[feature] Made RegisteredUser model support multi-tenancy #692

- Updated the RegisteredUser model to support organization-specific records.
- Changed the primary key to UUID and added organization as a nullable ForeignKey.
- Modified related code across the application to handle multiple registered users per organization.
- Updated tests to reflect changes in the RegisteredUser model and ensure proper functionality.
- Added migration scripts to handle the transition from the old model to the new schema.

Closes #692

Author: pandafy

openwisp_radius/admin.py

@@ -3,7 +3,7 @@
 from django import forms
 from django.conf import settings
 from django.contrib import admin, messages
-from django.contrib.admin import ModelAdmin, StackedInline
+from django.contrib.admin import ModelAdmin, StackedInline, TabularInline
 from django.contrib.admin.utils import model_ngettext
 from django.contrib.auth import get_user_model
 from django.core.exceptions import PermissionDenied
@@ -534,11 +534,15 @@ def has_change_permission(self, request, obj=None):
         return False
 
 
-class RegisteredUserInline(StackedInline):
+class RegisteredUserInline(TabularInline):
     model = RegisteredUser
     form = AlwaysHasChangedForm
     extra = 0
-    readonly_fields = ("modified",)
+    readonly_fields = (
+        "organization",
+        "modified",
+    )
+    fields = ("organization", "method", "is_verified", "modified")
 
     def has_delete_permission(self, request, obj=None):
         return False
@@ -549,12 +553,17 @@ def has_delete_permission(self, request, obj=None):
     RadiusUserGroupInline,
     PhoneTokenInline,
 ]
-UserAdmin.list_filter += (RegisteredUserFilter, "registered_user__method")
+UserAdmin.list_filter += (RegisteredUserFilter, "registered_users__method")
 
 
 def get_is_verified(self, obj):
     try:
-        value = "yes" if obj.registered_user.is_verified else "no"
+        if not obj.registered_users.exists():
+            value = "unknown"
+        elif obj.registered_users.filter(is_verified=True).exists():
+            value = "yes"
+        else:
+            value = "no"
     except Exception:
         value = "unknown"
     icon_url = static(f"admin/img/icon-{value}.svg")
@@ -564,7 +573,6 @@ def get_is_verified(self, obj):
 UserAdmin.get_is_verified = get_is_verified
 UserAdmin.get_is_verified.short_description = _("Verified")
 UserAdmin.list_display.insert(3, "get_is_verified")
-UserAdmin.list_select_related = ("registered_user",)
 
 
 class OrganizationRadiusSettingsInline(admin.StackedInline):

openwisp_radius/api/freeradius_views.py

@@ -290,7 +290,7 @@ def get_user(self, request, username, password):
         """
         conditions = self._get_user_query_conditions(request)
         try:
-            user = auth_backend.get_users(username).filter(conditions)[0]
+            user = auth_backend.get_users(username).filter(conditions).distinct()[0]
         except IndexError:
             return None
         # ensure user is member of the authenticated org
@@ -409,8 +409,11 @@ def _get_user_query_conditions(self, request):
         # just ensure user is active
         if not needs_verification:
             return is_active
-        # if identity verification is enabled
-        is_verified = Q(registered_user__is_verified=True)
+        organization_id = request._auth
+        org_or_global = Q(registered_users__organization_id=organization_id) | Q(
+            registered_users__organization__isnull=True
+        )
+        is_verified = Q(registered_users__is_verified=True) & org_or_global
         AUTHORIZE_UNVERIFIED = registration.AUTHORIZE_UNVERIFIED
         # and no method should authorize unverified users
         # ensure user is active AND verified
@@ -420,7 +423,9 @@ def _get_user_query_conditions(self, request):
         # ensure user is active AND
         # (user is verified OR user uses one of these methods)
         else:
-            authorize_unverified = Q(registered_user__method__in=AUTHORIZE_UNVERIFIED)
+            authorize_unverified = (
+                Q(registered_users__method__in=AUTHORIZE_UNVERIFIED) & org_or_global
+            )
             return is_active & (is_verified | authorize_unverified)
 
     def authenticate_user(self, request, user, password):

openwisp_radius/api/serializers.py

@@ -688,9 +688,11 @@ def save(self, request):
         # the custom_signup method contains the openwisp specific logic
         self.custom_signup(request, user)
         # create a RegisteredUser object for every user that registers through API
-        RegisteredUser.objects.create(
+        org = self.context["view"].organization
+        RegisteredUser.objects.get_or_create(
             user=user,
-            method=self.validated_data["method"],
+            organization=org,
+            defaults={"method": self.validated_data["method"]},
         )
         setup_user_email(request, user, [])
         return user
@@ -753,20 +755,23 @@ def save(self):
         # yet, tha will be done by the phone token validation view
         # once the phone number has been validated
         # at this point we flag the user as unverified again
-        self.user.registered_user.is_verified = False
-        self.user.registered_user.save()
+        org = self.context["view"].organization
+        reg_user, _ = RegisteredUser.get_or_create_for_user_and_org(
+            user=self.user,
+            organization=org,
+            defaults={"is_verified": False, "method": ""},
+        )
+        reg_user.is_verified = False
+        reg_user.save()
 
 
 class RadiusUserSerializer(serializers.ModelSerializer):
     """
     Used to return information about the logged in user
     """
 
-    is_verified = serializers.BooleanField(source="registered_user.is_verified")
-    method = serializers.CharField(
-        source="registered_user.method",
-        allow_null=True,
-    )
+    is_verified = serializers.SerializerMethodField()
+    method = serializers.SerializerMethodField()
     password_expired = serializers.BooleanField(source="has_password_expired")
     radius_user_token = serializers.CharField(source="radius_token.key", default=None)
 
@@ -786,3 +791,24 @@ class Meta:
             "password_expired",
             "radius_user_token",
         ]
+
+    def _get_registered_user(self, obj):
+        view = self.context.get("view")
+        organization = getattr(view, "organization", None)
+        org_reg_user = None
+        global_reg_user = None
+        for ru in obj.registered_users.all():
+            if organization and ru.organization_id == organization.pk:
+                org_reg_user = ru
+                break
+            elif ru.organization_id is None:
+                global_reg_user = ru
+        return org_reg_user or global_reg_user
+
+    def get_is_verified(self, obj):
+        reg_user = self._get_registered_user(obj)
+        return reg_user.is_verified if reg_user else None
+
+    def get_method(self, obj):
+        reg_user = self._get_registered_user(obj)
+        return reg_user.method if reg_user else None

openwisp_radius/api/utils.py

@@ -30,8 +30,16 @@ def _needs_identity_verification(self, organization_filter_kwargs={}, org=None):
         except ObjectDoesNotExist:
             return app_settings.NEEDS_IDENTITY_VERIFICATION
 
-    def is_identity_verified_strong(self, user):
-        try:
-            return user.registered_user.is_identity_verified_strong
-        except ObjectDoesNotExist:
+    def is_identity_verified_strong(self, user, organization=None):
+        reg_user = None
+        global_reg_user = None
+        for ru in user.registered_users.all():
+            if organization and ru.organization_id == organization.pk:
+                reg_user = ru
+                break
+            elif ru.organization_id is None:
+                global_reg_user = ru
+        reg_user = reg_user or global_reg_user
+        if reg_user is None:
             return False
+        return reg_user.is_identity_verified_strong

openwisp_radius/api/views.py

@@ -92,6 +92,7 @@
 Organization = swapper.load_model("openwisp_users", "Organization")
 OrganizationUser = swapper.load_model("openwisp_users", "OrganizationUser")
 PhoneToken = load_model("PhoneToken")
+RegisteredUser = load_model("RegisteredUser")
 RadiusAccounting = load_model("RadiusAccounting")
 RadiusToken = load_model("RadiusToken")
 RadiusBatch = load_model("RadiusBatch")
@@ -321,7 +322,7 @@ def post(self, request, *args, **kwargs):
         # If identity verification is required, check if user is verified
         if self._needs_identity_verification(
             {"slug": kwargs["slug"]}
-        ) and not self.is_identity_verified_strong(user):
+        ) and not self.is_identity_verified_strong(user, self.organization):
             status_code = 401
         return Response(response, status=status_code)
 
@@ -337,7 +338,7 @@ def validate_membership(self, user):
             ):
                 if self._needs_identity_verification(
                     org=self.organization
-                ) and not self.is_identity_verified_strong(user):
+                ) and not self.is_identity_verified_strong(user, self.organization):
                     raise PermissionDenied
                 try:
                     org_user = OrganizationUser(
@@ -383,9 +384,15 @@ def post(self, request, *args, **kwargs):
         response = {"response_code": "BLANK_OR_INVALID_TOKEN"}
         if request_token:
             try:
-                token = UserToken.objects.select_related(
-                    "user", "user__registered_user"
-                ).get(key=request_token)
+                token = (
+                    UserToken.objects.select_related(
+                        "user",
+                    )
+                    .prefetch_related(
+                        "user__registered_users",
+                    )
+                    .get(key=request_token)
+                )
             except UserToken.DoesNotExist:
                 pass
             else:
@@ -395,7 +402,7 @@ def post(self, request, *args, **kwargs):
                 )
                 # user may be in the process of changing the phone number
                 # in that case show the new phone number (which is not verified yet)
-                if not self.is_identity_verified_strong(user):
+                if not self.is_identity_verified_strong(user, self.organization):
                     phone_token = (
                         PhoneToken.objects.filter(user=user)
                         .order_by("-created")
@@ -753,8 +760,13 @@ def post(self, request, *args, **kwargs):
         if not is_valid:
             return self._error_response(_("Invalid code."))
         else:
-            user.registered_user.is_verified = True
-            user.registered_user.method = "mobile_phone"
+            reg_user, _ = RegisteredUser.get_or_create_for_user_and_org(
+                user=user,
+                organization=self.organization,
+                defaults={"is_verified": False, "method": ""},
+            )
+            reg_user.is_verified = True
+            reg_user.method = "mobile_phone"
             user.is_active = True
             # Update username if phone_number is used as username
             if user.username == user.phone_number:
@@ -763,7 +775,7 @@ def post(self, request, *args, **kwargs):
             # we can write it to the user field
             user.phone_number = phone_token.phone_number
             user.save()
-            user.registered_user.save()
+            reg_user.save()
             # delete any radius token cache key if present
             cache.delete(f"rt-{phone_token.phone_number}")
             return Response(None, status=200)

openwisp_radius/base/admin_filters.py

@@ -15,7 +15,9 @@ def lookups(self, request, model_admin):
 
     def queryset(self, request, queryset):
         if self.value() == "unknown":
-            return queryset.filter(registered_user__isnull=True)
+            return queryset.filter(registered_users__isnull=True)
         elif self.value():
-            return queryset.filter(registered_user__is_verified=self.value() == "true")
+            return queryset.filter(
+                registered_users__is_verified=self.value() == "true"
+            ).distinct()
         return queryset

openwisp_radius/base/models.py

@@ -4,6 +4,7 @@
 import logging
 import os
 import string
+import uuid
 from datetime import timedelta
 from io import StringIO
 
@@ -1058,7 +1059,11 @@ def save_user(self, user):
         OrganizationUser = swapper.load_model("openwisp_users", "OrganizationUser")
         RegisteredUser = swapper.load_model("openwisp_radius", "RegisteredUser")
         user.save()
-        registered_user = RegisteredUser(user=user, method="manual")
+        registered_user = RegisteredUser(
+            user=user,
+            method="manual",
+            organization=self.organization,
+        )
         if self.organization.radius_settings.needs_identity_verification:
             registered_user.is_verified = True
         registered_user.save()
@@ -1570,14 +1575,12 @@ def is_valid(self, token):
         return self.verified
 
     def _validate_already_verified(self):
-        try:
-            if self.user.registered_user.is_verified:
-                logger.warning(f"User {self.user.pk} is already verified")
-                raise exceptions.UserAlreadyVerified(
-                    _("This user has been already verified.")
-                )
-        except ObjectDoesNotExist:
-            pass
+        RegisteredUser = swapper.load_model("openwisp_radius", "RegisteredUser")
+        if RegisteredUser.objects.filter(user=self.user, is_verified=True).exists():
+            logger.warning(f"User {self.user.pk} is already verified")
+            raise exceptions.UserAlreadyVerified(
+                _("This user has been already verified.")
+            )
 
     def __check(self, token):
         self._validate_already_verified()
@@ -1602,12 +1605,23 @@ def __check(self, token):
         return token == self.token
 
 
-class AbstractRegisteredUser(models.Model):
-    user = models.OneToOneField(
+class AbstractRegisteredUser(UUIDModel):
+    user = models.ForeignKey(
         settings.AUTH_USER_MODEL,
         on_delete=models.CASCADE,
-        related_name="registered_user",
-        primary_key=True,
+        related_name="registered_users",
+    )
+    organization = models.ForeignKey(
+        swapper.get_model_name("openwisp_users", "Organization"),
+        on_delete=models.CASCADE,
+        null=True,
+        blank=True,
+        related_name="registered_users",
+        verbose_name=_("organization"),
+        help_text=(
+            "The organization this registration info belongs to. "
+            "If null, applies to all orgs without specific requirements."
+        ),
     )
     method = models.CharField(
         _("registration method"),
@@ -1649,6 +1663,54 @@ class Meta:
         abstract = True
         verbose_name = _("Registration Information")
         verbose_name_plural = verbose_name
+        constraints = [
+            models.UniqueConstraint(
+                fields=["user", "organization"],
+                name="unique_registered_user_per_org",
+            ),
+            models.UniqueConstraint(
+                fields=["user"],
+                condition=Q(organization__isnull=True),
+                name="unique_global_registered_user",
+            ),
+        ]
+
+    def clean(self):
+        super().clean()
+        Model = self._meta.model
+        qs = Model.objects.filter(user=self.user, organization=self.organization)
+        if self.pk:
+            qs = qs.exclude(pk=self.pk)
+        if qs.exists():
+            raise ValidationError(
+                _("A registration record already exists for this user/organization.")
+            )
+
+    @classmethod
+    def get_for_user_and_org(cls, user, organization):
+        try:
+            return cls.objects.get(user=user, organization=organization)
+        except cls.DoesNotExist:
+            return None
+
+    @classmethod
+    def get_or_create_for_user_and_org(cls, user, organization, defaults=None):
+        defaults = defaults or {}
+        return cls.objects.get_or_create(
+            user=user, organization=organization, defaults=defaults
+        )
+
+    @classmethod
+    def get_global_or_org_specific(cls, user, organization=None):
+        if organization:
+            try:
+                return cls.objects.get(user=user, organization=organization)
+            except cls.DoesNotExist:
+                pass
+        try:
+            return cls.objects.get(user=user, organization__isnull=True)
+        except cls.DoesNotExist:
+            return None
 
     @classmethod
     def unverify_inactive_users(cls):