YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Migrate old skipped,unprotected,protected_uris and create permission instead

Browse source
This commit is contained in:
Josué Tille 2020-04-02 16:17:48 +02:00
parent 03bc568276
commit fe5ca24222
No known key found for this signature in database
GPG key ID: 716A6C99B04194EF
4 changed files with 76 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
data/helpers.d/setting
View file

@ -1,5 +1,7 @@
#!/bin/bash
migrate_to_permission_deprecitated_warning="/!\\ Packagers! This app is still using the skipped/protected/unprotected_uris/regex settings which are now obsolete and deprecated... Instead, you should use the new helpers 'ynh_permission_{create,urls,update,delete}' and the 'visitors' group to initialize the public/private access. Check out the documentation at the bottom of yunohost.org/groups_and_permissions to learn how to use the new permission mechanism.\n"
# Get an application setting
#
# usage: ynh_app_setting_get --app=app --key=key
@ -66,7 +68,7 @@ ynh_app_setting_delete() {
#
ynh_app_setting()
{
if [[ "$1" == "delete" ]] && [[ "$3" =~ ^(unprotected|skipped)_ ]]
if [[ "$1" == "delete" ]] && [[ "$3" =~ ^(unprotected|skipped)_ ]]
then
current_value=$(ynh_app_setting_get --app=$app --key=$3)
fi
@ -89,8 +91,6 @@ else:
elif action == "set":
if key in ['redirected_urls', 'redirected_regex']:
value = yaml.load(value)
if any(key.startswith(word+"_") for word in ["unprotected", "protected", "skipped"]):
sys.stderr.write("/!\\ Packagers! This app is still using the skipped/protected/unprotected_uris/regex settings which are now obsolete and deprecated... Instead, you should use the new helpers 'ynh_permission_{create,urls,update,delete}' and the 'visitors' group to initialize the public/private access. Check out the documentation at the bottom of yunohost.org/groups_and_permissions to learn how to use the new permission mechanism.\n")
settings[key] = value
else:
raise ValueError("action should either be get, set or delete")
@ -102,12 +102,23 @@ EOF
# We need this because app temporarily set the app as unprotected to configure it with curl...
if [[ "$3" =~ ^(unprotected|skipped)_ ]]
then
if [[ "$1" == "set" ]] && [[ "${4:-}" == "/" ]]
if [[ "$1" == "delete" ]]
then
ynh_permission_update --permission "main" --add "visitors"
elif [[ "$1" == "delete" ]] && [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]]
then
ynh_permission_update --permission "main" --remove "visitors"
if [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]]
then
ynh_permission_update --permission "main" --remove "visitors"
else
if [ "$3" == "skipped_uris" ] && ynh_permission_exists --permission legacy_skipped_uris
then
ynh_permission_delete --permission legacy_skipped_uris
elif [ "$3" == "unprotected_uris" ] && ynh_permission_exists --permission legacy_unprotected_uris
then
ynh_permission_delete --permission legacy_unprotected_uris
elif [ "$3" == "protected_uris" ] && ynh_permission_exists --permission legacy_protected_uris
then
ynh_permission_delete --permission legacy_protected_uris
fi
fi
fi
fi
}
@ -253,7 +264,7 @@ ynh_permission_create() {
protected=",protected=False"
fi
fi
yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('$app.$permission' $url $additional_urls $auth_header $allowed $label $show_tile $protected , sync_perm=False)"
}
@ -294,7 +305,7 @@ ynh_permission_exists() {
# Redefine the url associated to a permission
#
# usage: ynh_permission_url --permission "permission" [--url "url"] [--add_url "new-url" [ "other-new-url" ]] [--remove_url "old-url" [ "other-old-url"]]
# usage: ynh_permission_url --permission "permission" [--url "url"] [--add_url "new-url" [ "other-new-url" ]] [--remove_url "old-url" [ "other-old-url"]]
# [--auth_header true|false][--clear_urls]
# | arg: permission - the name for the permission (by default a permission named "main" is removed automatically when the app is removed)
# | arg: url - (optional) URL for which access will be allowed/forbidden.

92
src/yunohost/app.py
View file

@ -1245,98 +1245,6 @@ def app_ssowatconf():
app_settings = read_yaml(APPS_SETTING_PATH + app + '/settings.yml')
## BEGIN Legacy part ##
if 'domain' not in app_settings:
continue
if 'path' not in app_settings:
continue
# This 'no_sso' settings sound redundant to not having $path defined ....
# At least from what I can see, all apps using it don't have a path defined ...
if 'no_sso' in app_settings:
continue
domain = app_settings['domain']
path = app_settings['path'].rstrip('/')
def _sanitized_absolute_url(perm_url):
# Nominal case : url is relative to the app's path
if perm_url.startswith("/"):
perm_domain = domain
perm_path = path + perm_url.rstrip("/")
# Otherwise, the urls starts with a domain name, like domain.tld/foo/bar
# We want perm_domain = domain.tld and perm_path = "/foo/bar"
else:
perm_domain, perm_path = perm_url.split("/", 1)
perm_path = "/" + perm_path.rstrip("/")
perm_path = perm_path if perm_path.strip() != "" else "/"
return perm_domain + perm_path
# Skipped
skipped_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'skipped_uris')]
skipped_urls += ['re:' + regex for regex in _get_setting(app_settings, 'skipped_regex')]
# Legacy permission system using (un)protected_uris and _regex managed in app settings...
unprotected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'unprotected_uris')]
protected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'protected_uris')]
unprotected_urls += ['re:' + regex for regex in _get_setting(app_settings, 'unprotected_regex')]
protected_urls += ['re:' + regex for regex in _get_setting(app_settings, 'protected_regex')]
if skipped_urls == [] and unprotected_urls == [] and protected_urls == []:
continue
# Manage compatibility with old protected, unprotected, skipped urls !!
this_app_perms = {name: info for name, info in all_permissions.items() if name.startswith(app + ".")}
for perm_name, perm_info in this_app_perms.items():
# Ignore permissions for which there's no url defined
if not perm_info["url"]:
continue
url = _sanitized_absolute_url(perm_info["url"])
perm_info["url"] = url
if "visitors" in perm_info["allowed"]:
# Legacy stuff : we remove now protected-urls that might have been declared as unprotected earlier...
protected_urls = [u for u in protected_urls if u != url]
else:
# Legacy stuff : we remove now unprotected-urls / skipped-urls that might have been declared as protected earlier...
unprotected_urls = [u for u in unprotected_urls if u != url]
skipped_urls = [u for u in skipped_urls if u != url]
# Create special permission for legacy apps
if skipped_urls != []:
permissions[app + ".legacy_skipped_urls"] = {
"users": [],
"label": "Legacy permission - skipped_urls for app :" + app,
"show_tile": False,
"auth_header": False,
"public": True,
"uris": skipped_urls
}
if unprotected_urls != []:
permissions[app + ".legacy_unprotected_urls"] = {
"users": all_permissions[app + '.main']['corresponding_users'],
"label": "Legacy permission - unprotected_urls for app :" + app,
"show_tile": False,
"auth_header": True,
"public": True,
"uris": unprotected_urls
}
if protected_urls != []:
permissions[app + ".legacy_protected_urls"] = {
"users": all_permissions[app + '.main']['corresponding_users'],
"label": "Legacy permission - protected_urls for app :" + app,
"show_tile": False,
"auth_header": True,
"public": False,
"uris": protected_urls
}
## END Legacy part ##
# Redirected
redirected_urls.update(app_settings.get('redirected_urls', {}))
redirected_regex.update(app_settings.get('redirected_regex', {}))

9
src/yunohost/backup.py
View file

@ -1292,6 +1292,7 @@ class RestoreManager():
restore_app_failed -- Raised if the restore bash script failed
"""
from yunohost.user import user_group_list
from yunohost.app import app_setting
from yunohost.permission import permission_create, permission_delete, user_permission_list, permission_sync_to_user
def copytree(src, dst, symlinks=False, ignore=None):
@ -1388,6 +1389,14 @@ class RestoreManager():
setup_group_permission = _get_migration_by_name("setup_group_permission")
setup_group_permission.migrate_app_permission(app=app_instance_name)
# Migrate old settings
if app_setting(app, 'skipped_uris') is not None or \
app_setting(app, 'unprotected_uris') is not None or \
app_setting(app, 'protected_uris') is not None:
from yunohost.tools import _get_migration_by_name
extends_permissions_features_1 = _get_migration_by_name("extends_permissions_features_1")
extends_permissions_features_1.migrate_skipped_unprotected_protected_uris(app=app_instance_name)
# Prepare env. var. to pass to script
env_dict = self._get_env_var(app_instance_name)

47
src/yunohost/data_migrations/0015_extends_permissions_features_1.py
View file

@ -76,6 +76,50 @@ class MyMigration(Migration):
})
def migrate_skipped_unprotected_protected_uris(self, app=None):
logger.info(m18n.n("migration_0015_migrate_old_app_settings"))
apps = _installed_apps()
if app:
if app not in apps:
logger.error("Can't migrate permission for app %s because it ain't installed..." % app)
apps = []
else:
apps = [app]
def _get_setting(app, name):
s = app_setting(app, name)
return s.split(',') if s else []
for app in apps:
skipped_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'skipped_uris')]
skipped_urls += ['re:' + regex for regex in app_setting(app, 'skipped_regex')]
unprotected_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'unprotected_uris')]
unprotected_urls += ['re:' + regex for regex in app_setting(app, 'unprotected_regex')]
protected_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'protected_uris')]
protected_urls += ['re:' + regex for regex in app_setting(app, 'protected_regex')]
if skipped_urls != []:
permission_create(app+".legacy_skipped_uris", additional_urls=skipped_urls,
auth_header=False, label='Legacy permission - skipped_urls for app : ' + app,
show_tile=False, allowed='visitors', protected=True, sync_perm=False)
if unprotected_urls != []:
permission_create(app+".legacy_unprotected_uris", additional_urls=unprotected_urls,
auth_header=True, label='Legacy permission - unprotected_uris for app : ' + app,
show_tile=False, allowed='visitors', protected=True, sync_perm=False)
if protected_urls != []:
permission_create(app+".legacy_protected_uris", additional_urls=protected_urls,
auth_header=True, label='Legacy permission - protected_uris for app : ' + app,
show_tile=False, allowed=permission_list()['permissions']['allowed'],
protected=True, sync_perm=False)
app_setting(app, 'skipped_uris', delete=True)
app_setting(app, 'unprotected_uris', delete=True)
app_setting(app, 'protected_uris', delete=True)
permission_sync_to_user()
def run(self):
# FIXME : what do we really want to do here ...
@ -100,7 +144,8 @@ class MyMigration(Migration):
# Update LDAP database
self.add_new_ldap_attributes()
app_ssowatconf()
# Migrate old settings
self.migrate_skipped_unprotected_protected_uris()
except Exception as e:
logger.warn(m18n.n("migration_0011_migration_failed_trying_to_rollback"))