From 089e0001c20681dc7e4c3b594e6cd4815d6c1048 Mon Sep 17 00:00:00 2001
From: axolotle
Date: Tue, 17 Oct 2023 14:15:22 +0200
Subject: [PATCH] portal: retreive app permissions from ldap

---
 src/portal.py | 83 ++++++++++++++++++++++++++++++++-------------------
 1 file changed, 53 insertions(+), 30 deletions(-)

diff --git a/src/portal.py b/src/portal.py
index e89d176fd..6cd4b7816 100644
--- a/src/portal.py
+++ b/src/portal.py
@@ -18,16 +18,16 @@
 along with this program; if not, see http://www.gnu.org/licenses
 """
+import logging
 from pathlib import Path
 from typing import Any, Union
-import logging
-import ldap
-from moulinette.utils.filesystem import read_json, read_yaml
+import ldap
+from moulinette.utils.filesystem import read_yaml
 from yunohost.authenticators.ldap_ynhuser import URI, USERDN, Authenticator as Auth
 from yunohost.user import _hash_user_password
 from yunohost.utils.error import YunohostError, YunohostValidationError
-from yunohost.utils.ldap import LDAPInterface
+from yunohost.utils.ldap import LDAPInterface, _ldap_path_extract
 from yunohost.utils.password import (
     assert_password_is_compatible,
     assert_password_is_strong_enough,
@@ -51,6 +51,49 @@ def _get_user_infos(
     return username, auth["host"], result[0], ldap_interface
+def _get_apps(username: Union[str, None] = None):
+    """Get public + user's authorized apps.
+    If `username` is not given, returns only public apps
+    (e.g. with `visitors` in group permissions)
+    """
+    SYSTEM_PERMS = ("mail", "xmpp", "sftp", "ssh")
+
+    ldap_interface = LDAPInterface("root")
+    permissions_infos = ldap_interface.search(
+        "ou=permission",
+        "(objectclass=permissionYnh)",
+        [
+            "cn",
+            "groupPermission",
+            "inheritPermission",
+            "URL",
+            "label",
+            "showTile",
+        ],
+    )
+
+    apps = {}
+
+    for perm in permissions_infos:
+        name = perm["cn"][0].replace(".main", "")
+
+        if name in SYSTEM_PERMS or not perm.get("showTile", [False])[0]:
+            continue
+
+        groups = [_ldap_path_extract(g, "cn") for g in perm["groupPermission"]]
+        users = [
+            _ldap_path_extract(u, "uid") for u in perm.get("inheritPermission", [])
+        ]
+
+        if username in users or "visitors" in groups:
+            apps[name] = {
+                "label": perm["label"][0],
+                "url": perm["URL"][0],
+            }
+
+    return apps
+
+
 def _get_portal_settings(domain: Union[str, None] = None):
     from yunohost.domain import DOMAIN_SETTINGS_DIR
@@ -80,18 +123,12 @@ def portal_public():
     portal_settings = _get_portal_settings()
     portal_settings["apps"] = {}
-    portal_settings["public"] = portal_settings.pop("default_app", None) == "_yunohost_portal_with_public_apps"
+    portal_settings["public"] = (
+        portal_settings.pop("default_app", None) == "_yunohost_portal_with_public_apps"
+    )
     if portal_settings["public"]:
-        ssowat_conf = read_json("/etc/ssowat/conf.json")
-        portal_settings["apps"] = {
-            perm.replace(".main", ""): {
-                "label": infos["label"],
-                "url": infos["uris"][0],
-            }
-            for perm, infos in ssowat_conf["permissions"].items()
-            if infos["show_tile"] and infos["public"]
-        }
+        portal_settings["apps"] = _get_apps()
     if not portal_settings["show_other_domains_apps"]:
         portal_settings["apps"] = {
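Review bot: The tile filter in `_get_apps` tests the truthiness of the raw LDAP value, `not perm.get("showTile", [False])[0]`, and since every other attribute in this hunk (`cn`, `label`, `URL`) is consumed as a string, `showTile` presumably comes back as a string such as "TRUE"/"FALSE" as well — in which case `not "FALSE"` is False and permissions meant to be hidden are still listed on the portal. If that is the stored form, the guard should compare explicitly, e.g. `if name in SYSTEM_PERMS or perm.get("showTile", ["FALSE"])[0] != "TRUE":`. A few lines further down `perm["groupPermission"]` is indexed unguarded while `inheritPermission` uses `.get(..., [])`; an entry with no group grants would raise KeyError and break the whole portal page, so `perm.get("groupPermission", [])` keeps the two consistent. The docstring could also state that `username` is only compared against the uids extracted from `inheritPermission` and is never interpolated into the LDAP filter, which is what keeps this search free of filter injection.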
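Review bot: `portal_public` now performs a directory search on every unauthenticated request (through `_get_apps()`, which opens `LDAPInterface("root")` — presumably a privileged bind), where the removed code only read `/etc/ssowat/conf.json`; the anonymous path is therefore costlier per hit and will surface an LDAP error instead of a file error when the directory is unreachable, which is worth weighing against caching this read. Since nothing at the call site says why no username is passed, a comment such as `# anonymous visitor: only permissions granted to the "visitors" group are returned` would make the authorization boundary explicit. The function continues below the hunk.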
@@ -111,23 +148,9 @@ def portal_me():
         ["cn", "mail", "maildrop", "mailuserquota", "memberOf", "permission"]
     )
-    groups = [
-        g.replace("cn=", "").replace(",ou=groups,dc=yunohost,dc=org", "")
-        for g in user["memberOf"]
-    ]
+    groups = [_ldap_path_extract(g, "cn") for g in user["memberOf"]]
     groups = [g for g in groups if g not in [username, "all_users"]]
-
-    permissions = [
-        p.replace("cn=", "").replace(",ou=permission,dc=yunohost,dc=org", "")
-        for p in user["permission"]
-    ]
-
-    ssowat_conf = read_json("/etc/ssowat/conf.json")
-    apps = {
-        perm.replace(".main", ""): {"label": infos["label"], "url": infos["uris"][0]}
-        for perm, infos in ssowat_conf["permissions"].items()
-        if perm in permissions and infos["show_tile"] and username in infos["users"]
-    }
+    apps = _get_apps(username)
     settings = _get_portal_settings(domain=domain)
     if not settings["show_other_domains_apps"]:
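Review bot: The `permission` attribute is still requested in the user search shown at the top of the hunk (`["cn", "mail", "maildrop", "mailuserquota", "memberOf", "permission"]`) but its only consumer, the removed `permissions` list, is gone; unless it is read further down in `portal_me` outside this hunk, drop it from the attribute list so the fetch of the user entry stays minimal. The authorization decision now happens inside `_get_apps(username)` against `inheritPermission`, so it matters that `username` is the identity established by the session (its binding is above the hunk) rather than anything taken from the request — worth confirming. `portal_me` starts and ends outside the hunk.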