Implement account invitations

Author: alexiri

astra_app/config/settings.py

@@ -353,6 +353,28 @@ def _parse_email_url(email_url: str) -> dict[str, Any]:
     default="membership-request-rfi",
 ) or "membership-request-rfi"
 
+
+ACCOUNT_INVITATION_MAX_CSV_ROWS = _env_int("ACCOUNT_INVITATION_MAX_CSV_ROWS", default=500)
+ACCOUNT_INVITATION_MAX_UPLOAD_BYTES = _env_int(
+    "ACCOUNT_INVITATION_MAX_UPLOAD_BYTES",
+    default=2 * 1024 * 1024,
+)
+ACCOUNT_INVITATION_BULK_SEND_LIMIT = _env_int("ACCOUNT_INVITATION_BULK_SEND_LIMIT", default=10)
+ACCOUNT_INVITATION_BULK_SEND_WINDOW_SECONDS = _env_int(
+    "ACCOUNT_INVITATION_BULK_SEND_WINDOW_SECONDS",
+    default=60 * 10,
+)
+ACCOUNT_INVITATION_RESEND_LIMIT = _env_int("ACCOUNT_INVITATION_RESEND_LIMIT", default=10)
+ACCOUNT_INVITATION_RESEND_WINDOW_SECONDS = _env_int(
+    "ACCOUNT_INVITATION_RESEND_WINDOW_SECONDS",
+    default=60 * 10,
+)
+ACCOUNT_INVITATION_REFRESH_LIMIT = _env_int("ACCOUNT_INVITATION_REFRESH_LIMIT", default=10)
+ACCOUNT_INVITATION_REFRESH_WINDOW_SECONDS = _env_int(
+    "ACCOUNT_INVITATION_REFRESH_WINDOW_SECONDS",
+    default=60 * 10,
+)
+
 MEMBERSHIP_COMMITTEE_PENDING_REQUESTS_EMAIL_TEMPLATE_NAME = _env_str(
     "MEMBERSHIP_COMMITTEE_PENDING_REQUESTS_EMAIL_TEMPLATE_NAME",
     default="membership-committee-pending-requests",
@@ -639,6 +661,10 @@ def _parse_email_url(email_url: str) -> dict[str, Any]:
     "ACCOUNT_INVITE_EMAIL_TEMPLATE_NAME",
     default="account-invite",
 ) or "account-invite"
+ACCOUNT_INVITATION_EMAIL_TEMPLATE_NAMES = _env_list(
+    "ACCOUNT_INVITATION_EMAIL_TEMPLATE_NAMES",
+    default=[ACCOUNT_INVITE_EMAIL_TEMPLATE_NAME],
+)
 
 # Map FreeIPA groups to Django permissions
 # Format: {'freeipa_group_name': {'app_label.permission_codename', ...}}

astra_app/core/account_invitations.py

@@ -0,0 +1,142 @@
+from __future__ import annotations
+
+import csv
+import io
+import logging
+from collections.abc import Callable
+
+from django.core.exceptions import ValidationError
+from django.core.validators import validate_email
+
+from core.backends import FreeIPAUser
+
+logger = logging.getLogger(__name__)
+
+
+def normalize_invitation_email(value: str) -> str:
+    return str(value or "").strip().lower()
+
+
+def parse_invitation_csv(content: str, *, max_rows: int) -> list[dict[str, str]]:
+    raw = str(content or "")
+    if not raw.strip():
+        raise ValueError("CSV is empty.")
+
+    sample = raw[:64 * 1024]
+    try:
+        dialect = csv.Sniffer().sniff(sample, delimiters=",;\t|")
+    except Exception:
+        dialect = csv.excel
+
+    reader = csv.reader(io.StringIO(raw), dialect)
+    rows = [row for row in reader if any(str(cell or "").strip() for cell in row)]
+    if not rows:
+        raise ValueError("CSV is empty.")
+
+    header = ["".join(ch for ch in str(cell or "").strip().lower() if ch.isalnum()) for cell in rows[0]]
+
+    header_map: dict[int, str] = {}
+    if "email" in header:
+        for idx, name in enumerate(header):
+            if name == "email":
+                header_map[idx] = "email"
+            elif name == "fullname":
+                header_map[idx] = "full_name"
+            elif name in {"note", "notes"}:
+                header_map[idx] = "note"
+    else:
+        header_map = {0: "email", 1: "full_name", 2: "note"}
+
+    data_rows = rows[1:] if "email" in header else rows
+    if max_rows > 0 and len(data_rows) > max_rows:
+        raise ValueError(f"CSV exceeds the maximum of {max_rows} rows.")
+
+    parsed: list[dict[str, str]] = []
+    for row in data_rows:
+        entry: dict[str, str] = {"email": "", "full_name": "", "note": ""}
+        for idx, key in header_map.items():
+            if idx >= len(row):
+                continue
+            entry[key] = str(row[idx] or "").strip()
+        parsed.append(entry)
+
+    return parsed
+
+
+def classify_invitation_rows(
+    rows: list[dict[str, str]],
+    *,
+    existing_invitations: dict[str, object],
+    freeipa_lookup: Callable[[str], list[str]],
+) -> tuple[list[dict[str, object]], dict[str, int]]:
+    preview_rows: list[dict[str, object]] = []
+    counts: dict[str, int] = {"new": 0, "resend": 0, "accepted": 0, "invalid": 0, "duplicate": 0}
+    seen: set[str] = set()
+    freeipa_cache: dict[str, list[str]] = {}
+
+    for row in rows:
+        email_raw = str(row.get("email") or "")
+        full_name = str(row.get("full_name") or "")
+        note = str(row.get("note") or "")
+        normalized = normalize_invitation_email(email_raw)
+
+        status = ""
+        reason = ""
+        matches: list[str] = []
+
+        if not normalized:
+            status = "invalid"
+            reason = "Missing email"
+        elif normalized in seen:
+            status = "duplicate"
+            reason = "Duplicate email in upload"
+        else:
+            seen.add(normalized)
+            try:
+                validate_email(normalized)
+            except ValidationError:
+                status = "invalid"
+                reason = "Invalid email"
+            else:
+                cached = freeipa_cache.get(normalized)
+                if cached is None:
+                    cached = sorted(
+                        {str(u or "").strip().lower() for u in freeipa_lookup(normalized) if str(u or "").strip()}
+                    )
+                    freeipa_cache[normalized] = cached
+                matches = cached
+
+                if matches:
+                    status = "accepted"
+                else:
+                    existing = existing_invitations.get(normalized)
+                    status = "resend" if existing is not None else "new"
+
+        counts[status] = counts.get(status, 0) + 1
+        preview_rows.append(
+            {
+                "email": normalized or email_raw,
+                "full_name": full_name,
+                "note": note,
+                "status": status,
+                "reason": reason,
+                "freeipa_usernames": matches,
+                "has_multiple_matches": len(matches) > 1,
+            }
+        )
+
+    return preview_rows, counts
+
+
+def find_account_invitation_matches(email: str) -> list[str]:
+    normalized = normalize_invitation_email(email)
+    if not normalized:
+        return []
+
+    try:
+        matches = FreeIPAUser.find_usernames_by_email(normalized)
+    except Exception:
+        logger.exception("Account invitation FreeIPA email lookup failed")
+        return []
+
+    return sorted({str(value or "").strip().lower() for value in matches if str(value or "").strip()})

astra_app/core/backends.py

@@ -781,6 +781,44 @@ def _do(client: ClientMeta):
             logger.exception(f"Failed to find user by email email={email}: {e}")
             return None
 
+    @classmethod
+    def find_usernames_by_email(cls, email: str) -> list[str]:
+        normalized = (email or "").strip().lower()
+        if not normalized:
+            return []
+
+        def _do(client: ClientMeta):
+            return client.user_find(o_mail=normalized, o_all=True, o_no_members=False)
+
+        try:
+            res = _with_freeipa_service_client_retry(cls.get_client, _do)
+        except Exception:
+            logger.exception("Failed to find users by email")
+            return []
+
+        if not isinstance(res, dict) or res.get("count", 0) <= 0:
+            return []
+
+        results = res.get("result")
+        if not isinstance(results, list):
+            return []
+
+        usernames: set[str] = set()
+        for item in results:
+            if not isinstance(item, dict):
+                continue
+            uid = item.get("uid")
+            if isinstance(uid, list):
+                values = uid
+            else:
+                values = [uid]
+            for value in values:
+                name = str(value or "").strip().lower()
+                if name:
+                    usernames.add(name)
+
+        return sorted(usernames)
+
     @classmethod
     def create(cls, username, **kwargs):
         """

astra_app/core/migrations/0061_account_invitations.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+import django.db.models.deletion
+import django.utils.timezone
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0059_create_account_invite_email_template"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AccountInvitation",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("email", models.EmailField(max_length=254, unique=True)),
+                ("full_name", models.CharField(blank=True, default="", max_length=255)),
+                ("note", models.TextField(blank=True, default="")),
+                ("email_template_name", models.CharField(blank=True, default="", max_length=255)),
+                ("invited_by_username", models.CharField(max_length=255)),
+                ("invited_at", models.DateTimeField(auto_now_add=True)),
+                ("last_sent_at", models.DateTimeField(blank=True, null=True)),
+                ("send_count", models.PositiveIntegerField(default=0)),
+                ("dismissed_at", models.DateTimeField(blank=True, null=True)),
+                ("dismissed_by_username", models.CharField(blank=True, default="", max_length=255)),
+                ("accepted_at", models.DateTimeField(blank=True, null=True)),
+                ("freeipa_matched_usernames", models.JSONField(blank=True, default=list)),
+                ("freeipa_last_checked_at", models.DateTimeField(blank=True, null=True)),
+            ],
+            options={
+                "ordering": ("-invited_at", "email"),
+            },
+        ),
+        migrations.CreateModel(
+            name="AccountInvitationSend",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("sent_by_username", models.CharField(max_length=255)),
+                ("sent_at", models.DateTimeField(default=django.utils.timezone.now)),
+                ("template_name", models.CharField(max_length=255)),
+                ("post_office_email_id", models.BigIntegerField(blank=True, null=True)),
+                (
+                    "result",
+                    models.CharField(
+                        choices=[("queued", "Queued"), ("failed", "Failed")],
+                        max_length=16,
+                    ),
+                ),
+                ("error_category", models.CharField(blank=True, default="", max_length=64)),
+                (
+                    "invitation",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="sends",
+                        to="core.accountinvitation",
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddIndex(
+            model_name="accountinvitation",
+            index=models.Index(fields=["accepted_at"], name="acct_inv_accept_at"),
+        ),
+        migrations.AddIndex(
+            model_name="accountinvitation",
+            index=models.Index(fields=["dismissed_at"], name="acct_inv_dismiss_at"),
+        ),
+        migrations.AddIndex(
+            model_name="accountinvitationsend",
+            index=models.Index(fields=["sent_at"], name="acct_inv_send_at"),
+        ),
+    ]