oca/oca-ocb-security
2
0
Fork 0
mirror of https://github.com/bringout/oca-ocb-security.git synced 2026-04-23 08:32:00 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Initial commit: Security packages

Browse source
This commit is contained in:
Ernad Husremovic 2025-08-29 15:20:51 +02:00
commit bb469e4763
1399 changed files with 278378 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
odoo-bringout-oca-ocb-microsoft_calendar/microsoft_calendar/utils/__init__.py Normal file
View file

@ -0,0 +1,5 @@
# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.
from . import microsoft_calendar
from . import microsoft_event
from . import event_id_storage

10
odoo-bringout-oca-ocb-microsoft_calendar/microsoft_calendar/utils/event_id_storage.py Normal file
View file

@ -0,0 +1,10 @@
IDS_SEPARATOR = ':'
def combine_ids(ms_id, ms_uid):
if not ms_id:
return False
return ms_id + IDS_SEPARATOR + (ms_uid if ms_uid else '')
def split_ids(value):
ids = value.split(IDS_SEPARATOR)
return tuple(ids) if len(ids) > 1 and ids[1] else (ids[0], False)

213
odoo-bringout-oca-ocb-microsoft_calendar/microsoft_calendar/utils/microsoft_calendar.py Normal file
View file

@ -0,0 +1,213 @@
# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.
import requests
import json
import logging
from werkzeug import urls
from odoo import fields
from odoo.addons.microsoft_calendar.utils.microsoft_event import MicrosoftEvent
from odoo.addons.microsoft_account.models.microsoft_service import TIMEOUT, RESOURCE_NOT_FOUND_STATUSES
_logger = logging.getLogger(__name__)
def requires_auth_token(func):
def wrapped(self, *args, **kwargs):
if not kwargs.get('token'):
raise AttributeError("An authentication token is required")
return func(self, *args, **kwargs)
return wrapped
class InvalidSyncToken(Exception):
pass
# In Outlook, an event can be:
# - a 'singleInstance' event,
# - a 'serie master' which contains all the information about an event reccurrence such as
# - an 'occurrence' which is an event from a reccurrence (serie) that follows this reccurrence
# - an 'exception' which is an event from a reccurrence (serie) but some differences with the reccurrence template (could be
# the name, the day of occurrence, ...)
#
# All these kinds of events are identified by:
# - a event ID (id) which is specific to an Outlook calendar.
# - a global event ID (iCalUId) which is common to all Outlook calendars containing this event.
#
# - 'singleInstance' and 'serie master' events are retrieved through the end-point `/v1.0/me/calendarView/delta` which provides
# the last modified/deleted items since the last sync (or all of these items at the first time).
# - 'occurrence' and 'exception' events are retrieved through the end-point `/v1.0/me/events/{serieMaster.id}/instances`,
# using the corresponding serie master ID.
class MicrosoftCalendarService():
def __init__(self, microsoft_service):
self.microsoft_service = microsoft_service
@requires_auth_token
def _get_single_event(self, iCalUId, token, timeout=TIMEOUT):
""" Fetch a single event from Graph API filtered by its iCalUId. """
url = "/v1.0/me/events?$filter=iCalUId eq '%s'" % iCalUId
headers = {'Content-type': 'application/json', 'Authorization': 'Bearer %s' % token}
status, event, _dummy = self.microsoft_service._do_request(url, {}, headers, method='GET', timeout=timeout)
return status not in RESOURCE_NOT_FOUND_STATUSES, event
@requires_auth_token
def _get_events_from_paginated_url(self, url, token=None, params=None, timeout=TIMEOUT):
"""
Get a list of events from a paginated URL.
Each page contains a link to the next page, so loop over all the pages to get all the events.
"""
headers = {
'Content-type': 'application/json',
'Authorization': 'Bearer %s' % token,
'Prefer': 'outlook.body-content-type="html", odata.maxpagesize=50'
}
if not params:
# By default, fetch events from at most one year in the past and two years in the future.
# Can be modified by microsoft_calendar.sync.range_days system parameter.
day_range = int(self.microsoft_service.env['ir.config_parameter'].sudo().get_param('microsoft_calendar.sync.range_days', default=365))
params = {
'startDateTime': fields.Datetime.subtract(fields.Datetime.now(), days=day_range).strftime("%Y-%m-%dT00:00:00Z"),
'endDateTime': fields.Datetime.add(fields.Datetime.now(), days=day_range * 2).strftime("%Y-%m-%dT00:00:00Z"),
}
# get the first page of events
_, data, _ = self.microsoft_service._do_request(
url, params, headers, method='GET', timeout=timeout
)
# and then, loop on other pages to get all the events
events = data.get('value', [])
next_page_token = data.get('@odata.nextLink')
while next_page_token:
_, data, _ = self.microsoft_service._do_request(
next_page_token, {}, headers, preuri='', method='GET', timeout=timeout
)
next_page_token = data.get('@odata.nextLink')
events += data.get('value', [])
token_url = data.get('@odata.deltaLink')
next_sync_token = urls.url_parse(token_url).decode_query().get('$deltatoken', False) if token_url else None
return events, next_sync_token
def _check_full_sync_required(self, response):
""" Checks if full sync is required according to the error code received. """
response_json = response.json()
response_code = response_json.get('error', {}).get('code', '')
return any(error_code in response_code for error_code in ['fullSyncRequired', 'SyncStateNotFound'])
@requires_auth_token
def _get_events_delta(self, sync_token=None, token=None, timeout=TIMEOUT):
"""
Get a set of events that have been added, deleted or updated in a time range.
See: https://docs.microsoft.com/en-us/graph/api/event-delta?view=graph-rest-1.0&tabs=http
"""
url = "/v1.0/me/calendarView/delta"
params = {'$deltatoken': sync_token} if sync_token else None
try:
events, next_sync_token = self._get_events_from_paginated_url(
url, params=params, token=token, timeout=timeout)
except requests.HTTPError as e:
full_sync_needed = self._check_full_sync_required(e.response)
if e.response.status_code == 410 and full_sync_needed and sync_token:
# retry with a full sync
return self._get_events_delta(token=token, timeout=timeout)
raise e
# event occurrences (from a recurrence) are retrieved separately to get all their info,
# # and mainly the iCalUId attribute which is not provided by the 'get_delta' api end point
events = [e for e in events if e.get('type') != 'occurrence']
return MicrosoftEvent(events), next_sync_token
@requires_auth_token
def _get_occurrence_details(self, serieMasterId, token=None, timeout=TIMEOUT):
"""
Get all occurrences details from a serie master.
See: https://docs.microsoft.com/en-us/graph/api/event-list-instances?view=graph-rest-1.0&tabs=http
"""
url = f"/v1.0/me/events/{serieMasterId}/instances"
events, _ = self._get_events_from_paginated_url(url, token=token, timeout=timeout)
return MicrosoftEvent(events)
@requires_auth_token
def get_events(self, sync_token=None, token=None, timeout=TIMEOUT):
"""
Retrieve all the events that have changed (added/updated/removed) from Microsoft Outlook.
This is done in 2 steps:
1) get main changed events (so single events and serie masters)
2) get occurrences linked to a serie masters (to retrieve all needed details such as iCalUId)
"""
events, next_sync_token = self._get_events_delta(sync_token=sync_token, token=token, timeout=timeout)
# get occurences details for all serie masters
for master in filter(lambda e: e.type == 'seriesMaster', events):
events |= self._get_occurrence_details(master.id, token=token, timeout=timeout)
return events, next_sync_token
@requires_auth_token
def insert(self, values, token=None, timeout=TIMEOUT):
url = "/v1.0/me/calendar/events"
headers = {'Content-type': 'application/json', 'Authorization': 'Bearer %s' % token}
_dummy, data, _dummy = self.microsoft_service._do_request(url, json.dumps(values), headers, method='POST', timeout=timeout)
return data['id'], data['iCalUId']
@requires_auth_token
def patch(self, event_id, values, token=None, timeout=TIMEOUT):
url = "/v1.0/me/calendar/events/%s" % event_id
headers = {'Content-type': 'application/json', 'Authorization': 'Bearer %s' % token}
try:
status, _dummy, _dummy = self.microsoft_service._do_request(url, json.dumps(values), headers, method='PATCH', timeout=timeout)
except requests.HTTPError:
_logger.info("Microsoft event %s has not been updated", event_id)
return False
return status not in RESOURCE_NOT_FOUND_STATUSES
@requires_auth_token
def delete(self, event_id, token=None, timeout=TIMEOUT):
url = "/v1.0/me/calendar/events/%s" % event_id
headers = {'Authorization': 'Bearer %s' % token}
params = {}
try:
status, _dummy, _dummy = self.microsoft_service._do_request(url, params, headers=headers, method='DELETE', timeout=timeout)
except requests.HTTPError as e:
# For some unknown reason Microsoft can also return a 403 response when the event is already cancelled.
status = e.response.status_code
if status in (410, 403):
_logger.info("Microsoft event %s was already deleted", event_id)
else:
raise e
return status not in RESOURCE_NOT_FOUND_STATUSES
@requires_auth_token
def answer(self, event_id, answer, values, token=None, timeout=TIMEOUT):
url = "/v1.0/me/calendar/events/%s/%s" % (event_id, answer)
headers = {'Content-type': 'application/json', 'Authorization': 'Bearer %s' % token}
status, _dummy, _dummy = self.microsoft_service._do_request(url, json.dumps(values), headers, method='POST', timeout=timeout)
return status not in RESOURCE_NOT_FOUND_STATUSES
#####################################
## MANAGE CONNEXION TO MICROSOFT ##
#####################################
def is_authorized(self, user):
return bool(user.sudo().microsoft_calendar_rtoken)
def _get_calendar_scope(self):
return 'offline_access openid Calendars.ReadWrite'
def _microsoft_authentication_url(self, from_url='http://www.odoo.com'):
return self.microsoft_service._get_authorize_uri(from_url, service='calendar', scope=self._get_calendar_scope())
def _can_authorize_microsoft(self, user):
return user.has_group('base.group_erp_manager')

284
odoo-bringout-oca-ocb-microsoft_calendar/microsoft_calendar/utils/microsoft_event.py Normal file
View file

@ -0,0 +1,284 @@
# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.
import json
from odoo.api import model
from typing import Iterator, Mapping
from collections import abc
from odoo.tools import ReadonlyDict, email_normalize
from odoo.addons.microsoft_calendar.utils.event_id_storage import combine_ids
class MicrosoftEvent(abc.Set):
"""
This helper class holds the values of a Microsoft event.
Inspired by Odoo recordset, one instance can be a single Microsoft event or a
(immutable) set of Microsoft events.
All usual set operations are supported (union, intersection, etc).
:param iterable: iterable of MicrosoftCalendar instances or iterable of dictionnaries
"""
def __init__(self, iterable=()):
_events = {}
for item in iterable:
if isinstance(item, self.__class__):
_events[item.id] = item._events[item.id]
elif isinstance(item, Mapping):
_events[item.get('id')] = item
else:
raise ValueError("Only %s or iterable of dict are supported" % self.__class__.__name__)
self._events = ReadonlyDict(_events)
def __iter__(self) -> Iterator['MicrosoftEvent']:
return iter(MicrosoftEvent([vals]) for vals in self._events.values())
def __contains__(self, microsoft_event):
return microsoft_event.id in self._events
def __len__(self):
return len(self._events)
def __bool__(self):
return bool(self._events)
def __getattr__(self, name):
# ensure_one
try:
event, = self._events.keys()
except ValueError:
raise ValueError("Expected singleton: %s" % self)
event_id = list(self._events.keys())[0]
value = self._events[event_id].get(name)
json.dumps(value)
return value
def __repr__(self):
return '%s%s' % (self.__class__.__name__, self.ids)
@property
def ids(self):
"""
Use 'id' to return an event identifier which is specific to a calendar
"""
return tuple(e.id for e in self)
def microsoft_ids(self):
return tuple(e.id for e in self)
@property
def uids(self):
"""
Use 'iCalUid' to return an identifier which is unique accross all calendars
"""
return tuple(e.iCalUId for e in self)
def odoo_id(self, env):
return self._odoo_id
def _meta_odoo_id(self, microsoft_guid):
"""Returns the Odoo id stored in the Microsoft Event metadata.
This id might not actually exists in the database.
"""
return None
@property
def odoo_ids(self):
"""
Get the list of Odoo event ids already mapped with Outlook events (self)
"""
return tuple(e._odoo_id for e in self if e._odoo_id)
def _load_odoo_ids_from_db(self, env, force_model=None):
"""
Map Microsoft events to existing Odoo events:
1) extract unmapped events only,
2) match Odoo events and Outlook events which have both a ICalUId set,
3) match remaining events,
Returns the list of mapped events
"""
mapped_events = [e.id for e in self if e._odoo_id]
# avoid mapping events if they are already all mapped
if len(self) == len(mapped_events):
return self
unmapped_events = self.filter(lambda e: e.id not in mapped_events)
# Query events OR recurrences, get organizer_id and universal_id values by splitting microsoft_id.
model_env = force_model if force_model is not None else self._get_model(env)
organiser_ids = tuple(str(v) for v in unmapped_events.ids if v) or ('NULL',)
universal_ids = tuple(str(v) for v in unmapped_events.uids if v) or ('NULL',)
model_env.flush_model(['microsoft_id'])
env.cr.execute(
"""
SELECT id, organizer_id, universal_id
FROM (
SELECT id,
split_part(microsoft_id, ':', 1) AS organizer_id,
split_part(microsoft_id, ':', 2) AS universal_id
FROM %s
WHERE microsoft_id IS NOT NULL) AS splitter
WHERE organizer_id IN %%s
OR universal_id IN %%s
""" % model_env._table, (organiser_ids, universal_ids))
res = env.cr.fetchall()
odoo_events_ids = [val[0] for val in res]
odoo_events = model_env.browse(odoo_events_ids)
# 1. try to match unmapped events with Odoo events using their iCalUId
unmapped_events_with_uids = unmapped_events.filter(lambda e: e.iCalUId)
odoo_events_with_uids = odoo_events.filtered(lambda e: e.ms_universal_event_id)
mapping = {e.ms_universal_event_id: e.id for e in odoo_events_with_uids}
for ms_event in unmapped_events_with_uids:
odoo_id = mapping.get(ms_event.iCalUId)
if odoo_id:
ms_event._events[ms_event.id]['_odoo_id'] = odoo_id
mapped_events.append(ms_event.id)
# 2. try to match unmapped events with Odoo events using their id
unmapped_events = self.filter(lambda e: e.id not in mapped_events)
mapping = {e.ms_organizer_event_id: e for e in odoo_events}
for ms_event in unmapped_events:
odoo_event = mapping.get(ms_event.id)
if odoo_event:
ms_event._events[ms_event.id]['_odoo_id'] = odoo_event.id
mapped_events.append(ms_event.id)
# don't forget to also set the global event ID on the Odoo event to ease
# and improve reliability of future mappings
odoo_event.write({
'microsoft_id': combine_ids(ms_event.id, ms_event.iCalUId),
'need_sync_m': False,
})
return self.filter(lambda e: e.id in mapped_events)
def owner_id(self, env):
"""
Indicates who is the owner of an event (i.e the organizer of the event).
There are several possible cases:
1) the current Odoo user is the organizer of the event according to Outlook event, so return his id.
2) the current Odoo user is NOT the organizer and:
2.1) we are able to find a Odoo user using the Outlook event organizer email address and we use his id,
2.2) we are NOT able to find a Odoo user matching the organizer email address and we return False, meaning
that no Odoo user will be able to modify this event. All modifications will be done from Outlook.
"""
if self.isOrganizer:
return env.user.id
if not self.organizer:
return False
organizer_email = self.organizer.get('emailAddress') and email_normalize(self.organizer.get('emailAddress').get('address'))
if organizer_email:
# Warning: In Microsoft: 1 email = 1 user; but in Odoo several users might have the same email
user = env['res.users'].search([('email', '=', organizer_email)], limit=1)
return user.id if user else False
return False
def filter(self, func) -> 'MicrosoftEvent':
return MicrosoftEvent(e for e in self if func(e))
def is_recurrence(self):
return self.type == 'seriesMaster'
def is_recurrent(self):
return bool(self.seriesMasterId or self.is_recurrence())
def is_recurrent_not_master(self):
return bool(self.seriesMasterId)
def get_recurrence(self):
if not self.recurrence:
return {}
pattern = self.recurrence['pattern']
range = self.recurrence['range']
end_type_dict = {
'endDate': 'end_date',
'noEnd': 'forever',
'numbered': 'count',
}
type_dict = {
'absoluteMonthly': 'monthly',
'relativeMonthly': 'monthly',
'absoluteYearly': 'yearly',
'relativeYearly': 'yearly',
}
index_dict = {
'first': '1',
'second': '2',
'third': '3',
'fourth': '4',
'last': '-1',
}
rrule_type = type_dict.get(pattern['type'], pattern['type'])
interval = pattern['interval']
if rrule_type == 'yearly':
interval *= 12
result = {
'rrule_type': rrule_type,
'end_type': end_type_dict.get(range['type'], False),
'interval': interval,
'count': range['numberOfOccurrences'],
'day': pattern['dayOfMonth'],
'byday': index_dict.get(pattern['index'], False),
'until': range['type'] == 'endDate' and range['endDate'],
}
month_by_dict = {
'absoluteMonthly': 'date',
'relativeMonthly': 'day',
'absoluteYearly': 'date',
'relativeYearly': 'day',
}
month_by = month_by_dict.get(pattern['type'], False)
if month_by:
result['month_by'] = month_by
# daysOfWeek contains the full name of the day, the fields contain the first 3 letters (mon, tue, etc)
week_days = [x[:3] for x in pattern.get('daysOfWeek', [])]
for week_day in ['mon', 'tue', 'wed', 'thu', 'fri', 'sat', 'sun']:
result[week_day] = week_day in week_days
if week_days:
result['weekday'] = week_days[0].upper()
return result
def is_cancelled(self):
return bool(self.isCancelled) or self.is_removed()
def is_removed(self):
return self.__getattr__('@removed') and self.__getattr__('@removed').get('reason') == 'deleted'
def is_recurrence_outlier(self):
return self.type == "exception"
def cancelled(self):
return self.filter(lambda e: e.is_cancelled())
def match_with_odoo_events(self, env) -> 'MicrosoftEvent':
"""
Match Outlook events (self) with existing Odoo events, and return the list of matched events
"""
# first, try to match recurrences
# Note that when a recurrence is removed, there is no field in Outlook data to identify
# the item as a recurrence, so select all deleted items by default.
recurrence_candidates = self.filter(lambda x: x.is_recurrence() or x.is_removed())
mapped_recurrences = recurrence_candidates._load_odoo_ids_from_db(env, force_model=env["calendar.recurrence"])
# then, try to match events
events_candidates = (self - mapped_recurrences).filter(lambda x: not x.is_recurrence())
mapped_events = events_candidates._load_odoo_ids_from_db(env)
return mapped_recurrences | mapped_events
def _get_model(self, env):
if all(e.is_recurrence() for e in self):
return env['calendar.recurrence']
if all(not e.is_recurrence() for e in self):
return env['calendar.event']
raise TypeError("Mixing Microsoft events and Microsoft recurrences")