Merge remote-tracking branch 'origin/main' into personal/jennifer/7.45.1.dev0.bootstrap-merge

# Conflicts:
#	ietf/templates/meeting/session_buttons_include.html

Author: jennifer-richards

changelog

@@ -1,3 +1,38 @@
+ietfdb (7.46.0) ietf; urgency=medium
+
+  ** bugfixes, security improvements, performance improvements **
+
+  * Merged in [19946] from rjsparks@nostrum.com:
+    Allow the secretariat to request many more sessions.  
+
+  * Merged in [19947] from rjsparks@nostrum.com:
+    Add link to onsite tool to agenda. Fixes #3550.  
+
+  * Merged in [19948] from rjsparks@nostrum.com:
+    Update link to handling ballot positions. Fixes #3208.  
+
+  * Merged in [19949] and [19950] from rjsparks@nostrum.com:
+    Use tempfiles while rebuilding group and doc alias files. Fixes #3521.  
+
+  * Merged in [19952] from rjsparks@nostrum.com:
+    Only keep the first and most recent yang validator SubmissionCheck for 
+    any given submission. Fixes #3542.  
+
+  * Merged in [19954] from jennifer@painless-security.com:
+    Refactor session overlap computation to treat overlapping sessions 
+    correctly.  
+
+  * Merged in [19967] from rjsparks@nostrum.com:
+    From Kesara Rathnayake: Expire password reset links on use, password 
+    change through other mechanics, login, or a short configurable time 
+    (initially one hour).
+
+  * Merged in [19969] from jennifer@painless-security.com:
+    Use correct UTC time when creating Meetecho conferences. Fixes #3565.  
+
+ -- Robert Sparks <rjsparks@nostrum.com>  24 Feb 2022 03:05:28 +0000
+
+
 ietfdb (7.45.0) ietf; urgency=medium
 
   ** MeetEcho interim request integration, bugfixes **

hold-for-merge

@@ -6,6 +6,7 @@
 
 # Everyting below this line is OBE
 
+/personal/rjs/7.45.1.dev0@19962 # Mangled commit
 /personal/rjs/7.39.1.dev1@19554 # Optimization wasn't measured correctly
 /personal/rjs/7.36.1.dev0@19318 # Folded this into r19336
 /personal/rjs/7.36.1.dev0@19302 # Handled this in an earlier merge

ietf/__init__.py

@@ -5,13 +5,13 @@
 from . import checks                           # pyflakes:ignore
 
 # Don't add patch number here:
-__version__ = "7.45.1.dev0"
+__version__ = "7.46.1.dev0"
 
 # set this to ".p1", ".p2", etc. after patching
 __patch__   = ""
 
 __date__    = "$Date$"
 
-__rev__     = "$Rev$ (dev) Latest release: Rev. 19938 "
+__rev__     = "$Rev$ (dev) Latest release: Rev. 19974 "
 
 __id__      = "$Id$"

ietf/doc/management/commands/generate_draft_aliases.py

@@ -8,7 +8,11 @@
 import io
 import os
 import re
+import shutil
+import stat
 import time
+
+from tempfile import mkstemp
 
 from django.conf import settings
 from django.core.management.base import BaseCommand
@@ -102,8 +106,13 @@ def handle(self, *args, **options):
         date = time.strftime("%Y-%m-%d_%H:%M:%S")
         signature = '# Generated by %s at %s\n' % (os.path.abspath(__file__), date)
 
-        afile = io.open(settings.DRAFT_ALIASES_PATH, "w")
-        vfile = io.open(settings.DRAFT_VIRTUAL_PATH, "w")
+        ahandle, aname = mkstemp()
+        os.close(ahandle)
+        afile = io.open(aname,"w")
+
+        vhandle, vname = mkstemp()
+        os.close(vhandle)
+        vfile = io.open(vname,"w")
 
         afile.write(signature)
         vfile.write(signature)
@@ -160,4 +169,11 @@ def handle(self, *args, **options):
 
         afile.close()
         vfile.close()
+
+        os.chmod(aname, stat.S_IWUSR|stat.S_IRUSR|stat.S_IRGRP|stat.S_IROTH) 
+        os.chmod(vname, stat.S_IWUSR|stat.S_IRUSR|stat.S_IRGRP|stat.S_IROTH) 
+
+        shutil.move(aname, settings.DRAFT_ALIASES_PATH)
+        shutil.move(vname, settings.DRAFT_VIRTUAL_PATH)
+
 

ietf/group/management/commands/generate_group_aliases.py

@@ -7,7 +7,11 @@
 import datetime
 import io
 import os
+import shutil
+import stat
 import time
+
+from tempfile import mkstemp
 
 from django.conf import settings
 from django.core.management.base import BaseCommand
@@ -40,8 +44,13 @@ def handle(self, *args, **options):
         date = time.strftime("%Y-%m-%d_%H:%M:%S")
         signature = '# Generated by %s at %s\n' % (os.path.abspath(__file__), date)
 
-        afile = io.open(settings.GROUP_ALIASES_PATH, "w")
-        vfile = io.open(settings.GROUP_VIRTUAL_PATH, "w")
+        ahandle, aname = mkstemp()
+        os.close(ahandle)
+        afile = io.open(aname,"w")
+
+        vhandle, vname = mkstemp()
+        os.close(vhandle)
+        vfile = io.open(vname,"w")
 
         afile.write(signature)
         vfile.write(signature)
@@ -86,4 +95,10 @@ def handle(self, *args, **options):
             dump_sublist(afile, vfile, group.acronym+'-chairs', IETF_DOMAIN, settings.GROUP_VIRTUAL_DOMAIN, get_group_role_emails(group, ['chair', 'delegate']))
 
         afile.close()
-        vfile.close()
+        vfile.close()
+
+        os.chmod(aname, stat.S_IWUSR|stat.S_IRUSR|stat.S_IRGRP|stat.S_IROTH) 
+        os.chmod(vname, stat.S_IWUSR|stat.S_IRUSR|stat.S_IRGRP|stat.S_IROTH) 
+
+        shutil.move(aname, settings.GROUP_ALIASES_PATH)
+        shutil.move(vname, settings.GROUP_VIRTUAL_PATH)

ietf/ietfauth/tests.py

@@ -373,9 +373,11 @@ def test_nomcom_dressing_on_profile(self):
 
     def test_reset_password(self):
         url = urlreverse(ietf.ietfauth.views.password_reset)
+        email = 'someone@example.com'
+        password = 'foobar'
 
-        user = User.objects.create(username="someone@example.com", email="someone@example.com")
-        user.set_password("forgotten")
+        user = User.objects.create(username=email, email=email)
+        user.set_password(password)
         user.save()
         p = Person.objects.create(name="Some One", ascii="Some One", user=user)
         Email.objects.create(address=user.username, person=p, origin=user.username)
@@ -414,6 +416,39 @@ def test_reset_password(self):
         self.assertEqual(len(q("form .is-invalid")), 0)
         self.assertTrue(self.username_in_htpasswd_file(user.username))
 
+        # reuse reset url
+        r = self.client.get(confirm_url)
+        self.assertEqual(r.status_code, 404)
+
+        # login after reset request
+        empty_outbox()
+        user.set_password(password)
+        user.save()
+
+        r = self.client.post(url, { 'username': user.username })
+        self.assertEqual(r.status_code, 200)
+        self.assertEqual(len(outbox), 1)
+        confirm_url = self.extract_confirm_url(outbox[-1])
+
+        r = self.client.post(urlreverse(ietf.ietfauth.views.login), {'username': email, 'password': password})
+
+        r = self.client.get(confirm_url)
+        self.assertEqual(r.status_code, 404)
+
+        # change password after reset request
+        empty_outbox()
+
+        r = self.client.post(url, { 'username': user.username })
+        self.assertEqual(r.status_code, 200)
+        self.assertEqual(len(outbox), 1)
+        confirm_url = self.extract_confirm_url(outbox[-1])
+
+        user.set_password('newpassword')
+        user.save()
+
+        r = self.client.get(confirm_url)
+        self.assertEqual(r.status_code, 404)
+
     def test_review_overview(self):
         review_req = ReviewRequestFactory()
         assignment = ReviewAssignmentFactory(review_request=review_req,reviewer=EmailFactory(person__user__username='reviewer'))

ietf/ietfauth/views.py

@@ -36,7 +36,7 @@
 
 import importlib
 
-from datetime import date as Date
+from datetime import date as Date, datetime as DateTime
 # needed if we revert to higher barrier for account creation
 #from datetime import datetime as DateTime, timedelta as TimeDelta, date as Date
 from collections import defaultdict
@@ -418,7 +418,16 @@ def password_reset(request):
         if form.is_valid():
             username = form.cleaned_data['username']
 
-            auth = django.core.signing.dumps(username, salt="password_reset")
+            data = { 'username': username }
+            if User.objects.filter(username=username).exists():
+                user = User.objects.get(username=username)
+                data['password'] = user.password and user.password[-4:]
+                if user.last_login:
+                    data['last_login'] = user.last_login.timestamp()
+                else:
+                    data['last_login'] = None
+
+            auth = django.core.signing.dumps(data, salt="password_reset")
 
             domain = Site.objects.get_current().domain
             subject = 'Confirm password reset at %s' % domain
@@ -429,7 +438,7 @@ def password_reset(request):
                 'domain': domain,
                 'auth': auth,
                 'username': username,
-                'expire': settings.DAYS_TO_EXPIRE_REGISTRATION_LINK,
+                'expire': settings.MINUTES_TO_EXPIRE_RESET_PASSWORD_LINK,
             })
 
             success = True
@@ -443,11 +452,16 @@ def password_reset(request):
 
 def confirm_password_reset(request, auth):
     try:
-        username = django.core.signing.loads(auth, salt="password_reset", max_age=settings.DAYS_TO_EXPIRE_REGISTRATION_LINK * 24 * 60 * 60)
+        data = django.core.signing.loads(auth, salt="password_reset", max_age=settings.MINUTES_TO_EXPIRE_RESET_PASSWORD_LINK * 60)
+        username = data['username']
+        password = data['password']
+        last_login = None
+        if data['last_login']:
+            last_login = DateTime.fromtimestamp(data['last_login'])
     except django.core.signing.BadSignature:
         raise Http404("Invalid or expired auth")
 
-    user = get_object_or_404(User, username=username)
+    user = get_object_or_404(User, username=username, password__endswith=password, last_login=last_login)
 
     success = False
     if request.method == 'POST':

ietf/meeting/helpers.py

@@ -1099,7 +1099,7 @@ def create_interim_session_conferences(sessions):
                 confs = meetecho_manager.create(
                     group=session.group,
                     description=str(session),
-                    start_time=ts.time,
+                    start_time=ts.utc_start_time(),
                     duration=ts.duration,
                 )
             except Exception as err:

ietf/meeting/models.py

@@ -487,6 +487,9 @@ def audio_stream_url(self):
     def video_stream_url(self):
         urlresources = [ur for ur in self.urlresource_set.all() if ur.name_id in ['meetecho']]
         return urlresources[0].url if urlresources else None
+    def onsite_tool_url(self):
+        urlresources = [ur for ur in self.urlresource_set.all() if ur.name_id in ['meetecho_onsite']]
+        return urlresources[0].url if urlresources else None
     def webex_url(self):
         urlresources = [ur for ur in self.urlresource_set.all() if ur.name_id in ['webex']]
         return urlresources[0].url if urlresources else None

ietf/meeting/tests_helpers.py

@@ -456,8 +456,8 @@ def test_sessions_post_cancel_delete_exception(self, mock):
     def test_create_interim_session_conferences(self, mock):
         mock_conf_mgr = mock.return_value  # "instance" seen by the internals
         sessions = [
-            SessionFactory(meeting__type_id='interim', remote_instructions='junk'),
-            SessionFactory(meeting__type_id='interim', remote_instructions=''),
+            SessionFactory(meeting__type_id='interim', meeting__time_zone='america/halifax', remote_instructions='junk'),
+            SessionFactory(meeting__type_id='interim', meeting__time_zone='asia/kuala_lumpur', remote_instructions=''),
         ]
         timeslots = [
             session.official_timeslotassignment().timeslot for session in sessions
@@ -482,18 +482,18 @@ def test_create_interim_session_conferences(self, mock):
         mock_conf_mgr.create.return_value = [
             Conference(
                 manager=mock_conf_mgr, id=1, public_id='some-uuid', description='desc',
-                start_time=timeslots[0].time, duration=timeslots[0].duration, url='fake-meetecho-url',
+                start_time=timeslots[0].utc_start_time(), duration=timeslots[0].duration, url='fake-meetecho-url',
                 deletion_token='please-delete-me',
             ),
         ]
         create_interim_session_conferences([sessions[0]])
         self.assertTrue(mock_conf_mgr.create.called)
-        self.assertCountEqual(
+        self.assertEqual(
             mock_conf_mgr.create.call_args[1],
             {
                 'group': sessions[0].group,
                 'description': str(sessions[0]),
-                'start_time': timeslots[0].time,
+                'start_time': timeslots[0].utc_start_time(),
                 'duration': timeslots[0].duration,
             }
         )
@@ -507,30 +507,30 @@ def test_create_interim_session_conferences(self, mock):
         mock_conf_mgr.create.side_effect = [
             [Conference(
                 manager=mock_conf_mgr, id=1, public_id='some-uuid', description='desc',
-                start_time=timeslots[0].time, duration=timeslots[0].duration, url='different-fake-meetecho-url',
+                start_time=timeslots[0].utc_start_time(), duration=timeslots[0].duration, url='different-fake-meetecho-url',
                 deletion_token='please-delete-me',
             )],
             [Conference(
                 manager=mock_conf_mgr, id=2, public_id='another-uuid', description='desc',
-                start_time=timeslots[1].time, duration=timeslots[1].duration, url='another-fake-meetecho-url',
+                start_time=timeslots[1].utc_start_time(), duration=timeslots[1].duration, url='another-fake-meetecho-url',
                 deletion_token='please-delete-me-too',
             )],
         ]
         create_interim_session_conferences([sessions[0], sessions[1]])
         self.assertTrue(mock_conf_mgr.create.called)
-        self.assertCountEqual(
+        self.assertEqual(
             mock_conf_mgr.create.call_args_list,
             [
                 ({
                     'group': sessions[0].group,
                     'description': str(sessions[0]),
-                    'start_time': timeslots[0].time,
+                    'start_time': timeslots[0].utc_start_time(),
                     'duration': timeslots[0].duration,
                  },),
                 ({
                     'group': sessions[1].group,
                     'description': str(sessions[1]),
-                    'start_time': timeslots[1].time,
+                    'start_time': timeslots[1].utc_start_time(),
                     'duration': timeslots[1].duration,
                  },),
             ]