From 4c2ae4fc776b2f0d70e8d55e05507837d93ecdcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Wed, 28 Nov 2018 22:06:33 +0100
Subject: [PATCH] Implement permission helper

---
 data/helpers.d/setting | 70 ++++++++++++++++++++++++++++++++++++++
 src/yunohost/app.py | 9 ++++-
 src/yunohost/permission.py | 5 +--
 3 files changed, 81 insertions(+), 3 deletions(-)

diff --git a/data/helpers.d/setting b/data/helpers.d/setting
index ad036ba4f..3267bf846 100644
--- a/data/helpers.d/setting
+++ b/data/helpers.d/setting
@@ -25,3 +25,73 @@ ynh_app_setting_set() {
 ynh_app_setting_delete() {
 sudo yunohost app setting -d "$1" "$2" --quiet
 }
+
+# Create a new permission for the app
+#
+# usage: ynh_permission_create --app "app" --permission "permission" --defaultdisallow [--url "url" ["url" ...]]
+# | arg: app - the application id
+# | arg: permission - the name for the permission (by default a permission named "main" already exist)
+# | arg: defaultdisallow - define if all user will be allowed by default
+# | arg: url - the url for the the permission
+ynh_permission_create() {
+ declare -Ar args_array=( [a]=app= [p]=permission= [d]=defaultdisallow [u]=url= )
+ local app
+ local permission
+ local defaultdisallow
+ local url
+ ynh_handle_getopts_args "$@"
+ if [[ -n ${defaultdisallow:-} ]]; then
+ defaultdisallow=",default_allow=False"
+ fi
+
+ if [[ -n ${url:-} ]]; then
+ url=",url=['${url//';'/"','"}']"
+ fi
+ yunohost tools shell -c "from yunohost.permission import permission_add; permission_add(auth, '$app', '$permission' ${defaultdisallow:-} ${url:-}, sync_perm=False)"
+}
+
+# Remove a permission for the app (note that when the app is removed all permission is automatically removed)
+#
+# usage: ynh_permission_remove --app "app" --permission "permission"
+# | arg: app - the application id
+# | arg: permission - the name for the permission (by default a permission named "main" is removed automatically when the app is removed)
+ynh_permission_remove() {
+ declare -Ar args_array=( [a]=app= [p]=permission= )
+ local app
+ local permission
+ ynh_handle_getopts_args "$@"
+
+ yunohost tools shell -c "from yunohost.permission import permission_remove; permission_remove(auth, '$app', '$permission')"
+}
+
+# Add a path managed by the SSO
+#
+# usage: ynh_permission_add_path --app "app" --permission "permission" --url "url" ["url" ...]
+# | arg: app - the application id +# | arg: permission - the name for the permission +# | arg: url - the FULL url for the the permission (ex domain.tld/apps/admin) +ynh_permission_add_path() { + declare -Ar args_array=( [a]=app= [p]=permission= [u]=url= ) + local app + local permission + local url + ynh_handle_getopts_args "$@" + + yunohost tools shell -c "from yunohost.permission import permission_update; permission_update(auth, '$app', '$permission', add_url=['${url//';'/"','"}'])" +} + +# Remove a path managed by the SSO +# +# usage: ynh_permission_del_path --app "app" --permission "permission" --url "url" ["url" ...] +# | arg: app - the application id +# | arg: permission - the name for the permission +# | arg: url - the FULL url for the the permission (ex domain.tld/apps/admin) +ynh_permission_del_path() { + declare -Ar args_array=( [a]=app= [p]=permission= [u]=url= ) + local app + local permission + local url + ynh_handle_getopts_args "$@" + + yunohost tools shell -c "from yunohost.permission import permission_update; permission_update(auth, '$app', '$permission', remove_url=['${url//';'/"','"}'])" +} diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 72755a5c5..99b688322 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py @@ -710,7 +710,7 @@ def app_install(operation_logger, auth, app, label=None, args=None, no_remove_on """ from yunohost.hook import hook_add, hook_remove, hook_exec, hook_callback from yunohost.log import OperationLogger - from yunohost.permission import permission_add, permission_update + from yunohost.permission import permission_add, permission_update, permission_remove # Fetch or extract sources try: 
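Review bot: All four new helpers paste `$app`, `$permission` and `$url` straight into Python source handed to `yunohost tools shell -c`, so a value containing a single quote ends the string literal and whatever follows is evaluated as code by that shell. Pass the values as data instead, for example through the environment: `APP="$app" PERM="$permission" yunohost tools shell -c "import os; from yunohost.permission import permission_remove; permission_remove(auth, os.environ['APP'], os.environ['PERM'])"` (assuming the command inherits the caller's environment), and build the URL list with `os.environ['URLS'].split(';')`. Separately, the usage lines advertise `--url "url" ["url" ...]` while the code splits a single value on `;`, and the `defaultdisallow` description reads as the opposite of what the flag does. The header comments should state the `;` separator and that the flag withholds the default grant.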
@@ -867,6 +867,13 @@ def app_install(operation_logger, auth, app, label=None, args=None, no_remove_on os.path.join(extracted_app_folder, 'scripts/remove'), args=[app_instance_name], env=env_dict_remove ) + # Remove all permission in LDAP + result = auth.search(base='ou=permission,dc=yunohost,dc=org', + filter='(&(objectclass=permissionYnh)(cn=*.%s))' % app_instance_name, attrs=['cn']) + permission_list = [p['cn'][0] for p in result] + for l in permission_list: + permission_remove(auth, app_instance_name, l.split('.')[0], force=True) + if remove_retcode != 0: msg = m18n.n('app_not_properly_removed', app=app_instance_name) diff --git a/src/yunohost/permission.py b/src/yunohost/permission.py index df53e9b6b..4b77df70f 100644 --- a/src/yunohost/permission.py +++ b/src/yunohost/permission.py @@ -316,7 +316,7 @@ def user_permission_clear(operation_logger, auth, app=[], permission=None): @is_unit_operation(['permission','app']) -def permission_add(operation_logger, auth, app, permission, url=None): +def permission_add(operation_logger, auth, app, permission, url=None, default_allow=True): """ Create a new permission for a specific application @@ -348,8 +348,9 @@ def permission_add(operation_logger, auth, app, permission, url=None): 'objectClass': ['top', 'permissionYnh', 'posixGroup'], 'cn': permission_name, 'gidNumber': gid, - 'groupPermission': 'cn=all_users,ou=groups,dc=yunohost,dc=org' } + if default_allow: + attr_dict['groupPermission'] = 'cn=all_users,ou=groups,dc=yunohost,dc=org' if url: attr_dict['URL'] = []
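Review bot: In the new cleanup loop of app_install, `l.split('.')[0]` keeps only the text before the first dot of the cn, so a permission whose own name contains a dot would reach permission_remove truncated. Since the filter already anchors on the `.<app>` suffix, `l.rsplit('.', 1)[0]` recovers the full name. `app_instance_name` is also formatted into the LDAP filter unescaped; if it is not validated earlier in app_install (not visible here) and `auth` is backed by python-ldap, wrapping it in `ldap.filter.escape_filter_chars(...)` keeps it from changing the filter's meaning. The loop runs before the `remove_retcode` check, so an exception from permission_remove would skip the rest of the failure handling; a comment or a try/except would make the intent explicit. The enclosing function starts and ends outside this hunk.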
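Review bot: The widened permission_add signature gains `default_allow` but no `sync_perm`, while ynh_permission_create in data/helpers.d/setting (same patch) calls `permission_add(auth, '$app', '$permission' ..., sync_perm=False)`. Unless the `is_unit_operation` decorator absorbs that keyword, the helper call would fail with a TypeError, so either add the parameter here or drop it from the helper. The docstring's argument list lies outside the hunk; it should gain a line such as `default_allow -- if False, the permission is created without the all_users group`.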