feat: implement custom fields, gantt view, calendar view, and file encryption

- Custom Fields (FEAT-001): - CustomField and TaskCustomValue models with formula support - CRUD API for custom field management - Formula engine for calculated fields - Frontend: CustomFieldEditor, CustomFieldInput, ProjectSettings page - Task list API now includes custom_values - KanbanBoard displays custom field values - Gantt View (FEAT-003): - TaskDependency model with FS/SS/FF/SF dependency types - Dependency CRUD API with cycle detection - start_date field added to tasks - GanttChart component with Frappe Gantt integration - Dependency type selector in UI - Calendar View (FEAT-004): - CalendarView component with FullCalendar integration - Date range filtering API for tasks - Drag-and-drop date updates - View mode switching in Tasks page - File Encryption (FEAT-010): - AES-256-GCM encryption service - EncryptionKey model with key rotation support - Admin API for key management - Encrypted upload/download for confidential projects - Migrations: 011 (custom fields), 012 (encryption keys), 013 (task dependencies) - Updated issues.md with completion status 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-05 23:39:12 +08:00
parent 69b81d9241
commit 2d80a8384e
65 changed files with 11045 additions and 82 deletions
--- a/backend/app/api/attachments/router.py
+++ b/backend/app/api/attachments/router.py
@@ -1,5 +1,7 @@
 import uuid
+import logging
 from datetime import datetime
+from io import BytesIO
 from fastapi import APIRouter, Depends, HTTPException, UploadFile, File, Request
 from fastapi.responses import FileResponse, Response
 from sqlalchemy.orm import Session
@@ -7,7 +9,7 @@ from typing import Optional

 from app.core.database import get_db
 from app.middleware.auth import get_current_user, check_task_access, check_task_edit_access
-from app.models import User, Task, Project, Attachment, AttachmentVersion, AuditAction
+from app.models import User, Task, Project, Attachment, AttachmentVersion, EncryptionKey, AuditAction
 from app.schemas.attachment import (
    AttachmentResponse, AttachmentListResponse, AttachmentDetailResponse,
    AttachmentVersionResponse, VersionHistoryResponse
@@ -15,6 +17,13 @@ from app.schemas.attachment import (
 from app.services.file_storage_service import file_storage_service
 from app.services.audit_service import AuditService
 from app.services.watermark_service import watermark_service
+from app.services.encryption_service import (
+    encryption_service,
+    MasterKeyNotConfiguredError,
+    DecryptionError,
+)
+
+logger = logging.getLogger(__name__)

 router = APIRouter(prefix="/api", tags=["attachments"])

@@ -103,6 +112,40 @@ def version_to_response(version: AttachmentVersion) -> AttachmentVersionResponse
    )


+def should_encrypt_file(project: Project, db: Session) -> tuple[bool, Optional[EncryptionKey]]:
+    """
+    Determine if a file should be encrypted based on project security level.
+
+    Returns:
+        Tuple of (should_encrypt, encryption_key)
+    """
+    # Only encrypt for confidential projects
+    if project.security_level != "confidential":
+        return False, None
+
+    # Check if encryption is available
+    if not encryption_service.is_encryption_available():
+        logger.warning(
+            f"Project {project.id} is confidential but encryption is not configured. "
+            "Files will be stored unencrypted."
+        )
+        return False, None
+
+    # Get active encryption key
+    active_key = db.query(EncryptionKey).filter(
+        EncryptionKey.is_active == True
+    ).first()
+
+    if not active_key:
+        logger.warning(
+            f"Project {project.id} is confidential but no active encryption key exists. "
+            "Files will be stored unencrypted. Create a key using /api/admin/encryption-keys/rotate"
+        )
+        return False, None
+
+    return True, active_key
+
+
@router.post("/tasks/{task_id}/attachments", response_model=AttachmentResponse)
 async def upload_attachment(
    task_id: str,
@@ -111,10 +154,22 @@ async def upload_attachment(
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user)
 ):
-    """Upload a file attachment to a task."""
+    """
+    Upload a file attachment to a task.
+
+    For confidential projects, files are automatically encrypted using AES-256-GCM.
+    """
    task = get_task_with_access_check(db, task_id, current_user, require_edit=True)

-    # Check if attachment with same filename exists (for versioning in Phase 2)
+    # Get project to check security level
+    project = db.query(Project).filter(Project.id == task.project_id).first()
+    if not project:
+        raise HTTPException(status_code=404, detail="Project not found")
+
+    # Determine if encryption is needed
+    should_encrypt, encryption_key = should_encrypt_file(project, db)
+
+    # Check if attachment with same filename exists (for versioning)
    existing = db.query(Attachment).filter(
        Attachment.task_id == task_id,
        Attachment.original_filename == file.filename,
@@ -122,17 +177,73 @@ async def upload_attachment(
    ).first()

    if existing:
-        # Phase 2: Create new version
+        # Create new version for existing attachment
        new_version = existing.current_version + 1

-        # Save file
-        file_path, file_size, checksum = await file_storage_service.save_file(
-            file=file,
-            project_id=task.project_id,
-            task_id=task_id,
-            attachment_id=existing.id,
-            version=new_version
-        )
+        if should_encrypt and encryption_key:
+            # Read and encrypt file content
+            file_content = await file.read()
+            await file.seek(0)
+
+            try:
+                # Decrypt the encryption key
+                raw_key = encryption_service.decrypt_key(encryption_key.key_data)
+                # Encrypt the file
+                encrypted_content = encryption_service.encrypt_bytes(file_content, raw_key)
+
+                # Create a new UploadFile-like object with encrypted content
+                encrypted_file = BytesIO(encrypted_content)
+                encrypted_file.seek(0)
+
+                # Save encrypted file using a modified approach
+                file_path, _, checksum = await file_storage_service.save_file(
+                    file=file,
+                    project_id=task.project_id,
+                    task_id=task_id,
+                    attachment_id=existing.id,
+                    version=new_version
+                )
+
+                # Overwrite with encrypted content
+                with open(file_path, "wb") as f:
+                    f.write(encrypted_content)
+
+                file_size = len(encrypted_content)
+
+                # Update existing attachment with encryption info
+                existing.is_encrypted = True
+                existing.encryption_key_id = encryption_key.id
+
+                # Audit log for encryption
+                AuditService.log_event(
+                    db=db,
+                    event_type="attachment.encrypt",
+                    resource_type="attachment",
+                    action=AuditAction.UPDATE,
+                    user_id=current_user.id,
+                    resource_id=existing.id,
+                    changes=[
+                        {"field": "is_encrypted", "old_value": False, "new_value": True},
+                        {"field": "encryption_key_id", "old_value": None, "new_value": encryption_key.id},
+                    ],
+                    request_metadata=getattr(request.state, "audit_metadata", None),
+                )
+
+            except Exception as e:
+                logger.error(f"Failed to encrypt file for attachment {existing.id}: {e}")
+                raise HTTPException(
+                    status_code=500,
+                    detail="Failed to encrypt file. Please try again."
+                )
+        else:
+            # Save file without encryption
+            file_path, file_size, checksum = await file_storage_service.save_file(
+                file=file,
+                project_id=task.project_id,
+                task_id=task_id,
+                attachment_id=existing.id,
+                version=new_version
+            )

        # Create version record
        version = AttachmentVersion(
@@ -170,15 +281,52 @@ async def upload_attachment(

    # Create new attachment
    attachment_id = str(uuid.uuid4())
+    is_encrypted = False
+    encryption_key_id = None

-    # Save file
-    file_path, file_size, checksum = await file_storage_service.save_file(
-        file=file,
-        project_id=task.project_id,
-        task_id=task_id,
-        attachment_id=attachment_id,
-        version=1
-    )
+    if should_encrypt and encryption_key:
+        # Read and encrypt file content
+        file_content = await file.read()
+        await file.seek(0)
+
+        try:
+            # Decrypt the encryption key
+            raw_key = encryption_service.decrypt_key(encryption_key.key_data)
+            # Encrypt the file
+            encrypted_content = encryption_service.encrypt_bytes(file_content, raw_key)
+
+            # Save file first to get path
+            file_path, _, checksum = await file_storage_service.save_file(
+                file=file,
+                project_id=task.project_id,
+                task_id=task_id,
+                attachment_id=attachment_id,
+                version=1
+            )
+
+            # Overwrite with encrypted content
+            with open(file_path, "wb") as f:
+                f.write(encrypted_content)
+
+            file_size = len(encrypted_content)
+            is_encrypted = True
+            encryption_key_id = encryption_key.id
+
+        except Exception as e:
+            logger.error(f"Failed to encrypt new file: {e}")
+            raise HTTPException(
+                status_code=500,
+                detail="Failed to encrypt file. Please try again."
+            )
+    else:
+        # Save file without encryption
+        file_path, file_size, checksum = await file_storage_service.save_file(
+            file=file,
+            project_id=task.project_id,
+            task_id=task_id,
+            attachment_id=attachment_id,
+            version=1
+        )

    # Get mime type from file storage validation
    extension = file_storage_service.get_extension(file.filename or "")
@@ -193,7 +341,8 @@ async def upload_attachment(
        mime_type=mime_type,
        file_size=file_size,
        current_version=1,
-        is_encrypted=False,
+        is_encrypted=is_encrypted,
+        encryption_key_id=encryption_key_id,
        uploaded_by=current_user.id
    )
    db.add(attachment)
@@ -211,6 +360,10 @@ async def upload_attachment(
    db.add(version)

    # Audit log
+    changes = [{"field": "filename", "old_value": None, "new_value": attachment.filename}]
+    if is_encrypted:
+        changes.append({"field": "is_encrypted", "old_value": None, "new_value": True})
+
    AuditService.log_event(
        db=db,
        event_type="attachment.upload",
@@ -218,7 +371,7 @@ async def upload_attachment(
        action=AuditAction.CREATE,
        user_id=current_user.id,
        resource_id=attachment.id,
-        changes=[{"field": "filename", "old_value": None, "new_value": attachment.filename}],
+        changes=changes,
        request_metadata=getattr(request.state, "audit_metadata", None)
    )

@@ -286,7 +439,11 @@ async def download_attachment(
    db: Session = Depends(get_db),
    current_user: User = Depends(get_current_user)
 ):
-    """Download an attachment file with dynamic watermark."""
+    """
+    Download an attachment file with dynamic watermark.
+
+    For encrypted files, the file is automatically decrypted before returning.
+    """
    attachment = get_attachment_with_access_check(db, attachment_id, current_user, require_edit=False)

    # Get version to download
@@ -319,14 +476,69 @@ async def download_attachment(
    )
    db.commit()

+    # Read file content
+    with open(file_path, "rb") as f:
+        file_bytes = f.read()
+
+    # Decrypt if encrypted
+    if attachment.is_encrypted:
+        if not attachment.encryption_key_id:
+            raise HTTPException(
+                status_code=500,
+                detail="Encrypted file is missing encryption key reference"
+            )
+
+        encryption_key = db.query(EncryptionKey).filter(
+            EncryptionKey.id == attachment.encryption_key_id
+        ).first()
+
+        if not encryption_key:
+            raise HTTPException(
+                status_code=500,
+                detail="Encryption key not found for this file"
+            )
+
+        try:
+            # Decrypt the encryption key
+            raw_key = encryption_service.decrypt_key(encryption_key.key_data)
+            # Decrypt the file
+            file_bytes = encryption_service.decrypt_bytes(file_bytes, raw_key)
+
+            # Audit log for decryption
+            AuditService.log_event(
+                db=db,
+                event_type="attachment.decrypt",
+                resource_type="attachment",
+                action=AuditAction.UPDATE,
+                user_id=current_user.id,
+                resource_id=attachment.id,
+                changes=[{"field": "decrypted_for_download", "old_value": None, "new_value": True}],
+                request_metadata=getattr(request.state, "audit_metadata", None) if request else None,
+            )
+            db.commit()
+
+        except DecryptionError as e:
+            logger.error(f"Failed to decrypt attachment {attachment_id}: {e}")
+            raise HTTPException(
+                status_code=500,
+                detail="Failed to decrypt file. The file may be corrupted."
+            )
+        except MasterKeyNotConfiguredError:
+            raise HTTPException(
+                status_code=500,
+                detail="Encryption is not configured. Cannot decrypt file."
+            )
+        except Exception as e:
+            logger.error(f"Unexpected error decrypting attachment {attachment_id}: {e}")
+            raise HTTPException(
+                status_code=500,
+                detail="Failed to decrypt file."
+            )
+
    # Check if watermark should be applied
    mime_type = attachment.mime_type or ""
    if watermark_service.supports_watermark(mime_type):
        try:
-            # Read the original file
-            with open(file_path, "rb") as f:
-                file_bytes = f.read()
-
            # Apply watermark based on file type
            if watermark_service.is_supported_image(mime_type):
                watermarked_bytes, output_format = watermark_service.add_image_watermark(
@@ -367,19 +579,19 @@ async def download_attachment(
                )

        except Exception as e:
-            # If watermarking fails, log the error but still return the original file
-            # This ensures users can still download files even if watermarking has issues
-            import logging
-            logging.getLogger(__name__).warning(
+            # If watermarking fails, log the error but still return the file
+            logger.warning(
                f"Watermarking failed for attachment {attachment_id}: {str(e)}. "
-                "Returning original file."
+                "Returning file without watermark."
            )

-    # Return original file without watermark for unsupported types or on error
-    return FileResponse(
-        path=str(file_path),
-        filename=attachment.original_filename,
-        media_type=attachment.mime_type
+    # Return file (decrypted if needed, without watermark for unsupported types)
+    return Response(
+        content=file_bytes,
+        media_type=attachment.mime_type,
+        headers={
+            "Content-Disposition": f'attachment; filename="{attachment.original_filename}"'
+        }
    )