YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Propagate changes to other parts of the code relying on groups and permissions

Browse source
This commit is contained in:
Alexandre Aubin 2019-09-12 00:20:22 +02:00
parent d5b2fb7a71
commit a92ff53077
3 changed files with 44 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
src/yunohost/app.py
View file

@ -465,7 +465,7 @@ def app_change_url(operation_logger, app, domain, path):
""" """
from yunohost.hook import hook_exec, hook_callback from yunohost.hook import hook_exec, hook_callback
from yunohost.domain import _normalize_domain_path, _get_conflicting_apps from yunohost.domain import _normalize_domain_path, _get_conflicting_apps
from yunohost.permission import permission_update from yunohost.permission import permission_urls
installed = _is_installed(app) installed = _is_installed(app)
if not installed: if not installed:
@ -555,7 +555,7 @@ def app_change_url(operation_logger, app, domain, path):
app_setting(app, 'domain', value=domain) app_setting(app, 'domain', value=domain)
app_setting(app, 'path', value=path) app_setting(app, 'path', value=path)
permission_update(app, permission="main", add_url=[domain+path], remove_url=[old_domain+old_path], sync_perm=True) permission_urls(app+".main", add=[domain+path], remove=[old_domain+old_path], sync_perm=True)
# avoid common mistakes # avoid common mistakes
if _run_service_command("reload", "nginx") is False: if _run_service_command("reload", "nginx") is False:
@ -738,7 +738,7 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu
from yunohost.utils.ldap import _get_ldap_interface from yunohost.utils.ldap import _get_ldap_interface
from yunohost.hook import hook_add, hook_remove, hook_exec, hook_callback from yunohost.hook import hook_add, hook_remove, hook_exec, hook_callback
from yunohost.log import OperationLogger from yunohost.log import OperationLogger
from yunohost.permission import permission_create, permission_update, permission_delete, permission_sync_to_user from yunohost.permission import permission_create, permission_urls, permission_delete, permission_sync_to_user
ldap = _get_ldap_interface() ldap = _get_ldap_interface()
# Fetch or extract sources # Fetch or extract sources
@ -875,7 +875,7 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu
# Create permission before the install (useful if the install script redefine the permission) # Create permission before the install (useful if the install script redefine the permission)
# Note that sync_perm is disabled to avoid triggering a whole bunch of code and messages # Note that sync_perm is disabled to avoid triggering a whole bunch of code and messages
# can't be sure that we don't have one case when it's needed # can't be sure that we don't have one case when it's needed
permission_create(app=app_instance_name, permission="main", sync_perm=False) permission_create(app_instance_name+".main", sync_perm=False)
# Execute the app install script # Execute the app install script
install_retcode = 1 install_retcode = 1
@ -910,11 +910,9 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu
args=[app_instance_name], env=env_dict_remove args=[app_instance_name], env=env_dict_remove
)[0] )[0]
# Remove all permission in LDAP # Remove all permission in LDAP
result = ldap.search(base='ou=permission,dc=yunohost,dc=org', for permission_name in user_permission_list()["permissions"].keys():
filter='(&(objectclass=permissionYnh)(cn=*.%s))' % app_instance_name, attrs=['cn']) if permission_name.startswith(app_instance_name+"."):
permission_list = [p['cn'][0] for p in result] permission_delete(permission_name, force=True)
for l in permission_list:
permission_delete(app_instance_name, l.split('.')[0], force=True)
if remove_retcode != 0: if remove_retcode != 0:
msg = m18n.n('app_not_properly_removed', msg = m18n.n('app_not_properly_removed',
@ -960,8 +958,7 @@ def app_install(operation_logger, app, label=None, args=None, no_remove_on_failu
domain = app_settings.get('domain', None) domain = app_settings.get('domain', None)
path = app_settings.get('path', None) path = app_settings.get('path', None)
if domain and path: if domain and path:
permission_update(app_instance_name, permission="main", add_url=[domain+path], sync_perm=False) permission_urls(app_instance_name+".main", add=[domain+path], sync_perm=False)
permission_sync_to_user() permission_sync_to_user()
logger.success(m18n.n('installation_complete')) logger.success(m18n.n('installation_complete'))
@ -978,7 +975,6 @@ def app_remove(operation_logger, app):
app -- App(s) to delete app -- App(s) to delete
""" """
from yunohost.utils.ldap import _get_ldap_interface
from yunohost.hook import hook_exec, hook_remove, hook_callback from yunohost.hook import hook_exec, hook_remove, hook_callback
from yunohost.permission import permission_delete, permission_sync_to_user from yunohost.permission import permission_delete, permission_sync_to_user
if not _is_installed(app): if not _is_installed(app):
@ -1026,12 +1022,9 @@ def app_remove(operation_logger, app):
hook_remove(app) hook_remove(app)
# Remove all permission in LDAP # Remove all permission in LDAP
ldap = _get_ldap_interface() for permission_name in user_permission_list()["permissions"].keys():
result = ldap.search(base='ou=permission,dc=yunohost,dc=org', if permission_name.startswith(app+"."):
filter='(&(objectclass=permissionYnh)(cn=*.%s))' % app, attrs=['cn']) permission_delete(permission_name, force=True, sync_perm=False)
permission_list = [p['cn'][0] for p in result]
for l in permission_list:
permission_delete(app, l.split('.')[0], force=True, sync_perm=False)
permission_sync_to_user() permission_sync_to_user()

61
src/yunohost/backup.py
View file

@ -703,6 +703,10 @@ class BackupManager():
self._import_to_list_to_backup(env_dict["YNH_BACKUP_CSV"]) self._import_to_list_to_backup(env_dict["YNH_BACKUP_CSV"])
# backup permissions # backup permissions
#
# FIXME : why can't we instead use a simple yaml file to store the
# relevant info and recreate the permission object from it ...
#
logger.debug(m18n.n('backup_permission', app=app)) logger.debug(m18n.n('backup_permission', app=app))
ldap_url = "ldap:///dc=yunohost,dc=org???(&(objectClass=permissionYnh)(cn=*.%s))" % app ldap_url = "ldap:///dc=yunohost,dc=org???(&(objectClass=permissionYnh)(cn=*.%s))" % app
os.system("slapcat -b dc=yunohost,dc=org -H '%s' -l '%s/permission.ldif'" % (ldap_url, settings_dir)) os.system("slapcat -b dc=yunohost,dc=org -H '%s' -l '%s/permission.ldif'" % (ldap_url, settings_dir))
@ -919,7 +923,7 @@ class RestoreManager():
successfull_apps = self.targets.list("apps", include=["Success", "Warning"]) successfull_apps = self.targets.list("apps", include=["Success", "Warning"])
permission_sync_to_user(force=False) permission_sync_to_user()
if os.path.ismount(self.work_dir): if os.path.ismount(self.work_dir):
ret = subprocess.call(["umount", self.work_dir]) ret = subprocess.call(["umount", self.work_dir])
@ -1183,18 +1187,11 @@ class RestoreManager():
if system_targets == []: if system_targets == []:
return return
from yunohost.utils.ldap import _get_ldap_interface from yunohost.permission import permission_create, user_permission_update, user_permission_list
ldap = _get_ldap_interface()
# Backup old permission for apps # Backup old permission for apps
# We need to do that because in case of an app is installed we can't remove the permission for this app # We need to do that because in case of an app is installed we can't remove the permission for this app
old_apps_permission = [] old_apps_permission = user_permission_list(ignore_system_perms=True)["permissions"]
try:
old_apps_permission = ldap.search('ou=permission,dc=yunohost,dc=org',
'(&(objectClass=permissionYnh)(!(cn=main.mail))(!(cn=main.xmpp))(!(cn=main.sftp)))',
['cn', 'objectClass', 'groupPermission', 'URL', 'gidNumber'])
except:
logger.info(m18n.n('apps_permission_not_found'))
# Start register change on system # Start register change on system
operation_logger = OperationLogger('backup_restore_system') operation_logger = OperationLogger('backup_restore_system')
@ -1232,12 +1229,11 @@ class RestoreManager():
regen_conf() regen_conf()
# Check if we need to do the migration 0009 : setup group and permission # Check that at least a group exists (all_users) to know if we need to
# do the migration 0011 : setup group and permission
#
# Legacy code # Legacy code
result = ldap.search('ou=groups,dc=yunohost,dc=org', if not user_group_list["groups"]:
'(&(objectclass=groupOfNamesYnh)(cn=all_users))',
['cn'])
if not result:
from yunohost.tools import _get_migration_by_name from yunohost.tools import _get_migration_by_name
setup_group_permission = _get_migration_by_name("setup_group_permission") setup_group_permission = _get_migration_by_name("setup_group_permission")
# Update LDAP schema restart slapd # Update LDAP schema restart slapd
@ -1245,22 +1241,16 @@ class RestoreManager():
regen_conf(names=['slapd'], force=True) regen_conf(names=['slapd'], force=True)
setup_group_permission.migrate_LDAP_db() setup_group_permission.migrate_LDAP_db()
# Remove all permission for all app which sill in the LDAP # Remove all permission for all app which is still in the LDAP
for per in ldap.search('ou=permission,dc=yunohost,dc=org', for permission_name in user_permission_list(ignore_system_perms=True)["permissions"].keys():
'(&(objectClass=permissionYnh)(!(cn=mail.main))(!(cn=xmpp.main))(!(cn=sftp.main)))', permission_delete(permission_name)
['cn']):
if not ldap.remove('cn=%s,ou=permission' % per['cn'][0]):
raise YunohostError('permission_deletion_failed',
permission=per['cn'][0].split('.')[0],
app=per['cn'][0].split('.')[1])
# Restore permission for the app which is installed # Restore permission for the app which is installed
for per in old_apps_permission: for permission_name, permission_infos in old_apps_permission.items():
# FIXME : will come here later to fix this following previous commits ... app_name = permission_name.split(".")[0]
permission_name, app_name = per['cn'][0].split('.')
if _is_installed(app_name): if _is_installed(app_name):
if not ldap.add('cn=%s,ou=permission' % per['cn'][0], per): permission_create(permission_name, urls=permission_infos["urls"], sync_perm=False)
raise YunohostError('apps_permission_restoration_failed', permission=permission_name, app=app_name) user_permission_update(permission_name, remove="all_users", add=permission_infos["allowed"])
def _restore_apps(self): def _restore_apps(self):
@ -1368,6 +1358,10 @@ class RestoreManager():
restore_script = os.path.join(tmp_folder_for_app_restore, 'restore') restore_script = os.path.join(tmp_folder_for_app_restore, 'restore')
# Restore permissions # Restore permissions
#
# FIXME : why can't we instead use a simple yaml file to store the
# relevant info and recreate the permission object from it ...
#
if os.path.isfile(app_settings_in_archive + '/permission.ldif'): if os.path.isfile(app_settings_in_archive + '/permission.ldif'):
filtred_entries = ['entryUUID', 'creatorsName', 'createTimestamp', 'entryCSN', 'structuralObjectClass', filtred_entries = ['entryUUID', 'creatorsName', 'createTimestamp', 'entryCSN', 'structuralObjectClass',
'modifiersName', 'modifyTimestamp', 'inheritPermission', 'memberUid'] 'modifiersName', 'modifyTimestamp', 'inheritPermission', 'memberUid']
@ -1422,7 +1416,6 @@ class RestoreManager():
operation_logger.start() operation_logger.start()
# Execute remove script # Execute remove script
# TODO: call app_remove instead
if hook_exec(remove_script, args=[app_instance_name], if hook_exec(remove_script, args=[app_instance_name],
env=env_dict_remove)[0] != 0: env=env_dict_remove)[0] != 0:
msg = m18n.n('app_not_properly_removed', app=app_instance_name) msg = m18n.n('app_not_properly_removed', app=app_instance_name)
@ -1434,12 +1427,10 @@ class RestoreManager():
# Cleaning app directory # Cleaning app directory
shutil.rmtree(app_settings_new_path, ignore_errors=True) shutil.rmtree(app_settings_new_path, ignore_errors=True)
# Remove all permission in LDAP # Remove all permission in LDAP for this app
result = ldap.search(base='ou=permission,dc=yunohost,dc=org', for permission_name in user_permission_list()["permissions"].keys():
filter='(&(objectclass=permissionYnh)(cn=*.%s))' % app_instance_name, attrs=['cn']) if permission_name.startswith(app_instance_name+"."):
permission_list = [p['cn'][0] for p in result] permission_delete(permission_name, force=True)
for l in permission_list:
permission_delete(app_instance_name, l.split('.')[0], force=True)
# TODO Cleaning app hooks # TODO Cleaning app hooks
else: else:

9
src/yunohost/permission.py
View file

@ -36,6 +36,8 @@ from yunohost.log import is_unit_operation
logger = getActionLogger('yunohost.user') logger = getActionLogger('yunohost.user')
SYSTEM_PERMS = ["mail", "xmpp", "stfp"]
# #
# #
# The followings are the methods exposed through the "yunohost user permission" interface # The followings are the methods exposed through the "yunohost user permission" interface
@ -43,7 +45,7 @@ logger = getActionLogger('yunohost.user')
# #
def user_permission_list(short=False, full=False): def user_permission_list(short=False, full=False, ignore_system_perms=True):
""" """
List permissions and corresponding accesses List permissions and corresponding accesses
""" """
@ -62,8 +64,11 @@ def user_permission_list(short=False, full=False):
for infos in permissions_infos: for infos in permissions_infos:
name = infos['cn'][0] name = infos['cn'][0]
permissions[name] = {}
if ignore_system_perms and name.split(".")[0] in SYSTEM_PERMS:
continue
permissions[name] = {}
permissions[name]["allowed"] = [_ldap_path_extract(p, "cn") for p in infos.get('groupPermission', [])] permissions[name]["allowed"] = [_ldap_path_extract(p, "cn") for p in infos.get('groupPermission', [])]
if full: if full: