Merge branch '16-fix-passphrase-handling' into '16.0'

[FIX]fix handling of non-stored passphrases

See merge request Noviat/Noviat_Generic/accounting-ebics!22

account_ebics/README.rst

@@ -174,6 +174,16 @@ Go to **Accounting > Bank and Cash > EBICS Processing**
 
 |
 
+Diagnostics
+===========
+
+Add the following to your Odoo config file in order to diagnose
+issues with the EBICS connection with your bank:
+
+log_handler = fintech.ebics:DEBUG
+
+|
+
 EBICS Return Codes
 ------------------
 
@@ -192,13 +202,14 @@ Electronic Distributed Signature (EDS)
 
 This is supported via external signing apps, e.g. BankingVEU:
 
-  https://play.google.com/store/apps/details?id=subsembly.bankingveu
-  https://apps.apple.com/de/app/bankingveu/id1578694190
+- https://play.google.com/store/apps/details?id=subsembly.bankingveu
+- https://apps.apple.com/de/app/bankingveu/id1578694190
 
 
 Known Issues / Roadmap
 ======================
 
+- The end user is currently not able to change his passphrases (only the users with 'EBICS Manager' rights can do so).
 - Add support to import externally generated keys & certificates (currently only 3SKey signature certificate).
 - Add support for SWIFT 3SKey signing javascript lib (SConnect, cf https://www2.swift.com/3skey/help/sconnect.html).
 

account_ebics/__manifest__.py

@@ -3,7 +3,7 @@
 
 {
     "name": "EBICS banking protocol",
-    "version": "16.0.1.7.1",
+    "version": "16.0.1.8.0",
     "license": "LGPL-3",
     "author": "Noviat",
     "website": "https://www.noviat.com/",

account_ebics/models/ebics_userid.py

@@ -13,10 +13,6 @@ from odoo.exceptions import UserError
 
 _logger = logging.getLogger(__name__)
 
-# logging.basicConfig(
-#    level=logging.DEBUG,
-#    format='[%(asctime)s] %(levelname)s - %(name)s: %(message)s')
-
 try:
     import fintech
     from fintech.ebics import (
@@ -117,7 +113,6 @@ class EbicsUserID(models.Model):
     )
     ebics_sig_passphrase = fields.Char(
         string="EBICS Signature Passphrase",
-        store=False,
         help="You can set here a different passphrase for the EBICS "
         "signing key. This passphrase will never be stored hence "
         "you'll need to specify your passphrase for each transaction that "
@@ -228,10 +223,12 @@ class EbicsUserID(models.Model):
     @api.depends("state", "ebics_passphrase")
     def _compute_ebics_passphrase_view_modifiers(self):
         for rec in self:
+            rec.ebics_passphrase_invisible = False
             if rec.state == "draft":
                 rec.ebics_passphrase_required = True
-                rec.ebics_passphrase_invisible = False
-            elif rec.state == "get_bank_keys":
+            elif rec.state == "init":
+                rec.ebics_passphrase_invisible = True
+            elif rec.state in ("get_bank_keys", "to_verify"):
                 rec.ebics_passphrase_required = not rec.ebics_passphrase
                 rec.ebics_passphrase_invisible = rec.ebics_passphrase
             else:
@@ -253,11 +250,19 @@ class EbicsUserID(models.Model):
             if cfg.ebics_version == "H005" and not cfg.ebics_key_x509:
                 raise UserError(_("X.509 certificates must be used with EBICS 3.0."))
 
-    @api.constrains("ebics_passphrase", "ebics_sig_passphrase")
+    @api.constrains("ebics_passphrase")
     def _check_ebics_passphrase(self):
         for rec in self:
             if rec.ebics_passphrase and len(rec.ebics_passphrase) < 8:
-                raise UserError(_("The passphrase must be at least 8 characters long"))
+                raise UserError(_("The Passphrase must be at least 8 characters long"))
+
+    @api.constrains("ebics_sig_passphrase")
+    def _check_ebics_sig_passphrase(self):
+        for rec in self:
+            if rec.ebics_sig_passphrase and len(rec.ebics_sig_passphrase) < 8:
+                raise UserError(
+                    _("The Signature Passphrase must be at least 8 characters long")
+                )
 
     @api.onchange("ebics_version")
     def _onchange_ebics_version(self):
@@ -271,7 +276,7 @@ class EbicsUserID(models.Model):
 
     @api.onchange("ebics_passphrase_store")
     def _onchange_ebics_passphrase_store(self):
-        if not self.ebics_passphrase_store:
+        if not self.ebics_passphrase_store and self.state == "active_keys":
             self.ebics_passphrase = False
 
     @api.onchange("swift_3skey")
@@ -320,7 +325,7 @@ class EbicsUserID(models.Model):
                 "passphrase": self.ebics_passphrase,
             }
             if self.ebics_sig_passphrase:
-                keyring_params["ebics_sig_passphrase"] = self.ebics_sig_passphrase
+                keyring_params["sig_passphrase"] = self.ebics_sig_passphrase
             keyring = EbicsKeyRing(**keyring_params)
             bank = EbicsBank(
                 keyring=keyring,
@@ -457,24 +462,35 @@ class EbicsUserID(models.Model):
         fn_date = fields.Date.today().isoformat()
         fn = "_".join([self.ebics_config_id.ebics_host, "ini_letter", fn_date]) + ".pdf"
         letter = user.create_ini_letter(bankname=ebics_config_bank.name, lang=lang)
-        self.write(
-            {
+        vals = {
             "ebics_ini_letter": base64.encodebytes(letter),
             "ebics_ini_letter_fn": fn,
+            "state": "init",
         }
-        )
-
-        return self.write({"state": "init"})
+        # remove non-stored passphrases from db after successfull init_1
+        if not self.ebics_passphrase_store:
+            vals.update["ebics_passphrase"] = False
+        if self.ebics_sig_passphrase:
+            vals.update["ebics_sig_passphrase"] = False
+        return self.write(vals)
 
     def ebics_init_2(self):
         """
         Initialization of bank keys - Step 2:
         Activation of the account by the bank.
         """
+        self.ensure_one()
         if self.state != "init":
             raise UserError(_("Set state to 'Initialisation'."))
-        self.ensure_one()
-        return self.write({"state": "get_bank_keys"})
+        vals = {"state": "get_bank_keys"}
+        # remove non-stored passphrases from db
+        # remark: this code is here for extra safety but shouldn't
+        # have any effect since passphrases are invisible in state "init"
+        if not self.ebics_passphrase_store:
+            vals.update["ebics_passphrase"] = False
+        if self.ebics_sig_passphrase:
+            vals.update["ebics_sig_passphrase"] = False
+        return self.write(vals)
 
     def ebics_init_3(self):
         """
@@ -527,21 +543,23 @@ class EbicsUserID(models.Model):
             "_".join([self.ebics_config_id.ebics_host, "public_bank_keys", fn_date])
             + ".txt"
         )
-        self.write(
-            {
+        vals = {
             "ebics_public_bank_keys": base64.encodebytes(public_bank_keys),
             "ebics_public_bank_keys_fn": fn,
             "state": "to_verify",
         }
-        )
-
-        return True
+        # remove non-stored passphrases from db
+        if not self.ebics_passphrase_store:
+            vals.update["ebics_passphrase"] = False
+        if self.ebics_sig_passphrase:
+            vals.update["ebics_sig_passphrase"] = False
+        return self.write(vals)
 
     def ebics_init_4(self):
         """
         Initialization of bank keys - Step 2:
         Confirm Verification of the public bank keys
-        and activate the bank keyu.
+        and activate the bank keys.
         """
         self.ensure_one()
         if self.state != "to_verify":
@@ -556,7 +574,13 @@ class EbicsUserID(models.Model):
             url=self.ebics_config_id.ebics_url,
         )
         bank.activate_keys()
-        return self.write({"state": "active_keys"})
+        vals = {"state": "active_keys"}
+        # remove non-stored passphrases from db
+        if not self.ebics_passphrase_store:
+            vals.update["ebics_passphrase"] = False
+        if self.ebics_sig_passphrase:
+            vals.update["ebics_sig_passphrase"] = False
+        return self.write(vals)
 
     def change_passphrase(self):
         self.ensure_one()

account_ebics/static/description/index.html

@@ -527,6 +527,15 @@ fintech_register_keycode = AB1CD-E2FG-3H-IJ4K-5L
 <div class="line-block">
 <div class="line"><br /></div>
 </div>
+</div>
+<div class="section" id="diagnostics">
+<h2>Diagnostics</h2>
+<p>Add the following to your Odoo config file in order to diagnose
+issues with the EBICS connection with your bank:</p>
+<p>log_handler = fintech.ebics:DEBUG</p>
+<div class="line-block">
+<div class="line"><br /></div>
+</div>
 <div class="section" id="ebics-return-codes">
 <h3>EBICS Return Codes</h3>
 <p>During the processing of your EBICS upload/download, your bank may return an Error Code, e.g.</p>
@@ -541,14 +550,16 @@ You can also find this information in the doc folder of this module (file EBICS_
 <div class="section" id="electronic-distributed-signature-eds">
 <h3>Electronic Distributed Signature (EDS)</h3>
 <p>This is supported via external signing apps, e.g. BankingVEU:</p>
-<blockquote>
-<a class="reference external" href="https://play.google.com/store/apps/details?id=subsembly.bankingveu">https://play.google.com/store/apps/details?id=subsembly.bankingveu</a>
-<a class="reference external" href="https://apps.apple.com/de/app/bankingveu/id1578694190">https://apps.apple.com/de/app/bankingveu/id1578694190</a></blockquote>
+<ul class="simple">
+<li><a class="reference external" href="https://play.google.com/store/apps/details?id=subsembly.bankingveu">https://play.google.com/store/apps/details?id=subsembly.bankingveu</a></li>
+<li><a class="reference external" href="https://apps.apple.com/de/app/bankingveu/id1578694190">https://apps.apple.com/de/app/bankingveu/id1578694190</a></li>
+</ul>
 </div>
 </div>
 <div class="section" id="known-issues-roadmap">
 <h2>Known Issues / Roadmap</h2>
 <ul class="simple">
+<li>The end user is currently not able to change his passphrases (only the users with 'EBICS Manager' rights can do so).</li>
 <li>Add support to import externally generated keys &amp; certificates (currently only 3SKey signature certificate).</li>
 <li>Add support for SWIFT 3SKey signing javascript lib (SConnect, cf <a class="reference external" href="https://www2.swift.com/3skey/help/sconnect.html">https://www2.swift.com/3skey/help/sconnect.html</a>).</li>
 </ul>

account_ebics/wizards/ebics_change_passphrase.py

@@ -89,9 +89,15 @@ class EbicsChangePassphrase(models.TransientModel):
             raise UserError(str(err)) from err
 
         if self.new_pass:
-            self.ebics_userid_id.ebics_passphrase = self.new_pass
+            self.ebics_userid_id.ebics_passphrase = (
+                self.ebics_userid_id.ebics_passphrase_store and self.new_pass
+            )
             self.note += "The EBICS Passphrase has been changed."
         if self.new_sig_pass:
+            # removing ebics_sig_passphrase from db should not be required
+            # but we do it for double safety
+            if self.ebics_userid_id.ebics_sig_passphrase:
+                self.ebics_userid_id.ebics_sig_passphrase = False
             self.note += "The EBICS Signature Passphrase has been changed."
 
         module = __name__.split("addons.")[1].split(".")[0]

account_ebics/wizards/ebics_xfer.py

@@ -1,13 +1,6 @@
 # Copyright 2009-2023 Noviat.
 # License LGPL-3 or later (http://www.gnu.org/licenses/lgpl).
 
-"""
-import logging
-logging.basicConfig(
-    level=logging.DEBUG,
-    format='[%(asctime)s] %(levelname)s - %(name)s: %(message)s')
-"""
-
 import base64
 import logging
 from sys import exc_info