diff --git a/data/helpers.d/setting b/data/helpers.d/setting index abf6ab3d4..7edeed588 100644 --- a/data/helpers.d/setting +++ b/data/helpers.d/setting @@ -1,5 +1,7 @@ #!/bin/bash +migrate_to_permission_deprecitated_warning="/!\\ Packagers! This app is still using the skipped/protected/unprotected_uris/regex settings which are now obsolete and deprecated... Instead, you should use the new helpers 'ynh_permission_{create,urls,update,delete}' and the 'visitors' group to initialize the public/private access. Check out the documentation at the bottom of yunohost.org/groups_and_permissions to learn how to use the new permission mechanism.\n" + # Get an application setting # # usage: ynh_app_setting_get --app=app --key=key @@ -66,7 +68,7 @@ ynh_app_setting_delete() { # ynh_app_setting() { - if [[ "$1" == "delete" ]] && [[ "$3" =~ ^(unprotected|skipped)_ ]] + if [[ "$1" == "delete" ]] && [[ "$3" =~ ^(unprotected|skipped)_ ]] then current_value=$(ynh_app_setting_get --app=$app --key=$3) fi @@ -89,8 +91,6 @@ else: elif action == "set": if key in ['redirected_urls', 'redirected_regex']: value = yaml.load(value) - if any(key.startswith(word+"_") for word in ["unprotected", "protected", "skipped"]): - sys.stderr.write("/!\\ Packagers! This app is still using the skipped/protected/unprotected_uris/regex settings which are now obsolete and deprecated... Instead, you should use the new helpers 'ynh_permission_{create,urls,update,delete}' and the 'visitors' group to initialize the public/private access. Check out the documentation at the bottom of yunohost.org/groups_and_permissions to learn how to use the new permission mechanism.\n") settings[key] = value else: raise ValueError("action should either be get, set or delete") 
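Review bot: The new global `migrate_to_permission_deprecitated_warning` misspells "deprecated", and no visible hunk references it, while the `sys.stderr.write` of the same message is removed from the `set` path further down in this file. If the variable is not used elsewhere in the file, packagers who still set `skipped_/unprotected_/protected_` keys get no deprecation signal, even though those keys no longer feed the SSO configuration after this commit. Consider renaming it to `migrate_to_permission_deprecated_warning` and emitting it from `ynh_app_setting` for the legacy keys, for example `echo -e "$migrate_to_permission_deprecated_warning" >&2`. A short comment above the variable saying where it is printed would also help.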
@@ -102,12 +102,23 @@ EOF # We need this because app temporarily set the app as unprotected to configure it with curl... if [[ "$3" =~ ^(unprotected|skipped)_ ]] then - if [[ "$1" == "set" ]] && [[ "${4:-}" == "/" ]] + if [[ "$1" == "delete" ]] then - ynh_permission_update --permission "main" --add "visitors" - elif [[ "$1" == "delete" ]] && [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]] - then - ynh_permission_update --permission "main" --remove "visitors" + if [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]] + then + ynh_permission_update --permission "main" --remove "visitors" + else + if [ "$3" == "skipped_uris" ] && ynh_permission_exists --permission legacy_skipped_uris + then + ynh_permission_delete --permission legacy_skipped_uris + elif [ "$3" == "unprotected_uris" ] && ynh_permission_exists --permission legacy_unprotected_uris + then + ynh_permission_delete --permission legacy_unprotected_uris + elif [ "$3" == "protected_uris" ] && ynh_permission_exists --permission legacy_protected_uris + then + ynh_permission_delete --permission legacy_protected_uris + fi + fi fi fi } @@ -253,7 +264,7 @@ ynh_permission_create() { protected=",protected=False" fi fi - + yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('$app.$permission' $url $additional_urls $auth_header $allowed $label $show_tile $protected , sync_perm=False)" } 
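Review bot: The `elif [ "$3" == "protected_uris" ]` branch cannot run, because the whole block sits inside `if [[ "$3" =~ ^(unprotected|skipped)_ ]]` and `protected_uris` does not match that pattern, so `legacy_protected_uris` is never deleted along with its setting. Widening the guard to `^(unprotected|skipped|protected)_` makes the branch reachable; check that the branch removing `visitors` from `main` still applies only to the keys it was written for. The removed `set` branch also means that writing one of these keys no longer changes any permission. If an app sets `protected_uris` to restrict a path, that restriction is silently not applied, which deserves at least a comment or a warning. Deleting `skipped_regex` or `unprotected_regex` matches none of the three comparisons, so a legacy permission built partly from regexes is left as is. `ynh_app_setting` starts before this hunk.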
@@ -294,7 +305,7 @@ ynh_permission_exists() { # Redefine the url associated to a permission # -# usage: ynh_permission_url --permission "permission" [--url "url"] [--add_url "new-url" [ "other-new-url" ]] [--remove_url "old-url" [ "other-old-url"]] +# usage: ynh_permission_url --permission "permission" [--url "url"] [--add_url "new-url" [ "other-new-url" ]] [--remove_url "old-url" [ "other-old-url"]] # [--auth_header true|false][--clear_urls] # | arg: permission - the name for the permission (by default a permission named "main" is removed automatically when the app is removed) # | arg: url - (optional) URL for which access will be allowed/forbidden. diff --git a/src/yunohost/app.py b/src/yunohost/app.py index 038040524..9db9c9918 100644 --- a/src/yunohost/app.py +++ b/src/yunohost/app.py 
@@ -1245,98 +1245,6 @@ def app_ssowatconf(): app_settings = read_yaml(APPS_SETTING_PATH + app + '/settings.yml') - ## BEGIN Legacy part ## - - if 'domain' not in app_settings: - continue - if 'path' not in app_settings: - continue - - # This 'no_sso' settings sound redundant to not having $path defined .... - # At least from what I can see, all apps using it don't have a path defined ... - if 'no_sso' in app_settings: - continue - - domain = app_settings['domain'] - path = app_settings['path'].rstrip('/') - - def _sanitized_absolute_url(perm_url): - # Nominal case : url is relative to the app's path - if perm_url.startswith("/"): - perm_domain = domain - perm_path = path + perm_url.rstrip("/") - # Otherwise, the urls starts with a domain name, like domain.tld/foo/bar - # We want perm_domain = domain.tld and perm_path = "/foo/bar" - else: - perm_domain, perm_path = perm_url.split("/", 1) - perm_path = "/" + perm_path.rstrip("/") - - perm_path = perm_path if perm_path.strip() != "" else "/" - - return perm_domain + perm_path - - # Skipped - skipped_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'skipped_uris')] - skipped_urls += ['re:' + regex for regex in _get_setting(app_settings, 'skipped_regex')] - - # Legacy permission system using (un)protected_uris and _regex managed in app settings... - unprotected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'unprotected_uris')] - protected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'protected_uris')] - unprotected_urls += ['re:' + regex for regex in _get_setting(app_settings, 'unprotected_regex')] - protected_urls += ['re:' + regex for regex in _get_setting(app_settings, 'protected_regex')] - - if skipped_urls == [] and unprotected_urls == [] and protected_urls == []: - continue - - # Manage compatibility with old protected, unprotected, skipped urls !! 
- this_app_perms = {name: info for name, info in all_permissions.items() if name.startswith(app + ".")} - for perm_name, perm_info in this_app_perms.items(): - - # Ignore permissions for which there's no url defined - if not perm_info["url"]: - continue - - url = _sanitized_absolute_url(perm_info["url"]) - perm_info["url"] = url - if "visitors" in perm_info["allowed"]: - # Legacy stuff : we remove now protected-urls that might have been declared as unprotected earlier... - protected_urls = [u for u in protected_urls if u != url] - else: - # Legacy stuff : we remove now unprotected-urls / skipped-urls that might have been declared as protected earlier... - unprotected_urls = [u for u in unprotected_urls if u != url] - skipped_urls = [u for u in skipped_urls if u != url] - - # Create special permission for legacy apps - if skipped_urls != []: - permissions[app + ".legacy_skipped_urls"] = { - "users": [], - "label": "Legacy permission - skipped_urls for app :" + app, - "show_tile": False, - "auth_header": False, - "public": True, - "uris": skipped_urls - } - if unprotected_urls != []: - permissions[app + ".legacy_unprotected_urls"] = { - "users": all_permissions[app + '.main']['corresponding_users'], - "label": "Legacy permission - unprotected_urls for app :" + app, - "show_tile": False, - "auth_header": True, - "public": True, - "uris": unprotected_urls - } - if protected_urls != []: - permissions[app + ".legacy_protected_urls"] = { - "users": all_permissions[app + '.main']['corresponding_users'], - "label": "Legacy permission - protected_urls for app :" + app, - "show_tile": False, - "auth_header": True, - "public": False, - "uris": protected_urls - } - - ## END Legacy part ## - # Redirected redirected_urls.update(app_settings.get('redirected_urls', {})) redirected_regex.update(app_settings.get('redirected_regex', {})) diff --git a/src/yunohost/backup.py b/src/yunohost/backup.py index 3530718d2..5018d627e 100644 --- a/src/yunohost/backup.py 
+++ b/src/yunohost/backup.py @@ -1292,6 +1292,7 @@ class RestoreManager(): restore_app_failed -- Raised if the restore bash script failed """ from yunohost.user import user_group_list + from yunohost.app import app_setting from yunohost.permission import permission_create, permission_delete, user_permission_list, permission_sync_to_user def copytree(src, dst, symlinks=False, ignore=None): @@ -1388,6 +1389,14 @@ class RestoreManager(): setup_group_permission = _get_migration_by_name("setup_group_permission") setup_group_permission.migrate_app_permission(app=app_instance_name) + # Migrate old settings + if app_setting(app, 'skipped_uris') is not None or \ + app_setting(app, 'unprotected_uris') is not None or \ + app_setting(app, 'protected_uris') is not None: + from yunohost.tools import _get_migration_by_name + extends_permissions_features_1 = _get_migration_by_name("extends_permissions_features_1") + extends_permissions_features_1.migrate_skipped_unprotected_protected_uris(app=app_instance_name) + # Prepare env. var. to pass to script env_dict = self._get_env_var(app_instance_name) diff --git a/src/yunohost/data_migrations/0015_extends_permissions_features_1.py b/src/yunohost/data_migrations/0015_extends_permissions_features_1.py index 9bbe8baeb..69511761d 100644 --- a/src/yunohost/data_migrations/0015_extends_permissions_features_1.py +++ b/src/yunohost/data_migrations/0015_extends_permissions_features_1.py 
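Review bot: The new condition calls `app_setting(app, 'skipped_uris')`, but every other call around it uses `app_instance_name` and no `app` variable is visible in this hunk. If none exists in the enclosing method, restore fails with a NameError; if one does exist, it may name a different app. Use `app_setting(app_instance_name, ...)` in all three checks. The condition also ignores `skipped_regex`, `unprotected_regex` and `protected_regex`, so an archive carrying only regex settings would skip the migration, and this commit removes the legacy handling in `app_ssowatconf` that used to apply those rules. The enclosing method starts and ends outside the hunk.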
@@ -76,6 +76,50 @@ class MyMigration(Migration): }) + def migrate_skipped_unprotected_protected_uris(self, app=None): + logger.info(m18n.n("migration_0015_migrate_old_app_settings")) + apps = _installed_apps() + + if app: + if app not in apps: + logger.error("Can't migrate permission for app %s because it ain't installed..." % app) + apps = [] + else: + apps = [app] + + def _get_setting(app, name): + s = app_setting(app, name) + return s.split(',') if s else [] + + for app in apps: + skipped_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'skipped_uris')] + skipped_urls += ['re:' + regex for regex in app_setting(app, 'skipped_regex')] + unprotected_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'unprotected_uris')] + unprotected_urls += ['re:' + regex for regex in app_setting(app, 'unprotected_regex')] + protected_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'protected_uris')] + protected_urls += ['re:' + regex for regex in app_setting(app, 'protected_regex')] + + if skipped_urls != []: + permission_create(app+".legacy_skipped_uris", additional_urls=skipped_urls, + auth_header=False, label='Legacy permission - skipped_urls for app : ' + app, + show_tile=False, allowed='visitors', protected=True, sync_perm=False) + if unprotected_urls != []: + permission_create(app+".legacy_unprotected_uris", additional_urls=unprotected_urls, + auth_header=True, label='Legacy permission - unprotected_uris for app : ' + app, + show_tile=False, allowed='visitors', protected=True, sync_perm=False) + if protected_urls != []: + permission_create(app+".legacy_protected_uris", additional_urls=protected_urls, + auth_header=True, label='Legacy permission - protected_uris for app : ' + app, + show_tile=False, allowed=permission_list()['permissions']['allowed'], + protected=True, sync_perm=False) + + app_setting(app, 'skipped_uris', delete=True) + app_setting(app, 'unprotected_uris', delete=True) + app_setting(app, 'protected_uris', 
delete=True) + + permission_sync_to_user() + + def run(self): # FIXME : what do we really want to do here ... @@ -100,7 +144,8 @@ class MyMigration(Migration): # Update LDAP database self.add_new_ldap_attributes() - app_ssowatconf() + # Migrate old settings + self.migrate_skipped_unprotected_protected_uris() except Exception as e: logger.warn(m18n.n("migration_0011_migration_failed_trying_to_rollback"))
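Review bot: In `migrate_skipped_unprotected_protected_uris` the URL lists iterate `app_setting(app, ...)` directly, and the `_get_setting` helper defined just above is never called. That helper splits on commas and returns `[]` for a missing value, so without it a missing setting raises TypeError and a stored string is iterated character by character. `_sanitized_absolute_url` is not defined in this hunk and its nested definition in `app_ssowatconf` is deleted by this commit, so unless the file provides it elsewhere this is a NameError; the old version also depended on the app's `domain` and `path`. `allowed=permission_list()['permissions']['allowed']` appears to be missing the permission name (the removed code read the `app + '.main'` entry), and this value decides who can reach the protected URLs, so please confirm it. Only the `*_uris` settings are deleted afterwards, not the `*_regex` ones that were migrated into the same permissions.

```python
        for app in apps:
            # Read through _get_setting: a missing value yields [] and a stored
            # value is split on commas rather than iterated per character.
            skipped_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app, 'skipped_uris')]
            skipped_urls += ['re:' + regex for regex in _get_setting(app, 'skipped_regex')]
            unprotected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app, 'unprotected_uris')]
            unprotected_urls += ['re:' + regex for regex in _get_setting(app, 'unprotected_regex')]
            protected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app, 'protected_uris')]
            protected_urls += ['re:' + regex for regex in _get_setting(app, 'protected_regex')]
            # … unchanged: permission_create calls and deletion of the legacy settings …
```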