fanilo/Sage100-vps
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: fanilo:1164c7975ae2742c6248cd443a0b3175d26c0a97
Branches Tags
fanilo:main
fanilo:develop
fanilo:develop_like
fanilo:main_2
fanilo:feat/controlled_swagger_access
fanilo:fix/security
fanilo:feat/securing_API
fanilo:feat/secureing_API
fanilo:feat/get_all_reglements
fanilo:feat/enrich_settle_invoice
fanilo:feat/settle_invoice
fanilo:feat/validation_facture
fanilo:feat/get_society_API_sirene
fanilo:fix/update_pdf_structure
fanilo:feat/get_society
fanilo:fix/get_signed_documents
fanilo:feat/updates_containers
fanilo:feat/update_pdf_structure
fanilo:feat/get_signed_documents
fanilo:debug/universign_3
fanilo:debug/universign_2
fanilo:fix/manage_hour
fanilo:feat/universign_delocalization
fanilo:feat/collaborator
fanilo:fix/document_treatment
fanilo:fix/article_treatment
fanilo:feat/enhanced_security_auth_2
fanilo:feat/enhanced_security_auth
..
compare: fanilo:89510537b35f57ab3620fde9c49e0f4ee769ca32
Branches Tags
fanilo:develop
fanilo:develop_like
fanilo:main
fanilo:main_2
fanilo:feat/controlled_swagger_access
fanilo:fix/security
fanilo:feat/securing_API
fanilo:feat/secureing_API
fanilo:feat/get_all_reglements
fanilo:feat/enrich_settle_invoice
fanilo:feat/settle_invoice
fanilo:feat/validation_facture
fanilo:feat/get_society_API_sirene
fanilo:fix/update_pdf_structure
fanilo:feat/get_society
fanilo:fix/get_signed_documents
fanilo:feat/updates_containers
fanilo:feat/update_pdf_structure
fanilo:feat/get_signed_documents
fanilo:debug/universign_3
fanilo:debug/universign_2
fanilo:fix/manage_hour
fanilo:feat/universign_delocalization
fanilo:feat/collaborator
fanilo:fix/document_treatment
fanilo:fix/article_treatment
fanilo:feat/enhanced_security_auth_2
fanilo:feat/enhanced_security_auth

No commits in common. "1164c7975ae2742c6248cd443a0b3175d26c0a97" and "89510537b35f57ab3620fde9c49e0f4ee769ca32" have entirely different histories.
1164c7975a ... 89510537b3

25 changed files with 187 additions and 1628 deletions
Show stats Expand all files Collapse all files

2
.gitignore vendored
View file

@ -46,5 +46,3 @@ tools/
.env.production .env.production
.trunk .trunk
*clean*.py

3
api.py
View file

@ -132,6 +132,7 @@ async def lifespan(app: FastAPI):
api_url=settings.universign_api_url, api_key=settings.universign_api_key api_url=settings.universign_api_url, api_key=settings.universign_api_key
) )
# Configuration du service avec les dépendances
sync_service.configure( sync_service.configure(
sage_client=sage_client, email_queue=email_queue, settings=settings sage_client=sage_client, email_queue=email_queue, settings=settings
) )
@ -179,6 +180,7 @@ app.include_router(entreprises_router)
@app.get("/clients", response_model=List[ClientDetails], tags=["Clients"]) @app.get("/clients", response_model=List[ClientDetails], tags=["Clients"])
async def obtenir_clients( async def obtenir_clients(
query: Optional[str] = Query(None), query: Optional[str] = Query(None),
# sage: SageGatewayClient = Depends(get_sage_client_for_user),
): ):
try: try:
clients = sage_client.lister_clients(filtre=query or "") clients = sage_client.lister_clients(filtre=query or "")
@ -2766,6 +2768,7 @@ async def get_current_sage_config(
} }
# Routes Collaborateurs
@app.get( @app.get(
"/collaborateurs", "/collaborateurs",
response_model=List[CollaborateurDetails], response_model=List[CollaborateurDetails],

8
config/config.py
View file

@ -7,6 +7,7 @@ class Settings(BaseSettings):
env_file=".env", env_file_encoding="utf-8", case_sensitive=False, extra="ignore" env_file=".env", env_file_encoding="utf-8", case_sensitive=False, extra="ignore"
) )
# === JWT & Auth ===
jwt_secret: str jwt_secret: str
jwt_algorithm: str jwt_algorithm: str
access_token_expire_minutes: int access_token_expire_minutes: int
@ -20,12 +21,15 @@ class Settings(BaseSettings):
SAGE_TYPE_BON_AVOIR: int = 50 SAGE_TYPE_BON_AVOIR: int = 50
SAGE_TYPE_FACTURE: int = 60 SAGE_TYPE_FACTURE: int = 60
# === Sage Gateway (Windows) ===
sage_gateway_url: str sage_gateway_url: str
sage_gateway_token: str sage_gateway_token: str
frontend_url: str frontend_url: str
# === Base de données ===
database_url: str = "sqlite+aiosqlite:///./data/sage_dataven.db" database_url: str = "sqlite+aiosqlite:///./data/sage_dataven.db"
# === SMTP ===
smtp_host: str smtp_host: str
smtp_port: int = 587 smtp_port: int = 587
smtp_user: str smtp_user: str
@ -33,17 +37,21 @@ class Settings(BaseSettings):
smtp_from: str smtp_from: str
smtp_use_tls: bool = True smtp_use_tls: bool = True
# === Universign ===
universign_api_key: str universign_api_key: str
universign_api_url: str universign_api_url: str
# === API ===
api_host: str api_host: str
api_port: int api_port: int
api_reload: bool = False api_reload: bool = False
# === Email Queue ===
max_email_workers: int = 3 max_email_workers: int = 3
max_retry_attempts: int = 3 max_retry_attempts: int = 3
retry_delay_seconds: int = 3 retry_delay_seconds: int = 3
# === CORS ===
cors_origins: List[str] = ["*"] cors_origins: List[str] = ["*"]

125
config/cors_config.py
View file

@ -1,125 +0,0 @@
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from typing import List
import os
import logging
logger = logging.getLogger(__name__)
def configure_cors_open(app: FastAPI):
app.add_middleware(
CORSMiddleware,
allow_origins=["*"],
allow_credentials=False,
allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
allow_headers=["*"],
expose_headers=["X-RateLimit-Limit", "X-RateLimit-Remaining"],
max_age=3600,
)
logger.info(" CORS configuré: Mode OUVERT (sécurisé par API Keys)")
logger.info(" - Origins: * (toutes)")
logger.info(" - Headers: * (dont X-API-Key)")
logger.info(" - Credentials: False")
def configure_cors_whitelist(app: FastAPI):
allowed_origins_str = os.getenv("CORS_ALLOWED_ORIGINS", "")
if allowed_origins_str:
allowed_origins = [
origin.strip()
for origin in allowed_origins_str.split(",")
if origin.strip()
]
else:
allowed_origins = ["*"]
app.add_middleware(
CORSMiddleware,
allow_origins=allowed_origins,
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
allow_headers=["Content-Type", "Authorization", "X-API-Key"],
expose_headers=["X-RateLimit-Limit", "X-RateLimit-Remaining"],
max_age=3600,
)
logger.info(" CORS configuré: Mode WHITELIST")
logger.info(f" - Origins autorisées: {len(allowed_origins)}")
for origin in allowed_origins:
logger.info(f"{origin}")
def configure_cors_regex(app: FastAPI):
origin_regex = r"*"
app.add_middleware(
CORSMiddleware,
allow_origin_regex=origin_regex,
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
allow_headers=["Content-Type", "Authorization", "X-API-Key"],
expose_headers=["X-RateLimit-Limit", "X-RateLimit-Remaining"],
max_age=3600,
)
logger.info(" CORS configuré: Mode REGEX")
logger.info(f" - Pattern: {origin_regex}")
def configure_cors_hybrid(app: FastAPI):
from starlette.middleware.base import BaseHTTPMiddleware
class HybridCORSMiddleware(BaseHTTPMiddleware):
def __init__(self, app, known_origins: List[str]):
super().__init__(app)
self.known_origins = set(known_origins)
async def dispatch(self, request, call_next):
origin = request.headers.get("origin")
if origin in self.known_origins:
response = await call_next(request)
response.headers["Access-Control-Allow-Origin"] = origin
response.headers["Access-Control-Allow-Credentials"] = "true"
response.headers["Access-Control-Allow-Methods"] = (
"GET, POST, PUT, DELETE, PATCH, OPTIONS"
)
response.headers["Access-Control-Allow-Headers"] = (
"Content-Type, Authorization, X-API-Key"
)
return response
response = await call_next(request)
response.headers["Access-Control-Allow-Origin"] = "*"
response.headers["Access-Control-Allow-Methods"] = (
"GET, POST, PUT, DELETE, PATCH, OPTIONS"
)
response.headers["Access-Control-Allow-Headers"] = "*"
return response
known_origins = ["*"]
app.add_middleware(HybridCORSMiddleware, known_origins=known_origins)
logger.info(" CORS configuré: Mode HYBRIDE")
logger.info(f" - Whitelist: {len(known_origins)} domaines")
logger.info(" - Fallback: * (ouvert)")
def setup_cors(app: FastAPI, mode: str = "open"):
if mode == "open":
configure_cors_open(app)
elif mode == "whitelist":
configure_cors_whitelist(app)
elif mode == "regex":
configure_cors_regex(app)
elif mode == "hybrid":
configure_cors_hybrid(app)
else:
logger.warning(
f" Mode CORS inconnu: {mode}. Utilisation de 'open' par défaut."
)
configure_cors_open(app)

96
core/dependencies.py
View file

@ -1,4 +1,4 @@
from fastapi import Depends, HTTPException, status, Request from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select from sqlalchemy import select
@ -6,19 +6,14 @@ from database import get_session, User
from security.auth import decode_token from security.auth import decode_token
from typing import Optional from typing import Optional
from datetime import datetime from datetime import datetime
import logging
logger = logging.getLogger(__name__) security = HTTPBearer()
security = HTTPBearer(auto_error=False)
async def get_current_user_hybrid( async def get_current_user(
request: Request, credentials: HTTPAuthorizationCredentials = Depends(security),
credentials: Optional[HTTPAuthorizationCredentials] = Depends(security),
session: AsyncSession = Depends(get_session), session: AsyncSession = Depends(get_session),
) -> User: ) -> User:
if credentials and credentials.credentials:
token = credentials.credentials token = credentials.credentials
payload = decode_token(token) payload = decode_token(token)
@ -71,96 +66,29 @@ async def get_current_user_hybrid(
detail="Compte temporairement verrouillé suite à trop de tentatives échouées", detail="Compte temporairement verrouillé suite à trop de tentatives échouées",
) )
logger.debug(f" Authentifié via JWT: {user.email}")
return user return user
api_key_obj = getattr(request.state, "api_key", None)
if api_key_obj: async def get_current_user_optional(
if api_key_obj.user_id:
result = await session.execute(
select(User).where(User.id == api_key_obj.user_id)
)
user = result.scalar_one_or_none()
if user:
logger.debug(
f" Authentifié via API Key ({api_key_obj.name}) → User: {user.email}"
)
return user
from database import User as UserModel
virtual_user = UserModel(
id=f"api_key_{api_key_obj.id}",
email=f"{api_key_obj.name.lower().replace(' ', '_')}@api-key.local",
nom="API Key",
prenom=api_key_obj.name,
role="api_client",
is_verified=True,
is_active=True,
)
virtual_user._is_api_key_user = True
virtual_user._api_key_obj = api_key_obj
logger.debug(f" Authentifié via API Key: {api_key_obj.name} (user virtuel)")
return virtual_user
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Authentification requise (JWT ou API Key)",
headers={"WWW-Authenticate": "Bearer"},
)
async def get_current_user_optional_hybrid(
request: Request,
credentials: Optional[HTTPAuthorizationCredentials] = Depends(security), credentials: Optional[HTTPAuthorizationCredentials] = Depends(security),
session: AsyncSession = Depends(get_session), session: AsyncSession = Depends(get_session),
) -> Optional[User]: ) -> Optional[User]:
"""Version optionnelle de get_current_user_hybrid (ne lève pas d'erreur)""" if not credentials:
return None
try: try:
return await get_current_user_hybrid(request, credentials, session) return await get_current_user(credentials, session)
except HTTPException: except HTTPException:
return None return None
def require_role_hybrid(*allowed_roles: str): def require_role(*allowed_roles: str):
async def role_checker( async def role_checker(user: User = Depends(get_current_user)) -> User:
request: Request, user: User = Depends(get_current_user_hybrid) if user.role not in allowed_roles:
) -> User:
is_api_key_user = getattr(user, "_is_api_key_user", False)
if is_api_key_user:
if "api_client" not in allowed_roles and "*" not in allowed_roles:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=f"Accès refusé. Rôles requis: {', '.join(allowed_roles)}. API Keys non autorisées.",
)
logger.debug(" API Key autorisée pour cette route")
return user
if user.role not in allowed_roles and "*" not in allowed_roles:
raise HTTPException( raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, status_code=status.HTTP_403_FORBIDDEN,
detail=f"Accès refusé. Rôles requis: {', '.join(allowed_roles)}", detail=f"Accès refusé. Rôles requis: {', '.join(allowed_roles)}",
) )
return user return user
return role_checker return role_checker
def is_api_key_user(user: User) -> bool:
"""Vérifie si l'utilisateur est authentifié via API Key"""
return getattr(user, "_is_api_key_user", False)
def get_api_key_from_user(user: User):
"""Récupère l'objet API Key depuis un user virtuel"""
return getattr(user, "_api_key_obj", None)
get_current_user = get_current_user_hybrid
get_current_user_optional = get_current_user_optional_hybrid

3
create_admin.py
View file

@ -19,6 +19,7 @@ async def create_admin():
print(" Création d'un compte administrateur") print(" Création d'un compte administrateur")
print("=" * 60 + "\n") print("=" * 60 + "\n")
# Saisie des informations
email = input("Email de l'admin: ").strip().lower() email = input("Email de l'admin: ").strip().lower()
if not email or "@" not in email: if not email or "@" not in email:
print(" Email invalide") print(" Email invalide")
@ -31,6 +32,7 @@ async def create_admin():
print(" Prénom et nom requis") print(" Prénom et nom requis")
return False return False
# Mot de passe avec validation
while True: while True:
password = input( password = input(
"Mot de passe (min 8 car., 1 maj, 1 min, 1 chiffre, 1 spécial): " "Mot de passe (min 8 car., 1 maj, 1 min, 1 chiffre, 1 spécial): "
@ -56,6 +58,7 @@ async def create_admin():
print(f"\n Un utilisateur avec l'email {email} existe déjà") print(f"\n Un utilisateur avec l'email {email} existe déjà")
return False return False
# Créer l'admin
admin = User( admin = User(
id=str(uuid.uuid4()), id=str(uuid.uuid4()),
email=email, email=email,

56
database/models/api_key.py
View file

@ -1,56 +0,0 @@
from sqlalchemy import Column, String, Boolean, DateTime, Integer, Text
from datetime import datetime
import uuid
from database.models.generic_model import Base
class ApiKey(Base):
"""Modèle pour les clés API publiques"""
__tablename__ = "api_keys"
id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
key_hash = Column(String(64), unique=True, nullable=False, index=True)
key_prefix = Column(String(10), nullable=False)
name = Column(String(255), nullable=False)
description = Column(Text, nullable=True)
user_id = Column(String(36), nullable=True)
created_by = Column(String(255), nullable=False)
is_active = Column(Boolean, default=True, nullable=False)
rate_limit_per_minute = Column(Integer, default=60, nullable=False)
allowed_endpoints = Column(Text, nullable=True)
total_requests = Column(Integer, default=0, nullable=False)
last_used_at = Column(DateTime, nullable=True)
created_at = Column(DateTime, default=datetime.now, nullable=False)
expires_at = Column(DateTime, nullable=True)
revoked_at = Column(DateTime, nullable=True)
def __repr__(self):
return f"<ApiKey(name='{self.name}', prefix='{self.key_prefix}', active={self.is_active})>"
class SwaggerUser(Base):
"""Modèle pour les utilisateurs autorisés à accéder au Swagger"""
__tablename__ = "swagger_users"
id = Column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
username = Column(String(100), unique=True, nullable=False, index=True)
hashed_password = Column(String(255), nullable=False)
full_name = Column(String(255), nullable=True)
email = Column(String(255), nullable=True)
is_active = Column(Boolean, default=True, nullable=False)
created_at = Column(DateTime, default=datetime.now, nullable=False)
last_login = Column(DateTime, nullable=True)
def __repr__(self):
return f"<SwaggerUser(username='{self.username}', active={self.is_active})>"

236
middleware/security.py
View file

@ -1,236 +0,0 @@
from fastapi import Request, status
from fastapi.responses import JSONResponse
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from sqlalchemy import select
from typing import Optional
from datetime import datetime
import logging
from database import get_session
from database.models.api_key import SwaggerUser
from security.auth import verify_password
logger = logging.getLogger(__name__)
security = HTTPBasic()
async def verify_swagger_credentials(credentials: HTTPBasicCredentials) -> bool:
username = credentials.username
password = credentials.password
try:
async for session in get_session():
result = await session.execute(
select(SwaggerUser).where(SwaggerUser.username == username)
)
swagger_user = result.scalar_one_or_none()
if swagger_user and swagger_user.is_active:
if verify_password(password, swagger_user.hashed_password):
swagger_user.last_login = datetime.now()
await session.commit()
logger.info(f" Accès Swagger autorisé (DB): {username}")
return True
logger.warning(f" Tentative d'accès Swagger refusée: {username}")
return False
except Exception as e:
logger.error(f" Erreur vérification Swagger credentials: {e}")
return False
class SwaggerAuthMiddleware:
def __init__(self, app):
self.app = app
async def __call__(self, scope, receive, send):
if scope["type"] != "http":
await self.app(scope, receive, send)
return
request = Request(scope, receive=receive)
path = request.url.path
protected_paths = ["/docs", "/redoc", "/openapi.json"]
if any(path.startswith(protected_path) for protected_path in protected_paths):
auth_header = request.headers.get("Authorization")
if not auth_header or not auth_header.startswith("Basic "):
response = JSONResponse(
status_code=status.HTTP_401_UNAUTHORIZED,
content={
"detail": "Authentification requise pour accéder à la documentation"
},
headers={"WWW-Authenticate": 'Basic realm="Swagger UI"'},
)
await response(scope, receive, send)
return
try:
import base64
encoded_credentials = auth_header.split(" ")[1]
decoded_credentials = base64.b64decode(encoded_credentials).decode(
"utf-8"
)
username, password = decoded_credentials.split(":", 1)
credentials = HTTPBasicCredentials(username=username, password=password)
if not await verify_swagger_credentials(credentials):
response = JSONResponse(
status_code=status.HTTP_401_UNAUTHORIZED,
content={"detail": "Identifiants invalides"},
headers={"WWW-Authenticate": 'Basic realm="Swagger UI"'},
)
await response(scope, receive, send)
return
except Exception as e:
logger.error(f" Erreur parsing auth header: {e}")
response = JSONResponse(
status_code=status.HTTP_401_UNAUTHORIZED,
content={"detail": "Format d'authentification invalide"},
headers={"WWW-Authenticate": 'Basic realm="Swagger UI"'},
)
await response(scope, receive, send)
return
await self.app(scope, receive, send)
class ApiKeyMiddleware:
def __init__(self, app):
self.app = app
async def __call__(self, scope, receive, send):
if scope["type"] != "http":
await self.app(scope, receive, send)
return
request = Request(scope, receive=receive)
path = request.url.path
excluded_paths = [
"/docs",
"/redoc",
"/openapi.json",
"/health",
"/",
"/auth/login",
"/auth/register",
"/auth/verify-email",
"/auth/reset-password",
"/auth/request-reset",
"/auth/refresh",
]
if any(path.startswith(excluded_path) for excluded_path in excluded_paths):
await self.app(scope, receive, send)
return
auth_header = request.headers.get("Authorization")
has_jwt = auth_header and auth_header.startswith("Bearer ")
api_key = request.headers.get("X-API-Key")
has_api_key = api_key is not None
if has_jwt:
logger.debug(f" JWT détecté pour {path}")
await self.app(scope, receive, send)
return
elif has_api_key:
logger.debug(f" API Key détectée pour {path}")
from services.api_key import ApiKeyService
try:
async for session in get_session():
api_key_service = ApiKeyService(session)
api_key_obj = await api_key_service.verify_api_key(api_key)
if not api_key_obj:
response = JSONResponse(
status_code=status.HTTP_401_UNAUTHORIZED,
content={
"detail": "Clé API invalide ou expirée",
"hint": "Utilisez X-API-Key: sdk_live_xxx ou Authorization: Bearer <jwt>",
},
)
await response(scope, receive, send)
return
is_allowed, rate_info = await api_key_service.check_rate_limit(
api_key_obj
)
if not is_allowed:
response = JSONResponse(
status_code=status.HTTP_429_TOO_MANY_REQUESTS,
content={"detail": "Rate limit dépassé"},
headers={
"X-RateLimit-Limit": str(rate_info["limit"]),
"X-RateLimit-Remaining": "0",
},
)
await response(scope, receive, send)
return
has_access = await api_key_service.check_endpoint_access(
api_key_obj, path
)
if not has_access:
response = JSONResponse(
status_code=status.HTTP_403_FORBIDDEN,
content={
"detail": "Accès non autorisé à cet endpoint",
"endpoint": path,
"api_key": api_key_obj.key_prefix + "...",
},
)
await response(scope, receive, send)
return
request.state.api_key = api_key_obj
request.state.authenticated_via = "api_key"
logger.info(f" API Key valide: {api_key_obj.name}{path}")
await self.app(scope, receive, send)
return
except Exception as e:
logger.error(f" Erreur validation API Key: {e}", exc_info=True)
response = JSONResponse(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
content={
"detail": "Erreur interne lors de la validation de la clé"
},
)
await response(scope, receive, send)
return
else:
response = JSONResponse(
status_code=status.HTTP_401_UNAUTHORIZED,
content={
"detail": "Authentification requise",
"hint": "Utilisez soit 'X-API-Key: sdk_live_xxx' soit 'Authorization: Bearer <jwt>'",
},
headers={"WWW-Authenticate": 'Bearer realm="API", charset="UTF-8"'},
)
await response(scope, receive, send)
return
def get_api_key_from_request(request: Request) -> Optional:
"""Récupère l'objet ApiKey depuis la requête si présent"""
return getattr(request.state, "api_key", None)
def get_auth_method(request: Request) -> str:
return getattr(request.state, "authenticated_via", "none")

154
routes/api_keys.py
View file

@ -1,154 +0,0 @@
from fastapi import APIRouter, Depends, HTTPException, status, Query
from sqlalchemy.ext.asyncio import AsyncSession
import logging
from database import get_session, User
from core.dependencies import get_current_user, require_role
from services.api_key import ApiKeyService, api_key_to_response
from schemas.api_key import (
ApiKeyCreate,
ApiKeyCreatedResponse,
ApiKeyResponse,
ApiKeyList,
)
logger = logging.getLogger(__name__)
router = APIRouter(prefix="/api-keys", tags=["API Keys Management"])
@router.post(
"",
response_model=ApiKeyCreatedResponse,
status_code=status.HTTP_201_CREATED,
dependencies=[Depends(require_role("admin", "super_admin"))],
)
async def create_api_key(
data: ApiKeyCreate,
session: AsyncSession = Depends(get_session),
user: User = Depends(get_current_user),
):
service = ApiKeyService(session)
api_key_obj, api_key_plain = await service.create_api_key(
name=data.name,
description=data.description,
created_by=user.email,
user_id=user.id,
expires_in_days=data.expires_in_days,
rate_limit_per_minute=data.rate_limit_per_minute,
allowed_endpoints=data.allowed_endpoints,
)
logger.info(f" Clé API créée par {user.email}: {data.name}")
response_data = api_key_to_response(api_key_obj)
response_data["api_key"] = api_key_plain
return ApiKeyCreatedResponse(**response_data)
@router.get("", response_model=ApiKeyList)
async def list_api_keys(
include_revoked: bool = Query(False, description="Inclure les clés révoquées"),
session: AsyncSession = Depends(get_session),
user: User = Depends(get_current_user),
):
service = ApiKeyService(session)
user_id = None if user.role in ["admin", "super_admin"] else user.id
keys = await service.list_api_keys(include_revoked=include_revoked, user_id=user_id)
items = [ApiKeyResponse(**api_key_to_response(k)) for k in keys]
return ApiKeyList(total=len(items), items=items)
@router.get("/{key_id}", response_model=ApiKeyResponse)
async def get_api_key(
key_id: str,
session: AsyncSession = Depends(get_session),
user: User = Depends(get_current_user),
):
""" Récupérer une clé API par son ID"""
service = ApiKeyService(session)
api_key_obj = await service.get_by_id(key_id)
if not api_key_obj:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=f"Clé API {key_id} introuvable",
)
if user.role not in ["admin", "super_admin"]:
if api_key_obj.user_id != user.id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Accès refusé à cette clé",
)
return ApiKeyResponse(**api_key_to_response(api_key_obj))
@router.delete("/{key_id}", status_code=status.HTTP_200_OK)
async def revoke_api_key(
key_id: str,
session: AsyncSession = Depends(get_session),
user: User = Depends(get_current_user),
):
service = ApiKeyService(session)
api_key_obj = await service.get_by_id(key_id)
if not api_key_obj:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=f"Clé API {key_id} introuvable",
)
if user.role not in ["admin", "super_admin"]:
if api_key_obj.user_id != user.id:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Accès refusé à cette clé",
)
success = await service.revoke_api_key(key_id)
if not success:
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="Erreur lors de la révocation",
)
logger.info(f" Clé API révoquée par {user.email}: {api_key_obj.name}")
return {
"success": True,
"message": f"Clé API '{api_key_obj.name}' révoquée avec succès",
}
@router.post("/verify", status_code=status.HTTP_200_OK)
async def verify_api_key_endpoint(
api_key: str = Query(..., description="Clé API à vérifier"),
session: AsyncSession = Depends(get_session),
):
service = ApiKeyService(session)
api_key_obj = await service.verify_api_key(api_key)
if not api_key_obj:
return {
"valid": False,
"message": "Clé API invalide, expirée ou révoquée",
}
return {
"valid": True,
"message": "Clé API valide",
"key_name": api_key_obj.name,
"rate_limit": api_key_obj.rate_limit_per_minute,
"expires_at": api_key_obj.expires_at,
}

1
routes/enterprise.py
View file

@ -22,6 +22,7 @@ async def rechercher_entreprise(
try: try:
logger.info(f" Recherche entreprise: '{q}'") logger.info(f" Recherche entreprise: '{q}'")
# Appel API
api_response = await rechercher_entreprise_api(q, per_page) api_response = await rechercher_entreprise_api(q, per_page)
resultats_api = api_response.get("results", []) resultats_api = api_response.get("results", [])

1
routes/universign.py
View file

@ -511,6 +511,7 @@ async def webhook_universign(
transaction_id = None transaction_id = None
if payload.get("type", "").startswith("transaction.") and "payload" in payload: if payload.get("type", "").startswith("transaction.") and "payload" in payload:
# Le transaction_id est dans payload.object.id
nested_object = payload.get("payload", {}).get("object", {}) nested_object = payload.get("payload", {}).get("object", {})
if nested_object.get("object") == "transaction": if nested_object.get("object") == "transaction":
transaction_id = nested_object.get("id") transaction_id = nested_object.get("id")

2
sage_client.py
View file

@ -1,3 +1,4 @@
# sage_client.py
import requests import requests
from typing import Dict, List, Optional from typing import Dict, List, Optional
from config.config import settings from config.config import settings
@ -467,6 +468,7 @@ class SageGatewayClient:
"tva_encaissement": tva_encaissement, "tva_encaissement": tva_encaissement,
} }
# Champs optionnels
if date_reglement: if date_reglement:
payload["date_reglement"] = date_reglement payload["date_reglement"] = date_reglement
if code_journal: if code_journal:

77
schemas/api_key.py
View file

@ -1,77 +0,0 @@
from pydantic import BaseModel, Field
from typing import Optional, List
from datetime import datetime
class ApiKeyCreate(BaseModel):
"""Schema pour créer une clé API"""
name: str = Field(..., min_length=3, max_length=255, description="Nom de la clé")
description: Optional[str] = Field(None, description="Description de l'usage")
expires_in_days: Optional[int] = Field(
None, ge=1, le=3650, description="Expiration en jours (max 10 ans)"
)
rate_limit_per_minute: int = Field(
60, ge=1, le=1000, description="Limite de requêtes par minute"
)
allowed_endpoints: Optional[List[str]] = Field(
None, description="Endpoints autorisés ([] = tous, ['/clients*'] = wildcard)"
)
class ApiKeyResponse(BaseModel):
"""Schema de réponse pour une clé API"""
id: str
name: str
description: Optional[str]
key_prefix: str
is_active: bool
is_expired: bool
rate_limit_per_minute: int
allowed_endpoints: Optional[List[str]]
total_requests: int
last_used_at: Optional[datetime]
created_at: datetime
expires_at: Optional[datetime]
revoked_at: Optional[datetime]
created_by: str
class ApiKeyCreatedResponse(ApiKeyResponse):
"""Schema de réponse après création (inclut la clé en clair)"""
api_key: str = Field(
..., description=" Clé API en clair - à sauvegarder immédiatement"
)
class ApiKeyList(BaseModel):
"""Liste de clés API"""
total: int
items: List[ApiKeyResponse]
class SwaggerUserCreate(BaseModel):
"""Schema pour créer un utilisateur Swagger"""
username: str = Field(..., min_length=3, max_length=100)
password: str = Field(..., min_length=8)
full_name: Optional[str] = None
email: Optional[str] = None
class SwaggerUserResponse(BaseModel):
"""Schema de réponse pour un utilisateur Swagger"""
id: str
username: str
full_name: Optional[str]
email: Optional[str]
is_active: bool
created_at: datetime
last_login: Optional[datetime]
class Config:
from_attributes = True

1
schemas/articles/articles.py
View file

@ -76,6 +76,7 @@ class Article(BaseModel):
) )
nb_emplacements: int = Field(0, description="Nombre d'emplacements") nb_emplacements: int = Field(0, description="Nombre d'emplacements")
# Champs énumérés normalisés
suivi_stock: Optional[int] = Field( suivi_stock: Optional[int] = Field(
None, None,
description="Type de suivi de stock (AR_SuiviStock): 0=Aucun, 1=CMUP, 2=FIFO/LIFO, 3=Sérialisé", description="Type de suivi de stock (AR_SuiviStock): 0=Aucun, 1=CMUP, 2=FIFO/LIFO, 3=Sérialisé",

6
schemas/documents/reglements.py
View file

@ -10,10 +10,12 @@ logger = logging.getLogger(__name__)
class ReglementFactureCreate(BaseModel): class ReglementFactureCreate(BaseModel):
"""Requête de règlement d'une facture côté VPS""" """Requête de règlement d'une facture côté VPS"""
# Montant et devise
montant: Decimal = Field(..., gt=0, description="Montant à régler") montant: Decimal = Field(..., gt=0, description="Montant à régler")
devise_code: Optional[int] = Field(0, description="Code devise (0=EUR par défaut)") devise_code: Optional[int] = Field(0, description="Code devise (0=EUR par défaut)")
cours_devise: Optional[Decimal] = Field(1.0, description="Cours de la devise") cours_devise: Optional[Decimal] = Field(1.0, description="Cours de la devise")
# Mode et journal
mode_reglement: int = Field( mode_reglement: int = Field(
..., ge=0, description="Code mode règlement depuis /reglements/modes" ..., ge=0, description="Code mode règlement depuis /reglements/modes"
) )
@ -21,11 +23,13 @@ class ReglementFactureCreate(BaseModel):
..., min_length=1, description="Code journal depuis /journaux/tresorerie" ..., min_length=1, description="Code journal depuis /journaux/tresorerie"
) )
# Dates
date_reglement: Optional[date] = Field( date_reglement: Optional[date] = Field(
None, description="Date du règlement (défaut: aujourd'hui)" None, description="Date du règlement (défaut: aujourd'hui)"
) )
date_echeance: Optional[date] = Field(None, description="Date d'échéance") date_echeance: Optional[date] = Field(None, description="Date d'échéance")
# Références
reference: Optional[str] = Field( reference: Optional[str] = Field(
"", max_length=17, description="Référence pièce règlement" "", max_length=17, description="Référence pièce règlement"
) )
@ -33,6 +37,7 @@ class ReglementFactureCreate(BaseModel):
"", max_length=35, description="Libellé du règlement" "", max_length=35, description="Libellé du règlement"
) )
# TVA sur encaissement
tva_encaissement: Optional[bool] = Field( tva_encaissement: Optional[bool] = Field(
False, description="Appliquer TVA sur encaissement" False, description="Appliquer TVA sur encaissement"
) )
@ -76,6 +81,7 @@ class ReglementMultipleCreate(BaseModel):
libelle: Optional[str] = Field("") libelle: Optional[str] = Field("")
tva_encaissement: Optional[bool] = Field(False) tva_encaissement: Optional[bool] = Field(False)
# Factures spécifiques (optionnel)
numeros_factures: Optional[List[str]] = Field( numeros_factures: Optional[List[str]] = Field(
None, description="Si vide, règle les plus anciennes en premier" None, description="Si vide, règle les plus anciennes en premier"
) )

2
schemas/sage/sage_gateway.py
View file

@ -10,6 +10,7 @@ class GatewayHealthStatus(str, Enum):
UNKNOWN = "unknown" UNKNOWN = "unknown"
# === CREATE ===
class SageGatewayCreate(BaseModel): class SageGatewayCreate(BaseModel):
name: str = Field( name: str = Field(
@ -70,6 +71,7 @@ class SageGatewayUpdate(BaseModel):
return v.rstrip("/") if v else v return v.rstrip("/") if v else v
# === RESPONSE ===
class SageGatewayResponse(BaseModel): class SageGatewayResponse(BaseModel):
id: str id: str

5
schemas/tiers/commercial.py
View file

@ -9,6 +9,7 @@ class CollaborateurBase(BaseModel):
prenom: Optional[str] = Field(None, max_length=50) prenom: Optional[str] = Field(None, max_length=50)
fonction: Optional[str] = Field(None, max_length=50) fonction: Optional[str] = Field(None, max_length=50)
# Adresse
adresse: Optional[str] = Field(None, max_length=100) adresse: Optional[str] = Field(None, max_length=100)
complement: Optional[str] = Field(None, max_length=100) complement: Optional[str] = Field(None, max_length=100)
code_postal: Optional[str] = Field(None, max_length=10) code_postal: Optional[str] = Field(None, max_length=10)
@ -16,6 +17,7 @@ class CollaborateurBase(BaseModel):
code_region: Optional[str] = Field(None, max_length=50) code_region: Optional[str] = Field(None, max_length=50)
pays: Optional[str] = Field(None, max_length=50) pays: Optional[str] = Field(None, max_length=50)
# Services
service: Optional[str] = Field(None, max_length=50) service: Optional[str] = Field(None, max_length=50)
vendeur: bool = Field(default=False) vendeur: bool = Field(default=False)
caissier: bool = Field(default=False) caissier: bool = Field(default=False)
@ -23,15 +25,18 @@ class CollaborateurBase(BaseModel):
chef_ventes: bool = Field(default=False) chef_ventes: bool = Field(default=False)
numero_chef_ventes: Optional[int] = None numero_chef_ventes: Optional[int] = None
# Contact
telephone: Optional[str] = Field(None, max_length=20) telephone: Optional[str] = Field(None, max_length=20)
telecopie: Optional[str] = Field(None, max_length=20) telecopie: Optional[str] = Field(None, max_length=20)
email: Optional[EmailStr] = None email: Optional[EmailStr] = None
tel_portable: Optional[str] = Field(None, max_length=20) tel_portable: Optional[str] = Field(None, max_length=20)
# Réseaux sociaux
facebook: Optional[str] = Field(None, max_length=100) facebook: Optional[str] = Field(None, max_length=100)
linkedin: Optional[str] = Field(None, max_length=100) linkedin: Optional[str] = Field(None, max_length=100)
skype: Optional[str] = Field(None, max_length=100) skype: Optional[str] = Field(None, max_length=100)
# Autres
matricule: Optional[str] = Field(None, max_length=20) matricule: Optional[str] = Field(None, max_length=20)
sommeil: bool = Field(default=False) sommeil: bool = Field(default=False)

13
schemas/tiers/tiers.py
View file

@ -14,6 +14,7 @@ class TypeTiersInt(IntEnum):
class TiersDetails(BaseModel): class TiersDetails(BaseModel):
# IDENTIFICATION
numero: Optional[str] = Field(None, description="Code tiers (CT_Num)") numero: Optional[str] = Field(None, description="Code tiers (CT_Num)")
intitule: Optional[str] = Field( intitule: Optional[str] = Field(
None, description="Raison sociale ou Nom complet (CT_Intitule)" None, description="Raison sociale ou Nom complet (CT_Intitule)"
@ -36,6 +37,7 @@ class TiersDetails(BaseModel):
) )
code_naf: Optional[str] = Field(None, description="Code NAF/APE (CT_Ape)") code_naf: Optional[str] = Field(None, description="Code NAF/APE (CT_Ape)")
# ADRESSE
contact: Optional[str] = Field( contact: Optional[str] = Field(
None, description="Nom du contact principal (CT_Contact)" None, description="Nom du contact principal (CT_Contact)"
) )
@ -48,6 +50,7 @@ class TiersDetails(BaseModel):
region: Optional[str] = Field(None, description="Région/État (CT_CodeRegion)") region: Optional[str] = Field(None, description="Région/État (CT_CodeRegion)")
pays: Optional[str] = Field(None, description="Pays (CT_Pays)") pays: Optional[str] = Field(None, description="Pays (CT_Pays)")
# TELECOM
telephone: Optional[str] = Field(None, description="Téléphone fixe (CT_Telephone)") telephone: Optional[str] = Field(None, description="Téléphone fixe (CT_Telephone)")
telecopie: Optional[str] = Field(None, description="Fax (CT_Telecopie)") telecopie: Optional[str] = Field(None, description="Fax (CT_Telecopie)")
email: Optional[str] = Field(None, description="Email principal (CT_EMail)") email: Optional[str] = Field(None, description="Email principal (CT_EMail)")
@ -55,11 +58,13 @@ class TiersDetails(BaseModel):
facebook: Optional[str] = Field(None, description="Profil Facebook (CT_Facebook)") facebook: Optional[str] = Field(None, description="Profil Facebook (CT_Facebook)")
linkedin: Optional[str] = Field(None, description="Profil LinkedIn (CT_LinkedIn)") linkedin: Optional[str] = Field(None, description="Profil LinkedIn (CT_LinkedIn)")
# TAUX
taux01: Optional[float] = Field(None, description="Taux personnalisé 1 (CT_Taux01)") taux01: Optional[float] = Field(None, description="Taux personnalisé 1 (CT_Taux01)")
taux02: Optional[float] = Field(None, description="Taux personnalisé 2 (CT_Taux02)") taux02: Optional[float] = Field(None, description="Taux personnalisé 2 (CT_Taux02)")
taux03: Optional[float] = Field(None, description="Taux personnalisé 3 (CT_Taux03)") taux03: Optional[float] = Field(None, description="Taux personnalisé 3 (CT_Taux03)")
taux04: Optional[float] = Field(None, description="Taux personnalisé 4 (CT_Taux04)") taux04: Optional[float] = Field(None, description="Taux personnalisé 4 (CT_Taux04)")
# STATISTIQUES
statistique01: Optional[str] = Field( statistique01: Optional[str] = Field(
None, description="Statistique 1 (CT_Statistique01)" None, description="Statistique 1 (CT_Statistique01)"
) )
@ -91,6 +96,7 @@ class TiersDetails(BaseModel):
None, description="Statistique 10 (CT_Statistique10)" None, description="Statistique 10 (CT_Statistique10)"
) )
# COMMERCIAL
encours_autorise: Optional[float] = Field( encours_autorise: Optional[float] = Field(
None, description="Encours maximum autorisé (CT_Encours)" None, description="Encours maximum autorisé (CT_Encours)"
) )
@ -107,6 +113,7 @@ class TiersDetails(BaseModel):
None, description="Détails du commercial/collaborateur" None, description="Détails du commercial/collaborateur"
) )
# FACTURATION
lettrage_auto: Optional[bool] = Field( lettrage_auto: Optional[bool] = Field(
None, description="Lettrage automatique (CT_Lettrage)" None, description="Lettrage automatique (CT_Lettrage)"
) )
@ -139,6 +146,7 @@ class TiersDetails(BaseModel):
None, description="Bon à payer obligatoire (CT_BonAPayer)" None, description="Bon à payer obligatoire (CT_BonAPayer)"
) )
# LOGISTIQUE
priorite_livraison: Optional[int] = Field( priorite_livraison: Optional[int] = Field(
None, description="Priorité livraison (CT_PrioriteLivr)" None, description="Priorité livraison (CT_PrioriteLivr)"
) )
@ -152,14 +160,17 @@ class TiersDetails(BaseModel):
None, description="Délai appro jours (CT_DelaiAppro)" None, description="Délai appro jours (CT_DelaiAppro)"
) )
# COMMENTAIRE
commentaire: Optional[str] = Field( commentaire: Optional[str] = Field(
None, description="Commentaire libre (CT_Commentaire)" None, description="Commentaire libre (CT_Commentaire)"
) )
# ANALYTIQUE
section_analytique: Optional[str] = Field( section_analytique: Optional[str] = Field(
None, description="Section analytique (CA_Num)" None, description="Section analytique (CA_Num)"
) )
# ORGANISATION / SURVEILLANCE
mode_reglement_code: Optional[int] = Field( mode_reglement_code: Optional[int] = Field(
None, description="Code mode règlement (MR_No)" None, description="Code mode règlement (MR_No)"
) )
@ -189,6 +200,7 @@ class TiersDetails(BaseModel):
None, description="Résultat financier (CT_SvResultat)" None, description="Résultat financier (CT_SvResultat)"
) )
# COMPTE GENERAL ET CATEGORIES
compte_general: Optional[str] = Field( compte_general: Optional[str] = Field(
None, description="Compte général principal (CG_NumPrinc)" None, description="Compte général principal (CG_NumPrinc)"
) )
@ -199,6 +211,7 @@ class TiersDetails(BaseModel):
None, description="Catégorie comptable (N_CatCompta)" None, description="Catégorie comptable (N_CatCompta)"
) )
# CONTACTS
contacts: Optional[List[Contact]] = Field( contacts: Optional[List[Contact]] = Field(
default_factory=list, description="Liste des contacts du tiers" default_factory=list, description="Liste des contacts du tiers"
) )

264
scripts/manage_security.py
View file

@ -1,264 +0,0 @@
import asyncio
import sys
from pathlib import Path
import argparse
sys.path.insert(0, str(Path(__file__).parent.parent))
from database import get_session
from database.models.api_key import SwaggerUser
from services.api_key import ApiKeyService
from security.auth import hash_password
from sqlalchemy import select
import logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
async def add_swagger_user(username: str, password: str, full_name: str = None):
"""Ajouter un utilisateur Swagger"""
async with get_session() as session:
result = await session.execute(
select(SwaggerUser).where(SwaggerUser.username == username)
)
existing = result.scalar_one_or_none()
if existing:
logger.error(f" L'utilisateur {username} existe déjà")
return
user = SwaggerUser(
username=username,
hashed_password=hash_password(password),
full_name=full_name or username,
is_active=True,
)
session.add(user)
await session.commit()
logger.info(f" Utilisateur Swagger créé: {username}")
print("\n Utilisateur créé avec succès")
print(f" Username: {username}")
print(" Accès: https://votre-serveur/docs")
async def list_swagger_users():
"""Lister les utilisateurs Swagger"""
async with get_session() as session:
result = await session.execute(select(SwaggerUser))
users = result.scalars().all()
if not users:
print("Aucun utilisateur Swagger trouvé")
return
print(f"\n {len(users)} utilisateur(s) Swagger:\n")
for user in users:
status = " Actif" if user.is_active else " Inactif"
print(f"{user.username:<20} {status}")
if user.full_name:
print(f" Nom: {user.full_name}")
if user.last_login:
print(f" Dernière connexion: {user.last_login}")
print()
async def delete_swagger_user(username: str):
"""Supprimer un utilisateur Swagger"""
async with get_session() as session:
result = await session.execute(
select(SwaggerUser).where(SwaggerUser.username == username)
)
user = result.scalar_one_or_none()
if not user:
logger.error(f" Utilisateur {username} introuvable")
return
await session.delete(user)
await session.commit()
logger.info(f"🗑️ Utilisateur supprimé: {username}")
async def create_api_key(
name: str,
description: str = None,
expires_in_days: int = 365,
rate_limit: int = 60,
endpoints: list = None,
):
"""Créer une clé API"""
async with get_session() as session:
service = ApiKeyService(session)
api_key_obj, api_key_plain = await service.create_api_key(
name=name,
description=description,
created_by="CLI",
expires_in_days=expires_in_days,
rate_limit_per_minute=rate_limit,
allowed_endpoints=endpoints,
)
print("\n Clé API créée avec succès\n")
print(f" ID: {api_key_obj.id}")
print(f" Nom: {name}")
print(f" Clé: {api_key_plain}")
print(f" Préfixe: {api_key_obj.key_prefix}")
print(f" Rate limit: {rate_limit} req/min")
print(f" Expire le: {api_key_obj.expires_at or 'Jamais'}")
print("\n IMPORTANT: Sauvegardez cette clé, elle ne sera plus affichée !\n")
async def list_api_keys():
"""Lister les clés API"""
async with get_session() as session:
service = ApiKeyService(session)
keys = await service.list_api_keys()
if not keys:
print("Aucune clé API trouvée")
return
print(f"\n {len(keys)} clé(s) API:\n")
for key in keys:
status = "" if key.is_active else ""
expired = (
"⏰ Expirée"
if key.expires_at and key.expires_at < datetime.now()
else ""
)
print(f" {status} {key.name:<30} ({key.key_prefix}...)")
print(f" ID: {key.id}")
print(f" Requêtes: {key.total_requests}")
print(f" Dernière utilisation: {key.last_used_at or 'Jamais'}")
if expired:
print(f" {expired}")
print()
async def revoke_api_key(key_id: str):
"""Révoquer une clé API"""
async with get_session() as session:
service = ApiKeyService(session)
api_key = await service.get_by_id(key_id)
if not api_key:
logger.error(f" Clé {key_id} introuvable")
return
success = await service.revoke_api_key(key_id)
if success:
logger.info(f" Clé révoquée: {api_key.name}")
print(f"\n Clé '{api_key.name}' révoquée avec succès")
else:
logger.error(" Erreur lors de la révocation")
async def verify_api_key_cmd(api_key: str):
"""Vérifier une clé API"""
async with get_session() as session:
service = ApiKeyService(session)
api_key_obj = await service.verify_api_key(api_key)
if api_key_obj:
print("\n Clé API valide\n")
print(f" Nom: {api_key_obj.name}")
print(f" ID: {api_key_obj.id}")
print(f" Rate limit: {api_key_obj.rate_limit_per_minute} req/min")
print(f" Requêtes: {api_key_obj.total_requests}")
print(f" Expire le: {api_key_obj.expires_at or 'Jamais'}\n")
else:
print("\n Clé API invalide, expirée ou révoquée\n")
async def main():
parser = argparse.ArgumentParser(
description="Gestion de la sécurité Sage Dataven API"
)
subparsers = parser.add_subparsers(dest="command", help="Commandes disponibles")
swagger_parser = subparsers.add_parser(
"swagger", help="Gestion utilisateurs Swagger"
)
swagger_subparsers = swagger_parser.add_subparsers(dest="action")
swagger_add = swagger_subparsers.add_parser("add", help="Ajouter un utilisateur")
swagger_add.add_argument("username", help="Nom d'utilisateur")
swagger_add.add_argument("password", help="Mot de passe")
swagger_add.add_argument("--full-name", help="Nom complet")
swagger_subparsers.add_parser("list", help="Lister les utilisateurs")
swagger_delete = swagger_subparsers.add_parser(
"delete", help="Supprimer un utilisateur"
)
swagger_delete.add_argument("username", help="Nom d'utilisateur")
apikey_parser = subparsers.add_parser("apikey", help="Gestion clés API")
apikey_subparsers = apikey_parser.add_subparsers(dest="action")
apikey_create = apikey_subparsers.add_parser("create", help="Créer une clé API")
apikey_create.add_argument("name", help="Nom de la clé")
apikey_create.add_argument("--description", help="Description")
apikey_create.add_argument(
"--days", type=int, default=365, help="Expiration en jours"
)
apikey_create.add_argument(
"--rate-limit", type=int, default=60, help="Limite req/min"
)
apikey_create.add_argument("--endpoints", nargs="+", help="Endpoints autorisés")
apikey_subparsers.add_parser("list", help="Lister les clés")
apikey_revoke = apikey_subparsers.add_parser("revoke", help="Révoquer une clé")
apikey_revoke.add_argument("key_id", help="ID de la clé")
apikey_verify = apikey_subparsers.add_parser("verify", help="Vérifier une clé")
apikey_verify.add_argument("api_key", help="Clé API à vérifier")
args = parser.parse_args()
if not args.command:
parser.print_help()
return
if args.command == "swagger":
if args.action == "add":
await add_swagger_user(args.username, args.password, args.full_name)
elif args.action == "list":
await list_swagger_users()
elif args.action == "delete":
await delete_swagger_user(args.username)
else:
swagger_parser.print_help()
elif args.command == "apikey":
if args.action == "create":
await create_api_key(
args.name,
args.description,
args.days,
args.rate_limit,
args.endpoints,
)
elif args.action == "list":
await list_api_keys()
elif args.action == "revoke":
await revoke_api_key(args.key_id)
elif args.action == "verify":
await verify_api_key_cmd(args.api_key)
else:
apikey_parser.print_help()
if __name__ == "__main__":
from datetime import datetime
asyncio.run(main())

354
scripts/test_security.py
View file

@ -1,354 +0,0 @@
import requests
import argparse
import sys
from typing import Tuple
class SecurityTester:
def __init__(self, base_url: str):
self.base_url = base_url.rstrip("/")
self.results = {"passed": 0, "failed": 0, "tests": []}
def log_test(self, name: str, passed: bool, details: str = ""):
"""Enregistrer le résultat d'un test"""
status = " PASS" if passed else " FAIL"
print(f"{status} - {name}")
if details:
print(f" {details}")
self.results["tests"].append(
{"name": name, "passed": passed, "details": details}
)
if passed:
self.results["passed"] += 1
else:
self.results["failed"] += 1
def test_swagger_without_auth(self) -> bool:
"""Test 1: Swagger UI devrait demander une authentification"""
print("\n Test 1: Protection Swagger UI")
try:
response = requests.get(f"{self.base_url}/docs", timeout=5)
if response.status_code == 401:
self.log_test(
"Swagger protégé",
True,
"Code 401 retourné sans authentification",
)
return True
else:
self.log_test(
"Swagger protégé",
False,
f"Code {response.status_code} au lieu de 401",
)
return False
except Exception as e:
self.log_test("Swagger protégé", False, f"Erreur: {str(e)}")
return False
def test_swagger_with_auth(self, username: str, password: str) -> bool:
"""Test 2: Swagger UI accessible avec credentials valides"""
print("\n Test 2: Accès Swagger avec authentification")
try:
response = requests.get(
f"{self.base_url}/docs", auth=(username, password), timeout=5
)
if response.status_code == 200:
self.log_test(
"Accès Swagger avec auth",
True,
f"Authentifié comme {username}",
)
return True
else:
self.log_test(
"Accès Swagger avec auth",
False,
f"Code {response.status_code}, credentials invalides?",
)
return False
except Exception as e:
self.log_test("Accès Swagger avec auth", False, f"Erreur: {str(e)}")
return False
def test_api_without_auth(self) -> bool:
"""Test 3: Endpoints API devraient demander une authentification"""
print("\n Test 3: Protection des endpoints API")
test_endpoints = ["/api/v1/clients", "/api/v1/documents"]
all_protected = True
for endpoint in test_endpoints:
try:
response = requests.get(f"{self.base_url}{endpoint}", timeout=5)
if response.status_code == 401:
print(f" {endpoint} protégé (401)")
else:
print(
f" {endpoint} accessible sans auth (code {response.status_code})"
)
all_protected = False
except Exception as e:
print(f" {endpoint} erreur: {str(e)}")
all_protected = False
self.log_test("Endpoints API protégés", all_protected)
return all_protected
def test_health_endpoint_public(self) -> bool:
"""Test 4: Endpoint /health devrait être accessible sans auth"""
print("\n Test 4: Endpoint /health public")
try:
response = requests.get(f"{self.base_url}/health", timeout=5)
if response.status_code == 200:
self.log_test("/health accessible", True, "Endpoint public fonctionne")
return True
else:
self.log_test(
"/health accessible",
False,
f"Code {response.status_code} inattendu",
)
return False
except Exception as e:
self.log_test("/health accessible", False, f"Erreur: {str(e)}")
return False
def test_api_key_creation(self, username: str, password: str) -> Tuple[bool, str]:
"""Test 5: Créer une clé API via l'endpoint"""
print("\n Test 5: Création d'une clé API")
try:
login_response = requests.post(
f"{self.base_url}/api/v1/auth/login",
json={"email": username, "password": password},
timeout=5,
)
if login_response.status_code != 200:
self.log_test(
"Création clé API",
False,
"Impossible de se connecter pour obtenir un JWT",
)
return False, ""
jwt_token = login_response.json().get("access_token")
create_response = requests.post(
f"{self.base_url}/api/v1/api-keys",
headers={"Authorization": f"Bearer {jwt_token}"},
json={
"name": "Test API Key",
"description": "Clé de test automatisé",
"rate_limit_per_minute": 60,
"expires_in_days": 30,
},
timeout=5,
)
if create_response.status_code == 201:
api_key = create_response.json().get("api_key")
self.log_test("Création clé API", True, f"Clé créée: {api_key[:20]}...")
return True, api_key
else:
self.log_test(
"Création clé API",
False,
f"Code {create_response.status_code}",
)
return False, ""
except Exception as e:
self.log_test("Création clé API", False, f"Erreur: {str(e)}")
return False, ""
def test_api_key_usage(self, api_key: str) -> bool:
"""Test 6: Utiliser une clé API pour accéder à un endpoint"""
print("\n Test 6: Utilisation d'une clé API")
if not api_key:
self.log_test("Utilisation clé API", False, "Pas de clé disponible")
return False
try:
response = requests.get(
f"{self.base_url}/api/v1/clients",
headers={"X-API-Key": api_key},
timeout=5,
)
if response.status_code == 200:
self.log_test("Utilisation clé API", True, "Clé acceptée")
return True
else:
self.log_test(
"Utilisation clé API",
False,
f"Code {response.status_code}, clé refusée?",
)
return False
except Exception as e:
self.log_test("Utilisation clé API", False, f"Erreur: {str(e)}")
return False
def test_invalid_api_key(self) -> bool:
"""Test 7: Une clé invalide devrait être refusée"""
print("\n Test 7: Rejet de clé API invalide")
invalid_key = "sdk_live_invalid_key_12345"
try:
response = requests.get(
f"{self.base_url}/api/v1/clients",
headers={"X-API-Key": invalid_key},
timeout=5,
)
if response.status_code == 401:
self.log_test("Clé invalide rejetée", True, "Code 401 comme attendu")
return True
else:
self.log_test(
"Clé invalide rejetée",
False,
f"Code {response.status_code} au lieu de 401",
)
return False
except Exception as e:
self.log_test("Clé invalide rejetée", False, f"Erreur: {str(e)}")
return False
def test_rate_limiting(self, api_key: str) -> bool:
"""Test 8: Rate limiting (optionnel, peut prendre du temps)"""
print("\n Test 8: Rate limiting (test simple)")
if not api_key:
self.log_test("Rate limiting", False, "Pas de clé disponible")
return False
print(" Envoi de 70 requêtes rapides...")
rate_limited = False
for i in range(70):
try:
response = requests.get(
f"{self.base_url}/health",
headers={"X-API-Key": api_key},
timeout=1,
)
if response.status_code == 429:
rate_limited = True
print(f" Rate limit atteint à la requête {i + 1}")
break
except Exception:
pass
if rate_limited:
self.log_test("Rate limiting", True, "Rate limit détecté")
return True
else:
self.log_test(
"Rate limiting",
True,
"Aucun rate limit détecté (peut être normal si pas implémenté)",
)
return True
def print_summary(self):
"""Afficher le résumé des tests"""
print("\n" + "=" * 60)
print(" RÉSUMÉ DES TESTS")
print("=" * 60)
total = self.results["passed"] + self.results["failed"]
success_rate = (self.results["passed"] / total * 100) if total > 0 else 0
print(f"\nTotal: {total} tests")
print(f" Réussis: {self.results['passed']}")
print(f" Échoués: {self.results['failed']}")
print(f"Taux de réussite: {success_rate:.1f}%\n")
if self.results["failed"] == 0:
print("🎉 Tous les tests sont passés ! Sécurité OK.")
return 0
else:
print(" Certains tests ont échoué. Vérifiez la configuration.")
return 1
def main():
parser = argparse.ArgumentParser(
description="Test automatisé de la sécurité de l'API"
)
parser.add_argument(
"--url",
required=True,
help="URL de base de l'API (ex: http://localhost:8000)",
)
parser.add_argument(
"--swagger-user", required=True, help="Utilisateur Swagger pour les tests"
)
parser.add_argument(
"--swagger-pass", required=True, help="Mot de passe Swagger pour les tests"
)
parser.add_argument(
"--skip-rate-limit",
action="store_true",
help="Sauter le test de rate limiting (long)",
)
args = parser.parse_args()
print(" Démarrage des tests de sécurité")
print(f" URL cible: {args.url}\n")
tester = SecurityTester(args.url)
tester.test_swagger_without_auth()
tester.test_swagger_with_auth(args.swagger_user, args.swagger_pass)
tester.test_api_without_auth()
tester.test_health_endpoint_public()
success, api_key = tester.test_api_key_creation(
args.swagger_user, args.swagger_pass
)
if success and api_key:
tester.test_api_key_usage(api_key)
tester.test_invalid_api_key()
if not args.skip_rate_limit:
tester.test_rate_limiting(api_key)
else:
print("\n Test de rate limiting sauté")
else:
print("\n Tests avec clé API sautés (création échouée)")
exit_code = tester.print_summary()
sys.exit(exit_code)
if __name__ == "__main__":
main()

205
services/api_key.py
View file

@ -1,205 +0,0 @@
import secrets
import hashlib
import json
from datetime import datetime, timedelta
from typing import Optional, List, Dict
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select, and_, or_
import logging
from database.models.api_key import ApiKey
logger = logging.getLogger(__name__)
class ApiKeyService:
"""Service de gestion des clés API"""
def __init__(self, session: AsyncSession):
self.session = session
@staticmethod
def generate_api_key() -> str:
"""Génère une clé API unique et sécurisée"""
random_part = secrets.token_urlsafe(32)
return f"sdk_live_{random_part}"
@staticmethod
def hash_api_key(api_key: str) -> str:
"""Hash la clé API pour stockage sécurisé"""
return hashlib.sha256(api_key.encode()).hexdigest()
@staticmethod
def get_key_prefix(api_key: str) -> str:
"""Extrait le préfixe de la clé pour identification"""
return api_key[:12] if len(api_key) >= 12 else api_key
async def create_api_key(
self,
name: str,
description: Optional[str] = None,
created_by: str = "system",
user_id: Optional[str] = None,
expires_in_days: Optional[int] = None,
rate_limit_per_minute: int = 60,
allowed_endpoints: Optional[List[str]] = None,
) -> tuple[ApiKey, str]:
api_key_plain = self.generate_api_key()
key_hash = self.hash_api_key(api_key_plain)
key_prefix = self.get_key_prefix(api_key_plain)
expires_at = None
if expires_in_days:
expires_at = datetime.now() + timedelta(days=expires_in_days)
api_key_obj = ApiKey(
key_hash=key_hash,
key_prefix=key_prefix,
name=name,
description=description,
created_by=created_by,
user_id=user_id,
expires_at=expires_at,
rate_limit_per_minute=rate_limit_per_minute,
allowed_endpoints=json.dumps(allowed_endpoints)
if allowed_endpoints
else None,
)
self.session.add(api_key_obj)
await self.session.commit()
await self.session.refresh(api_key_obj)
logger.info(f" Clé API créée: {name} (prefix: {key_prefix})")
return api_key_obj, api_key_plain
async def verify_api_key(self, api_key_plain: str) -> Optional[ApiKey]:
key_hash = self.hash_api_key(api_key_plain)
result = await self.session.execute(
select(ApiKey).where(
and_(
ApiKey.key_hash == key_hash,
ApiKey.is_active,
ApiKey.revoked_at.is_(None),
or_(
ApiKey.expires_at.is_(None), ApiKey.expires_at > datetime.now()
),
)
)
)
api_key_obj = result.scalar_one_or_none()
if api_key_obj:
api_key_obj.total_requests += 1
api_key_obj.last_used_at = datetime.now()
await self.session.commit()
logger.debug(f" Clé API validée: {api_key_obj.name}")
else:
logger.warning(" Clé API invalide ou expirée")
return api_key_obj
async def list_api_keys(
self,
include_revoked: bool = False,
user_id: Optional[str] = None,
) -> List[ApiKey]:
"""Liste les clés API"""
query = select(ApiKey)
if not include_revoked:
query = query.where(ApiKey.revoked_at.is_(None))
if user_id:
query = query.where(ApiKey.user_id == user_id)
query = query.order_by(ApiKey.created_at.desc())
result = await self.session.execute(query)
return list(result.scalars().all())
async def revoke_api_key(self, key_id: str) -> bool:
"""Révoque une clé API"""
result = await self.session.execute(select(ApiKey).where(ApiKey.id == key_id))
api_key_obj = result.scalar_one_or_none()
if not api_key_obj:
return False
api_key_obj.is_active = False
api_key_obj.revoked_at = datetime.now()
await self.session.commit()
logger.info(f" Clé API révoquée: {api_key_obj.name}")
return True
async def get_by_id(self, key_id: str) -> Optional[ApiKey]:
"""Récupère une clé API par son ID"""
result = await self.session.execute(select(ApiKey).where(ApiKey.id == key_id))
return result.scalar_one_or_none()
async def check_rate_limit(self, api_key_obj: ApiKey) -> tuple[bool, Dict]:
return True, {
"allowed": True,
"limit": api_key_obj.rate_limit_per_minute,
"remaining": api_key_obj.rate_limit_per_minute,
}
async def check_endpoint_access(self, api_key_obj: ApiKey, endpoint: str) -> bool:
"""Vérifie si la clé a accès à un endpoint spécifique"""
if not api_key_obj.allowed_endpoints:
return True
try:
allowed = json.loads(api_key_obj.allowed_endpoints)
for pattern in allowed:
if pattern == "*":
return True
if pattern.endswith("*"):
prefix = pattern[:-1]
if endpoint.startswith(prefix):
return True
if pattern == endpoint:
return True
return False
except json.JSONDecodeError:
logger.error(f" Erreur parsing allowed_endpoints pour {api_key_obj.id}")
return False
def api_key_to_response(api_key_obj: ApiKey, show_key: bool = False) -> Dict:
"""Convertit un objet ApiKey en réponse API"""
allowed_endpoints = None
if api_key_obj.allowed_endpoints:
try:
allowed_endpoints = json.loads(api_key_obj.allowed_endpoints)
except json.JSONDecodeError:
pass
is_expired = False
if api_key_obj.expires_at:
is_expired = api_key_obj.expires_at < datetime.now()
return {
"id": api_key_obj.id,
"name": api_key_obj.name,
"description": api_key_obj.description,
"key_prefix": api_key_obj.key_prefix,
"is_active": api_key_obj.is_active,
"is_expired": is_expired,
"rate_limit_per_minute": api_key_obj.rate_limit_per_minute,
"allowed_endpoints": allowed_endpoints,
"total_requests": api_key_obj.total_requests,
"last_used_at": api_key_obj.last_used_at,
"created_at": api_key_obj.created_at,
"expires_at": api_key_obj.expires_at,
"revoked_at": api_key_obj.revoked_at,
"created_by": api_key_obj.created_by,
}

39
services/universign_document.py
View file

@ -23,7 +23,7 @@ class UniversignDocumentService:
def fetch_transaction_documents(self, transaction_id: str) -> Optional[List[Dict]]: def fetch_transaction_documents(self, transaction_id: str) -> Optional[List[Dict]]:
try: try:
logger.info(f" Récupération documents pour transaction: {transaction_id}") logger.info(f"📋 Récupération documents pour transaction: {transaction_id}")
response = requests.get( response = requests.get(
f"{self.api_url}/transactions/{transaction_id}", f"{self.api_url}/transactions/{transaction_id}",
@ -38,6 +38,7 @@ class UniversignDocumentService:
logger.info(f"{len(documents)} document(s) trouvé(s)") logger.info(f"{len(documents)} document(s) trouvé(s)")
# Log détaillé de chaque document
for idx, doc in enumerate(documents): for idx, doc in enumerate(documents):
logger.debug( logger.debug(
f" Document {idx}: id={doc.get('id')}, " f" Document {idx}: id={doc.get('id')}, "
@ -63,7 +64,7 @@ class UniversignDocumentService:
logger.error(f"⏱️ Timeout récupération transaction {transaction_id}") logger.error(f"⏱️ Timeout récupération transaction {transaction_id}")
return None return None
except Exception as e: except Exception as e:
logger.error(f" Erreur fetch documents: {e}", exc_info=True) logger.error(f" Erreur fetch documents: {e}", exc_info=True)
return None return None
def download_signed_document( def download_signed_document(
@ -93,6 +94,7 @@ class UniversignDocumentService:
f"Content-Type={content_type}, Size={content_length}" f"Content-Type={content_type}, Size={content_length}"
) )
# Vérification du type de contenu
if ( if (
"pdf" not in content_type.lower() "pdf" not in content_type.lower()
and "octet-stream" not in content_type.lower() and "octet-stream" not in content_type.lower()
@ -102,30 +104,31 @@ class UniversignDocumentService:
f"Tentative de lecture quand même..." f"Tentative de lecture quand même..."
) )
# Lecture du contenu
content = response.content content = response.content
if len(content) < 1024: if len(content) < 1024:
logger.error(f" Document trop petit: {len(content)} octets") logger.error(f" Document trop petit: {len(content)} octets")
return None return None
return content return content
elif response.status_code == 404: elif response.status_code == 404:
logger.error( logger.error(
f" Document {document_id} introuvable pour transaction {transaction_id}" f" Document {document_id} introuvable pour transaction {transaction_id}"
) )
return None return None
elif response.status_code == 403: elif response.status_code == 403:
logger.error( logger.error(
f" Accès refusé au document {document_id}. " f" Accès refusé au document {document_id}. "
f"Vérifiez que la transaction est bien signée." f"Vérifiez que la transaction est bien signée."
) )
return None return None
else: else:
logger.error( logger.error(
f" Erreur HTTP {response.status_code}: {response.text[:500]}" f" Erreur HTTP {response.status_code}: {response.text[:500]}"
) )
return None return None
@ -133,12 +136,13 @@ class UniversignDocumentService:
logger.error(f"⏱️ Timeout téléchargement document {document_id}") logger.error(f"⏱️ Timeout téléchargement document {document_id}")
return None return None
except Exception as e: except Exception as e:
logger.error(f" Erreur téléchargement: {e}", exc_info=True) logger.error(f" Erreur téléchargement: {e}", exc_info=True)
return None return None
async def download_and_store_signed_document( async def download_and_store_signed_document(
self, session: AsyncSession, transaction, force: bool = False self, session: AsyncSession, transaction, force: bool = False
) -> Tuple[bool, Optional[str]]: ) -> Tuple[bool, Optional[str]]:
# Vérification si déjà téléchargé
if not force and transaction.signed_document_path: if not force and transaction.signed_document_path:
if os.path.exists(transaction.signed_document_path): if os.path.exists(transaction.signed_document_path):
logger.debug( logger.debug(
@ -149,6 +153,7 @@ class UniversignDocumentService:
transaction.download_attempts += 1 transaction.download_attempts += 1
try: try:
# ÉTAPE 1: Récupérer les documents de la transaction
logger.info( logger.info(
f"Récupération document signé pour: {transaction.transaction_id}" f"Récupération document signé pour: {transaction.transaction_id}"
) )
@ -162,11 +167,13 @@ class UniversignDocumentService:
await session.commit() await session.commit()
return False, error return False, error
# ÉTAPE 2: Récupérer le premier document (ou chercher celui qui est signé)
document_id = None document_id = None
for doc in documents: for doc in documents:
doc_id = doc.get("id") doc_id = doc.get("id")
doc_status = doc.get("status", "").lower() doc_status = doc.get("status", "").lower()
# Priorité aux documents marqués comme signés/complétés
if doc_status in ["signed", "completed", "closed"]: if doc_status in ["signed", "completed", "closed"]:
document_id = doc_id document_id = doc_id
logger.info( logger.info(
@ -174,30 +181,34 @@ class UniversignDocumentService:
) )
break break
# Fallback sur le premier document si aucun n'est explicitement signé
if document_id is None: if document_id is None:
document_id = doc_id document_id = doc_id
if not document_id: if not document_id:
error = "Impossible de déterminer l'ID du document à télécharger" error = "Impossible de déterminer l'ID du document à télécharger"
logger.error(f" {error}") logger.error(f" {error}")
transaction.download_error = error transaction.download_error = error
await session.commit() await session.commit()
return False, error return False, error
# Stocker le document_id pour référence future
if hasattr(transaction, "universign_document_id"): if hasattr(transaction, "universign_document_id"):
transaction.universign_document_id = document_id transaction.universign_document_id = document_id
# ÉTAPE 3: Télécharger le document signé
pdf_content = self.download_signed_document( pdf_content = self.download_signed_document(
transaction_id=transaction.transaction_id, document_id=document_id transaction_id=transaction.transaction_id, document_id=document_id
) )
if not pdf_content: if not pdf_content:
error = f"Échec téléchargement document {document_id}" error = f"Échec téléchargement document {document_id}"
logger.error(f" {error}") logger.error(f" {error}")
transaction.download_error = error transaction.download_error = error
await session.commit() await session.commit()
return False, error return False, error
# ÉTAPE 4: Stocker le fichier localement
filename = self._generate_filename(transaction) filename = self._generate_filename(transaction)
file_path = SIGNED_DOCS_DIR / filename file_path = SIGNED_DOCS_DIR / filename
@ -206,11 +217,13 @@ class UniversignDocumentService:
file_size = os.path.getsize(file_path) file_size = os.path.getsize(file_path)
# Mise à jour de la transaction
transaction.signed_document_path = str(file_path) transaction.signed_document_path = str(file_path)
transaction.signed_document_downloaded_at = datetime.now() transaction.signed_document_downloaded_at = datetime.now()
transaction.signed_document_size_bytes = file_size transaction.signed_document_size_bytes = file_size
transaction.download_error = None transaction.download_error = None
# Stocker aussi l'URL de téléchargement pour référence
transaction.document_url = ( transaction.document_url = (
f"{self.api_url}/transactions/{transaction.transaction_id}" f"{self.api_url}/transactions/{transaction.transaction_id}"
f"/documents/{document_id}/download" f"/documents/{document_id}/download"
@ -226,14 +239,14 @@ class UniversignDocumentService:
except OSError as e: except OSError as e:
error = f"Erreur filesystem: {str(e)}" error = f"Erreur filesystem: {str(e)}"
logger.error(f" {error}") logger.error(f" {error}")
transaction.download_error = error transaction.download_error = error
await session.commit() await session.commit()
return False, error return False, error
except Exception as e: except Exception as e:
error = f"Erreur inattendue: {str(e)}" error = f"Erreur inattendue: {str(e)}"
logger.error(f" {error}", exc_info=True) logger.error(f" {error}", exc_info=True)
transaction.download_error = error transaction.download_error = error
await session.commit() await session.commit()
return False, error return False, error
@ -281,6 +294,7 @@ class UniversignDocumentService:
return deleted, int(size_freed_mb) return deleted, int(size_freed_mb)
# === MÉTHODES DE DIAGNOSTIC ===
def diagnose_transaction(self, transaction_id: str) -> Dict: def diagnose_transaction(self, transaction_id: str) -> Dict:
""" """
@ -294,6 +308,7 @@ class UniversignDocumentService:
} }
try: try:
# Test 1: Récupération de la transaction
logger.info(f"Diagnostic transaction: {transaction_id}") logger.info(f"Diagnostic transaction: {transaction_id}")
response = requests.get( response = requests.get(
@ -319,6 +334,7 @@ class UniversignDocumentService:
"participants_count": len(data.get("participants", [])), "participants_count": len(data.get("participants", [])),
} }
# Test 2: Documents disponibles
documents = data.get("documents", []) documents = data.get("documents", [])
result["checks"]["documents"] = [] result["checks"]["documents"] = []
@ -329,6 +345,7 @@ class UniversignDocumentService:
"status": doc.get("status"), "status": doc.get("status"),
} }
# Test téléchargement
if doc.get("id"): if doc.get("id"):
download_url = ( download_url = (
f"{self.api_url}/transactions/{transaction_id}" f"{self.api_url}/transactions/{transaction_id}"

56
services/universign_sync.py
View file

@ -159,6 +159,7 @@ class UniversignSyncService:
return stats return stats
# CORRECTION 1 : process_webhook dans universign_sync.py
async def process_webhook( async def process_webhook(
self, session: AsyncSession, payload: Dict, transaction_id: str = None self, session: AsyncSession, payload: Dict, transaction_id: str = None
) -> Tuple[bool, Optional[str]]: ) -> Tuple[bool, Optional[str]]:
@ -166,7 +167,9 @@ class UniversignSyncService:
Traite un webhook Universign - CORRECTION : meilleure gestion des payloads Traite un webhook Universign - CORRECTION : meilleure gestion des payloads
""" """
try: try:
# Si transaction_id n'est pas fourni, essayer de l'extraire
if not transaction_id: if not transaction_id:
# Même logique que dans universign.py
if ( if (
payload.get("type", "").startswith("transaction.") payload.get("type", "").startswith("transaction.")
and "payload" in payload and "payload" in payload
@ -192,6 +195,7 @@ class UniversignSyncService:
f"📨 Traitement webhook: transaction={transaction_id}, event={event_type}" f"📨 Traitement webhook: transaction={transaction_id}, event={event_type}"
) )
# Récupérer la transaction locale
query = ( query = (
select(UniversignTransaction) select(UniversignTransaction)
.options(selectinload(UniversignTransaction.signers)) .options(selectinload(UniversignTransaction.signers))
@ -204,20 +208,25 @@ class UniversignSyncService:
logger.warning(f"Transaction {transaction_id} inconnue localement") logger.warning(f"Transaction {transaction_id} inconnue localement")
return False, "Transaction inconnue" return False, "Transaction inconnue"
# Marquer comme webhook reçu
transaction.webhook_received = True transaction.webhook_received = True
# Stocker l'ancien statut pour comparaison
old_status = transaction.local_status.value old_status = transaction.local_status.value
# Force la synchronisation complète
success, error = await self.sync_transaction( success, error = await self.sync_transaction(
session, transaction, force=True session, transaction, force=True
) )
# Log du changement de statut
if success and transaction.local_status.value != old_status: if success and transaction.local_status.value != old_status:
logger.info( logger.info(
f"Webhook traité: {transaction_id} | " f"Webhook traité: {transaction_id} | "
f"{old_status}{transaction.local_status.value}" f"{old_status}{transaction.local_status.value}"
) )
# Enregistrer le log du webhook
await self._log_sync_attempt( await self._log_sync_attempt(
session=session, session=session,
transaction=transaction, transaction=transaction,
@ -239,6 +248,7 @@ class UniversignSyncService:
logger.error(f"💥 Erreur traitement webhook: {e}", exc_info=True) logger.error(f"💥 Erreur traitement webhook: {e}", exc_info=True)
return False, str(e) return False, str(e)
# CORRECTION 2 : _sync_signers - Ne pas écraser les signers existants
async def _sync_signers( async def _sync_signers(
self, self,
session: AsyncSession, session: AsyncSession,
@ -261,6 +271,7 @@ class UniversignSyncService:
logger.warning(f"Signataire sans email à l'index {idx}, ignoré") logger.warning(f"Signataire sans email à l'index {idx}, ignoré")
continue continue
# PROTECTION : gérer les statuts inconnus
raw_status = signer_data.get("status") or signer_data.get( raw_status = signer_data.get("status") or signer_data.get(
"state", "waiting" "state", "waiting"
) )
@ -291,6 +302,7 @@ class UniversignSyncService:
if signer_data.get("name") and not signer.name: if signer_data.get("name") and not signer.name:
signer.name = signer_data.get("name") signer.name = signer_data.get("name")
else: else:
# Nouveau signer avec gestion d'erreur intégrée
try: try:
signer = UniversignSigner( signer = UniversignSigner(
id=f"{transaction.id}_signer_{idx}_{int(datetime.now().timestamp())}", id=f"{transaction.id}_signer_{idx}_{int(datetime.now().timestamp())}",
@ -318,6 +330,7 @@ class UniversignSyncService:
): ):
import json import json
# Si statut final et pas de force, skip
if is_final_status(transaction.local_status.value) and not force: if is_final_status(transaction.local_status.value) and not force:
logger.debug( logger.debug(
f"⏭️ Skip {transaction.transaction_id}: statut final " f"⏭️ Skip {transaction.transaction_id}: statut final "
@ -327,13 +340,14 @@ class UniversignSyncService:
await session.commit() await session.commit()
return True, None return True, None
# Récupération du statut distant
logger.info(f"Synchronisation: {transaction.transaction_id}") logger.info(f"Synchronisation: {transaction.transaction_id}")
result = self.fetch_transaction_status(transaction.transaction_id) result = self.fetch_transaction_status(transaction.transaction_id)
if not result: if not result:
error = "Échec récupération données Universign" error = "Échec récupération données Universign"
logger.error(f" {error}: {transaction.transaction_id}") logger.error(f" {error}: {transaction.transaction_id}")
transaction.sync_attempts += 1 transaction.sync_attempts += 1
transaction.sync_error = error transaction.sync_error = error
await self._log_sync_attempt(session, transaction, "polling", False, error) await self._log_sync_attempt(session, transaction, "polling", False, error)
@ -344,8 +358,9 @@ class UniversignSyncService:
universign_data = result["transaction"] universign_data = result["transaction"]
universign_status_raw = universign_data.get("state", "draft") universign_status_raw = universign_data.get("state", "draft")
logger.info(f" Statut Universign brut: {universign_status_raw}") logger.info(f"📊 Statut Universign brut: {universign_status_raw}")
# Convertir le statut
new_local_status = map_universign_to_local(universign_status_raw) new_local_status = map_universign_to_local(universign_status_raw)
previous_local_status = transaction.local_status.value previous_local_status = transaction.local_status.value
@ -354,6 +369,7 @@ class UniversignSyncService:
f"{new_local_status} (Local) | Actuel: {previous_local_status}" f"{new_local_status} (Local) | Actuel: {previous_local_status}"
) )
# Vérifier la transition
if not is_transition_allowed(previous_local_status, new_local_status): if not is_transition_allowed(previous_local_status, new_local_status):
logger.warning( logger.warning(
f"Transition refusée: {previous_local_status}{new_local_status}" f"Transition refusée: {previous_local_status}{new_local_status}"
@ -367,9 +383,10 @@ class UniversignSyncService:
if status_changed: if status_changed:
logger.info( logger.info(
f"CHANGEMENT DÉTECTÉ: {previous_local_status}{new_local_status}" f"🔔 CHANGEMENT DÉTECTÉ: {previous_local_status}{new_local_status}"
) )
# Mise à jour du statut Universign brut
try: try:
transaction.universign_status = UniversignTransactionStatus( transaction.universign_status = UniversignTransactionStatus(
universign_status_raw universign_status_raw
@ -387,12 +404,14 @@ class UniversignSyncService:
else: else:
transaction.universign_status = UniversignTransactionStatus.STARTED transaction.universign_status = UniversignTransactionStatus.STARTED
# Mise à jour du statut local
transaction.local_status = LocalDocumentStatus(new_local_status) transaction.local_status = LocalDocumentStatus(new_local_status)
transaction.universign_status_updated_at = datetime.now() transaction.universign_status_updated_at = datetime.now()
# Mise à jour des dates
if new_local_status == "EN_COURS" and not transaction.sent_at: if new_local_status == "EN_COURS" and not transaction.sent_at:
transaction.sent_at = datetime.now() transaction.sent_at = datetime.now()
logger.info("Date d'envoi mise à jour") logger.info("📅 Date d'envoi mise à jour")
if new_local_status == "SIGNE" and not transaction.signed_at: if new_local_status == "SIGNE" and not transaction.signed_at:
transaction.signed_at = datetime.now() transaction.signed_at = datetime.now()
@ -400,11 +419,15 @@ class UniversignSyncService:
if new_local_status == "REFUSE" and not transaction.refused_at: if new_local_status == "REFUSE" and not transaction.refused_at:
transaction.refused_at = datetime.now() transaction.refused_at = datetime.now()
logger.info(" Date de refus mise à jour") logger.info(" Date de refus mise à jour")
if new_local_status == "EXPIRE" and not transaction.expired_at: if new_local_status == "EXPIRE" and not transaction.expired_at:
transaction.expired_at = datetime.now() transaction.expired_at = datetime.now()
logger.info("Date d'expiration mise à jour") logger.info("⏰ Date d'expiration mise à jour")
# === SECTION CORRIGÉE: Gestion des documents ===
# Ne plus chercher document_url dans la réponse (elle n'existe pas!)
# Le téléchargement se fait via le service document qui utilise le bon endpoint
documents = universign_data.get("documents", []) documents = universign_data.get("documents", [])
if documents: if documents:
@ -414,6 +437,7 @@ class UniversignSyncService:
f"status={first_doc.get('status')}" f"status={first_doc.get('status')}"
) )
# Téléchargement automatique du document signé
if new_local_status == "SIGNE" and not transaction.signed_document_path: if new_local_status == "SIGNE" and not transaction.signed_document_path:
logger.info("Déclenchement téléchargement document signé...") logger.info("Déclenchement téléchargement document signé...")
@ -431,15 +455,21 @@ class UniversignSyncService:
logger.warning(f"Échec téléchargement: {download_error}") logger.warning(f"Échec téléchargement: {download_error}")
except Exception as e: except Exception as e:
logger.error(f" Erreur téléchargement document: {e}", exc_info=True) logger.error(
f"❌ Erreur téléchargement document: {e}", exc_info=True
)
# === FIN SECTION CORRIGÉE ===
# Synchroniser les signataires
await self._sync_signers(session, transaction, universign_data) await self._sync_signers(session, transaction, universign_data)
# Mise à jour des métadonnées de sync
transaction.last_synced_at = datetime.now() transaction.last_synced_at = datetime.now()
transaction.sync_attempts += 1 transaction.sync_attempts += 1
transaction.needs_sync = not is_final_status(new_local_status) transaction.needs_sync = not is_final_status(new_local_status)
transaction.sync_error = None transaction.sync_error = None
# Log de la tentative
await self._log_sync_attempt( await self._log_sync_attempt(
session=session, session=session,
transaction=transaction, transaction=transaction,
@ -461,6 +491,7 @@ class UniversignSyncService:
await session.commit() await session.commit()
# Exécuter les actions post-changement
if status_changed: if status_changed:
logger.info(f"🎬 Exécution actions pour statut: {new_local_status}") logger.info(f"🎬 Exécution actions pour statut: {new_local_status}")
await self._execute_status_actions( await self._execute_status_actions(
@ -476,7 +507,7 @@ class UniversignSyncService:
except Exception as e: except Exception as e:
error_msg = f"Erreur lors de la synchronisation: {str(e)}" error_msg = f"Erreur lors de la synchronisation: {str(e)}"
logger.error(f" {error_msg}", exc_info=True) logger.error(f" {error_msg}", exc_info=True)
transaction.sync_error = error_msg[:1000] transaction.sync_error = error_msg[:1000]
transaction.sync_attempts += 1 transaction.sync_attempts += 1
@ -488,16 +519,20 @@ class UniversignSyncService:
return False, error_msg return False, error_msg
# CORRECTION 3 : Amélioration du logging dans sync_transaction
async def _sync_transaction_documents_corrected( async def _sync_transaction_documents_corrected(
self, session, transaction, universign_data: dict, new_local_status: str self, session, transaction, universign_data: dict, new_local_status: str
): ):
# Récupérer et stocker les infos documents
documents = universign_data.get("documents", []) documents = universign_data.get("documents", [])
if documents: if documents:
# Stocker le premier document_id pour référence
first_doc = documents[0] first_doc = documents[0]
first_doc_id = first_doc.get("id") first_doc_id = first_doc.get("id")
if first_doc_id: if first_doc_id:
# Stocker l'ID du document (si le champ existe dans le modèle)
if hasattr(transaction, "universign_document_id"): if hasattr(transaction, "universign_document_id"):
transaction.universign_document_id = first_doc_id transaction.universign_document_id = first_doc_id
@ -508,6 +543,7 @@ class UniversignSyncService:
else: else:
logger.debug("Aucun document dans la réponse Universign") logger.debug("Aucun document dans la réponse Universign")
# Téléchargement automatique si signé
if new_local_status == "SIGNE": if new_local_status == "SIGNE":
if not transaction.signed_document_path: if not transaction.signed_document_path:
logger.info("Déclenchement téléchargement document signé...") logger.info("Déclenchement téléchargement document signé...")
@ -526,7 +562,9 @@ class UniversignSyncService:
logger.warning(f"Échec téléchargement: {download_error}") logger.warning(f"Échec téléchargement: {download_error}")
except Exception as e: except Exception as e:
logger.error(f" Erreur téléchargement document: {e}", exc_info=True) logger.error(
f"❌ Erreur téléchargement document: {e}", exc_info=True
)
else: else:
logger.debug( logger.debug(
f"Document déjà téléchargé: {transaction.signed_document_path}" f"Document déjà téléchargé: {transaction.signed_document_path}"

6
utils/generic_functions.py
View file

@ -290,11 +290,15 @@ def _preparer_lignes_document(lignes: List) -> List[Dict]:
UNIVERSIGN_TO_LOCAL: Dict[str, str] = { UNIVERSIGN_TO_LOCAL: Dict[str, str] = {
# États initiaux
"draft": "EN_ATTENTE", "draft": "EN_ATTENTE",
"ready": "EN_ATTENTE", "ready": "EN_ATTENTE",
# En cours
"started": "EN_COURS", "started": "EN_COURS",
# États finaux (succès)
"completed": "SIGNE", "completed": "SIGNE",
"closed": "SIGNE", "closed": "SIGNE",
# États finaux (échec)
"refused": "REFUSE", "refused": "REFUSE",
"expired": "EXPIRE", "expired": "EXPIRE",
"canceled": "REFUSE", "canceled": "REFUSE",
@ -425,7 +429,7 @@ STATUS_MESSAGES: Dict[str, Dict[str, str]] = {
"REFUSE": { "REFUSE": {
"fr": "Signature refusée", "fr": "Signature refusée",
"en": "Signature refused", "en": "Signature refused",
"icon": "", "icon": "",
"color": "red", "color": "red",
}, },
"EXPIRE": { "EXPIRE": {

2
utils/universign_status_mapping.py
View file

@ -96,7 +96,7 @@ STATUS_MESSAGES: Dict[str, Dict[str, str]] = {
"REFUSE": { "REFUSE": {
"fr": "Signature refusée", "fr": "Signature refusée",
"en": "Signature refused", "en": "Signature refused",
"icon": "", "icon": "",
"color": "red", "color": "red",
}, },
"EXPIRE": { "EXPIRE": {