Implement migration for group and permission

2024-09-03 20:06:10 +02:00 · 2018-12-14 23:49:26 +01:00 · 2018-12-14 23:49:26 +01:00 · 0d3d33fdce
commit 0d3d33fdce
parent 811d1f6a9c
3 changed files with 118 additions and 2 deletions
--- a/locales/en.json
+++ b/locales/en.json
@ -307,6 +307,7 @@
    "migration_description_0006_sync_admin_and_root_passwords": "Synchronize admin and root passwords",
    "migration_description_0007_ssh_conf_managed_by_yunohost_step1": "Let the SSH configuration be managed by YunoHost (step 1, automatic)",
    "migration_description_0008_ssh_conf_managed_by_yunohost_step2": "Let the SSH configuration be managed by YunoHost (step 2, manual)",
    "migration_description_0009_setup_group_permission": "Setup user group and setup permission for apps and services",
    "migration_0003_backward_impossible": "The stretch migration cannot be reverted.",
    "migration_0003_start": "Starting migration to Stretch. The logs will be available in {logfile}.",
    "migration_0003_patching_sources_list": "Patching the sources.lists…",
@ -332,6 +333,12 @@
    "migration_0008_dsa": " - the DSA key will be disabled. Hence, you might need to invalidate a spooky warning from your SSH client, and recheck the fingerprint of your server;",
    "migration_0008_warning": "If you understand those warnings and agree to let YunoHost override your current configuration, run the migration. Otherwise, you can also skip the migration - though it is not recommended.",
    "migration_0008_no_warning": "No major risk has been indentified about overriding your SSH configuration - but we can't be absolutely sure ;)! If you agree to let YunoHost override your current configuration, run the migration. Otherwise, you can also skip the migration - though it is not recommended.",
    "migration_0009_create_group": "Create group for each user.",
    "migration_0009_disclaimer": "Your LDAP schema will be updated and your LDAP database will be updated",
    "migration_0009_done": "Migration sucess. You are now able to use groups of user.",
    "migration_0009_migrate_permission": "Migrate permission from apps settings to LDAP",
    "migration_0009_update_LDAP_database": "Update LDAP database for groups and permission support",
    "migration_0009_update_LDAP_schema": "Update LDAP schema",
    "migrations_backward": "Migrating backward.",
    "migrations_bad_value_for_target": "Invalid number for target argument, available migrations numbers are 0 or {}",
    "migrations_cant_reach_migration_file": "Can't access migrations files at path %s",
--- a/src/yunohost/data_migrations/0009_setup_group_permission.py
+++ b/src/yunohost/data_migrations/0009_setup_group_permission.py
@ -0,0 +1,108 @@
 import yaml
 import errno
 from moulinette import m18n
 from moulinette.core import MoulinetteError, init_authenticator
 from moulinette.utils.log import getActionLogger
 from yunohost.tools import Migration
 from yunohost.utils.filesystem import free_space_in_directory, space_used_by_directory
 from yunohost.user import user_list, user_group_add, user_group_update
 from yunohost.app import app_setting, app_list
 from yunohost.service import service_regen_conf
 from yunohost.permission import permission_add, permission_sync_to_user
 from yunohost.user import user_permission_add
 logger = getActionLogger('yunohost.migration')
 ###################################################
 # Tools used also for restoration
 ###################################################
 def migrate_LDAP_db(auth):
    logger.info(m18n.n("migration_0009_update_LDAP_database"))
    try:
        auth.remove('cn=sftpusers,ou=groups')
    except Exception as e:
        logger.warn("Error when trying remove sftpusers group")
    with open('/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml') as f:
        ldap_map = yaml.load(f)
    try:
        attr_dict = ldap_map['parents']['ou=permission']
        auth.add('ou=permission', attr_dict)
        attr_dict = ldap_map['children']['cn=all_users,ou=groups']
        auth.add('cn=all_users,ou=groups', attr_dict)
        for rdn, attr_dict in ldap_map['depends_children'].items():
            auth.add(rdn, attr_dict)
    except Exception as e:
        raise MoulinetteError(errno.EINVAL, m18n.n(("LDAP_update_failled")))
    logger.info(m18n.n("migration_0009_create_group"))
    #Create group for each yunohost user
    user_list = auth.search('ou=users,dc=yunohost,dc=org',
                            '(&(objectclass=person)(!(uid=root))(!(uid=nobody)))',
                            ['uid', 'uidNumber'])
    for user_info in user_list:
        username = user_info['uid'][0]
        user_group_add(auth, username, gid=user_info['uidNumber'][0], sync_perm=False)
        user_group_update(auth, groupname=username, add_user=username, force=True, sync_perm=False)
        user_group_update(auth, 'all_users', add_user=username, force=True, sync_perm=False)
 def migrate_app_permission(auth):
    logger.info(m18n.n("migration_0009_migrate_permission"))
    for app_info in app_list(installed=True)['apps']:
        app = app_info['id']
        permission = app_setting(app, 'allowed_users')
        path = app_setting(app, 'path')
        domain = app_setting(app, 'domain')
        url = None
        if domain and path:
            url = domain + path
        permission_add(auth, app, 'main', url=url, default_allow=True, sync_perm=False)
        if permission:
            allowed_group = permission.split(',')
            user_permission_add(auth, [app], 'main', group=allowed_group, sync_perm=False)
        app_setting(app, 'allowed_users', delete=True)
 class MyMigration(Migration):
    """
        Update the LDAP DB to be able to store the permission
        Create a group for each yunohost user
        Migrate app permission from apps setting to LDAP
    """
    required = True
    def migrate(self):
        # Update LDAP schema restart slapd
        logger.info(m18n.n("migration_0009_update_LDAP_schema"))
        service_regen_conf(names=['slapd'], force=True)
        # Do the authentication to LDAP after LDAP as been updated
        AUTH_IDENTIFIER = ('ldap', 'as-root')
        AUTH_PARAMETERS = {'uri': 'ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi',
                           'base_dn': 'dc=yunohost,dc=org',
                           'user_rdn': 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'}
        auth = init_authenticator(AUTH_IDENTIFIER, AUTH_PARAMETERS)
        #Update LDAP database
        migrate_LDAP_db(auth)
        # Migrate permission
        migrate_app_permission(auth)
        permission_sync_to_user(auth)
        logger.info(m18n.n("migration_0009_done"))
    @property
    def disclaimer(self):
        return m18n.n("migration_0009_disclaimer")
--- a/src/yunohost/permission.py
+++ b/src/yunohost/permission.py
@ -114,7 +114,7 @@ def user_permission_list(auth, app=None, permission=None, username=None, group=N
    return {'permissions': permissions}
-def user_permission_update(operation_logger, auth, app=[], permission=None, add_username=None, add_group=None, del_username=None, del_group=None):
+def user_permission_update(operation_logger, auth, app=[], permission=None, add_username=None, add_group=None, del_username=None, del_group=None, sync_perm=True):
    """
    Allow or Disallow a user or group to a permission for a specific application
@ -231,6 +231,7 @@ def user_permission_update(operation_logger, auth, app=[], permission=None, add_
        else:
            raise MoulinetteError(169, m18n.n('permission_update_failed'))
    if sync_perm:
        permission_sync_to_user(auth)
    for a in app: