Merge branch 'nix-shell' into 'main'

Nix shell

See merge request bde/nk20!201

.env_example

@@ -21,6 +21,3 @@ EMAIL_PASSWORD=CHANGE_ME
 # Wiki configuration
 WIKI_USER=NoteKfet2020
 WIKI_PASSWORD=
-
-# OIDC
-OIDC_RSA_PRIVATE_KEY=CHANGE_ME

.gitignore

@@ -48,7 +48,6 @@ backups/
 env/
 venv/
 db.sqlite3
-shell.nix
 
 # ansibles customs host
 ansible/host_vars/*.yaml

README.md

@@ -61,8 +61,8 @@ Bien que cela permette de créer une instance sur toutes les distributions,
 6. (Optionnel) **Création d'une clé privée OpenID Connect**
 
 Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
-exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et copier la clé dans .env dans le champ
-`OIDC_RSA_PRIVATE_KEY`.
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
 
 7.  Enjoy :
 
@@ -237,8 +237,8 @@ Sinon vous pouvez suivre les étapes décrites ci-dessous.
 7. **Création d'une clé privée OpenID Connect**
 
 Pour activer le support d'OpenID Connect, il faut générer une clé privée, par
-exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner le champ
-`OIDC_RSA_PRIVATE_KEY` dans le .env (par défaut `/var/secrets/oidc.key`).
+exemple avec openssl (`openssl genrsa -out oidc.key 4096`), et renseigner son
+emplacement dans `OIDC_RSA_PRIVATE_KEY` (par défaut `/var/secrets/oidc.key`).
 
 8.  *Enjoy \o/*
 

apps/food/views.py

@@ -7,7 +7,7 @@ from api.viewsets import is_regex
 from django_tables2.views import MultiTableMixin
 from django.db import transaction
 from django.db.models import Q
-from django.http import HttpResponseRedirect, Http404
+from django.http import HttpResponseRedirect
 from django.views.generic import DetailView, UpdateView, CreateView
 from django.views.generic.list import ListView
 from django.urls import reverse_lazy
@@ -63,8 +63,7 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li
             valid_regex = is_regex(pattern)
             suffix = '__iregex' if valid_regex else '__istartswith'
             prefix = '^' if valid_regex else ''
-            qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern})
-                           | Q(**{f'owner__name{suffix}': prefix + pattern}))
+            qs = qs.filter(Q(**{f'name{suffix}': prefix + pattern}))
         else:
             qs = qs.none()
         search_table = qs.filter(PermissionBackend.filter_queryset(self.request, Food, 'view'))
@@ -72,7 +71,7 @@ class FoodListView(ProtectQuerysetMixin, LoginRequiredMixin, MultiTableMixin, Li
         open_table = self.get_queryset().order_by('expiry_date').filter(
             Q(polymorphic_ctype__model='transformedfood')
             | Q(polymorphic_ctype__model='basicfood', basicfood__date_type='DLC')).filter(
-                expiry_date__lt=timezone.now(), end_of_life='').filter(
+                expiry_date__lt=timezone.now()).filter(
                     PermissionBackend.filter_queryset(self.request, Food, 'view'))
         # table served
         served_table = self.get_queryset().order_by('-pk').filter(
@@ -241,6 +240,11 @@ class TransformedFoodCreateView(ProtectQuerysetMixin, ProtectedCreateView):
         form.instance.is_ready = False
         return super().form_valid(form)
 
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        context['title'] += ' ' + self.object.name
+        return context
+
     def get_success_url(self, **kwargs):
         self.object.refresh_from_db()
         return reverse_lazy('food:transformedfood_view', kwargs={"pk": self.object.pk})
@@ -434,8 +438,6 @@ class FoodDetailView(ProtectQuerysetMixin, LoginRequiredMixin, DetailView):
         return context
 
     def get(self, *args, **kwargs):
-        if Food.objects.filter(pk=kwargs['pk']).count() != 1:
-            return Http404
         model = Food.objects.get(pk=kwargs['pk']).polymorphic_ctype.model
         if 'stop_redirect' in kwargs and kwargs['stop_redirect']:
             return super().get(*args, **kwargs)

apps/permission/scopes.py

@@ -1,10 +1,8 @@
 # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
-
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.scopes import BaseScopes
 from member.models import Club
-from note.models import Alias
 from note_kfet.middlewares import get_current_request
 
 from .backends import PermissionBackend
@@ -19,46 +17,25 @@ class PermissionScopes(BaseScopes):
     """
 
     def get_all_scopes(self):
-        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
-                  for p in Permission.objects.all() for club in Club.objects.all()}
-        scopes['openid'] = "OpenID Connect"
-        return scopes
+        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+                for p in Permission.objects.all() for club in Club.objects.all()}
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        scopes = [f"{p.id}_{p.membership.club.id}"
-                  for t in Permission.PERMISSION_TYPES
-                  for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
-        scopes.append('openid')
-        return scopes
+        return [f"{p.id}_{p.membership.club.id}"
+                for t in Permission.PERMISSION_TYPES
+                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
 
     def get_default_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        scopes = [f"{p.id}_{p.membership.club.id}"
-                  for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-        scopes.append('openid')
-        return scopes
+        return [f"{p.id}_{p.membership.club.id}"
+                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
 
 
 class PermissionOAuth2Validator(OAuth2Validator):
-    oidc_claim_scope = OAuth2Validator.oidc_claim_scope
-    oidc_claim_scope.update({"name": 'openid',
-                             "normalized_name": 'openid',
-                             "email": 'openid',
-                             })
-
-    def get_additional_claims(self, request):
-        return {
-            "name": request.user.username,
-            "normalized_name": Alias.normalize(request.user.username),
-            "email": request.user.email,
-        }
-
-    def get_discovery_claims(self, request):
-        claims = super().get_discovery_claims(self)
-        return claims + ["name", "normalized_name", "email"]
+    oidc_claim_scope = None  # fix breaking change of django-oauth-toolkit 2.0.0
 
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
@@ -77,8 +54,6 @@ class PermissionOAuth2Validator(OAuth2Validator):
                 if scope in scopes:
                     valid_scopes.add(scope)
 
-        if 'openid' in scopes:
-            valid_scopes.add('openid')
-
         request.scopes = valid_scopes
+
         return valid_scopes

apps/permission/signals.py

@@ -19,7 +19,6 @@ EXCLUDED = [
     'oauth2_provider.accesstoken',
     'oauth2_provider.grant',
     'oauth2_provider.refreshtoken',
-    'oauth2_provider.idtoken',
     'sessions.session',
 ]
 

apps/permission/views.py

@@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
             available_scopes = scopes.get_available_scopes(app)
             context["scopes"][app] = OrderedDict()
             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
-            # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
             for k, v in items:
                 context["scopes"][app][k] = v
 

docs/apps/food.rst

@@ -19,9 +19,8 @@ Le modèle regroupe :
 * Propriétaire (doit-être un Club)
 * Allergènes (ManyToManyField)
 * date d'expiration
-* fin de vie
+* a été mangé (booléen)
 * est prêt (booléen)
-* consigne (pour les GCKs)
 
 BasicFood
 ~~~~~~~~~
@@ -41,7 +40,7 @@ Les TransformedFood correspondent aux produits préparés à la Kfet. Ils peuven
 
 Le modèle regroupe :
 
-* Durée de conservation (par défaut 3 jours)
+* Durée de consommation (par défaut 3 jours)
 * Ingrédients (ManyToManyField vers Food)
 * Date de création
 * Champs de Food

docs/apps/index.rst

@@ -12,7 +12,6 @@ Applications de la Note Kfet 2020
    ../api/index
    registration
    logs
-   food
    treasury
    wei
    wrapped
@@ -67,8 +66,6 @@ Applications facultatives
     Serveur central d'authentification, permet d'utiliser son compte de la NoteKfet2020 pour se connecter à d'autre application ayant intégrer un client.
 * `Scripts <https://gitlab.crans.org/bde/nk20-scripts>`_
      Ensemble de commande `./manage.py` pour la gestion de la note: import de données, verification d'intégrité, etc...
-* `Food <food>`_ :
-    Gestion de la nourriture dans Kfet pour les clubs.
 * `Treasury <treasury>`_ :
     Interface de gestion pour les trésorièr⋅es, émission de factures, remises de chèque, statistiques...
 * `WEI <wei>`_ :

docs/faq.rst

@@ -183,7 +183,6 @@ Contributeur⋅rices
    * korenst1
    * nicomarg
    * PAC
-   * Quark
    * ÿnérant
 
 

note_kfet/settings/base.py

@@ -270,7 +270,7 @@ OAUTH2_PROVIDER = {
     'PKCE_REQUIRED': False, # PKCE (fix a breaking change of django-oauth-toolkit 2.0.0)
     'OIDC_ENABLED': True,
     'OIDC_RSA_PRIVATE_KEY':
-        os.getenv('OIDC_RSA_PRIVATE_KEY', 'CHANGE_ME_IN_ENV_SETTINGS').replace('\\n', '\n'), # for multilines
+        os.getenv('OIDC_RSA_PRIVATE_KEY', '/var/secrets/oidc.key'),
     'SCOPES': { 'openid': "OpenID Connect scope" },
 }
 

shell-static.nix

@@ -0,0 +1,34 @@
+# This is a workaround meant for use with the nix package manager. If you don't know what it is or don't use it, please ignore this file.
+# 
+# The nk20 javascript static location are hardcoded for imperative system.
+# This make ./manage.py collectstatic hard to use with nixos.
+# 
+# A workaround is to enter a FHSUserEnv with the static placed under /share/javascript/<static>.
+# This emulate a debian like system and enable collecting static normally with ./manage.py collectstatics.
+# The regular shell.nix should be enough for other configurations.
+#
+# Warning, you are still supposed to use pip package with a venv !
+{ pkgs ? import <nixpkgs> {} }:
+(pkgs.buildFHSUserEnv {
+  name = "pipzone";
+  targetPkgs = pkgs: (with pkgs;
+  let
+    fhs-static = stdenv.mkDerivation {
+      name = "fhs-static";
+      buildCommand = ''
+      mkdir -p $out/share/javascript/bootstrap4
+      mkdir -p $out/share/javascript/jquery
+      ln -s ${python39Packages.xstatic-bootstrap}/lib/python3.9/site-packages/xstatic/pkg/bootstrap/data/* $out/share/javascript/bootstrap4
+      ln -s ${python39Packages.xstatic-jquery}/lib/python3.9/site-packages/xstatic/pkg/jquery/data/* $out/share/javascript/jquery
+    '';
+    };
+  in [
+    fhs-static
+    python39
+    gettext
+    python39Packages.pip
+    python39Packages.virtualenv
+    python39Packages.setuptools
+  ]);
+  runScript = "bash";
+}).env

shell.nix

@@ -0,0 +1,23 @@
+# This is meant for use with the nix package manager. If you don't know what it is or don't use it, please ignore this file.
+#
+# This shell.nix contains all dependencies require to create a venv and pip install -r requirements.txt.
+#
+# Please check shell-static.nix for running ./manage.py collectstatics.
+{ pkgs ? import <nixpkgs> {} }:
+pkgs.mkShell {
+  buildInputs = with pkgs; [
+    python39
+    python39Packages.pip
+    python39Packages.setuptools
+    gettext
+
+  ];
+  shellHook = ''
+    # Tells pip to put packages into $PIP_PREFIX instead of the usual locations.
+    # See https://pip.pypa.io/en/stable/user_guide/#environment-variables.
+    export PIP_PREFIX=$(pwd)/_build/pip_packages
+    export PYTHONPATH="$PIP_PREFIX/${pkgs.python39.sitePackages}:$PYTHONPATH"
+    export PATH="$PIP_PREFIX/bin:$PATH"
+    unset SOURCE_DATE_EPOCH
+  '';
+}