From b4d72c76e602060d0a360b0e56b0eb15fc2b7fb4 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue, 7 May 2019 16:51:19 +0100
Subject: [PATCH] accounts: Create LDAP user when account is activated

This converts the temporary user account into an account on our
LDAP database.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/backend/accounts.py          | 27 ++++++++++++++++++------
 src/templates/auth/activate.html |  7 ++++++-
 src/web/auth.py                  | 35 ++++++++++++--------------------
 3 files changed, 40 insertions(+), 29 deletions(-)

diff --git a/src/backend/accounts.py b/src/backend/accounts.py
index a474bc0c..657d765b 100644
--- a/src/backend/accounts.py
+++ b/src/backend/accounts.py
@@ -191,13 +191,23 @@ class Accounts(Object):
 			activation_code=activation_code, email=email,
 			first_name=first_name, last_name=last_name)
 
-	def create(self, uid, email, first_name, last_name):
-		activation_code = util.random_string(24)
+	def activate(self, uid, activation_code):
+		res = self.db.get("DELETE FROM account_activations \
+			WHERE uid = %s AND activation_code = %s AND expires_at > NOW() \
+			RETURNING *", uid, activation_code)
+
+		# Return nothing when account was not found
+		if not res:
+			return
 
+		# Create a new account on the LDAP database
+		return self.create(uid, res.email,
+			first_name=res.first_name, last_name=res.last_name)
+
+	def create(self, uid, email, first_name, last_name):
 		# Account Parameters
 		account = {
 			"objectClass"  : [b"top", b"person", b"inetOrgPerson"],
-			"userPassword" : activation_code.encode(),
 			"mail"         : email.encode(),
 
 			# Name
@@ -206,11 +216,16 @@ class Accounts(Object):
 			"givenName"    : first_name.encode(),
 		}
 
+		logging.info("Creating new account: %s: %s" % (uid, account))
+
+		# Create DN
+		dn = "uid=%s,ou=People,dc=mcfly,dc=local" % uid
+
 		# Create account on LDAP
-		self.ldap.add_s("uid=%s,ou=People,dc=mcfly,dc=local" % uid, ldap.modlist.addModlist(account))
+		self.ldap.add_s(dn, ldap.modlist.addModlist(account))
 
-		# TODO Send email with activation code
-		pass
+		# Return account
+		return self._get_account_from_dn(dn)
 
 	# Session stuff
 
diff --git a/src/templates/auth/activate.html b/src/templates/auth/activate.html
index 4a88d584..4b661c16 100644
--- a/src/templates/auth/activate.html
+++ b/src/templates/auth/activate.html
@@ -7,10 +7,15 @@
 		<div class="col col-md-4">
 			<h5 class=" mb-4">{{ _("Activate Your Account") }}</h5>
 
+			<p>
+				{{ _("Thank you for creating a new account.") }}
+				{{ _("To activate it, please enter a strong password.") }}
+			</p>
+
 			<form action="" method="POST">
 				{% raw xsrf_form_html() %}
 
-				{% module Password(account) %}
+				{% module Password() %}
 
 				<button type="submit" class="btn btn-primary btn-block">
 					{{ _("Activate Account") }}
diff --git a/src/web/auth.py b/src/web/auth.py
index 15d4e369..2fc70eec 100644
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -105,34 +105,25 @@ class RegisterHandler(base.BaseHandler):
 
 class ActivateHandler(AuthenticationMixin, base.BaseHandler):
 	def get(self, uid, activation_code):
-		# Fetch the account
-		account = self.backend.accounts.get_by_uid(uid)
-		if not account:
-			raise tornado.web.HTTPError(400, "Account not found: %s" % uid)
-
-		# Validate activation code
-		if not account.check_password(activation_code):
-			raise tornado.web.HTTPError(400, "Activation code did not match: %s" % activation_code)
-
-		self.render("auth/activate.html", account=account)
+		self.render("auth/activate.html")
 
 	def post(self, uid, activation_code):
-		password = self.get_argument("password1")
+		password1 = self.get_argument("password1")
+		password2 = self.get_argument("password2")
 
-		# Fetch the account
-		account = self.backend.accounts.get_by_uid(uid)
-		if not account:
-			raise tornado.web.HTTPError(404, "Account not found: %s" % uid)
+		if not password1 == password2:
+			raise tornado.web.HTTPError(400, "Passwords do not match")
 
-		# Validate activation code
-		if not account.check_password(activation_code):
-			raise tornado.web.HTTPError(403, "Activation code did not match: %s" % activation_code)
+		with self.db.transaction():
+			account = self.backend.accounts.activate(uid, activation_code)
+			if not account:
+				raise tornado.web.HTTPError(400, "Account not found: %s" % uid)
 
-		# Set the new password
-		account.passwd(password)
+			# Set the new password
+			account.passwd(password1)
 
-		# Create session
-		self.login(account)
+			# Create session
+			self.login(account)
 
 		# Redirect to main page
 		self.redirect("/")
-- 
2.47.3