arthexis 0.1.19__py3-none-any.whl → 0.1.20__py3-none-any.whl

nodes/urls.py

@@ -8,7 +8,11 @@ urlpatterns = [
     path("register/", views.register_node, name="register-node"),
     path("screenshot/", views.capture, name="node-screenshot"),
     path("net-message/", views.net_message, name="net-message"),
+    path("net-message/pull/", views.net_message_pull, name="net-message-pull"),
     path("rfid/export/", views.export_rfids, name="node-rfid-export"),
     path("rfid/import/", views.import_rfids, name="node-rfid-import"),
+    path("proxy/session/", views.proxy_session, name="node-proxy-session"),
+    path("proxy/login/<str:token>/", views.proxy_login, name="node-proxy-login"),
+    path("proxy/execute/", views.proxy_execute, name="node-proxy-execute"),
     path("<slug:endpoint>/", views.public_node_endpoint, name="node-public-endpoint"),
 ]

nodes/views.py

@@ -1,17 +1,29 @@
 import base64
 import ipaddress
 import json
+import re
+import secrets
 import socket
 from collections.abc import Mapping
+from datetime import timedelta
 
-from django.http import JsonResponse
-from django.http.request import split_domain_port
-from django.views.decorators.csrf import csrf_exempt
-from django.shortcuts import get_object_or_404
+from django.apps import apps
 from django.conf import settings
+from django.contrib.auth import authenticate, get_user_model, login
+from django.contrib.auth.models import Group, Permission
+from django.core import serializers
+from django.core.cache import cache
+from django.core.signing import BadSignature, SignatureExpired, TimestampSigner
+from django.http import HttpResponse, JsonResponse
+from django.http.request import split_domain_port
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
-from pathlib import Path
+from django.utils import timezone
 from django.utils.cache import patch_vary_headers
+from django.utils.http import url_has_allowed_host_and_scheme
+from django.views.decorators.csrf import csrf_exempt
+from pathlib import Path
+from urllib.parse import urlsplit
 
 from utils.api import api_login_required
 
@@ -22,16 +34,95 @@ from core.models import RFID
 
 from .rfid_sync import apply_rfid_payload, serialize_rfid
 
-from .models import (
-    Node,
-    NetMessage,
-    NodeFeature,
-    NodeRole,
-    node_information_updated,
-)
+from .models import Node, NetMessage, PendingNetMessage, node_information_updated
 from .utils import capture_screenshot, save_screenshot
 
 
+PROXY_TOKEN_SALT = "nodes.proxy.session"
+PROXY_TOKEN_TIMEOUT = 300
+PROXY_CACHE_PREFIX = "nodes:proxy-session:"
+
+
+def _load_signed_node(request, requester_id: str):
+    signature = request.headers.get("X-Signature")
+    if not signature:
+        return None, JsonResponse({"detail": "signature required"}, status=403)
+    node = Node.objects.filter(uuid=requester_id).first()
+    if not node or not node.public_key:
+        return None, JsonResponse({"detail": "unknown requester"}, status=403)
+    try:
+        public_key = serialization.load_pem_public_key(node.public_key.encode())
+        public_key.verify(
+            base64.b64decode(signature),
+            request.body,
+            padding.PKCS1v15(),
+            hashes.SHA256(),
+        )
+    except Exception:
+        return None, JsonResponse({"detail": "invalid signature"}, status=403)
+    return node, None
+
+
+def _sanitize_proxy_target(target: str | None, request) -> str:
+    default_target = reverse("admin:index")
+    if not target:
+        return default_target
+    candidate = str(target).strip()
+    if not candidate:
+        return default_target
+    if candidate.startswith(("http://", "https://")):
+        parsed = urlsplit(candidate)
+        if not parsed.path:
+            return default_target
+        allowed = url_has_allowed_host_and_scheme(
+            candidate,
+            allowed_hosts={request.get_host()},
+            require_https=request.is_secure(),
+        )
+        if not allowed:
+            return default_target
+        path = parsed.path
+        if parsed.query:
+            path = f"{path}?{parsed.query}"
+        return path
+    if not candidate.startswith("/"):
+        candidate = f"/{candidate}"
+    return candidate
+
+
+def _assign_groups_and_permissions(user, payload: Mapping) -> None:
+    groups = payload.get("groups", [])
+    group_objs: list[Group] = []
+    if isinstance(groups, (list, tuple)):
+        for name in groups:
+            if not isinstance(name, str):
+                continue
+            cleaned = name.strip()
+            if not cleaned:
+                continue
+            group, _ = Group.objects.get_or_create(name=cleaned)
+            group_objs.append(group)
+    if group_objs or user.groups.exists():
+        user.groups.set(group_objs)
+
+    permissions = payload.get("permissions", [])
+    perm_objs: list[Permission] = []
+    if isinstance(permissions, (list, tuple)):
+        for label in permissions:
+            if not isinstance(label, str):
+                continue
+            app_label, _, codename = label.partition(".")
+            if not app_label or not codename:
+                continue
+            perm = Permission.objects.filter(
+                content_type__app_label=app_label, codename=codename
+            ).first()
+            if perm:
+                perm_objs.append(perm)
+    if perm_objs:
+        user.user_permissions.set(perm_objs)
+
+
 def _get_client_ip(request):
     """Return the client IP from the request headers."""
 
@@ -315,6 +406,12 @@ def register_node(request):
         "address": address,
         "port": port,
     }
+    role_name = str(data.get("role") or data.get("role_name") or "").strip()
+    desired_role = None
+    if role_name and (verified or request.user.is_authenticated):
+        desired_role = NodeRole.objects.filter(name=role_name).first()
+        if desired_role:
+            defaults["role"] = desired_role
     if verified:
         defaults["public_key"] = public_key
     if installed_version is not None:
@@ -349,6 +446,9 @@ def register_node(request):
         if relation_value is not None and node.current_relation != relation_value:
             node.current_relation = relation_value
             update_fields.append("current_relation")
+        if desired_role and node.role_id != desired_role.id:
+            node.role = desired_role
+            update_fields.append("role")
         node.save(update_fields=update_fields)
         current_version = (node.installed_version or "").strip()
         current_revision = (node.installed_revision or "").strip()
@@ -368,7 +468,11 @@ def register_node(request):
                 feature_list = list(features)
             node.update_manual_features(feature_list)
         response = JsonResponse(
-            {"id": node.id, "detail": f"Node already exists (id: {node.id})"}
+            {
+                "id": node.id,
+                "uuid": str(node.uuid),
+                "detail": f"Node already exists (id: {node.id})",
+            }
         )
         return _add_cors_headers(request, response)
 
@@ -393,7 +497,7 @@ def register_node(request):
 
     _announce_visitor_join(node, relation_value)
 
-    response = JsonResponse({"id": node.id})
+    response = JsonResponse({"id": node.id, "uuid": str(node.uuid)})
     return _add_cors_headers(request, response)
 
 
@@ -524,6 +628,293 @@ def import_rfids(request):
     )
 
 
+@csrf_exempt
+def proxy_session(request):
+    """Create a proxy login session for a remote administrator."""
+
+    if request.method != "POST":
+        return JsonResponse({"detail": "POST required"}, status=405)
+
+    try:
+        payload = json.loads(request.body.decode() or "{}")
+    except json.JSONDecodeError:
+        return JsonResponse({"detail": "invalid json"}, status=400)
+
+    requester = payload.get("requester")
+    if not requester:
+        return JsonResponse({"detail": "requester required"}, status=400)
+
+    node, error_response = _load_signed_node(request, requester)
+    if error_response is not None:
+        return error_response
+
+    user_payload = payload.get("user") or {}
+    username = str(user_payload.get("username", "")).strip()
+    if not username:
+        return JsonResponse({"detail": "username required"}, status=400)
+
+    User = get_user_model()
+    user, created = User.objects.get_or_create(
+        username=username,
+        defaults={
+            "email": user_payload.get("email", ""),
+            "first_name": user_payload.get("first_name", ""),
+            "last_name": user_payload.get("last_name", ""),
+        },
+    )
+
+    updates: list[str] = []
+    for field in ("first_name", "last_name", "email"):
+        value = user_payload.get(field)
+        if isinstance(value, str) and getattr(user, field) != value:
+            setattr(user, field, value)
+            updates.append(field)
+
+    if created:
+        user.set_unusable_password()
+        updates.append("password")
+
+    staff_flag = user_payload.get("is_staff")
+    if staff_flag is not None:
+        is_staff = bool(staff_flag)
+    else:
+        is_staff = True
+    if user.is_staff != is_staff:
+        user.is_staff = is_staff
+        updates.append("is_staff")
+
+    superuser_flag = user_payload.get("is_superuser")
+    if superuser_flag is not None:
+        is_superuser = bool(superuser_flag)
+        if user.is_superuser != is_superuser:
+            user.is_superuser = is_superuser
+            updates.append("is_superuser")
+
+    if not user.is_active:
+        user.is_active = True
+        updates.append("is_active")
+
+    if updates:
+        user.save(update_fields=updates)
+
+    _assign_groups_and_permissions(user, user_payload)
+
+    target_path = _sanitize_proxy_target(payload.get("target"), request)
+    nonce = secrets.token_urlsafe(24)
+    cache_key = f"{PROXY_CACHE_PREFIX}{nonce}"
+    cache.set(cache_key, {"user_id": user.pk}, PROXY_TOKEN_TIMEOUT)
+
+    signer = TimestampSigner(salt=PROXY_TOKEN_SALT)
+    token = signer.sign_object({"user": user.pk, "next": target_path, "nonce": nonce})
+    login_url = request.build_absolute_uri(
+        reverse("node-proxy-login", args=[token])
+    )
+    expires = timezone.now() + timedelta(seconds=PROXY_TOKEN_TIMEOUT)
+
+    return JsonResponse({"login_url": login_url, "expires": expires.isoformat()})
+
+
+@csrf_exempt
+def proxy_login(request, token):
+    """Redeem a proxy login token and redirect to the target path."""
+
+    signer = TimestampSigner(salt=PROXY_TOKEN_SALT)
+    try:
+        payload = signer.unsign_object(token, max_age=PROXY_TOKEN_TIMEOUT)
+    except SignatureExpired:
+        return HttpResponse(status=410)
+    except BadSignature:
+        return HttpResponse(status=400)
+
+    nonce = payload.get("nonce")
+    if not nonce:
+        return HttpResponse(status=400)
+
+    cache_key = f"{PROXY_CACHE_PREFIX}{nonce}"
+    cache_payload = cache.get(cache_key)
+    if not cache_payload:
+        return HttpResponse(status=410)
+    cache.delete(cache_key)
+
+    user_id = cache_payload.get("user_id")
+    if not user_id:
+        return HttpResponse(status=403)
+
+    User = get_user_model()
+    user = User.objects.filter(pk=user_id).first()
+    if not user or not user.is_active:
+        return HttpResponse(status=403)
+
+    backend = getattr(user, "backend", "")
+    if not backend:
+        backends = getattr(settings, "AUTHENTICATION_BACKENDS", None) or ()
+        backend = backends[0] if backends else "django.contrib.auth.backends.ModelBackend"
+    login(request, user, backend=backend)
+
+    next_path = payload.get("next") or reverse("admin:index")
+    if not url_has_allowed_host_and_scheme(
+        next_path,
+        allowed_hosts={request.get_host()},
+        require_https=request.is_secure(),
+    ):
+        next_path = reverse("admin:index")
+
+    return redirect(next_path)
+
+
+def _suite_model_name(meta) -> str:
+    base = str(meta.verbose_name_plural or meta.verbose_name or meta.object_name)
+    normalized = re.sub(r"[^0-9A-Za-z]+", " ", base).title().replace(" ", "")
+    return normalized or meta.object_name
+
+
+@csrf_exempt
+def proxy_execute(request):
+    """Execute model operations on behalf of a remote interface node."""
+
+    if request.method != "POST":
+        return JsonResponse({"detail": "POST required"}, status=405)
+
+    try:
+        payload = json.loads(request.body.decode() or "{}")
+    except json.JSONDecodeError:
+        return JsonResponse({"detail": "invalid json"}, status=400)
+
+    requester = payload.get("requester")
+    if not requester:
+        return JsonResponse({"detail": "requester required"}, status=400)
+
+    node, error_response = _load_signed_node(request, requester)
+    if error_response is not None:
+        return error_response
+
+    action = str(payload.get("action", "")).strip().lower()
+    if not action:
+        return JsonResponse({"detail": "action required"}, status=400)
+
+    credentials = payload.get("credentials") or {}
+    username = str(credentials.get("username", "")).strip()
+    password_value = credentials.get("password")
+    password = password_value if isinstance(password_value, str) else str(password_value or "")
+    if not username or not password:
+        return JsonResponse({"detail": "credentials required"}, status=401)
+
+    User = get_user_model()
+    existing_user = User.objects.filter(username=username).first()
+    auth_user = authenticate(request=None, username=username, password=password)
+
+    if auth_user is None:
+        if existing_user is not None:
+            return JsonResponse({"detail": "authentication failed"}, status=403)
+        auth_user = User.objects.create_user(
+            username=username,
+            password=password,
+            email=str(credentials.get("email", "")),
+        )
+        auth_user.is_staff = True
+        auth_user.is_superuser = True
+        auth_user.first_name = str(credentials.get("first_name", ""))
+        auth_user.last_name = str(credentials.get("last_name", ""))
+        auth_user.save()
+    else:
+        updates: list[str] = []
+        for field in ("first_name", "last_name", "email"):
+            value = credentials.get(field)
+            if isinstance(value, str) and getattr(auth_user, field) != value:
+                setattr(auth_user, field, value)
+                updates.append(field)
+        for flag in ("is_staff", "is_superuser"):
+            if flag in credentials:
+                desired = bool(credentials.get(flag))
+                if getattr(auth_user, flag) != desired:
+                    setattr(auth_user, flag, desired)
+                    updates.append(flag)
+        if updates:
+            auth_user.save(update_fields=updates)
+
+    if not auth_user.is_active:
+        return JsonResponse({"detail": "user inactive"}, status=403)
+
+    _assign_groups_and_permissions(auth_user, credentials)
+
+    model_label = payload.get("model")
+    model = None
+    if action != "schema":
+        if not isinstance(model_label, str) or "." not in model_label:
+            return JsonResponse({"detail": "model required"}, status=400)
+        app_label, model_name = model_label.split(".", 1)
+        model = apps.get_model(app_label, model_name)
+        if model is None:
+            return JsonResponse({"detail": "model not found"}, status=404)
+
+    if action == "schema":
+        models_payload = []
+        for registered_model in apps.get_models():
+            meta = registered_model._meta
+            models_payload.append(
+                {
+                    "app_label": meta.app_label,
+                    "model": meta.model_name,
+                    "object_name": meta.object_name,
+                    "verbose_name": str(meta.verbose_name),
+                    "verbose_name_plural": str(meta.verbose_name_plural),
+                    "suite_name": _suite_model_name(meta),
+                }
+            )
+        return JsonResponse({"models": models_payload})
+
+    action_perm = {
+        "list": "view",
+        "get": "view",
+        "create": "add",
+        "update": "change",
+        "delete": "delete",
+    }.get(action)
+
+    if action_perm and not auth_user.is_superuser:
+        perm_codename = f"{model._meta.app_label}.{action_perm}_{model._meta.model_name}"
+        if not auth_user.has_perm(perm_codename):
+            return JsonResponse({"detail": "forbidden"}, status=403)
+
+    try:
+        if action == "list":
+            filters = payload.get("filters") or {}
+            if filters and not isinstance(filters, Mapping):
+                return JsonResponse({"detail": "filters must be a mapping"}, status=400)
+            queryset = model._default_manager.all()
+            if filters:
+                queryset = queryset.filter(**filters)
+            limit = payload.get("limit")
+            if limit is not None:
+                try:
+                    limit_value = int(limit)
+                    if limit_value > 0:
+                        queryset = queryset[:limit_value]
+                except (TypeError, ValueError):
+                    pass
+            data = serializers.serialize("python", queryset)
+            return JsonResponse({"objects": data})
+
+        if action == "get":
+            filters = payload.get("filters") or {}
+            if filters and not isinstance(filters, Mapping):
+                return JsonResponse({"detail": "filters must be a mapping"}, status=400)
+            lookup = dict(filters)
+            if not lookup and "pk" in payload:
+                lookup = {"pk": payload.get("pk")}
+            if not lookup:
+                return JsonResponse({"detail": "lookup required"}, status=400)
+            obj = model._default_manager.get(**lookup)
+            data = serializers.serialize("python", [obj])[0]
+            return JsonResponse({"object": data})
+    except model.DoesNotExist:
+        return JsonResponse({"detail": "not found"}, status=404)
+    except Exception as exc:
+        return JsonResponse({"detail": str(exc)}, status=400)
+
+    return JsonResponse({"detail": "unsupported action"}, status=400)
+
+
 @csrf_exempt
 @api_login_required
 def public_node_endpoint(request, endpoint):
@@ -586,85 +977,99 @@ def net_message(request):
     except Exception:
         return JsonResponse({"detail": "invalid signature"}, status=403)
 
-    msg_uuid = data.get("uuid")
-    subject = data.get("subject", "")
-    body = data.get("body", "")
-    attachments = NetMessage.normalize_attachments(data.get("attachments"))
-    reach_name = data.get("reach")
-    reach_role = None
-    if reach_name:
-        reach_role = NodeRole.objects.filter(name=reach_name).first()
-    filter_node_uuid = data.get("filter_node")
-    filter_node = None
-    if filter_node_uuid:
-        filter_node = Node.objects.filter(uuid=filter_node_uuid).first()
-    filter_feature_slug = data.get("filter_node_feature")
-    filter_feature = None
-    if filter_feature_slug:
-        filter_feature = NodeFeature.objects.filter(slug=filter_feature_slug).first()
-    filter_role_name = data.get("filter_node_role")
-    filter_role = None
-    if filter_role_name:
-        filter_role = NodeRole.objects.filter(name=filter_role_name).first()
-    filter_relation_value = data.get("filter_current_relation")
-    filter_relation = ""
-    if filter_relation_value:
-        relation = Node.normalize_relation(filter_relation_value)
-        filter_relation = relation.value if relation else ""
-    filter_installed_version = (data.get("filter_installed_version") or "")[:20]
-    filter_installed_revision = (data.get("filter_installed_revision") or "")[:40]
-    seen = data.get("seen", [])
-    origin_id = data.get("origin")
-    origin_node = None
-    if origin_id:
-        origin_node = Node.objects.filter(uuid=origin_id).first()
-    if not origin_node:
-        origin_node = node
-    if not msg_uuid:
-        return JsonResponse({"detail": "uuid required"}, status=400)
-    msg, created = NetMessage.objects.get_or_create(
-        uuid=msg_uuid,
-        defaults={
-            "subject": subject[:64],
-            "body": body[:256],
-            "reach": reach_role,
-            "node_origin": origin_node,
-            "attachments": attachments or None,
-            "filter_node": filter_node,
-            "filter_node_feature": filter_feature,
-            "filter_node_role": filter_role,
-            "filter_current_relation": filter_relation,
-            "filter_installed_version": filter_installed_version,
-            "filter_installed_revision": filter_installed_revision,
-        },
-    )
-    if not created:
-        msg.subject = subject[:64]
-        msg.body = body[:256]
-        update_fields = ["subject", "body"]
-        if reach_role and msg.reach_id != reach_role.id:
-            msg.reach = reach_role
-            update_fields.append("reach")
-        if msg.node_origin_id is None and origin_node:
-            msg.node_origin = origin_node
-            update_fields.append("node_origin")
-        if attachments and msg.attachments != attachments:
-            msg.attachments = attachments
-            update_fields.append("attachments")
-        field_updates = {
-            "filter_node": filter_node,
-            "filter_node_feature": filter_feature,
-            "filter_node_role": filter_role,
-            "filter_current_relation": filter_relation,
-            "filter_installed_version": filter_installed_version,
-            "filter_installed_revision": filter_installed_revision,
-        }
-        for field, value in field_updates.items():
-            if getattr(msg, field) != value:
-                setattr(msg, field, value)
-                update_fields.append(field)
-        msg.save(update_fields=update_fields)
-    if attachments:
-        msg.apply_attachments(attachments)
-    msg.propagate(seen=seen)
+    try:
+        msg = NetMessage.receive_payload(data, sender=node)
+    except ValueError as exc:
+        return JsonResponse({"detail": str(exc)}, status=400)
     return JsonResponse({"status": "propagated", "complete": msg.complete})
+
+
+@csrf_exempt
+def net_message_pull(request):
+    """Allow downstream nodes to retrieve queued network messages."""
+
+    if request.method != "POST":
+        return JsonResponse({"detail": "POST required"}, status=405)
+    try:
+        data = json.loads(request.body.decode() or "{}")
+    except json.JSONDecodeError:
+        return JsonResponse({"detail": "invalid json"}, status=400)
+
+    requester = data.get("requester")
+    if not requester:
+        return JsonResponse({"detail": "requester required"}, status=400)
+    signature = request.headers.get("X-Signature")
+    if not signature:
+        return JsonResponse({"detail": "signature required"}, status=403)
+
+    node = Node.objects.filter(uuid=requester).first()
+    if not node or not node.public_key:
+        return JsonResponse({"detail": "unknown requester"}, status=403)
+    try:
+        public_key = serialization.load_pem_public_key(node.public_key.encode())
+        public_key.verify(
+            base64.b64decode(signature),
+            request.body,
+            padding.PKCS1v15(),
+            hashes.SHA256(),
+        )
+    except Exception:
+        return JsonResponse({"detail": "invalid signature"}, status=403)
+
+    local = Node.get_local()
+    if not local:
+        return JsonResponse({"detail": "local node unavailable"}, status=503)
+    private_key = local.get_private_key()
+    if not private_key:
+        return JsonResponse({"detail": "signing unavailable"}, status=503)
+
+    entries = (
+        PendingNetMessage.objects.select_related(
+            "message",
+            "message__filter_node",
+            "message__filter_node_feature",
+            "message__filter_node_role",
+            "message__node_origin",
+        )
+        .filter(node=node)
+        .order_by("queued_at")
+    )
+    messages: list[dict[str, object]] = []
+    expired_ids: list[int] = []
+    delivered_ids: list[int] = []
+
+    origin_fallback = str(local.uuid)
+
+    for entry in entries:
+        if entry.is_stale:
+            expired_ids.append(entry.pk)
+            continue
+        message = entry.message
+        reach_source = message.filter_node_role or message.reach
+        reach_name = reach_source.name if reach_source else None
+        origin_node = message.node_origin
+        origin_uuid = str(origin_node.uuid) if origin_node else origin_fallback
+        sender_id = str(local.uuid)
+        seen = [str(value) for value in entry.seen]
+        payload = message._build_payload(
+            sender_id=sender_id,
+            origin_uuid=origin_uuid,
+            reach_name=reach_name,
+            seen=seen,
+        )
+        payload_json = message._serialize_payload(payload)
+        payload_signature = message._sign_payload(payload_json, private_key)
+        if not payload_signature:
+            logger.warning(
+                "Unable to sign queued NetMessage %s for node %s", message.pk, node.pk
+            )
+            continue
+        messages.append({"payload": payload, "signature": payload_signature})
+        delivered_ids.append(entry.pk)
+
+    if expired_ids:
+        PendingNetMessage.objects.filter(pk__in=expired_ids).delete()
+    if delivered_ids:
+        PendingNetMessage.objects.filter(pk__in=delivered_ids).delete()
+
+    return JsonResponse({"messages": messages})