Grant service access by permissions (#692)

* Add service access permissions and migration

`ENABLE_AUTH_<servicename> = True` will have the new permission applied
to the settings configured `DEFAULT_AUTH_GROUP` group or `Member` if
none is configured.

`ENABLE_BLUE_<servicename> = True` will have the new permission applied
to the settings configured `DEFAULT_BLUE_GROUP` group or `Blue` if none
is configured.

* Move views and hooks to permissions based access

* Remove access restriction to services view

Hypothetically non-member/blues could be granted permission to access
services manually as desired now. A user that has no permissions to
access any services will see a blank services list.

* Remove obsolete service settings

* Remove references to obsolete settings

* Adjusted tests to support permissions based access

* Fix incorrectly named permissions

* Add simple get_services generator function

* Added signals for user and groups perm changes

* Update validate_services to support permissions

deactivate_services removed as its surplus to requirements.

* Removed state parameter from validate_services calls

* Update tests to support signals changes

* Fix incorrect call to validate_services task

* Fix validate_services and test

* Add validate_user to changed user groups signal

* Added tests for new signals

* Remove unnecessary post_add signals

* Added documentation for service permissions

* Added detection for members with service active

If there are any service users in the Member or Blue groups active, then
the permission will be added to the respective Member or Blue group.
This means its no longer necessary to maintain the service enablesettings to migrate to permissions based service.

Remove obsolete state based status checking

services/modules/teamspeak3/auth_hooks.py

@@ -20,6 +20,7 @@ class Teamspeak3Service(ServicesHook):
         self.name = 'teamspeak3'
         self.urlpatterns = urlpatterns
         self.service_ctrl_template = 'registered/teamspeak3_service_ctrl.html'
+        self.access_perm = 'teamspeak3.access_teamspeak3'
 
     def delete_user(self, user, notify_user=False):
         logger.debug('Deleting user %s %s account' % (user, self.name))
@@ -38,11 +39,8 @@ class Teamspeak3Service(ServicesHook):
         logger.debug('Update all %s groups called' % self.name)
         Teamspeak3Tasks.update_all_groups.delay()
 
-    def service_enabled_members(self):
-        return settings.ENABLE_AUTH_TEAMSPEAK3 or False
-
-    def service_enabled_blues(self):
-        return settings.ENABLE_BLUE_TEAMSPEAK3 or False
+    def service_active_for_user(self, user):
+        return user.has_perm(self.access_perm)
 
     def render_services_ctrl(self, request):
         authinfo = {'teamspeak3_uid': '',

services/modules/teamspeak3/migrations/0004_service_permissions.py

@@ -0,0 +1,61 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.10.5 on 2017-02-02 05:59
+from __future__ import unicode_literals
+
+from django.db import migrations
+from django.conf import settings
+from django.core.exceptions import ObjectDoesNotExist
+from django.contrib.auth.management import create_permissions
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def migrate_service_enabled(apps, schema_editor):
+    for app_config in apps.get_app_configs():
+        app_config.models_module = True
+        create_permissions(app_config, apps=apps, verbosity=0)
+        app_config.models_module = None
+
+    Group = apps.get_model("auth", "Group")
+    Permission = apps.get_model("auth", "Permission")
+    Teamspeak3User = apps.get_model("teamspeak3", "Teamspeak3User")
+
+    perm = Permission.objects.get(codename='access_teamspeak3')
+
+    member_group_name = getattr(settings, str('DEFAULT_AUTH_GROUP'), 'Member')
+    blue_group_name = getattr(settings, str('DEFAULT_BLUE_GROUP'), 'Blue')
+
+    # Migrate members
+    if Teamspeak3User.objects.filter(user__groups__name=member_group_name).exists() or \
+            getattr(settings, str('ENABLE_AUTH_TEAMSPEAK3'), False):
+        try:
+            group = Group.objects.get(name=member_group_name)
+            group.permissions.add(perm)
+        except ObjectDoesNotExist:
+            logger.warning('Failed to migrate ENABLE_AUTH_TEAMSPEAK3 setting')
+
+    # Migrate blues
+    if Teamspeak3User.objects.filter(user__groups__name=blue_group_name).exists() or \
+            getattr(settings, str('ENABLE_BLUE_TEAMSPEAK3'), False):
+        try:
+            group = Group.objects.get(name=blue_group_name)
+            group.permissions.add(perm)
+        except ObjectDoesNotExist:
+            logger.warning('Failed to migrate ENABLE_BLUE_TEAMSPEAK3 setting')
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('teamspeak3', '0003_teamspeak3user'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='teamspeak3user',
+            options={'permissions': (('access_teamspeak3', 'Can access the Teamspeak3 service'),)},
+        ),
+        migrations.RunPython(migrate_service_enabled),
+    ]

services/modules/teamspeak3/models.py

@@ -15,6 +15,11 @@ class Teamspeak3User(models.Model):
     def __str__(self):
         return self.uid
 
+    class Meta:
+        permissions = (
+            ("access_teamspeak3", u"Can access the Teamspeak3 service"),
+        )
+
 
 @python_2_unicode_compatible
 class TSgroup(models.Model):

services/modules/teamspeak3/tasks.py

@@ -42,18 +42,11 @@ class Teamspeak3Tasks:
     @staticmethod
     @app.task()
     def run_ts3_group_update():
-        if settings.ENABLE_AUTH_TEAMSPEAK3 or settings.ENABLE_BLUE_TEAMSPEAK3:
-            logger.debug("TS3 installed. Syncing local group objects.")
-            Teamspeak3Manager._sync_ts_group_db()
+        logger.debug("TS3 installed. Syncing local group objects.")
+        Teamspeak3Manager._sync_ts_group_db()
 
     @staticmethod
     def disable():
-        if settings.ENABLE_AUTH_TEAMSPEAK3:
-            logger.warn(
-                "ENABLE_AUTH_TEAMSPEAK3 still True, after disabling users will still be able to create teamspeak accounts")
-        if settings.ENABLE_BLUE_TEAMSPEAK3:
-            logger.warn(
-                "ENABLE_BLUE_TEAMSPEAK3 still True, after disabling blues will still be able to create teamspeak accounts")
         logger.info("Deleting all Teamspeak3Users")
         Teamspeak3User.objects.all().delete()
         logger.info("Deleting all UserTSgroup models")

services/modules/teamspeak3/tests.py

@@ -10,7 +10,7 @@ except ImportError:
 from django.test import TestCase, RequestFactory
 from django.conf import settings
 from django import urls
-from django.contrib.auth.models import User, Group
+from django.contrib.auth.models import User, Group, Permission
 from django.core.exceptions import ObjectDoesNotExist
 from django.db.models import signals
 
@@ -24,6 +24,13 @@ from .signals import m2m_changed_authts_group, post_save_authts, post_delete_aut
 MODULE_PATH = 'services.modules.teamspeak3'
 
 
+def add_permissions():
+    permission = Permission.objects.get(codename='access_teamspeak3')
+    members = Group.objects.get(name=settings.DEFAULT_AUTH_GROUP)
+    blues = Group.objects.get(name=settings.DEFAULT_BLUE_GROUP)
+    AuthUtils.add_permissions_to_groups([permission], [members, blues])
+
+
 class Teamspeak3HooksTestCase(TestCase):
     def setUp(self):
         # Inert signals before setup begins
@@ -46,6 +53,7 @@ class Teamspeak3HooksTestCase(TestCase):
             m2m_blue_group.ts_group.add(ts_blue_group)
             m2m_blue_group.save()
             self.service = Teamspeak3Service
+            add_permissions()
 
     def test_has_account(self):
         member = User.objects.get(username=self.member)
@@ -60,11 +68,9 @@ class Teamspeak3HooksTestCase(TestCase):
         member = User.objects.get(username=self.member)
         blue = User.objects.get(username=self.blue)
         none_user = User.objects.get(username=self.none_user)
-        self.assertTrue(service.service_enabled_members())
-        self.assertTrue(service.service_enabled_blues())
 
-        self.assertEqual(service.service_active_for_user(member), settings.ENABLE_AUTH_TEAMSPEAK3)
-        self.assertEqual(service.service_active_for_user(blue), settings.ENABLE_BLUE_TEAMSPEAK3)
+        self.assertTrue(service.service_active_for_user(member))
+        self.assertTrue(service.service_active_for_user(blue))
         self.assertFalse(service.service_active_for_user(none_user))
 
     @mock.patch(MODULE_PATH + '.tasks.Teamspeak3Manager')
@@ -164,6 +170,7 @@ class Teamspeak3ViewsTestCase(TestCase):
             m2m_blue = AuthTS.objects.create(auth_group=Group.objects.get(name='Blue'))
             m2m_blue.ts_group.add(ts_blue_group)
             m2m_blue.save()
+            add_permissions()
 
     def login(self, user=None, password=None):
         if user is None:

services/modules/teamspeak3/views.py

@@ -1,10 +1,9 @@
 import logging
 
 from django.contrib import messages
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.shortcuts import render, redirect
 
-from authentication.decorators import members_and_blues
 from authentication.states import BLUE_STATE
 from authentication.models import AuthServicesInfo
 from eveonline.managers import EveManager
@@ -18,9 +17,11 @@ from .models import Teamspeak3User
 
 logger = logging.getLogger(__name__)
 
+ACCESS_PERM = 'teamspeak3.access_teamspeak3'
+
 
 @login_required
-@members_and_blues()
+@permission_required(ACCESS_PERM)
 def activate_teamspeak3(request):
     logger.debug("activate_teamspeak3 called by user %s" % request.user)
 
@@ -52,7 +53,7 @@ def activate_teamspeak3(request):
 
 
 @login_required
-@members_and_blues()
+@permission_required(ACCESS_PERM)
 def verify_teamspeak3(request):
     logger.debug("verify_teamspeak3 called by user %s" % request.user)
     if not Teamspeak3Tasks.has_account(request.user):
@@ -75,7 +76,7 @@ def verify_teamspeak3(request):
 
 
 @login_required
-@members_and_blues()
+@permission_required(ACCESS_PERM)
 def deactivate_teamspeak3(request):
     logger.debug("deactivate_teamspeak3 called by user %s" % request.user)
     if Teamspeak3Tasks.has_account(request.user) and Teamspeak3Tasks.delete_user(request.user):
@@ -87,7 +88,7 @@ def deactivate_teamspeak3(request):
 
 
 @login_required
-@members_and_blues()
+@permission_required(ACCESS_PERM)
 def reset_teamspeak3_perm(request):
     logger.debug("reset_teamspeak3_perm called by user %s" % request.user)
     if not Teamspeak3Tasks.has_account(request.user):