arthexis 0.1.12__py3-none-any.whl → 0.1.14__py3-none-any.whl

core/auto_upgrade.py

@@ -1,57 +1,57 @@
-"""Helpers for managing the auto-upgrade scheduler."""
-
-from __future__ import annotations
-
-from pathlib import Path
-
-from django.conf import settings
-
-
-AUTO_UPGRADE_TASK_NAME = "auto-upgrade-check"
-AUTO_UPGRADE_TASK_PATH = "core.tasks.check_github_updates"
-
-
-def ensure_auto_upgrade_periodic_task(
-    sender=None, *, base_dir: Path | None = None, **kwargs
-) -> None:
-    """Ensure the auto-upgrade periodic task exists.
-
-    The function is signal-safe so it can be wired to Django's
-    ``post_migrate`` hook. When called directly the ``sender`` and
-    ``**kwargs`` parameters are ignored.
-    """
-
-    del sender, kwargs  # Unused when invoked as a Django signal handler.
-
-    if base_dir is None:
-        base_dir = Path(settings.BASE_DIR)
-    else:
-        base_dir = Path(base_dir)
-
-    lock_dir = base_dir / "locks"
-    mode_file = lock_dir / "auto_upgrade.lck"
-    if not mode_file.exists():
-        return
-
-    try:  # pragma: no cover - optional dependency failures
-        from django_celery_beat.models import IntervalSchedule, PeriodicTask
-        from django.db.utils import OperationalError, ProgrammingError
-    except Exception:
-        return
-
-    mode = mode_file.read_text().strip() or "version"
-    interval_minutes = 5 if mode == "latest" else 10
-
-    try:
-        schedule, _ = IntervalSchedule.objects.get_or_create(
-            every=interval_minutes, period=IntervalSchedule.MINUTES
-        )
-        PeriodicTask.objects.update_or_create(
-            name=AUTO_UPGRADE_TASK_NAME,
-            defaults={
-                "interval": schedule,
-                "task": AUTO_UPGRADE_TASK_PATH,
-            },
-        )
-    except (OperationalError, ProgrammingError):  # pragma: no cover - DB not ready
-        return
+"""Helpers for managing the auto-upgrade scheduler."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from django.conf import settings
+
+
+AUTO_UPGRADE_TASK_NAME = "auto-upgrade-check"
+AUTO_UPGRADE_TASK_PATH = "core.tasks.check_github_updates"
+
+
+def ensure_auto_upgrade_periodic_task(
+    sender=None, *, base_dir: Path | None = None, **kwargs
+) -> None:
+    """Ensure the auto-upgrade periodic task exists.
+
+    The function is signal-safe so it can be wired to Django's
+    ``post_migrate`` hook. When called directly the ``sender`` and
+    ``**kwargs`` parameters are ignored.
+    """
+
+    del sender, kwargs  # Unused when invoked as a Django signal handler.
+
+    if base_dir is None:
+        base_dir = Path(settings.BASE_DIR)
+    else:
+        base_dir = Path(base_dir)
+
+    lock_dir = base_dir / "locks"
+    mode_file = lock_dir / "auto_upgrade.lck"
+    if not mode_file.exists():
+        return
+
+    try:  # pragma: no cover - optional dependency failures
+        from django_celery_beat.models import IntervalSchedule, PeriodicTask
+        from django.db.utils import OperationalError, ProgrammingError
+    except Exception:
+        return
+
+    _mode = mode_file.read_text().strip() or "version"
+    interval_minutes = 5
+
+    try:
+        schedule, _ = IntervalSchedule.objects.get_or_create(
+            every=interval_minutes, period=IntervalSchedule.MINUTES
+        )
+        PeriodicTask.objects.update_or_create(
+            name=AUTO_UPGRADE_TASK_NAME,
+            defaults={
+                "interval": schedule,
+                "task": AUTO_UPGRADE_TASK_PATH,
+            },
+        )
+    except (OperationalError, ProgrammingError):  # pragma: no cover - DB not ready
+        return

core/backends.py

@@ -1,236 +1,265 @@
-"""Custom authentication backends for the core app."""
-
-import contextlib
-import ipaddress
-import socket
-
-from django.conf import settings
-from django.contrib.auth import get_user_model
-from django.contrib.auth.backends import ModelBackend
-from django.core.exceptions import DisallowedHost
-from django.http.request import split_domain_port
-from django_otp.plugins.otp_totp.models import TOTPDevice
-
-from .models import EnergyAccount
-from . import temp_passwords
-
-
-TOTP_DEVICE_NAME = "authenticator"
-
-
-class TOTPBackend(ModelBackend):
-    """Authenticate using a TOTP code from an enrolled authenticator app."""
-
-    def authenticate(self, request, username=None, otp_token=None, **kwargs):
-        if not username or otp_token in (None, ""):
-            return None
-
-        token = str(otp_token).strip().replace(" ", "")
-        if not token:
-            return None
-
-        UserModel = get_user_model()
-        try:
-            user = UserModel._default_manager.get_by_natural_key(username)
-        except UserModel.DoesNotExist:
-            return None
-
-        if not user.is_active:
-            return None
-
-        device_qs = TOTPDevice.objects.filter(user=user, confirmed=True)
-        if TOTP_DEVICE_NAME:
-            device_qs = device_qs.filter(name=TOTP_DEVICE_NAME)
-
-        device = device_qs.order_by("-id").first()
-        if device is None:
-            return None
-
-        try:
-            verified = device.verify_token(token)
-        except Exception:
-            return None
-
-        if not verified:
-            return None
-
-        user.otp_device = device
-        return user
-
-    def get_user(self, user_id):
-        UserModel = get_user_model()
-        try:
-            return UserModel._default_manager.get(pk=user_id)
-        except UserModel.DoesNotExist:
-            return None
-
-
-class RFIDBackend:
-    """Authenticate using a user's RFID."""
-
-    def authenticate(self, request, rfid=None, **kwargs):
-        if not rfid:
-            return None
-        account = (
-            EnergyAccount.objects.filter(
-                rfids__rfid=rfid.upper(), rfids__allowed=True, user__isnull=False
-            )
-            .select_related("user")
-            .first()
-        )
-        if account:
-            return account.user
-        return None
-
-    def get_user(self, user_id):
-        User = get_user_model()
-        try:
-            return User.objects.get(pk=user_id)
-        except User.DoesNotExist:
-            return None
-
-
-def _collect_local_ip_addresses():
-    """Return IP addresses assigned to the current machine."""
-
-    hosts = {socket.gethostname().strip()}
-    with contextlib.suppress(Exception):
-        hosts.add(socket.getfqdn().strip())
-
-    addresses = set()
-    for host in filter(None, hosts):
-        with contextlib.suppress(OSError):
-            _, _, ip_list = socket.gethostbyname_ex(host)
-            for candidate in ip_list:
-                with contextlib.suppress(ValueError):
-                    addresses.add(ipaddress.ip_address(candidate))
-        with contextlib.suppress(OSError):
-            for info in socket.getaddrinfo(host, None, family=socket.AF_UNSPEC):
-                sockaddr = info[-1]
-                if not sockaddr:
-                    continue
-                raw_address = sockaddr[0]
-                if isinstance(raw_address, bytes):
-                    with contextlib.suppress(UnicodeDecodeError):
-                        raw_address = raw_address.decode()
-                if isinstance(raw_address, str):
-                    if "%" in raw_address:
-                        raw_address = raw_address.split("%", 1)[0]
-                    with contextlib.suppress(ValueError):
-                        addresses.add(ipaddress.ip_address(raw_address))
-    return tuple(sorted(addresses, key=str))
-
-
-class LocalhostAdminBackend(ModelBackend):
-    """Allow default admin credentials only from local networks."""
-
-    _ALLOWED_NETWORKS = (
-        ipaddress.ip_network("::1/128"),
-        ipaddress.ip_network("127.0.0.0/8"),
-        ipaddress.ip_network("10.42.0.0/16"),
-        ipaddress.ip_network("192.168.0.0/16"),
-    )
-    _CONTROL_ALLOWED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)
-    _LOCAL_IPS = _collect_local_ip_addresses()
-
-    def _iter_allowed_networks(self):
-        yield from self._ALLOWED_NETWORKS
-        if getattr(settings, "NODE_ROLE", "") == "Control":
-            yield from self._CONTROL_ALLOWED_NETWORKS
-
-    def authenticate(self, request, username=None, password=None, **kwargs):
-        if username == "admin" and password == "admin" and request is not None:
-            try:
-                host = request.get_host()
-            except DisallowedHost:
-                return None
-            host, _port = split_domain_port(host)
-            if host.startswith("[") and host.endswith("]"):
-                host = host[1:-1]
-            try:
-                ipaddress.ip_address(host)
-            except ValueError:
-                return None
-            forwarded = request.META.get("HTTP_X_FORWARDED_FOR")
-            if forwarded:
-                remote = forwarded.split(",")[0].strip()
-            else:
-                remote = request.META.get("REMOTE_ADDR", "")
-            try:
-                ip = ipaddress.ip_address(remote)
-            except ValueError:
-                return None
-            allowed = any(ip in net for net in self._iter_allowed_networks())
-            if not allowed and ip in self._LOCAL_IPS:
-                allowed = True
-            if not allowed:
-                return None
-            User = get_user_model()
-            user, created = User.all_objects.get_or_create(
-                username="admin",
-                defaults={
-                    "is_staff": True,
-                    "is_superuser": True,
-                },
-            )
-            if not created and not user.is_active:
-                return None
-            arthexis_user = (
-                User.all_objects.filter(username="arthexis").exclude(pk=user.pk).first()
-            )
-            if created:
-                if arthexis_user and user.operate_as_id is None:
-                    user.operate_as = arthexis_user
-                user.set_password("admin")
-                user.save()
-            elif not user.check_password("admin"):
-                return None
-            elif arthexis_user and user.operate_as_id is None:
-                user.operate_as = arthexis_user
-                user.save(update_fields=["operate_as"])
-            return user
-        return super().authenticate(request, username, password, **kwargs)
-
-    def get_user(self, user_id):
-        User = get_user_model()
-        try:
-            return User.all_objects.get(pk=user_id)
-        except User.DoesNotExist:
-            return None
-
-
-class TempPasswordBackend(ModelBackend):
-    """Authenticate using a temporary password stored in a lockfile."""
-
-    def authenticate(self, request, username=None, password=None, **kwargs):
-        if not username or not password:
-            return None
-
-        UserModel = get_user_model()
-        manager = getattr(UserModel, "all_objects", UserModel._default_manager)
-        try:
-            user = manager.get_by_natural_key(username)
-        except UserModel.DoesNotExist:
-            return None
-
-        entry = temp_passwords.load_temp_password(user.username)
-        if entry is None:
-            return None
-        if entry.is_expired:
-            temp_passwords.discard_temp_password(user.username)
-            return None
-        if not entry.check_password(password):
-            return None
-
-        if not user.is_active:
-            user.is_active = True
-            user.save(update_fields=["is_active"])
-        return user
-
-    def get_user(self, user_id):
-        UserModel = get_user_model()
-        manager = getattr(UserModel, "all_objects", UserModel._default_manager)
-        try:
-            return manager.get(pk=user_id)
-        except UserModel.DoesNotExist:
-            return None
+"""Custom authentication backends for the core app."""
+
+import contextlib
+import ipaddress
+import os
+import socket
+import subprocess
+
+from django.conf import settings
+from django.contrib.auth import get_user_model
+from django.contrib.auth.backends import ModelBackend
+from django.core.exceptions import DisallowedHost
+from django.http.request import split_domain_port
+from django_otp.plugins.otp_totp.models import TOTPDevice
+
+from .models import EnergyAccount, RFID
+from . import temp_passwords
+
+
+TOTP_DEVICE_NAME = "authenticator"
+
+
+class TOTPBackend(ModelBackend):
+    """Authenticate using a TOTP code from an enrolled authenticator app."""
+
+    def authenticate(self, request, username=None, otp_token=None, **kwargs):
+        if not username or otp_token in (None, ""):
+            return None
+
+        token = str(otp_token).strip().replace(" ", "")
+        if not token:
+            return None
+
+        UserModel = get_user_model()
+        try:
+            user = UserModel._default_manager.get_by_natural_key(username)
+        except UserModel.DoesNotExist:
+            return None
+
+        if not user.is_active:
+            return None
+
+        device_qs = TOTPDevice.objects.filter(user=user, confirmed=True)
+        if TOTP_DEVICE_NAME:
+            device_qs = device_qs.filter(name=TOTP_DEVICE_NAME)
+
+        device = device_qs.order_by("-id").first()
+        if device is None:
+            return None
+
+        try:
+            verified = device.verify_token(token)
+        except Exception:
+            return None
+
+        if not verified:
+            return None
+
+        user.otp_device = device
+        return user
+
+    def get_user(self, user_id):
+        UserModel = get_user_model()
+        try:
+            return UserModel._default_manager.get(pk=user_id)
+        except UserModel.DoesNotExist:
+            return None
+
+
+class RFIDBackend:
+    """Authenticate using a user's RFID."""
+
+    def authenticate(self, request, rfid=None, **kwargs):
+        if not rfid:
+            return None
+        rfid_value = str(rfid).strip().upper()
+        if not rfid_value:
+            return None
+
+        tag = RFID.objects.filter(rfid=rfid_value).first()
+        if not tag or not tag.allowed:
+            return None
+
+        command = (tag.external_command or "").strip()
+        if command:
+            env = os.environ.copy()
+            env["RFID_VALUE"] = rfid_value
+            env["RFID_LABEL_ID"] = str(tag.pk)
+            try:
+                completed = subprocess.run(
+                    command,
+                    shell=True,
+                    check=False,
+                    capture_output=True,
+                    text=True,
+                    env=env,
+                )
+            except Exception:
+                return None
+            if completed.returncode != 0:
+                return None
+
+        account = (
+            EnergyAccount.objects.filter(
+                rfids__pk=tag.pk, rfids__allowed=True, user__isnull=False
+            )
+            .select_related("user")
+            .first()
+        )
+        if account:
+            return account.user
+        return None
+
+    def get_user(self, user_id):
+        User = get_user_model()
+        try:
+            return User.objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
+
+
+def _collect_local_ip_addresses():
+    """Return IP addresses assigned to the current machine."""
+
+    hosts = {socket.gethostname().strip()}
+    with contextlib.suppress(Exception):
+        hosts.add(socket.getfqdn().strip())
+
+    addresses = set()
+    for host in filter(None, hosts):
+        with contextlib.suppress(OSError):
+            _, _, ip_list = socket.gethostbyname_ex(host)
+            for candidate in ip_list:
+                with contextlib.suppress(ValueError):
+                    addresses.add(ipaddress.ip_address(candidate))
+        with contextlib.suppress(OSError):
+            for info in socket.getaddrinfo(host, None, family=socket.AF_UNSPEC):
+                sockaddr = info[-1]
+                if not sockaddr:
+                    continue
+                raw_address = sockaddr[0]
+                if isinstance(raw_address, bytes):
+                    with contextlib.suppress(UnicodeDecodeError):
+                        raw_address = raw_address.decode()
+                if isinstance(raw_address, str):
+                    if "%" in raw_address:
+                        raw_address = raw_address.split("%", 1)[0]
+                    with contextlib.suppress(ValueError):
+                        addresses.add(ipaddress.ip_address(raw_address))
+    return tuple(sorted(addresses, key=str))
+
+
+class LocalhostAdminBackend(ModelBackend):
+    """Allow default admin credentials only from local networks."""
+
+    _ALLOWED_NETWORKS = (
+        ipaddress.ip_network("::1/128"),
+        ipaddress.ip_network("127.0.0.0/8"),
+        ipaddress.ip_network("10.42.0.0/16"),
+        ipaddress.ip_network("192.168.0.0/16"),
+    )
+    _CONTROL_ALLOWED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)
+    _LOCAL_IPS = _collect_local_ip_addresses()
+
+    def _iter_allowed_networks(self):
+        yield from self._ALLOWED_NETWORKS
+        if getattr(settings, "NODE_ROLE", "") == "Control":
+            yield from self._CONTROL_ALLOWED_NETWORKS
+
+    def authenticate(self, request, username=None, password=None, **kwargs):
+        if username == "admin" and password == "admin" and request is not None:
+            try:
+                host = request.get_host()
+            except DisallowedHost:
+                return None
+            host, _port = split_domain_port(host)
+            if host.startswith("[") and host.endswith("]"):
+                host = host[1:-1]
+            try:
+                ipaddress.ip_address(host)
+            except ValueError:
+                return None
+            forwarded = request.META.get("HTTP_X_FORWARDED_FOR")
+            if forwarded:
+                remote = forwarded.split(",")[0].strip()
+            else:
+                remote = request.META.get("REMOTE_ADDR", "")
+            try:
+                ip = ipaddress.ip_address(remote)
+            except ValueError:
+                return None
+            allowed = any(ip in net for net in self._iter_allowed_networks())
+            if not allowed and ip in self._LOCAL_IPS:
+                allowed = True
+            if not allowed:
+                return None
+            User = get_user_model()
+            user, created = User.all_objects.get_or_create(
+                username="admin",
+                defaults={
+                    "is_staff": True,
+                    "is_superuser": True,
+                },
+            )
+            if not created and not user.is_active:
+                return None
+            arthexis_user = (
+                User.all_objects.filter(username="arthexis").exclude(pk=user.pk).first()
+            )
+            if created:
+                if arthexis_user and user.operate_as_id is None:
+                    user.operate_as = arthexis_user
+                user.set_password("admin")
+                user.save()
+            elif not user.check_password("admin"):
+                return None
+            elif arthexis_user and user.operate_as_id is None:
+                user.operate_as = arthexis_user
+                user.save(update_fields=["operate_as"])
+            return user
+        return super().authenticate(request, username, password, **kwargs)
+
+    def get_user(self, user_id):
+        User = get_user_model()
+        try:
+            return User.all_objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
+
+
+class TempPasswordBackend(ModelBackend):
+    """Authenticate using a temporary password stored in a lockfile."""
+
+    def authenticate(self, request, username=None, password=None, **kwargs):
+        if not username or not password:
+            return None
+
+        UserModel = get_user_model()
+        manager = getattr(UserModel, "all_objects", UserModel._default_manager)
+        try:
+            user = manager.get_by_natural_key(username)
+        except UserModel.DoesNotExist:
+            return None
+
+        entry = temp_passwords.load_temp_password(user.username)
+        if entry is None:
+            return None
+        if entry.is_expired:
+            temp_passwords.discard_temp_password(user.username)
+            return None
+        if not entry.check_password(password):
+            return None
+
+        if not user.is_active:
+            user.is_active = True
+            user.save(update_fields=["is_active"])
+        return user
+
+    def get_user(self, user_id):
+        UserModel = get_user_model()
+        manager = getattr(UserModel, "all_objects", UserModel._default_manager)
+        try:
+            return manager.get(pk=user_id)
+        except UserModel.DoesNotExist:
+            return None