arthexis 0.1.8__py3-none-any.whl → 0.1.10__py3-none-any.whl

config/auth_app.py

@@ -5,4 +5,3 @@ class AuthConfig(DjangoAuthConfig):
     """Use a shorter label for the auth section in the admin."""
 
     verbose_name = "AUTH"
-

config/celery.py

@@ -9,7 +9,7 @@ os.environ.setdefault("DJANGO_SETTINGS_MODULE", "config.settings")
 
 # When running on production-oriented nodes, avoid Celery debug mode.
 NODE_ROLE = os.environ.get("NODE_ROLE", "")
-if NODE_ROLE in {"Constellation", "Satellite", "Virtual"}:
+if NODE_ROLE in {"Constellation", "Satellite"}:
     for var in ["CELERY_TRACE_APP", "CELERY_DEBUG"]:
         os.environ.pop(var, None)
     os.environ.setdefault("CELERY_LOG_LEVEL", "INFO")
@@ -23,4 +23,3 @@ app.autodiscover_tasks()
 def debug_task(self):  # pragma: no cover - debug helper
     """A simple debug task."""
     print(f"Request: {self.request!r}")
-

config/context_processors.py

@@ -13,7 +13,7 @@ def site_and_node(request: HttpRequest):
     ``badge_node`` is a ``Node`` instance or ``None`` if no match.
     ``badge_site_color`` and ``badge_node_color`` provide the configured colors.
     """
-    host = request.get_host().split(':')[0]
+    host = request.get_host().split(":")[0]
     site = Site.objects.filter(domain__iexact=host).first()
 
     node = None

config/offline.py

@@ -2,6 +2,7 @@ import os
 import functools
 import asyncio
 
+
 class OfflineError(RuntimeError):
     """Raised when a network operation is attempted in offline mode."""
 
@@ -21,6 +22,7 @@ def requires_network(func):
     """
 
     if asyncio.iscoroutinefunction(func):
+
         @functools.wraps(func)
         async def async_wrapper(*args, **kwargs):
             if _is_offline():

config/settings.py

@@ -16,11 +16,16 @@ import os
 import sys
 import ipaddress
 import socket
+from core.log_paths import select_log_dir
 from django.utils.translation import gettext_lazy as _
 from celery.schedules import crontab
 from django.http import request as http_request
+from django.http.request import split_domain_port
 from django.middleware.csrf import CsrfViewMiddleware
 from django.core.exceptions import DisallowedHost
+from django.contrib.sites import shortcuts as sites_shortcuts
+from django.contrib.sites.requests import RequestSite
+from django.core.management.utils import get_random_secret_key
 from urllib.parse import urlsplit
 import django.utils.encoding as encoding
 
@@ -30,13 +35,36 @@ if not hasattr(encoding, "force_text"):  # pragma: no cover - Django>=5 compatib
     encoding.force_text = force_str
 
 
+
 _original_validate_host = http_request.validate_host
 
 
-def _validate_host_with_subnets(host, allowed_hosts):
+def _strip_ipv6_brackets(host: str) -> str:
+    if host.startswith("[") and host.endswith("]"):
+        return host[1:-1]
+    return host
+
+
+def _extract_ip_from_host(host: str):
+    """Return an :mod:`ipaddress` object for ``host`` when possible."""
+
+    candidate = _strip_ipv6_brackets(host)
     try:
-        ip = ipaddress.ip_address(host)
+        return ipaddress.ip_address(candidate)
     except ValueError:
+        domain, _port = split_domain_port(host)
+        if domain and domain != host:
+            candidate = _strip_ipv6_brackets(domain)
+            try:
+                return ipaddress.ip_address(candidate)
+            except ValueError:
+                return None
+    return None
+
+
+def _validate_host_with_subnets(host, allowed_hosts):
+    ip = _extract_ip_from_host(host)
+    if ip is None:
         return _original_validate_host(host, allowed_hosts)
     for pattern in allowed_hosts:
         try:
@@ -57,7 +85,9 @@ ACRONYMS: list[str] = []
 with contextlib.suppress(FileNotFoundError):
     ACRONYMS = [
         line.strip()
-        for line in (BASE_DIR / "config" / "data" / "ACRONYMS.txt").read_text().splitlines()
+        for line in (BASE_DIR / "config" / "data" / "ACRONYMS.txt")
+        .read_text()
+        .splitlines()
         if line.strip()
     ]
 
@@ -66,7 +96,29 @@ with contextlib.suppress(FileNotFoundError):
 # See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "django-insecure-16%ed9hv^gg!jj5ff6d4w=t$50k^abkq75+vwl44%^+qyq!m#w"
+
+
+def _load_secret_key() -> str:
+    for env_var in ("DJANGO_SECRET_KEY", "SECRET_KEY"):
+        value = os.environ.get(env_var)
+        if value:
+            return value
+
+    secret_file = BASE_DIR / "locks" / "django-secret.key"
+    with contextlib.suppress(OSError):
+        stored_key = secret_file.read_text(encoding="utf-8").strip()
+        if stored_key:
+            return stored_key
+
+    generated_key = get_random_secret_key()
+    with contextlib.suppress(OSError):
+        secret_file.parent.mkdir(parents=True, exist_ok=True)
+        secret_file.write_text(generated_key, encoding="utf-8")
+
+    return generated_key
+
+
+SECRET_KEY = _load_secret_key()
 
 # SECURITY WARNING: don't run with debug turned on in production!
 
@@ -89,36 +141,190 @@ ALLOWED_HOSTS = [
 ]
 
 
+_DEFAULT_PORTS = {"http": "80", "https": "443"}
+
+
+def _get_allowed_hosts() -> list[str]:
+    from django.conf import settings as django_settings
+
+    configured = getattr(django_settings, "ALLOWED_HOSTS", None)
+    if configured is None:
+        return ALLOWED_HOSTS
+    return list(configured)
+
+
+def _iter_local_hostnames(hostname: str, fqdn: str | None = None) -> list[str]:
+    """Return unique hostname variants for the current machine."""
+
+    hostnames: list[str] = []
+    seen: set[str] = set()
+
+    def _append(candidate: str | None) -> None:
+        if not candidate:
+            return
+        normalized = candidate.strip()
+        if not normalized or normalized in seen:
+            return
+        hostnames.append(normalized)
+        seen.add(normalized)
+
+    _append(hostname)
+    _append(fqdn)
+    if hostname and "." not in hostname:
+        _append(f"{hostname}.local")
+
+    return hostnames
+
+
+_local_hostname = socket.gethostname().strip()
+_local_fqdn = ""
+with contextlib.suppress(Exception):
+    _local_fqdn = socket.getfqdn().strip()
+
+for host in _iter_local_hostnames(_local_hostname, _local_fqdn):
+    if host not in ALLOWED_HOSTS:
+        ALLOWED_HOSTS.append(host)
+
+
 # Allow CSRF origin verification for hosts within allowed subnets.
 _original_origin_verified = CsrfViewMiddleware._origin_verified
+_original_check_referer = CsrfViewMiddleware._check_referer
+
+
+def _host_is_allowed(host: str, allowed_hosts: list[str]) -> bool:
+    if http_request.validate_host(host, allowed_hosts):
+        return True
+    domain, _port = split_domain_port(host)
+    if domain and domain != host:
+        return http_request.validate_host(domain, allowed_hosts)
+    return False
+
+
+def _parse_forwarded_header(header_value: str) -> list[dict[str, str]]:
+    entries: list[dict[str, str]] = []
+    if not header_value:
+        return entries
+    for forwarded_part in header_value.split(","):
+        entry: dict[str, str] = {}
+        for element in forwarded_part.split(";"):
+            if "=" not in element:
+                continue
+            key, value = element.split("=", 1)
+            entry[key.strip().lower()] = value.strip().strip('"')
+        if entry:
+            entries.append(entry)
+    return entries
+
+
+def _get_request_scheme(request, forwarded_entry: dict[str, str] | None = None) -> str:
+    """Return the scheme used by the client, honoring proxy headers."""
+
+    if forwarded_entry and forwarded_entry.get("proto", "").lower() in {"http", "https"}:
+        return forwarded_entry["proto"].lower()
+
+    if request.is_secure():
+        return "https"
+
+    forwarded_proto = request.META.get("HTTP_X_FORWARDED_PROTO", "")
+    if forwarded_proto:
+        candidate = forwarded_proto.split(",")[0].strip().lower()
+        if candidate in {"http", "https"}:
+            return candidate
+
+    forwarded_header = request.META.get("HTTP_FORWARDED", "")
+    for forwarded_entry in _parse_forwarded_header(forwarded_header):
+        candidate = forwarded_entry.get("proto", "").lower()
+        if candidate in {"http", "https"}:
+            return candidate
+
+    return "http"
+
+
+def _normalize_origin_tuple(scheme: str | None, host: str) -> tuple[str, str, str | None] | None:
+    if not scheme or scheme.lower() not in {"http", "https"}:
+        return None
+    domain, port = split_domain_port(host)
+    normalized_host = _strip_ipv6_brackets(domain.strip().lower())
+    if not normalized_host:
+        return None
+    normalized_port = port.strip() if isinstance(port, str) else port
+    if not normalized_port:
+        normalized_port = _DEFAULT_PORTS.get(scheme.lower())
+    if normalized_port is not None:
+        normalized_port = str(normalized_port)
+    return scheme.lower(), normalized_host, normalized_port
+
+
+def _normalized_request_origin(origin: str) -> tuple[str, str, str | None] | None:
+    parsed = urlsplit(origin)
+    if not parsed.scheme or not parsed.hostname:
+        return None
+    scheme = parsed.scheme.lower()
+    host = parsed.hostname.lower()
+    port = str(parsed.port) if parsed.port is not None else _DEFAULT_PORTS.get(scheme)
+    return scheme, host, port
+
+
+def _candidate_origin_tuples(request, allowed_hosts: list[str]) -> list[tuple[str, str, str | None]]:
+    default_scheme = _get_request_scheme(request)
+    candidates: list[tuple[str, str, str | None]] = []
+    seen: set[tuple[str, str, str | None]] = set()
+
+    def _append_candidate(scheme: str | None, host: str) -> None:
+        if not scheme or not host:
+            return
+        normalized = _normalize_origin_tuple(scheme, host)
+        if normalized is None:
+            return
+        if not _host_is_allowed(host, allowed_hosts):
+            return
+        if normalized in seen:
+            return
+        candidates.append(normalized)
+        seen.add(normalized)
+
+    forwarded_header = request.META.get("HTTP_FORWARDED", "")
+    for forwarded_entry in _parse_forwarded_header(forwarded_header):
+        host = forwarded_entry.get("host", "").strip()
+        scheme = _get_request_scheme(request, forwarded_entry)
+        _append_candidate(scheme, host)
+
+    forwarded_host = request.META.get("HTTP_X_FORWARDED_HOST", "")
+    if forwarded_host:
+        host = forwarded_host.split(",")[0].strip()
+        _append_candidate(default_scheme, host)
 
-
-def _origin_verified_with_subnets(self, request):
-    request_origin = request.META["HTTP_ORIGIN"]
     try:
         good_host = request.get_host()
     except DisallowedHost:
-        pass
-    else:
-        good_origin = "%s://%s" % (
-            "https" if request.is_secure() else "http",
-            good_host,
-        )
-        if request_origin == good_origin:
+        good_host = ""
+    if good_host:
+        _append_candidate(default_scheme, good_host)
+
+    return candidates
+
+
+def _origin_verified_with_subnets(self, request):
+    request_origin = request.META["HTTP_ORIGIN"]
+    allowed_hosts = _get_allowed_hosts()
+    normalized_origin = _normalized_request_origin(request_origin)
+    if normalized_origin is None:
+        return _original_origin_verified(self, request)
+
+    origin_ip = _extract_ip_from_host(normalized_origin[1])
+
+    for candidate in _candidate_origin_tuples(request, allowed_hosts):
+        if candidate == normalized_origin:
             return True
-        try:
-            origin_host = urlsplit(request_origin).hostname
-            origin_ip = ipaddress.ip_address(origin_host)
-            request_ip = ipaddress.ip_address(good_host.split(":")[0])
-        except ValueError:
-            pass
-        else:
-            for pattern in ALLOWED_HOSTS:
+
+        candidate_ip = _extract_ip_from_host(candidate[1])
+        if origin_ip and candidate_ip:
+            for pattern in allowed_hosts:
                 try:
                     network = ipaddress.ip_network(pattern)
                 except ValueError:
                     continue
-                if origin_ip in network and request_ip in network:
+                if origin_ip in network and candidate_ip in network:
                     return True
     return _original_origin_verified(self, request)
 
@@ -126,6 +332,49 @@ def _origin_verified_with_subnets(self, request):
 CsrfViewMiddleware._origin_verified = _origin_verified_with_subnets
 
 
+def _check_referer_with_forwarded(self, request):
+    referer = request.META.get("HTTP_REFERER")
+    if referer is None:
+        return _original_check_referer(self, request)
+
+    try:
+        parsed = urlsplit(referer)
+    except ValueError:
+        return _original_check_referer(self, request)
+
+    if "" in (parsed.scheme, parsed.netloc):
+        return _original_check_referer(self, request)
+
+    if parsed.scheme.lower() != "https":
+        return _original_check_referer(self, request)
+
+    normalized_referer = _normalize_origin_tuple(parsed.scheme.lower(), parsed.netloc)
+    if normalized_referer is None:
+        return _original_check_referer(self, request)
+
+    allowed_hosts = _get_allowed_hosts()
+    referer_ip = _extract_ip_from_host(normalized_referer[1])
+
+    for candidate in _candidate_origin_tuples(request, allowed_hosts):
+        if candidate == normalized_referer:
+            return
+
+        candidate_ip = _extract_ip_from_host(candidate[1])
+        if referer_ip and candidate_ip:
+            for pattern in allowed_hosts:
+                try:
+                    network = ipaddress.ip_network(pattern)
+                except ValueError:
+                    continue
+                if referer_ip in network and candidate_ip in network:
+                    return
+
+    return _original_check_referer(self, request)
+
+
+CsrfViewMiddleware._check_referer = _check_referer_with_forwarded
+
+
 # Application definition
 
 LOCAL_APPS = [
@@ -134,12 +383,16 @@ LOCAL_APPS = [
     "ocpp",
     "awg",
     "pages",
-    "app",
+    "man",
+    "teams",
 ]
 
 INSTALLED_APPS = [
+    "whitenoise.runserver_nostatic",
     "django.contrib.admin",
     "django.contrib.admindocs",
+    "django_otp",
+    "django_otp.plugins.otp_totp",
     "config.auth_app.AuthConfig",
     "django.contrib.contenttypes",
     "django.contrib.sessions",
@@ -149,7 +402,6 @@ INSTALLED_APPS = [
     "django_object_actions",
     "django.contrib.sites",
     "channels",
-    "config.workgroup_app.WorkgroupConfig",
     "config.horologia_app.HorologiaConfig",
 ] + LOCAL_APPS
 
@@ -163,15 +415,35 @@ if DEBUG:
 
 SITE_ID = 1
 
+_original_get_current_site = sites_shortcuts.get_current_site
+
+
+def _get_current_site_with_request_fallback(request=None):
+    try:
+        return _original_get_current_site(request)
+    except Exception as exc:
+        from django.contrib.sites.models import Site
+
+        if request is not None and isinstance(exc, Site.DoesNotExist):
+            return RequestSite(request)
+        raise
+
+
+sites_shortcuts.get_current_site = _get_current_site_with_request_fallback
+
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
+    "whitenoise.middleware.WhiteNoiseMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "config.middleware.ActiveAppMiddleware",
     "django.middleware.locale.LocaleMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django_otp.middleware.OTPMiddleware",
     "core.middleware.AdminHistoryMiddleware",
+    "core.middleware.SigilContextMiddleware",
+    "pages.middleware.ViewHistoryMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
@@ -187,6 +459,9 @@ if DEBUG:
 
 CSRF_FAILURE_VIEW = "pages.views.csrf_failure"
 
+# Allow staff TODO pages to embed internal admin views inside iframes.
+X_FRAME_OPTIONS = "SAMEORIGIN"
+
 ROOT_URLCONF = "config.urls"
 
 TEMPLATES = [
@@ -214,15 +489,43 @@ ASGI_APPLICATION = "config.asgi.application"
 CHANNEL_LAYERS = {"default": {"BACKEND": "channels.layers.InMemoryChannelLayer"}}
 
 
+# MCP sigil resolver configuration
+def _env_int(name: str, default: int) -> int:
+    try:
+        return int(os.environ.get(name, default))
+    except (TypeError, ValueError):  # pragma: no cover - defensive
+        return default
+
+
+def _split_env_list(name: str) -> list[str]:
+    raw = os.environ.get(name)
+    if not raw:
+        return []
+    return [item.strip() for item in raw.split(",") if item.strip()]
+
+
+MCP_SIGIL_SERVER = {
+    "host": os.environ.get("MCP_SIGIL_HOST", "127.0.0.1"),
+    "port": _env_int("MCP_SIGIL_PORT", 8800),
+    "api_keys": _split_env_list("MCP_SIGIL_API_KEYS"),
+    "required_scopes": ["sigils:read"],
+    "issuer_url": os.environ.get("MCP_SIGIL_ISSUER_URL"),
+    "resource_server_url": os.environ.get("MCP_SIGIL_RESOURCE_URL"),
+}
+
+
 # Custom user model
 AUTH_USER_MODEL = "core.User"
 
 # Enable RFID authentication backend and restrict default admin login to localhost
 AUTHENTICATION_BACKENDS = [
     "core.backends.LocalhostAdminBackend",
+    "core.backends.TOTPBackend",
     "core.backends.RFIDBackend",
 ]
 
+# Issuer name used when generating otpauth URLs for authenticator apps.
+OTP_TOTP_ISSUER = os.environ.get("OTP_TOTP_ISSUER", "Arthexis")
 
 # Database
 # https://docs.djangoproject.com/en/5.2/ref/settings/#databases
@@ -240,7 +543,7 @@ def _postgres_available() -> bool:
         "password": os.environ.get("POSTGRES_PASSWORD", ""),
         "host": os.environ.get("POSTGRES_HOST", "localhost"),
         "port": os.environ.get("POSTGRES_PORT", "5432"),
-        "connect_timeout": 1,
+        "connect_timeout": 10,
     }
     try:
         with contextlib.closing(psycopg.connect(**params)):
@@ -259,6 +562,9 @@ if _postgres_available():
             "HOST": os.environ.get("POSTGRES_HOST", "localhost"),
             "PORT": os.environ.get("POSTGRES_PORT", "5432"),
             "OPTIONS": {"options": "-c timezone=UTC"},
+            "TEST": {
+                "NAME": f"{os.environ.get('POSTGRES_DB', 'postgres')}_test",
+            },
         }
     }
 else:
@@ -266,7 +572,8 @@ else:
         "default": {
             "ENGINE": "django.db.backends.sqlite3",
             "NAME": BASE_DIR / "db.sqlite3",
-            "OPTIONS": {"timeout": 30},
+            "OPTIONS": {"timeout": 60},
+            "TEST": {"NAME": BASE_DIR / "test_db.sqlite3"},
         }
     }
 
@@ -296,8 +603,10 @@ AUTH_PASSWORD_VALIDATORS = [
 LANGUAGE_CODE = "en-us"
 
 LANGUAGES = [
-    ("en", _("English")),
     ("es", _("Spanish")),
+    ("en", _("English")),
+    ("it", _("Italian")),
+    ("de", _("German")),
 ]
 
 LOCALE_PATHS = [BASE_DIR / "locale"]
@@ -313,10 +622,13 @@ USE_TZ = True
 # https://docs.djangoproject.com/en/5.2/howto/static-files/
 
 STATIC_URL = "/static/"
+STATIC_ROOT = BASE_DIR / "static"
+STATICFILES_STORAGE = "whitenoise.storage.CompressedManifestStaticFilesStorage"
 MEDIA_URL = "/media/"
 MEDIA_ROOT = BASE_DIR / "media"
 
 # Email settings
+EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
 DEFAULT_FROM_EMAIL = "arthexis@gmail.com"
 SERVER_EMAIL = DEFAULT_FROM_EMAIL
 
@@ -325,15 +637,15 @@ SERVER_EMAIL = DEFAULT_FROM_EMAIL
 
 DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 
-# Bluesky domain account (optional)
-BSKY_HANDLE = os.environ.get("BSKY_HANDLE")
-BSKY_APP_PASSWORD = os.environ.get("BSKY_APP_PASSWORD")
+# GitHub issue reporting
+GITHUB_ISSUE_REPORTING_ENABLED = True
+GITHUB_ISSUE_REPORTING_COOLDOWN = 3600  # seconds
 
 # Logging configuration
-LOG_DIR = BASE_DIR / "logs"
-LOG_DIR.mkdir(exist_ok=True)
+LOG_DIR = select_log_dir(BASE_DIR)
+os.environ.setdefault("ARTHEXIS_LOG_DIR", str(LOG_DIR))
 OLD_LOG_DIR = LOG_DIR / "old"
-OLD_LOG_DIR.mkdir(exist_ok=True)
+OLD_LOG_DIR.mkdir(parents=True, exist_ok=True)
 LOG_FILE_NAME = "tests.log" if "test" in sys.argv else f"{socket.gethostname()}.log"
 
 LOGGING = {
@@ -368,8 +680,11 @@ CELERY_BEAT_SCHEDULER = "django_celery_beat.schedulers:DatabaseScheduler"
 
 CELERY_BEAT_SCHEDULE = {
     "heartbeat": {
-        "task": "app.tasks.heartbeat",
+        "task": "core.tasks.heartbeat",
         "schedule": crontab(minute="*/5"),
-    }
+    },
+    "birthday_greetings": {
+        "task": "core.tasks.birthday_greetings",
+        "schedule": crontab(hour=9, minute=0),
+    },
 }
-