mirror of
https://github.com/YunoHost/yunohost.git
synced 2024-09-03 20:06:10 +02:00
Migrate old skipped,unprotected,protected_uris and create permission instead
parent
03bc568276
commit
fe5ca24222
4 changed files with 76 additions and 103 deletions
|
@ -1,5 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
migrate_to_permission_deprecitated_warning="/!\\ Packagers! This app is still using the skipped/protected/unprotected_uris/regex settings which are now obsolete and deprecated... Instead, you should use the new helpers 'ynh_permission_{create,urls,update,delete}' and the 'visitors' group to initialize the public/private access. Check out the documentation at the bottom of yunohost.org/groups_and_permissions to learn how to use the new permission mechanism.\n"
|
||||||
|
|
||||||
# Get an application setting
|
# Get an application setting
|
||||||
#
|
#
|
||||||
# usage: ynh_app_setting_get --app=app --key=key
|
# usage: ynh_app_setting_get --app=app --key=key
|
||||||
|
@ -89,8 +91,6 @@ else:
|
||||||
elif action == "set":
|
elif action == "set":
|
||||||
if key in ['redirected_urls', 'redirected_regex']:
|
if key in ['redirected_urls', 'redirected_regex']:
|
||||||
value = yaml.load(value)
|
value = yaml.load(value)
|
||||||
if any(key.startswith(word+"_") for word in ["unprotected", "protected", "skipped"]):
|
|
||||||
sys.stderr.write("/!\\ Packagers! This app is still using the skipped/protected/unprotected_uris/regex settings which are now obsolete and deprecated... Instead, you should use the new helpers 'ynh_permission_{create,urls,update,delete}' and the 'visitors' group to initialize the public/private access. Check out the documentation at the bottom of yunohost.org/groups_and_permissions to learn how to use the new permission mechanism.\n")
|
|
||||||
settings[key] = value
|
settings[key] = value
|
||||||
else:
|
else:
|
||||||
raise ValueError("action should either be get, set or delete")
|
raise ValueError("action should either be get, set or delete")
|
||||||
|
@ -102,12 +102,23 @@ EOF
|
||||||
# We need this because app temporarily set the app as unprotected to configure it with curl...
|
# We need this because app temporarily set the app as unprotected to configure it with curl...
|
||||||
if [[ "$3" =~ ^(unprotected|skipped)_ ]]
|
if [[ "$3" =~ ^(unprotected|skipped)_ ]]
|
||||||
then
|
then
|
||||||
if [[ "$1" == "set" ]] && [[ "${4:-}" == "/" ]]
|
if [[ "$1" == "delete" ]]
|
||||||
then
|
then
|
||||||
ynh_permission_update --permission "main" --add "visitors"
|
if [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]]
|
||||||
elif [[ "$1" == "delete" ]] && [[ "${current_value:-}" == "/" ]] && [[ -n "$(ynh_app_setting_get --app=$2 --key='is_public' )" ]]
|
|
||||||
then
|
then
|
||||||
ynh_permission_update --permission "main" --remove "visitors"
|
ynh_permission_update --permission "main" --remove "visitors"
|
||||||
|
else
|
||||||
|
if [ "$3" == "skipped_uris" ] && ynh_permission_exists --permission legacy_skipped_uris
|
||||||
|
then
|
||||||
|
ynh_permission_delete --permission legacy_skipped_uris
|
||||||
|
elif [ "$3" == "unprotected_uris" ] && ynh_permission_exists --permission legacy_unprotected_uris
|
||||||
|
then
|
||||||
|
ynh_permission_delete --permission legacy_unprotected_uris
|
||||||
|
elif [ "$3" == "protected_uris" ] && ynh_permission_exists --permission legacy_protected_uris
|
||||||
|
then
|
||||||
|
ynh_permission_delete --permission legacy_protected_uris
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
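Review bot: The `elif [ "$3" == "protected_uris" ] && ynh_permission_exists --permission legacy_protected_uris` branch cannot run, because it sits inside `if [[ "$3" =~ ^(unprotected|skipped)_ ]]`, which never matches `protected_uris`; the `legacy_protected_uris` permission is therefore left behind when a package deletes that setting. Move the three `legacy_*` deletions out of that guard and keep the `visitors` removal inside it; widening the regex instead would make a `protected_uris` delete also remove `visitors` from `main`. The `is_public` lookup passes `--app=$2` unquoted and should read `--app="$2"`. The variable added in the first hunk is spelled `migrate_to_permission_deprecitated_warning` and is not referenced in the visible hunks, while the Python-side warning it replaces was removed, so packagers may no longer see the deprecation notice. The enclosing function starts outside the hunk.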
|
@ -1245,98 +1245,6 @@ def app_ssowatconf():
|
||||||
|
|
||||||
app_settings = read_yaml(APPS_SETTING_PATH + app + '/settings.yml')
|
app_settings = read_yaml(APPS_SETTING_PATH + app + '/settings.yml')
|
||||||
|
|
||||||
## BEGIN Legacy part ##
|
|
||||||
|
|
||||||
if 'domain' not in app_settings:
|
|
||||||
continue
|
|
||||||
if 'path' not in app_settings:
|
|
||||||
continue
|
|
||||||
|
|
||||||
# This 'no_sso' settings sound redundant to not having $path defined ....
|
|
||||||
# At least from what I can see, all apps using it don't have a path defined ...
|
|
||||||
if 'no_sso' in app_settings:
|
|
||||||
continue
|
|
||||||
|
|
||||||
domain = app_settings['domain']
|
|
||||||
path = app_settings['path'].rstrip('/')
|
|
||||||
|
|
||||||
def _sanitized_absolute_url(perm_url):
|
|
||||||
# Nominal case : url is relative to the app's path
|
|
||||||
if perm_url.startswith("/"):
|
|
||||||
perm_domain = domain
|
|
||||||
perm_path = path + perm_url.rstrip("/")
|
|
||||||
# Otherwise, the urls starts with a domain name, like domain.tld/foo/bar
|
|
||||||
# We want perm_domain = domain.tld and perm_path = "/foo/bar"
|
|
||||||
else:
|
|
||||||
perm_domain, perm_path = perm_url.split("/", 1)
|
|
||||||
perm_path = "/" + perm_path.rstrip("/")
|
|
||||||
|
|
||||||
perm_path = perm_path if perm_path.strip() != "" else "/"
|
|
||||||
|
|
||||||
return perm_domain + perm_path
|
|
||||||
|
|
||||||
# Skipped
|
|
||||||
skipped_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'skipped_uris')]
|
|
||||||
skipped_urls += ['re:' + regex for regex in _get_setting(app_settings, 'skipped_regex')]
|
|
||||||
|
|
||||||
# Legacy permission system using (un)protected_uris and _regex managed in app settings...
|
|
||||||
unprotected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'unprotected_uris')]
|
|
||||||
protected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app_settings, 'protected_uris')]
|
|
||||||
unprotected_urls += ['re:' + regex for regex in _get_setting(app_settings, 'unprotected_regex')]
|
|
||||||
protected_urls += ['re:' + regex for regex in _get_setting(app_settings, 'protected_regex')]
|
|
||||||
|
|
||||||
if skipped_urls == [] and unprotected_urls == [] and protected_urls == []:
|
|
||||||
continue
|
|
||||||
|
|
||||||
# Manage compatibility with old protected, unprotected, skipped urls !!
|
|
||||||
this_app_perms = {name: info for name, info in all_permissions.items() if name.startswith(app + ".")}
|
|
||||||
for perm_name, perm_info in this_app_perms.items():
|
|
||||||
|
|
||||||
# Ignore permissions for which there's no url defined
|
|
||||||
if not perm_info["url"]:
|
|
||||||
continue
|
|
||||||
|
|
||||||
url = _sanitized_absolute_url(perm_info["url"])
|
|
||||||
perm_info["url"] = url
|
|
||||||
if "visitors" in perm_info["allowed"]:
|
|
||||||
# Legacy stuff : we remove now protected-urls that might have been declared as unprotected earlier...
|
|
||||||
protected_urls = [u for u in protected_urls if u != url]
|
|
||||||
else:
|
|
||||||
# Legacy stuff : we remove now unprotected-urls / skipped-urls that might have been declared as protected earlier...
|
|
||||||
unprotected_urls = [u for u in unprotected_urls if u != url]
|
|
||||||
skipped_urls = [u for u in skipped_urls if u != url]
|
|
||||||
|
|
||||||
# Create special permission for legacy apps
|
|
||||||
if skipped_urls != []:
|
|
||||||
permissions[app + ".legacy_skipped_urls"] = {
|
|
||||||
"users": [],
|
|
||||||
"label": "Legacy permission - skipped_urls for app :" + app,
|
|
||||||
"show_tile": False,
|
|
||||||
"auth_header": False,
|
|
||||||
"public": True,
|
|
||||||
"uris": skipped_urls
|
|
||||||
}
|
|
||||||
if unprotected_urls != []:
|
|
||||||
permissions[app + ".legacy_unprotected_urls"] = {
|
|
||||||
"users": all_permissions[app + '.main']['corresponding_users'],
|
|
||||||
"label": "Legacy permission - unprotected_urls for app :" + app,
|
|
||||||
"show_tile": False,
|
|
||||||
"auth_header": True,
|
|
||||||
"public": True,
|
|
||||||
"uris": unprotected_urls
|
|
||||||
}
|
|
||||||
if protected_urls != []:
|
|
||||||
permissions[app + ".legacy_protected_urls"] = {
|
|
||||||
"users": all_permissions[app + '.main']['corresponding_users'],
|
|
||||||
"label": "Legacy permission - protected_urls for app :" + app,
|
|
||||||
"show_tile": False,
|
|
||||||
"auth_header": True,
|
|
||||||
"public": False,
|
|
||||||
"uris": protected_urls
|
|
||||||
}
|
|
||||||
|
|
||||||
## END Legacy part ##
|
|
||||||
|
|
||||||
# Redirected
|
# Redirected
|
||||||
redirected_urls.update(app_settings.get('redirected_urls', {}))
|
redirected_urls.update(app_settings.get('redirected_urls', {}))
|
||||||
redirected_regex.update(app_settings.get('redirected_regex', {}))
|
redirected_regex.update(app_settings.get('redirected_regex', {}))
|
||||||
|
|
|
@ -1292,6 +1292,7 @@ class RestoreManager():
|
||||||
restore_app_failed -- Raised if the restore bash script failed
|
restore_app_failed -- Raised if the restore bash script failed
|
||||||
"""
|
"""
|
||||||
from yunohost.user import user_group_list
|
from yunohost.user import user_group_list
|
||||||
|
from yunohost.app import app_setting
|
||||||
from yunohost.permission import permission_create, permission_delete, user_permission_list, permission_sync_to_user
|
from yunohost.permission import permission_create, permission_delete, user_permission_list, permission_sync_to_user
|
||||||
|
|
||||||
def copytree(src, dst, symlinks=False, ignore=None):
|
def copytree(src, dst, symlinks=False, ignore=None):
|
||||||
|
@ -1388,6 +1389,14 @@ class RestoreManager():
|
||||||
setup_group_permission = _get_migration_by_name("setup_group_permission")
|
setup_group_permission = _get_migration_by_name("setup_group_permission")
|
||||||
setup_group_permission.migrate_app_permission(app=app_instance_name)
|
setup_group_permission.migrate_app_permission(app=app_instance_name)
|
||||||
|
|
||||||
|
# Migrate old settings
|
||||||
|
if app_setting(app, 'skipped_uris') is not None or \
|
||||||
|
app_setting(app, 'unprotected_uris') is not None or \
|
||||||
|
app_setting(app, 'protected_uris') is not None:
|
||||||
|
from yunohost.tools import _get_migration_by_name
|
||||||
|
extends_permissions_features_1 = _get_migration_by_name("extends_permissions_features_1")
|
||||||
|
extends_permissions_features_1.migrate_skipped_unprotected_protected_uris(app=app_instance_name)
|
||||||
|
|
||||||
# Prepare env. var. to pass to script
|
# Prepare env. var. to pass to script
|
||||||
env_dict = self._get_env_var(app_instance_name)
|
env_dict = self._get_env_var(app_instance_name)
|
||||||
|
|
||||||
|
|
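Review bot: The new condition calls `app_setting(app, 'skipped_uris')` with `app`, while every other call in this hunk passes `app_instance_name`; unless `app` is bound to the same instance name earlier in the method (not visible here), this either raises `NameError` or reads the settings of a different app. All three lines should use the same name, e.g. `if app_setting(app_instance_name, 'skipped_uris') is not None or \`. The condition also ignores `skipped_regex`, `unprotected_regex` and `protected_regex`, so a restored app that only carries regex settings skips the migration; since the legacy handling was removed from `app_ssowatconf` in this commit, its `protected_regex` rules would presumably no longer be enforced. The inner `from yunohost.tools import _get_migration_by_name` repeats a name that is already used two statements above and can be dropped.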
|
@ -76,6 +76,50 @@ class MyMigration(Migration):
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
||||||
|
def migrate_skipped_unprotected_protected_uris(self, app=None):
|
||||||
|
logger.info(m18n.n("migration_0015_migrate_old_app_settings"))
|
||||||
|
apps = _installed_apps()
|
||||||
|
|
||||||
|
if app:
|
||||||
|
if app not in apps:
|
||||||
|
logger.error("Can't migrate permission for app %s because it ain't installed..." % app)
|
||||||
|
apps = []
|
||||||
|
else:
|
||||||
|
apps = [app]
|
||||||
|
|
||||||
|
def _get_setting(app, name):
|
||||||
|
s = app_setting(app, name)
|
||||||
|
return s.split(',') if s else []
|
||||||
|
|
||||||
|
for app in apps:
|
||||||
|
skipped_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'skipped_uris')]
|
||||||
|
skipped_urls += ['re:' + regex for regex in app_setting(app, 'skipped_regex')]
|
||||||
|
unprotected_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'unprotected_uris')]
|
||||||
|
unprotected_urls += ['re:' + regex for regex in app_setting(app, 'unprotected_regex')]
|
||||||
|
protected_urls = [_sanitized_absolute_url(uri) for uri in app_setting(app, 'protected_uris')]
|
||||||
|
protected_urls += ['re:' + regex for regex in app_setting(app, 'protected_regex')]
|
||||||
|
|
||||||
|
if skipped_urls != []:
|
||||||
|
permission_create(app+".legacy_skipped_uris", additional_urls=skipped_urls,
|
||||||
|
auth_header=False, label='Legacy permission - skipped_urls for app : ' + app,
|
||||||
|
show_tile=False, allowed='visitors', protected=True, sync_perm=False)
|
||||||
|
if unprotected_urls != []:
|
||||||
|
permission_create(app+".legacy_unprotected_uris", additional_urls=unprotected_urls,
|
||||||
|
auth_header=True, label='Legacy permission - unprotected_uris for app : ' + app,
|
||||||
|
show_tile=False, allowed='visitors', protected=True, sync_perm=False)
|
||||||
|
if protected_urls != []:
|
||||||
|
permission_create(app+".legacy_protected_uris", additional_urls=protected_urls,
|
||||||
|
auth_header=True, label='Legacy permission - protected_uris for app : ' + app,
|
||||||
|
show_tile=False, allowed=permission_list()['permissions']['allowed'],
|
||||||
|
protected=True, sync_perm=False)
|
||||||
|
|
||||||
|
app_setting(app, 'skipped_uris', delete=True)
|
||||||
|
app_setting(app, 'unprotected_uris', delete=True)
|
||||||
|
app_setting(app, 'protected_uris', delete=True)
|
||||||
|
|
||||||
|
permission_sync_to_user()
|
||||||
|
|
||||||
|
|
||||||
def run(self):
|
def run(self):
|
||||||
|
|
||||||
# FIXME : what do we really want to do here ...
|
# FIXME : what do we really want to do here ...
|
||||||
|
@ -100,7 +144,8 @@ class MyMigration(Migration):
|
||||||
# Update LDAP database
|
# Update LDAP database
|
||||||
self.add_new_ldap_attributes()
|
self.add_new_ldap_attributes()
|
||||||
|
|
||||||
app_ssowatconf()
|
# Migrate old settings
|
||||||
|
self.migrate_skipped_unprotected_protected_uris()
|
||||||
|
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logger.warn(m18n.n("migration_0011_migration_failed_trying_to_rollback"))
|
logger.warn(m18n.n("migration_0011_migration_failed_trying_to_rollback"))
|
||||||
|
|
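Review bot: In `migrate_skipped_unprotected_protected_uris`, the `for app in apps:` loop iterates over the raw return value of `app_setting(app, ...)`, and the `_get_setting` helper defined just above it is never called. If a setting is a comma-separated string, as the helper's `s.split(',')` suggests, each character is handled as its own URI, so a single `/` would presumably end up in `legacy_skipped_uris` or `legacy_unprotected_uris` with `allowed='visitors'` and open the whole app to visitors; if the setting is unset, iterating `None` raises `TypeError`. The six comprehensions should go through `_get_setting`, as in the fence below. `_sanitized_absolute_url` and `permission_list` are neither defined nor imported in the visible hunk (the former was a closure inside `app_ssowatconf` that this commit deletes), and `permission_list()['permissions']['allowed']` does not select a specific permission, so the `allowed` value for `legacy_protected_uris` needs checking. Only the `_uris` keys are deleted after migration; the `_regex` keys stay in the settings.

```python
        for app in apps:
            skipped_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app, 'skipped_uris')]
            skipped_urls += ['re:' + regex for regex in _get_setting(app, 'skipped_regex')]
            unprotected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app, 'unprotected_uris')]
            unprotected_urls += ['re:' + regex for regex in _get_setting(app, 'unprotected_regex')]
            protected_urls = [_sanitized_absolute_url(uri) for uri in _get_setting(app, 'protected_uris')]
            protected_urls += ['re:' + regex for regex in _get_setting(app, 'protected_regex')]
            # … unchanged: permission_create calls and app_setting(..., delete=True) cleanup …
```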