arthexis 0.1.9__py3-none-any.whl → 0.1.10__py3-none-any.whl

core/auto_upgrade.py

@@ -0,0 +1,57 @@
+"""Helpers for managing the auto-upgrade scheduler."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from django.conf import settings
+
+
+AUTO_UPGRADE_TASK_NAME = "auto-upgrade-check"
+AUTO_UPGRADE_TASK_PATH = "core.tasks.check_github_updates"
+
+
+def ensure_auto_upgrade_periodic_task(
+    sender=None, *, base_dir: Path | None = None, **kwargs
+) -> None:
+    """Ensure the auto-upgrade periodic task exists.
+
+    The function is signal-safe so it can be wired to Django's
+    ``post_migrate`` hook. When called directly the ``sender`` and
+    ``**kwargs`` parameters are ignored.
+    """
+
+    del sender, kwargs  # Unused when invoked as a Django signal handler.
+
+    if base_dir is None:
+        base_dir = Path(settings.BASE_DIR)
+    else:
+        base_dir = Path(base_dir)
+
+    lock_dir = base_dir / "locks"
+    mode_file = lock_dir / "auto_upgrade.lck"
+    if not mode_file.exists():
+        return
+
+    try:  # pragma: no cover - optional dependency failures
+        from django_celery_beat.models import IntervalSchedule, PeriodicTask
+        from django.db.utils import OperationalError, ProgrammingError
+    except Exception:
+        return
+
+    mode = mode_file.read_text().strip() or "version"
+    interval_minutes = 5 if mode == "latest" else 10
+
+    try:
+        schedule, _ = IntervalSchedule.objects.get_or_create(
+            every=interval_minutes, period=IntervalSchedule.MINUTES
+        )
+        PeriodicTask.objects.update_or_create(
+            name=AUTO_UPGRADE_TASK_NAME,
+            defaults={
+                "interval": schedule,
+                "task": AUTO_UPGRADE_TASK_PATH,
+            },
+        )
+    except (OperationalError, ProgrammingError):  # pragma: no cover - DB not ready
+        return

core/backends.py

@@ -4,12 +4,66 @@ import contextlib
 import ipaddress
 import socket
 
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.backends import ModelBackend
+from django.core.exceptions import DisallowedHost
+from django.http.request import split_domain_port
+from django_otp.plugins.otp_totp.models import TOTPDevice
 
 from .models import EnergyAccount
 
 
+TOTP_DEVICE_NAME = "authenticator"
+
+
+class TOTPBackend(ModelBackend):
+    """Authenticate using a TOTP code from an enrolled authenticator app."""
+
+    def authenticate(self, request, username=None, otp_token=None, **kwargs):
+        if not username or otp_token in (None, ""):
+            return None
+
+        token = str(otp_token).strip().replace(" ", "")
+        if not token:
+            return None
+
+        UserModel = get_user_model()
+        try:
+            user = UserModel._default_manager.get_by_natural_key(username)
+        except UserModel.DoesNotExist:
+            return None
+
+        if not user.is_active:
+            return None
+
+        device_qs = TOTPDevice.objects.filter(user=user, confirmed=True)
+        if TOTP_DEVICE_NAME:
+            device_qs = device_qs.filter(name=TOTP_DEVICE_NAME)
+
+        device = device_qs.order_by("-id").first()
+        if device is None:
+            return None
+
+        try:
+            verified = device.verify_token(token)
+        except Exception:
+            return None
+
+        if not verified:
+            return None
+
+        user.otp_device = device
+        return user
+
+    def get_user(self, user_id):
+        UserModel = get_user_model()
+        try:
+            return UserModel._default_manager.get(pk=user_id)
+        except UserModel.DoesNotExist:
+            return None
+
+
 class RFIDBackend:
     """Authenticate using a user's RFID."""
 
@@ -69,15 +123,33 @@ def _collect_local_ip_addresses():
 class LocalhostAdminBackend(ModelBackend):
     """Allow default admin credentials only from local networks."""
 
-    _ALLOWED_NETWORKS = [
+    _ALLOWED_NETWORKS = (
         ipaddress.ip_network("::1/128"),
         ipaddress.ip_network("127.0.0.0/8"),
+        ipaddress.ip_network("10.42.0.0/16"),
         ipaddress.ip_network("192.168.0.0/16"),
-    ]
+    )
+    _CONTROL_ALLOWED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)
     _LOCAL_IPS = _collect_local_ip_addresses()
 
+    def _iter_allowed_networks(self):
+        yield from self._ALLOWED_NETWORKS
+        if getattr(settings, "NODE_ROLE", "") == "Control":
+            yield from self._CONTROL_ALLOWED_NETWORKS
+
     def authenticate(self, request, username=None, password=None, **kwargs):
         if username == "admin" and password == "admin" and request is not None:
+            try:
+                host = request.get_host()
+            except DisallowedHost:
+                return None
+            host, _port = split_domain_port(host)
+            if host.startswith("[") and host.endswith("]"):
+                host = host[1:-1]
+            try:
+                ipaddress.ip_address(host)
+            except ValueError:
+                return None
             forwarded = request.META.get("HTTP_X_FORWARDED_FOR")
             if forwarded:
                 remote = forwarded.split(",")[0].strip()
@@ -87,7 +159,7 @@ class LocalhostAdminBackend(ModelBackend):
                 ip = ipaddress.ip_address(remote)
             except ValueError:
                 return None
-            allowed = any(ip in net for net in self._ALLOWED_NETWORKS)
+            allowed = any(ip in net for net in self._iter_allowed_networks())
             if not allowed and ip in self._LOCAL_IPS:
                 allowed = True
             if not allowed:
@@ -100,6 +172,8 @@ class LocalhostAdminBackend(ModelBackend):
                     "is_superuser": True,
                 },
             )
+            if not created and not user.is_active:
+                return None
             arthexis_user = (
                 User.all_objects.filter(username="arthexis").exclude(pk=user.pk).first()
             )

core/fields.py

@@ -1,5 +1,10 @@
+from dataclasses import dataclass
+import re
+import sqlite3
+
 from django.db import models
 from django.db.models.fields import DeferredAttribute
+from django.utils.translation import gettext_lazy as _
 
 
 class _BaseSigilDescriptor(DeferredAttribute):
@@ -73,3 +78,91 @@ class SigilShortAutoField(SigilAutoFieldMixin, models.CharField):
 
 class SigilLongAutoField(SigilAutoFieldMixin, models.TextField):
     pass
+
+
+class ConditionEvaluationError(Exception):
+    """Raised when a condition expression cannot be evaluated."""
+
+
+@dataclass
+class ConditionCheckResult:
+    """Represents the outcome of evaluating a condition field."""
+
+    passed: bool
+    resolved: str
+    error: str | None = None
+
+
+_COMMENT_PATTERN = re.compile(r"(--|/\*)")
+_FORBIDDEN_KEYWORDS = re.compile(
+    r"\b(ATTACH|DETACH|ALTER|ANALYZE|CREATE|DROP|INSERT|UPDATE|DELETE|REPLACE|"
+    r"VACUUM|TRIGGER|TABLE|INDEX|VIEW|PRAGMA|BEGIN|COMMIT|ROLLBACK|SAVEPOINT|WITH)\b",
+    re.IGNORECASE,
+)
+
+
+def _evaluate_sql_condition(expression: str) -> bool:
+    """Evaluate a SQL expression in an isolated SQLite connection."""
+
+    if ";" in expression:
+        raise ConditionEvaluationError(
+            _("Semicolons are not allowed in conditions."),
+        )
+    if _COMMENT_PATTERN.search(expression):
+        raise ConditionEvaluationError(
+            _("SQL comments are not allowed in conditions."),
+        )
+    match = _FORBIDDEN_KEYWORDS.search(expression)
+    if match:
+        raise ConditionEvaluationError(
+            _("Disallowed keyword in condition: %(keyword)s")
+            % {"keyword": match.group(1)},
+        )
+
+    try:
+        conn = sqlite3.connect(":memory:")
+        try:
+            conn.execute("PRAGMA trusted_schema = OFF")
+            conn.execute("PRAGMA foreign_keys = OFF")
+            try:
+                conn.enable_load_extension(False)
+            except AttributeError:
+                # ``enable_load_extension`` is not available on some platforms.
+                pass
+            cursor = conn.execute(
+                f"SELECT CASE WHEN ({expression}) THEN 1 ELSE 0 END"
+            )
+            row = cursor.fetchone()
+            return bool(row[0]) if row else False
+        finally:
+            conn.close()
+    except sqlite3.Error as exc:  # pragma: no cover - exact error message varies
+        raise ConditionEvaluationError(str(exc)) from exc
+
+
+class ConditionTextField(models.TextField):
+    """Field storing a conditional SQL expression resolved through [sigils]."""
+
+    def evaluate(self, instance) -> ConditionCheckResult:
+        """Evaluate the stored expression for ``instance``."""
+
+        value = self.value_from_object(instance)
+        if hasattr(instance, "resolve_sigils"):
+            resolved = instance.resolve_sigils(self.name)
+        else:
+            resolved = value
+
+        if resolved is None:
+            resolved_text = ""
+        else:
+            resolved_text = str(resolved)
+
+        resolved_text = resolved_text.strip()
+        if not resolved_text:
+            return ConditionCheckResult(True, resolved_text)
+
+        try:
+            passed = _evaluate_sql_condition(resolved_text)
+            return ConditionCheckResult(passed, resolved_text)
+        except ConditionEvaluationError as exc:
+            return ConditionCheckResult(False, resolved_text, str(exc))

core/models.py

@@ -9,12 +9,12 @@ from django.db.models.functions import Lower
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.utils.translation import gettext_lazy as _
-from django.core.validators import RegexValidator
+from django.core.validators import MaxValueValidator, MinValueValidator, RegexValidator
 from django.core.exceptions import ValidationError
 from django.apps import apps
 from django.db.models.signals import m2m_changed, post_delete, post_save
 from django.dispatch import receiver
-from datetime import timedelta
+from datetime import time as datetime_time, timedelta
 from django.contrib.contenttypes.models import ContentType
 import hashlib
 import os
@@ -39,7 +39,11 @@ xmlrpc_client = defused_xmlrpc.xmlrpc_client
 from .entity import Entity, EntityUserManager, EntityManager
 from .release import Package as ReleasePackage, Credentials, DEFAULT_PACKAGE
 from . import user_data  # noqa: F401 - ensure signal registration
-from .fields import SigilShortAutoField
+from .fields import (
+    SigilShortAutoField,
+    ConditionTextField,
+    ConditionCheckResult,
+)
 
 
 class SecurityGroup(Group):
@@ -225,7 +229,7 @@ class InviteLead(Lead):
 
 
 class PublicWifiAccess(Entity):
-    """Allow public Wi-Fi clients onto the wider internet."""
+    """Represent a Wi-Fi lease granted to a client for internet access."""
 
     user = models.ForeignKey(
         settings.AUTH_USER_MODEL,
@@ -239,8 +243,8 @@ class PublicWifiAccess(Entity):
 
     class Meta:
         unique_together = ("user", "mac_address")
-        verbose_name = "Public Wi-Fi Access"
-        verbose_name_plural = "Public Wi-Fi Access"
+        verbose_name = "Wi-Fi Lease"
+        verbose_name_plural = "Wi-Fi Leases"
 
     def __str__(self) -> str:  # pragma: no cover - simple representation
         return f"{self.user} -> {self.mac_address}"
@@ -265,7 +269,7 @@ def _cleanup_public_wifi_on_delete(sender, instance, **kwargs):
 class User(Entity, AbstractUser):
     SYSTEM_USERNAME = "arthexis"
     ADMIN_USERNAME = "admin"
-    PROFILE_RESTRICTED_USERNAMES = frozenset({SYSTEM_USERNAME, ADMIN_USERNAME})
+    PROFILE_RESTRICTED_USERNAMES = frozenset()
 
     objects = EntityUserManager()
     all_objects = DjangoUserManager()
@@ -844,6 +848,9 @@ class Reference(Entity):
     include_in_footer = models.BooleanField(
         default=False, verbose_name="Include in Footer"
     )
+    show_in_header = models.BooleanField(
+        default=False, verbose_name="Show in Header"
+    )
     FOOTER_PUBLIC = "public"
     FOOTER_PRIVATE = "private"
     FOOTER_STAFF = "staff"
@@ -1046,6 +1053,195 @@ class RFID(Entity):
         db_table = "core_rfid"
 
 
+class EnergyTariffManager(EntityManager):
+    def get_by_natural_key(
+        self,
+        year: int,
+        season: str,
+        zone: str,
+        contract_type: str,
+        period: str,
+        unit: str,
+        start_time,
+        end_time,
+    ):
+        if isinstance(start_time, str):
+            start_time = datetime_time.fromisoformat(start_time)
+        if isinstance(end_time, str):
+            end_time = datetime_time.fromisoformat(end_time)
+        return self.get(
+            year=year,
+            season=season,
+            zone=zone,
+            contract_type=contract_type,
+            period=period,
+            unit=unit,
+            start_time=start_time,
+            end_time=end_time,
+        )
+
+
+class EnergyTariff(Entity):
+    class Zone(models.TextChoices):
+        ONE = "1", _("Zone 1")
+        ONE_A = "1A", _("Zone 1A")
+        ONE_B = "1B", _("Zone 1B")
+        ONE_C = "1C", _("Zone 1C")
+        ONE_D = "1D", _("Zone 1D")
+        ONE_E = "1E", _("Zone 1E")
+        ONE_F = "1F", _("Zone 1F")
+
+    class Season(models.TextChoices):
+        ANNUAL = "annual", _("All year")
+        SUMMER = "summer", _("Summer season")
+        NON_SUMMER = "non_summer", _("Non-summer season")
+
+    class Period(models.TextChoices):
+        FLAT = "flat", _("Flat rate")
+        BASIC = "basic", _("Basic block")
+        INTERMEDIATE_1 = "intermediate_1", _("Intermediate block 1")
+        INTERMEDIATE_2 = "intermediate_2", _("Intermediate block 2")
+        EXCESS = "excess", _("Excess consumption")
+        BASE = "base", _("Base")
+        INTERMEDIATE = "intermediate", _("Intermediate")
+        PEAK = "peak", _("Peak")
+        CRITICAL_PEAK = "critical_peak", _("Critical peak")
+        DEMAND = "demand", _("Demand charge")
+        CAPACITY = "capacity", _("Capacity charge")
+        DISTRIBUTION = "distribution", _("Distribution charge")
+        FIXED = "fixed", _("Fixed charge")
+
+    class ContractType(models.TextChoices):
+        DOMESTIC = "domestic", _("Domestic service (Tarifa 1)")
+        DAC = "dac", _("High consumption domestic (DAC)")
+        PDBT = "pdbt", _("General service low demand (PDBT)")
+        GDBT = "gdbt", _("General service high demand (GDBT)")
+        GDMTO = "gdmto", _("General distribution medium tension (GDMTO)")
+        GDMTH = "gdmth", _("General distribution medium tension hourly (GDMTH)")
+
+    class Unit(models.TextChoices):
+        KWH = "kwh", _("Kilowatt-hour")
+        KW = "kw", _("Kilowatt")
+        MONTH = "month", _("Monthly charge")
+
+    year = models.PositiveIntegerField(
+        validators=[MinValueValidator(2000)],
+        help_text=_("Calendar year when the tariff applies."),
+    )
+    season = models.CharField(
+        max_length=16,
+        choices=Season.choices,
+        default=Season.ANNUAL,
+        help_text=_("Season or applicability window defined by CFE."),
+    )
+    zone = models.CharField(
+        max_length=3,
+        choices=Zone.choices,
+        help_text=_("CFE climate zone associated with the tariff."),
+    )
+    contract_type = models.CharField(
+        max_length=16,
+        choices=ContractType.choices,
+        help_text=_("Type of service contract regulated by CFE."),
+    )
+    period = models.CharField(
+        max_length=32,
+        choices=Period.choices,
+        help_text=_("Tariff block, demand component, or time-of-use period."),
+    )
+    unit = models.CharField(
+        max_length=16,
+        choices=Unit.choices,
+        default=Unit.KWH,
+        help_text=_("Measurement unit for the tariff charge."),
+    )
+    start_time = models.TimeField(
+        help_text=_("Start time for the tariff's applicability window."),
+    )
+    end_time = models.TimeField(
+        help_text=_("End time for the tariff's applicability window."),
+    )
+    price_mxn = models.DecimalField(
+        max_digits=10,
+        decimal_places=4,
+        help_text=_("Customer price per unit in MXN."),
+    )
+    cost_mxn = models.DecimalField(
+        max_digits=10,
+        decimal_places=4,
+        help_text=_("Provider cost per unit in MXN."),
+    )
+    notes = models.TextField(
+        blank=True,
+        default="",
+        help_text=_("Context or special billing conditions published by CFE."),
+    )
+
+    objects = EnergyTariffManager()
+
+    class Meta:
+        verbose_name = _("Energy Tariff")
+        verbose_name_plural = _("Energy Tariffs")
+        ordering = (
+            "-year",
+            "season",
+            "zone",
+            "contract_type",
+            "period",
+            "start_time",
+        )
+        constraints = [
+            models.UniqueConstraint(
+                fields=[
+                    "year",
+                    "season",
+                    "zone",
+                    "contract_type",
+                    "period",
+                    "unit",
+                    "start_time",
+                    "end_time",
+                ],
+                name="uniq_energy_tariff_schedule",
+            )
+        ]
+        indexes = [
+            models.Index(
+                fields=["year", "season", "zone", "contract_type"],
+                name="energy_tariff_scope_idx",
+            )
+        ]
+
+    def clean(self):
+        super().clean()
+        if self.start_time >= self.end_time:
+            raise ValidationError(
+                {"end_time": _("End time must be after the start time.")}
+            )
+
+    def __str__(self):  # pragma: no cover - simple representation
+        return _("%(contract)s %(zone)s %(season)s %(year)s (%(period)s)") % {
+            "contract": self.get_contract_type_display(),
+            "zone": self.zone,
+            "season": self.get_season_display(),
+            "year": self.year,
+            "period": self.get_period_display(),
+        }
+
+    def natural_key(self):  # pragma: no cover - simple representation
+        return (
+            self.year,
+            self.season,
+            self.zone,
+            self.contract_type,
+            self.period,
+            self.unit,
+            self.start_time.isoformat(),
+            self.end_time.isoformat(),
+        )
+
+    natural_key.dependencies = []  # type: ignore[attr-defined]
+
 class EnergyAccount(Entity):
     """Track kW energy credits for a user."""
 
@@ -2162,6 +2358,7 @@ class Todo(Entity):
     )
     request_details = models.TextField(blank=True, default="")
     done_on = models.DateTimeField(null=True, blank=True)
+    on_done_condition = ConditionTextField(blank=True, default="")
 
     objects = TodoManager()
 
@@ -2193,3 +2390,11 @@ class Todo(Entity):
         return (self.request,)
 
     natural_key.dependencies = []
+
+    def check_on_done_condition(self) -> ConditionCheckResult:
+        """Evaluate the ``on_done_condition`` field for this TODO."""
+
+        field = self._meta.get_field("on_done_condition")
+        if isinstance(field, ConditionTextField):
+            return field.evaluate(self)
+        return ConditionCheckResult(True, "")

core/reference_utils.py

@@ -0,0 +1,97 @@
+"""Utility helpers for working with Reference objects."""
+
+from __future__ import annotations
+
+from typing import Iterable, TYPE_CHECKING
+
+from django.contrib.sites.models import Site
+
+if TYPE_CHECKING:  # pragma: no cover - imported only for type checking
+    from django.http import HttpRequest
+    from nodes.models import Node
+    from .models import Reference
+
+
+def filter_visible_references(
+    refs: Iterable["Reference"],
+    *,
+    request: "HttpRequest | None" = None,
+    site: Site | None = None,
+    node: "Node | None" = None,
+    respect_footer_visibility: bool = True,
+) -> list["Reference"]:
+    """Return references visible for the current context."""
+
+    if site is None and request is not None:
+        try:
+            host = request.get_host().split(":")[0]
+        except Exception:
+            host = ""
+        if host:
+            site = Site.objects.filter(domain__iexact=host).first()
+
+    site_id = site.pk if site else None
+
+    if node is None:
+        try:
+            from nodes.models import Node  # imported lazily to avoid circular import
+
+            node = Node.get_local()
+        except Exception:
+            node = None
+
+    node_role_id = getattr(node, "role_id", None)
+    node_feature_ids: set[int] = set()
+    if node is not None:
+        features_manager = getattr(node, "features", None)
+        if features_manager is not None:
+            try:
+                node_feature_ids = set(
+                    features_manager.values_list("pk", flat=True)
+                )
+            except Exception:
+                node_feature_ids = set()
+
+    visible_refs: list["Reference"] = []
+    for ref in refs:
+        required_roles = {role.pk for role in ref.roles.all()}
+        required_features = {feature.pk for feature in ref.features.all()}
+        required_sites = {current_site.pk for current_site in ref.sites.all()}
+
+        if required_roles or required_features or required_sites:
+            allowed = False
+            if required_roles and node_role_id and node_role_id in required_roles:
+                allowed = True
+            elif (
+                required_features
+                and node_feature_ids
+                and node_feature_ids.intersection(required_features)
+            ):
+                allowed = True
+            elif required_sites and site_id and site_id in required_sites:
+                allowed = True
+
+            if not allowed:
+                continue
+
+        if respect_footer_visibility:
+            if ref.footer_visibility == ref.FOOTER_PUBLIC:
+                visible_refs.append(ref)
+            elif (
+                ref.footer_visibility == ref.FOOTER_PRIVATE
+                and request
+                and request.user.is_authenticated
+            ):
+                visible_refs.append(ref)
+            elif (
+                ref.footer_visibility == ref.FOOTER_STAFF
+                and request
+                and request.user.is_authenticated
+                and request.user.is_staff
+            ):
+                visible_refs.append(ref)
+        else:
+            visible_refs.append(ref)
+
+    return visible_refs
+

core/sigil_builder.py

@@ -88,16 +88,27 @@ def _sigil_builder_view(request):
 
     sigils_text = ""
     resolved_text = ""
+    show_sigils_input = True
+    show_result = False
     if request.method == "POST":
         sigils_text = request.POST.get("sigils_text", "")
+        source_text = sigils_text
         upload = request.FILES.get("sigils_file")
         if upload:
-            sigils_text = upload.read().decode("utf-8", errors="ignore")
+            source_text = upload.read().decode("utf-8", errors="ignore")
+            show_sigils_input = False
         else:
             single = request.POST.get("sigil", "")
             if single:
-                sigils_text = f"[{single}]" if not single.startswith("[") else single
-        resolved_text = resolve_sigils_in_text(sigils_text) if sigils_text else ""
+                source_text = (
+                    f"[{single}]" if not single.startswith("[") else single
+                )
+                sigils_text = source_text
+        if source_text:
+            resolved_text = resolve_sigils_in_text(source_text)
+            show_result = True
+        if upload:
+            sigils_text = ""
 
     context = admin.site.each_context(request)
     context.update(
@@ -108,6 +119,8 @@ def _sigil_builder_view(request):
             "auto_fields": auto_fields,
             "sigils_text": sigils_text,
             "resolved_text": resolved_text,
+            "show_sigils_input": show_sigils_input,
+            "show_result": show_result,
         }
     )
     return TemplateResponse(request, "admin/sigil_builder.html", context)