arthexis 0.1.10__py3-none-any.whl → 0.1.12__py3-none-any.whl

core/apps.py

@@ -21,6 +21,7 @@ class CoreConfig(AppConfig):
         from pathlib import Path
 
         from django.conf import settings
+        from django.core.exceptions import ObjectDoesNotExist
         from django.contrib.auth import get_user_model
         from django.db.models.signals import post_migrate
         from django.core.signals import got_request_exception
@@ -39,6 +40,26 @@ class CoreConfig(AppConfig):
         )
         from .admin_history import patch_admin_history
 
+        from django_otp.plugins.otp_totp.models import TOTPDevice as OTP_TOTPDevice
+
+        if not hasattr(
+            OTP_TOTPDevice._read_str_from_settings, "_core_totp_issuer_patch"
+        ):
+            original_read_str = OTP_TOTPDevice._read_str_from_settings
+
+            def _core_totp_read_str(self, key):
+                if key == "OTP_TOTP_ISSUER":
+                    try:
+                        settings_obj = self.custom_settings
+                    except ObjectDoesNotExist:
+                        settings_obj = None
+                    if settings_obj and settings_obj.issuer:
+                        return settings_obj.issuer
+                return original_read_str(self, key)
+
+            _core_totp_read_str._core_totp_issuer_patch = True
+            OTP_TOTPDevice._read_str_from_settings = _core_totp_read_str
+
         def create_default_arthexis(**kwargs):
             User = get_user_model()
             if not User.all_objects.exists():
@@ -104,8 +125,11 @@ class CoreConfig(AppConfig):
 
         lock = Path(settings.BASE_DIR) / "locks" / "celery.lck"
 
+        from django.db.backends.signals import connection_created
+
         if lock.exists():
             from .auto_upgrade import ensure_auto_upgrade_periodic_task
+            from django.db import DEFAULT_DB_ALIAS, connections
 
             def ensure_email_collector_task(**kwargs):
                 try:  # pragma: no cover - optional dependency
@@ -133,9 +157,31 @@ class CoreConfig(AppConfig):
 
             post_migrate.connect(ensure_email_collector_task, sender=self)
             post_migrate.connect(ensure_auto_upgrade_periodic_task, sender=self)
-            ensure_auto_upgrade_periodic_task()
 
-        from django.db.backends.signals import connection_created
+            auto_upgrade_dispatch_uid = "core.apps.ensure_auto_upgrade_periodic_task"
+
+            def ensure_auto_upgrade_on_connection(**kwargs):
+                connection = kwargs.get("connection")
+                if connection is not None and connection.alias != "default":
+                    return
+
+                try:
+                    ensure_auto_upgrade_periodic_task()
+                finally:
+                    connection_created.disconnect(
+                        receiver=ensure_auto_upgrade_on_connection,
+                        dispatch_uid=auto_upgrade_dispatch_uid,
+                    )
+
+            connection_created.connect(
+                ensure_auto_upgrade_on_connection,
+                dispatch_uid=auto_upgrade_dispatch_uid,
+                weak=False,
+            )
+
+            default_connection = connections[DEFAULT_DB_ALIAS]
+            if default_connection.connection is not None:
+                ensure_auto_upgrade_on_connection(connection=default_connection)
 
         def enable_sqlite_wal(**kwargs):
             connection = kwargs.get("connection")

core/backends.py

@@ -12,6 +12,7 @@ from django.http.request import split_domain_port
 from django_otp.plugins.otp_totp.models import TOTPDevice
 
 from .models import EnergyAccount
+from . import temp_passwords
 
 
 TOTP_DEVICE_NAME = "authenticator"
@@ -196,3 +197,40 @@ class LocalhostAdminBackend(ModelBackend):
             return User.all_objects.get(pk=user_id)
         except User.DoesNotExist:
             return None
+
+
+class TempPasswordBackend(ModelBackend):
+    """Authenticate using a temporary password stored in a lockfile."""
+
+    def authenticate(self, request, username=None, password=None, **kwargs):
+        if not username or not password:
+            return None
+
+        UserModel = get_user_model()
+        manager = getattr(UserModel, "all_objects", UserModel._default_manager)
+        try:
+            user = manager.get_by_natural_key(username)
+        except UserModel.DoesNotExist:
+            return None
+
+        entry = temp_passwords.load_temp_password(user.username)
+        if entry is None:
+            return None
+        if entry.is_expired:
+            temp_passwords.discard_temp_password(user.username)
+            return None
+        if not entry.check_password(password):
+            return None
+
+        if not user.is_active:
+            user.is_active = True
+            user.save(update_fields=["is_active"])
+        return user
+
+    def get_user(self, user_id):
+        UserModel = get_user_model()
+        manager = getattr(UserModel, "all_objects", UserModel._default_manager)
+        try:
+            return manager.get(pk=user_id)
+        except UserModel.DoesNotExist:
+            return None

core/environment.py

@@ -9,22 +9,35 @@ from django.urls import path
 from django.utils.translation import gettext_lazy as _
 
 
-def _environment_view(request):
-    env_vars = sorted(os.environ.items())
-    django_settings = sorted(
+def _get_django_settings():
+    return sorted(
         [(name, getattr(settings, name)) for name in dir(settings) if name.isupper()]
     )
+
+
+def _environment_view(request):
+    env_vars = sorted(os.environ.items())
     context = admin.site.each_context(request)
     context.update(
         {
-            "title": _("Environment"),
+            "title": _("Environ"),
             "env_vars": env_vars,
-            "django_settings": django_settings,
         }
     )
     return TemplateResponse(request, "admin/environment.html", context)
 
 
+def _config_view(request):
+    context = admin.site.each_context(request)
+    context.update(
+        {
+            "title": _("Config"),
+            "django_settings": _get_django_settings(),
+        }
+    )
+    return TemplateResponse(request, "admin/config.html", context)
+
+
 def patch_admin_environment_view() -> None:
     """Add custom admin view for environment information."""
     original_get_urls = admin.site.get_urls
@@ -37,6 +50,11 @@ def patch_admin_environment_view() -> None:
                 admin.site.admin_view(_environment_view),
                 name="environment",
             ),
+            path(
+                "config/",
+                admin.site.admin_view(_config_view),
+                name="config",
+            ),
         ]
         return custom + urls
 

core/mailer.py

@@ -61,7 +61,9 @@ def can_send_email() -> bool:
 
     from nodes.models import EmailOutbox  # imported lazily to avoid circular deps
 
-    has_outbox = EmailOutbox.objects.exclude(host="").exists()
+    has_outbox = (
+        EmailOutbox.objects.filter(is_enabled=True).exclude(host="").exists()
+    )
     if has_outbox:
         return True
 

core/models.py

@@ -14,6 +14,7 @@ from django.core.exceptions import ValidationError
 from django.apps import apps
 from django.db.models.signals import m2m_changed, post_delete, post_save
 from django.dispatch import receiver
+from django.views.decorators.debug import sensitive_variables
 from datetime import time as datetime_time, timedelta
 from django.contrib.contenttypes.models import ContentType
 import hashlib
@@ -38,6 +39,7 @@ xmlrpc_client = defused_xmlrpc.xmlrpc_client
 
 from .entity import Entity, EntityUserManager, EntityManager
 from .release import Package as ReleasePackage, Credentials, DEFAULT_PACKAGE
+from . import temp_passwords
 from . import user_data  # noqa: F401 - ensure signal registration
 from .fields import (
     SigilShortAutoField,
@@ -160,6 +162,25 @@ class Profile(Entity):
         return str(owner)
 
 
+_SOCIAL_DOMAIN_PATTERN = re.compile(
+    r"^(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
+)
+
+
+social_domain_validator = RegexValidator(
+    regex=_SOCIAL_DOMAIN_PATTERN,
+    message=_("Enter a valid domain name such as example.com."),
+    code="invalid",
+)
+
+
+social_did_validator = RegexValidator(
+    regex=r"^(|did:[a-z0-9]+:[A-Za-z0-9.\-_:]+)$",
+    message=_("Enter a valid DID such as did:plc:1234abcd."),
+    code="invalid",
+)
+
+
 class SigilRootManager(EntityManager):
     def get_by_natural_key(self, prefix: str):
         return self.get(prefix=prefix)
@@ -219,6 +240,13 @@ class InviteLead(Lead):
     sent_on = models.DateTimeField(null=True, blank=True)
     error = models.TextField(blank=True)
     mac_address = models.CharField(max_length=17, blank=True)
+    sent_via_outbox = models.ForeignKey(
+        "nodes.EmailOutbox",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="invite_leads",
+    )
 
     class Meta:
         verbose_name = "Invite Lead"
@@ -303,6 +331,28 @@ class User(Entity, AbstractUser):
     def is_system_username(cls, username):
         return bool(username) and username == cls.SYSTEM_USERNAME
 
+    @sensitive_variables("raw_password")
+    def set_password(self, raw_password):
+        result = super().set_password(raw_password)
+        temp_passwords.discard_temp_password(self.username)
+        return result
+
+    @sensitive_variables("raw_password")
+    def check_password(self, raw_password):
+        if super().check_password(raw_password):
+            return True
+        if raw_password is None:
+            return False
+        entry = temp_passwords.load_temp_password(self.username)
+        if entry is None:
+            return False
+        if entry.is_expired:
+            temp_passwords.discard_temp_password(self.username)
+            return False
+        if not entry.allow_change:
+            return False
+        return entry.check_password(raw_password)
+
     @classmethod
     def is_profile_restricted_username(cls, username):
         return bool(username) and username in cls.PROFILE_RESTRICTED_USERNAMES
@@ -375,12 +425,16 @@ class User(Entity, AbstractUser):
         )
 
     def _profile_for(self, profile_cls: Type[Profile], user: "User"):
-        profile = profile_cls.objects.filter(user=user).first()
+        queryset = profile_cls.objects.all()
+        if hasattr(profile_cls, "is_enabled"):
+            queryset = queryset.filter(is_enabled=True)
+
+        profile = queryset.filter(user=user).first()
         if profile:
             return profile
         group_ids = list(user.groups.values_list("id", flat=True))
         if group_ids:
-            return profile_cls.objects.filter(group_id__in=group_ids).first()
+            return queryset.filter(group_id__in=group_ids).first()
         return None
 
     def get_profile(self, profile_cls: Type[Profile]):
@@ -434,6 +488,10 @@ class User(Entity, AbstractUser):
     def assistant_profile(self):
         return self._direct_profile("AssistantProfile")
 
+    @property
+    def social_profile(self):
+        return self._direct_profile("SocialProfile")
+
     @property
     def chat_profile(self):
         return self.assistant_profile
@@ -637,13 +695,45 @@ class EmailInbox(Profile):
         except Exception as exc:
             raise ValidationError(str(exc))
 
-    def search_messages(self, subject="", from_address="", body="", limit: int = 10):
+    def search_messages(
+        self,
+        subject="",
+        from_address="",
+        body="",
+        limit: int = 10,
+        use_regular_expressions: bool = False,
+    ):
         """Retrieve up to ``limit`` recent messages matching the filters.
 
-        Parameters are case-insensitive fragments. Results are returned as a list
-        of dictionaries with ``subject``, ``from`` and ``body`` keys.
+        Parameters are case-insensitive fragments by default. When
+        ``use_regular_expressions`` is ``True`` the filters are treated as regular
+        expressions using case-insensitive matching. Results are returned as a
+        list of dictionaries with ``subject``, ``from``, ``body`` and ``date``
+        keys.
         """
 
+        def _compile(pattern: str | None):
+            if not pattern:
+                return None
+            try:
+                return re.compile(pattern, re.IGNORECASE)
+            except re.error as exc:
+                raise ValidationError(str(exc))
+
+        subject_regex = sender_regex = body_regex = None
+        if use_regular_expressions:
+            subject_regex = _compile(subject)
+            sender_regex = _compile(from_address)
+            body_regex = _compile(body)
+
+        def _matches(value: str, needle: str, regex):
+            value = value or ""
+            if regex is not None:
+                return bool(regex.search(value))
+            if not needle:
+                return True
+            return needle.lower() in value.lower()
+
         def _get_body(msg):
             if msg.is_multipart():
                 for part in msg.walk():
@@ -670,28 +760,57 @@ class EmailInbox(Profile):
             )
             conn.login(self.username, self.password)
             conn.select("INBOX")
-            criteria = []
-            if subject:
-                criteria.extend(["SUBJECT", f'"{subject}"'])
-            if from_address:
-                criteria.extend(["FROM", f'"{from_address}"'])
-            if body:
-                criteria.extend(["TEXT", f'"{body}"'])
-            if not criteria:
-                criteria = ["ALL"]
-            typ, data = conn.search(None, *criteria)
-            ids = data[0].split()[-limit:]
+            fetch_limit = limit if not use_regular_expressions else max(limit * 5, limit)
+            if use_regular_expressions:
+                typ, data = conn.search(None, "ALL")
+            else:
+                criteria = []
+                charset = None
+
+                def _append(term: str, value: str):
+                    nonlocal charset
+                    if not value:
+                        return
+                    try:
+                        value.encode("ascii")
+                        encoded_value = value
+                    except UnicodeEncodeError:
+                        charset = charset or "UTF-8"
+                        encoded_value = value.encode("utf-8")
+                    criteria.extend([term, encoded_value])
+
+                _append("SUBJECT", subject)
+                _append("FROM", from_address)
+                _append("TEXT", body)
+
+                if not criteria:
+                    typ, data = conn.search(None, "ALL")
+                else:
+                    typ, data = conn.search(charset, *criteria)
+            ids = data[0].split()[-fetch_limit:]
             messages = []
             for mid in ids:
                 typ, msg_data = conn.fetch(mid, "(RFC822)")
                 msg = email.message_from_bytes(msg_data[0][1])
+                body_text = _get_body(msg)
+                subj_value = msg.get("Subject", "")
+                from_value = msg.get("From", "")
+                if not (
+                    _matches(subj_value, subject, subject_regex)
+                    and _matches(from_value, from_address, sender_regex)
+                    and _matches(body_text, body, body_regex)
+                ):
+                    continue
                 messages.append(
                     {
-                        "subject": msg.get("Subject", ""),
-                        "from": msg.get("From", ""),
-                        "body": _get_body(msg),
+                        "subject": subj_value,
+                        "from": from_value,
+                        "body": body_text,
+                        "date": msg.get("Date", ""),
                     }
                 )
+                if len(messages) >= limit:
+                    break
             conn.logout()
             return list(reversed(messages))
 
@@ -713,25 +832,137 @@ class EmailInbox(Profile):
             subj = msg.get("Subject", "")
             frm = msg.get("From", "")
             body_text = _get_body(msg)
-            if subject and subject.lower() not in subj.lower():
-                continue
-            if from_address and from_address.lower() not in frm.lower():
-                continue
-            if body and body.lower() not in body_text.lower():
+            if not (
+                _matches(subj, subject, subject_regex)
+                and _matches(frm, from_address, sender_regex)
+                and _matches(body_text, body, body_regex)
+            ):
                 continue
-            messages.append({"subject": subj, "from": frm, "body": body_text})
+            messages.append(
+                {
+                    "subject": subj,
+                    "from": frm,
+                    "body": body_text,
+                    "date": msg.get("Date", ""),
+                }
+            )
             if len(messages) >= limit:
                 break
         conn.quit()
         return messages
 
     def __str__(self):  # pragma: no cover - simple representation
-        return f"{self.username}@{self.host}"
+        username = (self.username or "").strip()
+        host = (self.host or "").strip()
+
+        if username:
+            if "@" in username:
+                return username
+            if host:
+                return f"{username}@{host}"
+            return username
+
+        if host:
+            return host
+
+        owner = self.owner_display()
+        if owner:
+            return owner
+
+        return super().__str__()
+
+
+class SocialProfile(Profile):
+    """Store configuration required to link social accounts such as Bluesky."""
+
+    class Network(models.TextChoices):
+        BLUESKY = "bluesky", _("Bluesky")
+
+    profile_fields = ("handle", "domain", "did")
+
+    network = models.CharField(
+        max_length=32,
+        choices=Network.choices,
+        default=Network.BLUESKY,
+        help_text=_(
+            "Select the social network you want to connect. Only Bluesky is supported at the moment."
+        ),
+    )
+    handle = models.CharField(
+        max_length=253,
+        help_text=_(
+            "Bluesky handle that should resolve to Arthexis. Use the verified domain (for example arthexis.com)."
+        ),
+        validators=[social_domain_validator],
+    )
+    domain = models.CharField(
+        max_length=253,
+        help_text=_(
+            "Domain that hosts the Bluesky verification. Publish a _atproto TXT record or a /.well-known/atproto-did file with the DID below."
+        ),
+        validators=[social_domain_validator],
+    )
+    did = models.CharField(
+        max_length=255,
+        blank=True,
+        help_text=_(
+            "Optional DID that Bluesky assigns once the domain is linked (for example did:plc:1234abcd)."
+        ),
+        validators=[social_did_validator],
+    )
+
+    def clean(self):
+        super().clean()
+        if self.network == self.Network.BLUESKY:
+            errors = {}
+            if not self.handle:
+                errors["handle"] = _("Provide the handle that should point to this domain.")
+            if not self.domain:
+                errors["domain"] = _("A verified domain is required for Bluesky handles.")
+            if errors:
+                raise ValidationError(errors)
+
+    def save(self, *args, **kwargs):
+        if self.handle:
+            self.handle = self.handle.strip().lower()
+        if self.domain:
+            self.domain = self.domain.strip().lower()
+        super().save(*args, **kwargs)
+
+    def __str__(self):  # pragma: no cover - simple representation
+        handle = self.handle or self.domain
+        label = f"{self.get_network_display()} ({handle})" if handle else self.get_network_display()
+        owner = self.owner_display()
+        return f"{owner} – {label}" if owner else label
+
+    class Meta:
+        verbose_name = _("Social Identity")
+        verbose_name_plural = _("Social Identities")
+        constraints = [
+            models.UniqueConstraint(
+                fields=["network", "handle"], name="socialprofile_network_handle"
+            ),
+            models.UniqueConstraint(
+                fields=["network", "domain"], name="socialprofile_network_domain"
+            ),
+            models.CheckConstraint(
+                check=(
+                    (Q(user__isnull=False) & Q(group__isnull=True))
+                    | (Q(user__isnull=True) & Q(group__isnull=False))
+                ),
+                name="socialprofile_requires_owner",
+            ),
+        ]
 
 
 class EmailCollector(Entity):
     """Search an inbox for matching messages and extract data via sigils."""
 
+    name = models.CharField(
+        max_length=255,
+        blank=True,
+        help_text="Optional label to identify this collector.",
+    )
     inbox = models.ForeignKey(
         "EmailInbox",
         related_name="collectors",
@@ -745,6 +976,10 @@ class EmailCollector(Entity):
         blank=True,
         help_text="Pattern with [sigils] to extract values from the body.",
     )
+    use_regular_expressions = models.BooleanField(
+        default=False,
+        help_text="Treat subject, sender and body filters as regular expressions (case-insensitive).",
+    )
 
     def _parse_sigils(self, text: str) -> dict[str, str]:
         """Extract values from ``text`` according to ``fragment`` sigils."""
@@ -764,16 +999,32 @@ class EmailCollector(Entity):
             return {}
         return {k: v.strip() for k, v in match.groupdict().items()}
 
-    def collect(self, limit: int = 10) -> None:
-        """Poll the inbox and store new artifacts until an existing one is found."""
-        from .models import EmailArtifact
-
-        messages = self.inbox.search_messages(
+    def __str__(self):  # pragma: no cover - simple representation
+        if self.name:
+            return self.name
+        parts = []
+        if self.subject:
+            parts.append(self.subject)
+        if self.sender:
+            parts.append(self.sender)
+        if not parts:
+            parts.append(str(self.inbox))
+        return " – ".join(parts)
+
+    def search_messages(self, limit: int = 10):
+        return self.inbox.search_messages(
             subject=self.subject,
             from_address=self.sender,
             body=self.body,
             limit=limit,
+            use_regular_expressions=self.use_regular_expressions,
         )
+
+    def collect(self, limit: int = 10) -> None:
+        """Poll the inbox and store new artifacts until an existing one is found."""
+        from .models import EmailArtifact
+
+        messages = self.search_messages(limit=limit)
         for msg in messages:
             fp = EmailArtifact.fingerprint_for(
                 msg.get("subject", ""), msg.get("from", ""), msg.get("body", "")
@@ -2123,6 +2374,7 @@ class PackageRelease(Entity):
         max_length=40, blank=True, default=revision_utils.get_revision, editable=False
     )
     pypi_url = models.URLField("PyPI URL", blank=True, editable=False)
+    release_on = models.DateTimeField(blank=True, null=True, editable=False)
 
     class Meta:
         verbose_name = "Package Release"
@@ -2398,3 +2650,23 @@ class Todo(Entity):
         if isinstance(field, ConditionTextField):
             return field.evaluate(self)
         return ConditionCheckResult(True, "")
+
+
+class TOTPDeviceSettings(models.Model):
+    """Per-device configuration options for authenticator enrollments."""
+
+    device = models.OneToOneField(
+        "otp_totp.TOTPDevice",
+        on_delete=models.CASCADE,
+        related_name="custom_settings",
+    )
+    issuer = models.CharField(
+        max_length=64,
+        blank=True,
+        default="",
+        help_text=_("Label shown in authenticator apps. Leave blank to use Arthexis."),
+    )
+
+    class Meta:
+        verbose_name = _("Authenticator device settings")
+        verbose_name_plural = _("Authenticator device settings")