canaille-globuzma/canaille/core/models.py

import datetime
from typing import Optional

from flask import g
from flask import session


class User:
    """
    User model, based on the `SCIM User schema <https://datatracker.ietf.org/doc/html/rfc7643#section-4.1>`_
    """

    def __init__(self, *args, **kwargs):
        self.read = set()
        self.write = set()
        self.permissions = set()
        super().__init__(*args, **kwargs)

    @classmethod
    def get_from_login(cls, login=None, **kwargs) -> Optional["User"]:
        raise NotImplementedError()

    def login(self):
        """
        Opens a session for the user.
        """
        g.user = self
        try:
            previous = (
                session["user_id"]
                if isinstance(session["user_id"], list)
                else [session["user_id"]]
            )
            session["user_id"] = previous + [self.id]
        except KeyError:
            session["user_id"] = [self.id]

    @classmethod
    def logout(self):
        """
        Closes the user session.
        """
        try:
            session["user_id"].pop()
            del g.user
            if not session["user_id"]:
                del session["user_id"]
        except (IndexError, KeyError):
            pass

    def has_password(self) -> bool:
        """
        Checks wether a password has been set for the user.
        """
        raise NotImplementedError()

    def check_password(self, password: str) -> bool:
        """
        Checks if the password matches the user password in the database.
        """
        raise NotImplementedError()

    def set_password(self, password: str):
        """
        Sets a password for the user.
        """
        raise NotImplementedError()

    def can_read(self, field: str):
        return field in self.read | self.write

    @property
    def preferred_email(self):
        return self.emails[0] if self.emails else None

    def __getattr__(self, name):
        if name.startswith("can_") and name != "can_read":
            permission = name[4:]
            return permission in self.permissions

        return super().__getattr__(name)

    @property
    def locked(self) -> bool:
        """
        Wether the user account has been locked or has expired.
        """
        return bool(self.lock_date) and self.lock_date < datetime.datetime.now(
            datetime.timezone.utc
        )


class Group:
    """
    User model, based on the `SCIM Group schema <https://datatracker.ietf.org/doc/html/rfc7643#section-4.2>`_
    """
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`import datetime`
doc: model documentation 2023-08-17 13:55:41 +00:00			`from typing import Optional`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00
refactor: store user profile in g.user 2023-08-13 20:08:28 +00:00			`from flask import g`
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from flask import session`

draft 2020-08-14 11:18:08 +00:00
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`class User:`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			User model, based on the `SCIM User schema <https://datatracker.ietf.org/doc/html/rfc7643#section-4.1>`_
			`"""`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`def __init__(self, args, *kwargs):`
			`self.read = set()`
			`self.write = set()`
			`self.permissions = set()`
			`super().__init__(args, *kwargs)`

Admin login 2020-08-19 14:20:57 +00:00			`@classmethod`
doc: model documentation 2023-08-17 13:55:41 +00:00			`def get_from_login(cls, login=None, **kwargs) -> Optional["User"]:`
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`raise NotImplementedError()`
ACL filters are no more LDAP filters but user attribute mappings. 2023-04-14 16:46:42 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`def login(self):`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			`Opens a session for the user.`
			`"""`
refactor: store user profile in g.user 2023-08-13 20:08:28 +00:00			`g.user = self`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`try:`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`previous = (`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`session["user_id"]`
			`if isinstance(session["user_id"], list)`
			`else [session["user_id"]]`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`)`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`session["user_id"] = previous + [self.id]`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`except KeyError:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`session["user_id"] = [self.id]`
User refactoring 2020-08-21 08:23:39 +00:00
Session compatibility fix 2020-12-29 08:31:46 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def logout(self):`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			`Closes the user session.`
			`"""`
User refactoring 2020-08-21 08:23:39 +00:00			`try:`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`session["user_id"].pop()`
refactor: store user profile in g.user 2023-08-13 20:08:28 +00:00			`del g.user`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`if not session["user_id"]:`
			`del session["user_id"]`
User.logout excepts IndexError in case of invalid sessions 2023-04-18 18:36:48 +00:00			`except (IndexError, KeyError):`
User refactoring 2020-08-21 08:23:39 +00:00			`pass`

doc: model documentation 2023-08-17 13:55:41 +00:00			`def has_password(self) -> bool:`
Use a unique identifier to indentify users in URLS Previously we used the uid since we supposed this value was always valid, but some users user the mail attribute as the User RDN in their OpenLDAP installation, and do not have a uuid. 2023-06-27 15:41:00 +00:00			`"""`
doc: model documentation 2023-08-17 13:55:41 +00:00			`Checks wether a password has been set for the user.`
Use a unique identifier to indentify users in URLS Previously we used the uid since we supposed this value was always valid, but some users user the mail attribute as the User RDN in their OpenLDAP installation, and do not have a uuid. 2023-06-27 15:41:00 +00:00			`"""`
			`raise NotImplementedError()`

doc: model documentation 2023-08-17 13:55:41 +00:00			`def check_password(self, password: str) -> bool:`
			`"""`
			`Checks if the password matches the user password in the database.`
			`"""`
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`raise NotImplementedError()`
draft 2020-08-14 11:18:08 +00:00
doc: model documentation 2023-08-17 13:55:41 +00:00			`def set_password(self, password: str):`
			`"""`
			`Sets a password for the user.`
			`"""`
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`raise NotImplementedError()`
Permissions overhaul 2021-12-02 17:23:14 +00:00
doc: model documentation 2023-08-17 13:55:41 +00:00			`def can_read(self, field: str):`
jpegPhoto profile form 2021-12-08 17:06:50 +00:00			`return field in self.read \| self.write`

Implemented User.preferred_email 2023-06-22 13:24:13 +00:00			`@property`
			`def preferred_email(self):`
			`return self.emails[0] if self.emails else None`

refactor: user permission sugar 2023-08-14 14:25:12 +00:00			`def __getattr__(self, name):`
			`if name.startswith("can_") and name != "can_read":`
			`permission = name[4:]`
			`return permission in self.permissions`
Permissions overhaul 2021-12-02 17:23:14 +00:00
refactor: user permission sugar 2023-08-14 14:25:12 +00:00			`return super().__getattr__(name)`
Permissions overhaul 2021-12-02 17:23:14 +00:00
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`@property`
doc: model documentation 2023-08-17 13:55:41 +00:00			`def locked(self) -> bool:`
			`"""`
			`Wether the user account has been locked or has expired.`
			`"""`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`return bool(self.lock_date) and self.lock_date < datetime.datetime.now(`
			`datetime.timezone.utc`
			`)`

Issue 12 groups 2021-06-03 13:00:11 +00:00
Moved models specificities in the backend module 2023-04-10 11:45:52 +00:00			`class Group:`
doc: model documentation 2023-08-17 13:55:41 +00:00			`"""`
			User model, based on the `SCIM Group schema <https://datatracker.ietf.org/doc/html/rfc7643#section-4.2>`_
			`"""`