desec-stack/api/desecapi/serializers.py

import binascii
import copy
import json
import re
from base64 import b64encode
from datetime import timedelta

import django.core.exceptions
import dns.name
import dns.zone
from captcha.audio import AudioCaptcha
from captcha.image import ImageCaptcha
from django.contrib.auth.password_validation import validate_password
from django.core.validators import MinValueValidator
from django.db.models import Model, Q
from django.utils import timezone
from netfields import rest_framework as netfields_rf
from rest_framework import fields, serializers
from rest_framework.settings import api_settings
from rest_framework.validators import UniqueTogetherValidator, UniqueValidator, qs_filter

from api import settings
from desecapi import crypto, models, validators
from desecapi.models import validate_domain_name


class CaptchaSerializer(serializers.ModelSerializer):
    challenge = serializers.SerializerMethodField()

    class Meta:
        model = models.Captcha
        fields = ('id', 'challenge', 'kind') if not settings.DEBUG else ('id', 'challenge', 'kind', 'content')

    def get_challenge(self, obj: models.Captcha):
        # TODO Does this need to be stored in the object instance, in case this method gets called twice?
        if obj.kind == models.Captcha.Kind.IMAGE:
            challenge = ImageCaptcha().generate(obj.content).getvalue()
        elif obj.kind == models.Captcha.Kind.AUDIO:
            challenge = AudioCaptcha().generate(obj.content)
        else:
            raise ValueError(f'Unknown captcha type {obj.kind}')
        return b64encode(challenge)


class CaptchaSolutionSerializer(serializers.Serializer):
    id = serializers.PrimaryKeyRelatedField(
        queryset=models.Captcha.objects.all(),
        error_messages={'does_not_exist': 'CAPTCHA does not exist.'}
    )
    solution = serializers.CharField(write_only=True, required=True)

    def validate(self, attrs):
        captcha = attrs['id']  # Note that this already is the Captcha object
        if not captcha.verify(attrs['solution']):
            raise serializers.ValidationError('CAPTCHA could not be validated. Please obtain a new one and try again.')

        return attrs


class TokenSerializer(serializers.ModelSerializer):
    allowed_subnets = serializers.ListField(child=netfields_rf.CidrAddressField(), required=False)
    token = serializers.ReadOnlyField(source='plain')
    is_valid = serializers.ReadOnlyField()

    class Meta:
        model = models.Token
        fields = ('id', 'created', 'last_used', 'max_age', 'max_unused_period', 'name', 'perm_manage_tokens',
                  'allowed_subnets', 'is_valid', 'token',)
        read_only_fields = ('id', 'created', 'last_used', 'token')

    def __init__(self, *args, include_plain=False, **kwargs):
        self.include_plain = include_plain
        return super().__init__(*args, **kwargs)

    def get_fields(self):
        fields = super().get_fields()
        if not self.include_plain:
            fields.pop('token')
        return fields


class DomainSlugRelatedField(serializers.SlugRelatedField):

    def get_queryset(self):
        return self.context['request'].user.domains


class TokenDomainPolicySerializer(serializers.ModelSerializer):
    domain = DomainSlugRelatedField(allow_null=True, slug_field='name')

    class Meta:
        model = models.TokenDomainPolicy
        fields = ('domain', 'perm_dyndns', 'perm_rrsets',)

    def to_internal_value(self, data):
        return {**super().to_internal_value(data),
                'token': self.context['request'].user.token_set.get(id=self.context['view'].kwargs['token_id'])}

    def save(self, **kwargs):
        try:
            return super().save(**kwargs)
        except django.core.exceptions.ValidationError as exc:
            raise serializers.ValidationError(exc.message_dict, code='precedence')


class Validator:

    message = 'This field did not pass validation.'

    def __init__(self, message=None):
        self.field_name = None
        self.message = message or self.message
        self.instance = None

    def __call__(self, value):
        raise NotImplementedError

    def __repr__(self):
        return '<%s>' % self.__class__.__name__


class ReadOnlyOnUpdateValidator(Validator):

    message = 'Can only be written on create.'
    requires_context = True

    def __call__(self, value, serializer_field):
        field_name = serializer_field.source_attrs[-1]
        instance = getattr(serializer_field.parent, 'instance', None)
        if isinstance(instance, Model) and value != getattr(instance, field_name):
            raise serializers.ValidationError(self.message, code='read-only-on-update')


class ConditionalExistenceModelSerializer(serializers.ModelSerializer):
    """
    Only considers data with certain condition as existing data.
    If the existence condition does not hold, given instances are deleted, and no new instances are created,
    respectively. Also, to_representation and data will return None.
    Contrary, if the existence condition holds, the behavior is the same as DRF's ModelSerializer.
    """

    def exists(self, arg):
        """
        Determine if arg is to be considered existing.
        :param arg: Either a model instance or (possibly invalid!) data object.
        :return: Whether we treat this as non-existing instance.
        """
        raise NotImplementedError

    def to_representation(self, instance):
        return None if not self.exists(instance) else super().to_representation(instance)

    @property
    def data(self):
        try:
            return super().data
        except TypeError:
            return None

    def save(self, **kwargs):
        validated_data = {}
        validated_data.update(self.validated_data)
        validated_data.update(kwargs)

        known_instance = self.instance is not None
        data_exists = self.exists(validated_data)

        if known_instance and data_exists:
            self.instance = self.update(self.instance, validated_data)
        elif known_instance and not data_exists:
            self.delete()
        elif not known_instance and data_exists:
            self.instance = self.create(validated_data)
        elif not known_instance and not data_exists:
            pass  # nothing to do

        return self.instance

    def delete(self):
        self.instance.delete()


class NonBulkOnlyDefault:
    """
    This class may be used to provide default values that are only used
    for non-bulk operations, but that do not return any value for bulk
    operations.
    Implementation inspired by CreateOnlyDefault.
    """
    requires_context = True

    def __init__(self, default):
        self.default = default

    def __call__(self, serializer_field):
        is_many = getattr(serializer_field.root, 'many', False)
        if is_many:
            raise serializers.SkipField()
        if callable(self.default):
            if getattr(self.default, 'requires_context', False):
                return self.default(serializer_field)
            else:
                return self.default()
        return self.default

    def __repr__(self):
        return '%s(%s)' % (self.__class__.__name__, repr(self.default))


class RRSerializer(serializers.ModelSerializer):

    class Meta:
        model = models.RR
        fields = ('content',)

    def to_internal_value(self, data):
        if not isinstance(data, str):
            raise serializers.ValidationError('Must be a string.', code='must-be-a-string')
        return super().to_internal_value({'content': data})

    def to_representation(self, instance):
        return instance.content


class RRsetListSerializer(serializers.ListSerializer):
    default_error_messages = {
        **serializers.Serializer.default_error_messages,
        **serializers.ListSerializer.default_error_messages,
        **{'not_a_list': 'Expected a list of items but got {input_type}.'},
    }

    @staticmethod
    def _key(data_item):
        return data_item.get('subname'), data_item.get('type')

    @staticmethod
    def _types_by_position_string(conflicting_indices_by_type):
        types_by_position = {}
        for type_, conflict_positions in conflicting_indices_by_type.items():
            for position in conflict_positions:
                types_by_position.setdefault(position, []).append(type_)
        # Sort by position, None at the end
        types_by_position = dict(sorted(types_by_position.items(), key=lambda x: (x[0] is None, x)))
        db_conflicts = types_by_position.pop(None, None)
        if db_conflicts: types_by_position['database'] = db_conflicts
        for position, types in types_by_position.items():
            types_by_position[position] = ', '.join(sorted(types))
        types_by_position = [f'{position} ({types})' for position, types in types_by_position.items()]
        return ', '.join(types_by_position)

    def to_internal_value(self, data):
        if not isinstance(data, list):
            message = self.error_messages['not_a_list'].format(input_type=type(data).__name__)
            raise serializers.ValidationError({api_settings.NON_FIELD_ERRORS_KEY: [message]}, code='not_a_list')

        if not self.allow_empty and len(data) == 0:
            if self.parent and self.partial:
                raise serializers.SkipField()
            else:
                self.fail('empty')

        partial = self.partial

        # build look-up objects for instances and data, so we can look them up with their keys
        try:
            known_instances = {(x.subname, x.type): x for x in self.instance}
        except TypeError:  # in case self.instance is None (as during POST)
            known_instances = {}

        errors = [{} for _ in data]
        indices = {}
        for idx, item in enumerate(data):
            # Validate data types before using anything from it
            if not isinstance(item, dict):
                errors[idx].update(non_field_errors=f"Expected a dictionary, but got {type(item).__name__}.")
                continue
            s, t = self._key(item)  # subname, type
            if not (isinstance(s, str) or s is None):
                errors[idx].update(subname=f"Expected a string, but got {type(s).__name__}.")
            if not (isinstance(t, str) or t is None):
                errors[idx].update(type=f"Expected a string, but got {type(t).__name__}.")
            if errors[idx]:
                continue

            # Construct an index of the RRsets in `data` by `s` and `t`. As (subname, type) may be given multiple times
            # (although invalid), we make indices[s][t] a set to properly keep track. We also check and record RRsets
            # which are known in the database (once per subname), using index `None` (for checking CNAME exclusivity).
            if s not in indices:
                types = self.child.domain.rrset_set.filter(subname=s).values_list('type', flat=True)
                indices[s] = {type_: {None} for type_ in types}
            items = indices[s].setdefault(t, set())
            items.add(idx)

        collapsed_indices = copy.deepcopy(indices)
        for idx, item in enumerate(data):
            if errors[idx]:
                continue
            if item.get('records') == []:
                s, t = self._key(item)
                collapsed_indices[s][t] -= {idx, None}

        # Iterate over all rows in the data given
        ret = []
        for idx, item in enumerate(data):
            if errors[idx]:
                continue
            try:
                # see if other rows have the same key
                s, t = self._key(item)
                data_indices = indices[s][t] - {None}
                if len(data_indices) > 1:
                    raise serializers.ValidationError({
                        'non_field_errors': [
                            'Same subname and type as in position(s) %s, but must be unique.' %
                            ', '.join(map(str, data_indices - {idx}))
                        ]
                    })

                # see if other rows violate CNAME exclusivity
                if item.get('records') != []:
                    conflicting_indices_by_type = {k: v for k, v in collapsed_indices[s].items()
                                                   if (k == 'CNAME') != (t == 'CNAME')}
                    if any(conflicting_indices_by_type.values()):
                        types_by_position = self._types_by_position_string(conflicting_indices_by_type)
                        raise serializers.ValidationError({
                            'non_field_errors': [
                                f'RRset with conflicting type present: {types_by_position}.'
                                ' (No other RRsets are allowed alongside CNAME.)'
                            ]
                        })

                # determine if this is a partial update (i.e. PATCH):
                # we allow partial update if a partial update method (i.e. PATCH) is used, as indicated by self.partial,
                # and if this is not actually a create request because it is unknown and nonempty
                unknown = self._key(item) not in known_instances.keys()
                nonempty = item.get('records', None) != []
                self.partial = partial and not (unknown and nonempty)
                self.child.instance = known_instances.get(self._key(item), None)

                # with partial value and instance in place, let the validation begin!
                validated = self.child.run_validation(item)
            except serializers.ValidationError as exc:
                errors[idx].update(exc.detail)
            else:
                ret.append(validated)

        self.partial = partial

        if any(errors):
            raise serializers.ValidationError(errors)

        return ret

    def update(self, instance, validated_data):
        """
        Creates, updates and deletes RRsets according to the validated_data given. Relevant instances must be passed as
        a queryset in the `instance` argument.

        RRsets that appear in `instance` are considered "known", other RRsets are considered "unknown". RRsets that
        appear in `validated_data` with records == [] are considered empty, otherwise non-empty.

        The update proceeds as follows:
        1. All unknown, non-empty RRsets are created.
        2. All known, non-empty RRsets are updated.
        3. All known, empty RRsets are deleted.
        4. Unknown, empty RRsets will not cause any action.

        Rationale:
        As both "known"/"unknown" and "empty"/"non-empty" are binary partitions on `everything`, the combination of
        both partitions `everything` in four disjoint subsets. Hence, every RRset in `everything` is taken care of.

                   empty   |  non-empty
        ------- | -------- | -----------
        known   |  delete  |   update
        unknown |  no-op   |   create

        :param instance: QuerySet of relevant RRset objects, i.e. the Django.Model subclass instances. Relevant are all
        instances that are referenced in `validated_data`. If a referenced RRset is missing from instances, it will be
        considered unknown and hence be created. This may cause a database integrity error. If an RRset is given, but
        not relevant (i.e. not referred to by `validated_data`), a ValueError will be raised.
        :param validated_data: List of RRset data objects, i.e. dictionaries.
        :return: List of RRset objects (Django.Model subclass) that have been created or updated.
        """
        def is_empty(data_item):
            return data_item.get('records', None) == []

        query = Q(pk__in=[])  # start out with an always empty query, see https://stackoverflow.com/q/35893867/6867099
        for item in validated_data:
            query |= Q(type=item['type'], subname=item['subname'])  # validation has ensured these fields exist
        instance = instance.filter(query)

        instance_index = {(rrset.subname, rrset.type): rrset for rrset in instance}
        data_index = {self._key(data): data for data in validated_data}

        if data_index.keys() | instance_index.keys() != data_index.keys():
            raise ValueError('Given set of known RRsets (`instance`) is not a subset of RRsets referred to in'
                             ' `validated_data`. While this would produce a correct result, this is illegal due to its'
                             ' inefficiency.')

        everything = instance_index.keys() | data_index.keys()
        known = instance_index.keys()
        unknown = everything - known
        # noinspection PyShadowingNames
        empty = {self._key(data) for data in validated_data if is_empty(data)}
        nonempty = everything - empty

        # noinspection PyUnusedLocal
        noop = unknown & empty
        created = unknown & nonempty
        updated = known & nonempty
        deleted = known & empty

        ret = []

        # The above algorithm makes sure that created, updated, and deleted are disjoint. Thus, no "override cases"
        # (such as: an RRset should be updated and delete, what should be applied last?) need to be considered.
        # We apply deletion first to get any possible CNAME exclusivity collisions out of the way.
        for subname, type_ in deleted:
            instance_index[(subname, type_)].delete()

        for subname, type_ in created:
            ret.append(self.child.create(
                validated_data=data_index[(subname, type_)]
            ))

        for subname, type_ in updated:
            ret.append(self.child.update(
                instance=instance_index[(subname, type_)],
                validated_data=data_index[(subname, type_)]
            ))

        return ret

    def save(self, **kwargs):
        kwargs.setdefault('domain', self.child.domain)
        return super().save(**kwargs)


class RRsetSerializer(ConditionalExistenceModelSerializer):
    domain = serializers.SlugRelatedField(read_only=True, slug_field='name')
    records = RRSerializer(many=True)
    ttl = serializers.IntegerField(max_value=settings.MAXIMUM_TTL)

    class Meta:
        model = models.RRset
        fields = ('created', 'domain', 'subname', 'name', 'records', 'ttl', 'type', 'touched',)
        extra_kwargs = {
            'subname': {'required': False, 'default': NonBulkOnlyDefault('')}
        }
        list_serializer_class = RRsetListSerializer

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        try:
            self.domain = self.context['domain']
        except KeyError:
            raise ValueError('RRsetSerializer() must be given a domain object (to validate uniqueness constraints).')
        self.minimum_ttl = self.context.get('minimum_ttl', self.domain.minimum_ttl)

    def get_fields(self):
        fields = super().get_fields()
        fields['subname'].validators.append(ReadOnlyOnUpdateValidator())
        fields['type'].validators.append(ReadOnlyOnUpdateValidator())
        fields['ttl'].validators.append(MinValueValidator(limit_value=self.minimum_ttl))
        return fields

    def get_validators(self):
        return [
            UniqueTogetherValidator(
                self.domain.rrset_set,
                ('subname', 'type'),
                message='Another RRset with the same subdomain and type exists for this domain.',
            ),
            validators.ExclusionConstraintValidator(
                self.domain.rrset_set,
                ('subname',),
                exclusion_condition=('type', 'CNAME',),
                message='RRset with conflicting type present: database ({types}).'
                        ' (No other RRsets are allowed alongside CNAME.)',
            ),
        ]

    @staticmethod
    def validate_type(value):
        if value not in models.RR_SET_TYPES_MANAGEABLE:
            # user cannot manage this type, let's try to tell her the reason
            if value in models.RR_SET_TYPES_AUTOMATIC:
                raise serializers.ValidationError(f'You cannot tinker with the {value} RR set. It is managed '
                                                  f'automatically.')
            elif value.startswith('TYPE'):
                raise serializers.ValidationError('Generic type format is not supported.')
            else:
                raise serializers.ValidationError(f'The {value} RR set type is currently unsupported.')
        return value

    def validate_records(self, value):
        # `records` is usually allowed to be empty (for idempotent delete), except for POST requests which are intended
        # for RRset creation only. We use the fact that DRF generic views pass the request in the serializer context.
        request = self.context.get('request')
        if request and request.method == 'POST' and not value:
            raise serializers.ValidationError('This field must not be empty when using POST.')
        return value

    def validate_subname(self, value):
        try:
            dns.name.from_text(value, dns.name.from_text(self.domain.name))
        except dns.name.NameTooLong:
            raise serializers.ValidationError(
                'This field combined with the domain name must not exceed 255 characters.', code='name_too_long')
        return value

    def validate(self, attrs):
        if 'records' in attrs:
            try:
                type_ = attrs['type']
            except KeyError:  # on the RRsetDetail endpoint, the type is not in attrs
                type_ = self.instance.type

            try:
                attrs['records'] = [{'content': models.RR.canonical_presentation_format(rr['content'], type_)}
                                    for rr in attrs['records']]
            except ValueError as ex:
                raise serializers.ValidationError(str(ex))

            # There is a 12 byte baseline requirement per record, c.f.
            # https://lists.isc.org/pipermail/bind-users/2008-April/070137.html
            # There also seems to be a 32 byte (?) baseline requirement per RRset, plus the qname length, see
            # https://lists.isc.org/pipermail/bind-users/2008-April/070148.html
            # The binary length of the record depends actually on the type, but it's never longer than vanilla len()
            qname = models.RRset.construct_name(attrs.get('subname', ''), self.domain.name)
            conservative_total_length = 32 + len(qname) + sum(12 + len(rr['content']) for rr in attrs['records'])

            # Add some leeway for RRSIG record (really ~110 bytes) and other data we have not thought of
            conservative_total_length += 256

            excess_length = conservative_total_length - 65535  # max response size
            if excess_length > 0:
                raise serializers.ValidationError(f'Total length of RRset exceeds limit by {excess_length} bytes.',
                                                  code='max_length')

        return attrs

    def exists(self, arg):
        if isinstance(arg, models.RRset):
            return arg.records.exists() if arg.pk else False
        else:
            return bool(arg.get('records')) if 'records' in arg.keys() else True

    def create(self, validated_data):
        rrs_data = validated_data.pop('records')
        rrset = models.RRset.objects.create(**validated_data)
        self._set_all_record_contents(rrset, rrs_data)
        return rrset

    def update(self, instance: models.RRset, validated_data):
        rrs_data = validated_data.pop('records', None)
        if rrs_data is not None:
            self._set_all_record_contents(instance, rrs_data)

        ttl = validated_data.pop('ttl', None)
        if ttl and instance.ttl != ttl:
            instance.ttl = ttl
            instance.save()  # also updates instance.touched
        else:
            # Update instance.touched without triggering post-save signal (no pdns action required)
            models.RRset.objects.filter(pk=instance.pk).update(touched=timezone.now())

        return instance

    def save(self, **kwargs):
        kwargs.setdefault('domain', self.domain)
        return super().save(**kwargs)

    @staticmethod
    def _set_all_record_contents(rrset: models.RRset, rrs):
        """
        Updates this RR set's resource records, discarding any old values.

        :param rrset: the RRset at which we overwrite all RRs
        :param rrs: list of RR representations
        """
        record_contents = [rr['content'] for rr in rrs]
        try:
            rrset.save_records(record_contents)
        except django.core.exceptions.ValidationError as e:
            raise serializers.ValidationError(e.messages, code='record-content')


class DomainSerializer(serializers.ModelSerializer):
    default_error_messages = {
        **serializers.Serializer.default_error_messages,
        'name_unavailable': 'This domain name conflicts with an existing zone, or is disallowed by policy.',
    }
    zonefile = serializers.CharField(write_only=True, required=False, allow_blank=True)

    class Meta:
        model = models.Domain
        fields = ('created', 'published', 'name', 'keys', 'minimum_ttl', 'touched', 'zonefile')
        read_only_fields = ('published', 'minimum_ttl',)
        extra_kwargs = {
            'name': {'trim_whitespace': False},
        }

    def __init__(self, *args, include_keys=False, **kwargs):
        self.include_keys = include_keys
        self.import_zone = None
        super().__init__(*args, **kwargs)

    def get_fields(self):
        fields = super().get_fields()
        if not self.include_keys:
            fields.pop('keys')
        fields['name'].validators.append(ReadOnlyOnUpdateValidator())
        return fields

    def validate_name(self, value):
        if not models.Domain(name=value, owner=self.context['request'].user).is_registrable():
            raise serializers.ValidationError(self.default_error_messages['name_unavailable'], code='name_unavailable')
        return value

    def parse_zonefile(self, domain_name: str, zonefile: str):
        try:
            self.import_zone = dns.zone.from_text(
                zonefile,
                origin=dns.name.from_text(domain_name),
                allow_include=False,
                check_origin=False,
                relativize=False,
            )
        except dns.zonefile.CNAMEAndOtherData:
            raise serializers.ValidationError(
                {'zonefile': ['No other records with the same name are allowed alongside a CNAME record.']})
        except ValueError as e:
            if 'has non-origin SOA' in str(e):
                raise serializers.ValidationError(
                    {'zonefile': [f'Zonefile includes an SOA record for a name different from {domain_name}.']})
            raise e
        except dns.exception.SyntaxError as e:
            try:
                line = str(e).split(':')[1]
                raise serializers.ValidationError({'zonefile': [f'Zonefile contains syntax error in line {line}.']})
            except IndexError:
                raise serializers.ValidationError({'zonefile': [f'Could not parse zonefile: {str(e)}']})

    def validate(self, attrs):
        if attrs.get('zonefile') is not None:
            self.parse_zonefile(attrs.get('name'), attrs.pop('zonefile'))
        return super().validate(attrs)

    def create(self, validated_data):
        # save domain
        if 'minimum_ttl' not in validated_data and models.Domain(name=validated_data['name']).is_locally_registrable:
            validated_data.update(minimum_ttl=60)
        domain: models.Domain = super().create(validated_data)

        # save RRsets if zonefile was given
        nodes = getattr(self.import_zone, 'nodes', None)
        if nodes:
            zone_name = dns.name.from_text(validated_data['name'])
            min_ttl, max_ttl = domain.minimum_ttl, settings.MAXIMUM_TTL
            data = [
                {
                    'type': dns.rdatatype.to_text(rrset.rdtype),
                    'ttl': max(min_ttl, min(max_ttl, rrset.ttl)),
                    'subname': (owner_name - zone_name).to_text() if owner_name - zone_name != dns.name.empty else '',
                    'records': [rr.to_text() for rr in rrset],
                }
                for owner_name, node in nodes.items()
                for rrset in node.rdatasets
                if (
                    dns.rdatatype.to_text(rrset.rdtype) not in (
                        models.RR_SET_TYPES_AUTOMATIC |  # do not import automatically managed record types
                        {'CDS', 'CDNSKEY', 'DNSKEY'}  # do not import these, as this would likely be unexpected
                    )
                    and not (owner_name - zone_name == dns.name.empty and rrset.rdtype == dns.rdatatype.NS)  # ignore apex NS
                )
            ]

            rrset_list_serializer = RRsetSerializer(data=data, context=dict(domain=domain), many=True)
            # The following line raises if data passed validation by dnspython during zone file parsing,
            # but is rejected by validation in RRsetSerializer. See also
            # test_create_domain_zonefile_import_validation
            try:
                rrset_list_serializer.is_valid(raise_exception=True)
            except serializers.ValidationError as e:
                if isinstance(e.detail, serializers.ReturnList):
                    # match the order of error messages with the RRsets provided to the
                    # serializer to make sense to the client
                    def fqdn(idx): return (data[idx]['subname'] + "." + domain.name).lstrip('.')
                    raise serializers.ValidationError({
                        'zonefile': [
                            f"{fqdn(idx)}/{data[idx]['type']}: {err}"
                            for idx, d in enumerate(e.detail)
                            for _, errs in d.items()
                            for err in errs
                        ]
                    })

                raise e

            rrset_list_serializer.save()

        return domain


class DonationSerializer(serializers.ModelSerializer):

    class Meta:
        model = models.Donation
        fields = ('name', 'iban', 'bic', 'amount', 'message', 'email', 'mref', 'interval')
        read_only_fields = ('mref',)
        extra_kwargs = {  # do not return sensitive information
            'iban': {'write_only': True},
            'bic': {'write_only': True},
            'message': {'write_only': True},
        }


    @staticmethod
    def validate_bic(value):
        return re.sub(r'[\s]', '', value)

    @staticmethod
    def validate_iban(value):
        return re.sub(r'[\s]', '', value)

    def create(self, validated_data):
        return self.Meta.model(**validated_data)


class UserSerializer(serializers.ModelSerializer):

    class Meta:
        model = models.User
        fields = ('created', 'email', 'id', 'limit_domains', 'outreach_preference',)
        read_only_fields = ('created', 'email', 'id', 'limit_domains',)

    def validate_password(self, value):
        if value is not None:
            validate_password(value)
        return value

    def create(self, validated_data):
        return models.User.objects.create_user(**validated_data)


class RegisterAccountSerializer(UserSerializer):
    domain = serializers.CharField(required=False, validators=validate_domain_name)
    captcha = CaptchaSolutionSerializer(required=False)

    class Meta:
        model = UserSerializer.Meta.model
        fields = ('email', 'password', 'domain', 'captcha', 'outreach_preference',)
        extra_kwargs = {
            'password': {
                'write_only': True,  # Do not expose password field
                'allow_null': True,
            }
        }

    def validate_domain(self, value):
        serializer = DomainSerializer(data=dict(name=value), context=self.context)
        try:
            serializer.is_valid(raise_exception=True)
        except serializers.ValidationError:
            raise serializers.ValidationError(serializer.default_error_messages['name_unavailable'],
                                              code='name_unavailable')
        return value

    def create(self, validated_data):
        validated_data.pop('domain', None)
        # If validated_data['captcha'] exists, the captcha was also validated, so we can set the user to verified
        if 'captcha' in validated_data:
            validated_data.pop('captcha')
            validated_data['needs_captcha'] = False
        return super().create(validated_data)


class EmailSerializer(serializers.Serializer):
    email = serializers.EmailField()


class EmailPasswordSerializer(EmailSerializer):
    password = serializers.CharField()


class ChangeEmailSerializer(serializers.Serializer):
    new_email = serializers.EmailField()

    def validate_new_email(self, value):
        if value == self.context['request'].user.email:
            raise serializers.ValidationError('Email address unchanged.')
        return value


class ResetPasswordSerializer(EmailSerializer):
    captcha = CaptchaSolutionSerializer(required=True)


class CustomFieldNameUniqueValidator(UniqueValidator):
    """
    Does exactly what rest_framework's UniqueValidator does, however allows to further customize the
    query that is used to determine the uniqueness.
    More specifically, we allow that the field name the value is queried against is passed when initializing
    this validator. (At the time of writing, UniqueValidator insists that the field's name is used for the
    database query field; only how the lookup must match is allowed to be changed.)
    """

    def __init__(self, queryset, message=None, lookup='exact', lookup_field=None):
        self.lookup_field = lookup_field
        super().__init__(queryset, message, lookup)

    def filter_queryset(self, value, queryset, field_name):
        """
        Filter the queryset to all instances matching the given value on the specified lookup field.
        """
        filter_kwargs = {'%s__%s' % (self.lookup_field or field_name, self.lookup): value}
        return qs_filter(queryset, **filter_kwargs)


class AuthenticatedActionSerializer(serializers.ModelSerializer):
    state = serializers.CharField()  # serializer read-write, but model read-only field
    validity_period = settings.VALIDITY_PERIOD_VERIFICATION_SIGNATURE

    _crypto_context = 'desecapi.serializers.AuthenticatedActionSerializer'
    timestamp = None  # is set to the code's timestamp during validation

    class Meta:
        model = models.AuthenticatedAction
        fields = ('state',)

    @classmethod
    def _pack_code(cls, data):
        payload = json.dumps(data).encode()
        code = crypto.encrypt(payload, context=cls._crypto_context).decode()
        return code.rstrip('=')

    @classmethod
    def _unpack_code(cls, code, *, ttl):
        code += -len(code) % 4 * '='
        try:
            timestamp, payload = crypto.decrypt(code.encode(), context=cls._crypto_context, ttl=ttl)
            return timestamp, json.loads(payload.decode())
        except (TypeError, UnicodeDecodeError, UnicodeEncodeError, json.JSONDecodeError, binascii.Error):
            raise ValueError

    def to_representation(self, instance: models.AuthenticatedAction):
        # do the regular business
        data = super().to_representation(instance)

        # encode into single string
        return {'code': self._pack_code(data)}

    def to_internal_value(self, data):
        # Allow injecting validity period from context.  This is used, for example, for authentication, where the code's
        # integrity and timestamp is checked by AuthenticatedBasicUserActionSerializer with validity injected as needed.
        validity_period = self.context.get('validity_period', self.validity_period)
        # calculate code TTL
        try:
            ttl = validity_period.total_seconds()
        except AttributeError:
            ttl = None  # infinite

        # decode from single string
        try:
            self.timestamp, unpacked_data = self._unpack_code(self.context['code'], ttl=ttl)
        except KeyError:
            raise serializers.ValidationError({'code': ['This field is required.']})
        except ValueError:
            if ttl is None:
                msg = 'This code is invalid.'
            else:
                msg = f'This code is invalid, possibly because it expired (validity: {validity_period}).'
            raise serializers.ValidationError({api_settings.NON_FIELD_ERRORS_KEY: msg})

        # add extra fields added by the user, but give precedence to fields unpacked from the code
        data = {**data, **unpacked_data}

        # do the regular business
        return super().to_internal_value(data)

    def act(self):
        self.instance.act()
        return self.instance

    def save(self, **kwargs):
        raise ValueError


class AuthenticatedBasicUserActionMixin():
    def save(self, **kwargs):
        context = {**self.context, 'action_serializer': self}
        return self.action_user.send_email(self.reason, context=context, **kwargs)


class AuthenticatedBasicUserActionSerializer(AuthenticatedBasicUserActionMixin, AuthenticatedActionSerializer):
    user = serializers.PrimaryKeyRelatedField(
        queryset=models.User.objects.all(),
        error_messages={'does_not_exist': 'This user does not exist.'},
        pk_field=serializers.UUIDField()
    )

    reason = None

    class Meta:
        model = models.AuthenticatedBasicUserAction
        fields = AuthenticatedActionSerializer.Meta.fields + ('user',)

    @property
    def action_user(self):
        return self.instance.user

    @classmethod
    def build_and_save(cls, **kwargs):
        action = cls.Meta.model(**kwargs)
        return cls(action).save()


class AuthenticatedBasicUserActionListSerializer(AuthenticatedBasicUserActionMixin, serializers.ListSerializer):

    @property
    def reason(self):
        return self.child.reason

    @property
    def action_user(self):
        user = self.instance[0].user
        if any(instance.user != user for instance in self.instance):
            raise ValueError('Actions must belong to the same user.')
        return user


class AuthenticatedChangeOutreachPreferenceUserActionSerializer(AuthenticatedBasicUserActionSerializer):
    reason = 'change-outreach-preference'
    validity_period = None

    class Meta:
        model = models.AuthenticatedChangeOutreachPreferenceUserAction
        fields = AuthenticatedBasicUserActionSerializer.Meta.fields + ('outreach_preference',)


class AuthenticatedActivateUserActionSerializer(AuthenticatedBasicUserActionSerializer):
    captcha = CaptchaSolutionSerializer(required=False)

    reason = 'activate-account'

    class Meta(AuthenticatedBasicUserActionSerializer.Meta):
        model = models.AuthenticatedActivateUserAction
        fields = AuthenticatedBasicUserActionSerializer.Meta.fields + ('captcha', 'domain',)
        extra_kwargs = {
            'domain': {'default': None, 'allow_null': True}
        }

    def validate(self, attrs):
        try:
            attrs.pop('captcha')  # remove captcha from internal value to avoid passing to Meta.model(**kwargs)
        except KeyError:
            if attrs['user'].needs_captcha:
                raise serializers.ValidationError({'captcha': fields.Field.default_error_messages['required']})
        return attrs


class AuthenticatedChangeEmailUserActionSerializer(AuthenticatedBasicUserActionSerializer):
    new_email = serializers.EmailField(
        validators=[
            CustomFieldNameUniqueValidator(
                queryset=models.User.objects.all(),
                lookup_field='email',
                message='You already have another account with this email address.',
            )
        ],
        required=True,
    )

    reason = 'change-email'

    class Meta(AuthenticatedBasicUserActionSerializer.Meta):
        model = models.AuthenticatedChangeEmailUserAction
        fields = AuthenticatedBasicUserActionSerializer.Meta.fields + ('new_email',)

    def save(self):
        return super().save(recipient=self.instance.new_email)


class AuthenticatedConfirmAccountUserActionSerializer(AuthenticatedBasicUserActionSerializer):
    reason = 'confirm-account'
    validity_period = timedelta(days=14)

    class Meta(AuthenticatedBasicUserActionSerializer.Meta):
        model = models.AuthenticatedNoopUserAction  # confirmation happens during authentication, so nothing left to do


class AuthenticatedResetPasswordUserActionSerializer(AuthenticatedBasicUserActionSerializer):
    new_password = serializers.CharField(write_only=True)

    reason = 'reset-password'

    class Meta(AuthenticatedBasicUserActionSerializer.Meta):
        model = models.AuthenticatedResetPasswordUserAction
        fields = AuthenticatedBasicUserActionSerializer.Meta.fields + ('new_password',)


class AuthenticatedDeleteUserActionSerializer(AuthenticatedBasicUserActionSerializer):
    reason = 'delete-account'

    class Meta(AuthenticatedBasicUserActionSerializer.Meta):
        model = models.AuthenticatedDeleteUserAction


class AuthenticatedDomainBasicUserActionSerializer(AuthenticatedBasicUserActionSerializer):
    domain = serializers.PrimaryKeyRelatedField(
        queryset=models.Domain.objects.all(),
        error_messages={'does_not_exist': 'This domain does not exist.'},
    )

    class Meta:
        model = models.AuthenticatedDomainBasicUserAction
        fields = AuthenticatedBasicUserActionSerializer.Meta.fields + ('domain',)


class AuthenticatedRenewDomainBasicUserActionSerializer(AuthenticatedDomainBasicUserActionSerializer):
    reason = 'renew-domain'
    validity_period = None

    class Meta(AuthenticatedDomainBasicUserActionSerializer.Meta):
        model = models.AuthenticatedRenewDomainBasicUserAction
        list_serializer_class = AuthenticatedBasicUserActionListSerializer