WIP: app/permissions: Move permissions data out of LDAP #1917

12 changes: 0 additions & 12 deletions conf/slapd/db_init.ldif
Original file line number Diff line number Diff line change
Expand Up @@ -68,28 +68,16 @@ groupPermission: cn=all_users,ou=groups,dc=yunohost,dc=org
cn: mail.main
objectClass: posixGroup
objectClass: permissionYnh
isProtected: TRUE
label: E-mail
gidNumber: 5001
showTile: FALSE
authHeader: FALSE

dn: cn=ssh.main,ou=permission,dc=yunohost,dc=org
cn: ssh.main
objectClass: posixGroup
objectClass: permissionYnh
isProtected: TRUE
label: SSH
gidNumber: 5003
showTile: FALSE
authHeader: FALSE

dn: cn=sftp.main,ou=permission,dc=yunohost,dc=org
cn: sftp.main
objectClass: posixGroup
objectClass: permissionYnh
isProtected: TRUE
label: SFTP
gidNumber: 5004
showTile: FALSE
authHeader: FALSE
16 changes: 8 additions & 8 deletions conf/slapd/permission.ldif
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,22 @@ olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
DESC 'YunoHost permission for user on permission side'
SUP distinguishedName )
olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.4 NAME 'URL'
DESC 'YunoHost permission main URL'
DESC 'YunoHost permission main URL' OBSOLETE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.5 NAME 'additionalUrls'
DESC 'YunoHost permission additionnal URL'
DESC 'YunoHost permission additionnal URL' OBSOLETE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.6 NAME 'authHeader'
DESC 'YunoHost application, enable authentication header'
DESC 'YunoHost application, enable authentication header' OBSOLETE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.7 NAME 'label'
DESC 'YunoHost permission label, also used for the tile name in the SSO'
DESC 'YunoHost permission label, also used for the tile name in the SSO' OBSOLETE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.8 NAME 'showTile'
DESC 'YunoHost application, show/hide the tile in the SSO for this permission'
DESC 'YunoHost application, show/hide the tile in the SSO for this permission' OBSOLETE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.9 NAME 'isProtected'
DESC 'YunoHost application permission protection'
DESC 'YunoHost application permission protection' OBSOLETE
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
# OBJECTCLASS
# For Applications
Expand All @@ -41,8 +41,8 @@ olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
DESC 'a YunoHost application'
SUP top AUXILIARY
MUST ( cn $ authHeader $ label $ showTile $ isProtected )
MAY ( groupPermission $ inheritPermission $ URL $ additionalUrls ) )
MUST ( cn )
MAY ( groupPermission $ inheritPermission $ URL $ additionalUrls $ authHeader $ label $ showTile $ isProtected ) )
# For User
olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
DESC 'a YunoHost application'
Expand Down
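Review bot: Moving `isProtected` from MUST to MAY in `permissionYnh` (the rewritten MUST/MAY lines near the end of this section) means entries may now exist without the flag that, per the helper docs elsewhere in this PR, stops an admin from adding or removing the visitors group on a protected permission; any code path that still reads `isProtected`, `authHeader` or `URL` from LDAP will see them as absent and, if it treats absence as false, will silently downgrade a protected permission to unprotected. Marking the attributes OBSOLETE is the right schema step, but the PR should say where the authoritative `protected` value now lives and ship a migration that copies existing LDAP values there before they stop being read; no such migration is visible in this diff. A short comment above the object class would help future readers, e.g. `# URL/additionalUrls/authHeader/label/showTile/isProtected are kept only so existing entries stay valid; the authoritative values are now stored outside LDAP`.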
32 changes: 8 additions & 24 deletions helpers/helpers.v1.d/permission
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
# Create a new permission for the app
#
# Example 1: `ynh_permission_create --permission=admin --url=/admin --additional_urls=domain.tld/admin /superadmin --allowed=alice bob \
# --label="My app admin" --show_tile=true`
# --show_tile=true`
#
# This example will create a new permission permission with this following effect:
# - A tile named "My app admin" in the SSO will be available for the users alice and bob. This tile will point to the relative url '/admin'.
Expand All @@ -31,7 +31,7 @@
# Example 2:
#
# ynh_permission_create --permission=api --url=domain.tld/api --auth_header=false --allowed=visitors \
# --label="MyApp API" --protected=true
# --protected=true
#
# This example will create a new protected permission. So the admin won't be able to add/remove the visitors group of this permission.
# In case of an API with need to be always public it avoid that the admin break anything.
Expand All @@ -43,14 +43,13 @@
#
#
# usage: ynh_permission_create --permission="permission" [--url="url"] [--additional_urls="second-url" [ "third-url" ]] [--auth_header=true|false]
# [--allowed=group1 [ group2 ]] [--label="label"] [--show_tile=true|false]
# [--allowed=group1 [ group2 ]] [--show_tile=true|false]
# [--protected=true|false]
# | arg: -p, --permission= - the name for the permission (by default a permission named "main" already exist)
# | arg: -u, --url= - (optional) URL for which access will be allowed/forbidden. Note that if 'show_tile' is enabled, this URL will be the URL of the tile.
# | arg: -A, --additional_urls= - (optional) List of additional URL for which access will be allowed/forbidden
# | arg: -h, --auth_header= - (optional) Define for the URL of this permission, if SSOwat pass the authentication header to the application. Default is true
# | arg: -a, --allowed= - (optional) A list of group/user to allow for the permission
# | arg: -l, --label= - (optional) Define a name for the permission. This label will be shown on the SSO and in the admin. Default is "APP_LABEL (permission name)".
# | arg: -t, --show_tile= - (optional) Define if a tile will be shown in the SSO. If yes the name of the tile will be the 'label' parameter. Defaults to false for the permission different than 'main'.
# | arg: -P, --protected= - (optional) Define if this permission is protected. If it is protected the administrator won't be able to add or remove the visitors group of this permission. Defaults to 'false'.
#
Expand Down Expand Up @@ -84,21 +83,19 @@
ynh_permission_create() {
# Declare an array to define the options of this helper.
local legacy_args=puAhaltP
local -A args_array=([p]=permission= [u]=url= [A]=additional_urls= [h]=auth_header= [a]=allowed= [l]=label= [t]=show_tile= [P]=protected=)
local -A args_array=([p]=permission= [u]=url= [A]=additional_urls= [h]=auth_header= [a]=allowed= [t]=show_tile= [P]=protected=)
local permission
local url
local additional_urls
local auth_header
local allowed
local label
local show_tile
local protected
ynh_handle_getopts_args "$@"
url=${url:-}
additional_urls=${additional_urls:-}
auth_header=${auth_header:-}
allowed=${allowed:-}
label=${label:-}
show_tile=${show_tile:-}
protected=${protected:-}

Expand Down Expand Up @@ -134,12 +131,6 @@ ynh_permission_create() {
allowed=",allowed=['${allowed//;/\',\'}']"
fi

if [[ -n ${label:-} ]]; then
label=",label='$label'"
else
label=",label='$permission'"
fi

if [[ -n ${show_tile:-} ]]; then
if [ $show_tile == "true" ]; then
show_tile=",show_tile=True"
Expand All @@ -156,7 +147,7 @@ ynh_permission_create() {
fi
fi

yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('$app.$permission' $url $additional_urls $auth_header $allowed $label $show_tile $protected)"
yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('$app.$permission' $url $additional_urls $auth_header $allowed $show_tile $protected)"
}

# Remove a permission for the app (note that when the app is removed all permission is automatically removed)
Expand Down Expand Up @@ -266,29 +257,26 @@ ynh_permission_url() {
# Update a permission for the app
#
# usage: ynh_permission_update --permission "permission" [--add="group" ["group" ...]] [--remove="group" ["group" ...]]
# [--label="label"] [--show_tile=true|false] [--protected=true|false]
# [--show_tile=true|false] [--protected=true|false]
# | arg: -p, --permission= - the name for the permission (by default a permission named "main" already exist)
# | arg: -a, --add= - the list of group or users to enable add to the permission
# | arg: -r, --remove= - the list of group or users to remove from the permission
# | arg: -l, --label= - (optional) Define a name for the permission. This label will be shown on the SSO and in the admin.
# | arg: -t, --show_tile= - (optional) Define if a tile will be shown in the SSO
# | arg: -P, --protected= - (optional) Define if this permission is protected. If it is protected the administrator won't be able to add or remove the visitors group of this permission.
#
# Requires YunoHost version 3.7.0 or higher.
ynh_permission_update() {
# Declare an array to define the options of this helper.
local legacy_args=parltP
local -A args_array=([p]=permission= [a]=add= [r]=remove= [l]=label= [t]=show_tile= [P]=protected=)
local -A args_array=([p]=permission= [a]=add= [r]=remove= [t]=show_tile= [P]=protected=)
local permission
local add
local remove
local label
local show_tile
local protected
ynh_handle_getopts_args "$@"
add=${add:-}
remove=${remove:-}
label=${label:-}
show_tile=${show_tile:-}
protected=${protected:-}

Expand All @@ -311,10 +299,6 @@ ynh_permission_update() {
remove=",remove=['${remove//';'/"','"}']"
fi

if [[ -n $label ]]; then
label=",label='$label'"
fi

if [[ -n $show_tile ]]; then
if [ $show_tile == "true" ]; then
show_tile=",show_tile=True"
Expand All @@ -331,7 +315,7 @@ ynh_permission_update() {
fi
fi

yunohost tools shell -c "from yunohost.permission import user_permission_update; user_permission_update('$app.$permission' $add $remove $label $show_tile $protected , force=True)"
yunohost tools shell -c "from yunohost.permission import user_permission_update; user_permission_update('$app.$permission' $add $remove $show_tile $protected , force=True)"
}

# Check if a permission has an user
Expand Down
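Review bot: `local legacy_args=puAhaltP` (the unchanged line just above the rewritten `args_array` in `ynh_permission_create`) and `local legacy_args=parltP` in `ynh_permission_update` still contain the `l` key that this hunk drops from `args_array`, so if `ynh_handle_getopts_args` maps positional arguments through `legacy_args` as its name suggests, positional callers will now be shifted or fail on the missing key; they should become `local legacy_args=puAhatP` and `local legacy_args=partP`. Removing `[l]=label=` outright also turns every existing app script that passes `--label=` into a hard failure at option parsing; keeping the key, ignoring its value and printing a deprecation warning would be the compatible path. The docstring example near the top still promises 'A tile named "My app admin"' although `--label` was removed from the command above it, and the `arg: -t, --show_tile=` line still says the tile name comes from the 'label' parameter. The remaining interpolation of `$url`, `$additional_urls` and `$allowed` into the `yunohost tools shell -c` Python one-liner is unchanged and still relies on app-provided strings containing no quotes.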
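--- a/hooks/conf_regen/06-slapd
+++ b/hooks/conf_regen/06-slapd
@@ -162,7 +162,10 @@
 nscd -i group
 fi
 
-[ -z "$regen_conf_files" ] && exit 0
+if [ -z "$regen_conf_files" ] && [ $FORCE == "false" ]
+then
+exit 0
+fi
 
 # regenerate LDAP config directory from slapd.conf
 echo "Regenerate LDAP config directory from config.ldif"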
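Review bot: `[ $FORCE == "false" ]` in the new `if` leaves `$FORCE` unquoted, so when the variable is unset or empty the test becomes `[ == "false" ]`, `[` reports a unary-operator error, the `&&` chain evaluates false and the hook falls through to the full LDAP config regeneration on every run instead of exiting early; write it as `if [ -z "$regen_conf_files" ] && [ "${FORCE:-false}" == "false" ]`. The `==` operator inside `[` is a bashism, which is fine only if the hook runs under bash (its shebang is not visible here). The script continues past the end of the hunk.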
46 changes: 18 additions & 28 deletions src/app.py
Original file line number Diff line number Diff line change
Expand Up @@ -131,15 +131,11 @@ def app_info(app, full=False, upgradable=False):

setting_path = os.path.join(APPS_SETTING_PATH, app)
local_manifest = _get_manifest_of_app(setting_path)
permissions = user_permission_list(full=True, absolute_urls=True, apps=[app])[
"permissions"
]

settings = _get_app_settings(app)

ret = {
"description": _value_for_locale(local_manifest["description"]),
"name": permissions.get(app + ".main", {}).get("label", local_manifest["name"]),
"name": settings.get("label", local_manifest["name"]),
"version": local_manifest.get("version", "-"),
}

Expand Down Expand Up @@ -247,12 +243,13 @@ def app_info(app, full=False, upgradable=False):
and local_manifest["resources"].get("data_dir") is not None
)

ret["permissions"] = permissions
ret["label"] = permissions.get(app + ".main", {}).get("label")
ret["permissions"] = user_permission_list(full=True, absolute_urls=True, apps=[app])[
"permissions"
]

# FIXME : this is the same stuff as "name" ... maybe we should get rid of "name" ?
ret["label"] = settings.get("label", local_manifest["name"])

if not ret["label"]:
logger.debug(f"Failed to get label for app {app}, maybe it is not a webapp?")
ret["label"] = local_manifest["name"]
return ret


Expand Down Expand Up @@ -1149,13 +1146,20 @@ def app_install(
shutil.rmtree(app_setting_path)
os.makedirs(app_setting_path)

# Hotfix for bug in the webadmin while we fix the actual issue :D
if label == "undefined":
label = None

# Set initial app settings
app_settings = {
"id": app_instance_name,
"install_time": int(time.time()),
"current_revision": manifest.get("remote", {}).get("revision", "?"),
}

if label:
app_settings["label"] = label

# If packaging_format v2+, save all install options as settings
if packaging_format >= 2:
for option in options:
Expand All @@ -1180,15 +1184,6 @@ def app_install(
recursive=True,
)

# Hotfix for bug in the webadmin while we fix the actual issue :D
if label == "undefined":
label = None

# Override manifest name by given label
# This info is also later picked-up by the 'permission' resource initialization
if label:
manifest["name"] = label

if packaging_format >= 2:
from yunohost.utils.resources import AppResourceManager

Expand All @@ -1210,7 +1205,6 @@ def app_install(
permission_create(
app_instance_name + ".main",
allowed=["all_users"],
label=manifest["name"],
show_tile=False,
protected=False,
)
Expand Down Expand Up @@ -1686,10 +1680,11 @@ def app_ssowatconf():

# New permission system
for perm_name, perm_info in all_permissions.items():

uris = (
[]
+ ([perm_info["url"]] if perm_info["url"] else [])
+ perm_info["additional_urls"]
+ ([perm_info["url"]] if perm_info.get("url") else [])
+ perm_info.get("additional_urls", [])
)

# Ignore permissions for which there's no url defined
Expand Down Expand Up @@ -1814,19 +1809,14 @@ def app_ssowatconf():


def app_change_label(app, new_label):
from yunohost.permission import user_permission_update

installed = _is_installed(app)
if not installed:
raise YunohostValidationError(
"app_not_installed", app=app, all_apps=_get_all_installed_apps_id()
)
logger.warning(m18n.n("app_label_deprecated"))
user_permission_update(app + ".main", label=new_label)


# actions todo list:
# * docstring
app_setting(app, "label", new_label)


def app_action_list(app):
Expand Down
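Review bot: `settings.get("label", local_manifest["name"])` in `app_info` (the `name` entry in the first hunk and the `label` entry in the second) only falls back when the key is missing, not when it holds an empty string; the second hunk repairs `ret["label"]` with an `if not ret["label"]` check but `ret["name"]` gets no such fix, so an app whose settings carry an empty label would report a blank name. `"name": settings.get("label") or local_manifest["name"],` covers both cases in one line and would let the later repair block go. In `app_change_label` the new `app_setting(app, "label", new_label)` persists the caller's value with no validation, whereas `app_install` in the same file still maps the webadmin's literal `"undefined"` to `None`; the same guard, plus a rejection of empty strings, belongs here so that a bad label cannot be stored through the CLI/API. Whether writing the setting alone refreshes wherever the tile name is rendered now that the permission label is gone is not visible in this diff and is worth confirming.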
13 changes: 1 addition & 12 deletions src/backup.py
Original file line number Diff line number Diff line change
Expand Up @@ -1297,19 +1297,14 @@ def _restore_system(self):

# Restore permission for apps installed
for permission_name, permission_infos in old_apps_permission.items():
app_name, perm_name = permission_name.split(".")
app_name, _ = permission_name.split(".")
if _is_installed(app_name):
permission_create(
permission_name,
allowed=permission_infos["allowed"],
url=permission_infos["url"],
additional_urls=permission_infos["additional_urls"],
auth_header=permission_infos["auth_header"],
label=(
permission_infos["label"]
if perm_name == "main"
else permission_infos["sublabel"]
),
show_tile=permission_infos["show_tile"],
protected=permission_infos["protected"],
sync_perm=False,
Expand Down Expand Up @@ -1429,18 +1424,12 @@ def copytree(src, dst, symlinks=False, ignore=None):
g for g in permission_infos["allowed"] if g in existing_groups
]

perm_name = permission_name.split(".")[1]
permission_create(
permission_name,
allowed=should_be_allowed,
url=permission_infos.get("url"),
additional_urls=permission_infos.get("additional_urls"),
auth_header=permission_infos.get("auth_header"),
label=(
permission_infos.get("label")
if perm_name == "main"
else permission_infos.get("sublabel")
),
show_tile=permission_infos.get("show_tile", True),
protected=permission_infos.get("protected", False),
sync_perm=False,
Expand Down
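Review bot: Both restore paths now drop the archive's `label`/`sublabel` when re-creating permissions, but nothing in this section writes that label anywhere else, so an app restored from an archive made before this change (where a custom label lived only in the permission dump) loses it unless the app's settings in the archive already carry a `label` key, which the diff does not show being guaranteed. A one-off fallback in the `_is_installed(app_name)` branch, roughly `if perm_name == "main" and permission_infos.get("label"): <store it as the app's label setting>`, would preserve old archives; use `.get()` because the key will be absent in archives made after this PR. The `show_tile` default differs between the two paths (`permission_infos["show_tile"]` vs `.get("show_tile", True)`) while `app_install` creates `.main` with `show_tile=False`; that is pre-existing but worth aligning while this code is being touched. The enclosing functions start outside the hunks.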