YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Make the PEP gods happy

Browse source
This commit is contained in:
Alexandre Aubin 2019-03-05 03:13:14 +01:00
parent 650232b1c3
commit bca4e39b24
3 changed files with 50 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/yunohost/data_migrations/0009_setup_group_permission.py
View file

@ -1,7 +1,6 @@
import yaml import yaml
import time import time
import os import os
import shutil
from moulinette import m18n from moulinette import m18n
from moulinette.core import init_authenticator from moulinette.core import init_authenticator
@ -9,8 +8,7 @@ from yunohost.utils.error import YunohostError
from moulinette.utils.log import getActionLogger from moulinette.utils.log import getActionLogger
from yunohost.tools import Migration from yunohost.tools import Migration
from yunohost.utils.filesystem import free_space_in_directory, space_used_by_directory from yunohost.user import user_group_add, user_group_update
from yunohost.user import user_list, user_group_add, user_group_update
from yunohost.app import app_setting, app_list from yunohost.app import app_setting, app_list
from yunohost.service import service_regen_conf from yunohost.service import service_regen_conf
from yunohost.permission import permission_add, permission_sync_to_user from yunohost.permission import permission_add, permission_sync_to_user
@ -22,6 +20,7 @@ logger = getActionLogger('yunohost.migration')
# Tools used also for restoration # Tools used also for restoration
################################################### ###################################################
def migrate_LDAP_db(auth): def migrate_LDAP_db(auth):
logger.info(m18n.n("migration_0009_update_LDAP_database")) logger.info(m18n.n("migration_0009_update_LDAP_database"))
try: try:
@ -46,7 +45,7 @@ def migrate_LDAP_db(auth):
logger.info(m18n.n("migration_0009_create_group")) logger.info(m18n.n("migration_0009_create_group"))
#Create a group for each yunohost user # Create a group for each yunohost user
user_list = auth.search('ou=users,dc=yunohost,dc=org', user_list = auth.search('ou=users,dc=yunohost,dc=org',
'(&(objectclass=person)(!(uid=root))(!(uid=nobody)))', '(&(objectclass=person)(!(uid=root))(!(uid=nobody)))',
['uid', 'uidNumber']) ['uid', 'uidNumber'])
@ -116,7 +115,7 @@ class MyMigration(Migration):
'user_rdn': 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'} 'user_rdn': 'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'}
auth = init_authenticator(AUTH_IDENTIFIER, AUTH_PARAMETERS) auth = init_authenticator(AUTH_IDENTIFIER, AUTH_PARAMETERS)
#Update LDAP database # Update LDAP database
migrate_LDAP_db(auth) migrate_LDAP_db(auth)
# Migrate permission # Migrate permission
@ -126,7 +125,7 @@ class MyMigration(Migration):
except Exception as e: except Exception as e:
logger.warn(m18n.n("migration_0009_migration_failed_trying_to_rollback")) logger.warn(m18n.n("migration_0009_migration_failed_trying_to_rollback"))
os.system("systemctl stop slapd") os.system("systemctl stop slapd")
os.system("rm -r /etc/ldap/slapd.d") # To be sure that we don't keep some part of the old config os.system("rm -r /etc/ldap/slapd.d") # To be sure that we don't keep some part of the old config
os.system("cp -r --preserve %s/ldap_config/. /etc/ldap/" % backup_folder) os.system("cp -r --preserve %s/ldap_config/. /etc/ldap/" % backup_folder)
os.system("cp -r --preserve %s/ldap_db/. /var/lib/ldap/" % backup_folder) os.system("cp -r --preserve %s/ldap_db/. /var/lib/ldap/" % backup_folder)
os.system("cp -r --preserve %s/apps_settings/. /etc/yunohost/apps/" % backup_folder) os.system("cp -r --preserve %s/apps_settings/. /etc/yunohost/apps/" % backup_folder)

47
src/yunohost/permission.py
View file

@ -30,11 +30,12 @@ import random
from moulinette import m18n from moulinette import m18n
from moulinette.utils.log import getActionLogger from moulinette.utils.log import getActionLogger
from yunohost.utils.error import YunohostError from yunohost.utils.error import YunohostError
from yunohost.user import user_list, user_group_list from yunohost.user import user_list
from yunohost.log import is_unit_operation from yunohost.log import is_unit_operation
logger = getActionLogger('yunohost.user') logger = getActionLogger('yunohost.user')
def user_permission_list(auth, app=None, permission=None, username=None, group=None): def user_permission_list(auth, app=None, permission=None, username=None, group=None):
""" """
List permission for specific application List permission for specific application
@ -47,8 +48,6 @@ def user_permission_list(auth, app=None, permission=None, username=None, group=N
""" """
user_l = user_list(auth, ['uid'])['users']
permission_attrs = [ permission_attrs = [
'cn', 'cn',
'groupPermission', 'groupPermission',
@ -86,20 +85,20 @@ def user_permission_list(auth, app=None, permission=None, username=None, group=N
for u in res['inheritPermission']: for u in res['inheritPermission']:
user_name.append(u.split("=")[1].split(",")[0]) user_name.append(u.split("=")[1].split(",")[0])
# Don't show the result if the user diffined a specific permission, user or group # Don't show the result if the user defined a specific permission, user or group
if app and not app_name in app: if app and app_name not in app:
continue continue
if permission and not permission_name in permission: if permission and permission_name not in permission:
continue continue
if username[0] and not set(username) & set(user_name): if username[0] and not set(username) & set(user_name):
continue continue
if group[0] and not set(group) & set(group_name): if group[0] and not set(group) & set(group_name):
continue continue
if not app_name in permissions: if app_name not in permissions:
permissions[app_name] = {} permissions[app_name] = {}
permissions[app_name][permission_name] = {'allowed_users':[], 'allowed_groups':[]} permissions[app_name][permission_name] = {'allowed_users': [], 'allowed_groups': []}
for g in group_name: for g in group_name:
permissions[app_name][permission_name]['allowed_groups'].append(g) permissions[app_name][permission_name]['allowed_groups'].append(g)
for u in user_name: for u in user_name:
@ -160,16 +159,16 @@ def user_permission_update(operation_logger, auth, app=[], permission=None, add_
# Validate that the group exist # Validate that the group exist
for g in add_group: for g in add_group:
if not g in user_group_list(auth, ['cn'])['groups']: if g not in user_group_list(auth, ['cn'])['groups']:
raise YunohostError('group_unknown', group=g) raise YunohostError('group_unknown', group=g)
for u in add_username: for u in add_username:
if not u in user_list(auth, ['uid'])['users']: if u not in user_list(auth, ['uid'])['users']:
raise YunohostError('user_unknown', user=u) raise YunohostError('user_unknown', user=u)
for g in del_group: for g in del_group:
if not g in user_group_list(auth, ['cn'])['groups']: if g not in user_group_list(auth, ['cn'])['groups']:
raise YunohostError('group_unknown', group=g) raise YunohostError('group_unknown', group=g)
for u in del_username: for u in del_username:
if not u in user_list(auth, ['uid'])['users']: if u not in user_list(auth, ['uid'])['users']:
raise YunohostError('user_unknown', user=u) raise YunohostError('user_unknown', user=u)
# Merge user and group (note that we consider all user as a group) # Merge user and group (note that we consider all user as a group)
@ -193,7 +192,7 @@ def user_permission_update(operation_logger, auth, app=[], permission=None, add_
for a in app: for a in app:
for per in permission: for per in permission:
permission_name = per + '.' + a permission_name = per + '.' + a
if not permission_name in result: if permission_name not in result:
raise YunohostError('permission_not_found', permission=per, app=a) raise YunohostError('permission_not_found', permission=per, app=a)
new_per_dict[permission_name] = set() new_per_dict[permission_name] = set()
if 'groupPermission' in result[permission_name]: if 'groupPermission' in result[permission_name]:
@ -203,7 +202,7 @@ def user_permission_update(operation_logger, auth, app=[], permission=None, add_
if 'cn=all_users,ou=groups,dc=yunohost,dc=org' in new_per_dict[permission_name]: if 'cn=all_users,ou=groups,dc=yunohost,dc=org' in new_per_dict[permission_name]:
raise YunohostError('need_define_permission_before') raise YunohostError('need_define_permission_before')
group_name = 'cn=' + g + ',ou=groups,dc=yunohost,dc=org' group_name = 'cn=' + g + ',ou=groups,dc=yunohost,dc=org'
if not group_name in new_per_dict[permission_name]: if group_name not in new_per_dict[permission_name]:
logger.warning(m18n.n('group_already_disallowed', permission=per, app=a, group=g)) logger.warning(m18n.n('group_already_disallowed', permission=per, app=a, group=g))
else: else:
new_per_dict[permission_name].remove(group_name) new_per_dict[permission_name].remove(group_name)
@ -287,11 +286,11 @@ def user_permission_clear(operation_logger, auth, app=[], permission=None, sync_
for a in app: for a in app:
for per in permission: for per in permission:
permission_name = per + '.' + a permission_name = per + '.' + a
if not permission_name in result: if permission_name not in result:
raise YunohostError('permission_not_found', permission=per, app=a) raise YunohostError('permission_not_found', permission=per, app=a)
if 'groupPermission' in result[permission_name] and 'cn=all_users,ou=groups,dc=yunohost,dc=org' in result[permission_name]['groupPermission']: if 'groupPermission' in result[permission_name] and 'cn=all_users,ou=groups,dc=yunohost,dc=org' in result[permission_name]['groupPermission']:
logger.warning(m18n.n('permission_already_clear', permission=per, app=a)) logger.warning(m18n.n('permission_already_clear', permission=per, app=a))
continue continue
if auth.update('cn=%s,ou=permission' % permission_name, default_permission): if auth.update('cn=%s,ou=permission' % permission_name, default_permission):
logger.success(m18n.n('permission_updated', permission=per, app=a)) logger.success(m18n.n('permission_updated', permission=per, app=a))
else: else:
@ -311,7 +310,7 @@ def user_permission_clear(operation_logger, auth, app=[], permission=None, sync_
return user_permission_list(auth, app, permission) return user_permission_list(auth, app, permission)
@is_unit_operation(['permission','app']) @is_unit_operation(['permission', 'app'])
def permission_add(operation_logger, auth, app, permission, urls=None, default_allow=True, sync_perm=True): def permission_add(operation_logger, auth, app, permission, urls=None, default_allow=True, sync_perm=True):
""" """
Create a new permission for a specific application Create a new permission for a specific application
@ -325,7 +324,7 @@ def permission_add(operation_logger, auth, app, permission, urls=None, default_a
from yunohost.domain import _normalize_domain_path from yunohost.domain import _normalize_domain_path
# Validate uniqueness of permission in LDAP # Validate uniqueness of permission in LDAP
permission_name = str(permission + '.' + app) # str(...) Fix encoding issue permission_name = str(permission + '.' + app) # str(...) Fix encoding issue
conflict = auth.get_conflict({ conflict = auth.get_conflict({
'cn': permission_name 'cn': permission_name
}, base_dn='ou=permission,dc=yunohost,dc=org') }, base_dn='ou=permission,dc=yunohost,dc=org')
@ -366,7 +365,7 @@ def permission_add(operation_logger, auth, app, permission, urls=None, default_a
raise YunohostError('permission_creation_failed') raise YunohostError('permission_creation_failed')
@is_unit_operation(['permission','app']) @is_unit_operation(['permission', 'app'])
def permission_update(operation_logger, auth, app, permission, add_url=None, remove_url=None, sync_perm=True): def permission_update(operation_logger, auth, app, permission, add_url=None, remove_url=None, sync_perm=True):
""" """
Update a permission for a specific application Update a permission for a specific application
@ -380,7 +379,7 @@ def permission_update(operation_logger, auth, app, permission, add_url=None, rem
""" """
from yunohost.domain import _normalize_domain_path from yunohost.domain import _normalize_domain_path
permission_name = str(permission + '.' + app) # str(...) Fix encoding issue permission_name = str(permission + '.' + app) # str(...) Fix encoding issue
# Populate permission informations # Populate permission informations
result = auth.search(base='ou=permission,dc=yunohost,dc=org', result = auth.search(base='ou=permission,dc=yunohost,dc=org',
@ -389,7 +388,7 @@ def permission_update(operation_logger, auth, app, permission, add_url=None, rem
raise YunohostError('permission_not_found', permission=permission, app=app) raise YunohostError('permission_not_found', permission=permission, app=app)
permission_obj = result[0] permission_obj = result[0]
if not 'URL' in permission_obj: if 'URL' not in permission_obj:
permission_obj['URL'] = [] permission_obj['URL'] = []
url = set(permission_obj['URL']) url = set(permission_obj['URL'])
@ -412,7 +411,7 @@ def permission_update(operation_logger, auth, app, permission, add_url=None, rem
return user_permission_list(auth, app, permission) return user_permission_list(auth, app, permission)
operation_logger.start() operation_logger.start()
if auth.update('cn=%s,ou=permission' % permission_name, {'cn':permission_name, 'URL': url}): if auth.update('cn=%s,ou=permission' % permission_name, {'cn': permission_name, 'URL': url}):
if sync_perm: if sync_perm:
permission_sync_to_user(auth) permission_sync_to_user(auth)
logger.success(m18n.n('permission_updated', permission=permission, app=app)) logger.success(m18n.n('permission_updated', permission=permission, app=app))
@ -421,7 +420,7 @@ def permission_update(operation_logger, auth, app, permission, add_url=None, rem
raise YunohostError('premission_update_failed') raise YunohostError('premission_update_failed')
@is_unit_operation(['permission','app']) @is_unit_operation(['permission', 'app'])
def permission_remove(operation_logger, auth, app, permission, force=False, sync_perm=True): def permission_remove(operation_logger, auth, app, permission, force=False, sync_perm=True):
""" """
Remove a permission for a specific application Remove a permission for a specific application

37
src/yunohost/user.py
View file

@ -209,7 +209,7 @@ def user_create(operation_logger, auth, username, firstname, lastname, mail, pas
except subprocess.CalledProcessError: except subprocess.CalledProcessError:
if not os.path.isdir('/home/{0}'.format(username)): if not os.path.isdir('/home/{0}'.format(username)):
logger.warning(m18n.n('user_home_creation_failed'), logger.warning(m18n.n('user_home_creation_failed'),
exc_info=1) exc_info=1)
# Create group for user and add to group 'all_users' # Create group for user and add to group 'all_users'
user_group_add(auth, groupname=username, gid=uid, sync_perm=False) user_group_add(auth, groupname=username, gid=uid, sync_perm=False)
@ -220,7 +220,7 @@ def user_create(operation_logger, auth, username, firstname, lastname, mail, pas
logger.success(m18n.n('user_created')) logger.success(m18n.n('user_created'))
hook_callback('post_user_create', hook_callback('post_user_create',
args=[username, mail, password, firstname, lastname]) args=[username, mail, password, firstname, lastname])
return {'fullname': fullname, 'username': username, 'mail': mail} return {'fullname': fullname, 'username': username, 'mail': mail}
@ -469,10 +469,10 @@ def user_info(auth, username):
else: else:
raise YunohostError('user_info_failed') raise YunohostError('user_info_failed')
# #
# Group subcategory # Group subcategory
# #
#
def user_group_list(auth, fields=None): def user_group_list(auth, fields=None):
""" """
List users List users
@ -485,9 +485,9 @@ def user_group_list(auth, fields=None):
""" """
group_attr = { group_attr = {
'cn' : 'groupname', 'cn': 'groupname',
'member' : 'members', 'member': 'members',
'permission' : 'permission' 'permission': 'permission'
} }
attrs = ['cn'] attrs = ['cn']
groups = {} groups = {}
@ -531,11 +531,12 @@ def user_group_list(auth, fields=None):
groupname = entry[group_attr['cn']] groupname = entry[group_attr['cn']]
groups[groupname] = entry groups[groupname] = entry
return {'groups' : groups}
return {'groups': groups}
@is_unit_operation([('groupname', 'user')]) @is_unit_operation([('groupname', 'user')])
def user_group_add(operation_logger, auth, groupname,gid=None, sync_perm=True): def user_group_add(operation_logger, auth, groupname, gid=None, sync_perm=True):
""" """
Create group Create group
@ -645,7 +646,7 @@ def user_group_update(operation_logger, auth, groupname, add_user=None, remove_u
add_user = [add_user] add_user = [add_user]
for user in add_user: for user in add_user:
if not user in existing_users: if user not in existing_users:
raise YunohostError('user_unknown', user=user) raise YunohostError('user_unknown', user=user)
for user in add_user: for user in add_user:
@ -717,38 +718,44 @@ def user_group_info(auth, groupname):
result_dict['member'] = {m.split("=")[1].split(",")[0] for m in group['member']} result_dict['member'] = {m.split("=")[1].split(",")[0] for m in group['member']}
return result_dict return result_dict
# #
# Permission subcategory # Permission subcategory
# #
#
import yunohost.permission
def user_permission_list(auth, app=None, permission=None, username=None, group=None, sync_perm=True): def user_permission_list(auth, app=None, permission=None, username=None, group=None, sync_perm=True):
import yunohost.permission
return yunohost.permission.user_permission_list(auth, app, permission, username, group) return yunohost.permission.user_permission_list(auth, app, permission, username, group)
@is_unit_operation([('app', 'user')]) @is_unit_operation([('app', 'user')])
def user_permission_add(operation_logger, auth, app, permission="main", username=None, group=None, sync_perm=True): def user_permission_add(operation_logger, auth, app, permission="main", username=None, group=None, sync_perm=True):
import yunohost.permission
return yunohost.permission.user_permission_update(operation_logger, auth, app, permission=permission, return yunohost.permission.user_permission_update(operation_logger, auth, app, permission=permission,
add_username=username, add_group=group, add_username=username, add_group=group,
del_username=None, del_group=None, del_username=None, del_group=None,
sync_perm=sync_perm) sync_perm=sync_perm)
@is_unit_operation([('app', 'user')]) @is_unit_operation([('app', 'user')])
def user_permission_remove(operation_logger, auth, app, permission="main", username=None, group=None, sync_perm=True): def user_permission_remove(operation_logger, auth, app, permission="main", username=None, group=None, sync_perm=True):
import yunohost.permission
return yunohost.permission.user_permission_update(operation_logger, auth, app, permission=permission, return yunohost.permission.user_permission_update(operation_logger, auth, app, permission=permission,
add_username=None, add_group=None, add_username=None, add_group=None,
del_username=username, del_group=group, del_username=username, del_group=group,
sync_perm=sync_perm) sync_perm=sync_perm)
@is_unit_operation([('app', 'user')]) @is_unit_operation([('app', 'user')])
def user_permission_clear(operation_logger, auth, app, permission=None, sync_perm=True): def user_permission_clear(operation_logger, auth, app, permission=None, sync_perm=True):
import yunohost.permission
return yunohost.permission.user_permission_clear(operation_logger, auth, app, permission, return yunohost.permission.user_permission_clear(operation_logger, auth, app, permission,
sync_perm=sync_perm) sync_perm=sync_perm)
# #
# SSH subcategory # SSH subcategory
# #
#
import yunohost.ssh import yunohost.ssh