desec-io · peterthomassen · Dec 18, 2024 · Nov 25, 2024 · Dec 7, 2024 · Dec 13, 2024
diff --git a/api/desecapi/migrations/0042_rename_user_token_owner_token_user_override_and_more.py b/api/desecapi/migrations/0042_rename_user_token_owner_token_user_override_and_more.py
@@ -0,0 +1,151 @@
+# Generated by Django 5.1.3 on 2024-11-25 19:53
+
+import django.db.models.deletion
+import django.db.models.functions.comparison
+import pgtrigger.compiler
+import pgtrigger.migrations
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("desecapi", "0041_remove_token_token_auto_policy_and_more"),
+    ]
+
+    operations = [
+        migrations.RunSQL(
+            sql="ALTER TABLE desecapi_tokendomainpolicy DROP CONSTRAINT desecapi_tokendomainpolicy_token_id_token_user_id_fkey RESTRICT;",
+            reverse_sql="ALTER TABLE desecapi_tokendomainpolicy ADD FOREIGN KEY ( token_id, token_user_id ) REFERENCES desecapi_token ( id, user_id );",
+        ),
+        migrations.RemoveConstraint(
+            model_name="token",
+            name="unique_id_user",
+        ),
+        migrations.AlterField(
+            model_name="token",
+            name="user",
+            field=models.UUIDField(),
+        ),
+        migrations.RenameField(
+            model_name="token",
+            old_name="user",
+            new_name="owner",
+        ),
+        migrations.AlterField(
+            model_name="token",
+            name="owner",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="+",
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.AddField(
+            model_name="token",
+            name="user_override",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="+",
+                to=settings.AUTH_USER_MODEL,
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="token",
+            constraint=models.CheckConstraint(
+                condition=models.Q(
+                    ("user_override__isnull", True),
+                    models.Q(
+                        ("mfa__isnull", True),
+                        ("perm_manage_tokens", False),
+                        models.Q(("user_override", models.F("owner")), _negated=True),
+                    ),
+                    _connector="OR",
+                ),
+                name="user_override_conditions",
+            ),
+        ),
+        migrations.AddField(
+            model_name="token",
+            name="user_id",
+            field=models.GeneratedField(
+                db_index=True,
+                db_persist=True,
+                expression=django.db.models.functions.comparison.Coalesce(
+                    "user_override", "owner"
+                ),
+                output_field=models.UUIDField(),
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="token",
+            constraint=models.UniqueConstraint(
+                fields=("id", "user_id"), name="unique_id_user"
+            ),
+        ),
+        migrations.RunSQL(
+            sql="ALTER TABLE desecapi_tokendomainpolicy ADD FOREIGN KEY ( token_id, token_user_id ) REFERENCES desecapi_token ( id, user_id ) DEFERRABLE INITIALLY DEFERRED;",
+            reverse_sql="ALTER TABLE desecapi_tokendomainpolicy DROP CONSTRAINT desecapi_tokendomainpolicy_token_id_token_user_id_fkey RESTRICT;",
+        ),
+        migrations.AddField(
+            model_name="token",
+            name="user",
+            field=models.ForeignObject(
+                from_fields=["user_id"],
+                null=True,
+                on_delete=django.db.models.deletion.CASCADE,
+                related_name="token_set",
+                to=settings.AUTH_USER_MODEL,
+                to_fields=["id"],
+            ),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name="token",
+            trigger=pgtrigger.compiler.Trigger(
+                name="token_policy_user_id",
+                sql=pgtrigger.compiler.UpsertTriggerSql(
+                    condition='WHEN (OLD."user_id" IS DISTINCT FROM (NEW."user_id"))',
+                    func="\n                    IF\n                        OLD.user_override_id IS NOT NULL\n                    THEN\n                        RAISE EXCEPTION 'Cannot alter Token.user_override_id once set. (token.id=%)', NEW.id;\n                    END IF;\n                    UPDATE desecapi_tokendomainpolicy SET token_user_id = NEW.user_id WHERE token_id = NEW.id;\n                    RETURN NULL;\n                ",
+                    hash="a35df14f79206d73314376dd33ce217359b8f3dc",
+                    operation='UPDATE OF "user_id"',
+                    pgid="pgtrigger_token_policy_user_id_c0a5d",
+                    table="desecapi_token",
+                    when="AFTER",
+                ),
+            ),
+        ),
+        pgtrigger.migrations.RemoveTrigger(
+            model_name="tokendomainpolicy",
+            name="token_user",
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name="tokendomainpolicy",
+            trigger=pgtrigger.compiler.Trigger(
+                name="token_user_insert",
+                sql=pgtrigger.compiler.UpsertTriggerSql(
+                    func="NEW.token_user_id = (SELECT user_id FROM desecapi_token WHERE id = NEW.token_id); RETURN NEW;",
+                    hash="37cd6136f62cfc0209565c771a1fc1b1e789ed4b",
+                    operation="INSERT",
+                    pgid="pgtrigger_token_user_insert_619b2",
+                    table="desecapi_tokendomainpolicy",
+                    when="BEFORE",
+                ),
+            ),
+        ),
+        pgtrigger.migrations.AddTrigger(
+            model_name="tokendomainpolicy",
+            trigger=pgtrigger.compiler.Trigger(
+                name="token_user_update",
+                sql=pgtrigger.compiler.UpsertTriggerSql(
+                    func="\n                    IF\n                        NEW.token_user_id != (SELECT user_id FROM desecapi_token WHERE id = NEW.token_id)\n                    THEN\n                        RAISE EXCEPTION 'Invalid token_user_id: %', NEW.token_user_id;\n                    END IF;\n                    RETURN NEW;\n                ",
+                    hash="f385209f06beb1f0d38376b6223721efd02baf73",
+                    operation='UPDATE OF "token_user_id"',
+                    pgid="pgtrigger_token_user_update_7ff54",
+                    table="desecapi_tokendomainpolicy",
+                    when="BEFORE",
+                ),
+            ),
+        ),
+    ]
diff --git a/api/desecapi/migrations/0043_authenticatedactivateuserwithoverridetokenaction.py b/api/desecapi/migrations/0043_authenticatedactivateuserwithoverridetokenaction.py
@@ -0,0 +1,35 @@
+# Generated by Django 5.1.4 on 2024-12-17 15:30
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("desecapi", "0042_rename_user_token_owner_token_user_override_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthenticatedActivateUserWithOverrideTokenAction",
+            fields=[
+                (
+                    "authenticateduseraction_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="desecapi.authenticateduseraction",
+                    ),
+                ),
+                ("outreach_preference", models.BooleanField(default=True)),
+            ],
+            options={
+                "managed": False,
+            },
+            bases=("desecapi.authenticateduseraction",),
+        ),
+    ]
diff --git a/api/desecapi/migrations/0044_alter_captcha_created_alter_domain_renewal_state_and_more.py b/api/desecapi/migrations/0044_alter_captcha_created_alter_domain_renewal_state_and_more.py
@@ -0,0 +1,38 @@
+# Generated by Django 5.1.4 on 2024-12-17 15:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("desecapi", "0043_authenticatedactivateuserwithoverridetokenaction"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="captcha",
+            name="created",
+            field=models.DateTimeField(auto_now_add=True, db_index=True),
+        ),
+        migrations.AlterField(
+            model_name="domain",
+            name="renewal_state",
+            field=models.IntegerField(
+                choices=[(0, "Immortal"), (1, "Fresh"), (2, "Notified"), (3, "Warned")],
+                db_index=True,
+                default=0,
+            ),
+        ),
+        migrations.AlterField(
+            model_name="user",
+            name="is_active",
+            field=models.BooleanField(db_index=True, default=True, null=True),
+        ),
+        migrations.AddIndex(
+            model_name="user",
+            index=models.Index(
+                fields=["last_login"], name="desecapi_us_last_lo_3b1092_idx"
+            ),
+        ),
+    ]
diff --git a/api/desecapi/models/authenticated_actions.py b/api/desecapi/models/authenticated_actions.py
@@ -171,6 +171,35 @@ def _act(self):
         self.user.activate()
 
 
+class AuthenticatedActivateUserWithOverrideTokenAction(AuthenticatedUserAction):
+    outreach_preference = models.BooleanField(default=True)
+    token = models.ForeignKey("Token", on_delete=models.DO_NOTHING, related_name="+")
+
+    class Meta:
+        managed = False
+
+    @property
+    def _state_fields(self):
+        # State does not cover self.token.tokendomainpolicy_set for now
+        return super()._state_fields + [
+            str(self.token.id),
+            str(self.token.user.id),
+            self.token.user_override and str(self.token.user_override.id),
+            self.token.name,
+            self.token.perm_create_domain,
+            self.token.perm_delete_domain,
+            self.token.auto_policy,
+            self.token.max_age,
+            self.token.max_unused_period,
+        ]
+
+    def _act(self):
+        self.user.outreach_preference = self.outreach_preference
+        self.user.activate()
+        self.token.user_override = self.user
+        self.token.save()
+
+
 class AuthenticatedChangeEmailUserAction(AuthenticatedUserAction):
     new_email = models.EmailField()
 

diff --git a/api/desecapi/models/captcha.py b/api/desecapi/models/captcha.py
@@ -35,7 +35,7 @@ class Kind(models.TextChoices):
         AUDIO = "audio"
 
     id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
-    created = models.DateTimeField(auto_now_add=True)
+    created = models.DateTimeField(auto_now_add=True, db_index=True)
     content = models.CharField(max_length=24, default="")
     kind = models.CharField(choices=Kind.choices, default=Kind.IMAGE, max_length=24)
 

diff --git a/api/desecapi/models/domains.py b/api/desecapi/models/domains.py
@@ -60,7 +60,7 @@ class RenewalState(models.IntegerChoices):
     published = models.DateTimeField(null=True, blank=True)
     minimum_ttl = models.PositiveIntegerField(default=_minimum_ttl_default.__func__)
     renewal_state = models.IntegerField(
-        choices=RenewalState.choices, default=RenewalState.IMMORTAL
+        choices=RenewalState.choices, db_index=True, default=RenewalState.IMMORTAL
     )
     renewal_changed = models.DateTimeField(auto_now_add=True)