# -*- coding: utf-8 -*- # from django.utils.translation import ugettext_lazy as _ from rest_framework import serializers from common.utils import validate_ssh_public_key from common.mixins import BulkSerializerMixin from common.serializers import AdaptedBulkListSerializer from common.permissions import CanUpdateDeleteUser from ..models import User __all__ = [ 'UserSerializer', 'UserPKUpdateSerializer', 'ChangeUserPasswordSerializer', 'ResetOTPSerializer', 'UserProfileSerializer', 'UserDisplaySerializer', ] class UserOrgSerializer(serializers.Serializer): id = serializers.CharField() name = serializers.CharField() class UserSerializer(BulkSerializerMixin, serializers.ModelSerializer): EMAIL_SET_PASSWORD = _('Reset link will be generated and sent to the user') CUSTOM_PASSWORD = _('Set password') PASSWORD_STRATEGY_CHOICES = ( (0, EMAIL_SET_PASSWORD), (1, CUSTOM_PASSWORD) ) password_strategy = serializers.ChoiceField( choices=PASSWORD_STRATEGY_CHOICES, required=True, initial=0, label=_('Password strategy'), write_only=True ) class Meta: model = User list_serializer_class = AdaptedBulkListSerializer fields = [ 'id', 'name', 'username', 'password', 'email', 'public_key', 'groups', 'role', 'wechat', 'phone', 'mfa_level', 'comment', 'source', 'is_valid', 'is_expired', 'is_active', 'created_by', 'is_first_login', 'password_strategy', 'date_password_last_updated', 'date_expired', 'avatar_url', ] extra_kwargs = { 'password': {'write_only': True, 'required': False, 'allow_null': True, 'allow_blank': True}, 'public_key': {'write_only': True}, 'is_first_login': {'label': _('Is first login'), 'read_only': True}, 'is_valid': {'label': _('Is valid')}, 'is_expired': {'label': _('Is expired')}, 'avatar_url': {'label': _('Avatar url')}, 'created_by': {'read_only': True, 'allow_blank': True}, } def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.set_role_choices() def set_role_choices(self): role = self.fields['role'] choices = role.choices choices.pop('App', None) role.choices = choices def validate_role(self, value): request = self.context.get('request') if not request.user.is_superuser and value != User.ROLE_USER: role_display = dict(User.ROLE_CHOICES)[User.ROLE_USER] msg = _("Role limit to {}".format(role_display)) raise serializers.ValidationError(msg) return value def validate_password(self, password): from ..utils import check_password_rules password_strategy = self.initial_data.get('password_strategy') if password_strategy == '0': return if password_strategy is None and not password: return if not check_password_rules(password): msg = _('Password does not match security rules') raise serializers.ValidationError(msg) return password def validate_groups(self, groups): role = self.initial_data.get('role') if self.instance: role = role or self.instance.role if role == User.ROLE_AUDITOR: return [] return groups @staticmethod def change_password_to_raw(attrs): password = attrs.pop('password', None) if password: attrs['password_raw'] = password return attrs @staticmethod def clean_auth_fields(attrs): for field in ('password', 'public_key'): value = attrs.get(field) if not value: attrs.pop(field, None) return attrs def validate(self, attrs): attrs = self.change_password_to_raw(attrs) attrs = self.clean_auth_fields(attrs) attrs.pop('password_strategy', None) return attrs class UserDisplaySerializer(UserSerializer): can_update = serializers.SerializerMethodField() can_delete = serializers.SerializerMethodField() class Meta(UserSerializer.Meta): fields = UserSerializer.Meta.fields + [ 'groups_display', 'role_display', 'source_display', 'can_update', 'can_delete', ] def get_can_update(self, obj): return CanUpdateDeleteUser.has_update_object_permission( self.context['request'], self.context['view'], obj ) def get_can_delete(self, obj): return CanUpdateDeleteUser.has_delete_object_permission( self.context['request'], self.context['view'], obj ) def get_extra_kwargs(self): kwargs = super().get_extra_kwargs() kwargs.update({ 'can_update': {'read_only': True}, 'can_delete': {'read_only': True}, 'groups_display': {'label': _('Groups name')}, 'source_display': {'label': _('Source name')}, 'role_display': {'label': _('Role name')}, }) return kwargs class UserPKUpdateSerializer(serializers.ModelSerializer): class Meta: model = User fields = ['id', 'public_key'] @staticmethod def validate_public_key(value): if not validate_ssh_public_key(value): raise serializers.ValidationError(_('Not a valid ssh public key')) return value class ChangeUserPasswordSerializer(serializers.ModelSerializer): class Meta: model = User fields = ['password'] class ResetOTPSerializer(serializers.Serializer): msg = serializers.CharField(read_only=True) def create(self, validated_data): pass def update(self, instance, validated_data): pass class UserProfileSerializer(serializers.ModelSerializer): admin_orgs = UserOrgSerializer(many=True, read_only=True) class Meta: model = User fields = [ 'id', 'name', 'username', 'email', 'role', 'wechat', 'phone', 'mfa_level', 'comment', 'source', 'is_valid', 'is_expired', 'is_active', 'created_by', 'is_first_login', 'date_password_last_updated', 'date_expired', 'avatar_url', 'groups', 'admin_orgs', ]