marc/goodie
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
66383adf0679bfa42405e0e64208abdfa636f2e3
goodie/addons/account/models/account_lock.go
Marc 66383adf06 feat: Portal, Email Inbound, Discuss + module improvements 
- Portal: /my/* routes, signup, password reset, portal user support
- Email Inbound: IMAP polling (go-imap/v2), thread matching
- Discuss: mail.channel, long-polling bus, DM, unread count
- Cron: ir.cron runner (goroutine scheduler)
- Bank Import, CSV/Excel Import
- Automation (ir.actions.server)
- Fetchmail service
- HR Payroll model
- Various fixes across account, sale, stock, purchase, crm, hr, project

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 18:41:57 +02:00

300 lines
9.7 KiB
Go
Raw Blame History

package models
import (
"crypto/sha256"
"fmt"
"strings"
"odoo-go/pkg/orm"
)
// initAccountLock registers entry locking and hash chain integrity features.
// Mirrors: odoo/addons/account/models/account_move.py (hash chain features)
//
// France, Belgium and other countries require an immutable audit trail.
// Posted entries are hashed in sequence; any tampering breaks the chain.
func initAccountLock() {
ext := orm.ExtendModel("account.move")
ext.AddFields(
orm.Char("inalterable_hash", orm.FieldOpts{
String: "Inalterability Hash",
Readonly: true,
Help: "Secure hash for preventing tampering with posted entries",
}),
orm.Char("secure_sequence_number", orm.FieldOpts{
String: "Inalterability No.",
Readonly: true,
}),
orm.Boolean("restrict_mode_hash_table", orm.FieldOpts{
String: "Lock with Hash",
Related: "journal_id.restrict_mode_hash_table",
}),
orm.Char("string_to_hash", orm.FieldOpts{
String: "Data to Hash",
Compute: "_compute_string_to_hash",
Help: "Concatenation of fields used for hashing",
}),
)
// _compute_string_to_hash: generates the string representation of the move
// used for hash computation. Includes date, journal, partner, amounts, and company VAT.
// Mirrors: odoo/addons/account/models/account_move.py _compute_string_to_hash()
//
// The company VAT is included to ensure entries from different legal entities
// produce distinct hashes even when all other fields match.
ext.RegisterCompute("string_to_hash", func(rs *orm.Recordset) (orm.Values, error) {
env := rs.Env()
moveID := rs.IDs()[0]
var name, moveType, state string
var date interface{}
var companyID, journalID int64
var partnerID *int64
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(name, '/'), COALESCE(move_type, 'entry'), COALESCE(state, 'draft'),
date, COALESCE(company_id, 0), COALESCE(journal_id, 0), partner_id
FROM account_move WHERE id = $1`, moveID,
).Scan(&name, &moveType, &state, &date, &companyID, &journalID, &partnerID)
// Fetch company VAT for inclusion in the hash
var companyVAT string
if companyID > 0 {
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(p.vat, '')
FROM res_company c
LEFT JOIN res_partner p ON p.id = c.partner_id
WHERE c.id = $1`, companyID,
).Scan(&companyVAT)
}
// Include line amounts
rows, err := env.Tx().Query(env.Ctx(),
`SELECT COALESCE(account_id, 0), COALESCE(debit::float8, 0), COALESCE(credit::float8, 0),
COALESCE(name, '')
FROM account_move_line WHERE move_id = $1 ORDER BY id`, moveID)
if err != nil {
return orm.Values{"string_to_hash": ""}, nil
}
defer rows.Close()
var lineData []string
for rows.Next() {
var accID int64
var debit, credit float64
var label string
rows.Scan(&accID, &debit, &credit, &label)
lineData = append(lineData, fmt.Sprintf("%d|%.2f|%.2f|%s", accID, debit, credit, label))
}
pid := int64(0)
if partnerID != nil {
pid = *partnerID
}
hashStr := fmt.Sprintf("%s|%s|%v|%d|%d|%d|%s|%s",
name, moveType, date, companyID, journalID, pid,
strings.Join(lineData, ";"), companyVAT)
return orm.Values{"string_to_hash": hashStr}, nil
})
// action_hash_entry: computes and stores the hash for a posted entry.
// Mirrors: odoo/addons/account/models/account_move.py _hash_move()
ext.RegisterMethod("action_hash_entry", func(rs *orm.Recordset, args ...interface{}) (interface{}, error) {
env := rs.Env()
for _, moveID := range rs.IDs() {
var state string
var journalID int64
var restrictHash bool
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(m.state, 'draft'), COALESCE(m.journal_id, 0),
COALESCE(j.restrict_mode_hash_table, false)
FROM account_move m
LEFT JOIN account_journal j ON j.id = m.journal_id
WHERE m.id = $1`, moveID,
).Scan(&state, &journalID, &restrictHash)
if state != "posted" || !restrictHash {
continue
}
// Already hashed?
var existingHash *string
env.Tx().QueryRow(env.Ctx(),
`SELECT inalterable_hash FROM account_move WHERE id = $1`, moveID,
).Scan(&existingHash)
if existingHash != nil && *existingHash != "" {
continue // already hashed
}
// Get the string to hash
var stringToHash string
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(name, '/') || '|' || COALESCE(move_type, 'entry') || '|' ||
COALESCE(date::text, '') || '|' || COALESCE(company_id::text, '0')
FROM account_move WHERE id = $1`, moveID,
).Scan(&stringToHash)
// Include lines
lineRows, _ := env.Tx().Query(env.Ctx(),
`SELECT COALESCE(account_id, 0), COALESCE(debit::float8, 0), COALESCE(credit::float8, 0)
FROM account_move_line WHERE move_id = $1 ORDER BY id`, moveID)
if lineRows != nil {
for lineRows.Next() {
var accID int64
var debit, credit float64
lineRows.Scan(&accID, &debit, &credit)
stringToHash += fmt.Sprintf("|%d:%.2f:%.2f", accID, debit, credit)
}
lineRows.Close()
}
// Get previous hash in the chain
var prevHash string
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(inalterable_hash, '')
FROM account_move
WHERE journal_id = $1 AND state = 'posted' AND inalterable_hash IS NOT NULL
AND inalterable_hash != '' AND id < $2
ORDER BY secure_sequence_number DESC, id DESC LIMIT 1`,
journalID, moveID,
).Scan(&prevHash)
// Compute hash: SHA-256 of (previous_hash + string_to_hash)
hashInput := prevHash + stringToHash
hash := sha256.Sum256([]byte(hashInput))
hashHex := fmt.Sprintf("%x", hash)
// Get next secure sequence number
var nextSeq int64
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(MAX(CAST(secure_sequence_number AS INTEGER)), 0) + 1
FROM account_move WHERE journal_id = $1 AND secure_sequence_number IS NOT NULL`,
journalID,
).Scan(&nextSeq)
env.Tx().Exec(env.Ctx(),
`UPDATE account_move SET inalterable_hash = $1, secure_sequence_number = $2 WHERE id = $3`,
hashHex, fmt.Sprintf("%d", nextSeq), moveID)
}
return true, nil
})
// action_check_hash_integrity: verify the hash chain for a journal.
// Mirrors: odoo/addons/account/models/account_move.py _check_hash_integrity()
ext.RegisterMethod("action_check_hash_integrity", func(rs *orm.Recordset, args ...interface{}) (interface{}, error) {
env := rs.Env()
moveID := rs.IDs()[0]
var journalID int64
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(journal_id, 0) FROM account_move WHERE id = $1`, moveID,
).Scan(&journalID)
if journalID == 0 {
return nil, fmt.Errorf("account: no journal found for move %d", moveID)
}
// Read all hashed entries for this journal in order
rows, err := env.Tx().Query(env.Ctx(),
`SELECT id, COALESCE(inalterable_hash, ''),
COALESCE(name, '/') || '|' || COALESCE(move_type, 'entry') || '|' ||
COALESCE(date::text, '') || '|' || COALESCE(company_id::text, '0')
FROM account_move
WHERE journal_id = $1 AND state = 'posted'
AND inalterable_hash IS NOT NULL AND inalterable_hash != ''
ORDER BY CAST(secure_sequence_number AS INTEGER), id`, journalID)
if err != nil {
return nil, fmt.Errorf("account: query hashed entries: %w", err)
}
defer rows.Close()
prevHash := ""
entryCount := 0
for rows.Next() {
var id int64
var storedHash, baseStr string
if err := rows.Scan(&id, &storedHash, &baseStr); err != nil {
return nil, fmt.Errorf("account: scan hash entry: %w", err)
}
// Include lines for this entry
lineRows, _ := env.Tx().Query(env.Ctx(),
`SELECT COALESCE(account_id, 0), COALESCE(debit::float8, 0), COALESCE(credit::float8, 0)
FROM account_move_line WHERE move_id = $1 ORDER BY id`, id)
stringToHash := baseStr
if lineRows != nil {
for lineRows.Next() {
var accID int64
var debit, credit float64
lineRows.Scan(&accID, &debit, &credit)
stringToHash += fmt.Sprintf("|%d:%.2f:%.2f", accID, debit, credit)
}
lineRows.Close()
}
// Verify hash
hashInput := prevHash + stringToHash
expectedHash := sha256.Sum256([]byte(hashInput))
expectedHex := fmt.Sprintf("%x", expectedHash)
if storedHash != expectedHex {
return map[string]interface{}{
"status": "corrupted",
"message": fmt.Sprintf("Hash chain broken at entry %d", id),
"entries_checked": entryCount,
}, nil
}
prevHash = storedHash
entryCount++
}
return map[string]interface{}{
"status": "valid",
"message": "All entries verified successfully",
"entries_checked": entryCount,
}, nil
})
}
// initAccountSequence registers sequence generation helpers for accounting.
// Mirrors: odoo/addons/account/models/sequence_mixin.py
func initAccountSequence() {
// account.sequence.mixin fields on account.move (already mostly handled via sequence_prefix/number)
// This extends with the date-range based sequences
ext := orm.ExtendModel("account.move")
ext.AddFields(
orm.Char("highest_name", orm.FieldOpts{
String: "Highest Name",
Compute: "_compute_highest_name",
Help: "Technical: highest sequence name in the same journal for ordering",
}),
orm.Boolean("made_sequence_hole", orm.FieldOpts{
String: "Sequence Hole",
Help: "Technical: whether this entry created a gap in the sequence",
Default: false,
}),
)
ext.RegisterCompute("highest_name", func(rs *orm.Recordset) (orm.Values, error) {
env := rs.Env()
moveID := rs.IDs()[0]
var journalID int64
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(journal_id, 0) FROM account_move WHERE id = $1`, moveID,
).Scan(&journalID)
var highest string
env.Tx().QueryRow(env.Ctx(),
`SELECT COALESCE(MAX(name), '/') FROM account_move
WHERE journal_id = $1 AND name != '/' AND state = 'posted'`,
journalID,
).Scan(&highest)
return orm.Values{"highest_name": highest}, nil
})
}
Reference in New Issue View Git Blame Copy Permalink