c2cgeoportal-geoportal 2.3.5.80__py3-none-any.whl → 2.9rc45__py3-none-any.whl

c2cgeoportal_geoportal/lib/__init__.py

@@ -0,0 +1,256 @@
+# Copyright (c) 2011-2024, Camptocamp SA
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# The views and conclusions contained in the software and documentation are those
+# of the authors and should not be interpreted as representing official policies,
+# either expressed or implied, of the FreeBSD Project.
+
+
+import datetime
+import ipaddress
+import json
+import logging
+import re
+from collections.abc import Iterable
+from string import Formatter
+from typing import Any, cast
+
+import dateutil
+import pyramid.request
+import pyramid.response
+from pyramid.interfaces import IRoutePregenerator
+from zope.interface import implementer
+
+from c2cgeoportal_commons.lib.url import get_url2
+from c2cgeoportal_geoportal.lib.cacheversion import get_cache_version
+from c2cgeoportal_geoportal.lib.caching import get_region
+
+_LOG = logging.getLogger(__name__)
+_CACHE_REGION = get_region("std")
+_CACHE_REGION_OBJ = get_region("obj")
+
+
+def get_types_map(types_array: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
+    """Get the type name of a metadata or a functionality."""
+    return {type_["name"]: type_ for type_ in types_array}
+
+
+def get_typed(
+    name: str,
+    value: str,
+    types: dict[str, Any],
+    request: pyramid.request.Request,
+    errors: set[str],
+    layer_name: str | None = None,
+) -> str | int | float | bool | None | list[Any] | dict[str, Any]:
+    """Get the typed (parsed) value of a metadata or a functionality."""
+    prefix = f"Layer '{layer_name}': " if layer_name is not None else ""
+    type_ = {"type": "not init"}
+    try:
+        if name not in types:
+            errors.add(f"{prefix}Type '{name}' not defined.")
+            return None
+        type_ = types[name]
+        if type_.get("type", "string") == "string":
+            return value
+        if type_["type"] == "list":
+            return [v.strip() for v in value.split(",")]
+        if type_["type"] == "boolean":
+            value = value.lower()
+            if value in ["yes", "y", "on", "1", "true"]:
+                return True
+            if value in ["no", "n", "off", "0", "false"]:
+                return False
+            errors.add(
+                f"{prefix}The boolean attribute '{name}'='{value.lower()}' is not in "
+                "[yes, y, on, 1, true, no, n, off, 0, false]."
+            )
+        elif type_["type"] == "integer":
+            return int(value)
+        elif type_["type"] == "float":
+            return float(value)
+        elif type_["type"] == "date":
+            date = dateutil.parser.parse(value, default=datetime.datetime(1, 1, 1, 0, 0, 0))
+            if date.time() != datetime.time(0, 0, 0):
+                errors.add(f"{prefix}The date attribute '{name}'='{value}' should not have any time")
+            else:
+                return datetime.date.strftime(date.date(), "%Y-%m-%d")
+        elif type_["type"] == "time":
+            date = dateutil.parser.parse(value, default=datetime.datetime(1, 1, 1, 0, 0, 0))
+            if date.date() != datetime.date(1, 1, 1):
+                errors.add(f"{prefix}The time attribute '{name}'='{value}' should not have any date")
+            else:
+                return datetime.time.strftime(date.time(), "%H:%M:%S")
+        elif type_["type"] == "datetime":
+            date = dateutil.parser.parse(value, default=datetime.datetime(1, 1, 1, 0, 0, 0))
+            return datetime.datetime.strftime(date, "%Y-%m-%dT%H:%M:%S")
+        elif type_["type"] == "url":
+            url = get_url2(f"{prefix}The attribute '{name}'", value, request, errors)
+            return url.url() if url else ""
+        elif type_["type"] == "json":
+            try:
+                return cast(dict[str, Any], json.loads(value))
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                errors.add(f"{prefix}The attribute '{name}'='{value}' has an error: {str(e)}")
+        elif type_["type"] == "regex":
+            pattern = type_["regex"]
+            if re.match(pattern, value) is None:
+                errors.add(
+                    f"{prefix}The regex attribute '{name}'='{value}' "
+                    f"does not match expected pattern '{pattern}'."
+                )
+            else:
+                return value
+        else:
+            errors.add(f"{prefix}Unknown type '{type_['type']}'.")
+    except Exception as e:  # pylint: disable=broad-exception-caught
+        errors.add(
+            f"{prefix}Unable to parse the attribute '{name}'='{value}' with the type "
+            f"'{type_.get('type', 'string')}', error:\n{e!s}"
+        )
+    return None
+
+
+def get_setting(settings: Any, path: Iterable[str], default: Any = None) -> Any:
+    """Get the settings."""
+    value = settings
+    for p in path:
+        if value and p in value:
+            value = value[p]
+        else:
+            return default
+    return value if value else default
+
+
+@_CACHE_REGION_OBJ.cache_on_arguments()
+def get_ogc_server_wms_url_ids(request: pyramid.request.Request, host: str) -> dict[str, list[int]]:
+    """Get the OGCServer ids mapped on the WMS URL."""
+    from c2cgeoportal_commons.models import DBSession  # pylint: disable=import-outside-toplevel
+    from c2cgeoportal_commons.models.main import OGCServer  # pylint: disable=import-outside-toplevel
+
+    del host  # used for cache
+    assert DBSession is not None
+
+    errors: set[str] = set()
+    servers: dict[str, list[int]] = {}
+    for ogc_server in DBSession.query(OGCServer).all():
+        url = get_url2(ogc_server.name, ogc_server.url, request, errors)
+        if url is not None:
+            servers.setdefault(url.url(), []).append(ogc_server.id)
+    return servers
+
+
+@_CACHE_REGION_OBJ.cache_on_arguments()
+def get_ogc_server_wfs_url_ids(request: pyramid.request.Request, host: str) -> dict[str, list[int]]:
+    """Get the OGCServer ids mapped on the WFS URL."""
+    from c2cgeoportal_commons.models import DBSession  # pylint: disable=import-outside-toplevel
+    from c2cgeoportal_commons.models.main import OGCServer  # pylint: disable=import-outside-toplevel
+
+    del host  # used for cache
+    assert DBSession is not None
+
+    errors: set[str] = set()
+    servers: dict[str, list[int]] = {}
+    for ogc_server in DBSession.query(OGCServer).all():
+        url = get_url2(ogc_server.name, ogc_server.url_wfs or ogc_server.url, request, errors)
+        if url is not None:
+            servers.setdefault(url.url(), []).append(ogc_server.id)
+    return servers
+
+
+@implementer(IRoutePregenerator)
+class C2CPregenerator:
+    """The custom pyramid pregenerator that manage the cache version."""
+
+    def __init__(self, version: bool = True, role: bool = False):
+        self.version = version
+        self.role = role
+
+    def __call__(self, request: pyramid.request.Request, elements: Any, kw: Any) -> tuple[Any, Any]:
+        query = {**kw.get("_query", {})}
+
+        if self.version:
+            query["cache_version"] = get_cache_version()
+
+        if self.role and request.user:
+            # The templates change if the user is logged in or not. Usually it is
+            # the role that is making a difference, but the username is put in
+            # some JS files. So we add the username to hit different cache entries.
+            query["username"] = request.user.username
+
+        kw["_query"] = query
+        return elements, kw
+
+
+_formatter = Formatter()
+
+
+@_CACHE_REGION_OBJ.cache_on_arguments()
+def _get_intranet_networks(
+    request: pyramid.request.Request,
+) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
+    return [
+        ipaddress.ip_network(network, strict=False)
+        for network in request.registry.settings.get("intranet", {}).get("networks", [])
+    ]
+
+
+@_CACHE_REGION.cache_on_arguments()
+def get_role_id(name: str) -> int:
+    """Get the role ID."""
+    from c2cgeoportal_commons.models import DBSession, main  # pylint: disable=import-outside-toplevel
+
+    assert DBSession is not None
+
+    return cast(int, DBSession.query(main.Role.id).filter(main.Role.name == name).one()[0])
+
+
+def get_roles_id(request: pyramid.request.Request) -> list[int]:
+    """Get the user roles ID."""
+    result = [get_role_id(request.get_organization_role("anonymous"))]
+    if is_intranet(request):
+        result.append(get_role_id(request.get_organization_role("intranet")))
+    if request.user is not None:
+        result.append(get_role_id(request.get_organization_role("registered")))
+        result.extend([r.id for r in request.user.roles])
+    return result
+
+
+def get_roles_name(request: pyramid.request.Request) -> pyramid.response.Response:
+    """Get the user roles name."""
+    result = [request.get_organization_role("anonymous")]
+    if is_intranet(request):
+        result.append(request.get_organization_role("intranet"))
+    if request.user is not None:
+        result.append(request.get_organization_role("registered"))
+        result.extend([r.name for r in request.user.roles])
+    return result
+
+
+def is_intranet(request: pyramid.request.Request) -> bool:
+    """Get if it's an intranet user."""
+    address = ipaddress.ip_address(request.client_addr)
+    for network in _get_intranet_networks(request):
+        if address in network:
+            return True
+    return False

c2cgeoportal_geoportal/lib/authentication.py

@@ -0,0 +1,250 @@
+# Copyright (c) 2014-2024, Camptocamp SA
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# The views and conclusions contained in the software and documentation are those
+# of the authors and should not be interpreted as representing official policies,
+# either expressed or implied, of the FreeBSD Project.
+
+
+import binascii
+import json
+import logging
+import os
+import re
+import time
+from collections.abc import Callable
+from typing import Any, cast
+
+import pyramid.request
+from Crypto.Cipher import AES  # nosec
+from pyramid.authentication import (
+    AuthTktAuthenticationPolicy,
+    BasicAuthAuthenticationPolicy,
+    CallbackAuthenticationPolicy,
+)
+from pyramid.interfaces import IAuthenticationPolicy
+from pyramid.security import remember
+from pyramid_multiauth import MultiAuthenticationPolicy
+from zope.interface import implementer
+
+from c2cgeoportal_geoportal.lib import oauth2
+from c2cgeoportal_geoportal.resources import defaultgroupsfinder
+
+_LOG = logging.getLogger(__name__)
+
+_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
+
+
+@implementer(IAuthenticationPolicy)
+class UrlAuthenticationPolicy(CallbackAuthenticationPolicy):  # type: ignore
+    """An authentication policy based on information given in the URL."""
+
+    def __init__(
+        self, aes_key: str, callback: Callable[[str, Any], list[str]] | None = None, debug: bool = False
+    ):
+        self.aeskey = aes_key
+        self.callback = callback
+        self.debug = debug
+
+    def unauthenticated_userid(self, request: pyramid.request.Request) -> str | None:
+        if not request.method == "GET" or "auth" not in request.params:
+            return None
+        auth_enc = request.params.get("auth")
+        if auth_enc is None:
+            return None
+        try:
+            if self.aeskey is None:
+                _LOG.warning("Found auth parameter in URL query string but urllogin is not configured")
+                return None
+
+            if not _HEX_RE.match(auth_enc):
+                _LOG.warning("Found auth parameter in URL query string but it is not an hex string")
+                return None
+
+            if len(auth_enc) % 2 != 0:
+                _LOG.warning(
+                    "Found auth parameter in URL query string but it is not an even number of characters"
+                )
+                return None
+
+            now = int(time.time())
+            data = binascii.unhexlify(auth_enc.encode("ascii"))
+            nonce = data[0:16]
+            tag = data[16:32]
+            ciphertext = data[32:]
+            cipher = AES.new(self.aeskey.encode("ascii"), AES.MODE_EAX, nonce)
+            auth = json.loads(cipher.decrypt_and_verify(ciphertext, tag).decode("utf-8"))
+
+            if "t" in auth and "u" in auth and "p" in auth:
+                timestamp = int(auth["t"])
+
+                if now < timestamp and request.registry.validate_user(request, auth["u"], auth["p"]):
+                    headers = remember(request, auth["u"])
+                    request.response.headerlist.extend(headers)
+                    return cast(str, auth["u"])
+
+        except Exception:  # pylint: disable=broad-exception-caught
+            _LOG.exception("URL login error on auth '%s'.", auth_enc)
+
+        return None
+
+    def remember(self, request: pyramid.request.Request, userid: str, **kw: Any) -> list[dict[str, str]]:
+        """Do no-op."""
+        del request, userid, kw
+        return []
+
+    def forget(self, request: pyramid.request.Request) -> list[dict[str, str]]:
+        """Do no-op."""
+        del request
+        return []
+
+
+@implementer(IAuthenticationPolicy)
+class OAuth2AuthenticationPolicy(CallbackAuthenticationPolicy):  # type: ignore
+    """The oauth2 authentication policy."""
+
+    @staticmethod
+    def unauthenticated_userid(request: pyramid.request.Request) -> str | None:
+        route_url = ""
+        try:
+            route_url = request.current_route_url(_query={**request.GET})
+        except ValueError:
+            route_url = request.route_url("base", _query={**request.GET})
+
+        _LOG.debug(
+            "Call OAuth verify_request with:\nurl: %s\nmethod: %s\nbody:\n%s",
+            route_url,
+            request.method,
+            request.body,
+        )
+        valid, oauth2_request = oauth2.get_oauth_client(request.registry.settings).verify_request(
+            route_url,
+            request.method,
+            request.body,
+            request.headers,
+            [],
+        )
+        _LOG.debug("OAuth verify_request: %s", valid)
+        if valid:
+            request.user_ = oauth2_request.user
+
+            return cast(str, request.user.username)
+        return None
+
+    def remember(self, request: pyramid.request.Request, userid: str, **kw: Any) -> list[dict[str, str]]:
+        """Do no-op."""
+        del request, userid, kw
+        return []
+
+    def forget(self, request: pyramid.request.Request) -> list[dict[str, str]]:
+        """Do no-op."""
+        del request
+        return []
+
+
+@implementer(IAuthenticationPolicy)
+class DevAuthenticationPolicy(CallbackAuthenticationPolicy):  # type: ignore
+    """An authentication policy for the dev base on an environment variable."""
+
+    @staticmethod
+    def unauthenticated_userid(request: pyramid.request.Request) -> str | None:
+        """Get the user name from the environment variable."""
+        del request
+        return os.environ["DEV_LOGINNAME"]
+
+
+def create_authentication(settings: dict[str, Any]) -> MultiAuthenticationPolicy:
+    """Create all the authentication policies."""
+    timeout = settings.get("authtkt_timeout")
+    timeout = None if timeout is None or timeout.lower() == "none" else int(timeout)
+    reissue_time = settings.get("authtkt_reissue_time")
+    reissue_time = None if reissue_time is None or reissue_time.lower() == "none" else int(reissue_time)
+    max_age = settings.get("authtkt_max_age")
+    max_age = None if max_age is None or max_age.lower() == "none" else int(max_age)
+    http_only = settings.get("authtkt_http_only", "True")
+    http_only = http_only.lower() in ("true", "yes", "1")
+    secure = settings.get("authtkt_secure", "True")
+    secure = secure.lower() in ("true", "yes", "1")
+    samesite = settings.get("authtkt_samesite", "Lax")
+    secret = settings["authtkt_secret"]
+    basicauth = settings.get("basicauth", "False").lower() in ("true", "yes", "1")
+    if len(secret) < 64:
+        raise Exception(  # pylint: disable=broad-exception-raised
+            '"authtkt_secret should be at least 64 characters.'
+            "See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html"
+        )
+
+    policies = []
+
+    policies.append(
+        UrlAuthenticationPolicy(
+            settings.get("urllogin", {}).get("aes_key"),
+            defaultgroupsfinder,
+        )
+    )
+
+    policies.append(
+        AuthTktAuthenticationPolicy(
+            secret,
+            callback=defaultgroupsfinder,
+            cookie_name=settings["authtkt_cookie_name"],
+            samesite=None if samesite == "" else samesite,
+            timeout=timeout,
+            max_age=max_age,
+            reissue_time=reissue_time,
+            hashalg="sha512",
+            http_only=http_only,
+            secure=secure,
+        )
+    )
+
+    authentication_config = settings.get("authentication", {})
+    openid_connect_config = authentication_config.get("openid_connect", {})
+    oauth2_config = authentication_config.get("oauth2", {})
+    if oauth2_config.get("enabled", not openid_connect_config.get("enabled", False)):
+        policies.append(OAuth2AuthenticationPolicy())
+
+    if basicauth:
+        if authentication_config.get("two_factor", False):
+            _LOG.warning(
+                "Basic auth and two factor auth should not be enable together, "
+                "you should use OAuth2 instead of Basic auth"
+            )
+        if openid_connect_config.get("enabled", False):
+            _LOG.warning("Basic auth and OpenID Connect should not be enable together")
+
+        basic_authentication_policy = BasicAuthAuthenticationPolicy(c2cgeoportal_check)
+        policies.append(basic_authentication_policy)
+
+    # Consider empty string as not configured
+    if "DEV_LOGINNAME" in os.environ and os.environ["DEV_LOGINNAME"]:
+        policies.append(DevAuthenticationPolicy())
+
+    return MultiAuthenticationPolicy(policies)
+
+
+def c2cgeoportal_check(username: str, password: str, request: pyramid.request.Request) -> list[str] | None:
+    """Check the user authentication."""
+    if request.registry.validate_user(request, username, password):
+        return defaultgroupsfinder(username, request)
+    return None

c2cgeoportal_geoportal/lib/bashcolor.py

@@ -0,0 +1,46 @@
+# Copyright (c) 2013-2021, Camptocamp SA
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# The views and conclusions contained in the software and documentation are those
+# of the authors and should not be interpreted as representing official policies,
+# either expressed or implied, of the FreeBSD Project.
+
+from enum import Enum
+
+
+class Color(Enum):
+    """The available colors."""
+
+    BLACK = 0
+    RED = 1
+    GREEN = 2
+    YELLOW = 3
+    BLUE = 4
+    MAGENTA = 5
+    CYAN = 6
+    WHITE = 7
+
+
+def colorize(text: str, color: Color) -> str:
+    """Colorize a text for the bash."""
+    return f"\x1b[01;3{color.value}m{text}\x1b[0m"

c2cgeoportal_geoportal/lib/cacheversion.py

@@ -0,0 +1,77 @@
+# Copyright (c) 2011-2024, Camptocamp SA
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# The views and conclusions contained in the software and documentation are those
+# of the authors and should not be interpreted as representing official policies,
+# either expressed or implied, of the FreeBSD Project.
+
+
+import uuid
+from collections.abc import Callable
+from typing import Any
+from urllib.parse import urljoin
+
+import pyramid.registry
+import pyramid.request
+import pyramid.response
+
+from c2cgeoportal_geoportal.lib.caching import get_region
+
+CACHE_REGION = get_region("std")
+
+
+@CACHE_REGION.cache_on_arguments()
+def get_cache_version() -> str:
+    """Return a cache version that is regenerate after each cache invalidation."""
+    return uuid.uuid4().hex
+
+
+def version_cache_buster(
+    request: pyramid.request.Request, subpath: str, kw: dict[str, Any]
+) -> tuple[str, dict[str, Any]]:
+    """Join the cash buster version with the sub path."""
+    del request  # unused
+    return urljoin(get_cache_version() + "/", subpath), kw
+
+
+class CachebusterTween:
+    """Get back the cachebuster URL."""
+
+    def __init__(
+        self,
+        handler: Callable[[pyramid.request.Request], pyramid.response.Response],
+        registry: pyramid.registry.Registry,
+    ):
+        self.handler = handler
+        self.cache_path = registry.settings["cache_path"]
+
+    def __call__(self, request: pyramid.request.Request) -> pyramid.response.Response:
+        path = request.path_info.split("/", 3)
+        if len(path) > 1 and path[1] in self.cache_path:
+            if len(path) == 2:
+                raise pyramid.httpexceptions.HTTPNotFound()
+            # Remove the cache buster
+            path.pop(2)
+            request.path_info = "/".join(path)
+
+        return self.handler(request)