ositah 24.7.dev1__py3-none-any.whl → 24.7.dev3__py3-none-any.whl

ositah/main.py

@@ -0,0 +1,449 @@
+#!/usr/bin/env python
+
+"""
+Application to display the declared time on projects by agents in Hito and to allow validation of
+these declarations by the line managers.
+"""
+
+import argparse
+import os
+from datetime import datetime, timedelta
+
+import dash_bootstrap_components as dbc
+from dash import dcc, html
+from dash.dependencies import Input, Output, State
+from flask import session
+
+from ositah.app import app
+from ositah.apps.analysis import analysis_layout
+from ositah.apps.configuration.main import configuration_layout
+from ositah.apps.export import export_layout
+from ositah.apps.validation.main import validation_layout
+from ositah.utils.agents import get_agent_by_email
+from ositah.utils.authentication import (
+    LOGIN_URL,
+    LOGOUT_URL,
+    SESSION_MAX_DURATION,
+    configure_multipass_ldap,
+    identity_list,
+    multipass,
+    protect_views,
+)
+from ositah.utils.menus import (
+    TEAM_SELECTED_VALUE_ID,
+    TEAM_SELECTION_DATE_ID,
+    VALIDATION_PERIOD_SELECTED_ID,
+    ositah_jumbotron,
+)
+from ositah.utils.utils import (
+    AUTHORIZED_ROLES,
+    HITO_ROLE_TEAM_MGR,
+    TEAM_LIST_ALL_AGENTS,
+    GlobalParams,
+    define_config_params,
+)
+
+# Minimum role to access the configuration page
+CONFIGURATION_MIN_ROLE = HITO_ROLE_TEAM_MGR
+
+CONFIG_FILE_NAME_DEFAULT = "ositah.cfg"
+
+SIDEBAR_WIDTH = 16
+SIDEBAR_HREF_HOME = "/"
+SIDEBAR_HREF_ANALYSIS = "/analysis"
+SIDEBAR_HREF_CONFIGURATION = "/configuration"
+SIDEBAR_HREF_NSIP_EXPORT = "/export"
+SIDEBAR_HREF_VALIDATION = "/validation"
+# SIDEBAR_HREF_ALL entry order must match render_page_content callback
+# output order
+SIDEBAR_HREF_ALL = [
+    SIDEBAR_HREF_ANALYSIS,
+    SIDEBAR_HREF_CONFIGURATION,
+    SIDEBAR_HREF_NSIP_EXPORT,
+    SIDEBAR_HREF_VALIDATION,
+    LOGOUT_URL,
+    SIDEBAR_HREF_HOME,
+    LOGIN_URL,
+]
+
+MENU_ID_ANALYSIS = "analysis-menu"
+MENU_ID_CONFIGURATION = "configuration-menu"
+MENU_ID_EXPORT = "export-menu"
+MENU_ID_HOME = "home-menu"
+MENU_ID_LOGIN = "login-menu"
+MENU_ID_LOGOUT = "logout-menu"
+MENU_ID_VALIDATION = "validation-menu"
+
+
+# the style arguments for the sidebar. We use position:fixed and a fixed width
+SIDEBAR_STYLE = {
+    "position": "fixed",
+    "top": 0,
+    "left": 0,
+    "bottom": 0,
+    "width": f"{SIDEBAR_WIDTH}rem",
+    "padding": "2rem 1rem",
+    "background-color": "#f8f9fa",
+}
+
+# the styles for the main content position it to the right of the sidebar and
+# add some padding.
+CONTENT_STYLE = {
+    "margin-left": f"{SIDEBAR_WIDTH+2}rem",
+    "margin-right": "2rem",
+    "padding": "2rem 1rem",
+}
+
+
+# Get default configuration file: look first in the current directory and if not
+# found use the application directory.
+def default_config_path() -> str:
+    config_file = f"{os.getcwd()}/{CONFIG_FILE_NAME_DEFAULT}"
+    if not os.path.exists(config_file):
+        config_file = f"{os.path.dirname(os.path.abspath(__file__))}/{CONFIG_FILE_NAME_DEFAULT}"
+
+    return config_file
+
+
+# URL not found jumbotron
+def url_not_found(path):
+    return ositah_jumbotron(
+        "404: Not found",
+        f"URL {path} was not recognised...",
+        title_class="text-danger",
+    )
+
+
+# valid role missing jumbotron
+def valid_role_missing(msg):
+    return ositah_jumbotron(
+        "You don't have a valid Hito role to OSITAH",
+        msg,
+        title_class="text-warning",
+    )
+
+
+@app.callback(
+    [
+        Output("page-content", "children"),
+        Output("login-info", "children"),
+        #  Output order must match SIDEBAR_HREF_ALL entry order
+        Output(MENU_ID_ANALYSIS, "disabled"),
+        Output(MENU_ID_CONFIGURATION, "disabled"),
+        Output(MENU_ID_EXPORT, "disabled"),
+        Output(MENU_ID_VALIDATION, "disabled"),
+        Output(MENU_ID_LOGOUT, "disabled"),
+    ],
+    Input("url", "pathname"),
+    State("login-info", "children"),
+)
+def render_page_content(pathname, login_menu):
+    """
+    Function called to render the main page in OSITAH. It is also in charge of managing user
+    sessions.
+
+    :param pathname:
+    :param login_menu:
+    :return: callback output
+    """
+
+    from ositah.utils.authentication import remove_session
+    from ositah.utils.hito_db import get_db, new_uuid
+    from ositah.utils.hito_db_model import OSITAHSession, Team
+
+    global_params = GlobalParams()
+    logged_in_user = login_menu
+    menus_disabled = True
+
+    db = get_db()
+    OSITAHSession.__table__.create(db.session.bind, checkfirst=True)
+
+    user_authenticated = False
+    if "user_id" in session:
+        # 'user_id' is defined by Multipass if the login was successful
+        if "uid" in session and "user_email" in session:
+            # The user already logged in successfully once, check if the session is among the known
+            # valid sessions. As id and email columns have a unique constraint, the query can
+            # return only 0 or 1 value
+            saved_session = OSITAHSession.query.filter(
+                OSITAHSession.id == str(session["uid"]),
+                OSITAHSession.email == session["user_email"],
+            ).first()
+            if saved_session:
+                current_time = datetime.now()
+                if current_time > saved_session.last_use + timedelta(hours=SESSION_MAX_DURATION):
+                    remove_session()
+                else:
+                    saved_session.last_use = current_time
+                    db.session.commit()
+                    user_authenticated = True
+        if not user_authenticated and session["user_id"] in identity_list:
+            # Session has been fully initialized yet: do it and save it
+            session["user_email"] = identity_list[session["user_id"]].email
+            session["uid"] = new_uuid()
+            this_session = OSITAHSession(
+                id=str(session["uid"]),
+                email=session["user_email"],
+                last_use=datetime.now(),
+            )
+            db.session.add(this_session)
+            db.session.commit()
+            user_authenticated = True
+
+    if user_authenticated:
+        user_session_data = global_params.session_data
+        user = get_agent_by_email(session["user_email"])
+        role_ok = False
+        user_roles = user.roles
+        for role in AUTHORIZED_ROLES:
+            if role in user_roles:
+                role_ok = True
+                user_session_data.role = role
+                break
+        if role_ok:
+            if not user_session_data.agent_teams:
+                if role == HITO_ROLE_TEAM_MGR:
+                    # For a team manager, show only the teams he/she is a manager
+                    teams = Team.query.filter(Team.managers.any(email=session["user_email"])).all()
+                    if len(teams) == 0:
+                        # A user with role ROLE_RESP but is not the manager of any team is degraded
+                        # to ROLE_AGENT
+                        role_ok = False
+                        role_not_ok_msg = (
+                            f"{user.prenom} {user.nom} n'est" " responsable d'aucune équipe"
+                        )
+                        team_list = []
+                    else:
+                        teams.extend(
+                            Team.query.filter(
+                                Team.children_managers.any(email_auth=session["user_email"])
+                            ).all()
+                        )
+                        team_list = sorted([t.nom for t in teams])
+                else:
+                    # For other allowed roles, show all teams and add an entry for all agents
+                    teams = Team.query.all()
+                    team_list = sorted([t.nom for t in teams])
+                    team_list.insert(0, TEAM_LIST_ALL_AGENTS)
+                user_session_data.add_teams(team_list, sort_list=False)
+            logged_in_user = f"logged in as {user.prenom} {user.nom}"
+            menus_disabled = False
+        else:
+            role_not_ok_msg = (
+                f"{user.prenom} {user.nom} n'a pas de role Hito approprié"
+                " ({', '.join(AUTHORIZED_ROLES)})"
+            )
+    else:
+        logged_in_user = login_menu_link()
+        role_ok = True
+
+    return_values = [logged_in_user]
+    for i in range(len(SIDEBAR_HREF_ALL) - 2):
+        if (
+            SIDEBAR_HREF_ALL[i] == SIDEBAR_HREF_CONFIGURATION
+            and user_authenticated
+            and AUTHORIZED_ROLES.index(user_session_data.role)
+            > AUTHORIZED_ROLES.index(CONFIGURATION_MIN_ROLE)
+        ):
+            disable_flag = True
+        else:
+            disable_flag = menus_disabled
+        return_values.append(disable_flag)
+    if not role_ok:
+        return_values.insert(0, valid_role_missing(role_not_ok_msg))
+        return return_values
+
+    if user_authenticated:
+        if pathname == SIDEBAR_HREF_VALIDATION:
+            return_values.insert(0, validation_layout())
+            return return_values
+        elif pathname == SIDEBAR_HREF_ANALYSIS:
+            return_values.insert(0, analysis_layout())
+            return return_values
+        elif pathname == SIDEBAR_HREF_NSIP_EXPORT:
+            return_values.insert(0, export_layout())
+            return return_values
+        elif pathname == SIDEBAR_HREF_CONFIGURATION:
+            return_values.insert(0, configuration_layout())
+            return return_values
+
+    # Display the same message based on the login state for all valid URLs if none matched
+    # previously
+    if pathname in SIDEBAR_HREF_ALL:
+        if user_authenticated:
+            return_values.insert(
+                0,
+                html.P("Sélectionner ce que vous souhaitez faire dans le menu principal"),
+            )
+        else:
+            return_values.insert(0, html.P("Veuillez vous authentifier"))
+        return return_values
+
+    # If the user tries to reach a different page, return a 404 message
+    return_values.insert(0, url_not_found(pathname))
+    return return_values
+
+
+def login_menu_link():
+    """
+    :return: graphic object for login menu
+    """
+
+    return dbc.NavLink("Login", id=MENU_ID_LOGIN, href=LOGIN_URL, external_link=True)
+
+
+def make_app(environ=None, start_response=None, options=None):
+    """
+    Function to create the application without running it. It is the main entry point when called
+    as a uWSGI application (from gunicorn or uwswgi for example). Must return the Flask application
+    server.
+
+    :param environ: environment variables received from the uWSGI server
+    :param start_response: function received from the uWSGI server (not used)
+    :param options: parser options (will be initialized to sensible values when called from a uSWGI
+                    server)
+    :return: Flask application server
+    """
+
+    # Initialize options to sensible values: required when called from a uWSGI server
+    if options is None:
+        options = argparse.Namespace()
+        options.configuration_file = default_config_path()
+        options.debug = True
+
+    config = define_config_params(options.configuration_file)
+
+    configure_multipass_ldap(app.server, config["server"]["authentication"]["provider_name"])
+    multipass.init_app(app.server)
+
+    app.server.secret_key = "ositah-dashboard"
+
+    protect_views(app)
+
+    # Import from hito_db must not be done after configuration has been loaded
+    from ositah.utils.hito_db import get_db
+
+    # Initialize DB connection by calling get_db()
+    get_db(init_session=False)
+
+    sidebar = html.Div(
+        [
+            html.H2("OSITAH", className="display-4"),
+            html.Hr(),
+            html.P("Suivi des déclarations de temps", className="lead"),
+            dbc.Nav(
+                [
+                    # external_link=True is required for the callback on dcc.Location to work
+                    html.Div(login_menu_link(), id="login-info"),
+                    dbc.NavLink(
+                        "Logout",
+                        id=MENU_ID_LOGOUT,
+                        href=LOGOUT_URL,
+                        disabled=True,
+                        external_link=True,
+                    ),
+                ],
+                vertical="md",
+            ),
+            html.Hr(),
+            dbc.Nav(
+                [
+                    dbc.NavLink(
+                        "Home",
+                        id=MENU_ID_HOME,
+                        href=SIDEBAR_HREF_HOME,
+                        active="exact",
+                    ),
+                    dbc.NavLink(
+                        "Suvi / Validation",
+                        id=MENU_ID_VALIDATION,
+                        href=SIDEBAR_HREF_VALIDATION,
+                        active="exact",
+                        disabled=True,
+                    ),
+                    dbc.NavLink(
+                        "Analyse",
+                        id=MENU_ID_ANALYSIS,
+                        href=SIDEBAR_HREF_ANALYSIS,
+                        active="exact",
+                        disabled=True,
+                    ),
+                    dbc.NavLink(
+                        "Export NSIP",
+                        id=MENU_ID_EXPORT,
+                        href=SIDEBAR_HREF_NSIP_EXPORT,
+                        active="exact",
+                        disabled=True,
+                    ),
+                    dbc.NavLink(
+                        "Configuration",
+                        id=MENU_ID_CONFIGURATION,
+                        href=SIDEBAR_HREF_CONFIGURATION,
+                        active="exact",
+                        disabled=True,
+                    ),
+                ],
+                vertical="md",
+                pills=True,
+            ),
+            dcc.Store(id=TEAM_SELECTED_VALUE_ID, data=""),
+            dcc.Store(id=TEAM_SELECTION_DATE_ID, data=""),
+            dcc.Store(id=VALIDATION_PERIOD_SELECTED_ID, data=""),
+        ],
+        style=SIDEBAR_STYLE,
+    )
+
+    content = html.Div(id="page-content", style=CONTENT_STYLE)
+
+    app.layout = html.Div([dcc.Location(id="url"), sidebar, content])
+
+    return app.server
+
+
+def main():
+    """
+    Main entry point when executing the application from the command line
+
+    :return: exit status
+    """
+
+    global_params = GlobalParams()
+
+    DEBUG_DASH = "dash"
+    DEBUG_SQLALCHEMY = "db"
+    DEBUG_ALL = "all"
+    DEBUG_NONE = "none"
+
+    # parser must be run here to avoid messing up with gunicorn
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--configuration-file",
+        default=default_config_path(),
+        help=f"Configuration file (D: {default_config_path()})",
+    )
+    parser.add_argument(
+        "--debug",
+        choices=[DEBUG_DASH, DEBUG_SQLALCHEMY, DEBUG_ALL, DEBUG_NONE],
+        default=DEBUG_NONE,
+        help="Enable debugging mode in Dash and/or SQLAlchemy (do not use in production)",
+    )
+    options = parser.parse_args()
+
+    dash_debug = False
+    sqlalchemy_debug = False
+    if options.debug == DEBUG_DASH or options.debug == DEBUG_ALL:
+        dash_debug = True
+    if options.debug == DEBUG_SQLALCHEMY or options.debug == DEBUG_ALL:
+        sqlalchemy_debug = "debug"
+
+    make_app(options=options)
+
+    # If --debug, enable SQLAlchemy verbose mode
+    if sqlalchemy_debug:
+        app.server.config["SQLALCHEMY_ECHO"] = True
+
+    app.run_server(debug=dash_debug, port=global_params.port)
+
+
+if __name__ == "__main__":
+    exit(main())

ositah/ositah.example.cfg

@@ -0,0 +1,215 @@
+# Configuration file for OSITAH application
+
+# Where to read the data
+hito:
+  db:
+    # type muste be sqlite or mysql
+    #type: sqlite
+    type: mysql
+    # location must be a filename for sqlite or server/database for mysql
+    #location: 'c:\temp\hito-dev.sqlite'
+    location: 'localhost/hito'
+    user: hitousery
+    password: *verysecret*
+    # After this time (in seconds), DB connection is recycled
+    inactivity_timeout: 900
+    # For some unidentified reason, in SQLite, "stagiaire" carriere type is not found with an exact match...
+    agent_query: |
+      SELECT
+          DISTINCT(agent.id)
+        , agent.nom
+        , agent.prenom
+        , agent.team_id as team_id
+        , team.nom as team
+        , agent.statut as statut
+        , agent.email as email
+        , agent.corps_exercice_metier as cem
+        , CASE
+          WHEN agent.email_auth IS NULL THEN agent.email
+          ELSE agent.email_auth
+          END                            AS email_auth
+      FROM
+          agent
+          LEFT JOIN team on team.id = agent.team_id
+          JOIN carriere on carriere.agent_id = agent.id
+      WHERE
+          agent.archive = 0
+          AND
+          carriere.date_debut = (
+              SELECT MAX(c.date_debut)
+              FROM carriere AS c
+              WHERE
+                  agent.id = c.agent_id
+                  AND
+                  (c.type IN ("apprenti", "cdd", "emeritat", "stagiaire", "visiteur") OR c.type LIKE "arrivee%" OR c.type LIKE "stagiaire%")
+              )
+          AND
+          carriere.date_debut <= $$TODAY$$
+  # Patterns to identify the different activity categories from the activity name
+  categories:
+    consultance: 'Consultances & Expertises'
+    enseignement: 'Enseignement Supérieur'
+    local_project: 'Local projects'
+    service: 'Services & Support'
+  # Time unit (default is hours for categories not listed). Supported values h(our), w(eek)
+  time_unit:
+    local_project: w
+    nsip_project: w
+    service: w
+  # Column titles to use when displying the information about categories and agents
+  titles:
+    consultance: 'Consultance'
+    declarations_number: 'Déclarations effectuées'
+    enseignement: 'Enseignement'
+    fullname: 'Agent'
+    local_project: 'projets locaux'
+    missings_number: 'Déclarations obligatoires manquantes'
+    nsip_project: 'projets NSIP'
+    percent_global: 'Temps déclarés (%)'
+    service: 'Service'
+    statut: 'Statut'
+    team: 'Equipe'
+
+# Web server information
+server:
+  port: 9999
+  authentication:
+    ldap:
+      # uri can be space-separated list
+      uri: 'ldaps://ijclabad1.ijclab.in2p3.fr ldaps://ijclabad2.ijclab.in2p3.fr ldaps://ccijclabad01.ijclab.in2p3.fr'
+      base_dn: 'ou=ijclab,dc=ijclab,dc=in2p3,dc=fr'
+      bind_dn: 'CN=Non-Interactive Queries,OU=SI,OU=Services techniques,OU=Laboratoire,DC=lal,DC=in2p3,DC=fr'
+      password: 'ldap_bind_password'
+    provider_name: "MyLab account"
+
+# Options related to declarations
+declaration:
+  # Default date must be a date included into the selected validation period. It is a default, if no other explicitly select
+  #default_date: 2021-07-01
+  # max_hours specifies the upper valid value for activities declared in hours
+  max_hours: 400
+  # Agent statut whose declaration is not mandatory
+  optional_statutes:
+    - benevole
+    - emerite
+    - stagiaire
+    - visiteur
+  # Team who are not required to declare: values must match the beginning of the team name
+  optional_teams:
+    - Administration
+    - Support
+  # Thresholds used to mark declarations as low, suspect or good
+  # The value is the upper bound for the corresonding class
+  thresholds:
+    low: 50
+    suspect: 80
+    good: 100
+
+# Information related to validation
+validation:
+  override_period:
+    - ROLE_SUPER_ADMIN
+    - ROLE_PROJECT_MANAGER
+
+# Users with specific rights
+roles:
+  # List users (with their connection email) who are given a read-only access to OSITAH (no validation right)
+  read-only:
+    - user@my.dom.ain
+
+# NSIP related parameters
+
+nsip:
+  # The following sections configures information about NSIP service
+  # For each part of the API, there must be a base URL and some operation sub-urls
+  agent_api:
+    base_url: /api_labo/agent
+    declaration_add: /declaration/create
+    declaration_delete: /declaration/delete
+    declaration_update: /declaration/update
+  institute_api:
+    base_url: /api_institut
+    declaration_period_list: /declaration_period/list
+  lab_api:
+    base_url: /api_labo
+    agent_list: /agent/list
+    declaration_list: /declaration/list
+    project_list: /project/list
+    reference_list: /reference/list
+  server_url: https://nsip.in2p3.fr
+  token: nsip_lab_token
+
+  # teaching dictionary allows to define a ratio to apply to teaching activities.
+  # It also allows to define (optionally) a list of CEM that this ratio must
+  # be applied to (instead of all agents).
+  # master allows to define the masterproject identifying teaching activities
+  # (default: Enseignement Supérieur)
+  teaching:
+    masterproject: Enseignement Supérieur
+    ratio: 4.4
+    cem:
+      - cem_enseignant_chercheur
+
+  # Match against NSIP reference types to define the OSITAH masterproject.
+  # A reference with no value will cause the entry to be ignored by OSITAH.
+  # Reference types can be regex.
+  reference_masterprojects:
+    consultancyexpertise: Consultances & Expertises
+    highereducation: Enseignement Supérieur
+    servicesupport: Services & Support
+
+
+# project_teams allow to define a list of teams for a project
+# The project name is matched against the list of defined projects and must be a regex matching
+# the beginning of the project name. A team can be specified as a regex.
+# Example below is for IJCLab: update according to your needs.
+project_teams:
+  Consultances & Expertises:
+    - .*
+  Enseignement Supérieur:
+    - Accélérateurs.*
+    - A2C.*
+    - Direction
+    - Energie.*
+    - Ingénierie.*
+    - Nucléaire.*
+    - PHE.*
+    - Plateforme.*
+    - Santé.*
+    - Théorie.*
+  Services & Support / Assurance-Qualité:
+    - Support - Projets
+  Services & Support / Budget-Finances:
+    - Administration - Division financière
+  Services & Support / Communication-Documentation:
+    - Support - Communication
+  #Services & Support / Environnement:
+  Services & Support / Formation:
+    - Support - Enseignement
+  #Services & Support / Hygiène-Sécurité:
+  Services & Support / Management:
+    - .*
+  Services & Support / Partenariat:
+    - Support - STIRI
+  Services & Support / Patrimoine:
+    - Support - Infrastructure
+  Services & Support / Radioprotection:
+    - Support - Service SPR
+  Services & Support / Ressources Humaines:
+    - Administration.* - RH.*
+  Services & Support / Secrétariat:
+    - Direction - Assistantes
+  #Services & Support / Services Généraux:
+  Services & Support / Support-Biologie:
+    - Santé.*
+  Services & Support / Support-Electronique:
+    - Ingénierie - Electronique.*
+  Services & Support / Support-Informatique:
+    - Ingénierie - Informatique
+  Services & Support / Support-Instrumentation:
+    - Ingénierie - Détecteurs.*
+  Services & Support / Support-Mécanique:
+    - Ingénierie - Mécanique
+  #Services & Support / Sûreté:
+  Services & Support / Valorisation:
+    - Support - STIRI