path('account/help/', views.LoginHelpView.as_view(), name='loginhelp'),
     path('confirmed/', TemplateView.as_view(template_name='cogauth/account_confirmed.html'), name='account_confirmed'),

diff --git a/cogauth/views.py b/cogauth/views.py
@@ -35,7 +35,6 @@
 from django.utils.translation import ugettext as _
 from django.utils.decorators import method_decorator
 from django.core.exceptions import PermissionDenied
-from urllib.parse import urlparse
 try:
     from django.urls import reverse_lazy, reverse
 except ImportError:
@@ -67,6 +66,7 @@
 from boto3.exceptions import Boto3Error
 from botocore.exceptions import ClientError, ParamValidationError
 from django.utils.http import is_safe_url
+from django.http.response import JsonResponse
 
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.DEBUG)
@@ -329,6 +329,24 @@ def post(self, request, *args, **kwargs):
                 return redirect(settings.MFA_REDIRECT_URL)
         messages.error(request, "Password was incorrect.  MFA not removed")
         return redirect("cogauth:profile")
+
+
+class DeleteTokenView(LoginRequiredMixin,TokenMixin,GetUserMixin,TemplateView):
+
+    template_name = 'cogauth/gentoken.html'
+    login_url = "cogauth:login"
+
+    def get(self, request, *args, **kwargs):
+        dresponse = {"delete": 0}
+        try:
+            token = VinceAPIToken.objects.get(user=self.request.user)
+            token.delete()
+            dresponse['delete'] = 1
+            logger.info(f"The User's previous token was deleted  { self.request.user.username }")            
+        except VinceAPIToken.DoesNotExist:
+            logger.debug(f"The User's token does not exist { self.request.user.username }")
+            dresponse['delete'] = 0
+        return JsonResponse(dresponse)
 
 class GenerateTokenView(LoginRequiredMixin,TokenMixin,GetUserMixin,TemplateView):
     template_name = 'cogauth/gentoken.html'
@@ -337,18 +355,17 @@ class GenerateTokenView(LoginRequiredMixin,TokenMixin,GetUserMixin,TemplateView)
     def get_context_data(self, **kwargs):
         context = super(GenerateTokenView, self).get_context_data(**kwargs)
         context['coguser'] = self.get_user()
-        # generate a token        context['token'] = generate_key()
-        # does user already have a token
-        try:
-            token = VinceAPIToken.objects.get(user=self.request.user)
-            token.delete()
-        except VinceAPIToken.DoesNotExist:
-            pass
-
+        # generate a token
+        context['token'] = generate_key()
+        # If the user already has a token
+        # the action to check and delete key happens
+        # in Javascript by request /delapikey url
+        # identified by var vinny:deltoken
         token = VinceAPIToken(user=self.request.user)
         token.save(context['token'])
         c = get_cognito(self.request)
         c.update_profile({'custom:api_key':str(token)})
+        logger.debug(f"New API key generated for { self.request.user.username }")        
         return context
 
 
@@ -426,28 +443,43 @@ def post(self, request, *args, **kwargs):
         return redirect("cogauth:mfa")
 
 
-def pretty_request(request):
-    headers = ''
-    for header, value in request.META.items():
-        if not header.startswith('HTTP'):
-            continue
-        header = '-'.join([h.capitalize() for h in header[5:].lower().split('_')])
-        headers += '{}: {}\n'.format(header, value)
-
-    return (
-        '{method} HTTP/1.1\n'
-        'Content-Length: {content_length}\n'
-        'Content-Type: {content_type}\n'
-        '{headers}\n\n'
-        '{body}'
-    ).format(
-        method=request.method,
-        content_length=request.META.get('CONTENT_LENGTH'),
-        content_type=request.META.get('CONTENT_TYPE'),
-        headers=headers,
-        body=request.body,
-    )
-
+class IndexView(TemplateView):
+
+    def get_context_data(self, **kwargs):
+        context = super(IndexView, self).get_context_data(**kwargs)
+        code = self.request.GET.get('code', False)
+        logger.debug(code)
+        if code:
+            headers={'Content-Type': 'application/x-www-form-urlencoded'}
+            data = {
+                'grant_type': 'authorization_code',
+                'client_id': settings.COGNITO_APP_ID,
+                'redirect_uri':settings.COGNITO_REDIRECT_TO,
+                'code':code
+                }
+            r = requests.post(COGNITO_OAUTH_URL, headers=headers,data=data)
+            if not(r == None or (r.status_code != requests.codes.ok)):
+                rj = r.json()
+                access_token = rj['access_token']
+                refresh_token =	rj['refresh_token']
+                id_token=rj['id_token']
+                u = Cognito(settings.COGNITO_USER_POOL_ID, settings.COGNITO_APP_ID,
+                            user_pool_region=settings.COGNITO_REGION,
+                            id_token=id_token, refresh_token=refresh_token,
+                            access_token=access_token)
+
+                u.check_token()
+                self.request.session['ACCESS_TOKEN'] = access_token
+                self.request.session['ID_TOKEN'] = id_token
+                self.request.session['REFRESH_TOKEN'] = refresh_token
+                self.request.session.save()
+                client= boto3.client('cognito-idp', region_name=settings.COGNITO_REGION)
+                user = client.get_user(AccessToken=access_token)
+                userauth = authenticate(self.request, username=user['Username'])
+                if userauth:
+                    redirect("vinny:dashboard")
+        return context
+
 class COGLoginView(FormView):
     template_name = 'cogauth/login.html'
     form_class = COGAuthenticationForm
@@ -459,9 +491,6 @@ def get_success_url(self):
     def get_context_data(self, **kwargs):
         context = super(COGLoginView, self).get_context_data(**kwargs)
         logger.debug("IN COGLOGIN")
-        logger.debug(self.request.META.get('HTTP_REFERER'))
-        referer = self.request.META.get('HTTP_REFERER')
-        referer = urlparse(referer)
         if settings.DEBUG:
             context['token_login'] = True
 
@@ -963,7 +992,7 @@ def form_valid(self, form):
                 return redirect('cogauth:password_change')
             else:
                 form._errors.setdefault("username", ErrorList([
-                    u"Error Occurred. Please try again."
+                    u"Error Occurred. Please contact [email protected]"
                 ]))
                 return super().form_invalid(form)        
 

diff --git a/vinny/static/vinny/js/profile.js b/vinny/static/vinny/js/profile.js
@@ -27,52 +27,67 @@
 # DM21-1126
 ########################################################################
 */
-$(document).ready(function() {
-
-    var modal = $("#modal");
-
-    $(document).on("click", "#enablemfa", function(event) {
-	event.preventDefault();
-        var url = $(this).attr("action");
-
-        $.ajax({
-            url: url,
-            type: "GET",
-            success: function(data) {
-                modal.html(data).foundation('open');
-            }
-        });
-
-    });
-
-
-    $(document).on("click", "#rmmfa", function(event) {
-        event.preventDefault();
-        var url = $(this).attr("action");
-
-        $.ajax({
-            url: url,
-            type: "GET",
-            success: function(data) {
-                modal.html(data).foundation('open');
-            }
-        });
-
+$.ajaxSetup({
+    error : function(jqXHR, textStatus, errorThrown) {
+        console.log(arguments);
+        check_confirm("Sorry the request failed. Please contact "+
+		      " the administrator or your support channel "+
+		      " with the browser console log!");
+    }
+});
+function check_confirm(msg,url,nexturl) {
+    /*
+      Script to alert a message and allow for OK to proceed or Cancel
+      If action urls is not provided this will just be an alert. 
+     */
+    $('#modal').html($('#confirm').html()).foundation("open");
+    $('#modal .cmessage').html(msg);
+    if(url) {
+	$('#modal .getaction').attr("action",url);
+	$('#modal .getaction').attr("nextaction",nexturl);	
+	$('#modal .getaction').on("click", getaction);	
+	$('#modal .modal-title').html("Are You Sure?");
+    }
+    else {
+	$('#modal .modal-title').html("Alert!");	
+	$('#modal .modal-footer').hide();
+    }
+};
+function getaction(event) {
+    event.preventDefault();
+    var url = $(event.target).attr("action");
+    var preaction = $(event.target).attr("preaction");
+    var nextaction = $(event.target).attr("nextaction");
+    if(!url) {
+	console.log("Dummy button return");
+	return;
+    }
+    if(preaction) {
+	var msg = $(event.target).data("confirm");
+	return check_confirm(msg,preaction,url);
+    } else if(nextaction) {
+	$.ajax({url: url,
+		type: "GET",
+		success: function(data) {
+		    console.log(data);
+		    doaction(nextaction);
+		}
+	       });
+    } else {
+	doaction(url);
+    }
+};
+function doaction(url) {
+    var modal = $('#modal');	
+    $.ajax({
+        url: url,
+        type: "GET",
+        success: function(data) {
+	    modal.html(data).foundation("open");
+        }
     });
+};
 
-
-    $(document).on("click", "#gentoken", function(event) {
-        event.preventDefault();
-        var url = $(this).attr("action");
-
-        $.ajax({
-            url: url,
-            type: "GET",
-            success: function(data) {
-                modal.html(data).foundation('open');
-            }
-        });
-
-    });
-
+$(document).ready(function() {
+    $('.getaction').on("click", getaction);
 });