Manage no active superusers in LOD devices

Author: AlexVelezLl

kolibri/core/auth/management/commands/deprovision.py

@@ -11,7 +11,8 @@
 from kolibri.core.auth.management.utils import confirm_or_exit
 from kolibri.core.auth.models import FacilityDataset
 from kolibri.core.auth.models import FacilityUser
-from kolibri.core.auth.utils.delete import DisablePostDeleteSignal
+from kolibri.core.auth.utils.deprovision import deprovision
+from kolibri.core.auth.utils.deprovision import get_deprovision_progress_total
 from kolibri.core.device.models import DevicePermissions
 from kolibri.core.device.models import DeviceSettings
 from kolibri.core.logger.models import AttemptLog
@@ -57,12 +58,10 @@ def add_arguments(self, parser):
         )
 
     def deprovision(self):
-        with DisablePostDeleteSignal(), self.start_progress(
-            total=len(MODELS_TO_DELETE)
+        with self.start_progress(
+            total=get_deprovision_progress_total()
         ) as progress_update:
-            for Model in MODELS_TO_DELETE:
-                Model.objects.all().delete()
-                progress_update(1)
+            deprovision(progress_update=progress_update)
 
     def handle_async(self, *args, **options):
 

kolibri/core/auth/utils/deprovision.py

@@ -0,0 +1,45 @@
+from morango.models import Certificate
+from morango.models import DatabaseIDModel
+from morango.models import DatabaseMaxCounter
+from morango.models import DeletedModels
+from morango.models import HardDeletedModels
+from morango.models import Store
+
+from kolibri.core.auth.models import FacilityDataset
+from kolibri.core.auth.models import FacilityUser
+from kolibri.core.auth.utils.delete import DisablePostDeleteSignal
+from kolibri.core.device.models import DevicePermissions
+from kolibri.core.device.models import DeviceSettings
+from kolibri.core.device.utils import reset_device_provisioned_flag
+from kolibri.core.logger.models import AttemptLog
+from kolibri.core.logger.models import ContentSessionLog
+from kolibri.core.logger.models import ContentSummaryLog
+
+MODELS_TO_DELETE = [
+    AttemptLog,
+    ContentSessionLog,
+    ContentSummaryLog,
+    FacilityUser,
+    FacilityDataset,
+    HardDeletedModels,
+    Certificate,
+    DatabaseIDModel,
+    Store,
+    DevicePermissions,
+    DeletedModels,
+    DeviceSettings,
+    DatabaseMaxCounter,
+]
+
+
+def deprovision(progress_update=None):
+    with DisablePostDeleteSignal():
+        for Model in MODELS_TO_DELETE:
+            Model.objects.all().delete()
+            if progress_update:
+                progress_update(1)
+    reset_device_provisioned_flag()
+
+
+def get_deprovision_progress_total():
+    return len(MODELS_TO_DELETE)

kolibri/core/device/tasks.py

@@ -10,6 +10,7 @@
 from kolibri.core.auth.models import Facility
 from kolibri.core.auth.models import FacilityUser
 from kolibri.core.auth.serializers import FacilitySerializer
+from kolibri.core.auth.utils.deprovision import deprovision
 from kolibri.core.device.models import DevicePermissions
 from kolibri.core.device.models import OSUser
 from kolibri.core.device.serializers import DeviceSerializerMixin
@@ -20,6 +21,7 @@
 from kolibri.core.device.utils import valid_app_key_on_request
 from kolibri.core.tasks.decorators import register_task
 from kolibri.core.tasks.permissions import FirstProvisioning
+from kolibri.core.tasks.permissions import IsDeviceUnusable
 from kolibri.core.tasks.utils import get_current_job
 from kolibri.core.tasks.validation import JobValidator
 from kolibri.plugins.app.utils import GET_OS_USER
@@ -28,6 +30,7 @@
 logger = logging.getLogger(__name__)
 
 PROVISION_TASK_QUEUE = "device_provision"
+DEPROVISION_TASK_QUEUE = "device_deprovision"
 
 
 class DeviceProvisionValidator(DeviceSerializerMixin, JobValidator):
@@ -227,3 +230,15 @@ def provisiondevice(**data):  # noqa C901
                 facility_id=facility.id,
                 username=superuser.username if superuser else None,
             )
+
+
+@register_task(
+    permission_classes=[IsDeviceUnusable],
+    cancellable=False,
+    queue=DEPROVISION_TASK_QUEUE,
+)
+def deprovisiondevice():
+    """
+    Task for deprovisioning a device.
+    """
+    deprovision()

kolibri/core/device/utils.py

@@ -29,6 +29,9 @@
 APP_KEY_COOKIE_NAME = "app_key_cookie"
 APP_AUTH_TOKEN_COOKIE_NAME = "app_auth_token_cookie"
 
+DEVICE_UNUSABLE_NO_SUPERUSERS = "NO_SUPERUSERS"
+DEVICE_UNUSABLE_SUPERUSERS_SOFT_DELETED = "SUPERUSERS_SOFT_DELETED"
+
 
 class DeviceNotProvisioned(Exception):
     pass
@@ -494,3 +497,37 @@ def is_full_facility_import(dataset_id):
         .filter(scope_definition_id=ScopeDefinitions.FULL_FACILITY)
         .exists()
     )
+
+
+device_is_provisioned = False
+
+
+def is_provisioned():
+    # First check if the device has been provisioned
+    global device_is_provisioned
+    device_is_provisioned = device_is_provisioned or device_provisioned()
+    return device_is_provisioned
+
+
+def reset_device_provisioned_flag():
+    global device_is_provisioned
+    device_is_provisioned = False
+
+
+def get_device_unusable_reason():
+    from kolibri.core.auth.models import FacilityUser
+
+    is_soud = get_device_setting("subset_of_users_device")
+    if not is_soud:
+        return None
+
+    superadmins = FacilityUser.all_objects.filter(devicepermissions__is_superuser=True)
+    if not superadmins.exists():
+        return DEVICE_UNUSABLE_NO_SUPERUSERS
+
+    non_soft_deleted_superadmins = FacilityUser.objects.filter(
+        devicepermissions__is_superuser=True
+    )
+    if not non_soft_deleted_superadmins.exists():
+        return DEVICE_UNUSABLE_SUPERUSERS_SOFT_DELETED
+    return None

kolibri/core/tasks/permissions.py

@@ -197,3 +197,13 @@ def user_can_run_job(self, user, job):
 
     def user_can_read_job(self, user, job):
         return True
+
+
+class IsDeviceUnusable(BasePermission):
+    def user_can_run_job(self, user, job):
+        from kolibri.core.device.utils import get_device_unusable_reason
+
+        return get_device_unusable_reason() is not None
+
+    def user_can_read_job(self, user, job):
+        return True

kolibri/core/views.py

@@ -28,7 +28,7 @@
 from kolibri.core.device.translation import get_device_language
 from kolibri.core.device.translation import get_settings_language
 from kolibri.core.device.utils import allow_guest_access
-from kolibri.core.device.utils import device_provisioned
+from kolibri.core.device.utils import is_provisioned
 from kolibri.core.hooks import LogoutRedirectHook
 from kolibri.core.hooks import RoleBasedRedirectHook
 from kolibri.core.theme_hook import ThemeHook
@@ -128,16 +128,6 @@ def get(self, request):
         return RootURLRedirectView.as_view()(request)
 
 
-device_is_provisioned = False
-
-
-def is_provisioned():
-    # First check if the device has been provisioned
-    global device_is_provisioned
-    device_is_provisioned = device_is_provisioned or device_provisioned()
-    return device_is_provisioned
-
-
 class RootURLRedirectView(View):
     def get(self, request):
         """

kolibri/plugins/user_auth/assets/src/constants.js

@@ -9,3 +9,8 @@ export const ComponentMap = {
 export const pageNameToModuleMap = {
   [ComponentMap.SIGN_IN]: 'signIn',
 };
+
+export const DeviceUnusableReason = {
+  NO_SUPERUSERS: 'NO_SUPERUSERS',
+  SUPERUSERS_SOFT_DELETED: 'SUPERUSERS_SOFT_DELETED',
+};

kolibri/plugins/user_auth/assets/src/views/AuthBase.vue

@@ -6,7 +6,7 @@
         <div class="main-cell table-cell">
           <!-- remote access disabled -->
           <div
-            v-if="!$store.getters.allowAccess"
+            v-if="!$store.getters.allowAccess || deviceUnusableReason"
             class="box"
             :style="{ backgroundColor: $themeTokens.surface }"
           >
@@ -24,10 +24,16 @@
             >
               {{ logoText }}
             </h1>
-            <p data-test="restrictedAccess">
-              {{ $tr('restrictedAccess') }}
-            </p>
-            <p>{{ $tr('restrictedAccessDescription') }}</p>
+            <template v-if="!$store.getters.allowAccess">
+              <p data-test="restrictedAccess">
+                {{ $tr('restrictedAccess') }}
+              </p>
+              <p>{{ $tr('restrictedAccessDescription') }}</p>
+            </template>
+            <DeviceUnusableMessage
+              v-else
+              :reason="deviceUnusableReason"
+            />
           </div>
           <!-- remote access enabled -->
           <div
@@ -191,10 +197,11 @@
   import LanguageSwitcherFooter from '../views/LanguageSwitcherFooter';
   import commonUserStrings from './commonUserStrings';
   import getUrlParameter from './getUrlParameter';
+  import DeviceUnusableMessage from './DeviceUnusableMessage.vue';
 
   export default {
     name: 'AuthBase',
-    components: { CoreLogo, LanguageSwitcherFooter, PrivacyInfoModal },
+    components: { CoreLogo, LanguageSwitcherFooter, PrivacyInfoModal, DeviceUnusableMessage },
     mixins: [commonCoreStrings, commonUserStrings],
     setup() {
       const { facilityConfig } = useFacilities();
@@ -271,6 +278,9 @@
       showGuestAccess() {
         return plugin_data.allowGuestAccess && !this.oidcProviderFlow;
       },
+      deviceUnusableReason() {
+        return plugin_data.deviceUnusableReason;
+      },
       versionMsg() {
         return this.$tr('poweredBy', { version: __version });
       },

kolibri/plugins/user_auth/assets/src/views/DeviceUnusableMessage.vue

@@ -0,0 +1,135 @@
+<template>
+
+  <div>
+    <template v-if="reason === DeviceUnusableReason.NO_SUPERUSERS">
+      <p>{{ strings.noSuperusersNotice$() }}</p>
+      <p>{{ strings.noSuperuserCallToAction$() }}</p>
+    </template>
+    <template v-else-if="reason === DeviceUnusableReason.SUPERUSERS_SOFT_DELETED">
+      <p>
+        {{ strings.superusersSoftDeletedNotice$() }}
+      </p>
+      <p>
+        {{ strings.superusersSoftDeletedCallToAction$() }}
+      </p>
+    </template>
+    <p v-else>{{ strings.unknownIssueNotice$() }}</p>
+    <KButton
+      :disabled="taskLoading"
+      style="margin-top: 16px"
+      primary
+      :text="strings.reinstallKolibriAction$()"
+      @click="deprovision"
+    />
+  </div>
+
+</template>
+
+
+<script>
+
+  import TaskResource from 'kolibri/apiResources/TaskResource';
+  import useTaskPolling from 'kolibri-common/composables/useTaskPolling';
+  import useSnackbar from 'kolibri/composables/useSnackbar';
+  import { TaskStatuses, TaskTypes } from 'kolibri-common/utils/syncTaskUtils';
+  import redirectBrowser from 'kolibri/utils/redirectBrowser';
+  import { createTranslator } from 'kolibri/utils/i18n';
+
+  import { computed, ref, watch } from 'vue';
+  import { DeviceUnusableReason } from '../constants';
+
+  const DEPROVISION_TASK_QUEUE = 'device_deprovision';
+
+  const strings = createTranslator('DeviceUnusableStrings', {
+    noSuperusersNotice: {
+      message: 'This device is unusable because there are no superuser accounts on this device.',
+      context: 'Notice that there are no superuser accounts on the device',
+    },
+    noSuperuserCallToAction: {
+      message: 'Please reinstall Kolibri to create a superuser account.',
+      context: 'Call to action to reinstall Kolibri to create a superuser account',
+    },
+    superusersSoftDeletedNotice: {
+      message:
+        'This device is unusable because all superuser accounts on this device have been deleted on the server.',
+      context: 'Notice that all superuser accounts have been deleted on the server',
+    },
+    superusersSoftDeletedCallToAction: {
+      message:
+        'Please contact your system administrator to restore your account or reinstall Kolibri to create a new superuser account.',
+      context:
+        'Call to action to contact system administrator or reinstall Kolibri to create a new superuser account',
+    },
+    unknownIssueNotice: {
+      message: 'This device is unusable due to an unknown reason. Please contact support.',
+      context: 'Notice that the device is unusable due to an unknown reason',
+    },
+    reinstallKolibriAction: {
+      message: 'Reinstall Kolibri',
+      context: 'Button text to reinstall Kolibri',
+    },
+    deprovisioningError: {
+      message: 'An error occurred while trying to reinstall Kolibri. Please try again.',
+      context: 'Error message when there is an error deprovisioning the device',
+    },
+  });
+
+  export default {
+    name: 'DeviceUnusableMessage',
+    setup() {
+      const taskLoading = ref(false);
+      const { tasks } = useTaskPolling(DEPROVISION_TASK_QUEUE);
+      const { createSnackbar } = useSnackbar();
+      const deprovisionTask = computed(() => tasks.value[tasks.value.length - 1]);
+
+      const deprovision = async () => {
+        try {
+          taskLoading.value = true;
+          await TaskResource.startTask({
+            type: TaskTypes.DEPROVISIONDEVICE,
+          });
+        } catch (e) {
+          createSnackbar(strings.deprovisioningError$());
+        }
+      };
+
+      const clearTasks = async () => {
+        try {
+          await TaskResource.clearAll(DEPROVISION_TASK_QUEUE);
+        } catch (e) {
+          return;
+        }
+      };
+
+      watch(deprovisionTask, task => {
+        if (!task) return;
+        taskLoading.value = true;
+        if (task.status === TaskStatuses.FAILED) {
+          taskLoading.value = false;
+          createSnackbar(strings.deprovisioningError$());
+          clearTasks();
+          return;
+        }
+        if (task.status === TaskStatuses.COMPLETED) {
+          clearTasks();
+          redirectBrowser();
+        }
+      });
+
+      return {
+        strings,
+        taskLoading,
+        DeviceUnusableReason,
+        deprovision,
+      };
+    },
+    props: {
+      reason: {
+        type: String,
+        required: true,
+        validator: value => Object.values(DeviceUnusableReason).includes(value),
+      },
+    },
+  };
+
+</script>