arthexis 0.1.10__py3-none-any.whl → 0.1.12__py3-none-any.whl

core/temp_passwords.py

@@ -0,0 +1,181 @@
+"""Utilities for temporary password lock files."""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import re
+import secrets
+import string
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+from pathlib import Path
+from typing import Optional
+
+from django.conf import settings
+from django.contrib.auth.hashers import check_password, make_password
+from django.utils import timezone
+from django.utils.dateparse import parse_datetime
+
+
+DEFAULT_PASSWORD_LENGTH = 16
+DEFAULT_EXPIRATION = timedelta(hours=1)
+_SAFE_COMPONENT_RE = re.compile(r"[^A-Za-z0-9_.-]+")
+
+
+def _base_lock_dir() -> Path:
+    """Return the root directory used for temporary password lock files."""
+
+    configured = getattr(settings, "TEMP_PASSWORD_LOCK_DIR", None)
+    if configured:
+        path = Path(configured)
+    else:
+        path = Path(settings.BASE_DIR) / "locks" / "temp-passwords"
+    path.mkdir(parents=True, exist_ok=True)
+    return path
+
+
+def _safe_component(value: str) -> str:
+    """Return a filesystem safe component derived from ``value``."""
+
+    if not value:
+        return ""
+    safe = _SAFE_COMPONENT_RE.sub("_", value)
+    safe = safe.strip("._")
+    return safe[:64]
+
+
+def _lockfile_name(username: str) -> str:
+    """Return the filename used for the provided ``username``."""
+
+    digest = hashlib.sha256(username.encode("utf-8")).hexdigest()[:12]
+    safe = _safe_component(username)
+    if safe:
+        return f"{safe}-{digest}.json"
+    return f"user-{digest}.json"
+
+
+def _lockfile_path(username: str) -> Path:
+    """Return the lockfile path for ``username``."""
+
+    return _base_lock_dir() / _lockfile_name(username)
+
+
+def _parse_timestamp(value: str | None) -> Optional[datetime]:
+    """Return a timezone aware datetime parsed from ``value``."""
+
+    if not value:
+        return None
+    parsed = parse_datetime(value)
+    if parsed is None:
+        return None
+    if timezone.is_naive(parsed):
+        parsed = timezone.make_aware(parsed)
+    return parsed
+
+
+@dataclass(frozen=True)
+class TempPasswordEntry:
+    """Details for a temporary password stored on disk."""
+
+    username: str
+    password_hash: str
+    expires_at: datetime
+    created_at: datetime
+    path: Path
+    allow_change: bool = False
+
+    @property
+    def is_expired(self) -> bool:
+        return timezone.now() >= self.expires_at
+
+    def check_password(self, raw_password: str) -> bool:
+        """Return ``True`` if ``raw_password`` matches this entry."""
+
+        return check_password(raw_password, self.password_hash)
+
+
+def generate_password(length: int = DEFAULT_PASSWORD_LENGTH) -> str:
+    """Return a random password composed of letters and digits."""
+
+    if length <= 0:
+        raise ValueError("length must be a positive integer")
+    alphabet = string.ascii_letters + string.digits
+    return "".join(secrets.choice(alphabet) for _ in range(length))
+
+
+def store_temp_password(
+    username: str,
+    raw_password: str,
+    expires_at: Optional[datetime] = None,
+    *,
+    allow_change: bool = False,
+) -> TempPasswordEntry:
+    """Persist a temporary password for ``username`` and return the entry."""
+
+    if expires_at is None:
+        expires_at = timezone.now() + DEFAULT_EXPIRATION
+    if timezone.is_naive(expires_at):
+        expires_at = timezone.make_aware(expires_at)
+    created_at = timezone.now()
+    path = _lockfile_path(username)
+    data = {
+        "username": username,
+        "password_hash": make_password(raw_password),
+        "expires_at": expires_at.isoformat(),
+        "created_at": created_at.isoformat(),
+        "allow_change": allow_change,
+    }
+    path.write_text(json.dumps(data, indent=2, sort_keys=True))
+    return TempPasswordEntry(
+        username=username,
+        password_hash=data["password_hash"],
+        expires_at=expires_at,
+        created_at=created_at,
+        path=path,
+        allow_change=allow_change,
+    )
+
+
+def load_temp_password(username: str) -> Optional[TempPasswordEntry]:
+    """Return the stored temporary password for ``username``, if any."""
+
+    path = _lockfile_path(username)
+    if not path.exists():
+        return None
+    try:
+        data = json.loads(path.read_text())
+    except (json.JSONDecodeError, UnicodeDecodeError):
+        path.unlink(missing_ok=True)
+        return None
+
+    expires_at = _parse_timestamp(data.get("expires_at"))
+    created_at = _parse_timestamp(data.get("created_at")) or timezone.now()
+    password_hash = data.get("password_hash")
+    if not expires_at or not password_hash:
+        path.unlink(missing_ok=True)
+        return None
+
+    username = data.get("username") or username
+    allow_change_value = data.get("allow_change", False)
+    if isinstance(allow_change_value, str):
+        allow_change = allow_change_value.lower() in {"1", "true", "yes", "on"}
+    else:
+        allow_change = bool(allow_change_value)
+
+    return TempPasswordEntry(
+        username=username,
+        password_hash=password_hash,
+        expires_at=expires_at,
+        created_at=created_at,
+        path=path,
+        allow_change=allow_change,
+    )
+
+
+def discard_temp_password(username: str) -> None:
+    """Remove any stored temporary password for ``username``."""
+
+    path = _lockfile_path(username)
+    path.unlink(missing_ok=True)
+

core/test_system_info.py

@@ -1,3 +1,4 @@
+import json
 import os
 from pathlib import Path
 from subprocess import CompletedProcess
@@ -11,9 +12,9 @@ import django
 django.setup()
 
 from django.conf import settings
-from django.test import SimpleTestCase, TestCase, override_settings
+from django.test import SimpleTestCase, override_settings
 from nodes.models import Node, NodeFeature, NodeRole
-from core.system import _gather_info
+from core.system import _gather_info, get_system_sigil_values
 
 
 class SystemInfoRoleTests(SimpleTestCase):
@@ -55,6 +56,27 @@ class SystemInfoRevisionTests(SimpleTestCase):
         mock_revision.assert_called_once()
 
 
+class SystemInfoDatabaseTests(SimpleTestCase):
+    def test_collects_database_definitions(self):
+        info = _gather_info()
+        self.assertIn("databases", info)
+        aliases = {entry["alias"] for entry in info["databases"]}
+        self.assertIn("default", aliases)
+
+    @override_settings(
+        DATABASES={
+            "default": {
+                "ENGINE": "django.db.backends.sqlite3",
+                "NAME": Path("/tmp/db.sqlite3"),
+            }
+        }
+    )
+    def test_serializes_path_database_names(self):
+        info = _gather_info()
+        databases = info["databases"]
+        self.assertEqual(databases[0]["name"], "/tmp/db.sqlite3")
+
+
 class SystemInfoRunserverDetectionTests(SimpleTestCase):
     @patch("core.system.subprocess.run")
     def test_detects_runserver_process_port(self, mock_run):
@@ -77,3 +99,41 @@ class SystemInfoRunserverDetectionTests(SimpleTestCase):
         self.assertTrue(info["running"])
         self.assertEqual(info["port"], 8000)
 
+
+class SystemSigilValueTests(SimpleTestCase):
+    def test_exports_values_for_sigil_resolution(self):
+        sample_info = {
+            "installed": True,
+            "revision": "abcdef",
+            "service": "gunicorn",
+            "mode": "internal",
+            "port": 8888,
+            "role": "Terminal",
+            "screen_mode": "",
+            "features": [
+                {"display": "Feature", "expected": True, "actual": False, "slug": "feature"}
+            ],
+            "running": True,
+            "service_status": "active",
+            "hostname": "example.local",
+            "ip_addresses": ["127.0.0.1"],
+            "databases": [
+                {
+                    "alias": "default",
+                    "engine": "django.db.backends.sqlite3",
+                    "name": "db.sqlite3",
+                }
+            ],
+        }
+        with patch("core.system._gather_info", return_value=sample_info):
+            values = get_system_sigil_values()
+
+        self.assertEqual(values["REVISION"], "abcdef")
+        self.assertEqual(values["RUNNING"], "True")
+        self.assertEqual(values["NGINX_MODE"], "internal (8888)")
+        self.assertEqual(values["IP_ADDRESSES"], "127.0.0.1")
+        features = json.loads(values["FEATURES"])
+        self.assertEqual(features[0]["display"], "Feature")
+        databases = json.loads(values["DATABASES"])
+        self.assertEqual(databases[0]["alias"], "default")
+

core/tests.py

@@ -15,7 +15,7 @@ from unittest.mock import patch
 from pathlib import Path
 import subprocess
 from glob import glob
-from datetime import timedelta
+from datetime import datetime, timedelta, timezone as datetime_timezone
 import tempfile
 from urllib.parse import quote
 
@@ -770,6 +770,50 @@ class ReleaseProcessTests(TestCase):
         self.assertFalse(proc.stdout.strip())
         self.assertEqual(version_path.read_text(encoding="utf-8"), original)
 
+    @mock.patch("core.views.requests.get")
+    @mock.patch("core.views.release_utils.network_available", return_value=True)
+    @mock.patch("core.views.release_utils._git_clean", return_value=True)
+    def test_step_check_ignores_yanked_release(
+        self, git_clean, network_available, requests_get
+    ):
+        response = mock.Mock()
+        response.ok = True
+        response.json.return_value = {
+            "releases": {
+                "0.1.12": [
+                    {"filename": "pkg.whl", "yanked": True},
+                    {"filename": "pkg.tar.gz", "yanked": True},
+                ]
+            }
+        }
+        requests_get.return_value = response
+        self.release.version = "0.1.12"
+        _step_check_version(self.release, {}, Path("rel.log"))
+        requests_get.assert_called_once()
+
+    @mock.patch("core.views.requests.get")
+    @mock.patch("core.views.release_utils.network_available", return_value=True)
+    @mock.patch("core.views.release_utils._git_clean", return_value=True)
+    def test_step_check_blocks_available_release(
+        self, git_clean, network_available, requests_get
+    ):
+        response = mock.Mock()
+        response.ok = True
+        response.json.return_value = {
+            "releases": {
+                "0.1.12": [
+                    {"filename": "pkg.whl", "yanked": False},
+                    {"filename": "pkg.tar.gz"},
+                ]
+            }
+        }
+        requests_get.return_value = response
+        self.release.version = "0.1.12"
+        with self.assertRaises(Exception) as exc:
+            _step_check_version(self.release, {}, Path("rel.log"))
+        self.assertIn("already on PyPI", str(exc.exception))
+        requests_get.assert_called_once()
+
     @mock.patch("core.models.PackageRelease.dump_fixture")
     def test_save_does_not_dump_fixture(self, dump):
         self.release.pypi_url = "https://example.com"
@@ -831,15 +875,21 @@ class ReleaseProcessTests(TestCase):
         )
         version_path.write_text(original, encoding="utf-8")
 
+    @mock.patch("core.views.timezone.now")
     @mock.patch("core.views.PackageRelease.dump_fixture")
     @mock.patch("core.views.release_utils.publish")
-    def test_publish_sets_pypi_url(self, publish, dump_fixture):
+    def test_publish_sets_pypi_url(self, publish, dump_fixture, now):
+        now.return_value = datetime(2025, 3, 4, 5, 6, tzinfo=datetime_timezone.utc)
         _step_publish(self.release, {}, Path("rel.log"))
         self.release.refresh_from_db()
         self.assertEqual(
             self.release.pypi_url,
             f"https://pypi.org/project/{self.package.name}/{self.release.version}/",
         )
+        self.assertEqual(
+            self.release.release_on,
+            datetime(2025, 3, 4, 5, 6, tzinfo=datetime_timezone.utc),
+        )
         dump_fixture.assert_called_once()
 
     @mock.patch("core.views.PackageRelease.dump_fixture")
@@ -849,8 +899,33 @@ class ReleaseProcessTests(TestCase):
             _step_publish(self.release, {}, Path("rel.log"))
         self.release.refresh_from_db()
         self.assertEqual(self.release.pypi_url, "")
+        self.assertIsNone(self.release.release_on)
         dump_fixture.assert_not_called()
 
+    def test_new_todo_does_not_reset_pending_flow(self):
+        user = User.objects.create_superuser("admin", "admin@example.com", "pw")
+        url = reverse("release-progress", args=[self.release.pk, "publish"])
+        Todo.objects.create(request="Initial checklist item")
+        steps = [("Confirm release TODO completion", core_views._step_check_todos)]
+        with mock.patch("core.views.PUBLISH_STEPS", steps):
+            self.client.force_login(user)
+            response = self.client.get(url)
+            self.assertTrue(response.context["has_pending_todos"])
+            self.client.get(f"{url}?ack_todos=1")
+            self.client.get(f"{url}?start=1")
+            self.client.get(f"{url}?step=0")
+            Todo.objects.create(request="Follow-up checklist item")
+            response = self.client.get(url)
+            self.assertEqual(
+                Todo.objects.filter(is_deleted=False, done_on__isnull=True).count(),
+                1,
+            )
+            self.assertIsNone(response.context["todos"])
+            self.assertFalse(response.context["has_pending_todos"])
+            session = self.client.session
+            ctx = session.get(f"release_publish_{self.release.pk}")
+            self.assertTrue(ctx.get("todos_ack"))
+
     def test_release_progress_uses_lockfile(self):
         run = []
 
@@ -1044,6 +1119,8 @@ class PackageReleaseAdminActionTests(TestCase):
         self.admin = PackageReleaseAdmin(PackageRelease, self.site)
         self.admin.message_user = lambda *args, **kwargs: None
         self.package = Package.objects.create(name="pkg")
+        self.package.is_active = True
+        self.package.save(update_fields=["is_active"])
         self.release = PackageRelease.objects.create(
             package=self.package,
             version="1.0.0",
@@ -1072,11 +1149,64 @@ class PackageReleaseAdminActionTests(TestCase):
     def test_refresh_from_pypi_creates_releases(self, mock_get, dump):
         mock_get.return_value.raise_for_status.return_value = None
         mock_get.return_value.json.return_value = {
-            "releases": {"1.0.0": [], "1.1.0": []}
+            "releases": {
+                "1.0.0": [
+                    {"upload_time_iso_8601": "2024-01-01T12:30:00.000000Z"}
+                ],
+                "1.1.0": [
+                    {"upload_time_iso_8601": "2024-02-02T15:45:00.000000Z"}
+                ],
+            }
         }
         self.admin.refresh_from_pypi(self.request, PackageRelease.objects.none())
         new_release = PackageRelease.objects.get(version="1.1.0")
         self.assertEqual(new_release.revision, "")
+        self.assertEqual(
+            new_release.release_on,
+            datetime(2024, 2, 2, 15, 45, tzinfo=datetime_timezone.utc),
+        )
+        dump.assert_called_once()
+
+    @mock.patch("core.admin.PackageRelease.dump_fixture")
+    @mock.patch("core.admin.requests.get")
+    def test_refresh_from_pypi_updates_release_date(self, mock_get, dump):
+        self.release.release_on = None
+        self.release.save(update_fields=["release_on"])
+        mock_get.return_value.raise_for_status.return_value = None
+        mock_get.return_value.json.return_value = {
+            "releases": {
+                "1.0.0": [
+                    {"upload_time_iso_8601": "2024-01-01T12:30:00.000000Z"}
+                ]
+            }
+        }
+        self.admin.refresh_from_pypi(self.request, PackageRelease.objects.none())
+        self.release.refresh_from_db()
+        self.assertEqual(
+            self.release.release_on,
+            datetime(2024, 1, 1, 12, 30, tzinfo=datetime_timezone.utc),
+        )
+        dump.assert_called_once()
+
+    @mock.patch("core.admin.PackageRelease.dump_fixture")
+    @mock.patch("core.admin.requests.get")
+    def test_refresh_from_pypi_restores_deleted_release(self, mock_get, dump):
+        self.release.is_deleted = True
+        self.release.save(update_fields=["is_deleted"])
+        mock_get.return_value.raise_for_status.return_value = None
+        mock_get.return_value.json.return_value = {
+            "releases": {
+                "1.0.0": [
+                    {"upload_time_iso_8601": "2024-01-01T12:30:00.000000Z"}
+                ]
+            }
+        }
+
+        self.admin.refresh_from_pypi(self.request, PackageRelease.objects.none())
+
+        self.assertTrue(
+            PackageRelease.objects.filter(version="1.0.0").exists()
+        )
         dump.assert_called_once()
 
 
@@ -1283,6 +1413,13 @@ class TodoFocusViewTests(TestCase):
         change_url = reverse("admin:core_todo_change", args=[todo.pk])
         self.assertContains(resp, f'src="{change_url}"')
 
+    def test_focus_view_includes_open_target_button(self):
+        todo = Todo.objects.create(request="Task", url="/docs/")
+        resp = self.client.get(reverse("todo-focus", args=[todo.pk]))
+        self.assertContains(resp, 'class="todo-button todo-button-open"')
+        self.assertContains(resp, 'target="_blank"')
+        self.assertContains(resp, 'href="/docs/"')
+
     def test_focus_view_sanitizes_loopback_absolute_url(self):
         todo = Todo.objects.create(
             request="Task",
@@ -1300,6 +1437,35 @@ class TodoFocusViewTests(TestCase):
         change_url = reverse("admin:core_todo_change", args=[todo.pk])
         self.assertContains(resp, f'src="{change_url}"')
 
+    def test_focus_view_avoids_recursive_focus_url(self):
+        todo = Todo.objects.create(request="Task")
+        focus_url = reverse("todo-focus", args=[todo.pk])
+        Todo.objects.filter(pk=todo.pk).update(url=focus_url)
+        resp = self.client.get(reverse("todo-focus", args=[todo.pk]))
+        change_url = reverse("admin:core_todo_change", args=[todo.pk])
+        self.assertContains(resp, f'src="{change_url}"')
+
+    def test_focus_view_avoids_recursive_focus_absolute_url(self):
+        todo = Todo.objects.create(request="Task")
+        focus_url = reverse("todo-focus", args=[todo.pk])
+        Todo.objects.filter(pk=todo.pk).update(url=f"http://testserver{focus_url}")
+        resp = self.client.get(reverse("todo-focus", args=[todo.pk]))
+        change_url = reverse("admin:core_todo_change", args=[todo.pk])
+        self.assertContains(resp, f'src="{change_url}"')
+
+    def test_focus_view_parses_auth_directives(self):
+        todo = Todo.objects.create(
+            request="Task",
+            url="/docs/?section=chart&_todo_auth=logout&_todo_auth=user:demo&_todo_auth=perm:core.view_user&_todo_auth=extra",
+        )
+        resp = self.client.get(reverse("todo-focus", args=[todo.pk]))
+        self.assertContains(resp, 'src="/docs/?section=chart"')
+        self.assertContains(resp, 'href="/docs/?section=chart"')
+        self.assertContains(resp, "logged out")
+        self.assertContains(resp, "Sign in using: demo")
+        self.assertContains(resp, "Required permissions: core.view_user")
+        self.assertContains(resp, "Additional authentication notes: extra")
+
     def test_focus_view_redirects_if_todo_completed(self):
         todo = Todo.objects.create(request="Task")
         todo.done_on = timezone.now()

core/user_data.py

@@ -238,6 +238,36 @@ def _mark_fixture_user_data(path: Path) -> None:
         model.all_objects.filter(pk=pk).update(is_user_data=True)
 
 
+def _fixture_targets_installed_apps(data) -> bool:
+    """Return ``True`` when *data* only targets installed apps and models."""
+
+    if not isinstance(data, list):
+        return True
+
+    labels = {
+        obj.get("model")
+        for obj in data
+        if isinstance(obj, dict) and obj.get("model")
+    }
+
+    for label in labels:
+        if not isinstance(label, str):
+            continue
+        if "." not in label:
+            continue
+        app_label, model_name = label.split(".", 1)
+        if not app_label or not model_name:
+            continue
+        if not apps.is_installed(app_label):
+            return False
+        try:
+            apps.get_model(label)
+        except LookupError:
+            return False
+
+    return True
+
+
 def _load_fixture(path: Path, *, mark_user_data: bool = True) -> bool:
     """Load a fixture from *path* and optionally flag loaded entities."""
 
@@ -261,9 +291,12 @@ def _load_fixture(path: Path, *, mark_user_data: bool = True) -> bool:
         except Exception:
             data = None
         else:
-            if isinstance(data, list) and not data:
-                path.unlink(missing_ok=True)
-                return False
+            if isinstance(data, list):
+                if not data:
+                    path.unlink(missing_ok=True)
+                    return False
+                if not _fixture_targets_installed_apps(data):
+                    return False
 
     try:
         call_command("loaddata", str(path), ignorenonexistent=True)
@@ -484,11 +517,23 @@ def patch_admin_user_datum() -> None:
     admin.site._user_datum_patched = True
 
 
-def _seed_data_view(request):
-    sections = []
+def _iter_entity_admin_models():
+    """Yield registered :class:`Entity` admin models without proxy duplicates."""
+
+    seen: set[type] = set()
     for model, model_admin in admin.site._registry.items():
         if not issubclass(model, Entity):
             continue
+        concrete_model = model._meta.concrete_model
+        if concrete_model in seen:
+            continue
+        seen.add(concrete_model)
+        yield model, model_admin
+
+
+def _seed_data_view(request):
+    sections = []
+    for model, model_admin in _iter_entity_admin_models():
         objs = model.objects.filter(is_seed_data=True)
         if not objs.exists():
             continue
@@ -508,9 +553,7 @@ def _seed_data_view(request):
 
 def _user_data_view(request):
     sections = []
-    for model, model_admin in admin.site._registry.items():
-        if not issubclass(model, Entity):
-            continue
+    for model, model_admin in _iter_entity_admin_models():
         objs = model.objects.filter(is_user_data=True)
         if not objs.exists():
             continue