udata 11.1.2.dev8__py3-none-any.whl → 11.1.2.dev11__py3-none-any.whl

udata/api/oauth2.py

@@ -29,7 +29,7 @@ from authlib.oauth2.rfc6750 import BearerTokenValidator
 from authlib.oauth2.rfc7009 import RevocationEndpoint
 from authlib.oauth2.rfc7636 import CodeChallenge
 from bson import ObjectId
-from flask import current_app, render_template, request
+from flask import abort, current_app, jsonify, render_template, request
 from flask_security.utils import verify_password
 from werkzeug.exceptions import Unauthorized
 
@@ -40,6 +40,7 @@ from udata.core.storages import default_image_basename, images
 from udata.i18n import I18nBlueprint
 from udata.i18n import lazy_gettext as _
 from udata.mongo import db
+from udata.utils import wants_json
 
 blueprint = I18nBlueprint("oauth", __name__, url_prefix="/oauth")
 oauth = AuthorizationServer()
@@ -292,18 +293,31 @@ class BearerToken(BearerTokenValidator):
         return token.revoked
 
 
-@blueprint.route("/token", methods=["POST"], localize=False, endpoint="token")
+@blueprint.route("/token", methods=["POST"], endpoint="token")
 @csrf.exempt
 def access_token():
     return oauth.create_token_response()
 
 
-@blueprint.route("/revoke", methods=["POST"], localize=False)
+@blueprint.route("/revoke", methods=["POST"])
 @csrf.exempt
 def revoke_token():
     return oauth.create_endpoint_response(RevokeToken.ENDPOINT_NAME)
 
 
+@blueprint.route("/client_info", methods=["GET"])
+def client_info(*args, **kwargs):
+    if not current_user or not current_user.is_authenticated:
+        abort(401)
+
+    try:
+        grant = oauth.get_consent_grant(end_user=current_user)
+    except OAuth2Error as error:
+        return error.error
+
+    return jsonify({"client": {"name": grant.client.name}, "scopes": ["default"]})
+
+
 @blueprint.route("/authorize", methods=["GET", "POST"])
 @login_required
 def authorize(*args, **kwargs):
@@ -313,8 +327,13 @@ def authorize(*args, **kwargs):
         except OAuth2Error as error:
             return error.error
         # Bypass authorization screen for internal clients
+        # It's not used right now…
         if grant.client.internal:
             return oauth.create_authorization_response(grant_user=current_user)
+
+        if wants_json():
+            return jsonify({"client": {"name": grant.client.name}, "scopes": ["default"]})
+
         return render_template("api/oauth_authorize.html", grant=grant)
     elif request.method == "POST":
         accept = "accept" in request.form

udata/app.py

@@ -223,6 +223,7 @@ def register_extensions(app):
         sentry,
         tasks,
     )
+    from udata.auth import proconnect
 
     cors.init_app(app)
     tasks.init_app(app)
@@ -236,6 +237,8 @@ def register_extensions(app):
     mail.init_app(app)
     search.init_app(app)
     sentry.init_app(app)
+    proconnect.init_app(app)
+
     app.after_request(return_404_html_if_requested)
     app.register_error_handler(NotFound, page_not_found)
     return app

udata/auth/__init__.py

@@ -39,6 +39,7 @@ def init_app(app):
     from udata.models import datastore
 
     from .forms import (
+        ExtendedForgotPasswordForm,
         ExtendedLoginForm,
         ExtendedRegisterForm,
         ExtendedResetPasswordForm,
@@ -47,6 +48,15 @@ def init_app(app):
     from .password_validation import UdataPasswordUtil
     from .views import create_security_blueprint
 
+    # We want to alias SECURITY_POST_CONFIRM_VIEW to the CDATA_BASE_URL (the homepage)
+    # but can't do it in `settings.py` because it's not defined yet (`CDATA_BASE_URL` is set
+    # in the env)
+    # :SecurityPostConfirmViewAtRuntime
+    if app.config["CDATA_BASE_URL"]:
+        app.config.setdefault(
+            "SECURITY_POST_CONFIRM_VIEW", app.config["CDATA_BASE_URL"] + "?flash=post_confirm"
+        )
+
     security.init_app(
         app,
         datastore,
@@ -56,6 +66,7 @@ def init_app(app):
         confirm_register_form=ExtendedRegisterForm,
         register_form=ExtendedRegisterForm,
         reset_password_form=ExtendedResetPasswordForm,
+        forgot_password_form=ExtendedForgotPasswordForm,
         mail_util_cls=UdataMailUtil,
         password_util_cls=UdataPasswordUtil,
     )

udata/auth/forms.py

@@ -1,14 +1,37 @@
 import datetime
+import logging
 
+import requests
 from flask import current_app
 from flask_login import current_user
-from flask_security.forms import Form, LoginForm, RegisterForm, ResetPasswordForm
-
+from flask_security.forms import (
+    ForgotPasswordForm,
+    Form,
+    LoginForm,
+    RegisterForm,
+    ResetPasswordForm,
+)
+
+from udata.core.captchetat import bearer_token
 from udata.forms import fields, validators
 from udata.i18n import lazy_gettext as _
 
+log = logging.getLogger(__name__)
+
+
+class WithCaptcha:
+    captcha_code = fields.StringField(_("Captcha code"))
+    captcha_uuid = fields.StringField(_("Captcha ID"))
+
+    def validate_captcha(self):
+        if check_captchetat(self.captcha_uuid.data, self.captcha_code.data):
+            return True
+
+        self.captcha_code.errors = [_("Invalid Captcha")]
+        return False
+
 
-class ExtendedRegisterForm(RegisterForm):
+class ExtendedRegisterForm(WithCaptcha, RegisterForm):
     first_name = fields.StringField(
         _("First name"),
         [
@@ -23,12 +46,21 @@ class ExtendedRegisterForm(RegisterForm):
             validators.NoURLs(_("URLs not allowed in this field")),
         ],
     )
+    accept_conditions = fields.BooleanField(
+        _("J'accepte les conditions générales d'utilisation"),
+        validators=[
+            validators.DataRequired(message=_("Vous devez accepter les CGU pour continuer."))
+        ],
+    )
 
     def validate(self, **kwargs):
         # no register allowed when read only mode is on
         if not super().validate(**kwargs) or current_app.config.get("READ_ONLY_MODE"):
             return False
 
+        if not self.validate_captcha():
+            return False
+
         return True
 
 
@@ -57,6 +89,17 @@ class ExtendedResetPasswordForm(ResetPasswordForm):
         return True
 
 
+class ExtendedForgotPasswordForm(WithCaptcha, ForgotPasswordForm):
+    def validate(self, **kwargs):
+        if not super().validate(**kwargs):
+            return False
+
+        if not self.validate_captcha():
+            return False
+
+        return True
+
+
 class ChangeEmailForm(Form):
     new_email = fields.StringField(_("New email"), [validators.DataRequired(), validators.Email()])
     new_email_confirm = fields.StringField(
@@ -77,3 +120,27 @@ class ChangeEmailForm(Form):
             )
             return False
         return True
+
+
+def check_captchetat(id: str, code: str) -> bool:
+    captchetat_url = current_app.config.get("CAPTCHETAT_BASE_URL")
+    if not captchetat_url:
+        return True
+
+    if not id or not code:
+        return False
+
+    headers = {"Authorization": "Bearer " + bearer_token()}
+    try:
+        resp = requests.post(
+            f"{captchetat_url}/valider-captcha",
+            headers=headers,
+            json={
+                "uuid": id,
+                "code": code,
+            },
+        )
+        return resp.text == "true"
+    except requests.exceptions.RequestException as err:
+        log.error(f"Failed to query CaptchEtat: {err}")
+        return True

udata/auth/mails.py

@@ -1,8 +1,12 @@
+import logging
+
 import email_validator
 from flask import current_app
 
 from udata.tasks import task
 
+log = logging.getLogger(__name__)
+
 
 @task
 def sendmail(msg):
@@ -11,6 +15,8 @@ def sendmail(msg):
     if send_mail:
         mail = current_app.extensions.get("mail")
         mail.send(msg)
+    else:
+        log.warning(msg)
 
 
 class UdataMailUtil:

udata/auth/proconnect.py

@@ -0,0 +1,127 @@
+from datetime import datetime
+
+from authlib.common.urls import add_params_to_uri
+from authlib.integrations.flask_client import OAuth
+from flask import abort, redirect, request, session, url_for
+from werkzeug.security import gen_salt
+
+from udata.api import API, api
+from udata.auth import login_user
+from udata.uris import homepage_url
+
+ns = api.namespace("proconnect", "Proconnect related operations")
+oauth = OAuth()
+# blueprint = I18nBlueprint("proconnect", __name__, url_prefix="/proconnect")
+STATE_KEY = "proconnect_state"
+ID_TOKEN_KEY = "id_token"
+
+
+def init_app(app):
+    if app.config.get("PROCONNECT_OPENID_CONF_URL"):
+        # ProConnect SSO
+        oauth.init_app(app)
+        oauth.register(
+            name="proconnect",
+            client_id=app.config.get("PROCONNECT_CLIENT_ID"),
+            client_secret=app.config.get("PROCONNECT_CLIENT_SECRET"),
+            server_metadata_url=app.config.get("PROCONNECT_OPENID_CONF_URL"),
+            client_kwargs={"scope": app.config.get("PROCONNECT_SCOPE")},
+        )
+
+
+def get_logout_url():
+    id_token = session.get(ID_TOKEN_KEY)
+    if id_token is None:
+        # No id_token, so no way to logout from ProConnect.
+        return None
+
+    metadata = oauth.proconnect.load_server_metadata()
+    end_session_endpoint = metadata["end_session_endpoint"]
+    # Generate a random state that we send to ProConnect, they'll return it so we can check it.
+    state = gen_salt(50)
+    session[STATE_KEY] = state
+    redirect_uri = url_for("api.proconnect_logout", _external=True)
+
+    return add_params_to_uri(
+        end_session_endpoint,
+        (
+            ("id_token_hint", id_token),
+            ("state", state),
+            ("post_logout_redirect_uri", redirect_uri),
+        ),
+    )
+
+
+@ns.route("/login/", endpoint="proconnect_login")
+class ProconnectLoginAPI(API):
+    def get(self):
+        redirect_uri = url_for("api.proconnect_auth", _external=True)
+        return oauth.proconnect.authorize_redirect(redirect_uri, acr_values="eidas1")
+
+
+@ns.route("/auth", endpoint="proconnect_auth")
+class ProconnectAuthAPI(API):
+    def get(self):
+        from udata.models import datastore
+
+        token = oauth.proconnect.authorize_access_token()
+        # Store the user info in the session, it'll be used when logging out from ProConnect.
+        session[ID_TOKEN_KEY] = token[ID_TOKEN_KEY]
+        # /!\ DIRTY HACK.
+        # authlib expects the userinfo to either be in the token["id_token"] as a jwt...
+        # but in this case, it's not there, it's some other information.
+        # We thus need to go get the userinfo from the userinfo_endpoint, but authlib
+        # expects it to be plain json. However, proconnect returns a jwt.
+        # So we can't use authlib's client.userinfo() helper, we need to do it ourselves.
+        metadata = oauth.proconnect.load_server_metadata()
+        resp = oauth.proconnect.get(metadata["userinfo_endpoint"])
+        resp.raise_for_status()
+        # Create a new token that `client.parse_id_token` expects. Replace the initial
+        # `id_token` with the jwt we received from the `userinfo_endpoint`.
+        userinfo_token = token.copy()
+        userinfo_token[ID_TOKEN_KEY] = resp.content
+        proconnect_user = oauth.proconnect.parse_id_token(userinfo_token, nonce=None)
+        # We now have the user information decoded from the jwt, ready to be used.
+        user = datastore.find_user(email=proconnect_user["email"])
+        if not user:
+            user = datastore.create_user(
+                email=proconnect_user["email"],
+                first_name=proconnect_user.get("given_name"),
+                last_name=proconnect_user.get("usual_name"),
+                confirmed_at=datetime.now(),
+            )
+
+        if not login_user(user):
+            return {"message": "ProConnect Authentication failed"}, 401
+
+        return redirect(homepage_url(flash="connected"))
+
+
+@ns.route("/logout_oauth", endpoint="proconnect_logout_oauth")
+class ProconnectLogoutOAuthAPI(API):
+    def get(self):
+        # At the time of this writing, authlib didn't implement OpenIDC session management:
+        # https://github.com/lepture/authlib/issues/292
+        # So we implement it ourselves. This code may be simplified (or even removed?) in the future
+        # if we update to a version that supports it.
+        end_session_url = get_logout_url()
+        if end_session_url is None:
+            return redirect(url_for("security.logout"))
+
+        return redirect(end_session_url)
+
+
+@ns.route("/logout", endpoint="proconnect_logout")
+class ProconnectLogoutAPI(API):
+    def get(self):
+        # Double check that the request hasn't been forged by checking the random "state" we provided.
+        state = request.args["state"]
+        stored_state = session.get(STATE_KEY)
+        if state != stored_state:
+            abort(401)
+
+        # We're logged out from ProConnect, cleanup the ProConnect related data from the session.
+        session.pop(ID_TOKEN_KEY, None)
+        session.pop(STATE_KEY, None)
+
+        return redirect(url_for("security.logout"))

udata/auth/views.py

@@ -1,4 +1,4 @@
-from flask import current_app, redirect, url_for
+from flask import current_app, jsonify, redirect, request, url_for
 from flask_login import current_user, login_required
 from flask_security.utils import (
     check_and_get_token_status,
@@ -21,10 +21,13 @@ from flask_security.views import (
     send_login,
     token_login,
 )
+from flask_wtf.csrf import generate_csrf
 from werkzeug.local import LocalProxy
 
+from udata.auth.proconnect import get_logout_url
 from udata.i18n import lazy_gettext as _
 from udata.uris import homepage_url
+from udata.utils import wants_json
 
 from .forms import ChangeEmailForm
 
@@ -98,6 +101,16 @@ def confirm_change_email(token):
     return redirect(homepage_url(flash="change_email_confirmed"))
 
 
+def get_csrf():
+    # We need to have a public endpoint for getting a CSRF token.
+    # In Flask, we can query the form with an Accept:application/json,
+    # for example: GET `/login` to get a JSON with the CSRF token.
+    # It's not working in our implementation because GET `/login` is routed to
+    # cdata and not udata. So we need to have an endpoint existing only on udata
+    # so we can fetch a valid CSRF token.
+    return jsonify({"response": {"csrf_token": generate_csrf()}})
+
+
 @login_required
 def change_email():
     """Change email page."""
@@ -107,6 +120,10 @@ def change_email():
     if form.validate_on_submit():
         new_email = form.new_email.data
         send_change_email_confirmation_instructions(current_user, new_email)
+
+        if wants_json():
+            return jsonify({})
+
         return redirect(
             homepage_url(
                 flash="change_email",
@@ -116,6 +133,9 @@ def change_email():
             )
         )
 
+    if wants_json():
+        return jsonify({"response": {"csrf_token": generate_csrf()}})
+
     return _security.render_template("security/change_email.html", change_email_form=form)
 
 
@@ -134,7 +154,9 @@ def create_security_blueprint(app, state, import_name):
         template_folder="templates",
     )
 
-    bp.route(app.config["SECURITY_LOGOUT_URL"], endpoint="logout")(logout)
+    bp.route(app.config["SECURITY_LOGOUT_URL"], methods=["GET", "POST"], endpoint="logout")(
+        logout_with_proconnect_url
+    )
 
     if state.passwordless:
         bp.route(app.config["SECURITY_LOGIN_URL"], methods=["GET", "POST"], endpoint="login")(
@@ -187,5 +209,38 @@ def create_security_blueprint(app, state, import_name):
     )(confirm_change_email)
 
     bp.route("/change-email", methods=["GET", "POST"], endpoint="change_email")(change_email)
+    bp.route("/get-csrf", methods=["GET"], endpoint="get_csrf")(get_csrf)
 
     return bp
+
+
+def logout_with_proconnect_url():
+    """
+    Extends the flask-security `logout` by returning the ProConnect logout URL (if any)
+    so `cdata` can redirect to it if the user was connected via ProConnect.
+    """
+    # after the redirection to ProConnect logout, the user will be redirected
+    # to our logout again with ProconnectLogoutAPI.
+    if request.method == "POST" and wants_json():
+        proconnect_logout_url = get_logout_url()
+
+        if proconnect_logout_url:
+            return jsonify(
+                {
+                    "proconnect_logout_url": get_logout_url(),
+                }
+            )
+
+    # Calling the flask-security logout endpoint
+    logout()
+
+    # But rewriting the response since we want to redirect with a flash
+    # query param for cdata. Flask-Security redirects to the homepage without
+    # any information.
+    # PS: in a normal logout it's a JSON request, but after logout from ProConnect
+    # the user is redirected to this endpoint as a normal HTTP request, so we must
+    # manage the basic redirection in this case.
+    if request.method == "POST" and wants_json():
+        return jsonify({})
+
+    return redirect(homepage_url(flash="logout"))

udata/core/__init__.py

@@ -1,5 +1,7 @@
 from importlib import import_module
 
+import udata.core.captchetat  # noqa
+
 MODULES = (
     "metrics",
     "storages",

udata/core/captchetat.py

@@ -0,0 +1,80 @@
+import logging
+
+import requests
+from flask import abort, current_app, make_response
+
+from udata.api import API, apiv2
+from udata.app import cache
+
+log = logging.getLogger(__name__)
+
+ns = apiv2.namespace("captchetat", "CaptchEtat related operations")
+captchetat_parser = apiv2.parser()
+captchetat_parser.add_argument(
+    "get", type=str, location="args", help="type of data wanted from captchetat"
+)
+captchetat_parser.add_argument("c", type=str, location="args", help="captcha name")
+captchetat_parser.add_argument(
+    "t",
+    type=str,
+    location="args",
+    help="this is a technical argument auto-generated for audio content",
+)
+
+CAPTCHETAT_ERROR = "CaptchEtat request didn't failed but didn't contain any access_token"
+
+
+def bearer_token():
+    """Get CaptchEtat bearer token from cache or get a new one from CaptchEtat Oauth server"""
+    token_cache_key = current_app.config.get("CAPTCHETAT_TOKEN_CACHE_KEY")
+    url = current_app.config.get("CAPTCHETAT_OAUTH_BASE_URL")
+    previous_value = cache.get(token_cache_key)
+    if previous_value:
+        return previous_value
+    log.debug(f"New access token requested from {url}")
+    try:
+        oauth = requests.post(
+            f"{url}/api/oauth/token",
+            data={
+                "grant_type": "client_credentials",
+                "scope": "piste.captchetat",
+                "client_id": current_app.config.get("CAPTCHETAT_CLIENT_ID"),
+                "client_secret": current_app.config.get("CAPTCHETAT_CLIENT_SECRET"),
+            },
+        )
+        oauth.raise_for_status()
+        body = oauth.json()
+        access_token = body.get("access_token")
+        if not access_token:
+            raise requests.exceptions.RequestException(CAPTCHETAT_ERROR)
+        cache.set(token_cache_key, access_token, timeout=body.get("expires_in", 0))
+    except requests.exceptions.RequestException as request_exception:
+        log.exception(f"Error while getting access token from {url}")
+        raise request_exception
+    else:
+        return access_token
+
+
+@ns.route("/", endpoint="captchetat")
+class CaptchEtatAPI(API):
+    @apiv2.expect(captchetat_parser)
+    @apiv2.doc("captchetat")
+    def get(self):
+        """CaptchEtat endpoint for captcha generation and validation"""
+        args = captchetat_parser.parse_args()
+        try:
+            token = bearer_token()
+            headers = {}
+            if token:
+                headers = {"Authorization": "Bearer " + token}
+            captchetat_url = current_app.config.get("CAPTCHETAT_BASE_URL")
+            req = requests.get(
+                f"{captchetat_url}/simple-captcha-endpoint", headers=headers, params=args
+            )
+            req.raise_for_status()
+        except requests.exceptions.RequestException:
+            abort(500, description="Catptcha internal error")
+
+        resp = make_response(bytes(req.content))
+        resp.headers["Content-Type"] = req.headers.get("Content-Type")
+        return resp

udata/core/dataset/api.py

@@ -64,7 +64,7 @@ from .api_fields import (
     upload_community_fields,
     upload_fields,
 )
-from .constants import RESOURCE_TYPES, UPDATE_FREQUENCIES
+from .constants import RESOURCE_TYPES, UpdateFrequency
 from .exceptions import (
     SchemasCacheUnavailableException,
     SchemasCatalogNotFoundException,
@@ -890,7 +890,7 @@ class FrequenciesAPI(API):
     @api.marshal_list_with(frequency_fields)
     def get(self):
         """List all available frequencies"""
-        return [{"id": id, "label": label} for id, label in UPDATE_FREQUENCIES.items()]
+        return [{"id": f.id, "label": f.label} for f in UpdateFrequency]
 
 
 @ns.route("/extensions/", endpoint="allowed_extensions")

udata/core/dataset/api_fields.py

@@ -9,11 +9,10 @@ from udata.core.user.api_fields import user_ref_fields
 from .constants import (
     CHECKSUM_TYPES,
     DEFAULT_CHECKSUM_TYPE,
-    DEFAULT_FREQUENCY,
     DEFAULT_LICENSE,
     RESOURCE_FILETYPES,
     RESOURCE_TYPES,
-    UPDATE_FREQUENCIES,
+    UpdateFrequency,
 )
 
 checksum_fields = api.model(
@@ -361,8 +360,8 @@ dataset_fields = api.model(
         "frequency": fields.String(
             description="The update frequency",
             required=True,
-            enum=list(UPDATE_FREQUENCIES),
-            default=DEFAULT_FREQUENCY,
+            enum=list(UpdateFrequency),
+            default=UpdateFrequency.UNKNOWN,
         ),
         "frequency_date": fields.ISODateTime(
             description=(

udata/core/dataset/apiv2.py

@@ -30,7 +30,7 @@ from .api_fields import (
     temporal_coverage_fields,
     user_ref_fields,
 )
-from .constants import DEFAULT_FREQUENCY, DEFAULT_LICENSE, FULL_OBJECTS_HEADER, UPDATE_FREQUENCIES
+from .constants import DEFAULT_LICENSE, FULL_OBJECTS_HEADER, UpdateFrequency
 from .models import CommunityResource, Dataset
 from .search import DatasetSearch
 
@@ -157,13 +157,13 @@ dataset_fields = apiv2.model(
         ),
         "frequency": fields.Raw(
             attribute=lambda d: {
-                "id": d.frequency or DEFAULT_FREQUENCY,
-                "label": UPDATE_FREQUENCIES.get(d.frequency or DEFAULT_FREQUENCY),
+                "id": (d.frequency or UpdateFrequency.UNKNOWN).id,
+                "label": (d.frequency or UpdateFrequency.UNKNOWN).label,
             }
             if request.headers.get(FULL_OBJECTS_HEADER, False, bool)
-            else d.frequency,
-            enum=list(UPDATE_FREQUENCIES),
-            default=DEFAULT_FREQUENCY,
+            else (d.frequency or UpdateFrequency.UNKNOWN),
+            enum=list(UpdateFrequency),
+            default=UpdateFrequency.UNKNOWN,
             required=True,
             description="The update frequency (full Frequency object if `X-Get-Datasets-Full-Objects` is set, ID of the frequency otherwise)",
         ),

udata/core/dataset/commands.py

@@ -10,7 +10,6 @@ from udata.core.dataset.constants import DEFAULT_LICENSE
 from udata.models import Dataset, License
 
 from . import actions
-from .tasks import send_frequency_reminder
 
 log = logging.getLogger(__name__)
 
@@ -66,15 +65,6 @@ def licenses(source=DEFAULT_LICENSE_FILE):
     success("Done")
 
 
-@cli.command()
-def frequency_reminder():
-    """Send a unique email per organization to members
-
-    to remind them they have outdated datasets on the website.
-    """
-    send_frequency_reminder()
-
-
 @cli.group("dataset")
 def grp():
     """Dataset related operations"""