Draft migration for new admins group

2024-09-03 20:06:10 +02:00 · 2022-01-11 18:15:34 +01:00 · 2022-01-11 18:15:34 +01:00 · 4cb8c91475
commit 4cb8c91475
parent 9126beffc2
1 changed files with 86 additions and 0 deletions
--- a/src/migrations/0024_new_admins_group.py
+++ b/src/migrations/0024_new_admins_group.py
@ -0,0 +1,86 @@
+import os
+from moulinette.utils.log import getActionLogger
+
+from yunohost.utils.error import YunohostError
+from yunohost.tools import Migration
+
+logger = getActionLogger("yunohost.migration")
+
+###################################################
+# Tools used also for restoration
+###################################################
+
+
+class MyMigration(Migration):
+    """
+    Add new permissions around SSH/SFTP features
+    """
+
+    introduced_in_version = "11.1"  # FIXME?
+    dependencies = []
+
+    @Migration.ldap_migration
+    def run(self, *args):
+
+        from yunohost.user import user_list, user_info, user_group_update
+        from yunohost.utils.ldap import _get_ldap_interface
+
+        ldap = _get_ldap_interface()
+
+        all_users = user_list()["users"].keys()
+        new_admin_user = None
+        for user in all_users:
+            if any(alias.startswith("root@") for alias in user_info(user).get("mail-aliases", [])):
+                new_admin_user = user
+                break
+
+        if not new_admin_user:
+            new_admin_user = os.environ.get("YNH_NEW_ADMIN_USER")
+            if new_admin_user:
+                assert new_admin_user in all_users, f"{new_admin_user} is not an existing yunohost user"
+            else:
+                raise YunohostError(
+                    # FIXME: i18n
+                    """The very first user created on this Yunohost instance could not be found, and therefore this migration can not be ran. You should re-run this migration as soon as possible from the command line with, after choosing which user should become the admin:
+
+export YNH_NEW_ADMIN_USER=some_existing_username
+yunohost tools migrations run""",
+                    raw_msg=True
+                )
+
+        stuff_to_delete = [
+            "cn=admin,ou=sudo",
+            "cn=admins,ou=sudo"
+            "cn=admin",
+            "cn=admins,ou=groups",
+        ]
+
+        for stuff in stuff_to_delete:
+            if ldap.search(stuff):
+                ldap.remove(stuff)
+
+        ldap.add(
+            "cn=admins,ou=sudo",
+            {
+                "cn": ["admins"],
+                "objectClass": ["top", "sudoRole"],
+                "sudoCommand": ["ALL"],
+                "sudoUser": ["%admins"],
+                "sudoHost": ["ALL"],
+            }
+        )
+
+        ldap.add(
+            "cn=admins,ou=groups",
+            {
+                "cn": ["admins"],
+                "objectClass": ["top", "posixGroup", "groupOfNamesYnh", "mailGroup"],
+                "gidNumber": [4001],
+                "mail": ["root", "admin", "admins", "webmaster", "postmaster", "abuse"],
+            }
+        )
+
+        user_group_update(groupname="admins", add=new_admin_user, sync_perm=True)
+
+    def run_after_system_restore(self):
+        self.run()