Commit e0b68bdb authored by Vincent Pelletier's avatar Vincent Pelletier

ERP5Site_checkOAuth2ResourceServerPostUpgradeConsistency: Do not lock ERP5 users out

When there is no enabled extractor plugin, PAS internally uses the DumbHTTPExtractor
class. When installing the OAuth2 resource server plugin, it activates itself as an extractor,
disabling this default mechanism. This is most likely unexpected to the admin, so in such
situation create & enable the ERP5 plugin which inherits from DumbHTTPExtractor, to
preserve basic authentiation.
If such plugin exists but is disabled, assume the admin forgot to enable it, and do it for them.
If any extraction plugin is already enabled, do nothing new.
parent c6b59bd6
error_list = []
user_folder = context.getPortalObject().acl_users user_folder = context.getPortalObject().acl_users
plugins = user_folder.plugins
plugin_id = 'erp5_oauth2_resource' # XXX hardcoded
ERP5Security = user_folder.manage_addProduct['ERP5Security']
# XXX: cannot import interface classes, but they are available through listPluginTypeInfo...
for info in plugins.listPluginTypeInfo():
if info['id'] == 'IExtractionPlugin':
IExtractionPlugin = info['interface']
break
else:
IExtractionPlugin = None # This should probably never happen, IExtractionPlugin is a very old plugin type
basic_auth_extractor_value = None
for plugin_value in user_folder.objectValues(): for plugin_value in user_folder.objectValues():
# Note: does not check plugin personalities registration, but these are # Note: does not check plugin personalities registration, but these are
# automaticly done on plugin creation, so unregistering them should be # automaticly done on plugin creation, so unregistering them should be
# a conscious admin action, that should likely be respected. # a conscious admin action, that should likely be respected.
# XXX: testing the type would be nicer than testing the meta_type attribute # XXX: testing the type would be nicer than testing the meta_type attribute
if getattr(plugin_value, 'meta_type', None) == 'ERP5 OAuth2 Resource Server Plugin': meta_type = getattr(plugin_value, 'meta_type', None)
break if meta_type == 'ERP5 OAuth2 Resource Server Plugin':
else: return []
plugin_id = 'erp5_oauth2_resource' # XXX hardcoded elif meta_type == 'ERP5 Dumb HTTP Extraction Plugin':
error_list.append('PAS plugin %r does not exist' % (plugin_id, )) basic_auth_extractor_value = plugin_value
error_list = [
'PAS plugin %r does not exist' % (plugin_id, ),
]
if fixit:
ERP5Security.addERP5OAuth2ResourceServerPlugin(id=plugin_id)
if IExtractionPlugin is not None:
if not plugins.listPlugins(IExtractionPlugin):
# When there is no pre-existing and enabled extraction plugin, enabling oauth will override PAS's default extraction plugin (DumbHTTPExtractor).
# This could prevent the user from logging in, so add (if no instance of the ERP5 Dumb HTTP Extraction Plugin meta-type exists) and enable it.
error_list.append('No pre-existing enabled IExtractionPlugin, will enable ERP5 Dumb HTTP Extraction Plugin')
if fixit: if fixit:
user_folder.manage_addProduct['ERP5Security'].addERP5OAuth2ResourceServerPlugin( if basic_auth_extractor_value is None:
id=plugin_id, basic_auth_extractor_value = ERP5Security.addERP5DumbHTTPExtractionPlugin(
id='erp5_dumb_http_extraction_plugin', # XXX: hardcoded
)
plugins.activatePlugin(
IExtractionPlugin,
basic_auth_extractor_value.getId(),
) )
return error_list return error_list
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment