Compare commits

...

20 Commits

Author SHA1 Message Date
Eléonore Voisin a073e491b1 🐛(front) fix missing pagination mail domains
fix position div ref
2025-07-02 14:16:31 +02:00
Eléonore Voisin efd137e328 🐛(front) fix missing pagination mail domains
fix missing pagination mail domains + mailboxes list
2025-07-02 00:03:06 +02:00
Marie PUPO JEAMMET 10dcdfc8c2 🐛(webhook) fix error raised when no secret
Our Tchap webhook contains no secret (as a dedicated access token is provided)
This lead to an error upon trying to join rooms.
2025-06-23 17:28:41 +02:00
elvoisin f30398fbc7 🐛(front) fix button add mail domain (#932)
fix button rules + fix bad wording
2025-06-23 16:27:52 +02:00
Marie PUPO JEAMMET cc39ed5298 (teams) add matrix webhook for teams
A webhook to invite/kick team members to a matrix room.
2025-06-21 00:15:16 +02:00
Marie PUPO JEAMMET 7bebf13d88 🐛(domains) reduce logs around domain invitations
reduce logs and add tests around domain invitations
2025-06-21 00:15:16 +02:00
Quentin BEY e64a34f167 🧑‍💻(keycloak) command to add new client
This introduce a command to create a new client into the "people" realm.
This could be use to create a specific client to test the resource
server mode on a local deployment:
 - run the people stack
 - add the new client, let say, for docs
 - configure the people backend for token introspection
 - make calls from docs backend to people's backend

The new client is not mandatory because the same client could be used
everywhere but this would not demonstrate the fact the introspection
works in a real world configuration.
2025-06-21 00:15:16 +02:00
Quentin BEY 3379d6d499 🔧(git) set LF line endings for all text files
Windows users are by default using CRLF line endings,
which can cause issues with some tools and
environments. This commit sets the `.gitattributes`
file to enforce LF line endings for all text
files in the repository.

Based on the same commit on docs
2025-06-21 00:15:16 +02:00
Quentin BEY 213656fc2e 🧑‍💻(docker) split frontend to another file
This commit aims at improving the user experience:
- Use a dedicated `Dockerfile` for the frontend
- Run the backend and frontend in "watch"/dev mode in Docker
- Do not start all Docker instances for small tasks
2025-06-21 00:15:16 +02:00
Quentin BEY 4dfd682cb6 (resource-server) add SCIM /Me endpoint
This provide a "self-care" SCIM endpoint, authenticated with OIDC token
introspection. This endpoint will be use by services to fetch the user's
team list.

We chose to use the SCIM format (even if this is not a SCIM context) to
make it easier to understand/maintain/plug.
2025-06-21 00:15:16 +02:00
mjeammet 160c45bf35 🌐(i18n) update translated strings
Update translated files with new translations
2025-06-11 11:40:56 +02:00
Marie PUPO JEAMMET 3fdd8a230c 🔖(minor) release version 1.17.0
Update all version files and changelog for minor release.
2025-06-11 11:40:56 +02:00
renovate[bot] b47246826e ⬆️(dependencies) manually update python dependencies
Many of our dependencies still aren't compatible with Redis 6.
This results in a partial upgrade of our dependencies.
2025-06-10 21:59:41 +02:00
Marie PUPO JEAMMET 5429354261 🐛(config) whitelist kube pod
Whitelist our pod's IP address. Based on Visio's PR
https://github.com/suitenumerique/meet/pull/95
2025-06-10 18:12:02 +02:00
Marie PUPO JEAMMET 86c98cc426 🧑‍💻(dimail) modify makefile to setup dimail container upon running demo
Setup dimail container upon running demo so that it's always in sync.
2025-06-10 16:52:04 +02:00
Marie PUPO JEAMMET 0bbce9ffc8 🔥(dimail) remove obsolete user and allow creation in dimail setup
Remove obsolete duplication to dimail database.
See PR https://github.com/suitenumerique/people/pull/886 for more context.
2025-06-10 16:52:04 +02:00
Marie PUPO JEAMMET ce66645294 🐛(demo) fix domains names
Mailbox creation was broken in dev because of wrong format of domains names
2025-06-10 16:52:04 +02:00
Eléonore Voisin 485eb88dd1 (frontend) add crisp script
add crisp chatbox to global layout
2025-06-10 16:13:24 +02:00
renovate[bot] a8b08c4b6d ⬆️(dependencies) update requests to v2.32.4 [SECURITY] 2025-06-10 15:47:00 +02:00
renovate[bot] 23f5a13ccc ⬆️(dependencies) update django to v5.2.2 [SECURITY] 2025-06-10 12:20:27 +00:00
74 changed files with 1995 additions and 533 deletions
+24
View File
@@ -0,0 +1,24 @@
# Set the default behavior for all files
* text=auto eol=lf
# Binary files (should not be modified)
*.png binary
*.jpg binary
*.jpeg binary
*.gif binary
*.ico binary
*.mov binary
*.mp4 binary
*.mp3 binary
*.flv binary
*.fla binary
*.swf binary
*.gz binary
*.zip binary
*.7z binary
*.ttf binary
*.woff binary
*.woff2 binary
*.eot binary
*.pdf binary
+2 -1
View File
@@ -40,7 +40,7 @@ jobs:
name: Run trivy scan (frontend)
uses: numerique-gouv/action-trivy-cache@main
with:
docker-build-args: '--target frontend-production -f Dockerfile'
docker-build-args: '--target frontend-production -f src/frontend/Dockerfile'
docker-image-name: 'docker.io/lasuite/people-frontend:${{ github.sha }}'
build-and-push-backend:
@@ -105,6 +105,7 @@ jobs:
uses: docker/build-push-action@v6
with:
context: .
file: ./src/frontend/Dockerfile
target: frontend-production
build-args: DOCKER_USER=${{ env.DOCKER_USER }}:-1000
push: ${{ github.event_name != 'pull_request' }}
+2 -4
View File
@@ -167,6 +167,8 @@ jobs:
COMPOSE_DOCKER_CLI_BUILD: 1
run: |
docker compose build --pull --build-arg BUILDKIT_INLINE_CACHE=1
make update-keycloak-realm-app
make add-dev-rsa-private-key-to-env
make run
- name: Apply DRF migrations
@@ -177,10 +179,6 @@ jobs:
run: |
make demo FLUSH_ARGS='--no-input'
- name: Setup Dimail DB
run: |
make dimail-setup-db
- name: Run e2e tests
run: cd src/frontend/ && yarn e2e:test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
+17 -1
View File
@@ -10,6 +10,21 @@ and this project adheres to
### Added
- 🐛(front) fix missing pagination mail domains
- 🐛(front) fix button add mail domain
- ✨(teams) add matrix webhook for teams #904
- ✨(resource-server) add SCIM /Me endpoint #895
- 🔧(git) set LF line endings for all text files #928
### Changed
- 🧑‍💻(docker) split frontend to another file #924
## [1.17.0] - 2025-06-11
### Added
- ✨(frontend) add crisp script #914
- ⚡️(fix) add error when mailbox create failed
- ✨(mailbox) allow to reset password on mailboxes #834
@@ -391,7 +406,8 @@ and this project adheres to
- ✨(domains) create and manage domains on admin + API
- ✨(domains) mailbox creation + link to email provisioning API
[unreleased]: https://github.com/suitenumerique/people/compare/v1.16.0...main
[unreleased]: https://github.com/suitenumerique/people/compare/v1.17.0...main
[1.17.0]: https://github.com/suitenumerique/people/releases/v1.17.0
[1.16.0]: https://github.com/suitenumerique/people/releases/v1.16.0
[1.15.0]: https://github.com/suitenumerique/people/releases/v1.15.0
[1.14.1]: https://github.com/suitenumerique/people/releases/v1.14.1
-55
View File
@@ -10,61 +10,6 @@ RUN python -m pip install --upgrade pip setuptools
RUN apk update && \
apk upgrade
### ---- Front-end dependencies image ----
FROM node:20 AS frontend-deps
WORKDIR /deps
COPY ./src/frontend/package.json ./package.json
COPY ./src/frontend/yarn.lock ./yarn.lock
COPY ./src/frontend/apps/desk/package.json ./apps/desk/package.json
COPY ./src/frontend/packages/i18n/package.json ./packages/i18n/package.json
COPY ./src/frontend/packages/eslint-config-people/package.json ./packages/eslint-config-people/package.json
RUN yarn --frozen-lockfile
### ---- Front-end builder dev image ----
FROM node:20 AS frontend-builder-dev
WORKDIR /builder
COPY --from=frontend-deps /deps/node_modules ./node_modules
COPY ./src/frontend .
WORKDIR ./apps/desk
### ---- Front-end builder image ----
FROM frontend-builder-dev AS frontend-builder
RUN yarn build
# ---- Front-end image ----
FROM nginxinc/nginx-unprivileged:1.27-alpine AS frontend-production
USER root
RUN apk update && apk upgrade libssl3 libcrypto3 libxml2
USER nginx
# Un-privileged user running the application
ARG DOCKER_USER
USER ${DOCKER_USER}
COPY --from=frontend-builder \
/builder/apps/desk/out \
/usr/share/nginx/html
COPY ./src/frontend/apps/desk/conf/default.conf /etc/nginx/conf.d
# Copy entrypoint
COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
CMD ["nginx", "-g", "daemon off;"]
# ---- Back-end builder image ----
FROM base AS back-builder
+36 -28
View File
@@ -41,11 +41,9 @@ DOCKER_USER = $(DOCKER_UID):$(DOCKER_GID)
COMPOSE = DOCKER_USER=$(DOCKER_USER) docker compose
COMPOSE_EXEC = $(COMPOSE) exec
COMPOSE_EXEC_APP = $(COMPOSE_EXEC) app-dev
COMPOSE_RUN = $(COMPOSE) run --rm
COMPOSE_RUN = $(COMPOSE) run --rm --no-deps
COMPOSE_RUN_APP = $(COMPOSE_RUN) app-dev
COMPOSE_RUN_CROWDIN = $(COMPOSE_RUN) crowdin crowdin
WAIT_DB = @$(COMPOSE_RUN) dockerize -wait tcp://$(DB_HOST):$(DB_PORT) -timeout 60s
WAIT_KC_DB = $(COMPOSE_RUN) dockerize -wait tcp://kc_postgresql:5432 -timeout 60s
# -- Backend
MANAGE = $(COMPOSE_RUN_APP) python manage.py
@@ -78,19 +76,33 @@ create-env-files: \
env.d/development/kc_postgresql
.PHONY: create-env-files
add-dev-rsa-private-key-to-env: ## Add a generated RSA private key to the env file
@echo "Generating RSA private key PEM for development..."
@mkdir -p env.d/development/rsa
@openssl genrsa -out env.d/development/rsa/private.pem 2048
@echo -n "\nOAUTH2_PROVIDER_OIDC_RSA_PRIVATE_KEY=\"" >> env.d/development/common
@openssl rsa -in env.d/development/rsa/private.pem -outform PEM >> env.d/development/common
@echo "\"" >> env.d/development/common
@rm -rf env.d/development/rsa
.PHONY: add-dev-rsa-private-key-to-env
update-keycloak-realm-app: ## Create the Keycloak realm for the project
@echo "$(BOLD)Creating Keycloak realm for 'app'$(RESET)"
@sed -i 's|http://app-dev:8000|http://app:8000|g' ./docker/auth/realm.json
.PHONY: update-keycloak-realm-app
bootstrap: ## Prepare Docker images for the project and install frontend dependencies
bootstrap: \
data/media \
data/static \
create-env-files \
build \
run \
run-dev \
migrate \
back-i18n-compile \
mails-install \
mails-build \
dimail-setup-db \
install-front-desk
dimail-setup-db
.PHONY: bootstrap
# -- Docker/compose
@@ -106,19 +118,14 @@ logs: ## display app-dev logs (follow mode)
@$(COMPOSE) logs -f app-dev
.PHONY: logs
run: ## start the wsgi (production) and development server
@$(COMPOSE) up --force-recreate -d nginx
@$(COMPOSE) up --force-recreate -d app-dev
@$(COMPOSE) up --force-recreate -d celery-dev
@$(COMPOSE) up --force-recreate -d celery-beat-dev
@$(COMPOSE) up --force-recreate -d flower-dev
@$(COMPOSE) up --force-recreate -d keycloak
@$(COMPOSE) up -d dimail
@echo "Wait for postgresql to be up..."
@$(WAIT_KC_DB)
@$(WAIT_DB)
run: ## start the wsgi (production) and servers with production Docker images
@$(COMPOSE) up --force-recreate --detach app frontend celery celery-beat nginx maildev
.PHONY: run
run-dev: ## start the servers in development mode (watch) Docker images
@$(COMPOSE) up --force-recreate --detach app-dev frontend-dev celery-dev celery-beat-dev nginx maildev
.PHONY: run-dev
status: ## an alias for "docker compose ps"
@$(COMPOSE) ps
.PHONY: status
@@ -132,6 +139,7 @@ stop: ## stop the development server using Docker
demo: ## flush db then create a demo for load testing purpose
@$(MAKE) resetdb
@$(MANAGE) create_demo
@$(MAKE) dimail-setup-db
.PHONY: demo
@@ -186,22 +194,16 @@ test-coverage: ## compute, display and save test coverage
makemigrations: ## run django makemigrations for the people project.
@echo "$(BOLD)Running makemigrations$(RESET)"
@$(COMPOSE) up -d postgresql
@$(WAIT_DB)
@$(MANAGE) makemigrations $(ARGS)
.PHONY: makemigrations
migrate: ## run django migrations for the people project.
@echo "$(BOLD)Running migrations$(RESET)"
@$(COMPOSE) up -d postgresql
@$(WAIT_DB)
@$(MANAGE) migrate $(ARGS)
.PHONY: migrate
showmigrations: ## run django showmigrations for the people project.
@echo "$(BOLD)Running showmigrations$(RESET)"
@$(COMPOSE) up -d postgresql
@$(WAIT_DB)
@$(MANAGE) showmigrations $(ARGS)
.PHONY: showmigrations
@@ -293,12 +295,8 @@ i18n-generate-and-upload: \
# -- INTEROPERABILTY
# -- Dimail configuration
dimail-recreate-container:
@$(COMPOSE) up --force-recreate -d dimail
.PHONY: dimail-recreate-container
dimail-setup-db:
@$(COMPOSE) up --force-recreate -d dimail
@echo "$(BOLD)Populating database of local dimail API container$(RESET)"
@$(MANAGE) setup_dimail_db --populate-from-people
.PHONY: dimail-setup-db
@@ -429,3 +427,13 @@ install-secret: ## install the kubernetes secrets from Vaultwarden
fetch-domain-status:
@$(MANAGE) fetch_domain_status
.PHONY: fetch-domain-status
# -- Keycloak related
create-new-client: ## run the add-keycloak-client.sh script for keycloak.
@echo "$(BOLD)Running add-keycloak-client.sh$(RESET)"
@$(COMPOSE_RUN) \
-v ./scripts/keycloak/add-keycloak-client.sh:/tmp/add-keycloak-client.sh \
--entrypoint="/tmp/add-keycloak-client.sh" \
keycloak \
$(filter-out $@,$(MAKECMDGOALS))
.PHONY: create-new-client
+7 -1
View File
@@ -33,7 +33,7 @@ The easiest way to start working on the project is to use GNU Make:
$ make bootstrap
```
This command builds the `app` container, installs dependencies, performs
This command builds the `app-dev` container, installs dependencies, performs
database migrations and compile translations. It's a good idea to use this
command each time you are pulling code from the project repository to avoid
dependency-related or migration-related issues.
@@ -46,6 +46,12 @@ Note that if you need to run them afterward, you can use the eponym Make rule:
$ make run
```
or if you want to run them in development mode (with live reloading):
```bash
$ make run-dev
```
You can check all available Make rules using:
```bash
+17
View File
@@ -64,6 +64,23 @@ function _dc_run() {
_docker_compose run --rm $user_args "$@"
}
# _dc_run_no_deps: wrap docker compose run command without dependencies
#
# usage: _dc_run_no_deps [options] [ARGS...]
#
# options: docker compose run command options
# ARGS : docker compose run command arguments
function _dc_run_no_deps() {
_set_user
user_args="--user=$USER_ID"
if [ -z $USER_ID ]; then
user_args=""
fi
_docker_compose run --no-deps --rm $user_args "$@"
}
# _dc_exec: wrap docker compose exec command
#
# usage: _dc_exec [options] [ARGS...]
+1 -1
View File
@@ -35,4 +35,4 @@ fi
# Fix docker vs local path when project sources are mounted as a volume
read -ra paths <<< "$(echo "${paths[@]}" | sed "s|src/backend/||g")"
_dc_run app-dev pylint "${paths[@]}" "${args[@]}"
_dc_run_no_deps app-dev pylint "${paths[@]}" "${args[@]}"
+123 -39
View File
@@ -6,6 +6,11 @@ services:
- env.d/development/postgresql
ports:
- "15432:5432"
healthcheck:
test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
interval: 1s
timeout: 2s
retries: 300
redis:
image: redis:5
@@ -23,6 +28,7 @@ services:
DOCKER_USER: ${DOCKER_USER:-1000}
user: ${DOCKER_USER:-1000}
image: people:backend-development
pull_policy: never
environment:
- PYLINTHOME=/app/.pylint.d
- DJANGO_CONFIGURATION=Development
@@ -37,11 +43,69 @@ services:
- ./data/media:/data/media
- ./data/static:/data/static
depends_on:
- dimail
- postgresql
- maildev
- redis
postgresql:
condition: service_healthy
restart: true
dimail:
condition: service_started
maildev:
condition: service_started
redis:
condition: service_started
frontend-dev:
user: "${DOCKER_USER:-1000}"
build:
context: .
dockerfile: ./src/frontend/Dockerfile
target: frontend-dev
image: people:frontend-development
pull_policy: never
volumes:
- ./src/frontend:/home/frontend
- /home/frontend/node_modules
- /home/frontend/apps/desk/node_modules
ports:
- "3000:3000"
app:
build:
context: .
target: backend-production
args:
DOCKER_USER: ${DOCKER_USER:-1000}
user: ${DOCKER_USER:-1000}
image: people:backend-production
environment:
- DJANGO_CONFIGURATION=Development
env_file:
- env.d/development/common
- env.d/development/france
- env.d/development/postgresql
ports:
- "8071:8000"
volumes:
- ./data/media:/data/media
depends_on:
postgresql:
condition: service_healthy
restart: true
redis:
condition: service_started
frontend:
user: "${DOCKER_USER:-1000}"
build:
context: .
dockerfile: ./src/frontend/Dockerfile
target: frontend-production
args:
API_ORIGIN: "http://localhost:8071"
image: people:frontend-production
pull_policy: build
ports:
- "3000:3000"
celery-dev:
user: ${DOCKER_USER:-1000}
image: people:backend-development
@@ -56,7 +120,11 @@ services:
- ./data/media:/data/media
- ./data/static:/data/static
depends_on:
- app-dev
postgresql:
condition: service_healthy
restart: true
app-dev:
condition: service_started
celery-beat-dev:
user: ${DOCKER_USER:-1000}
@@ -72,26 +140,9 @@ services:
- ./data/media:/data/media
- ./data/static:/data/static
depends_on:
- app-dev
app:
build:
context: .
target: backend-production
args:
DOCKER_USER: ${DOCKER_USER:-1000}
user: ${DOCKER_USER:-1000}
image: people:backend-production
environment:
- DJANGO_CONFIGURATION=Demo
env_file:
- env.d/development/common
- env.d/development/postgresql
volumes:
- ./data/media:/data/media
depends_on:
- postgresql
- redis
postgresql:
condition: service_healthy
restart: true
celery:
user: ${DOCKER_USER:-1000}
@@ -103,7 +154,29 @@ services:
- env.d/development/common
- env.d/development/postgresql
depends_on:
- app
postgresql:
condition: service_healthy
restart: true
app:
condition: service_started
celery-beat:
user: ${DOCKER_USER:-1000}
image: people:backend-production
command: ["celery", "-A", "people.celery_app", "beat", "-l", "INFO"]
environment:
- DJANGO_CONFIGURATION=Demo
env_file:
- env.d/development/common
- env.d/development/postgresql
volumes:
- ./src/backend:/app
- ./data/media:/data/media
- ./data/static:/data/static
depends_on:
postgresql:
condition: service_healthy
restart: true
nginx:
image: nginx:1.25
@@ -112,12 +185,9 @@ services:
volumes:
- ./docker/files/etc/nginx/conf.d:/etc/nginx/conf.d:ro
depends_on:
- app
- keycloak
dockerize:
image: jwilder/dockerize
platform: linux/x86_64
keycloak:
condition: service_healthy
restart: true
crowdin:
image: crowdin/cli:4.6.1
@@ -137,11 +207,16 @@ services:
- ".:/app"
kc_postgresql:
image: postgres:14.3
ports:
- "5433:5432"
env_file:
- env.d/development/kc_postgresql
image: postgres:14.3
ports:
- "5433:5432"
env_file:
- env.d/development/kc_postgresql
healthcheck:
test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
interval: 1s
timeout: 2s
retries: 300
keycloak:
image: quay.io/keycloak/keycloak:20.0.1
@@ -158,6 +233,8 @@ services:
- --hostname-admin-url=http://localhost:8083/
- --hostname-strict=false
- --hostname-strict-https=false
- --health-enabled=true
- --metrics-enabled=true
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
@@ -168,10 +245,17 @@ services:
KC_DB_USERNAME: people
KC_DB_SCHEMA: public
PROXY_ADDRESS_FORWARDING: 'true'
healthcheck:
test: [ "CMD", "curl", "--head", "-fsS", "http://localhost:8080/health/ready" ]
interval: 1s
timeout: 2s
retries: 300
ports:
- "8080:8080"
depends_on:
- kc_postgresql
kc_postgresql:
condition: service_healthy
restart: true
dimail:
entrypoint: /opt/dimail-api/start-dev.sh
+1 -1
View File
@@ -26,7 +26,7 @@
"oauth2DeviceCodeLifespan": 600,
"oauth2DevicePollingInterval": 5,
"enabled": true,
"sslRequired": "external",
"sslRequired": "none",
"registrationAllowed": true,
"registrationEmailAsUsername": false,
"rememberMe": true,
+2 -3
View File
@@ -13,8 +13,7 @@ To ease local development, dimail provides a container that we embark in our doc
Bootstraping with command `make bootstrap` creates a container and initializes its database.
Additional commands :
- Reset the database by recreating the container with `dimail-recreate-container`.
- Populate the database with all the content of your People database with `dimail-setup-db`
- Reset and populate the database with all the content of your People database with `dimail-setup-db`
## Architecture
@@ -47,5 +46,5 @@ People users can have 3 levels of permissions on a domain:
Mailboxes can be created by a domain owners or administrators in People's domain tab.
On enabled domains, mailboxes are created at the same time on dimail (and a confirmation email is sent to the secondary email).
On pending/failed domains, mailboxes are only created locally with "pending" status and are sent to dimail upon domain's activation.
On pending/failed domains, mailboxes are only created locally with "pending" status and are sent to dimail upon domain's (re)activation.
On disabled domains, mailboxes creation is not allowed.
+4
View File
@@ -3,6 +3,7 @@ DJANGO_ALLOWED_HOSTS=*
DJANGO_SECRET_KEY=ThisIsAnExampleKeyForDevPurposeOnly
DJANGO_SETTINGS_MODULE=people.settings
DJANGO_SUPERUSER_PASSWORD=admin
DJANGO_CORS_ALLOWED_ORIGINS=http://localhost:3000
# Python
PYTHONPATH=/app
@@ -65,3 +66,6 @@ IH5em4M/pHIcsqCi1qggBMbdvzHBUtC3R4sK0CpEFHlN+Y59aGazidcN2FPupNJv
MbyqKyC6DAzv4jEEhHaN7oY=
-----END PRIVATE KEY-----
"
# INTEROP
MAIL_PROVISIONING_API_CREDENTIALS="bGFfcmVnaWU6cGFzc3dvcmQ=" # Dev and test key for dimail interop
+4 -2
View File
@@ -2,7 +2,9 @@
SUSTAINED_THROTTLE_RATES="200/hour"
BURST_THROTTLE_RATES="200/minute"
OAUTH2_PROVIDER_OIDC_ENABLED = True
OAUTH2_PROVIDER_VALIDATOR_CLASS: "mailbox_oauth2.validators.ProConnectValidator"
OIDC_ORGANIZATION_REGISTRATION_ID_FIELD="siret"
OAUTH2_PROVIDER_OIDC_ENABLED=True
OAUTH2_PROVIDER_VALIDATOR_CLASS="mailbox_oauth2.validators.ProConnectValidator"
INSTALLED_PLUGINS=plugins.la_suite
+149
View File
@@ -0,0 +1,149 @@
#!/bin/bash
# Script to add a new client to Keycloak using the kcadm.sh CLI
# Usage: ./add-keycloak-client.sh [client_id] [client_secret]
# Default values
CLIENT_ID=${1:-"some-client-id"}
CLIENT_SECRET=${2:-"ThisIsAnExampleKeyForDevPurposeOnly"}
KEYCLOAK_URL=${KEYCLOAK_URL:-"http://keycloak:8080"}
KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN:-"admin"}
KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-"admin"}
REALM=${REALM:-"people"}
# Check for kcadm.sh in common locations
KCADM_LOCATIONS=(
"/opt/keycloak/bin/kcadm.sh"
"/opt/jboss/keycloak/bin/kcadm.sh"
"/usr/local/bin/kcadm.sh"
"./bin/kcadm.sh"
"$(which kcadm.sh 2>/dev/null)"
)
KCADM=""
for loc in "${KCADM_LOCATIONS[@]}"; do
if [ -x "$loc" ]; then
KCADM="$loc"
break
fi
done
if [ -z "$KCADM" ]; then
echo "Error: kcadm.sh not found. Please specify its location manually."
echo "You can set the KCADM environment variable to the path of kcadm.sh"
exit 1
fi
echo "Using Keycloak Admin CLI at: $KCADM"
echo "Logging in to Keycloak at $KEYCLOAK_URL..."
# Login to Keycloak
$KCADM config credentials \
--server $KEYCLOAK_URL \
--realm master \
--user $KEYCLOAK_ADMIN \
--password $KEYCLOAK_ADMIN_PASSWORD
if [ $? -ne 0 ]; then
echo "Failed to login to Keycloak. Please check your credentials and try again."
exit 1
fi
echo "Successfully logged in to Keycloak."
echo "Creating new client '$CLIENT_ID' in realm '$REALM'..."
# Create a temporary JSON file with client configuration
CLIENT_JSON=$(mktemp)
cat > "$CLIENT_JSON" << EOF
{
"clientId": "$CLIENT_ID",
"name": "",
"description": "",
"rootUrl": "",
"adminUrl": "",
"baseUrl": "",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "$CLIENT_SECRET",
"redirectUris": [
"http://localhost:8070/*",
"http://localhost:8071/*",
"http://localhost:3200/*",
"http://localhost:8088/*",
"http://localhost:3000/*"
],
"webOrigins": [
"http://localhost:3200",
"http://localhost:8088",
"http://localhost:8070",
"http://localhost:3000"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"access.token.lifespan": "-1",
"client.secret.creation.time": "$(date +%s)",
"user.info.response.signature.alg": "RS256",
"post.logout.redirect.uris": "http://localhost:8070/*##http://localhost:3200/*##http://localhost:3000/*",
"oauth2.device.authorization.grant.enabled": "false",
"use.jwks.url": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"use.refresh.tokens": "true",
"tls-client-certificate-bound-access-tokens": "false",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"acr.loa.map": "{}",
"require.pushed.authorization.requests": "false",
"display.on.consent.screen": "false",
"client.session.idle.timeout": "-1",
"token.response.type.bearer.lower-case": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": [
"web-origins",
"acr",
"roles",
"profile",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
EOF
# Create the client using kcadm.sh
$KCADM create clients -r "$REALM" -f "$CLIENT_JSON"
if [ $? -ne 0 ]; then
echo "Failed to create client. Check the error message above."
rm "$CLIENT_JSON"
exit 1
fi
echo "✅ Client '$CLIENT_ID' created successfully!"
echo " Client ID: $CLIENT_ID"
echo " Client Secret: $CLIENT_SECRET"
# Clean up temporary file
rm "$CLIENT_JSON"
# Display the created client
echo "Client details:"
$KCADM get clients -r "$REALM" --query "clientId=$CLIENT_ID"
+7 -1
View File
@@ -586,7 +586,13 @@ class ConfigView(views.APIView):
GET /api/v1.0/config/
Return a dictionary of public settings.
"""
array_settings = ["LANGUAGES", "FEATURES", "RELEASE", "COMMIT"]
array_settings = [
"LANGUAGES",
"FEATURES",
"RELEASE",
"COMMIT",
"CRISP_WEBSITE_ID",
]
dict_settings = {}
for setting in array_settings:
dict_settings[setting] = getattr(settings, setting)
@@ -0,0 +1 @@
"""SCIM compliant API for resource server"""
@@ -0,0 +1,16 @@
"""Exceptions for SCIM API."""
from django.conf import settings
from core.api.resource_server.scim.response import ScimJsonResponse
def scim_exception_handler(exc, _context):
"""Handle SCIM exceptions and return them in the correct format."""
data = {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
"status": str(exc.status_code),
"detail": str(exc.detail) if settings.DEBUG else "",
}
return ScimJsonResponse(data, status=exc.status_code)
@@ -0,0 +1,16 @@
"""SCIM API response classes."""
from rest_framework.response import Response
class ScimJsonResponse(Response):
"""
Custom JSON response class for SCIM API.
This class sets the content type to "application/json+scim" for SCIM
responses.
"""
def __init__(self, *args, **kwargs):
"""JSON response with enforced SCIM content type."""
super().__init__(*args, content_type="application/json+scim", **kwargs)
@@ -0,0 +1,90 @@
"""SCIM serializers for resource server API."""
from django.urls import reverse
from rest_framework import serializers
from core import models
class SCIMUserSerializer(serializers.ModelSerializer):
"""Serialize users in SCIM format."""
schemas = serializers.SerializerMethodField()
userName = serializers.CharField(source="sub")
displayName = serializers.CharField(source="name")
emails = serializers.SerializerMethodField()
meta = serializers.SerializerMethodField()
groups = serializers.SerializerMethodField()
active = serializers.BooleanField(source="is_active")
class Meta:
model = models.User
fields = [
"id",
"schemas",
"active",
"userName",
"displayName",
"emails",
"groups",
"meta",
]
read_only_fields = [
"id",
"schemas",
"active",
"userName",
"displayName",
"emails",
"groups",
"meta",
]
def get_schemas(self, _obj):
"""Return the SCIM schemas for the user."""
return ["urn:ietf:params:scim:schemas:core:2.0:User"]
def get_emails(self, obj):
"""Return the user's email as a list of email objects."""
if obj.email:
return [
{
"value": obj.email,
"primary": True,
"type": "work",
}
]
return []
def get_groups(self, obj):
"""
Return the groups the user belongs to.
WARNING: you need to prefetch the team accesses in the
viewset to avoid N+1 queries.
"""
return [
{
"value": str(team_access.team.external_id),
"display": team_access.team.name,
"type": "direct",
}
for team_access in obj.accesses.all()
]
def get_meta(self, obj):
"""Return metadata about the user."""
request = self.context.get("request")
location = (
f"{request.build_absolute_uri('/').rstrip('/')}{reverse('scim-me-list')}"
if request
else None
)
return {
"resourceType": "User",
"created": obj.created_at.isoformat(),
"lastModified": obj.updated_at.isoformat(),
"location": location,
}
@@ -0,0 +1,62 @@
"""Resource server SCIM API endpoints"""
from django.contrib.auth import get_user_model
from django.db.models import Prefetch, Q
from lasuite.oidc_resource_server.mixins import ResourceServerMixin
from rest_framework import (
viewsets,
)
from core.api import permissions
from core.models import TeamAccess
from . import serializers
from .exceptions import scim_exception_handler
from .response import ScimJsonResponse
User = get_user_model()
class MeViewSet(ResourceServerMixin, viewsets.ViewSet):
"""
SCIM-compliant ViewSet for the /Me endpoint.
This endpoint provides information about the currently authenticated user
in SCIM (System for Cross-domain Identity Management) format.
Features:
- Returns user details in SCIM format.
- Includes the user's teams, restricted to the audience.
Limitations:
- Does not currently support managing Team hierarchies.
Endpoint:
GET /resource-server/v1.0/scim/Me/
Retrieves the authenticated user's details and associated teams.
"""
permission_classes = [permissions.IsAuthenticated]
serializer_class = serializers.SCIMUserSerializer
def get_exception_handler(self):
"""Override the default exception handler to use SCIM-specific handling."""
return scim_exception_handler
def list(self, request, *args, **kwargs):
"""Return the current user's details in SCIM format."""
service_provider_audience = self._get_service_provider_audience()
user = User.objects.prefetch_related(
Prefetch(
"accesses",
queryset=TeamAccess.objects.select_related("team").filter(
Q(team__service_providers__audience_id=service_provider_audience)
| Q(team__is_visible_all_services=True)
),
)
).get(pk=request.user.pk)
serializer = self.serializer_class(user, context={"request": request})
return ScimJsonResponse(serializer.data)
+7
View File
@@ -24,3 +24,10 @@ class WebhookStatusChoices(models.TextChoices):
FAILURE = "failure", _("Failure")
PENDING = "pending", _("Pending")
SUCCESS = "success", _("Success")
class WebhookProtocolChoices(models.TextChoices):
"""Defines the possible protocols of webhook."""
SCIM = "scim"
MATRIX = "matrix"
@@ -0,0 +1,40 @@
# Generated by Django 5.2 on 2025-06-12 09:58
import uuid
from django.conf import settings
from django.db import migrations, models
def gen_team_uuid(apps, schema_editor):
Team = apps.get_model("core", "Team")
for row in Team.objects.all():
row.external_id = uuid.uuid4()
# Don't need to batch update here, as the table is likely small or empty
row.save(update_fields=["external_id"])
class Migration(migrations.Migration):
dependencies = [
('core', '0015_alter_accountservice_api_key'),
]
operations = [
migrations.AddField(
model_name='team',
name='external_id',
field=models.UUIDField(default=uuid.uuid4, editable=False, help_text='Team external UUID for synchronization with external systems', unique=False, verbose_name='external_id'),
),
migrations.RunPython(gen_team_uuid, reverse_code=migrations.RunPython.noop),
migrations.AlterField(
model_name='team',
name='external_id',
field=models.UUIDField(default=uuid.uuid4, editable=False, help_text='Team external UUID for synchronization with external systems', unique=True, verbose_name='external_id'),
),
#
migrations.AlterField(
model_name='team',
name='users',
field=models.ManyToManyField(related_name='teams', through='core.TeamAccess', through_fields=('team', 'user'), to=settings.AUTH_USER_MODEL),
),
]
@@ -0,0 +1,18 @@
# Generated by Django 5.2.3 on 2025-06-17 14:23
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('core', '0016_team_external_id_alter_team_users'),
]
operations = [
migrations.AddField(
model_name='teamwebhook',
name='protocol',
field=models.CharField(choices=[('scim', 'Scim'), ('matrix', 'Matrix')], default='scim'),
),
]
+31 -16
View File
@@ -21,7 +21,7 @@ from django.contrib.postgres.fields import ArrayField
from django.contrib.sites.models import Site
from django.core import exceptions, mail, validators
from django.core.exceptions import ValidationError
from django.db import models, transaction
from django.db import models
from django.template.loader import render_to_string
from django.utils import timezone
from django.utils.translation import gettext, override
@@ -31,9 +31,9 @@ import jsonschema
from timezone_field import TimeZoneField
from treebeard.mp_tree import MP_Node, MP_NodeManager
from core.enums import WebhookStatusChoices
from core.enums import WebhookProtocolChoices, WebhookStatusChoices
from core.plugins.registry import registry as plugin_hooks_registry
from core.utils.webhooks import scim_synchronizer
from core.utils.webhooks import webhooks_synchronizer
from core.validators import get_field_validators_from_setting
logger = getLogger(__name__)
@@ -742,6 +742,11 @@ class Team(MP_Node, BaseModel):
can see it.
When a team is created from a Service Provider this one is automatically set in the
Team `service_providers`.
The team `external_id` is used to synchronize the team with external systems, this
is the equivalent of the User `sub` field but for teams (note: `sub` is highly related
to the OIDC standard, while `external_id` is not). The `external_id` is NOT the same as
the `externalId` field in the SCIM standard when importing teams from SCIM.
"""
# Allow up to 80 nested teams with 62^5 (916_132_832) root nodes
@@ -752,6 +757,14 @@ class Team(MP_Node, BaseModel):
name = models.CharField(max_length=100)
external_id = models.UUIDField(
verbose_name=_("external_id"),
help_text=_("Team external UUID for synchronization with external systems"),
unique=True,
default=uuid.uuid4,
editable=False,
)
users = models.ManyToManyField(
User,
through="TeamAccess",
@@ -851,16 +864,12 @@ class TeamAccess(BaseModel):
Override save function to fire webhooks on any addition or update
to a team access.
"""
if self._state.adding:
if self._state.adding and self.team.webhooks.exists():
self.team.webhooks.update(status=WebhookStatusChoices.PENDING)
with transaction.atomic():
instance = super().save(*args, **kwargs)
scim_synchronizer.add_user_to_group(self.team, self.user)
else:
instance = super().save(*args, **kwargs)
# try to synchronize all webhooks
webhooks_synchronizer.add_user_to_group(self.team, self.user)
return instance
return super().save(*args, **kwargs)
def delete(self, *args, **kwargs):
"""
@@ -868,11 +877,12 @@ class TeamAccess(BaseModel):
Don't allow deleting a team access until it is successfully synchronized with all
its webhooks.
"""
self.team.webhooks.update(status=WebhookStatusChoices.PENDING)
with transaction.atomic():
arguments = self.team, self.user
super().delete(*args, **kwargs)
scim_synchronizer.remove_user_from_group(*arguments)
if webhooks := self.team.webhooks.all():
webhooks.update(status=WebhookStatusChoices.PENDING)
# try to synchronize all webhooks
webhooks_synchronizer.remove_user_from_group(self.team, self.user)
super().delete(*args, **kwargs)
def get_abilities(self, user):
"""
@@ -930,6 +940,11 @@ class TeamWebhook(BaseModel):
team = models.ForeignKey(Team, related_name="webhooks", on_delete=models.CASCADE)
url = models.URLField(_("url"))
secret = models.CharField(_("secret"), max_length=255, null=True, blank=True)
protocol = models.CharField(
max_length=None,
default=WebhookProtocolChoices.SCIM,
choices=WebhookProtocolChoices.choices,
)
status = models.CharField(
max_length=10,
default=WebhookStatusChoices.PENDING,
+1
View File
@@ -0,0 +1 @@
"""Test fixtures."""
+75
View File
@@ -0,0 +1,75 @@
"""Define here some fake responses from Matrix API, useful to mock responses in tests."""
from rest_framework import status
# JOIN ROOMS
def mock_join_room_successful(room_id):
"""Mock response when succesfully joining room. Same response if already in room."""
return {"message": {"room_id": str(room_id)}, "status_code": status.HTTP_200_OK}
def mock_join_room_no_known_servers():
"""Mock response when room to join cannot be found."""
return {
"message": {"errcode": "M_UNKNOWN", "error": "No known servers"},
"status_code": status.HTTP_404_NOT_FOUND,
}
def mock_join_room_forbidden():
"""Mock response when room cannot be joined."""
return {
"message": {
"errcode": "M_FORBIDDEN",
"error": "You do not belong to any of the required rooms/spaces to join this room.",
},
"status_code": status.HTTP_403_FORBIDDEN,
}
# INVITE USER
def mock_invite_successful():
"""Mock response when invite request was succesful. Does not check the user exists."""
return {"message": {}, "status_code": status.HTTP_200_OK}
def mock_invite_user_already_in_room(user):
"""Mock response when invitation forbidden for People user."""
return {
"message": {
"errcode": "M_FORBIDDEN",
"error": f"{user.email.replace('@', ':')} is already in the room.",
},
"status_code": status.HTTP_403_FORBIDDEN,
}
# KICK USER
def mock_kick_successful():
"""Mock response when succesfully joining room."""
return {"message": {}, "status_code": status.HTTP_200_OK}
def mock_kick_user_forbidden(user):
"""Mock response when kick request is forbidden (i.e. wrong permission or user is room admin."""
return {
"message": {
"errcode": "M_FORBIDDEN",
"error": f"You cannot kick user @{user.email.replace('@', ':')}.",
},
"status_code": status.HTTP_403_FORBIDDEN,
}
def mock_kick_user_not_in_room():
"""
Mock response when trying to kick a user who isn't in the room. Don't check the user exists.
"""
return {
"message": {
"errcode": "M_FORBIDDEN",
"error": "The target user is not in the room",
},
"status_code": status.HTTP_403_FORBIDDEN,
}
@@ -0,0 +1 @@
"""Tests for the resource server SCIM API endpoints."""
@@ -0,0 +1,186 @@
"""
Tests for the SCIM Me API endpoint in People's core app
"""
import pytest
from rest_framework.status import (
HTTP_200_OK,
HTTP_401_UNAUTHORIZED,
HTTP_405_METHOD_NOT_ALLOWED,
)
from core import factories
from core.models import RoleChoices
pytestmark = pytest.mark.django_db
def test_api_me_anonymous(client):
"""Anonymous users should not be allowed to access the Me endpoint."""
response = client.get("/resource-server/v1.0/scim/Me/")
assert response.status_code == HTTP_401_UNAUTHORIZED
assert response.headers["Content-Type"] == "application/json+scim"
# Check the full response with the expected structure
assert response.json() == {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
"status": "401",
"detail": "",
}
def test_api_me_authenticated(
client, force_login_via_resource_server, django_assert_num_queries
):
"""
Authenticated users should be able to access their own information
in SCIM format.
"""
user = factories.UserFactory(name="Test User", email="test@example.com")
service_provider = factories.ServiceProviderFactory()
# Authenticate using the resource server, ie via the Authorization header
with force_login_via_resource_server(client, user, service_provider.audience_id):
with django_assert_num_queries(2):
response = client.get(
"/resource-server/v1.0/scim/Me/",
format="json",
HTTP_AUTHORIZATION="Bearer b64untestedbearertoken",
)
assert response.status_code == HTTP_200_OK
assert response.headers["Content-Type"] == "application/json+scim"
# Check the full response with the expected structure
assert response.json() == {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": str(user.pk),
"active": True,
"userName": user.sub,
"displayName": user.name,
"emails": [
{
"value": user.email,
"primary": True,
"type": "work",
}
],
"groups": [],
"meta": {
"resourceType": "User",
"created": user.created_at.isoformat(),
"lastModified": user.updated_at.isoformat(),
"location": "http://testserver/resource-server/v1.0/scim/Me/",
},
}
def test_api_me_authenticated_with_team_access(
client, force_login_via_resource_server, django_assert_num_queries
):
"""
Authenticated users with TeamAccess should see their team information
in SCIM format, but only for teams visible to the service provider.
"""
user = factories.UserFactory(name="Test User", email="test@example.com")
service_provider = factories.ServiceProviderFactory()
# Create teams with different visibility settings
team_visible = factories.TeamFactory(name="Visible Team")
team_visible.service_providers.add(service_provider)
team_all_services = factories.TeamFactory(
name="All Services Team", is_visible_all_services=True
)
team_not_visible = factories.TeamFactory(name="Not Visible Team")
# This team is not associated with the service provider
# Add user to all teams
factories.TeamAccessFactory(user=user, team=team_visible, role=RoleChoices.MEMBER)
factories.TeamAccessFactory(
user=user, team=team_all_services, role=RoleChoices.ADMIN
)
factories.TeamAccessFactory(
user=user, team=team_not_visible, role=RoleChoices.OWNER
)
# Authenticate using the resource server, ie via the Authorization header
with force_login_via_resource_server(client, user, service_provider.audience_id):
with django_assert_num_queries(
2
): # User + TeamAccess (with select_related teams)
response = client.get(
"/resource-server/v1.0/scim/Me/",
format="json",
HTTP_AUTHORIZATION="Bearer b64untestedbearertoken",
)
assert response.status_code == HTTP_200_OK
assert response.headers["Content-Type"] == "application/json+scim"
# Check the full response with the expected structure
assert response.json() == {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": str(user.pk),
"active": True,
"userName": user.sub,
"displayName": user.name,
"emails": [
{
"value": user.email,
"primary": True,
"type": "work",
}
],
"groups": [
{
"value": str(team_visible.external_id),
"display": team_visible.name,
"type": "direct",
},
{
"value": str(team_all_services.external_id),
"display": team_all_services.name,
"type": "direct",
},
],
"meta": {
"resourceType": "User",
"created": user.created_at.isoformat(),
"lastModified": user.updated_at.isoformat(),
"location": "http://testserver/resource-server/v1.0/scim/Me/",
},
}
@pytest.mark.parametrize(
"http_method",
["post", "put", "patch", "delete"],
ids=["POST", "PUT", "PATCH", "DELETE"],
)
def test_api_me_method_not_allowed(
client, force_login_via_resource_server, http_method
):
"""Test that methods other than GET are not allowed for the Me endpoint."""
user = factories.UserFactory()
service_provider = factories.ServiceProviderFactory()
# Authenticate using the resource server, ie via the Authorization header
with force_login_via_resource_server(client, user, service_provider.audience_id):
client_method = getattr(client, http_method)
response = client_method(
"/resource-server/v1.0/scim/Me/",
format="json",
HTTP_AUTHORIZATION="Bearer b64untestedbearertoken",
)
assert response.status_code == HTTP_405_METHOD_NOT_ALLOWED
assert response.headers["Content-Type"] == "application/json+scim"
# Check the full response with the expected structure
assert response.json() == {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
"status": str(HTTP_405_METHOD_NOT_ALLOWED),
"detail": "",
}
@@ -3,14 +3,17 @@ Test for team accesses API endpoints in People's core app : create
"""
import json
import logging
import random
import re
import pytest
import responses
from rest_framework import status
from rest_framework.test import APIClient
from core import factories, models
from core import enums, factories, models
from core.tests.fixtures import matrix
pytestmark = pytest.mark.django_db
@@ -171,14 +174,17 @@ def test_api_team_accesses_create_authenticated_owner():
}
def test_api_team_accesses_create_webhook():
def test_api_team_accesses_create__with_scim_webhook():
"""
When the team has a webhook, creating a team access should fire a call.
If a team has a SCIM webhook, creating a team access should fire a call
with the expected payload.
"""
user, other_user = factories.UserFactory.create_batch(2)
team = factories.TeamFactory(users=[(user, "owner")])
webhook = factories.TeamWebhookFactory(team=team)
webhook = factories.TeamWebhookFactory(
team=team, protocol=enums.WebhookProtocolChoices.SCIM
)
role = random.choice([role[0] for role in models.RoleChoices.choices])
@@ -226,3 +232,139 @@ def test_api_team_accesses_create_webhook():
}
],
}
assert models.TeamAccess.objects.filter(user=other_user, team=team).exists()
def test_api_team_accesses_create__multiple_webhooks_success(caplog):
"""
When the team has multiple webhooks, creating a team access should fire all the expected calls.
If all responses are positive, proceeds to add the user to the team.
"""
caplog.set_level(logging.INFO)
user, other_user = factories.UserFactory.create_batch(2)
team = factories.TeamFactory(users=[(user, "owner")])
webhook_scim = factories.TeamWebhookFactory(
team=team, protocol=enums.WebhookProtocolChoices.SCIM, secret="wesh"
)
webhook_matrix = factories.TeamWebhookFactory(
team=team,
url="https://www.webhookserver.fr/#/room/room_id:home_server/",
protocol=enums.WebhookProtocolChoices.MATRIX,
secret="yo",
)
role = random.choice([role[0] for role in models.RoleChoices.choices])
client = APIClient()
client.force_login(user)
with responses.RequestsMock() as rsps:
# Ensure successful response by scim provider using "responses":
rsps.add(
rsps.PATCH,
re.compile(r".*/Groups/.*"),
body="{}",
status=200,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful),
status=status.HTTP_200_OK,
content_type="application/json",
)
rsps.add(
rsps.POST,
re.compile(r".*/invite"),
body=str(matrix.mock_invite_successful()["message"]),
status=matrix.mock_invite_successful()["status_code"],
content_type="application/json",
)
response = client.post(
f"/api/v1.0/teams/{team.id!s}/accesses/",
{
"user": str(other_user.id),
"role": role,
},
format="json",
)
assert response.status_code == 201
# Logger
log_messages = [msg.message for msg in caplog.records]
for webhook in [webhook_scim, webhook_matrix]:
assert (
f"add_user_to_group synchronization succeeded with {webhook.url}"
in log_messages
)
# Status
for webhook in [webhook_scim, webhook_matrix]:
webhook.refresh_from_db()
assert webhook.status == "success"
assert models.TeamAccess.objects.filter(user=other_user, team=team).exists()
@responses.activate
def test_api_team_accesses_create__multiple_webhooks_failure(caplog):
"""When a webhook fails, user should still be added to the team."""
caplog.set_level(logging.INFO)
user, other_user = factories.UserFactory.create_batch(2)
team = factories.TeamFactory(users=[(user, "owner")])
webhook_scim = factories.TeamWebhookFactory(
team=team, protocol=enums.WebhookProtocolChoices.SCIM, secret="wesh"
)
webhook_matrix = factories.TeamWebhookFactory(
team=team,
url="https://www.webhookserver.fr/#/room/room_id:home_server/",
protocol=enums.WebhookProtocolChoices.MATRIX,
secret="secret",
)
role = random.choice([role[0] for role in models.RoleChoices.choices])
client = APIClient()
client.force_login(user)
responses.patch(
re.compile(r".*/Groups/.*"),
body="{}",
status=200,
)
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_forbidden()["message"]),
status=str(matrix.mock_join_room_forbidden()["status_code"]),
)
response = client.post(
f"/api/v1.0/teams/{team.id!s}/accesses/",
{
"user": str(other_user.id),
"role": role,
},
format="json",
)
assert response.status_code == status.HTTP_201_CREATED
# Logger
log_messages = [msg.message for msg in caplog.records]
assert (
f"add_user_to_group synchronization succeeded with {webhook_scim.url}"
in log_messages
)
assert (
f"add_user_to_group synchronization failed with {webhook_matrix.url}"
in log_messages
)
# Status
webhook_scim.status = "success"
webhook_matrix.status = "failure"
assert models.TeamAccess.objects.filter(user=other_user, team=team).exists()
@@ -19,6 +19,7 @@ def test_api_config_anonymous():
response = client.get("/api/v1.0/config/")
assert response.status_code == HTTP_200_OK
assert response.json() == {
"CRISP_WEBSITE_ID": None,
"LANGUAGES": [["en-us", "English"], ["fr-fr", "French"]],
"COMMIT": "NA",
"FEATURES": {
@@ -42,6 +43,7 @@ def test_api_config_authenticated():
response = client.get("/api/v1.0/config/")
assert response.status_code == HTTP_200_OK
assert response.json() == {
"CRISP_WEBSITE_ID": None,
"LANGUAGES": [["en-us", "English"], ["fr-fr", "French"]],
"COMMIT": "NA",
"FEATURES": {
@@ -0,0 +1,277 @@
"""Test Team synchronization webhooks : focus on matrix client."""
import json
import logging
import re
from django.test import override_settings
import pytest
import responses
from rest_framework import status
from core import factories
from core.enums import WebhookProtocolChoices
from core.tests.fixtures import matrix
from core.utils.webhooks import webhooks_synchronizer
pytestmark = pytest.mark.django_db
## INVITE
@responses.activate
def test_matrix_webhook__invite_user_to_room_forbidden(caplog):
"""Cannot invite when Matrix returns forbidden. This might mean the user is an admin."""
caplog.set_level(logging.INFO)
user = factories.UserFactory()
webhook = factories.TeamWebhookFactory(
protocol=WebhookProtocolChoices.MATRIX,
url="https://www.matrix.org/#/room/room_id:home_server",
secret="secret-access-token",
)
# Mock successful responses
error = matrix.mock_kick_user_forbidden(user)
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful),
status=status.HTTP_200_OK,
)
responses.post(
re.compile(r".*/invite"),
body=str(error["message"]),
status=error["status_code"],
)
webhooks_synchronizer.add_user_to_group(team=webhook.team, user=user)
@responses.activate
def test_matrix_webhook__invite_user_to_room_already_in_room(caplog):
"""If user is already in room, webhooks should be set to success."""
caplog.set_level(logging.INFO)
user = factories.UserFactory()
webhook = factories.TeamWebhookFactory(
protocol=WebhookProtocolChoices.MATRIX,
url="https://www.matrix.org/#/room/room_id:home_server",
secret="secret-access-token",
)
# Mock successful responses
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful("room_id")["message"]),
status=matrix.mock_join_room_successful("room_id")["status_code"],
)
responses.post(
re.compile(r".*/invite"),
body=str(matrix.mock_invite_user_already_in_room(user)["message"]),
status=matrix.mock_invite_user_already_in_room(user)["status_code"],
)
webhooks_synchronizer.add_user_to_group(team=webhook.team, user=user)
# Logger
log_messages = [msg.message for msg in caplog.records]
expected_messages = (
f"add_user_to_group synchronization succeeded with {webhook.url}"
)
assert expected_messages in log_messages
# Status
webhook.refresh_from_db()
assert webhook.status == "success"
@responses.activate
def test_matrix_webhook__invite_user_to_room_success(caplog):
"""The user passed to the function should get invited."""
caplog.set_level(logging.INFO)
user = factories.UserFactory()
webhook = factories.TeamWebhookFactory(
protocol=WebhookProtocolChoices.MATRIX,
url="https://www.matrix.org/#/room/room_id:home_server",
secret="secret-access-token",
)
# Mock successful responses
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful("room_id")["message"]),
status=matrix.mock_join_room_successful("room_id")["status_code"],
)
responses.post(
re.compile(r".*/invite"),
body=str(matrix.mock_invite_successful()["message"]),
status=matrix.mock_invite_successful()["status_code"],
)
webhooks_synchronizer.add_user_to_group(team=webhook.team, user=user)
# Check headers
headers = responses.calls[0].request.headers
assert webhook.secret in headers["Authorization"]
# Check payloads sent to Matrix API
assert json.loads(responses.calls[1].request.body) == {
"user_id": f"@{user.email.replace('@', ':')}",
"reason": f"User added to team {webhook.team} on People",
}
# Logger
log_messages = [msg.message for msg in caplog.records]
expected_messages = (
f"add_user_to_group synchronization succeeded with {webhook.url}"
)
assert expected_messages in log_messages
# Status
webhook.refresh_from_db()
assert webhook.status == "success"
@responses.activate
@override_settings(TCHAP_ACCESS_TOKEN="TCHAP_TOKEN")
def test_matrix_webhook__override_secret_for_tchap():
"""The user passed to the function should get invited."""
user = factories.UserFactory()
webhook = factories.TeamWebhookFactory(
protocol=WebhookProtocolChoices.MATRIX,
url="https://www.tchap.gouv.fr/#/room/room_id:home_server",
secret=None,
)
# Mock successful responses
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful("room_id")["message"]),
status=matrix.mock_join_room_successful("room_id")["status_code"],
)
responses.post(
re.compile(r".*/invite"),
body=str(matrix.mock_invite_successful()["message"]),
status=matrix.mock_invite_successful()["status_code"],
)
webhooks_synchronizer.add_user_to_group(team=webhook.team, user=user)
# Check headers
headers = responses.calls[0].request.headers
assert "TCHAP_TOKEN" in headers["Authorization"]
## KICK
@responses.activate
def test_matrix_webhook__kick_user_from_room_not_in_room(caplog):
"""Webhook should report a success when user was already not in room."""
caplog.set_level(logging.INFO)
user = factories.UserFactory()
webhook = factories.TeamWebhookFactory(
protocol=WebhookProtocolChoices.MATRIX,
url="https://www.matrix.org/#/room/room_id:home_server",
secret="secret-access-token",
)
# Mock successful responses
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful),
status=status.HTTP_200_OK,
)
responses.post(
re.compile(r".*/kick"),
body=str(matrix.mock_kick_user_not_in_room()["message"]),
status=matrix.mock_kick_user_not_in_room()["status_code"],
)
webhooks_synchronizer.remove_user_from_group(team=webhook.team, user=user)
# Logger
log_messages = [msg.message for msg in caplog.records]
assert (
f"remove_user_from_group synchronization succeeded with {webhook.url}"
in log_messages
)
# Status
webhook.refresh_from_db()
assert webhook.status == "success"
@responses.activate
def test_matrix_webhook__kick_user_from_room_success(caplog):
"""The user passed to the function should get removed."""
caplog.set_level(logging.INFO)
user = factories.UserFactory()
webhook = factories.TeamWebhookFactory(
protocol=WebhookProtocolChoices.MATRIX,
url="https://www.matrix.org/#/room/room_id:home_server",
secret="secret-access-token",
)
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful),
status=status.HTTP_200_OK,
)
responses.post(
re.compile(r".*/kick"),
body=str(matrix.mock_kick_successful),
status=status.HTTP_200_OK,
)
webhooks_synchronizer.remove_user_from_group(team=webhook.team, user=user)
# Check payloads sent to Matrix API
assert json.loads(responses.calls[1].request.body) == {
"user_id": f"@{user.email.replace('@', ':')}",
"reason": f"User removed from team {webhook.team} on People",
}
# Logger
log_messages = [msg.message for msg in caplog.records]
expected_messages = (
f"remove_user_from_group synchronization succeeded with {webhook.url}"
)
assert expected_messages in log_messages
# Status
webhook.refresh_from_db()
assert webhook.status == "success"
@responses.activate
def test_matrix_webhook__kick_user_from_room_forbidden(caplog):
"""Cannot kick an admin."""
caplog.set_level(logging.INFO)
user = factories.UserFactory()
webhook = factories.TeamWebhookFactory(
protocol=WebhookProtocolChoices.MATRIX,
url="https://www.matrix.org/#/room/room_id:home_server",
secret="secret-access-token",
)
# Mock successful responses
error = matrix.mock_kick_user_forbidden(user)
responses.post(
re.compile(r".*/join"),
body=str(matrix.mock_join_room_successful),
status=status.HTTP_200_OK,
)
responses.post(
re.compile(r".*/kick"),
body=str(error["message"]),
status=error["status_code"],
)
webhooks_synchronizer.remove_user_from_group(team=webhook.team, user=user)
# Logger
log_messages = [msg.message for msg in caplog.records]
assert (
f"remove_user_from_group synchronization failed with {webhook.url}"
in log_messages
)
# Status
webhook.refresh_from_db()
assert webhook.status == "failure"
@@ -1,4 +1,4 @@
"""Test Team synchronization webhooks."""
"""Test Team synchronization webhooks : focus on scim client"""
import json
import random
@@ -10,7 +10,7 @@ import pytest
import responses
from core import factories
from core.utils.webhooks import scim_synchronizer
from core.utils.webhooks import webhooks_synchronizer
pytestmark = pytest.mark.django_db
@@ -20,7 +20,7 @@ def test_utils_webhooks_add_user_to_group_no_webhooks():
access = factories.TeamAccessFactory()
with responses.RequestsMock():
scim_synchronizer.add_user_to_group(access.team, access.user)
webhooks_synchronizer.add_user_to_group(access.team, access.user)
assert len(responses.calls) == 0
@@ -42,7 +42,7 @@ def test_utils_webhooks_add_user_to_group_success(mock_info):
content_type="application/json",
)
scim_synchronizer.add_user_to_group(access.team, access.user)
webhooks_synchronizer.add_user_to_group(access.team, access.user)
for i, webhook in enumerate(webhooks):
assert rsps.calls[i].request.url == webhook.url
@@ -107,7 +107,7 @@ def test_utils_webhooks_remove_user_from_group_success(mock_info):
content_type="application/json",
)
scim_synchronizer.remove_user_from_group(access.team, access.user)
webhooks_synchronizer.remove_user_from_group(access.team, access.user)
for i, webhook in enumerate(webhooks):
assert rsps.calls[i].request.url == webhook.url
@@ -163,11 +163,11 @@ def test_utils_webhooks_add_user_to_group_failure(mock_error):
rsps.PATCH,
re.compile(r".*/Groups/.*"),
body="{}",
status=random.choice([404, 301, 302]),
status=404,
content_type="application/json",
)
scim_synchronizer.add_user_to_group(access.team, access.user)
webhooks_synchronizer.add_user_to_group(access.team, access.user)
for i, webhook in enumerate(webhooks):
assert rsps.calls[i].request.url == webhook.url
@@ -228,7 +228,7 @@ def test_utils_webhooks_add_user_to_group_retries(mock_info, mock_error):
rsps.add(rsps.PATCH, url, status=200, content_type="application/json"),
]
scim_synchronizer.add_user_to_group(access.team, access.user)
webhooks_synchronizer.add_user_to_group(access.team, access.user)
for i in range(4):
assert all_rsps[i].call_count == 1
@@ -285,7 +285,7 @@ def test_utils_synchronize_course_runs_max_retries_exceeded(mock_error):
content_type="application/json",
)
scim_synchronizer.add_user_to_group(access.team, access.user)
webhooks_synchronizer.add_user_to_group(access.team, access.user)
assert rsp.call_count == 5
assert rsps.calls[0].request.url == webhook.url
@@ -339,7 +339,7 @@ def test_utils_webhooks_add_user_to_group_authorization():
content_type="application/json",
)
scim_synchronizer.add_user_to_group(access.team, access.user)
webhooks_synchronizer.add_user_to_group(access.team, access.user)
assert rsps.calls[0].request.url == webhook.url
# Check headers
+136
View File
@@ -0,0 +1,136 @@
"""Matrix client for interoperability to synchronize with remote service providers."""
import logging
from django.conf import settings
import requests
from rest_framework.status import (
HTTP_200_OK,
)
from urllib3.util import Retry
logger = logging.getLogger(__name__)
adapter = requests.adapters.HTTPAdapter(
max_retries=Retry(
total=4,
backoff_factor=0.1,
status_forcelist=[500, 502],
allowed_methods=["POST"],
)
)
session = requests.Session()
session.mount("http://", adapter)
session.mount("https://", adapter)
class MatrixAPIClient:
"""A client to interact with Matrix API"""
secret = settings.TCHAP_ACCESS_TOKEN
def get_headers(self, webhook):
"""Build header dict from webhook object."""
headers = {"Content-Type": "application/json"}
if "tchap.gouv.fr" in webhook.url:
token = settings.TCHAP_ACCESS_TOKEN
elif webhook.secret:
token = webhook.secret
else:
raise ValueError("Please configure this webhook's secret access token.")
headers["Authorization"] = f"Bearer {token}"
return headers
def _get_room_url(self, webhook_url):
"""Returns room id from webhook url."""
room_id = webhook_url.split("/room/")[1]
base_url = room_id.split(":")[1]
if "tchap.gouv.fr" in webhook_url:
base_url = f"matrix.{base_url}"
return f"https://{base_url}/_matrix/client/v3/rooms/{room_id}"
def get_user_id(self, user):
"""Returns user id from email."""
if user.email is None:
raise ValueError("You must first set an email for the user.")
return f"@{user.email.replace('@', ':')}"
def join_room(self, webhook):
"""Accept invitation to the room. As of today, it is a mandatory step
to make sure our account will be able to invite/remove users."""
return session.post(
f"{self._get_room_url(webhook.url)}/join",
json={},
headers=self.get_headers(webhook),
verify=False,
timeout=3,
)
def add_user_to_group(self, webhook, user):
"""Send request to invite an user to a room or space upon adding them to group.."""
join_response = self.join_room(webhook)
if join_response.status_code != HTTP_200_OK:
logger.error(
"Synchronization failed (cannot join room) %s",
webhook.url,
)
return join_response, False
user_id = self.get_user_id(user)
response = session.post(
f"{self._get_room_url(webhook.url)}/invite",
json={
"user_id": user_id,
"reason": f"User added to team {webhook.team} on People",
},
headers=self.get_headers(webhook),
verify=False,
timeout=3,
)
# Checks for false negative
# (i.e. trying to invite user already in room)
webhook_succeeded = False
if (
response.status_code == HTTP_200_OK
or b"is already in the room." in response.content
):
webhook_succeeded = True
return response, webhook_succeeded
def remove_user_from_group(self, webhook, user):
"""Send request to kick an user from a room or space upon removing them from group."""
join_response = self.join_room(webhook)
if join_response.status_code != HTTP_200_OK:
logger.error(
"Synchronization failed (cannot join room) %s",
webhook.url,
)
return join_response, False
user_id = self.get_user_id(user)
response = session.post(
f"{self._get_room_url(webhook.url)}/kick",
json={
"user_id": user_id,
"reason": f"User removed from team {webhook.team} on People",
},
headers=self.get_headers(webhook),
verify=False,
timeout=3,
)
# Checks for false negative
# (i.e. trying to remove user who already left the room)
webhook_succeeded = False
if (
response.status_code == HTTP_200_OK
or b"The target user is not in the room" in response.content
):
webhook_succeeded = True
return response, webhook_succeeded
+6 -2
View File
@@ -39,7 +39,7 @@ class SCIMClient:
],
}
return session.patch(
response = session.patch(
webhook.url,
json=payload,
headers=webhook.get_headers(),
@@ -47,6 +47,8 @@ class SCIMClient:
timeout=3,
)
return response, response.ok
def remove_user_from_group(self, webhook, user):
"""Remove a user from a group by its ID or email."""
payload = {
@@ -61,10 +63,12 @@ class SCIMClient:
}
],
}
return session.patch(
response = session.patch(
webhook.url,
json=payload,
headers=webhook.get_headers(),
verify=False,
timeout=3,
)
return response, response.ok
+42 -24
View File
@@ -4,14 +4,16 @@ import logging
import requests
from core import enums
from core.enums import WebhookStatusChoices
from .matrix import MatrixAPIClient
from .scim import SCIMClient
logger = logging.getLogger(__name__)
class WebhookSCIMClient:
class WebhookClient:
"""Wraps the SCIM client to record call results on webhooks."""
def __getattr__(self, name):
@@ -26,31 +28,15 @@ class WebhookSCIMClient:
if not webhook.url:
continue
client = SCIMClient()
status = WebhookStatusChoices.FAILURE
try:
response = getattr(client, name)(webhook, user)
response, webhook_succeeded = self._get_response_and_status(
name, webhook, user
)
except requests.exceptions.RetryError as exc:
logger.error(
"%s synchronization failed due to max retries exceeded with url %s",
name,
webhook.url,
exc_info=exc,
)
except requests.exceptions.RequestException as exc:
logger.error(
"%s synchronization failed with %s.",
name,
webhook.url,
exc_info=exc,
)
else:
extra = {
"response": response.content,
}
if response is not None:
extra = {"response": response.content}
# pylint: disable=no-member
if response.status_code == requests.codes.ok:
if webhook_succeeded:
logger.info(
"%s synchronization succeeded with %s",
name,
@@ -71,5 +57,37 @@ class WebhookSCIMClient:
return wrapper
def _get_client(self, webhook):
"""Get client depending on the protocol."""
if webhook.protocol == enums.WebhookProtocolChoices.MATRIX:
return MatrixAPIClient()
scim_synchronizer = WebhookSCIMClient()
return SCIMClient()
def _get_response_and_status(self, name, webhook, user):
"""Get response from webhook outside party."""
client = self._get_client(webhook)
try:
response, webhook_succeeded = getattr(client, name)(webhook, user)
except requests.exceptions.RetryError as exc:
logger.error(
"%s synchronization failed due to max retries exceeded with url %s",
name,
webhook.url,
exc_info=exc,
)
except requests.exceptions.RequestException as exc:
logger.error(
"%s synchronization failed with %s.",
name,
webhook.url,
exc_info=exc,
)
else:
return response, webhook_succeeded
return None, False
webhooks_synchronizer = WebhookClient()
@@ -271,10 +271,11 @@ def create_demo(stdout): # pylint: disable=too-many-locals
queue.push(
models.TeamAccess(team_id=team_id, user_id=user_id, role=role[0])
)
queue.flush()
with Timeit(stdout, "Creating domains"):
for i in range(defaults.NB_OBJECTS["domains"]):
name = f"{fake.domain_name()}-i{i:d}"
name = fake.domain_name().replace(".", f"-i{i:d}.")
queue.push(
mailbox_models.MailDomain(
Binary file not shown.
@@ -2,8 +2,8 @@ msgid ""
msgstr ""
"Project-Id-Version: lasuite-people\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-05-16 09:31+0000\n"
"PO-Revision-Date: 2025-05-16 11:22\n"
"POT-Creation-Date: 2025-06-10 16:13+0000\n"
"PO-Revision-Date: 2025-06-11 09:29\n"
"Last-Translator: \n"
"Language-Team: English\n"
"Language: en_US\n"
@@ -562,11 +562,11 @@ msgstr ""
msgid "Your password has been updated"
msgstr ""
#: build/lib/people/settings.py:158 people/settings.py:158
#: build/lib/people/settings.py:159 people/settings.py:159
msgid "English"
msgstr ""
#: build/lib/people/settings.py:159 people/settings.py:159
#: build/lib/people/settings.py:160 people/settings.py:160
msgid "French"
msgstr ""
Binary file not shown.
@@ -2,8 +2,8 @@ msgid ""
msgstr ""
"Project-Id-Version: lasuite-people\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-05-16 09:31+0000\n"
"PO-Revision-Date: 2025-05-16 11:22\n"
"POT-Creation-Date: 2025-06-10 16:13+0000\n"
"PO-Revision-Date: 2025-06-11 09:29\n"
"Last-Translator: \n"
"Language-Team: French\n"
"Language: fr_FR\n"
@@ -562,11 +562,11 @@ msgstr "Informations sur votre nouvelle boîte mail"
msgid "Your password has been updated"
msgstr "Votre mot de passe a été mis à jour"
#: build/lib/people/settings.py:158 people/settings.py:158
#: build/lib/people/settings.py:159 people/settings.py:159
msgid "English"
msgstr "Anglais"
#: build/lib/people/settings.py:159 people/settings.py:159
#: build/lib/people/settings.py:160 people/settings.py:160
msgid "French"
msgstr "Français"
@@ -47,9 +47,9 @@ class Command(BaseCommand):
f"This command is not meant to run in {settings.CONFIGURATION} environment."
)
# Create a first superuser for dimail-api container. User creation is usually
# protected behind admin rights but dimail allows to create a first user
# when database is empty
# Create a first superuser for dimail-api container.
# User creation is usually protected behind admin rights
# but dimail allows to create a first user when database is empty
self.create_user(
auth=("", ""),
name=admin["username"],
@@ -57,8 +57,8 @@ class Command(BaseCommand):
perms=[],
)
# Create Regie user, auth for all remaining requests
# and your own dev
# Create Regie user,
# auth for all remaining requests and your own local setup
self.create_user(
auth=(admin["username"], admin["password"]),
name=regie["username"],
@@ -66,28 +66,22 @@ class Command(BaseCommand):
perms=["new_domain", "create_users", "manage_users"],
)
# we create a domain and add John Doe to it
domain_name = "test.domain.com"
domain = MailDomain.objects.get_or_create(
name=domain_name,
defaults={
"status": enums.MailDomainStatusChoices.ENABLED,
"support_email": f"support@{domain_name}",
},
)[0]
self.create_domain(domain_name)
# we create a dimail user for keycloak+regie user John Doe
# This way, la Régie will be able to make request in the name of
# this user
# Create a test domain for local development
try:
people_base_user = User.objects.get(email="people@people.world")
except User.DoesNotExist:
self.stdout.write("people@people.world user not found", ending="\n")
else:
domain_name = "test.domain.com"
domain = MailDomain.objects.get_or_create(
name=domain_name,
defaults={
"status": enums.MailDomainStatusChoices.ENABLED,
"support_email": f"support@{domain_name}",
},
)[0]
self.create_domain(domain_name)
# create accesses for john doe
self.create_user(name=people_base_user.sub)
self.create_allow(people_base_user.sub, domain_name)
MailDomainAccess.objects.get_or_create(
user=people_base_user,
domain=domain,
@@ -97,7 +91,7 @@ class Command(BaseCommand):
if options["populate_from_people"]:
self._populate_dimail_from_people()
self.stdout.write("DONE", ending="\n")
self.stdout.write("DONE 🎉", ending="\n")
def create_user(
self,
@@ -148,41 +142,12 @@ class Command(BaseCommand):
)
)
def create_allow(self, user, domain):
"""
Send a request to create a new allows between user and domain using DimailAPIClient.
"""
response = self.client.create_allow(user, domain)
if response.status_code == status.HTTP_201_CREATED:
self.stdout.write(
self.style.SUCCESS(
f"Creating permissions for {user} on {domain} ........ OK"
)
)
else:
self.stdout.write(
self.style.ERROR(
f"Creating permissions for {user} on {domain}\
........ failed: {response.json()['detail']}"
)
)
def _populate_dimail_from_people(self):
self.stdout.write("Creating accounts from people database", ending="\n")
user_to_create = set()
domain_to_create = set()
access_to_create = set()
for mail_access in MailDomainAccess.objects.select_related(
"domain", "user"
).all():
user_to_create.add(mail_access.user)
domain_to_create.add(mail_access.domain)
access_to_create.add(mail_access)
"""Populate dimail so that it reflects people's domains."""
self.stdout.write("Creating domain from people database", ending="\n")
# create missing domains
for domain in domain_to_create:
for domain in MailDomain.objects.all():
# enforce domain status
if domain.status != enums.MailDomainStatusChoices.ENABLED:
self.stdout.write(
@@ -191,15 +156,3 @@ class Command(BaseCommand):
domain.status = enums.MailDomainStatusChoices.ENABLED
domain.save()
self.create_domain(domain.name)
# create missing users
for user in user_to_create:
self.create_user(
auth=(admin["username"], admin["password"]),
name=user.sub,
perms=[], # no permission needed for "classic" users
)
# create missing accesses
for access in access_to_create:
self.create_allow(access.user.sub, access.domain.name)
+5 -2
View File
@@ -23,7 +23,6 @@ def convert_domain_invitations(sender, created, instance, **kwargs): # pylint:
Convert valid domain invitations to domain accesses for a given user.
Expired invitations are ignored.
"""
logger.info("Convert domain invitations for user %s", instance)
if created:
valid_domain_invitations = MailDomainInvitation.objects.filter(
email=instance.email,
@@ -36,6 +35,11 @@ def convert_domain_invitations(sender, created, instance, **kwargs): # pylint:
if not valid_domain_invitations.exists():
return
logger.info(
"Converting %s domain invitations for new user %s",
len(valid_domain_invitations),
instance,
)
MailDomainAccess.objects.bulk_create(
[
MailDomainAccess(
@@ -46,4 +50,3 @@ def convert_domain_invitations(sender, created, instance, **kwargs): # pylint:
)
valid_domain_invitations.delete()
logger.info("Invitations converted to domain accesses for user %s", instance)
@@ -141,3 +141,26 @@ def test_api_domain_invitations__should_not_create_duplicate_invitations():
assert response.json()["__all__"] == [
"Mail domain invitation with this Email address and Domain already exists."
]
def test_api_domain_invitations__should_not_invite_when_user_already_exists():
"""Already existing users should not be invited but given access directly."""
existing_user = core_factories.UserFactory()
# Grant privileged role on the domain to the user
access = factories.MailDomainAccessFactory(role=enums.MailDomainRoleChoices.OWNER)
client = APIClient()
client.force_login(access.user)
invitation_values = serializers.MailDomainInvitationSerializer(
factories.MailDomainInvitationFactory.build(email=existing_user.email)
).data
response = client.post(
f"/api/v1.0/mail-domains/{access.domain.slug}/invitations/",
invitation_values,
format="json",
)
assert response.status_code == status.HTTP_400_BAD_REQUEST
assert response.json()["email"] == [
"This email is already associated to a registered user."
]
@@ -6,8 +6,6 @@ from django.core.management import call_command
import pytest
import responses
from core import factories
from mailbox_manager import factories as mailbox_factories
from mailbox_manager.management.commands.setup_dimail_db import DIMAIL_URL, admin
@@ -22,23 +20,12 @@ def test_commands_setup_dimail_db(settings):
"""The create_demo management command should create objects as expected."""
settings.DEBUG = True # required to run the command
john_doe = factories.UserFactory(
name="John Doe", email="people@people.world", sub="sub.john.doe"
)
# mock dimail API
responses.add(responses.POST, f"{DIMAIL_URL}/users/", status=201)
responses.add(responses.POST, f"{DIMAIL_URL}/domains/", status=201)
responses.add(responses.POST, f"{DIMAIL_URL}/allows/", status=201)
responses.add(
responses.GET,
responses.post(f"{DIMAIL_URL}/users/", status=201)
responses.post(f"{DIMAIL_URL}/domains/", status=201)
responses.get(
f"{DIMAIL_URL}/users/",
json=[
{
"is_admin": False,
"name": john_doe.sub,
"perms": [],
},
{
"is_admin": True,
"name": "admin",
@@ -59,7 +46,7 @@ def test_commands_setup_dimail_db(settings):
call_command("setup_dimail_db")
# check dimail API received the expected requests
assert len(responses.calls) == 5
assert len(responses.calls) == 2
assert responses.calls[0].request.url == f"{DIMAIL_URL}/users/"
assert (
responses.calls[0].request.body
@@ -72,25 +59,6 @@ def test_commands_setup_dimail_db(settings):
b'"perms": ["new_domain", "create_users", "manage_users"]}'
)
assert responses.calls[2].request.url == f"{DIMAIL_URL}/domains/"
assert responses.calls[2].request.body == (
b'{"name": "test.domain.com", "context_name": "test.domain.com", '
b'"features": ["webmail", "mailbox", "alias"], '
b'"delivery": "virtual"}'
)
assert responses.calls[3].request.url == f"{DIMAIL_URL}/users/"
assert (
responses.calls[3].request.body
== b'{"name": "sub.john.doe", "password": "no", "is_admin": false, "perms": []}'
)
assert responses.calls[4].request.url == f"{DIMAIL_URL}/allows/"
assert (
responses.calls[4].request.body
== b'{"user": "sub.john.doe", "domain": "test.domain.com"}'
)
# reset the responses counter
responses.calls.reset() # pylint: disable=no-member
@@ -102,29 +70,14 @@ def test_commands_setup_dimail_db(settings):
call_command("setup_dimail_db", "--populate-from-people")
# check dimail API received the expected requests
assert (
len(responses.calls) == 5 + 3 + 3
) # calls for some.domain.com and test.domain.com
assert len(responses.calls) == 3 # calls for some.domain.com and test.domain.com
dimail_calls = []
for call in responses.calls[5:]:
for call in responses.calls[3:]:
dimail_calls.append((call.request.url, call.request.body))
assert (
f"{DIMAIL_URL}/domains/",
(
b'{"name": "some.domain.com", "context_name": "some.domain.com", '
b'"features": ["webmail", "mailbox", "alias"], '
b'"delivery": "virtual"}'
),
) in dimail_calls
assert (
f"{DIMAIL_URL}/users/",
(b'{"name": "sub.toto.123", "password": "no", "is_admin": false, "perms": []}'),
) in dimail_calls
assert (
f"{DIMAIL_URL}/allows/",
b'{"user": "sub.toto.123", "domain": "some.domain.com"}',
) in dimail_calls
assert responses.calls[2].request.body == (
b'{"name": "some.domain.com", "context_name": "some.domain.com", '
b'"features": ["webmail", "mailbox", "alias"], '
b'"delivery": "virtual"}'
)
@@ -38,11 +38,15 @@ def test_models_domain_invitations__is_expired():
assert expired_invitation.is_expired is True
def test_models_domain_invitation__should_convert_invitations_to_accesses_upon_joining():
def test_models_domain_invitation__should_convert_invitations_to_accesses_upon_joining(
caplog,
):
"""
Upon creating a new user, domain invitations linked to that email
should be converted to accesses and then deleted.
"""
caplog.set_level("INFO")
# Two invitations to the same mail but to different domains
email = "future_admin@example.com"
invitation_to_domain1 = factories.MailDomainInvitationFactory(
@@ -81,3 +85,8 @@ def test_models_domain_invitation__should_convert_invitations_to_accesses_upon_j
assert models.MailDomainInvitation.objects.filter(
domain=invitation_to_domain2.domain, email=other_invitation.email
).exists() # the other invitation remains
log_messages = [msg.message for msg in caplog.records]
assert (
f"Converting 2 domain invitations for new user {str(new_user)}" in log_messages
)
+9 -3
View File
@@ -3,18 +3,23 @@
from django.urls import include, path
from lasuite.oidc_resource_server.urls import urlpatterns as resource_server_urls
from rest_framework.routers import DefaultRouter
from rest_framework.routers import SimpleRouter
from core.api.resource_server import viewsets
from core.api.resource_server.scim import viewsets as scim_viewsets
# - Main endpoints
# Contacts will be added later
# Users will be added later
router = DefaultRouter()
router = SimpleRouter()
router.register("teams", viewsets.TeamViewSet, basename="teams")
# - SCIM endpoints
scim_router = SimpleRouter()
scim_router.register("Me", scim_viewsets.MeViewSet, basename="scim-me")
# - Routes nested under a team
team_related_router = DefaultRouter()
team_related_router = SimpleRouter()
team_related_router.register(
"invitations",
viewsets.InvitationViewset,
@@ -33,6 +38,7 @@ urlpatterns = [
*router.urls,
*resource_server_urls,
path("teams/<uuid:team_id>/", include(team_related_router.urls)),
path("scim/", include(scim_router.urls)),
]
),
),
+17 -1
View File
@@ -14,6 +14,7 @@ https://docs.djangoproject.com/en/3.1/ref/settings/
import json
import os
from socket import gethostbyname, gethostname
from django.utils.translation import gettext_lazy as _
@@ -547,6 +548,13 @@ class Base(Configuration):
environ_prefix=None,
)
# SUPPORT
CRISP_WEBSITE_ID = values.Value(
default=None,
environ_name="CRISP_WEBSITE_ID",
environ_prefix=None,
)
# MAILBOX-PROVISIONING API
WEBMAIL_URL = values.Value(
default=None,
@@ -593,6 +601,11 @@ class Base(Configuration):
environ_name="DNS_PROVISIONING_API_CREDENTIALS",
environ_prefix=None,
)
TCHAP_ACCESS_TOKEN = values.Value(
default=None,
environ_name="TCHAP_ACCESS_TOKEN",
environ_prefix=None,
)
# Organizations
ORGANIZATION_REGISTRATION_ID_VALIDATORS = json.loads(
@@ -935,7 +948,10 @@ class Production(Base):
"""
# Security
ALLOWED_HOSTS = values.ListValue(None)
ALLOWED_HOSTS = [
*values.ListValue([], environ_name="ALLOWED_HOSTS"),
gethostbyname(gethostname()),
]
CSRF_TRUSTED_ORIGINS = values.ListValue([])
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
+17 -17
View File
@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
[project]
name = "people"
version = "1.16.0"
version = "1.17.0"
authors = [{ "name" = "DINUM", "email" = "dev@mail.numerique.gouv.fr" }]
classifiers = [
"Development Status :: 5 - Production/Stable",
@@ -27,14 +27,15 @@ requires-python = ">=3.11"
dependencies = [
"Brotli==1.1.0",
"PyJWT==2.10.1",
"boto3==1.38.17",
"celery[redis]==5.5.2",
"boto3==1.38.33",
"celery[redis]==5.5.3",
"django-celery-beat==2.8.1",
"django-celery-results==2.6.0",
"django-configurations==2.5.1",
"django-cors-headers==4.7.0",
"django-countries==7.6.1",
"django-lasuite==0.0.8",
"django-extensions==4.1",
"django-lasuite==0.0.9",
"django-oauth-toolkit==3.0.1",
"django-parler==2.3",
"django-redis==5.4.0",
@@ -42,7 +43,7 @@ dependencies = [
"django-timezone-field>=5.1",
"django-treebeard==4.7.1",
"django-zxcvbn-password-validator==1.4.5",
"django==5.2.1",
"django==5.2.3",
"djangorestframework==3.16.0",
"dockerflow==2024.4.2",
"drf_spectacular==0.28.0",
@@ -51,14 +52,14 @@ dependencies = [
"factory_boy==3.3.3",
"flower==2.0.1",
"gunicorn==23.0.0",
"joserfc==1.0.4",
"jsonschema==4.23.0",
"joserfc==1.1.0",
"jsonschema==4.24.0",
"mozilla-django-oidc==4.0.1",
"nested-multipart-parser==1.5.0",
"psycopg[binary]==3.2.9",
"redis==5.2.1",
"requests==2.32.3",
"sentry-sdk[django]==2.28.0",
"requests==2.32.4",
"sentry-sdk[django]==2.29.1",
"whitenoise==6.9.0",
]
@@ -70,23 +71,22 @@ dependencies = [
[project.optional-dependencies]
dev = [
"django-extensions==4.1",
"drf-spectacular-sidecar==2025.5.1",
"drf-spectacular-sidecar==2025.6.1",
"ipdb==0.13.13",
"ipython==9.2.0",
"ipython==9.3.0",
"jq==1.8.0",
"pyfakefs==5.8.0",
"pylint-django==2.6.1",
"pylint==3.3.7",
"pytest-cov==6.1.1",
"pytest-django==4.11.1",
"pytest==8.3.5",
"pytest==8.4.0",
"pytest-icdiff==0.9",
"pytest-xdist==3.6.1",
"pytest-xdist==3.7.0",
"responses==0.25.7",
"ruff==0.11.10",
"types-requests==2.32.0.20250515",
"freezegun==1.5.1",
"ruff==0.11.13",
"types-requests==2.32.0.20250602",
"freezegun==1.5.2",
]
[tool.setuptools]
+63
View File
@@ -0,0 +1,63 @@
FROM node:22-alpine AS frontend-deps
# Upgrade system packages to install security updates
RUN apk update && \
apk upgrade && \
rm -rf /var/cache/apk/*
WORKDIR /home/frontend/
COPY ./src/frontend/package.json ./package.json
COPY ./src/frontend/yarn.lock ./yarn.lock
COPY ./src/frontend/apps/desk/package.json ./apps/desk/package.json
COPY ./src/frontend/packages/i18n/package.json ./packages/i18n/package.json
COPY ./src/frontend/packages/eslint-config-people/package.json ./packages/eslint-config-people/package.json
RUN yarn install --frozen-lockfile
COPY .dockerignore ./.dockerignore
COPY ./src/frontend/.prettierrc.js ./.prettierrc.js
COPY ./src/frontend/packages/eslint-config-people ./packages/eslint-config-people
COPY ./src/frontend/apps/desk ./apps/desk
### ---- Front-end builder image ----
FROM frontend-deps AS frontend-base
WORKDIR /home/frontend/apps/desk
### ---- Front-end builder dev image ----
FROM frontend-deps AS frontend-dev
WORKDIR /home/frontend/apps/desk
EXPOSE 3000
CMD [ "yarn", "dev"]
FROM frontend-base AS frontend-builder
WORKDIR /home/frontend/apps/desk
ARG API_ORIGIN
ENV NEXT_PUBLIC_API_ORIGIN=${API_ORIGIN}
RUN yarn build
# ---- Front-end image ----
FROM nginxinc/nginx-unprivileged:alpine3.21 AS frontend-production
# Un-privileged user running the application
ARG DOCKER_USER
USER ${DOCKER_USER}
COPY --from=frontend-builder \
/home/frontend/apps/desk/out \
/usr/share/nginx/html
COPY ./src/frontend/apps/desk/conf/default.conf /etc/nginx/conf.d
COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
CMD ["nginx", "-g", "daemon off;"]
+1
View File
@@ -1,4 +1,5 @@
server {
listen 3000;
listen 8080;
server_name localhost;
server_tokens off;
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "app-desk",
"version": "1.16.0",
"version": "1.17.0",
"private": true,
"scripts": {
"dev": "next dev",
@@ -37,6 +37,7 @@ describe('Page', () => {
useConfigStore.setState({
config: {
CRISP_WEBSITE_ID: 'wesh',
RELEASE: '1.0.0',
COMMIT: 'NA',
FEATURES: { TEAMS_DISPLAY: true },
@@ -66,6 +67,7 @@ describe('Page', () => {
useConfigStore.setState({
config: {
CRISP_WEBSITE_ID: 'wesh',
RELEASE: '1.0.0',
COMMIT: 'NA',
FEATURES: { TEAMS_DISPLAY: false },
@@ -95,6 +97,7 @@ describe('Page', () => {
useConfigStore.setState({
config: {
CRISP_WEBSITE_ID: 'wesh',
RELEASE: '1.0.0',
COMMIT: 'NA',
FEATURES: { TEAMS_DISPLAY: false },
@@ -124,6 +127,7 @@ describe('Page', () => {
useConfigStore.setState({
config: {
CRISP_WEBSITE_ID: 'wesh',
RELEASE: '1.0.0',
COMMIT: 'NA',
FEATURES: { TEAMS_DISPLAY: true },
@@ -1,4 +1,5 @@
export interface Config {
CRISP_WEBSITE_ID: string;
LANGUAGES: [string, string][];
RELEASE: string;
COMMIT: string;
@@ -243,6 +243,10 @@ input:-webkit-autofill:focus {
border-bottom: 1px var(--c--theme--colors--greyscale-100) solid;
}
.c__datagrid__table__container > table tbody tr:hover {
background-color: var(--c--theme--colors--greyscale-050);
}
.c__datagrid__table__container > table tbody {
background-color: var(--c--components--datagrid--body--background-color);
color: var(--c--theme--colors--greyscale-900);
@@ -259,7 +263,7 @@ input:-webkit-autofill:focus {
.c__datagrid__table__container > table th:first-child,
.c__datagrid__table__container > table td:first-child {
padding-left: 0;
padding-left: 15px;
}
.c__datagrid__table__container > table tr:last-child {
@@ -1,5 +1,5 @@
import { Button, DataGrid } from '@openfun/cunningham-react';
import { useMemo } from 'react';
import { useEffect, useMemo, useRef } from 'react';
import { useTranslation } from 'react-i18next';
import { Box, StyledLink, Tag, Text } from '@/components';
@@ -17,7 +17,8 @@ export function MailDomainsListView({ querySearch }: MailDomainsListViewProps) {
const { t } = useTranslation();
const { ordering } = useMailDomainsStore();
const { data, isLoading } = useMailDomains({ ordering });
const { data, isLoading, fetchNextPage, hasNextPage, isFetchingNextPage } =
useMailDomains({ ordering });
const mailDomains = useMemo(() => {
return data?.pages.reduce((acc, page) => {
return acc.concat(page.results);
@@ -38,6 +39,31 @@ export function MailDomainsListView({ querySearch }: MailDomainsListViewProps) {
);
}, [querySearch, mailDomains]);
const loadMoreRef = useRef<HTMLDivElement | null>(null);
useEffect(() => {
if (!hasNextPage) {
return;
}
const ref = loadMoreRef.current;
const observer = new IntersectionObserver(
(entries) => {
if (entries[0].isIntersecting && hasNextPage && !isFetchingNextPage) {
void fetchNextPage();
}
},
{ threshold: 1 },
);
if (ref) {
observer.observe(ref);
}
return () => {
if (ref) {
observer.unobserve(ref);
}
};
}, [hasNextPage, isFetchingNextPage, fetchNextPage]);
return (
<div role="listbox">
{filteredMailDomains && filteredMailDomains.length ? (
@@ -47,17 +73,17 @@ export function MailDomainsListView({ querySearch }: MailDomainsListViewProps) {
columns={[
{
field: 'name',
headerName: 'Domaine',
headerName: `${t('Domain')} (${filteredMailDomains.length})`,
enableSorting: true,
},
{
field: 'count_mailboxes',
headerName: "Nombre d'adresses",
headerName: `${t('Number of mailboxes')}`,
enableSorting: true,
},
{
id: 'status',
headerName: 'Statut',
headerName: `${t('Status')}`,
enableSorting: true,
renderCell({ row }) {
return (
@@ -96,6 +122,8 @@ export function MailDomainsListView({ querySearch }: MailDomainsListViewProps) {
isLoading={isLoading}
/>
) : null}
<div ref={loadMoreRef} style={{ height: 32 }} />
{isFetchingNextPage && <div>{t('Loading more...')}</div>}
{!filteredMailDomains ||
(!filteredMailDomains.length && (
<Text $align="center" $size="small">
@@ -0,0 +1,45 @@
import { useInfiniteQuery } from '@tanstack/react-query';
import { APIError, APIList } from '@/api';
import { MailDomainMailbox } from '../types';
import {
KEY_LIST_MAILBOX,
MailDomainMailboxesParams,
getMailDomainMailboxes,
} from './useMailboxes';
// Redéfinition locale du type
type MailDomainMailboxesResponse = APIList<MailDomainMailbox>;
export function useMailboxesInfinite(
param: Omit<MailDomainMailboxesParams, 'page'>,
queryConfig = {},
) {
return useInfiniteQuery<
MailDomainMailboxesResponse,
APIError,
MailDomainMailboxesResponse,
[string, Omit<MailDomainMailboxesParams, 'page'>],
number
>({
queryKey: [KEY_LIST_MAILBOX, param],
queryFn: ({ pageParam = 1 }) =>
getMailDomainMailboxes({ ...param, page: pageParam }),
getNextPageParam: (lastPage): number | undefined => {
if (!lastPage.next) {
return undefined;
}
try {
const url = new URL(lastPage.next, window.location.origin);
const nextPage = url.searchParams.get('page');
return nextPage ? Number(nextPage) : undefined;
} catch {
return undefined;
}
},
initialPageParam: 1,
...queryConfig,
});
}
@@ -1,5 +1,6 @@
import { DataGrid, SortModel, usePagination } from '@openfun/cunningham-react';
import { useMemo, useState } from 'react';
import { DataGrid, SortModel } from '@openfun/cunningham-react';
import type { InfiniteData } from '@tanstack/react-query';
import { useEffect, useMemo, useRef, useState } from 'react';
import { useTranslation } from 'react-i18next';
import { Box, Tag, Text, TextErrors } from '@/components';
@@ -9,11 +10,17 @@ import {
MailDomainMailboxStatus,
} from '@/features/mail-domains/mailboxes/types';
import { PAGE_SIZE } from '../../../conf';
import { useMailboxes } from '../../api/useMailboxes';
import { useMailboxesInfinite } from '../../api/useMailboxesInfinite';
import { PanelActions } from './PanelActions';
type MailDomainMailboxesResponse = {
count: number;
next: string | null;
previous: string | null;
results: MailDomainMailbox[];
};
interface MailBoxesListViewProps {
mailDomain: MailDomain;
querySearch: string;
@@ -43,101 +50,134 @@ export function MailBoxesListView({
const [sortModel] = useState<SortModel>([]);
const pagination = usePagination({
defaultPage: 1,
pageSize: PAGE_SIZE,
});
const { page } = pagination;
const ordering = sortModel.length ? formatSortModel(sortModel[0]) : undefined;
const { data, isLoading, error } = useMailboxes({
const {
data,
isLoading,
error,
fetchNextPage,
hasNextPage,
isFetchingNextPage,
} = useMailboxesInfinite({
mailDomainSlug: mailDomain.slug,
page,
ordering,
});
}) as {
data: InfiniteData<MailDomainMailboxesResponse, number> | undefined;
isLoading: boolean;
error: { cause?: string[] };
fetchNextPage: () => void;
hasNextPage: boolean | undefined;
isFetchingNextPage: boolean;
};
const mailboxes: ViewMailbox[] = useMemo(() => {
if (!mailDomain || !data?.results?.length) {
if (!mailDomain || !data?.pages?.length) {
return [];
}
return data.results.map((mailbox: MailDomainMailbox) => ({
email: `${mailbox.local_part}@${mailDomain.name}`,
name: `${mailbox.first_name} ${mailbox.last_name}`,
id: mailbox.id,
status: mailbox.status,
mailbox,
}));
}, [data?.results, mailDomain]);
return data.pages.flatMap((page) =>
page.results.map((mailbox: MailDomainMailbox) => ({
email: `${mailbox.local_part}@${mailDomain.name}`,
name: `${mailbox.first_name} ${mailbox.last_name}`,
id: mailbox.id,
status: mailbox.status,
mailbox,
})),
);
}, [data, mailDomain]);
const filteredMailboxes = useMemo(() => {
if (!querySearch) {
return mailboxes;
}
const lowerCaseSearch = querySearch.toLowerCase();
return (
(mailboxes &&
mailboxes.filter((mailbox) =>
mailbox.email.toLowerCase().includes(lowerCaseSearch),
)) ||
[]
return mailboxes.filter((mailbox) =>
mailbox.email.toLowerCase().includes(lowerCaseSearch),
);
}, [querySearch, mailboxes]);
const loadMoreRef = useRef<HTMLDivElement | null>(null);
useEffect(() => {
if (!hasNextPage) {
return;
}
const ref = loadMoreRef.current;
const observer = new IntersectionObserver(
(entries) => {
if (entries[0].isIntersecting && hasNextPage && !isFetchingNextPage) {
fetchNextPage();
}
},
{ threshold: 1 },
);
if (ref) {
observer.observe(ref);
}
return () => {
if (ref) {
observer.unobserve(ref);
}
};
}, [hasNextPage, isFetchingNextPage, fetchNextPage]);
return (
<div>
{error && <TextErrors causes={error.cause} />}
{error && <TextErrors causes={error.cause ?? []} />}
{filteredMailboxes && filteredMailboxes.length ? (
<DataGrid
aria-label="listbox"
rows={filteredMailboxes}
columns={[
{
field: 'email',
headerName: `${t('Address')}${filteredMailboxes.length}`,
},
{
field: 'name',
headerName: t('User'),
enableSorting: true,
renderCell: ({ row }) => (
<Text
$weight="500"
$theme="greyscale"
$css="text-transform: capitalize;"
>
{row.name}
</Text>
),
},
{
id: 'status',
headerName: t('Status'),
enableSorting: true,
renderCell({ row }) {
return (
<Box $direction="row" $align="center">
<Tag
showTooltip={true}
status={row.status}
tooltipType="mail"
></Tag>
</Box>
);
<>
<DataGrid
aria-label="listbox"
rows={filteredMailboxes}
columns={[
{
field: 'email',
headerName: `${t('Address')}${filteredMailboxes.length}`,
renderCell: ({ row }) => <Text>{row.email}</Text>,
},
},
{
id: 'actions',
renderCell: ({ row }) => (
<PanelActions mailDomain={mailDomain} mailbox={row} />
),
},
]}
isLoading={isLoading}
/>
{
field: 'name',
headerName: t('User'),
enableSorting: true,
renderCell: ({ row }) => (
<Text
$weight="500"
$theme="greyscale"
$css="text-transform: capitalize;"
>
{row.name}
</Text>
),
},
{
id: 'status',
headerName: t('Status'),
enableSorting: true,
renderCell({ row }) {
return (
<Box $direction="row" $align="center">
<Tag
showTooltip={true}
status={row.status}
tooltipType="mail"
></Tag>
</Box>
);
},
},
{
id: 'actions',
renderCell: ({ row }) => (
<PanelActions mailDomain={mailDomain} mailbox={row} />
),
},
]}
isLoading={isLoading}
/>
{isFetchingNextPage && <div>{t('Loading more...')}</div>}
</>
) : null}
<div ref={loadMoreRef} style={{ height: 32 }} />
</div>
);
}
+23 -1
View File
@@ -1,8 +1,9 @@
import type { AppProps } from 'next/app';
import Head from 'next/head';
import { useEffect } from 'react';
import { useTranslation } from 'react-i18next';
import { AppProvider } from '@/core/';
import { AppProvider, useConfigStore } from '@/core';
import { NextPageWithLayout } from '@/types/next';
import './globals.css';
@@ -11,9 +12,30 @@ type AppPropsWithLayout = AppProps & {
Component: NextPageWithLayout;
};
declare global {
interface Window {
$crisp?: Array<[]>;
CRISP_WEBSITE_ID?: string;
}
}
export default function App({ Component, pageProps }: AppPropsWithLayout) {
const getLayout = Component.getLayout ?? ((page) => page);
const { t } = useTranslation();
const { config } = useConfigStore();
useEffect(() => {
if (!window.$crisp && config?.CRISP_WEBSITE_ID) {
window.$crisp = [];
window.CRISP_WEBSITE_ID = config?.CRISP_WEBSITE_ID;
const script = document.createElement('script');
script.type = 'text/javascript';
script.async = true;
script.src = 'https://client.crisp.chat/l.js';
document.head.appendChild(script);
}
}, [config]);
return (
<>
@@ -1,51 +0,0 @@
import { Loader } from '@openfun/cunningham-react';
import { useRouter as useNavigate } from 'next/navigation';
import { useRouter } from 'next/router';
import { ReactElement } from 'react';
import { Box } from '@/components';
import { TextErrors } from '@/components/TextErrors';
import {
MailDomainsLayout,
useMailDomain,
} from '@/features/mail-domains/domains';
import { NextPageWithLayout } from '@/types/next';
const MailDomainAccessesPage: NextPageWithLayout = () => {
const router = useRouter();
if (router?.query?.slug && typeof router.query.slug !== 'string') {
throw new Error('Invalid mail domain slug');
}
const { slug } = router.query;
const navigate = useNavigate();
const { error, isError, isLoading } = useMailDomain({ slug: String(slug) });
if (error?.status === 404) {
navigate.replace(`/404`);
return null;
}
if (isError && error) {
return <TextErrors causes={error?.cause} />;
}
if (isLoading) {
return (
<Box $align="center" $justify="center" $height="100%">
<Loader />
</Box>
);
}
return null;
};
MailDomainAccessesPage.getLayout = function getLayout(page: ReactElement) {
return <MailDomainsLayout>{page}</MailDomainsLayout>;
};
export default MailDomainAccessesPage;
@@ -1,9 +1,8 @@
import { Button, Input, Tooltip } from '@openfun/cunningham-react';
import { Button, Input } from '@openfun/cunningham-react';
import React, { ReactElement } from 'react';
import { useTranslation } from 'react-i18next';
import { Box, Text } from '@/components';
import { useAuthStore } from '@/core/auth';
import { useCunninghamTheme } from '@/cunningham';
import { ModalAddMailDomain } from '@/features/mail-domains/domains/components/ModalAddMailDomain';
import { MailDomainsListView } from '@/features/mail-domains/domains/components/panel/MailDomainsListView';
@@ -12,8 +11,6 @@ import { NextPageWithLayout } from '@/types/next';
const Page: NextPageWithLayout = () => {
const { t } = useTranslation();
const { userData } = useAuthStore();
const can_create = userData?.abilities?.mailboxes.can_create;
const [isModalOpen, setIsModalOpen] = React.useState(false);
const [searchValue, setSearchValue] = React.useState('');
const { colorsTokens } = useCunninghamTheme();
@@ -66,7 +63,7 @@ const Page: NextPageWithLayout = () => {
$gap="1em"
$css="margin-bottom: 20px;"
>
<Box $css="width: calc(100% - 245px);" $flex="1">
<Box $flex="1">
<Input
style={{ width: '100%' }}
label={t('Search a mail domain')}
@@ -106,32 +103,12 @@ const Page: NextPageWithLayout = () => {
<Box className="block md:hidden" $css="margin-bottom: 10px;"></Box>
<Box>
{can_create ? (
<Button data-testid="button-new-domain" onClick={openModal}>
{t('Add a mail domain')}
</Button>
) : (
<Tooltip content={t("You don't have the correct access right")}>
<div>
<Button
data-testid="button-new-domain"
onClick={openModal}
disabled={!can_create}
>
{t('Add a mail domain')}
</Button>
</div>
</Tooltip>
)}
<Button data-testid="button-new-domain" onClick={openModal}>
{t('Add a mail domain')}
</Button>
</Box>
</Box>
{!can_create && (
<p style={{ textAlign: 'center' }}>
{t('Click on mailbox to view details')}
</p>
)}
<MailDomainsListView querySearch={searchValue} />
{isModalOpen && <ModalAddMailDomain closeModal={closeModal} />}
</Box>
@@ -21,6 +21,7 @@ test.describe('Config', () => {
['fr-fr', 'French'],
],
COMMIT: 'NA',
CRISP_WEBSITE_ID: null,
FEATURES: {
CONTACTS_CREATE: true,
CONTACTS_DISPLAY: true,
@@ -238,7 +238,7 @@ test.describe('Mail domain create mailbox', () => {
await inputLastName.fill('Doe');
await inputLocalPart.fill('john.doe');
await expect(page.locator('span').getByText('@domain.fr')).toBeVisible();
await expect(page.getByText('@domain.fr', { exact: true })).toBeVisible();
await inputSecondaryEmailAddress.fill('john.doe@mail.com');
await page.getByRole('button', { name: 'Create' }).click();
@@ -97,6 +97,7 @@ test.describe('Mail domain', () => {
});
await page.goto('/mail-domains/unknown-domain.fr');
await page.waitForURL('/404/');
await expect(
page.getByText(
'It seems that the page you are looking for does not exist or cannot be displayed correctly.',
@@ -101,6 +101,8 @@ test.describe('Add Mail Domains', () => {
test('checks 404 on mail-domains/[slug] page', async ({ page }) => {
await page.goto('/mail-domains/unknown-domain');
await page.waitForURL('/404/');
await expect(
page.getByText(
'It seems that the page you are looking for does not exist or cannot be displayed correctly.',
@@ -76,17 +76,11 @@ test.describe('Menu', () => {
const menu = page.locator('menu').first();
let buttonMenu = menu.getByLabel(`Teams button`);
const buttonMenu = menu.getByLabel(`Teams button`);
await buttonMenu.click();
await expect(
page.getByText('Click on team to view details').first(),
).toBeVisible();
buttonMenu = menu.getByLabel(`Mail Domains`);
await buttonMenu.click();
await expect(
page.getByText('Click on mailbox to view details').first(),
).toBeVisible();
});
test(`it checks that the menu is not displaying when all abilities`, async ({
@@ -122,12 +116,12 @@ test.describe('Menu', () => {
const menu = page.locator('menu').first();
let buttonMenu = menu.getByLabel(`Teams button`);
const buttonMenu = menu.getByLabel(`Teams button`);
await buttonMenu.click();
await expect(page.getByText('Create a new team').first()).toBeVisible();
buttonMenu = menu.getByLabel(`Mail Domains`);
await buttonMenu.click();
const buttonMenuMailDomain = menu.getByLabel(`Mail Domains`);
await buttonMenuMailDomain.click();
await expect(page.getByText('Add a mail domain').first()).toBeVisible();
});
});
@@ -83,6 +83,7 @@ test.describe('Teams Create', () => {
test('checks 404 on teams/[id] page', async ({ page }) => {
await page.goto('/teams/some-unknown-team');
await page.waitForURL('/404/');
await expect(
page.getByText(
'It seems that the page you are looking for does not exist or cannot be displayed correctly.',
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "app-e2e",
"version": "1.16.0",
"version": "1.17.0",
"private": true,
"scripts": {
"lint": "eslint . --ext .ts",
+2 -4
View File
@@ -32,12 +32,10 @@ export default defineConfig({
},
webServer: {
command: `cd ../.. && yarn app:${
process.env.CI ? 'start -p ' : 'dev --port '
} ${PORT}`,
command: !process.env.CI ? `cd ../.. && yarn app:dev --port ${PORT}` : '',
url: baseURL,
timeout: 120 * 1000,
reuseExistingServer: !process.env.CI,
reuseExistingServer: true,
},
/* Configure projects for major browsers */
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "people",
"version": "1.16.0",
"version": "1.17.0",
"private": true,
"workspaces": {
"packages": [
@@ -1,6 +1,6 @@
{
"name": "eslint-config-people",
"version": "1.16.0",
"version": "1.17.0",
"license": "MIT",
"scripts": {
"lint": "eslint --ext .js ."
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "packages-i18n",
"version": "1.16.0",
"version": "1.17.0",
"private": true,
"scripts": {
"extract-translation": "yarn extract-translation:desk",
@@ -73,6 +73,7 @@ backend:
secretKeyRef:
name: backend
key: MAIL_PROVISIONING_API_CREDENTIALS
TCHAP_ACCESS_TOKEN: service_account_key
command:
- "gunicorn"
- "-c"