Project creation and update API and diyexperiment logic

private_sharing/api_authentication.py

@@ -1,9 +1,15 @@
+from datetime import timedelta
+
 import arrow
 
 from django.contrib.auth import get_user_model
+from django.utils import timezone
 
-from oauth2_provider.models import AccessToken
 from oauth2_provider.contrib.rest_framework import OAuth2Authentication
+from oauth2_provider.models import AccessToken, RefreshToken
+from oauth2_provider.settings import oauth2_settings
+
+from oauthlib import common as oauth2lib_common
 
 from rest_framework import exceptions
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
@@ -13,6 +19,36 @@
 UserModel = get_user_model()
 
 
+def make_oauth2_tokens(project, user):
+ """
+ Returns a tuple, an AccessToken object and a RefreshToken object given a project and a user.
+ :param project: An oath2 project
+ :param user: The user for the access token and refresh token
+ If project is not a valid oauth2datarequestproject, returns None
+ """
+ if not project.__class__ == OAuth2DataRequestProject:
+ return None
+ expires = timezone.now() + timedelta(
+ seconds=oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS
+ )
+ access_token = AccessToken(
+ user=user,
+ scope="",
+ expires=expires,
+ token=oauth2lib_common.generate_token(),
+ application=project.application,
+ )
+ access_token.save()
+ refresh_token = RefreshToken(
+ user=user,
+ token=oauth2lib_common.generate_token(),
+ application=project.application,
+ access_token=access_token,
+ )
+ refresh_token.save()
+ return (access_token, refresh_token)
+
+
 class MasterTokenAuthentication(BaseAuthentication):
  """
  Master token based authentication.

private_sharing/api_permissions.py

@@ -8,3 +8,21 @@ class HasValidProjectToken(BasePermission):
 
  def has_permission(self, request, view):
  return bool(request.auth)
+
+
+class CanProjectAccessData(BasePermission):
+ """
+ Return true if any of the following conditions are met:
+ On Site project
+ Approved OAuth2 project
+ UnApproved OAuth2 project with diyexperiment=False
+ """
+
+ def has_permission(self, request, view):
+ if hasattr(request.auth, "onsitedatarequestproject"):
+ return True
+ if request.auth.approved == True:
+ return True
+ if request.auth.oauth2datarequestproject.diyexperiment == False:
+ return True
+ return False

private_sharing/api_urls.py

@@ -24,6 +24,8 @@
  "project/files/upload/complete/",
  api_views.ProjectFileDirectUploadCompletionView.as_view(),
  ),
+ path("project/oauth2/create/", api_views.ProjectCreateAPIView.as_view()),
+ path("project/oauth2/update/", api_views.ProjectUpdateAPIView.as_view()),
 ]
 
 urlpatterns = format_suffix_patterns(urlpatterns)

private_sharing/api_views.py

@@ -18,9 +18,13 @@
 from data_import.serializers import DataFileSerializer
 from data_import.utils import get_upload_path
 
-from .api_authentication import CustomOAuth2Authentication, MasterTokenAuthentication
+from .api_authentication import (
+ make_oauth2_tokens,
+ CustomOAuth2Authentication,
+ MasterTokenAuthentication,
+)
 from .api_filter_backends import ProjectFilterBackend
-from .api_permissions import HasValidProjectToken
+from .api_permissions import CanProjectAccessData, HasValidProjectToken
 from .forms import (
  DeleteDataFileForm,
  DirectUploadDataFileForm,
@@ -35,11 +39,27 @@
  OAuth2DataRequestProject,
  ProjectDataFile,
 )
-from .serializers import ProjectDataSerializer, ProjectMemberDataSerializer
+from .serializers import (
+ ProjectAPISerializer,
+ ProjectDataSerializer,
+ ProjectMemberDataSerializer,
+)
 
 UserModel = get_user_model()
 
 
+def get_oauth2_member(request):
+ """
+ Return project member if auth by OAuth2 user access token, else None.
+ """
+ if request.auth.__class__ == OAuth2DataRequestProject:
+ proj_member = DataRequestProjectMember.objects.get(
+ member=request.user.member, project=request.auth
+ )
+ return proj_member
+ return None
+
+
 class ProjectAPIView(NeverCacheMixin):
  """
  The base class for all Project-related API views.
@@ -49,15 +69,7 @@ class ProjectAPIView(NeverCacheMixin):
  permission_classes = (HasValidProjectToken,)
 
  def get_oauth2_member(self):
- """
- Return project member if auth by OAuth2 user access token, else None.
- """
- if self.request.auth.__class__ == OAuth2DataRequestProject:
- proj_member = DataRequestProjectMember.objects.get(
- member=self.request.user.member, project=self.request.auth
- )
- return proj_member
- return None
+ return get_oauth2_member(self.request)
 
 
 class ProjectDetailView(ProjectAPIView, RetrieveAPIView):
@@ -99,6 +111,16 @@ class ProjectMemberExchangeView(NeverCacheMixin, ListAPIView):
  max_limit = 200
  default_limit = 100
 
+ def diy_approved(self):
+ """
+ Returns false if diyexperiment is set to True and approved is set to false,
+ otherwise returns True
+ """
+ if hasattr(self.obj.project, "oauth2datarequestproject"):
+ if self.obj.project.oauth2datarequestproject.diyexperiment:
+ return self.obj.project.approved
+ return True
+
  def get_object(self):
  """
  Get the project member related to the access_token.
@@ -117,6 +139,9 @@ def get_object(self):
  project_member = DataRequestProjectMember.objects.filter(
  project_member_id=project_member_id, project=self.request.auth
  )
+ else:
+ # We hit some weirdness if you inadvertantly use the master access token
+ project_member = DataRequestProjectMember.objects.none()
  if project_member.count() == 1:
  return project_member.get()
  # No or invalid project_member_id provided
@@ -134,7 +159,7 @@ def get_username(self):
  """
  Only return the username if the user has shared it with the project.
  """
- if self.obj.username_shared:
+ if self.obj.username_shared and self.diy_approved():
  return self.obj.member.user.username
 
  return None
@@ -144,6 +169,11 @@ def get_queryset(self):
  Get the queryset of DataFiles that belong to a member in a project
  """
  self.obj = self.get_object()
+
+ # If this is an unapproved DIY project, we need to not return anything
+ if not self.diy_approved():
+ return DataFile.objects.none()
+
  self.request.public_sources = list(
  self.obj.member.public_data_participant.publicdataaccess_set.filter(
  is_public=True
@@ -185,6 +215,7 @@ class ProjectMemberDataView(ProjectListView):
  """
 
  authentication_classes = (MasterTokenAuthentication,)
+ permission_classes = (CanProjectAccessData,)
  serializer_class = ProjectMemberDataSerializer
  max_limit = 20
  default_limit = 10
@@ -458,3 +489,102 @@ def post(self, request):
  data_file.delete()
 
  return Response({"ids": ids}, status=status.HTTP_200_OK)
+
+
+class ProjectCreateAPIView(APIView):
+ """
+ Create a project via API
+
+ Accepts project name, description, and redirect_url as (required) inputs
+
+ The other required fields are auto-populated:
+ is_study: set to False
+ leader: set to member.name from oauth2 token
+ coordinator: get from oauth2 token
+ is_academic_or_nonprofit: False
+ add_data: false
+ explore_share: false
+ short_description: first 139 chars of long_description plus an ellipsis
+ active: True
+ """
+
+ authentication_classes = (CustomOAuth2Authentication,)
+ permission_classes = (HasValidProjectToken,)
+
+ def get_short_description(self, long_description):
+ """
+ Return first 139 chars of long_description plus an elipse.
+ """
+ if len(long_description) > 140:
+ return "{0}…".format(long_description[0:139])
+ return long_description
+
+ def post(self, request):
+ """
+ Take incoming json and create a project from it
+ """
+ member = get_oauth2_member(request).member
+ serializer = ProjectAPISerializer(data=request.data)
+ if serializer.is_valid():
+ coordinator_join = serializer.validated_data.get("coordinator_join", False)
+ project = serializer.save(
+ is_study=False,
+ is_academic_or_nonprofit=False,
+ add_data=False,
+ explore_share=False,
+ active=True,
+ short_description=self.get_short_description(
+ serializer.validated_data["long_description"]
+ ),
+ coordinator=member,
+ leader=member.name,
+ request_username_access=False,
+ diyexperiment=True,
+ )
+ project.save()
+
+ # Coordinator join project
+ if coordinator_join:
+ project_member = project.project_members.create(member=member)
+ project_member.joined = True
+ project_member.authorized = True
+ project_member.save()
+
+ # Serialize project data for response
+ # Copy data dict so that we can easily append fields
+ serialized_project = ProjectDataSerializer(project).data
+
+ # append tokens to the serialized_project data
+ serialized_project["client_id"] = project.application.client_id
+ serialized_project["client_secret"] = project.application.client_secret
+
+ if coordinator_join:
+ access_token, refresh_token = make_oauth2_tokens(project, member.user)
+ serialized_project["coordinator_access_token"] = access_token.token
+ serialized_project["coordinator_refresh_token"] = refresh_token.token
+
+ return Response(serialized_project, status=status.HTTP_201_CREATED)
+
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+
+class ProjectUpdateAPIView(APIView):
+ """
+ API Endpoint to update a project.
+ """
+
+ authentication_classes = (CustomOAuth2Authentication,)
+ permission_classes = (HasValidProjectToken,)
+
+ def post(self, request):
+ """
+ Take incoming json and update a project from it
+ """
+ project = OAuth2DataRequestProject.objects.get(pk=self.request.auth.pk)
+ serializer = ProjectAPISerializer(project, data=request.data)
+ if serializer.is_valid():
+ # serializer.save() returns the modified object, but it is not written
+ # to the database, hence the second save()
+ serializer.save().save()
+ return Response(serializer.validated_data, status=status.HTTP_200_OK)
+ return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

private_sharing/migrations/0022_oauth2datarequestproject_diyexperiment.py

@@ -0,0 +1,16 @@
+# Generated by Django 2.2 on 2019-04-23 20:01
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [("private_sharing", "0021_auto_20190412_1908")]
+
+ operations = [
+ migrations.AddField(
+ model_name="oauth2datarequestproject",
+ name="diyexperiment",
+ field=models.BooleanField(default=False),
+ )
+ ]

private_sharing/models.py

@@ -408,6 +408,8 @@ class Meta: # noqa: D101
  verbose_name="Deauthorization Webhook URL",
  )
 
+ diyexperiment = models.BooleanField(default=False)
+
  def save(self, *args, **kwargs):
  if hasattr(self, "application"):
  application = self.application

private_sharing/serializers.py

@@ -3,10 +3,14 @@
 from rest_framework import serializers
 
 from common.utils import full_url
-from data_import.models import DataFile, DataType
+from data_import.models import DataFile
 from data_import.serializers import DataFileSerializer
 
-from .models import DataRequestProject, DataRequestProjectMember
+from .models import (
+ DataRequestProject,
+ DataRequestProjectMember,
+ OAuth2DataRequestProject,
+)
 
 
 class ProjectDataSerializer(serializers.ModelSerializer):
@@ -156,3 +160,49 @@ def to_representation(self, obj):
  rep.pop("username")
 
  return rep
+
+
+class ProjectAPISerializer(serializers.Serializer):
+ """
+ Fields that we should be getting through the API:
+ name
+ long_description
+ redirect_url
+
+ Remainder of required fields; these are set at save() in the view.
+ is_study: set to False
+ leader: set to member.name from oauth2 token
+ coordinator: get from oauth2 token
+ is_academic_or_nonprofit: False
+ add_data: false
+ explore_share: false
+ short_description: first 139 chars of long_description plus an elipse
+ active: True
+ coordinator: from oauth2 token
+ """
+
+ id = serializers.IntegerField(required=False)
+ name = serializers.CharField(max_length=100)
+ long_description = serializers.CharField(max_length=1000)
+ redirect_url = serializers.URLField()
+ diyexperiment = serializers.BooleanField(required=False)
+ coordinator_join = serializers.BooleanField(default=False, required=False)
+
+ def create(self, validated_data):
+ """
+ Returns a new OAuth2DataRequestProject
+ """
+ # Remove coordinator_join field as that doesn't actually exist in the model
+ validated_data.pop("coordinator_join")
+ return OAuth2DataRequestProject.objects.create(**validated_data)
+
+ def update(self, instance, validated_data):
+ """
+ Updates existing OAuth2DataRequestProject
+ """
+
+ for key, value in validated_data.items():
+ if hasattr(instance, key):
+ setattr(instance, key, value)
+
+ return instance