ositah 24.7.dev1__py3-none-any.whl → 24.7.dev3__py3-none-any.whl

ositah/static/style.css

@@ -0,0 +1,54 @@
+/* CSS for the validation part of OSITAH */
+
+div.login_page {
+    margin-left: 50px;
+}
+
+div.login_form_field {
+    font-weight: bold;
+    margin-top: 20px;
+}
+
+input.login_button {
+    margin-top: 30px;
+    margin-left: 45px;
+}
+
+ul.flash-message {
+    display: inline-block;
+    list-style-type: none;
+    padding-left: 0;
+}
+
+
+/* CSS for Dash components */
+
+.team_list_dropdown {
+   margin-top: 15px;
+}
+
+.validated_hito_missing {
+   background-color: tomato;
+}
+
+table.sortable th::after, th.sorttable_sorted::after, th.sorttable_sorted_reverse::after {
+  content: " ";
+  display: inline-block;
+  width: 24px;
+  height: 24px;
+}
+
+table.sortable th:not(.sorttable_sorted):not(.sorttable_sorted_reverse):not(.sorttable_nosort):after {
+  content: url("arrow_down_up.svg");
+}
+
+th.sorttable_sorted::after {
+  background: url("sort_ascending.svg");
+  background-size: contain;
+}
+th.sorttable_sorted_reverse::after {
+  background: url("sort_descending.svg");
+  background-size: cover;
+}
+
+#sorttable_sortfwdind, #sorttable_sortrevind { display: none; }

ositah/templates/base.html

@@ -0,0 +1,22 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>OSITAH Login page</title>
+  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
+  <link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}">
+</head>
+<body>
+    {% with messages = get_flashed_messages(with_categories=True) %}
+        {% if messages %}
+            <ul class="bg-warning flash-message">
+                {%- for category, message in messages %}
+                    <li>{{ category }}: {{ message }}</li>
+                {% endfor -%}
+            </ul>
+        {% endif %}
+    {% endwith %}
+
+    {% block content %}{% endblock %}
+</body>
+</html>

ositah/templates/bootstrap_login.html

@@ -0,0 +1,38 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <link rel="icon" href="/docs/4.0/assets/img/favicons/favicon.ico">
+
+    <title>Signin Template for Bootstrap</title>
+
+    <link rel="canonical" href="https://getbootstrap.com/docs/4.0/examples/sign-in/">
+
+    <!-- Bootstrap core CSS -->
+    <link href="../../dist/css/bootstrap.min.css" rel="stylesheet">
+
+    <!-- Custom styles for this template -->
+    <link href="signin.css" rel="stylesheet">
+  </head>
+
+  <body class="text-center">
+    <form class="form-signin">
+      <img class="mb-4" src="https://getbootstrap.com/docs/4.0/assets/brand/bootstrap-solid.svg" alt="" width="72" height="72">
+      <h1 class="h3 mb-3 font-weight-normal">Please sign in</h1>
+      <label for="inputEmail" class="sr-only">Email address</label>
+      <input type="email" id="inputEmail" class="form-control" placeholder="Email address" required autofocus>
+      <label for="inputPassword" class="sr-only">Password</label>
+      <input type="password" id="inputPassword" class="form-control" placeholder="Password" required>
+      <div class="checkbox mb-3">
+        <label>
+          <input type="checkbox" value="remember-me"> Remember me
+        </label>
+      </div>
+      <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
+      <p class="mt-5 mb-3 text-muted">&copy; 2017-2018</p>
+    </form>
+  </body>
+</html>

ositah/templates/login_form.html

@@ -0,0 +1,27 @@
+<div class="login_page">
+    {% extends 'base.html' %}
+    {% block content %}
+        <p>Log in using <strong>{{ provider.title }}</strong></p>
+
+        <form method=post>
+            <div class="login_form">
+                {% for field in form %}
+                    {% if field.widget.__class__.__name__ == 'HiddenInput' %}
+                        {{ field() }}
+                    {% else %}
+                        <div class="login_form_field">
+                            {{ field.label() }}
+                        </div>
+                        <div>
+                            {{ field() }}
+                            {% if field.errors %}
+                                Errors: {{ field.errors|join(' / ') }}
+                            {% endif %}
+                        </div>
+                    {% endif %}
+                {% endfor %}
+                <input type="submit" value="Login" class="btn btn-secondary login_button">
+            </div>
+        </form>
+    {% endblock %}
+</div>

ositah/utils/agents.py

@@ -0,0 +1,117 @@
+# Helper functions to interact with the agent table
+import pandas as pd
+from flask import session
+
+from ositah.utils.exceptions import SessionDataMissing
+from ositah.utils.utils import TEAM_LIST_ALL_AGENTS, GlobalParams, no_session_id_jumbotron
+
+NSIP_AGENT_COLUMNS = {
+    "email_reseda": "email_reseda",
+    "firstname": "firstname",
+    "lastname": "lastname",
+}
+
+
+def get_agent_by_email(connexion_email: str) -> str:
+    """
+    Retrieve an agent from Hito using the connexion email. If the connexion email is not
+    defined for the agent, try to use the contact email.
+
+    :param connexion_email: agent's email
+    :return: agent entry (row)
+    """
+
+    from ositah.utils.hito_db_model import Agent
+
+    user = Agent.query.filter_by(email_auth=session["user_email"]).first()
+    if user is None:
+        user = Agent.query.filter_by(email=session["user_email"]).first()
+
+    return user
+
+
+def get_agents(period_date: str, team: str = None) -> pd.DataFrame:
+    """
+    Read agent table in Hito database and return it as a dataframe. If a cached version exists,
+    use it.
+
+    :param period_date: a date that must be inside the declaration period
+    :param team: selected team (and subteams). Ignored if None or TEAM_LIST_ALL_AGENTS.
+    :return: dataframe
+    """
+
+    from ositah.utils.hito_db import get_db
+
+    global_params = GlobalParams()
+    columns = global_params.columns
+    db = get_db()
+
+    try:
+        session_data = global_params.session_data
+    except SessionDataMissing:
+        return no_session_id_jumbotron()
+
+    # start_date, _ = get_validation_period_dates(period_date)
+
+    agents = session_data.agent_list
+    if agents is None:
+        agent_list = pd.read_sql_query(global_params.agent_query, con=db.engine)
+        # WIP ; attempt to refine the agent list taking into account arrival and departure date
+        # Difficulty: carriere table has a suboptimal structure making a SQL request difficult
+        # TODO: query separately agent+team and carriere, then use Pandas to join them taking all
+        # the criteria into account
+        # Ignore archived agents that left before the start of the declaration period
+        # agent_list = agent_list.loc[(agent_list.archive == 0) |
+        #                          (agent_list.date_fin >= start_date.date().isoformat())]
+        if team and team != TEAM_LIST_ALL_AGENTS:
+            agent_list = agent_list[agent_list["team"].str.match(team, case=False, na=False)]
+        agent_list[columns["fullname"]] = agent_list[
+            [columns["lastname"], columns["firstname"]]
+        ].agg(" ".join, axis=1)
+        agent_list.columns = agent_list.columns.str.lower()
+        agent_list["statut"] = agent_list["statut"].str.extract("^statut_(.+)$")
+        agent_list["optional"] = agent_list["statut"].isin(
+            global_params.declaration_options["optional_statutes"]
+        )
+        agent_list["email_auth"] = agent_list["email_auth"].str.lower()
+        team_list = pd.DataFrame(agent_list[columns["team"]].unique(), columns=["name"])
+        optional_teams_list = []
+        for opt_team in global_params.declaration_options["optional_teams"]:
+            optional_teams_list.append(
+                team_list[team_list["name"].str.match(opt_team, case=False, na=False)]["name"]
+            )
+        optional_teams = pd.concat(optional_teams_list)
+        agent_list.loc[~agent_list["optional"], "optional"] = agent_list["team"].isin(
+            optional_teams
+        )
+        session_data.agent_list = agent_list
+    else:
+        agent_list = session_data.agent_list
+
+    return agent_list
+
+
+def get_nsip_agents():
+    """
+    Retrieve agents from NSIP and return them in a dataframe.
+
+    :return: dataframe or None if NSIP is not configured
+    """
+
+    global_params = GlobalParams()
+
+    if global_params.nsip:
+        agents = pd.DataFrame.from_dict(global_params.nsip.get_agent_list())
+        columns_to_delete = []
+        for c in agents.columns.tolist():
+            if c not in NSIP_AGENT_COLUMNS.values():
+                columns_to_delete.append(c)
+        agents["fullname"] = agents[
+            [NSIP_AGENT_COLUMNS["lastname"], NSIP_AGENT_COLUMNS["firstname"]]
+        ].agg(" ".join, axis=1)
+        agents.drop(columns=columns_to_delete, inplace=True)
+
+        return agents
+
+    else:
+        return None

ositah/utils/authentication.py

@@ -0,0 +1,287 @@
+# Module to handle user login with flask-multipass, a multi-backend authentication module for Flask
+# The code is largely based on a simplified version of what Indico is doing and is focused on using
+# LDAP (IJCLab ActiveDirectory) as the backend.
+#
+# There is no attempt to store session data in a database.
+
+import functools
+import json
+from urllib.parse import urlparse
+from uuid import uuid1
+
+from flask import flash, redirect, request, session
+from flask_multipass import InvalidCredentials, Multipass, NoSuchUser
+
+from ositah.utils.utils import GlobalParams
+
+# Redirect URL for login and logout
+LOGIN_URL = "/login"
+LOGOUT_URL = "/logout"
+
+
+# Session validity duration (in hours), i.e. max time since the last use
+SESSION_MAX_DURATION = 4
+
+
+# List of authenticated users
+user_list = {}
+identity_list = {}
+
+
+class User:
+    def __init__(self, first_name=None, last_name=None, email=None):
+        self._id = uuid1()
+        self._firstname = first_name
+        self._lastname = last_name
+        self._email = email
+        self._identities = []
+
+    def add_identity(self, identity):
+        self._identities.append(identity)
+
+    @property
+    def identities(self):
+        return self._identities
+
+    @property
+    def email(self):
+        return self._email
+
+    def get_first_identity(self):
+        if len(self._identities) >= 1:
+            return self._identities[0]
+        else:
+            return Exception(f"No identity defined for user '{self.email}'")
+
+    @property
+    def id(self):
+        return self._id
+
+
+class Identity:
+    def __init__(self, provider=None, identifier=None):
+        self._id = identifier
+        self._provider = provider
+        self._multipass_data = None
+
+    @property
+    def id(self):
+        return self._id
+
+    @property
+    def multipass_data(self):
+        return self._multipass_data
+
+    @multipass_data.setter
+    def multipass_data(self, data):
+        self._multipass_data = data
+
+    @property
+    def provider(self):
+        return self._provider
+
+
+class OSITAHMultipass(Multipass):
+    def init_app(self, app):
+        super(OSITAHMultipass, self).init_app(app)
+        with app.app_context():
+            self._check_default_provider()
+
+    def _check_default_provider(self):
+        # Ensure that there is maximum one sync provider
+        sync_providers = [
+            p for p in self.identity_providers.values() if p.settings.get("synced_fields")
+        ]
+        if len(sync_providers) > 1:
+            raise ValueError("There can only be one sync provider.")
+        # Ensure that there is exactly one form-based default auth provider
+        auth_providers = list(self.auth_providers.values())
+        external_providers = [p for p in auth_providers if p.is_external]
+        local_providers = [p for p in auth_providers if not p.is_external]
+        if any(p.settings.get("default") for p in external_providers):
+            raise ValueError("The default provider cannot be external")
+        if all(p.is_external for p in auth_providers):
+            return
+        default_providers = [p for p in auth_providers if p.settings.get("default")]
+        if len(default_providers) > 1:
+            raise ValueError("There can only be one default auth provider")
+        elif not default_providers:
+            if len(local_providers) == 1:
+                local_providers[0].settings["default"] = True
+            else:
+                raise ValueError("There is no default auth provider")
+
+    def handle_auth_error(self, exc, redirect_to_login=False):
+        if isinstance(exc, (NoSuchUser, InvalidCredentials)):
+            print("Invalid credentials")
+        else:
+            exc_str = str(exc)
+            print(
+                "Authentication via %s failed: %s (%r)",
+                exc.provider.name if exc.provider else None,
+                exc_str,
+                exc.details,
+            )
+        return super(OSITAHMultipass, self).handle_auth_error(
+            exc, redirect_to_login=redirect_to_login
+        )
+
+
+def configure_multipass_ldap(app, provider_title):
+    """
+    Configure Flask_multipass from configuration. Inspired from Indico and its configuration file.
+    Required flask_multipass with PR #42.
+
+    :param app: Flask app
+    :param provider_title: text associated with the auth/identity provider
+    :return: none
+    """
+
+    global_params = GlobalParams()
+    config = global_params.ldap
+
+    if not config or len(config) == 0:
+        raise Exception("Missing LDAP configuration")
+
+    ldap_config = {
+        "uri": config["uri"],
+        "bind_dn": config["bind_dn"],
+        "bind_password": config["password"],
+        "timeout": 30,
+        "verify_cert": True,
+        "page_size": 10000,
+        "uid": "sAMAccountName",
+        "user_base": config["base_dn"],
+        "user_filter": "(objectcategory=user)",
+    }
+
+    auth_provider = {
+        "ldap": {
+            "type": "ldap",
+            "title": provider_title,
+            "ldap": ldap_config,
+        },
+    }
+
+    identity_provider = {
+        "ldap": {
+            "type": "ldap",
+            "title": provider_title,
+            "ldap": ldap_config,
+            "identifier_field": "mail",
+            "accepted_users": "all",
+            "mapping": {
+                "first_name": "givenName",
+                "last_name": "sn",
+                "email": "mail",
+                "affiliation": "company",
+                "phone": "telephoneNumber",
+            },
+            "trusted_email": True,
+        },
+    }
+
+    app.config["MULTIPASS_AUTH_PROVIDERS"] = auth_provider
+    app.config["MULTIPASS_IDENTITY_PROVIDERS"] = identity_provider
+    app.config["MULTIPASS_PROVIDER_MAP"] = {"ldap": "ldap"}
+    app.config["MULTIPASS_IDENTITY_INFO_KEYS"] = {"first_name", "last_name", "email"}
+    app.config["MULTIPASS_LOGIN_FORM_TEMPLATE"] = "login_form.html"
+    app.config["MULTIPASS_SUCCESS_ENDPOINT"] = "/"
+    app.config["MULTIPASS_FAILURE_MESSAGE"] = "Login failed: {error}"
+
+
+multipass = OSITAHMultipass()
+
+
+@multipass.identity_handler
+def identity_handler(identity_info):
+    if identity_info.identifier in identity_list:
+        user = identity_list[identity_info.identifier]
+        identity = user.get_first_identity()
+    else:
+        if identity_info.data["email"] in user_list:
+            user = user_list[identity_info.data["email"]]
+        else:
+            user = User(**identity_info.data.to_dict())
+            user_list[user.email] = user
+        identity = Identity(
+            provider=identity_info.provider.name, identifier=identity_info.identifier
+        )
+        user.add_identity(identity)
+        identity_list[identity.id] = user
+    identity.multipass_data = json.dumps(identity_info.multipass_data)
+    session["user_id"] = identity.id
+    flash("Received IdentityInfo: {}".format(identity_info), "success")
+
+
+def login_required(view):
+    """
+    A decorator to require login on Flask views
+
+    :param view: a function
+    :return: decorated function
+    """
+
+    @functools.wraps(view)
+    def wrapped_view(**kwargs):
+        redirect_path = urlparse(request.base_url).path
+        if len(redirect_path) == 0:
+            redirect_path = "/"
+        if "user_id" not in session:
+            if redirect_path != "/favicon.ico":
+                return redirect(f"{LOGIN_URL}?next={redirect_path}")
+        elif redirect_path == LOGOUT_URL:
+            remove_session()
+            return multipass.logout("/", clear_session=True)
+
+        return view(**kwargs)
+
+    return wrapped_view
+
+
+def protect_views(app):
+    for view_func in app.server.view_functions:
+        if view_func.startswith("/<path:path>"):
+            app.server.view_functions[view_func] = login_required(
+                app.server.view_functions[view_func]
+            )
+
+    return app
+
+
+def remove_session():
+    """
+    Remove a session from the database and do additional session cleanup.
+
+    :return: None
+    """
+
+    from sqlalchemy import delete
+
+    from ositah.utils.hito_db import get_db
+    from ositah.utils.hito_db_model import OSITAHSession
+
+    global_params = GlobalParams()
+
+    if "uid" in session:
+        del global_params.session_data
+
+        if session["user_id"] in identity_list:
+            del user_list[identity_list[session["user_id"]].email]
+            del identity_list[session["user_id"]]
+        else:
+            print(
+                (
+                    f"WARNING: attempt to delete a non-existing user/identity"
+                    f" {session['uid']} (user={session['user_id']})"
+                )
+            )
+
+        if "user_email" in session:
+            sql_cmd = delete(OSITAHSession).where(
+                OSITAHSession.id == session["uid"],
+                OSITAHSession.email == session["user_email"],
+            )
+            db = get_db()
+            db.session.execute(sql_cmd)
+            db.session.commit()

ositah/utils/cache.py

@@ -0,0 +1,19 @@
+# Helper functions to manage the data cache
+
+from ositah.utils.exceptions import SessionDataMissing
+from ositah.utils.utils import GlobalParams, no_session_id_jumbotron
+
+
+def clear_cached_data():
+    """
+    Clear the data cached by the previous requests
+
+    :return: None
+    """
+
+    global_params = GlobalParams()
+    try:
+        session_data = global_params.session_data
+        session_data.reset_caches()
+    except SessionDataMissing:
+        return no_session_id_jumbotron()

ositah/utils/core.py

@@ -0,0 +1,13 @@
+# Module with utility functions
+
+
+# Singleton decorator definition
+def singleton(cls):
+    instances = {}
+
+    def getinstance(*args, **kwargs):
+        if cls not in instances:
+            instances[cls] = cls(*args, **kwargs)
+        return instances[cls]
+
+    return getinstance

ositah/utils/exceptions.py

@@ -0,0 +1,64 @@
+# OSITAH exceptions not specific to one of the sub-application
+
+from hito_tools.exceptions import EXIT_STATUS_GENERAL_ERROR
+
+
+class InvalidCallbackInput(Exception):
+    def __init__(self, input_name):
+        self.msg = f"internal error: invalid input ({input_name}) in callback"
+        self.status = EXIT_STATUS_GENERAL_ERROR
+
+    def __str__(self):
+        return repr(self.msg)
+
+
+class InvalidDataSource(Exception):
+    def __init__(self, source):
+        self.msg = f"attempt to use and invalid data source ({source})"
+        self.status = EXIT_STATUS_GENERAL_ERROR
+
+    def __str__(self):
+        return repr(self.msg)
+
+
+class InvalidHitoProjectName(Exception):
+    def __init__(self, projects):
+        self.msg = (
+            f"The following Hito project names don't match the format 'masterproject / project' :"
+            f" {', '.join(projects)}"
+        )
+        self.status = EXIT_STATUS_GENERAL_ERROR
+
+    def __str__(self):
+        return repr(self.msg)
+
+
+class SessionDataMissing(Exception):
+    def __init__(self, session_id=None):
+        if session_id:
+            session_txt = f" (session={session_id})"
+        else:
+            session_txt = ""
+        self.msg = f"Attempt to use non existing session data{session_txt}"
+        self.status = EXIT_STATUS_GENERAL_ERROR
+
+    def __str__(self):
+        return repr(self.msg)
+
+
+class ValidationPeriodAmbiguous(Exception):
+    def __init__(self, date):
+        self.msg = f"Configuration error: several periods matching {date}"
+        self.status = EXIT_STATUS_GENERAL_ERROR
+
+    def __str__(self):
+        return repr(self.msg)
+
+
+class ValidationPeriodMissing(Exception):
+    def __init__(self, date):
+        self.msg = f"No defined declaration period matching {date}"
+        self.status = EXIT_STATUS_GENERAL_ERROR
+
+    def __str__(self):
+        return repr(self.msg)