Merge branch '3.1.x' into pauta_multiformat

sapl/base/forms.py

@@ -40,7 +40,7 @@ from sapl.utils import (autor_label, autor_modal, ChoiceWithoutValidationField,
                         FilterOverridesMetaMixin, FileFieldCheckMixin,
                         ImageThumbnailFileInput, qs_override_django_filter,
                         RANGE_ANOS, YES_NO_CHOICES, choice_tipos_normas,
-                        GoogleRecapthaMixin, parlamentares_ativos, RANGE_MESES)
+                        GoogleRecapthaMixin, parlamentares_ativos, RANGE_MESES, is_weak_password)
 
 from .models import AppConfig, CasaLegislativa
 
@@ -288,8 +288,13 @@ class UserAdminForm(ModelForm):
             )
         else:
             if new_password1 and new_password2:
+                if is_weak_password(new_password1):
+                    raise forms.ValidationError(_(
+                        'A senha deve ter pelo menos 8 caracteres e incluir uma combinação '
+                        'de letras maiúsculas e minúsculas, números e caracteres especiais.'
+                    ))
                 password_validation.validate_password(
-                    new_password2, self.instance)
+                    new_password1, self.instance)
 
         parlamentar = data.get('parlamentar', None)
         if parlamentar and parlamentar.votante_set.exists() and \
@@ -926,12 +931,12 @@ class CasaLegislativaForm(FileFieldCheckMixin, ModelForm):
 
 class LoginForm(AuthenticationForm):
     username = forms.CharField(
-        label="Username", max_length=30,
+        label="Usuário", max_length=30,
         widget=forms.TextInput(
             attrs={
                 'class': 'form-control', 'name': 'username'}))
     password = forms.CharField(
-        label="Password", max_length=30,
+        label="Senha", max_length=30,
         widget=forms.PasswordInput(
             attrs={
                 'class': 'form-control', 'name': 'password'}))
@@ -1139,12 +1144,15 @@ class AlterarSenhaForm(Form):
         # TODO: caracteres alfanuméricos, maiúsculas (?),
         # TODO: senha atual igual a senha anterior, etc
 
-        if len(new_password1) < 6:
+        if is_weak_password(new_password1):
             self.logger.warning(
-                'A senha informada não tem o mínimo de 6 caracteres.'
+                'A senha deve ter pelo menos 8 caracteres e incluir uma combinação '
+                'de letras maiúsculas e minúsculas, números e caracteres especiais.'
             )
             raise ValidationError(
-                "A senha informada deve ter no mínimo 6 caracteres")
+                'A senha deve ter pelo menos 8 caracteres e incluir uma combinação '
+                'de letras maiúsculas e minúsculas, números e caracteres especiais.'
+            )
 
         username = data['username']
         old_password = data['old_password']

sapl/base/views.py

@@ -6,7 +6,7 @@ import os
 
 from django.apps.registry import apps
 from django.contrib import messages
-from django.contrib.auth import get_user_model, views
+from django.contrib.auth import authenticate, login, get_user_model, views
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.auth.models import Group
 from django.contrib.auth.tokens import default_token_generator
@@ -51,7 +51,7 @@ from sapl.sessao.models import (Bancada, SessaoPlenaria)
 from sapl.settings import EMAIL_SEND_USER
 from sapl.utils import (gerar_hash_arquivo, intervalos_tem_intersecao, mail_service_configured,
                         SEPARADOR_HASH_PROPOSICAO, show_results_filter_set, google_recaptcha_configured,
-                        get_client_ip, sapn_is_enabled)
+                        get_client_ip, sapn_is_enabled, is_weak_password)
 from .forms import (AlterarSenhaForm, CasaLegislativaForm, ConfiguracoesAppForm, EstatisticasAcessoNormasForm)
 from .models import AppConfig, CasaLegislativa
 
@@ -75,6 +75,21 @@ class LoginSapl(views.LoginView):
     template_name = 'base/login.html'
     authentication_form = LoginForm
 
+    def form_valid(self, form):
+        """Override do comportamento padrão para verificar senha fraca"""
+        username = form.cleaned_data.get('username')
+        password = form.cleaned_data.get('password')
+
+        user = authenticate(self.request, username=username, password=password)
+        if user is not None:
+            login(self.request, user)
+            if is_weak_password(password):
+                self.request.session['weak_password'] = True
+            return redirect(self.get_success_url())
+
+        # Fallback se falhar a autenticação (tecnicamente não devia chegar aqui)
+        return super().form_invalid(form)
+
 
 class ConfirmarEmailView(TemplateView):
     template_name = "email/confirma.html"
@@ -1481,6 +1496,8 @@ class AlterarSenha(FormView):
         user.set_password(new_password)
         user.save()
 
+        self.request.session.pop('weak_password', None)
+
         return super().form_valid(form)
 
 

sapl/materia/views.py

@@ -2985,7 +2985,7 @@ def create_pdf_docacessorios(materia):
         materia.pk,
         time.mktime(datetime.now().timetuple()))
 
-    merger = PdfFileMerger()
+    merger = PdfFileMerger(strict=False)
     for f in docs_path:
         merger.append(fileobj=f)
 

sapl/middleware.py

@@ -0,0 +1,21 @@
+import logging
+
+from django.shortcuts import redirect
+from django.urls import reverse
+
+
+class CheckWeakPasswordMiddleware:
+    logger = logging.getLogger(__name__)
+
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        if request.user.is_authenticated and \
+                request.session.get('weak_password', False) and \
+                request.path != reverse('sapl.base:alterar_senha') and \
+                request.path != reverse('sapl.base:logout'):
+            logging.warning(f"Usuário {request.user.username} possui senha fraca.")
+            return redirect('sapl.base:alterar_senha')
+
+        return self.get_response(request)

sapl/norma/views.py

@@ -166,7 +166,7 @@ class NormaPesquisaView(MultiFormatOutputMixin, FilterView):
         texto_integral = obj.texto_integral if not isinstance(
             obj, dict) else obj["texto_integral"]
 
-        return f'{url}/{texto_integral}'
+        return f'{url}/media/{texto_integral}'
 
     def get_queryset(self):
         qs = super().get_queryset()

sapl/protocoloadm/views.py

@@ -174,7 +174,7 @@ def create_pdf_docacessorios(docadministrativo):
     logger.info("Gerando compilado PDF de documentos acessorios com {} documentos"
                 .format(docs_path))
 
-    merger = PdfFileMerger()
+    merger = PdfFileMerger(strict=False)
     for f in docs_path:
         merger.append(fileobj=f)
 

sapl/settings.py

@@ -141,6 +141,7 @@ MIDDLEWARE = [
     'whitenoise.middleware.WhiteNoiseMiddleware',
     'django_prometheus.middleware.PrometheusAfterMiddleware',
     'waffle.middleware.WaffleMiddleware',
+    'sapl.middleware.CheckWeakPasswordMiddleware',
 ]
 if DEBUG:
     INSTALLED_APPS += ('debug_toolbar',)

sapl/templates/base/alterar_senha.html

@@ -3,6 +3,18 @@
 {% load crispy_forms_tags %}
 {% block actions %}{% endblock %}
 {% block detail_content %}
+<head>
+    <!-- TODO: Hack. Atualizar vue-bootstrap libs so we can call this in base.html and get the glyphs -->
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.10.5/font/bootstrap-icons.css">
+</head>
+    {%if request.session.weak_password %}
+          <div class="alert alert-danger" role="alert">
+              A senha utilizada pelo usuário <strong>{{request.user.username}}</strong> é fraca!
+              Uma senha forte deve ter pelo menos 8 caracteres e incluir uma combinação de letras maiúsculas
+              e minúsculas, números e caracteres especiais (por exemplo, !, $, #, @). Evitem reutilizar
+              senhas antigas ou senhas utilizadas em outros serviços.
+          </div>
+    {% endif %}
     <h1>Alterar Senha</h1>
 	{% crispy form %}
     </br>
@@ -10,3 +22,46 @@
     Favor entrar novamente com a nova senha após a mudança com sucesso.
 
 {% endblock detail_content %}
+{% block extra_js %}
+<script>
+$(document).ready(function () {
+  $("input[type='password']").each(function () {
+    const $input = $(this);
+
+    // Avoid re-wrapping
+    if ($input.parent().hasClass("password-container")) return;
+
+    // Wrap in relative container
+    const $wrapper = $('<div class="password-container position-relative mb-3"></div>');
+    $input.wrap($wrapper);
+
+    // Style input to have padding-right for icon
+    $input.css("padding-right", "2.5rem");
+
+    // Create the eye icon
+    const $eyeIcon = $(`
+      <i class="bi bi-eye password-toggle-icon"
+         style="
+           position: absolute;
+           right: 10px;
+           top: 50%;
+           transform: translateY(-50%);
+           cursor: pointer;
+           color: #6c757d;
+           font-size: 1.2rem;
+         "></i>
+    `);
+
+    // Insert icon after input
+    $input.after($eyeIcon);
+
+    // Toggle logic
+    $eyeIcon.on("click", function () {
+      const isPassword = $input.attr("type") === "password";
+      $input.attr("type", isPassword ? "text" : "password");
+      $(this).toggleClass("bi-eye bi-eye-slash");
+    });
+  });
+});
+</script>
+{% endblock %}

sapl/templates/base/login.html

@@ -13,6 +13,11 @@
 
   {% endif %} -->
 
+<head>
+    <!-- TODO: Hack. Atualizar vue-bootstrap libs so we can call this in base.html and get the glyphs -->
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.10.5/font/bootstrap-icons.css">
+</head>
+
   <div class="container mb-3">
       <div class="row">
           <div class="col-lg-4 offset-lg-4 col-8 offset-2">
@@ -32,11 +37,11 @@
 
                                 {% endif %}
                                   <tr>
-                                      <p><b><center>Usuário</center></b></p>
+                                      <p><b><center>{{form.username.label}}</center></b></p>
                                       {{ form.username }}
                                   </tr>
                                   <tr>
-                                      <p><b><center>Senha</center></b></p>
+                                      <p><b><center>{{form.password.label}}</center></b></p>
                                       {{ form.password }}
                                   </tr>
                               </table>
@@ -67,5 +72,45 @@
     {% if not user.is_authenticated %}
         $("#autenticacao") .css("display","none");
     {% endif %}
+
+    $(document).ready(function () {
+      $("input[type='password']").each(function () {
+        const $input = $(this);
+
+        // Avoid re-wrapping
+        if ($input.parent().hasClass("password-container")) return;
+
+        // Wrap in relative container
+        const $wrapper = $('<div class="password-container position-relative mb-3"></div>');
+        $input.wrap($wrapper);
+
+        // Style input to have padding-right for icon
+        $input.css("padding-right", "2.5rem");
+
+        // Create the eye icon
+        const $eyeIcon = $(`
+          <i class="bi bi-eye password-toggle-icon"
+             style="
+               position: absolute;
+               right: 10px;
+               top: 50%;
+               transform: translateY(-50%);
+               cursor: pointer;
+               color: #6c757d;
+               font-size: 1.2rem;
+             "></i>
+        `);
+
+        // Insert icon after input
+        $input.after($eyeIcon);
+
+        // Toggle logic
+        $eyeIcon.on("click", function () {
+          const isPassword = $input.attr("type") === "password";
+          $input.attr("type", isPassword ? "text" : "password");
+          $(this).toggleClass("bi-eye bi-eye-slash");
+        });
+      });
+    });
   </script>
 {% endblock %}

sapl/utils.py

@@ -1,4 +1,5 @@
 import csv
+import string
 from functools import wraps
 import hashlib
 import io
@@ -24,7 +25,7 @@ from django.contrib.contenttypes.fields import (GenericForeignKey, GenericRel,
                                                 GenericRelation)
 from django.core.exceptions import ValidationError
 from django.core.files.storage import FileSystemStorage
-from django.core.files.uploadedfile import UploadedFile, InMemoryUploadedFile,\
+from django.core.files.uploadedfile import UploadedFile, InMemoryUploadedFile, \
     TemporaryUploadedFile
 from django.core.mail import get_connection
 from django.db import models
@@ -47,7 +48,6 @@ from sapl.crispy_layout_mixin import (form_actions, SaplFormHelper,
                                       SaplFormLayout, to_row)
 from sapl.settings import MAX_DOC_UPLOAD_SIZE
 
-
 # (26/10/2018): O separador foi mudador de '/' para 'K'
 # por conta dos leitores de códigos de barra, que trocavam
 # a '/' por '&' ou ';'
@@ -55,6 +55,28 @@ SEPARADOR_HASH_PROPOSICAO = 'K'
 
 TIME_PATTERN = '^([0-1]?[0-9]|2[0-3]):[0-5][0-9]$'
 
+MIN_PASSWORD_LENGTH = 8
+
+
+def is_weak_password(password):
+    pwd_has_lowercase = False
+    pwd_has_uppercase = False
+    pwd_has_number = False
+    pwd_has_special_char = False
+
+    for c in password:
+        if c.isdigit():
+            pwd_has_number = True
+        elif c.islower():
+            pwd_has_lowercase = True
+        elif c.isupper():
+            pwd_has_uppercase = True
+        elif c in list(string.punctuation):
+            pwd_has_special_char = True
+
+    return len(password) < MIN_PASSWORD_LENGTH or not (pwd_has_lowercase and pwd_has_uppercase
+                                                       and pwd_has_number and pwd_has_special_char)
+
 
 def groups_remove_user(user, groups_name):
     from django.contrib.auth.models import Group
@@ -92,9 +114,11 @@ def num_materias_por_tipo(qs, attr_tipo='tipo'):
     qtdes = {}
 
     if attr_tipo == 'tipo':
-        def sort_function(m): return m.tipo
+        def sort_function(m):
+            return m.tipo
     else:
-        def sort_function(m): return m.materia.tipo
+        def sort_function(m):
+            return m.materia.tipo
 
     # select_related eh importante por questoes de desempenho, pois caso
     # contrario ele realizara uma consulta ao banco para cada iteracao,
@@ -113,12 +137,12 @@ def validar_arquivo(arquivo, nome_campo):
         raise ValidationError(
             "Certifique-se de que o nome do arquivo no "
             "campo '" + nome_campo + "' tenha no máximo 200 caracteres "
-            "(ele possui {})".format(len(arquivo.name))
+                                     "(ele possui {})".format(len(arquivo.name))
         )
     if arquivo.size > MAX_DOC_UPLOAD_SIZE:
         raise ValidationError(
             "O arquivo " + nome_campo + " deve ser menor que "
-            "{0:.1f} mb, o tamanho atual desse arquivo é {1:.1f} mb".format(
+                                        "{0:.1f} mb, o tamanho atual desse arquivo é {1:.1f} mb".format(
                 (MAX_DOC_UPLOAD_SIZE / 1024) / 1024,
                 (arquivo.size / 1024) / 1024
             )
@@ -148,7 +172,6 @@ def dont_break_out(value, max_part=50):
 
 
 def clear_thumbnails_cache(queryset, field):
-
     for r in queryset:
         assert hasattr(r, field), _(
             'Objeto da listagem não possui o campo informado')
@@ -213,6 +236,7 @@ def montar_row_autor(name):
 
     return autor_row
 
+
 # TODO: Esta função é utilizada?
 
 
@@ -284,7 +308,6 @@ class SaplGenericRelation(GenericRelation):
     """
 
     def __init__(self, to, fields_search=(), **kwargs):
-
         assert 'related_query_name' in kwargs, _(
             'SaplGenericRelation não pode ser instanciada sem '
             'related_query_name.')
@@ -337,8 +360,8 @@ class RangeWidgetOverride(forms.MultiWidget):
                 )
             )
 
-        html = '<div class="col-sm-6">%s</div><div class="col-sm-6">%s</div>'\
+        html = '<div class="col-sm-6">%s</div><div class="col-sm-6">%s</div>' \
-            % tuple(rendered_widgets)
+               % tuple(rendered_widgets)
         return '<div class="row">%s</div>' % html
 
 
@@ -355,8 +378,8 @@ class CustomSplitDateTimeWidget(SplitDateTimeWidget):
                 )
             )
 
-        html = '<div class="col-6">%s</div><div class="col-6">%s</div>'\
+        html = '<div class="col-6">%s</div><div class="col-6">%s</div>' \
-            % tuple(rendered_widgets)
+               % tuple(rendered_widgets)
         return '<div class="row">%s</div>' % html
 
 
@@ -417,7 +440,6 @@ YES_NO_CHOICES = [(True, _('Sim')), (False, _('Não'))]
 
 
 def listify(function):
-
     @wraps(function)
     def f(*args, **kwargs):
         return list(function(*args, **kwargs))
@@ -613,7 +635,6 @@ TIPOS_IMG_PERMITIDOS = (
 
 
 def fabrica_validador_de_tipos_de_arquivo(lista, nome):
-
     def restringe_tipos_de_arquivo(value):
 
         filename = value.name if type(value) in (
@@ -649,7 +670,6 @@ def intervalos_tem_intersecao(a_inicio, a_fim, b_inicio, b_fim):
 
 
 class MateriaPesquisaOrderingFilter(django_filters.OrderingFilter):
-
     choices = (
         ('', 'Selecione'),
         ('dataC', 'Data, Tipo, Ano, Numero - Ordem Crescente'),
@@ -675,7 +695,6 @@ class MateriaPesquisaOrderingFilter(django_filters.OrderingFilter):
 
 
 class NormaPesquisaOrderingFilter(django_filters.OrderingFilter):
-
     choices = (
         ('', 'Selecione'),
         ('dataC', 'Data, Tipo, Ano, Numero - Ordem Crescente'),
@@ -733,7 +752,6 @@ class FileFieldCheckMixin(BaseForm):
 
 
 class AnoNumeroOrderingFilter(django_filters.OrderingFilter):
-
     choices = (('DEC', 'Ordem Decrescente'),
                ('CRE', 'Ordem Crescente'),)
     order_by_mapping = {
@@ -774,8 +792,8 @@ def models_with_gr_for_model(model):
         lambda x: x.related_model,
         filter(
             lambda obj: obj.is_relation and
-            hasattr(obj, 'field') and
+                        hasattr(obj, 'field') and
-            isinstance(obj, GenericRel),
+                        isinstance(obj, GenericRel),
 
             model._meta.get_fields(include_hidden=True))
     ))
@@ -802,9 +820,9 @@ def generic_relations_for_model(model):
         lambda x: (x,
                    list(filter(
                        lambda field: (
-                           isinstance(
+                               isinstance(
-                               field, SaplGenericRelation) and
+                                   field, SaplGenericRelation) and
-                           field.related_model == model),
+                               field.related_model == model),
                        x._meta.get_fields(include_hidden=True)))),
         models_with_gr_for_model(model)
     ))
@@ -852,13 +870,13 @@ def texto_upload_path(instance, filename, subpath='', pk_first=False):
         subpath = '_'
 
     path = str_path % \
-        {
+           {
-            'prefix': prefix,
+               'prefix': prefix,
-            'model_name': instance._meta.model_name,
+               'model_name': instance._meta.model_name,
-            'pk': instance.pk,
+               'pk': instance.pk,
-            'subpath': subpath,
+               'subpath': subpath,
-            'filename': filename
+               'filename': filename
-        }
+           }
 
     return path
 
@@ -1040,7 +1058,6 @@ def remover_acentos(string):
 
 
 def mail_service_configured(request=None):
-
     logger = logging.getLogger(__name__)
 
     if settings.EMAIL_RUNNING is None:
@@ -1079,6 +1096,7 @@ def timing(f):
         logger.info('funcao:%r args:[%r, %r] took: %2.4f sec' %
                     (f.__name__, args, kw, te - ts))
         return result
+
     return wrap
 
 
@@ -1150,7 +1168,6 @@ def get_tempfile_dir():
 
 
 class GoogleRecapthaMixin:
-
     logger = logging.getLogger(__name__)
 
     def __init__(self, *args, **kwargs):
@@ -1163,9 +1180,9 @@ class GoogleRecapthaMixin:
         row1 = to_row(
             [
                 (Div(
-                 css_class="g-recaptcha float-right",  # if not settings.DEBUG else '',
+                    css_class="g-recaptcha float-right",  # if not settings.DEBUG else '',
-                 data_sitekey=AppConfig.attr('google_recaptcha_site_key')
+                    data_sitekey=AppConfig.attr('google_recaptcha_site_key')
-                 ), 5),
+                ), 5),
                 ('email', 7),
 
             ]
@@ -1296,7 +1313,6 @@ def get_path_to_name_report_map():
 
 
 class MultiFormatOutputMixin:
-
     formats_impl = 'csv', 'xlsx', 'json'
 
     queryset_values_for_formats = True