From dfc37a48c382c7adf6cb2e1dcecf63d2baa580d6 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 2 Jan 2022 03:30:57 +0100 Subject: [PATCH] manifestv2: forget about webpath ressource, replace with permissions ressource --- src/app.py | 69 +++++++++----------- src/utils/resources.py | 142 ++++++++++++++++++++++++++--------------- 2 files changed, 119 insertions(+), 92 deletions(-) diff --git a/src/app.py b/src/app.py index d2aa0fa65..5e67f620b 100644 --- a/src/app.py +++ b/src/app.py @@ -859,13 +859,13 @@ def app_install( # If packaging_format v2+, save all install questions as settings if packaging_format >= 2: - for arg_name, arg_value in args.items(): + for question in questions: - # ... except is_public .... - if arg_name == "is_public": + # Except user-provider passwords + if question.type == "password": continue - app_settings[arg_name] = arg_value + app_settings[question.name] = question.value _set_app_settings(app_instance_name, app_settings) @@ -878,36 +878,27 @@ def app_install( recursive=True, ) - # Initialize the main permission for the app - # The permission is initialized with no url associated, and with tile disabled - # For web app, the root path of the app will be added as url and the tile - # will be enabled during the app install. C.f. 'app_register_url()' below - # or the webpath resource - if packaging_format >= 2: - if args.get("init_permission_main"): - init_main_perm_allowed = args.get("init_permission_main") - else: - init_main_perm_allowed = ["visitors"] if not args.get("is_public") else ["all_users"] - - else: - init_main_perm_allowed = ["all_users"] - - permission_create( - app_instance_name + ".main", - allowed=init_main_perm_allowed, - label=label if label else manifest["name"], - show_tile=False, - protected=False, - ) - if packaging_format >= 2: from yunohost.utils.resources import AppResourceManager try: - AppResourceManager(app_instance_name, wanted=manifest["resources"], current={}).apply() + AppResourceManager(app_instance_name, wanted=manifest, current={}).apply() except Exception: # FIXME : improve error handling .... - AppResourceManager(app_instance_name, wanted={}, current=manifest["resources"]).apply() + AppResourceManager(app_instance_name, wanted={}, current=manifest).apply() raise + else: + # Initialize the main permission for the app + # The permission is initialized with no url associated, and with tile disabled + # For web app, the root path of the app will be added as url and the tile + # will be enabled during the app install. C.f. 'app_register_url()' below + # or the webpath resource + permission_create( + app_instance_name + ".main", + allowed=["all_users"], + label=label if label else manifest["name"], + show_tile=False, + protected=False, + ) # Prepare env. var. to pass to script env_dict = _make_environment_for_app_script( @@ -1008,15 +999,15 @@ def app_install( if packaging_format >= 2: from yunohost.utils.resources import AppResourceManager try: - AppResourceManager(app_instance_name, wanted={}, current=manifest["resources"]).apply() + AppResourceManager(app_instance_name, wanted={}, current=manifest).apply() except Exception: # FIXME : improve error handling .... raise - - # Remove all permission in LDAP - for permission_name in user_permission_list()["permissions"].keys(): - if permission_name.startswith(app_instance_name + "."): - permission_delete(permission_name, force=True, sync_perm=False) + else: + # Remove all permission in LDAP + for permission_name in user_permission_list()["permissions"].keys(): + if permission_name.startswith(app_instance_name + "."): + permission_delete(permission_name, force=True, sync_perm=False) if remove_retcode != 0: msg = m18n.n("app_not_properly_removed", app=app_instance_name) @@ -1116,18 +1107,18 @@ def app_remove(operation_logger, app, purge=False): finally: shutil.rmtree(tmp_workdir_for_app) - # Remove all permission in LDAP - for permission_name in user_permission_list(apps=[app])["permissions"].keys(): - permission_delete(permission_name, force=True, sync_perm=False) - packaging_format = manifest["packaging_format"] if packaging_format >= 2: try: from yunohost.utils.resources import AppResourceManager - AppResourceManager(app, wanted={}, current=manifest["resources"]).apply() + AppResourceManager(app, wanted={}, current=manifest).apply() except Exception: # FIXME : improve error handling .... raise + else: + # Remove all permission in LDAP + for permission_name in user_permission_list(apps=[app])["permissions"].keys(): + permission_delete(permission_name, force=True, sync_perm=False) if os.path.exists(app_setting_path): shutil.rmtree(app_setting_path) diff --git a/src/utils/resources.py b/src/utils/resources.py index b0956a2d0..23c1a7a5a 100644 --- a/src/utils/resources.py +++ b/src/utils/resources.py @@ -41,29 +41,23 @@ class AppResourceManager: def __init__(self, app: str, current: Dict, wanted: Dict): self.app = app - self.current = current - self.wanted = wanted + self.current = current.get("resources", {}) + self.wanted = wanted.get("resources", {}) + + # c.f. the permission ressources where we need the app label >_> + self.wanted_manifest = wanted def apply(self, **context): - for name, infos in self.wanted.items(): - resource = AppResourceClassesByType[name](infos, self.app) - # FIXME: not a great place to check this because here - # we already started an operation - # We should find a way to validate this before actually starting - # the install procedure / theoperation log - if name not in self.current.keys(): - resource.validate_availability(context=context) - for name, infos in reversed(self.current.items()): if name not in self.wanted.keys(): - resource = AppResourceClassesByType[name](infos, self.app) + resource = AppResourceClassesByType[name](infos, self.app, self) # FIXME : i18n, better info strings logger.info(f"Deprovisionning {name} ...") resource.deprovision(context=context) for name, infos in self.wanted.items(): - resource = AppResourceClassesByType[name](infos, self.app) + resource = AppResourceClassesByType[name](infos, self.app, self) if name not in self.current.keys(): # FIXME : i18n, better info strings logger.info(f"Provisionning {name} ...") @@ -75,9 +69,10 @@ class AppResourceManager: class AppResource: - def __init__(self, properties: Dict[str, Any], app: str): + def __init__(self, properties: Dict[str, Any], app: str, manager: str): self.app = app + self.manager = manager for key, value in self.default_properties.items(): if isinstance(value, str): @@ -101,9 +96,6 @@ class AppResource: from yunohost.app import app_setting app_setting(self.app, key, delete=True) - def validate_availability(self, context: Dict): - pass - def _run_script(self, action, script, env={}, user="root"): from yunohost.app import _make_tmp_workdir_for_app, _make_environment_for_app_script @@ -131,7 +123,7 @@ ynh_abort_if_errors #print(ret) -class WebpathResource(AppResource): +class PermissionsResource(AppResource): """ is_provisioned -> main perm exists is_available -> perm urls do not conflict @@ -147,38 +139,98 @@ class WebpathResource(AppResource): restore -> handled by the core, should be integrated in there (restore .ldif/yml?) """ - type = "webpath" + type = "permissions" priority = 10 default_properties = { - "full_domain": False, } - def validate_availability(self, context): + default_perm_properties = { + "url": None, + "additional_urls": [], + "auth_header": True, + "allowed": None, + "show_tile": None, # To be automagically set to True by default if an url is defined and show_tile not provided + "protected": False, + } - from yunohost.app import _assert_no_conflicting_apps - domain = self.get_setting("domain") - path = self.get_setting("path") if not self.full_domain else "/" - _assert_no_conflicting_apps(domain, path, ignore_app=self.app) + def __init__(self, properties: Dict[str, Any], *args, **kwargs): + + for perm, infos in properties.items(): + properties[perm] = copy.copy(self.default_perm_properties) + properties[perm].update(infos) + if properties[perm]["show_tile"] is None: + properties[perm]["show_tile"] = bool(properties[perm]["url"]) + + if isinstance(properties["main"]["url"], str) and properties["main"]["url"] != "/": + raise YunohostError("URL for the 'main' permission should be '/' for webapps (or undefined/None for non-webapps). Note that / refers to the install url of the app") + + super().__init__({"permissions": properties}, *args, **kwargs) def provision_or_update(self, context: Dict): from yunohost.permission import ( - permission_url, + permission_create, + #permission_url, + permission_delete, + user_permission_list, user_permission_update, permission_sync_to_user, ) - if context.get("action") == "install": - permission_url(f"{self.app}.main", url="/", sync_perm=False) - user_permission_update(f"{self.app}.main", show_tile=True, sync_perm=False) - permission_sync_to_user() + # Delete legacy is_public setting if not already done + self.delete_setting(f"is_public") + + existing_perms = user_permission_list(short=True, apps=[self.app])["permissions"] + for perm in existing_perms: + if perm.split(".") not in self.permissions.keys(): + permission_delete(perm, force=True, sync_perm=False) + + for perm, infos in self.permissions.items(): + if f"{self.app}.{perm}" not in existing_perms: + # Use the 'allowed' key from the manifest, + # or use the 'init_{perm}_permission' from the install questions + # which is temporarily saved as a setting as an ugly hack to pass the info to this piece of code... + init_allowed = infos["allowed"] or self.get_setting(f"init_{perm}_permission") or [] + permission_create( + f"{self.app}.{perm}", + allowed=init_allowed, + # This is why the ugly hack with self.manager and wanted_manifest exists >_> + label=self.manager.wanted_manifest["name"] if perm == "main" else perm, + url=infos["url"], + additional_urls=infos["additional_urls"], + auth_header=infos["auth_header"], + sync_perm=False, + ) + self.delete_setting(f"init_{perm}_permission") + + user_permission_update( + f"{self.app}.{perm}", + show_tile=infos["show_tile"], + protected=infos["protected"], + sync_perm=False + ) + else: + pass + # FIXME : current implementation of permission_url is hell for + # easy declarativeness of additional_urls >_> ... + #permission_url(f"{self.app}.{perm}", url=infos["url"], auth_header=infos["auth_header"], sync_perm=False) + + permission_sync_to_user() def deprovision(self, context: Dict): - self.delete_setting("domain") - self.delete_setting("path") - # FIXME : theoretically here, should also remove the url in the main permission ? - # but is that worth the trouble ? + + from yunohost.permission import ( + permission_delete, + user_permission_list, + permission_sync_to_user, + ) + + existing_perms = user_permission_list(short=True, apps=[self.app])["permissions"] + for perm in existing_perms: + permission_delete(perm, force=True, sync_perm=False) + + permission_sync_to_user() class SystemuserAppResource(AppResource): @@ -205,19 +257,11 @@ class SystemuserAppResource(AppResource): "allow_sftp": [] } - def validate_availability(self, context): - pass - # FIXME : do we care if user already exists ? shouldnt we assume that user $app corresponds to the app ...? - - # FIXME : but maybe we should at least check that no corresponding yunohost user exists - - #if os.system(f"getent passwd {self.username} &>/dev/null") != 0: - # raise YunohostValidationError(f"User {self.username} already exists") - #if os.system(f"getent group {self.username} &>/dev/null") != 0: - # raise YunohostValidationError(f"Group {self.username} already exists") - def provision_or_update(self, context: Dict): + # FIXME : validate that no yunohost user exists with that name? + # and/or that no system user exists during install ? + if not check_output(f"getent passwd {self.app} &>/dev/null || true").strip(): # FIXME: improve error handling ? cmd = f"useradd --system --user-group {self.app}" @@ -291,9 +335,6 @@ class InstalldirAppResource(AppResource): # FIXME: change default dir to /opt/stuff if app ain't a webapp ... # FIXME: what do in a scenario where the location changed - def validate_availability(self, context): - pass - def provision_or_update(self, context: Dict): current_install_dir = self.get_setting("install_dir") @@ -354,11 +395,6 @@ class DatadirAppResource(AppResource): "group": "__APP__:rx", } - def validate_availability(self, context): - pass - # Nothing to do ? If datadir already exists then it may be legit data - # from a previous install - def provision_or_update(self, context: Dict): current_data_dir = self.get_setting("data_dir")