From d0c012090dfea06142584dfc92da2b49409b0678 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Tue, 30 Apr 2024 21:40:53 +0200
Subject: [PATCH 1/3] Enable again and configure LDAP correctly

---
 conf/local.py.j2 | 67 ++++++++++++++++++++++--------------------
 manifest.toml | 28 ++++++++++++++++----
 scripts/install | 2 +-
 scripts/upgrade | 2 +-
 4 files changed, 56 insertions(+), 43 deletions(-)

diff --git a/conf/local.py.j2 b/conf/local.py.j2
index 39ffa11..0654bae 100644
--- a/conf/local.py.j2
+++ b/conf/local.py.j2
@@ -43,39 +43,34 @@ EMAIL_HOST = '{{ domain }}'
 EMAIL_HOST_USER = '{{ app }}@{{ domain }}'
 EMAIL_HOST_PASSWORD = '{{ mail_pwd }}'
 
-# # Tous acces
-# # parametrer SSO en protect_uris
-# # OU
-# # Pas d'acces
-# # hook
-# # parametrer SSO en protect_uris
-# import ldap
-# from django_auth_ldap.config import LDAPSearch, PosixGroupType
-# AUTHENTICATION_BACKENDS = (
-# 'django_auth_ldap.backend.LDAPBackend',
-# 'django.contrib.auth.backends.ModelBackend',
-# )
-# AUTH_LDAP_SERVER_URI = "ldap://localhost:389"
-# AUTH_LDAP_USER_SEARCH = LDAPSearch("uid={{ admin }},ou=users,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
-# AUTH_LDAP_USER_ATTR_MAP = {
-# "username": "uid",
-# "first_name": "givenName",
-# "last_name": "sn",
-# "email": "mail",
-# }
-# AUTH_LDAP_USER_FLAGS_BY_GROUP = {
-# "is_active": "cn=sftpusers,ou=groups,dc=yunohost,dc=org",
-# "is_staff": "cn=sftpusers,ou=groups,dc=yunohost,dc=org",
-# "is_superuser": "cn=sftpusers,ou=groups,dc=yunohost,dc=org"
-# }
-# AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)")
-# AUTH_LDAP_GROUP_TYPE = PosixGroupType()
-# AUTH_LDAP_ALWAYS_UPDATE_USER = True
-# AUTH_LDAP_AUTHORIZE_ALL_USERS = True
-# AUTH_LDAP_FIND_GROUP_PERMS = True
-# #AUTH_LDAP_CACHE_GROUPS = True
-# #AUTH_LDAP_GROUP_CACHE_TIMEOUT = 300
-# #import logging
-# #logger = logging.getLogger('django_auth_ldap')
-# #logger.addHandler(logging.StreamHandler())
-# #logger.setLevel(logging.DEBUG)
+# Tous acces
+import ldap
+from django_auth_ldap.config import LDAPSearch, MemberDNGroupType
+AUTHENTICATION_BACKENDS = (
+ 'django_auth_ldap.backend.LDAPBackend',
+ 'django.contrib.auth.backends.ModelBackend',
+)
+AUTH_LDAP_SERVER_URI = "ldap://localhost:389"
+AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
+AUTH_LDAP_USER_ATTR_MAP = {
+ "username": "uid",
+ "first_name": "givenName",
+ "last_name": "sn",
+ "email": "mail",
+}
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+ "is_active": "cn={{ app }}.main,ou=permission,dc=yunohost,dc=org",
+ "is_staff": "cn={{ app }}.staff,ou=permission,dc=yunohost,dc=org",
+ "is_superuser": "cn={{ app }}.superadmin,ou=permission,dc=yunohost,dc=org"
+}
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=permission,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE)
+AUTH_LDAP_GROUP_TYPE = MemberDNGroupType("inheritPermission", "permissionYnh")
+AUTH_LDAP_ALWAYS_UPDATE_USER = True
+AUTH_LDAP_AUTHORIZE_ALL_USERS = False
+AUTH_LDAP_FIND_GROUP_PERMS = True
+AUTH_LDAP_CACHE_GROUPS = True
+AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1000
+# import logging
+# logger = logging.getLogger('django_auth_ldap')
+# logger.addHandler(logging.StreamHandler())
+# logger.setLevel(logging.DEBUG)
diff --git a/manifest.toml b/manifest.toml
index cc86077..6ebaab8 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -31,10 +31,6 @@ ram.runtime = "50M"
 # this is a generic question - ask strings are automatically handled by Yunohost's core
 type = "domain"
 
- [install.admin]
- # this is a generic question - ask strings are automatically handled by Yunohost's core
- type = "user"
-
 [install.email]
 ask.en = "Choose email were send notification"
 ask.fr = "Choisissez l'email vers lequel envoyer les notifications"
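Review bot: `AUTHENTICATION_BACKENDS` keeps `django.contrib.auth.backends.ModelBackend` behind the LDAP backend, so any account that lives in Django's own user table (for instance a superuser created before this change) keeps logging in with its stored password and flags regardless of the `{{ app }}.main`/`.staff`/`.superadmin` permissions computed in `AUTH_LDAP_USER_FLAGS_BY_GROUP`. If that is meant as a fallback it deserves a comment on the backends tuple, e.g. `# ModelBackend kept as fallback: local Django accounts are not subject to the YunoHost permission checks below`. `AUTH_LDAP_CACHE_GROUPS = True` with `AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1000` lets group-derived data lag a YunoHost permission change by up to about 17 minutes; a comment stating that trade-off, and confirming whether the `is_*` flags are served from that cache or looked up live, would help whoever audits access later. The hunk runs to the end of the template.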
@@ -53,6 +49,22 @@ ram.runtime = "50M"
 type = "string"
 example = "https://www.exemple.tld"
 
+ [install.init_staff_permission]
+ ask.en = "Which group will have the staff access"
+ ask.fr = "Quel groupe aura accès l'accès en tant que staff"
+ help.en = "Users of this group should have access to the Coin admin page"
+ help.fr = "Les utilisateurs de ce groupe devrait avoir accès à la page d'administration de Coin"
+ type = "group"
+ default = "admins"
+
+ [install.init_superadmin_permission]
+ ask.en = "Which group will have the superadmin access"
+ ask.fr = "Quel groupe aura accès l'accès en tant que super admin"
+ help.en = "Users of this group should have all access on the Coin admin page"
+ help.fr = "Les utilisateurs de ce groupe devrait avoir tout les accès sur la page d'administration de Coin"
+ type = "group"
+ default = "admins"
+
 [resources]
 [resources.sources.main]
 url = "https://code.ffdn.org/ffdn/coin/-/archive/bcaad5f.tar.gz"
@@ -66,7 +78,13 @@ ram.runtime = "50M"
 
 [resources.permissions]
 main.url = "/"
- main.allowed = "visitors"
+ main.allowed = ["visitors", "all_users"]
+
+ staff.show_tile = false
+ staff.label = "Staff"
+
+ superadmin.show_tile = false
+ superadmin.label = "Super admin"
 
 [resources.apt]
 packages = "gunicorn, python3, python3-venv, libpq-dev, libsasl2-dev, libjpeg-dev, libxml2-dev, libxslt1-dev, libpango1.0-0, postgresql, postgresql-contrib, postgresql-server-dev-13"
diff --git a/scripts/install b/scripts/install
index 3133d5b..89507fb 100644
--- a/scripts/install
+++ b/scripts/install
@@ -28,7 +28,7 @@ pushd "$install_dir"
 python3 -m venv venv
 venv/bin/pip install --upgrade pip
 venv/bin/pip install gunicorn
- #echo "django-auth-ldap<1.4" >> $install_dir/requirements.txt
+ echo "django-auth-ldap<1.4" >> $install_dir/requirements.txt
 venv/bin/pip install -r requirements.txt
 popd
 
diff --git a/scripts/upgrade b/scripts/upgrade
index d97a29d..d93dd70 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
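Review bot: `staff` and `superadmin` are declared under `[resources.permissions]` with only `show_tile` and `label`, while the new `init_staff_permission` and `init_superadmin_permission` questions are not referenced anywhere in this diff; unless YunoHost's permissions resource picks up an `init_<perm>_permission` answer implicitly, both permissions are created with no allowed group and the two answers are discarded. Worth confirming against the packaging documentation and, either way, making the link visible next to the questions with a comment such as `# answer is consumed by the permissions resource as <perm>.allowed` (or an explicit `staff.allowed`/`superadmin.allowed` binding). Both questions default to `admins`, which makes `is_superuser` in conf/local.py.j2 follow the YunoHost admins group out of the box — fine, but `help.en` could say so.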
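Review bot: `$install_dir` is unquoted in `>> $install_dir/requirements.txt`, whereas the enclosing `pushd "$install_dir"` quotes it; since the line already runs inside that `pushd`, `echo "django-auth-ldap<1.4" >> requirements.txt` (or the quoted `"$install_dir/requirements.txt"`) is consistent with the rest of the script. The same line is added to scripts/upgrade in the following hunk, which has the same point. The `<1.4` bound selects an old django-auth-ldap release line — presumably dictated by the Django version the app ships, which is not visible here — so a one-line comment giving the reason, e.g. `# pinned <1.4 because: <reason>`, would keep the pin from being silently "fixed" or silently kept past its usefulness. The pushd block continues outside the hunk.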
@@ -32,7 +32,7 @@ pushd "$install_dir"
 python3 -m venv venv
 venv/bin/pip install --upgrade pip
 venv/bin/pip install gunicorn
- #echo "django-auth-ldap<1.4" >> $install_dir/requirements.txt
+ echo "django-auth-ldap<1.4" >> $install_dir/requirements.txt
 venv/bin/pip install -r requirements.txt
 popd
 

From 10ac156cbfbc639187a9b0774ae2eb99e709ff67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Wed, 1 May 2024 11:06:13 +0200
Subject: [PATCH 2/3] add missing LDAP dependancy

---
 manifest.toml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/manifest.toml b/manifest.toml
index 6ebaab8..dd5746a 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -87,7 +87,11 @@ ram.runtime = "50M"
 superadmin.label = "Super admin"
 
 [resources.apt]
- packages = "gunicorn, python3, python3-venv, libpq-dev, libsasl2-dev, libjpeg-dev, libxml2-dev, libxslt1-dev, libpango1.0-0, postgresql, postgresql-contrib, postgresql-server-dev-13"
+ packages = ["gunicorn",
+ "python3", "python3-venv", "python3-dev",
+ "libpq-dev", "libsasl2-dev", "libjpeg-dev", "libxml2-dev", "libxslt1-dev", "libpango1.0-0",
+ "postgresql", "postgresql-contrib", "postgresql-server-dev-13",
+ "libldap2-dev"]
 
 [resources.database]
 type = "postgresql"

From ecdc3c6d32e42d3b141023879d5db346436e87d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sun, 7 Jul 2024 22:35:35 +0200
Subject: [PATCH 3/3] Add support for group in django permissions

---
 conf/local.py.j2 | 16 ++++++++++++----
 scripts/install | 1 +
 scripts/upgrade | 1 +
 sources/django_ldap_extension.py | 19 +++++++++++++++++++
 4 files changed, 33 insertions(+), 4 deletions(-)
 create mode 100644 sources/django_ldap_extension.py

diff --git a/conf/local.py.j2 b/conf/local.py.j2
index 0654bae..745ad8c 100644
--- a/conf/local.py.j2
+++ b/conf/local.py.j2
@@ -2,6 +2,7 @@ from __future__ import unicode_literals
 import os
 from .settings_base import *
+from .django_ldap_extension import *
 DEBUG = TEMPLATE_DEBUG = False
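Review bot: `from .django_ldap_extension import *` pulls every public name of the extension module into the settings, including the `LDAPGroupType` that module imports for itself, while the only name the settings need is `MemberDNGroupTypeUnion` (used further down, outside this hunk); `from .django_ldap_extension import MemberDNGroupTypeUnion` states the dependency and keeps the settings namespace predictable. The existing `from .settings_base import *` is the usual settings-layering idiom, so that one is fine as it is. The import also depends on scripts/install and scripts/upgrade copying `sources/django_ldap_extension.py` into `"$install_dir"/coin/` (later hunks of this series); a short comment on the import line naming that file would save the next maintainer a search. The surrounding module continues before and after the hunk.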
@@ -43,9 +44,9 @@ EMAIL_HOST = '{{ domain }}'
 EMAIL_HOST_USER = '{{ app }}@{{ domain }}'
 EMAIL_HOST_PASSWORD = '{{ mail_pwd }}'
 
-# Tous acces
+# LDAP authentication and group management
 import ldap
-from django_auth_ldap.config import LDAPSearch, MemberDNGroupType
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion, MemberDNGroupType, LDAPGroupType
 AUTHENTICATION_BACKENDS = (
 'django_auth_ldap.backend.LDAPBackend',
 'django.contrib.auth.backends.ModelBackend',
@@ -63,13 +64,20 @@ AUTH_LDAP_USER_FLAGS_BY_GROUP = {
 "is_staff": "cn={{ app }}.staff,ou=permission,dc=yunohost,dc=org",
 "is_superuser": "cn={{ app }}.superadmin,ou=permission,dc=yunohost,dc=org"
 }
-AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=permission,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE)
-AUTH_LDAP_GROUP_TYPE = MemberDNGroupType("inheritPermission", "permissionYnh")
+AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
+ LDAPSearch("ou=permission,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE, filterstr=u'(cn=coin.*)'),
+ LDAPSearch("ou=groups,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE)
+)
+AUTH_LDAP_GROUP_TYPE = MemberDNGroupTypeUnion(
+ MemberDNGroupType("inheritPermission"), # permissionYnh
+ MemberDNGroupType("member")) # groupOfNamesYnh
 AUTH_LDAP_ALWAYS_UPDATE_USER = True
 AUTH_LDAP_AUTHORIZE_ALL_USERS = False
 AUTH_LDAP_FIND_GROUP_PERMS = True
 AUTH_LDAP_CACHE_GROUPS = True
 AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1000
+# Link Yunohost group with django permission group
+AUTH_LDAP_MIRROR_GROUPS_EXCEPT = ("{{ app }}.main", "{{ app }}.staff", "{{ app }}.superadmin")
 # import logging
 # logger = logging.getLogger('django_auth_ldap')
 # logger.addHandler(logging.StreamHandler())
diff --git a/scripts/install b/scripts/install
index 89507fb..e9569fb 100644
--- a/scripts/install
+++ b/scripts/install
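Review bot: the permission search inside the new `AUTH_LDAP_GROUP_SEARCH` hard-codes `filterstr=u'(cn=coin.*)'` while every other DN in this template is built from `{{ app }}` (`cn={{ app }}.main,...`, the new `AUTH_LDAP_MIRROR_GROUPS_EXCEPT`); on an instance whose app id is not literally `coin` (a second installation, for example) the filter would miss that instance's permission entries, so it should read `filterstr=u'(cn={{ app }}.*)'`. In the preceding hunk `LDAPGroupType` is added to the `django_auth_ldap.config` import but nothing in the settings uses it (the extension module imports it for itself), so it can be dropped from that line. If I read django-auth-ldap right, setting `AUTH_LDAP_MIRROR_GROUPS_EXCEPT` on its own switches on mirroring of every other YunoHost group into Django groups even though `AUTH_LDAP_MIRROR_GROUPS` is never set here, which is easy to miss; I would extend the comment to `# Mirror every YunoHost group except the app permissions into Django groups (a non-empty *_EXCEPT enables mirroring)` and confirm that the `<1.4` pin in scripts/install still ships this setting and `LDAPSearchUnion`.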
@@ -12,6 +12,7 @@ ynh_app_setting_set --app=$app --key=secret --value=$secret
 ynh_script_progression --message="Setting up source files..."
 ynh_setup_source --dest_dir="$install_dir"
+cp ../sources/django_ldap_extension.py "$install_dir"/coin/
 chmod 750 "$install_dir"
 chmod -R o-rwx "$install_dir"
diff --git a/scripts/upgrade b/scripts/upgrade
index d93dd70..08bed5a 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -24,6 +24,7 @@ then
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir" --full_replace=1 --keep=coin/settings_local.py
+ cp ../sources/django_ldap_extension.py "$install_dir"/coin/
 fi
diff --git a/sources/django_ldap_extension.py b/sources/django_ldap_extension.py
new file mode 100644
index 0000000..12384dd
--- /dev/null
+++ b/sources/django_ldap_extension.py
@@ -0,0 +1,19 @@
+from django_auth_ldap.config import LDAPGroupType
+
+class MemberDNGroupTypeUnion(LDAPGroupType):
+
+ def __init__(self, *types, name_attr='cn'):
+ self.types = types
+ super(MemberDNGroupTypeUnion, self).__init__(name_attr)
+
+ def user_groups(self, ldap_user, group_search):
+ res = dict()
+ for t in self.types:
+ res.update(t.user_groups(ldap_user, group_search))
+ return res.items()
+
+ def is_member(self, ldap_user, group_dn):
+ for t in self.types:
+ if t.is_member(ldap_user, group_dn):
+ return True
+ return False
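Review bot: `MemberDNGroupTypeUnion` carries no docstrings: the class should say that it wraps several group types so that a user's groups are the union of what each wrapped type reports and membership holds as soon as any one of them confirms it, and `__init__` should note that `*types` are the wrapped group-type instances and `name_attr` is forwarded unchanged to `LDAPGroupType`. `user_groups` returns `res.items()`, a dict view, whereas the stock group types (as far as I recall) return a plain list of `(dn, attrs)` pairs; `return list(res.items())` keeps that contract for any caller that indexes, re-iterates or caches the result. `is_member` is the idiomatic `return any(t.is_member(ldap_user, group_dn) for t in self.types)`. When two wrapped types return the same DN the later type's attrs win in `res.update`, which is worth a one-line comment since it silently decides which attrs `group_name_from_info` sees.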