From e5953a1f4b2d58c0dc02cf25c1d14a679f80aa3b Mon Sep 17 00:00:00 2001
From: Luc De Meyer <luc.demeyer@noviat.com>
Date: Sat, 2 Dec 2023 18:35:04 +0100
Subject: [PATCH] [IMP]add support for signature passphrase

---
 account_ebics/__manifest__.py                 |  2 +-
 account_ebics/models/ebics_userid.py          | 34 ++++++-
 account_ebics/views/ebics_userid_views.xml    |  6 ++
 .../wizards/ebics_change_passphrase.py        | 72 +++++++++++----
 .../wizards/ebics_change_passphrase.xml       | 91 ++++++++++++-------
 account_ebics/wizards/ebics_xfer.py           | 30 ++++--
 account_ebics/wizards/ebics_xfer.xml          |  6 ++
 7 files changed, 178 insertions(+), 63 deletions(-)

diff --git a/account_ebics/__manifest__.py b/account_ebics/__manifest__.py
index aa0643b..8f66b60 100644
--- a/account_ebics/__manifest__.py
+++ b/account_ebics/__manifest__.py
@@ -3,7 +3,7 @@
 
 {
     "name": "EBICS banking protocol",
-    "version": "16.0.1.6.2",
+    "version": "16.0.1.7.0",
     "license": "LGPL-3",
     "author": "Noviat",
     "website": "https://www.noviat.com/",
diff --git a/account_ebics/models/ebics_userid.py b/account_ebics/models/ebics_userid.py
index ef2dc13..62e9a0d 100644
--- a/account_ebics/models/ebics_userid.py
+++ b/account_ebics/models/ebics_userid.py
@@ -115,6 +115,17 @@ class EbicsUserID(models.Model):
     ebics_passphrase_invisible = fields.Boolean(
         compute="_compute_ebics_passphrase_view_modifiers"
     )
+    ebics_sig_passphrase = fields.Char(
+        string="EBICS Signature Passphrase",
+        store=False,
+        help="You can set here a different passphrase for the EBICS "
+        "signing key. This passphrase will never be stored hence "
+        "you'll need to specify your passphrase for each transaction that "
+        "requires a digital signature.",
+    )
+    ebics_sig_passphrase_invisible = fields.Boolean(
+        compute="_compute_ebics_sig_passphrase_invisible"
+    )
     ebics_ini_letter = fields.Binary(
         string="EBICS INI Letter",
         readonly=True,
@@ -227,13 +238,22 @@ class EbicsUserID(models.Model):
                 rec.ebics_passphrase_required = False
                 rec.ebics_passphrase_invisible = True
 
+    @api.depends("state")
+    def _compute_ebics_sig_passphrase_invisible(self):
+        for rec in self:
+            rec.ebics_sig_passphrase_invisible = True
+            if fintech.__version_info__ < (7, 3, 1):
+                continue
+            if rec.transaction_rights != "down" and rec.state == "draft":
+                rec.ebics_sig_passphrase_invisible = False
+
     @api.constrains("ebics_key_x509")
     def _check_ebics_key_x509(self):
         for cfg in self:
             if cfg.ebics_version == "H005" and not cfg.ebics_key_x509:
                 raise UserError(_("X.509 certificates must be used with EBICS 3.0."))
 
-    @api.constrains("ebics_passphrase")
+    @api.constrains("ebics_passphrase", "ebics_sig_passphrase")
     def _check_ebics_passphrase(self):
         for rec in self:
             if rec.ebics_passphrase and len(rec.ebics_passphrase) < 8:
@@ -295,9 +315,13 @@ class EbicsUserID(models.Model):
 
         ebics_version = self.ebics_config_id.ebics_version
         try:
-            keyring = EbicsKeyRing(
-                keys=self.ebics_keys_fn, passphrase=self.ebics_passphrase
-            )
+            keyring_params = {
+                "keys": self.ebics_keys_fn,
+                "passphrase": self.ebics_passphrase,
+            }
+            if self.ebics_sig_passphrase:
+                keyring_params["ebics_sig_passphrase"] = self.ebics_sig_passphrase
+            keyring = EbicsKeyRing(**keyring_params)
             bank = EbicsBank(
                 keyring=keyring,
                 hostid=self.ebics_config_id.ebics_host,
@@ -536,7 +560,7 @@ class EbicsUserID(models.Model):
 
     def change_passphrase(self):
         self.ensure_one()
-        ctx = dict(self._context, default_ebics_userid_id=self.id)
+        ctx = dict(self.env.context, default_ebics_userid_id=self.id)
         module = __name__.split("addons.")[1].split(".")[0]
         view = self.env.ref("%s.ebics_change_passphrase_view_form" % module)
         return {
diff --git a/account_ebics/views/ebics_userid_views.xml b/account_ebics/views/ebics_userid_views.xml
index e4d9fd5..76c5021 100644
--- a/account_ebics/views/ebics_userid_views.xml
+++ b/account_ebics/views/ebics_userid_views.xml
@@ -88,6 +88,7 @@
           <field name="ebics_version" invisible="1" />
           <field name="ebics_passphrase_required" invisible="1" />
           <field name="ebics_passphrase_invisible" invisible="1" />
+          <field name="ebics_sig_passphrase_invisible" invisible="1" />
           <group name="main-left">
             <field name="name" />
             <field
@@ -96,6 +97,11 @@
                             attrs="{'required': [('ebics_passphrase_required', '=', True)], 'invisible': [('ebics_passphrase_invisible', '=', True)]}"
                         />
             <field name="ebics_passphrase_store" />
+            <field
+                            name="ebics_sig_passphrase"
+                            password="True"
+                            attrs="{'invisible': [('ebics_sig_passphrase_invisible', '=', True)]}"
+                        />
             <field name="transaction_rights" />
             <field name="active" />
           </group>
diff --git a/account_ebics/wizards/ebics_change_passphrase.py b/account_ebics/wizards/ebics_change_passphrase.py
index 38e689c..92561b9 100644
--- a/account_ebics/wizards/ebics_change_passphrase.py
+++ b/account_ebics/wizards/ebics_change_passphrase.py
@@ -24,37 +24,75 @@ class EbicsChangePassphrase(models.TransientModel):
     ebics_userid_id = fields.Many2one(
         comodel_name="ebics.userid", string="EBICS UserID", readonly=True
     )
-    old_pass = fields.Char(string="Old Passphrase", required=True)
-    new_pass = fields.Char(string="New Passphrase", required=True)
-    new_pass_check = fields.Char(string="New Passphrase (verification)", required=True)
+    old_pass = fields.Char(string="Old Passphrase")
+    new_pass = fields.Char(string="New Passphrase")
+    new_pass_check = fields.Char(string="New Passphrase (verification)")
+    old_sig_pass = fields.Char(string="Old Signature Passphrase")
+    new_sig_pass = fields.Char(string="New Signature Passphrase")
+    new_sig_pass_check = fields.Char(string="New Signature Passphrase (verification)")
+    ebics_sig_passphrase_invisible = fields.Boolean(
+        compute="_compute_ebics_sig_passphrase_invisible"
+    )
     note = fields.Text(string="Notes", readonly=True)
 
+    def _compute_ebics_sig_passphrase_invisible(self):
+        for rec in self:
+            if fintech.__version_info__ < (7, 3, 1):
+                rec.ebics_sig_passphrase_invisible = True
+            else:
+                rec.ebics_sig_passphrase_invisible = False
+
     def change_passphrase(self):
         self.ensure_one()
+        self.note = ""
         if (
             self.ebics_userid_id.ebics_passphrase_store
+            and self.old_pass
             and self.old_pass != self.ebics_userid_id.ebics_passphrase
         ):
             raise UserError(_("Incorrect old passphrase."))
         if self.new_pass != self.new_pass_check:
             raise UserError(_("New passphrase verification error."))
-        if self.new_pass == self.ebics_userid_id.ebics_passphrase:
+        if self.new_pass and self.new_pass == self.ebics_userid_id.ebics_passphrase:
             raise UserError(_("New passphrase equal to old passphrase."))
+        if (
+            self.new_sig_pass
+            and self.old_sig_pass
+            and self.new_sig_pass == self.old_sig_pass
+        ):
+            raise UserError(
+                _("New signature passphrase equal to old signature passphrase.")
+            )
+        if self.new_sig_pass != self.new_sig_pass_check:
+            raise UserError(_("New signature passphrase verification error."))
+        passphrase = (
+            self.ebics_userid_id.ebics_passphrase_store
+            and self.ebics_userid_id.ebics_passphrase
+            or self.old_pass
+        )
         try:
-            passphrase = (
-                self.ebics_userid_id.ebics_passphrase_store
-                and self.ebics_userid_id.ebics_passphrase
-                or self.old_pass
-            )
-            keyring = EbicsKeyRing(
-                keys=self.ebics_userid_id.ebics_keys_fn,
-                passphrase=passphrase,
-            )
-            keyring.change_passphrase(self.new_pass)
-        except ValueError as err:
+            keyring_params = {
+                "keys": self.ebics_userid_id.ebics_keys_fn,
+                "passphrase": passphrase,
+            }
+            if self.new_sig_pass:
+                keyring_params["sig_passphrase"] = self.old_sig_pass
+            keyring = EbicsKeyRing(**keyring_params)
+            change_params = {}
+            if self.new_pass:
+                change_params["passphrase"] = self.new_pass
+            if self.new_sig_pass:
+                change_params["sig_passphrase"] = self.new_sig_pass
+            if change_params:
+                keyring.change_passphrase(**change_params)
+        except (ValueError, RuntimeError) as err:
             raise UserError(str(err)) from err
-        self.ebics_userid_id.ebics_passphrase = self.new_pass
-        self.note = "The EBICS Passphrase has been changed."
+
+        if self.new_pass:
+            self.ebics_userid_id.ebics_passphrase = self.new_pass
+            self.note += "The EBICS Passphrase has been changed."
+        if self.new_sig_pass:
+            self.note += "The EBICS Signature Passphrase has been changed."
 
         module = __name__.split("addons.")[1].split(".")[0]
         result_view = self.env.ref(
diff --git a/account_ebics/wizards/ebics_change_passphrase.xml b/account_ebics/wizards/ebics_change_passphrase.xml
index bb24f0a..17839bd 100644
--- a/account_ebics/wizards/ebics_change_passphrase.xml
+++ b/account_ebics/wizards/ebics_change_passphrase.xml
@@ -1,44 +1,67 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <odoo>
 
-  <record id="ebics_change_passphrase_view_form" model="ir.ui.view">
-    <field name="name">EBICS Keys Change Passphrase</field>
-    <field name="model">ebics.change.passphrase</field>
-    <field name="priority">1</field>
-    <field name="arch" type="xml">
-      <form string="EBICS Keys Change Passphrase">
-        <group>
-          <field name="old_pass" password="True" />
-          <field name="new_pass" password="True" />
-          <field name="new_pass_check" password="True" />
-        </group>
-        <footer>
-          <button
+    <record id="ebics_change_passphrase_view_form" model="ir.ui.view">
+        <field name="name">EBICS Keys Change Passphrase</field>
+        <field name="model">ebics.change.passphrase</field>
+        <field name="priority">1</field>
+        <field name="arch" type="xml">
+            <form string="EBICS Keys Change Passphrase">
+                <group>
+                    <group name="pass">
+                        <field name="old_pass" password="True" />
+                        <field name="new_pass" password="True" />
+                        <field name="new_pass_check" password="True" />
+                    </group>
+                    <group
+                        name="sig_pass"
+                        attrs="{'invisible': [('ebics_sig_passphrase_invisible', '=', True)]}"
+                    >
+                        <field name="old_sig_pass" password="True" />
+                        <field name="new_sig_pass" password="True" />
+                        <field name="new_sig_pass_check" password="True" />
+                    </group>
+                    <group name="invisible" invisible="1">
+                        <field name="ebics_sig_passphrase_invisible" />
+                    </group>
+                </group>
+                <footer>
+                    <button
                         name="change_passphrase"
                         string="Change Passphrase"
                         type="object"
-                        class="oe_highlight"
+                        class="btn-primary"
+                        data-hotkey="q"
                     />
-          or
-          <button string="Cancel" class="oe_link" special="cancel" />
-        </footer>
-      </form>
-    </field>
-  </record>
+                    <button
+                        string="Cancel"
+                        class="btn-secondary"
+                        special="cancel"
+                        data-hotkey="z"
+                    />
+                </footer>
+            </form>
+        </field>
+    </record>
 
-  <record id="ebics_change_passphrase_view_form_result" model="ir.ui.view">
-    <field name="name">EBICS Keys Change Passphrase</field>
-    <field name="model">ebics.change.passphrase</field>
-    <field name="priority">2</field>
-    <field name="arch" type="xml">
-      <form string="EBICS Keys Change Passphrase">
-        <separator colspan="4" string="Results :" />
-        <field name="note" colspan="4" nolabel="1" width="850" height="400" />
-        <footer>
-          <button name="button_close" type="object" string="Close" />
-        </footer>
-      </form>
-    </field>
-  </record>
+    <record id="ebics_change_passphrase_view_form_result" model="ir.ui.view">
+        <field name="name">EBICS Keys Change Passphrase</field>
+        <field name="model">ebics.change.passphrase</field>
+        <field name="priority">2</field>
+        <field name="arch" type="xml">
+            <form string="EBICS Keys Change Passphrase">
+                <separator colspan="4" string="Results :" />
+                <field name="note" colspan="4" nolabel="1" width="850" height="400" />
+                <footer>
+                    <button
+                        name="button_close"
+                        type="object"
+                        string="Close"
+                        data-hotkey="z"
+                    />
+                </footer>
+            </form>
+        </field>
+    </record>
 
 </odoo>
diff --git a/account_ebics/wizards/ebics_xfer.py b/account_ebics/wizards/ebics_xfer.py
index bfa4b74..b2ee29e 100644
--- a/account_ebics/wizards/ebics_xfer.py
+++ b/account_ebics/wizards/ebics_xfer.py
@@ -67,6 +67,12 @@ class EbicsXfer(models.TransientModel):
     ebics_passphrase_store = fields.Boolean(
         related="ebics_userid_id.ebics_passphrase_store"
     )
+    ebics_sig_passphrase = fields.Char(
+        string="EBICS Signature Passphrase",
+    )
+    ebics_sig_passphrase_invisible = fields.Boolean(
+        compute="_compute_ebics_sig_passphrase_invisible"
+    )
     date_from = fields.Date()
     date_to = fields.Date()
     upload_data = fields.Binary(string="File to Upload")
@@ -110,6 +116,14 @@ class EbicsXfer(models.TransientModel):
         else:
             return cfg_mod
 
+    def _compute_ebics_sig_passphrase_invisible(self):
+        for rec in self:
+            rec.ebics_sig_passphrase_invisible = True
+            if fintech.__version_info__ < (7, 3, 1):
+                rec.ebics_sig_passphrase_invisible = True
+            else:
+                rec.ebics_sig_passphrase_invisible = False
+
     @api.onchange("ebics_config_id")
     def _onchange_ebics_config_id(self):
         avail_userids = self.ebics_config_id.ebics_userid_ids.filtered(
@@ -139,11 +153,11 @@ class EbicsXfer(models.TransientModel):
             if len(avail_userids) == 1:
                 self.ebics_userid_id = avail_userids
             else:
-                with_passphrs_userids = avail_userids.filtered(
+                with_passphrase_userids = avail_userids.filtered(
                     lambda r: r.ebics_passphrase_store
                 )
-                if len(with_passphrs_userids) == 1:
-                    self.ebics_userid_id = with_passphrs_userids
+                if len(with_passphrase_userids) == 1:
+                    self.ebics_userid_id = with_passphrase_userids
         else:
             self.ebics_userid_id = False
 
@@ -444,10 +458,14 @@ class EbicsXfer(models.TransientModel):
     def _setup_client(self):
         self.ebics_config_id._check_ebics_keys()
         passphrase = self._get_passphrase()
+        keyring_params = {
+            "keys": self.ebics_userid_id.ebics_keys_fn,
+            "passphrase": passphrase,
+        }
+        if self.ebics_sig_passphrase:
+            keyring_params["sig_passphrase"] = self.ebics_sig_passphrase
         try:
-            keyring = EbicsKeyRing(
-                keys=self.ebics_userid_id.ebics_keys_fn, passphrase=passphrase
-            )
+            keyring = EbicsKeyRing(**keyring_params)
         except (RuntimeError, ValueError) as err:
             error = _("Error while accessing the EBICS Keys:")
             error += "\n"
diff --git a/account_ebics/wizards/ebics_xfer.xml b/account_ebics/wizards/ebics_xfer.xml
index 4fdcac1..1486dc5 100644
--- a/account_ebics/wizards/ebics_xfer.xml
+++ b/account_ebics/wizards/ebics_xfer.xml
@@ -78,7 +78,13 @@
                         password="True"
                         attrs="{'invisible': [('ebics_passphrase_store', '=', True)], 'required': [('ebics_passphrase_store', '=', False)]}"
                     />
+          <field
+                        name="ebics_sig_passphrase"
+                        password="True"
+                        attrs="{'invisible': [('ebics_sig_passphrase_invisible', '=', True)]}"
+                    />
           <field name="ebics_passphrase_store" invisible="1" />
+          <field name="ebics_sig_passphrase_invisible" invisible="1" />
           <separator string="Select your file :" colspan="2" />
           <field name="upload_data" filename="upload_fname" required="1" />
           <field name="upload_fname" invisible="1" />