import base64
import binascii
from django.conf import settings
from django.contrib.auth import user_logged_in
from django.contrib.auth.hashers import is_password_usable
from django.core.cache import cache
from django.core.mail import EmailMessage
from django.http import Http404
from django.shortcuts import redirect
from django.template.loader import get_template
from rest_framework import generics, mixins, status, viewsets
from rest_framework.authentication import get_authorization_header
from rest_framework.exceptions import (NotAcceptable, NotFound, PermissionDenied, ValidationError)
from rest_framework.permissions import IsAuthenticated, SAFE_METHODS
from rest_framework.renderers import JSONRenderer, StaticHTMLRenderer
from rest_framework.response import Response
from rest_framework.reverse import reverse
from rest_framework.views import APIView
import desecapi.authentication as auth
from desecapi import metrics, models, serializers
from desecapi.exceptions import ConcurrencyException
from desecapi.pdns import get_serials
from desecapi.pdns_change_tracker import PDNSChangeTracker
from desecapi.permissions import IsDomainOwner, IsOwner, IsVPNClient, WithinDomainLimitOnPOST
from desecapi.renderers import PlainTextRenderer
class EmptyPayloadMixin:
def initialize_request(self, request, *args, **kwargs):
request = super().initialize_request(request, *args, **kwargs)
try:
no_data = request.stream is None
except:
no_data = True
if no_data:
# In this case, data and files are both empty, so we can set request.data=None (instead of the default {}).
# This allows distinguishing missing payload from empty dict payload.
# See https://github.com/encode/django-rest-framework/pull/7195
request._full_data = None
return request
class IdempotentDestroyMixin:
def destroy(self, request, *args, **kwargs):
try:
# noinspection PyUnresolvedReferences
super().destroy(request, *args, **kwargs)
except Http404:
pass
return Response(status=status.HTTP_204_NO_CONTENT)
class DomainViewMixin:
def initial(self, request, *args, **kwargs):
# noinspection PyUnresolvedReferences
super().initial(request, *args, **kwargs)
try:
# noinspection PyAttributeOutsideInit, PyUnresolvedReferences
self.domain = self.request.user.domains.get(name=self.kwargs['name'])
except models.Domain.DoesNotExist:
raise Http404
class TokenViewSet(IdempotentDestroyMixin, viewsets.ModelViewSet):
serializer_class = serializers.TokenSerializer
permission_classes = (IsAuthenticated,)
throttle_scope = 'account_management_passive'
def get_queryset(self):
return self.request.user.auth_tokens.all()
def get_serializer(self, *args, **kwargs):
# When creating a new token, return the plaintext representation
if self.request.method == 'POST':
kwargs.setdefault('include_plain', True)
return super().get_serializer(*args, **kwargs)
def perform_create(self, serializer):
serializer.save(user=self.request.user)
class DomainViewSet(IdempotentDestroyMixin,
mixins.CreateModelMixin,
mixins.RetrieveModelMixin,
mixins.DestroyModelMixin,
mixins.ListModelMixin,
viewsets.GenericViewSet):
serializer_class = serializers.DomainSerializer
permission_classes = (IsAuthenticated, IsOwner, WithinDomainLimitOnPOST)
lookup_field = 'name'
lookup_value_regex = r'[^/]+'
@property
def throttle_scope(self):
return 'dns_api_read' if self.request.method in SAFE_METHODS else 'dns_api_write'
def get_queryset(self):
return self.request.user.domains
def get_serializer(self, *args, **kwargs):
include_keys = (self.action in ['create', 'retrieve'])
return super().get_serializer(*args, include_keys=include_keys, **kwargs)
def perform_create(self, serializer):
with PDNSChangeTracker():
domain = serializer.save(owner=self.request.user)
# TODO this line raises if the local public suffix is not in our database!
PDNSChangeTracker.track(lambda: self.auto_delegate(domain))
@staticmethod
def auto_delegate(domain: models.Domain):
if domain.is_locally_registrable:
parent_domain = models.Domain.objects.get(name=domain.parent_domain_name)
parent_domain.update_delegation(domain)
def perform_destroy(self, instance: models.Domain):
with PDNSChangeTracker():
instance.delete()
if instance.is_locally_registrable:
parent_domain = models.Domain.objects.get(name=instance.parent_domain_name)
with PDNSChangeTracker():
parent_domain.update_delegation(instance)
class SerialList(generics.ListAPIView):
permission_classes = (IsVPNClient,)
throttle_classes = [] # don't break slaves when they ask too often (our cached responses are cheap)
def list(self, request):
key = 'desecapi.views.serials'
serials = cache.get(key)
if serials is None:
serials = get_serials()
cache.get_or_set(key, serials, timeout=15)
return Response(serials)
class RRsetDetail(IdempotentDestroyMixin, DomainViewMixin, generics.RetrieveUpdateDestroyAPIView):
serializer_class = serializers.RRsetSerializer
permission_classes = (IsAuthenticated, IsDomainOwner,)
@property
def throttle_scope(self):
return 'dns_api_read' if self.request.method in SAFE_METHODS else 'dns_api_write'
def get_queryset(self):
return self.domain.rrset_set
def get_object(self):
queryset = self.filter_queryset(self.get_queryset())
filter_kwargs = {k: self.kwargs[k] for k in ['subname', 'type']}
obj = generics.get_object_or_404(queryset, **filter_kwargs)
# May raise a permission denied
self.check_object_permissions(self.request, obj)
return obj
def get_serializer(self, *args, **kwargs):
return super().get_serializer(domain=self.domain, *args, **kwargs)
def update(self, request, *args, **kwargs):
response = super().update(request, *args, **kwargs)
if response.data is None:
response.status_code = 204
return response
def perform_update(self, serializer):
with PDNSChangeTracker():
super().perform_update(serializer)
def perform_destroy(self, instance):
with PDNSChangeTracker():
super().perform_destroy(instance)
class RRsetList(EmptyPayloadMixin, DomainViewMixin, generics.ListCreateAPIView, generics.UpdateAPIView):
serializer_class = serializers.RRsetSerializer
permission_classes = (IsAuthenticated, IsDomainOwner,)
@property
def throttle_scope(self):
return 'dns_api_read' if self.request.method in SAFE_METHODS else 'dns_api_write'
def get_queryset(self):
rrsets = models.RRset.objects.filter(domain=self.domain)
for filter_field in ('subname', 'type'):
value = self.request.query_params.get(filter_field)
if value is not None:
# TODO consider moving this
if filter_field == 'type' and value in models.RRset.RESTRICTED_TYPES:
raise PermissionDenied("You cannot tinker with the %s RRset." % value)
rrsets = rrsets.filter(**{'%s__exact' % filter_field: value})
return rrsets
def get_object(self):
# For this view, the object we're operating on is the queryset that one can also GET. Serializing a queryset
# is fine as per https://www.django-rest-framework.org/api-guide/serializers/#serializing-multiple-objects.
# We skip checking object permissions here to avoid evaluating the queryset. The user can access all his RRsets
# anyways.
return self.filter_queryset(self.get_queryset())
def get_serializer(self, *args, **kwargs):
kwargs = kwargs.copy()
if 'many' not in kwargs:
if self.request.method in ['POST']:
kwargs['many'] = isinstance(kwargs.get('data'), list)
elif self.request.method in ['PATCH', 'PUT']:
kwargs['many'] = True
return super().get_serializer(domain=self.domain, *args, **kwargs)
def perform_create(self, serializer):
with PDNSChangeTracker():
serializer.save()
def perform_update(self, serializer):
with PDNSChangeTracker():
serializer.save()
class Root(APIView):
def get(self, request, *_):
if self.request.user.is_authenticated:
routes = {
'account': {
'show': reverse('account', request=request),
'delete': reverse('account-delete', request=request),
'change-email': reverse('account-change-email', request=request),
'reset-password': reverse('account-reset-password', request=request),
},
'logout': reverse('logout', request=request),
'tokens': reverse('token-list', request=request),
'domains': reverse('domain-list', request=request),
}
else:
routes = {
'register': reverse('register', request=request),
'login': reverse('login', request=request),
'reset-password': reverse('account-reset-password', request=request),
}
return Response(routes)
class DynDNS12Update(APIView):
authentication_classes = (auth.TokenAuthentication, auth.BasicTokenAuthentication, auth.URLParamAuthentication,)
renderer_classes = [PlainTextRenderer]
throttle_scope = 'dyndns'
def _find_domain(self, request):
def find_domain_name(r):
# 1. hostname parameter
if 'hostname' in r.query_params and r.query_params['hostname'] != 'YES':
return r.query_params['hostname']
# 2. host_id parameter
if 'host_id' in r.query_params:
return r.query_params['host_id']
# 3. http basic auth username
try:
domain_name = base64.b64decode(
get_authorization_header(r).decode().split(' ')[1].encode()).decode().split(':')[0]
if domain_name and '@' not in domain_name:
return domain_name
except IndexError:
pass
except UnicodeDecodeError:
pass
except binascii.Error:
pass
# 4. username parameter
if 'username' in r.query_params:
return r.query_params['username']
# 5. only domain associated with this user account
if len(r.user.domains.all()) == 1:
return r.user.domains.all()[0].name
if len(r.user.domains.all()) > 1:
ex = ValidationError(detail={
"detail": "Request does not specify domain unambiguously.",
"code": "domain-ambiguous"
})
ex.status_code = status.HTTP_409_CONFLICT
raise ex
return None
name = find_domain_name(request).lower()
try:
return self.request.user.domains.get(name=name)
except models.Domain.DoesNotExist:
return None
@staticmethod
def find_ip(request, params, version=4):
if version == 4:
look_for = '.'
elif version == 6:
look_for = ':'
else:
raise Exception
# Check URL parameters
for p in params:
if p in request.query_params:
if not len(request.query_params[p]):
return None
if look_for in request.query_params[p]:
return request.query_params[p]
# Check remote IP address
client_ip = request.META.get('REMOTE_ADDR')
if look_for in client_ip:
return client_ip
# give up
return None
def _find_ip_v4(self, request):
return self.find_ip(request, ['myip', 'myipv4', 'ip'])
def _find_ip_v6(self, request):
return self.find_ip(request, ['myipv6', 'ipv6', 'myip', 'ip'], version=6)
def get(self, request, *_):
domain = self._find_domain(request)
if domain is None:
metrics.get('desecapi_dynDNS12_domain_not_found').inc()
raise NotFound('nohost')
ipv4 = self._find_ip_v4(request)
ipv6 = self._find_ip_v6(request)
data = [
{'type': 'A', 'subname': '', 'ttl': 60, 'records': [ipv4] if ipv4 else []},
{'type': 'AAAA', 'subname': '', 'ttl': 60, 'records': [ipv6] if ipv6 else []},
]
instances = domain.rrset_set.filter(subname='', type__in=['A', 'AAAA']).all()
serializer = serializers.RRsetSerializer(instances, domain=domain, data=data, many=True, partial=True)
try:
serializer.is_valid(raise_exception=True)
except ValidationError as e:
if any('ttl' in error for error in e.detail):
raise PermissionDenied({'detail': 'Domain not eligible for dynamic updates, please contact support.'})
if any(
any(
getattr(non_field_error, 'code', '') == 'unique'
for non_field_error
in err.get('non_field_errors', [])
)
for err in e.detail
):
raise ConcurrencyException from e
raise e
with PDNSChangeTracker():
serializer.save()
return Response('good', content_type='text/plain')
class DonationList(generics.CreateAPIView):
serializer_class = serializers.DonationSerializer
def perform_create(self, serializer):
instance = self.serializer_class.Meta.model(**serializer.validated_data)
context = {
'donation': instance,
'creditoridentifier': settings.SEPA['CREDITOR_ID'],
'creditorname': settings.SEPA['CREDITOR_NAME'],
}
# internal desec notification
content_tmpl = get_template('emails/donation/desec-content.txt')
subject_tmpl = get_template('emails/donation/desec-subject.txt')
attachment_tmpl = get_template('emails/donation/desec-attachment-jameica.txt')
from_tmpl = get_template('emails/from.txt')
email = EmailMessage(subject_tmpl.render(context),
content_tmpl.render(context),
from_tmpl.render(context),
['donation@desec.io'],
attachments=[
('jameica-directdebit.xml',
attachment_tmpl.render(context),
'text/xml')
])
email.send()
# donor notification
if instance.email:
content_tmpl = get_template('emails/donation/donor-content.txt')
subject_tmpl = get_template('emails/donation/donor-subject.txt')
footer_tmpl = get_template('emails/footer.txt')
email = EmailMessage(subject_tmpl.render(context),
content_tmpl.render(context) + footer_tmpl.render(),
from_tmpl.render(context),
[instance.email])
email.send()
class AccountCreateView(generics.CreateAPIView):
serializer_class = serializers.RegisterAccountSerializer
throttle_scope = 'account_management_active'
def create(self, request, *args, **kwargs):
# Create user and send trigger email verification.
# Alternative would be to create user once email is verified, but this could be abused for bulk email.
serializer = self.get_serializer(data=request.data)
activation_required = settings.USER_ACTIVATION_REQUIRED
try:
serializer.is_valid(raise_exception=True)
except ValidationError as e:
# Hide existing users
email_detail = e.detail.pop('email', [])
email_detail = [detail for detail in email_detail if detail.code != 'unique']
if email_detail:
e.detail['email'] = email_detail
if e.detail:
raise e
else:
# create user
user = serializer.save(is_active=(not activation_required))
# send email if needed
domain = serializer.validated_data.get('domain')
if domain or activation_required:
action = models.AuthenticatedActivateUserAction(user=user, domain=domain)
verification_code = serializers.AuthenticatedActivateUserActionSerializer(action).data['code']
user.send_email('activate-with-domain' if domain else 'activate', context={
'confirmation_link': reverse('confirm-activate-account', request=request, args=[verification_code]),
'domain': domain,
})
# This request is unauthenticated, so don't expose whether we did anything.
message = 'Welcome! Please check your mailbox.' if activation_required else 'Welcome!'
return Response(data={'detail': message}, status=status.HTTP_202_ACCEPTED)
class AccountView(generics.RetrieveAPIView):
permission_classes = (IsAuthenticated,)
serializer_class = serializers.UserSerializer
throttle_scope = 'account_management_passive'
def get_object(self):
return self.request.user
class AccountDeleteView(generics.GenericAPIView):
authentication_classes = (auth.EmailPasswordPayloadAuthentication,)
permission_classes = (IsAuthenticated,)
response_still_has_domains = Response(
data={'detail': 'To delete your user account, first delete all of your domains.'},
status=status.HTTP_409_CONFLICT,
)
throttle_scope = 'account_management_active'
def post(self, request, *args, **kwargs):
if self.request.user.domains.exists():
return self.response_still_has_domains
action = models.AuthenticatedDeleteUserAction(user=self.request.user)
verification_code = serializers.AuthenticatedDeleteUserActionSerializer(action).data['code']
request.user.send_email('delete-user', context={
'confirmation_link': reverse('confirm-delete-account', request=request, args=[verification_code])
})
return Response(data={'detail': 'Please check your mailbox for further account deletion instructions.'},
status=status.HTTP_202_ACCEPTED)
class AccountLoginView(generics.GenericAPIView):
authentication_classes = (auth.EmailPasswordPayloadAuthentication,)
permission_classes = (IsAuthenticated,)
throttle_scope = 'account_management_passive'
def post(self, request, *args, **kwargs):
user = self.request.user
token = models.Token.objects.create(user=user, name="login")
user_logged_in.send(sender=user.__class__, request=self.request, user=user)
data = serializers.TokenSerializer(token, include_plain=True).data
return Response(data)
class AccountLogoutView(generics.GenericAPIView, mixins.DestroyModelMixin):
authentication_classes = (auth.TokenAuthentication,)
permission_classes = (IsAuthenticated,)
throttle_classes = [] # always allow people to log out
def get_object(self):
# self.request.auth contains the hashed key as it is stored in the database
return models.Token.objects.get(key=self.request.auth)
def post(self, request, *args, **kwargs):
return self.destroy(request, *args, **kwargs)
class AccountChangeEmailView(generics.GenericAPIView):
authentication_classes = (auth.EmailPasswordPayloadAuthentication,)
permission_classes = (IsAuthenticated,)
serializer_class = serializers.ChangeEmailSerializer
throttle_scope = 'account_management_active'
def post(self, request, *args, **kwargs):
# Check password and extract email
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
new_email = serializer.validated_data['new_email']
action = models.AuthenticatedChangeEmailUserAction(user=request.user, new_email=new_email)
verification_code = serializers.AuthenticatedChangeEmailUserActionSerializer(action).data['code']
request.user.send_email('change-email', recipient=new_email, context={
'confirmation_link': reverse('confirm-change-email', request=request, args=[verification_code]),
'old_email': request.user.email,
'new_email': new_email,
})
# At this point, we know that we are talking to the user, so we can tell that we sent an email.
return Response(data={'detail': 'Please check your mailbox to confirm email address change.'},
status=status.HTTP_202_ACCEPTED)
class AccountResetPasswordView(generics.GenericAPIView):
serializer_class = serializers.ResetPasswordSerializer
throttle_scope = 'account_management_active'
def post(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
try:
email = serializer.validated_data['email']
user = models.User.objects.get(email=email, is_active=True)
except models.User.DoesNotExist:
pass
else:
self.send_reset_token(user, request)
# This request is unauthenticated, so don't expose whether we did anything.
return Response(data={'detail': 'Please check your mailbox for further password reset instructions. '
'If you did not receive an email, please contact support.'},
status=status.HTTP_202_ACCEPTED)
@staticmethod
def send_reset_token(user, request):
action = models.AuthenticatedResetPasswordUserAction(user=user)
verification_code = serializers.AuthenticatedResetPasswordUserActionSerializer(action).data['code']
user.send_email('reset-password', context={
'confirmation_link': reverse('confirm-reset-password', request=request, args=[verification_code])
})
class AuthenticatedActionView(generics.GenericAPIView):
"""
Abstract class. Deserializes the given payload according the serializers specified by the view extending
this class. If the `serializer.is_valid`, `act` is called on the action object.
"""
action = None
authentication_classes = (auth.AuthenticatedActionAuthentication,)
html_url = None
http_method_names = ['get', 'post'] # GET is for redirect only
renderer_classes = [JSONRenderer, StaticHTMLRenderer]
@property
def throttle_scope(self):
return 'account_management_passive' if self.request.method in SAFE_METHODS else 'account_management_active'
def get_serializer_context(self):
return {**super().get_serializer_context(), 'code': self.kwargs['code']}
def perform_authentication(self, request):
# Delay authentication until request.auth or request.user is first accessed.
# This allows returning a redirect or status 405 without validating the action code.
pass
def get(self, request, *args, **kwargs):
# Redirect browsers to frontend if available
is_redirect = (request.accepted_renderer.format == 'html') and self.html_url is not None
if is_redirect:
# Careful: This can generally lead to an open redirect if values contain slashes!
# However, it cannot happen for Django view kwargs.
return redirect(self.html_url.format(**kwargs))
else:
raise NotAcceptable
def post(self, request, *args, **kwargs):
super().perform_authentication(request)
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
try:
self.action = serializer.Meta.model(**serializer.validated_data)
except ValueError: # this happens when state cannot be verified
raise ValidationError('Invalid code.')
self.action.act()
return self.finalize()
def finalize(self):
raise NotImplementedError
class AuthenticatedActivateUserActionView(AuthenticatedActionView):
html_url = '/confirm/activate-account/{code}/'
serializer_class = serializers.AuthenticatedActivateUserActionSerializer
def finalize(self):
if not self.action.domain:
return self._finalize_without_domain()
else:
domain = self._create_domain()
return self._finalize_with_domain(domain)
def _create_domain(self):
serializer = serializers.DomainSerializer(
data={'name': self.action.domain},
context=self.get_serializer_context()
)
try:
serializer.is_valid(raise_exception=True)
except ValidationError as e: # e.g. domain name unavailable
self.action.user.delete()
reasons = ', '.join([detail.code for detail in e.detail.get('name', [])])
raise ValidationError(
f'The requested domain {self.action.domain} could not be registered (reason: {reasons}). '
f'Please start over and sign up again.'
)
# TODO the following line is subject to race condition and can fail, as for the domain name, we have that
# time-of-check != time-of-action
return PDNSChangeTracker.track(lambda: serializer.save(owner=self.action.user))
def _finalize_without_domain(self):
if not is_password_usable(self.action.user.password):
AccountResetPasswordView.send_reset_token(self.action.user, self.request)
return Response({
'detail': 'Success! We sent you instructions on how to set your password.'
})
login_url = self.request.build_absolute_uri(reverse('v1:login'))
return Response({
'detail': f'Success! Please log in at {login_url}.'
})
def _finalize_with_domain(self, domain):
if domain.is_locally_registrable:
# TODO the following line raises Domain.DoesNotExist under unknown conditions
PDNSChangeTracker.track(lambda: DomainViewSet.auto_delegate(domain))
token = models.Token.objects.create(user=domain.owner, name='dyndns')
return Response({
'detail': 'Success! Here is the password ("token") to configure your router (or any other dynDNS '
'client). This password is different from your account password for security reasons.',
'domain': serializers.DomainSerializer(domain).data,
**serializers.TokenSerializer(token, include_plain=True).data,
})
else:
return Response({
'detail': 'Success! Please check the docs for the next steps, https://desec.readthedocs.io/.',
'domain': serializers.DomainSerializer(domain, include_keys=True).data,
})
class AuthenticatedChangeEmailUserActionView(AuthenticatedActionView):
html_url = '/confirm/change-email/{code}/'
serializer_class = serializers.AuthenticatedChangeEmailUserActionSerializer
def finalize(self):
return Response({
'detail': f'Success! Your email address has been changed to {self.action.user.email}.'
})
class AuthenticatedResetPasswordUserActionView(AuthenticatedActionView):
html_url = '/confirm/reset-password/{code}/'
serializer_class = serializers.AuthenticatedResetPasswordUserActionSerializer
def finalize(self):
login_url = self.request.build_absolute_uri(reverse('v1:login'))
return Response({'detail': f'Success! Your password has been changed. Log in at {login_url}.'})
class AuthenticatedDeleteUserActionView(AuthenticatedActionView):
html_url = '/confirm/delete-account/{code}/'
serializer_class = serializers.AuthenticatedDeleteUserActionSerializer
def post(self, request, *args, **kwargs):
if self.request.user.domains.exists():
return AccountDeleteView.response_still_has_domains
return super().post(request, *args, **kwargs)
def finalize(self):
return Response({'detail': 'All your data has been deleted. Bye bye, see you soon! <3'})
class CaptchaView(generics.CreateAPIView):
serializer_class = serializers.CaptchaSerializer
throttle_scope = 'account_management_passive'
