Commit ed92d54a authored by Rafael Monnerat's avatar Rafael Monnerat

slapos_erp5&cloud: Reimplement (and speed up) security to use...

slapos_erp5&cloud: Reimplement (and speed up) security to use ERP5User_getUserSecurityCategoryValueList

 No need external script for this.

 This change introduces a test change on testSlapOSCloudShadow, that
 include R-COMPUTER and R-INSTANCE for shadow users.

 After check, this feature (shadow) is not used for compute node or
 software instance users, so despite it is not needed (introduced 12yr
 ago), I kept just for reference.

 If those tests eventually break or cause problem, it is safe to remove
 them later on.
parent f99d671c
Pipeline #38653 failed with stage
in 0 seconds
...@@ -25,86 +25,12 @@ ...@@ -25,86 +25,12 @@
# #
############################################################################## ##############################################################################
from Products.ERP5Security.ERP5GroupManager import ConsistencyError #from Products.ERP5Security.ERP5GroupManager import ConsistencyError
from AccessControl.SecurityManagement import getSecurityManager, \ from AccessControl.SecurityManagement import getSecurityManager, \
setSecurityManager, newSecurityManager setSecurityManager, newSecurityManager
from AccessControl import Unauthorized from AccessControl import Unauthorized
def getComputeNodeSecurityCategory(self, base_category_list, user_name,
ob, portal_type):
"""
This script returns a list of dictionaries which represent
the security groups which a compute_node is member of.
"""
category_list = []
compute_node_list = self.portal_catalog.unrestrictedSearchResults(
portal_type='Compute Node',
user_id=user_name,
validation_state="validated",
limit=2,
)
if len(compute_node_list) == 1:
category_dict = {}
for base_category in base_category_list:
if base_category == "role":
category_list.append(
{base_category: ['role/computer']})
elif base_category == "destination_project":
compute_node = compute_node_list[0]
project = compute_node.getFollowUpValue(portal_type='Project')
if project is not None:
category_dict.setdefault(base_category, []).append(project.getRelativeUrl())
else:
raise NotImplementedError('Not supported base category: %s' % base_category)
category_list.append(category_dict)
elif len(compute_node_list) > 1:
raise ConsistencyError("Error: There is more than one Compute Node " \
"with reference '%s'" % user_name)
return category_list
def getSoftwareInstanceSecurityCategory(self, base_category_list, user_name,
ob, portal_type):
"""
This script returns a list of dictionaries which represent
the security groups which a Software Instance is member of.
"""
category_list = []
software_instance_list = self.portal_catalog.unrestrictedSearchResults(
portal_type='Software Instance',
user_id=user_name,
validation_state="validated",
limit=2,
)
if len(software_instance_list) == 1:
category_dict = {}
for base_category in base_category_list:
if base_category == "role":
category_dict.setdefault(base_category, []).extend(['role/instance'])
elif base_category == "destination_project":
software_instance = software_instance_list[0]
project = software_instance.getFollowUpValue(portal_type='Project')
if project is not None:
category_dict.setdefault(base_category, []).append(project.getRelativeUrl())
elif base_category == "aggregate":
software_instance = software_instance_list[0]
instance_tree = software_instance.getSpecialiseValue(portal_type='Instance Tree')
if instance_tree is not None:
category_dict.setdefault(base_category, []).append(instance_tree.getRelativeUrl())
else:
raise NotImplementedError('Not supported base category: %s' % base_category)
category_list.append(category_dict)
elif len(software_instance_list) > 1:
raise ConsistencyError("Error: There is more than one Software Instance " \
"with reference %r" % user_name)
return category_list
def restrictMethodAsShadowUser(self, shadow_document=None, callable_object=None, def restrictMethodAsShadowUser(self, shadow_document=None, callable_object=None,
argument_list=None, argument_dict=None): argument_list=None, argument_dict=None):
""" """
......
...@@ -96,7 +96,7 @@ class TestSlapOSShadowComputeNode(TestSlapOSSecurityMixin): ...@@ -96,7 +96,7 @@ class TestSlapOSShadowComputeNode(TestSlapOSSecurityMixin):
self.login(shadow_user_id) self.login(shadow_user_id)
user = getSecurityManager().getUser() user = getSecurityManager().getUser()
self.assertIn('Authenticated', user.getRoles()) self.assertIn('Authenticated', user.getRoles())
self.assertSameSet(['R-SHADOW-COMPUTENODE', 'SHADOW-%s' % user_id], self.assertSameSet(['R-COMPUTER', 'R-SHADOW-COMPUTENODE', 'SHADOW-%s' % user_id],
user.getGroups()) user.getGroups())
def test_inactive(self): def test_inactive(self):
...@@ -136,7 +136,7 @@ class TestSlapOSShadowSoftwareInstance(TestSlapOSSecurityMixin): ...@@ -136,7 +136,7 @@ class TestSlapOSShadowSoftwareInstance(TestSlapOSSecurityMixin):
self.login(shadow_user_id) self.login(shadow_user_id)
user = getSecurityManager().getUser() user = getSecurityManager().getUser()
self.assertIn('Authenticated', user.getRoles()) self.assertIn('Authenticated', user.getRoles())
self.assertSameSet(['R-SHADOW-SOFTWAREINSTANCE', 'SHADOW-%s' % user_id], self.assertSameSet(['R-INSTANCE', 'R-SHADOW-SOFTWAREINSTANCE', 'SHADOW-%s' % user_id],
user.getGroups()) user.getGroups())
def test_inactive(self): def test_inactive(self):
......
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_function</string> </key>
<value> <string>getComputeNodeSecurityCategory</string> </value>
</item>
<item>
<key> <string>_module</string> </key>
<value> <string>SlapOSSecurity</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ERP5Type_getComputeNodeSecurityCategory</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
"""
Core security script - defines the way to get security groups of the current user.
WARNING: providing such script in erp5_dms could be dangerous
if this conflicts with an existing production site which uses
deprecated ERP5Type_asSecurityGroupIdList
"""
return (
# Person security
('ERP5Type_getSecurityCategoryFromAssignment', ['function']),
('ERP5Type_getSecurityCategoryFromAssignmentParent', ['function']),
# XXX TODO check that only validated project are used
('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project']),
('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project', 'function']),
# Compute Node security
('ERP5Type_getComputeNodeSecurityCategory', ['role']),
# Instance security
('ERP5Type_getSoftwareInstanceSecurityCategory', ['role']),
('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project']),
('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project', 'role']),
('ERP5Type_getSoftwareInstanceSecurityCategory', ['aggregate']),
)
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_function</string> </key>
<value> <string>getSoftwareInstanceSecurityCategory</string> </value>
</item>
<item>
<key> <string>_module</string> </key>
<value> <string>SlapOSSecurity</string> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ERP5Type_getSoftwareInstanceSecurityCategory</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <string></string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
# Please see ERP5User_getSecurityCategoryValueFromAssignment for more informations
# on what this script outputs.
portal_type = context.getPortalType()
if portal_type == 'Person':
return context.ERP5User_getSecurityCategoryValueFromAssignment(
rule_dict={
('function',): ((), ('function',)),
('destination_project',): ((), ),
('destination_project', 'function'): ((), ),
},
)
category_list = []
portal = context.getPortalObject()
if portal_type == 'Compute Node':
category_list.append({
'role': (
(portal.portal_categories.role.computer, False),
),
})
elif portal_type == 'Software Instance':
instance_role = portal.portal_categories.role.instance
category_list.append({'role': ((instance_role, False),),})
project = context.getFollowUpValue(portal_type='Project')
if project is not None:
category_list.append(({'destination_project': ((project, False),)}))
category_list.append(
({
'role': ((instance_role, False),),
'destination_project': ((project, False),)
})
)
instance_tree = context.getSpecialiseValue(portal_type='Instance Tree')
if instance_tree is not None:
category_list.append({'aggregate': ((instance_tree, False),),})
else:
raise NotImplementedError(
'Unsupported portal type as user:' % portal_type)
return category_list
...@@ -54,7 +54,7 @@ ...@@ -54,7 +54,7 @@
</item> </item>
<item> <item>
<key> <string>id</string> </key> <key> <string>id</string> </key>
<value> <string>ERP5Type_getSecurityCategoryMapping</string> </value> <value> <string>ERP5User_getUserSecurityCategoryValueList</string> </value>
</item> </item>
</dictionary> </dictionary>
</pickle> </pickle>
......
...@@ -197,8 +197,8 @@ def makeTestSlapOSCodingStyleTestCase(tested_business_template): ...@@ -197,8 +197,8 @@ def makeTestSlapOSCodingStyleTestCase(tested_business_template):
'slapos_administration/z_search_unindexed_security_uid', 'slapos_administration/z_search_unindexed_security_uid',
'slapos_administration/z_get_uid_group_from_roles_and_users', 'slapos_administration/z_get_uid_group_from_roles_and_users',
'slapos_administration/SoftwareInstance_renewCertificate', 'slapos_administration/SoftwareInstance_renewCertificate',
'slapos_core/ERP5Type_getSecurityCategoryMapping',
'slapos_core/ERP5Type_asSecurityGroupIdSet', 'slapos_core/ERP5Type_asSecurityGroupIdSet',
'slapos_core/ERP5User_getUserSecurityCategoryValueList',
'slapos_base/Login_getFastExpirationReferenceList', 'slapos_base/Login_getFastExpirationReferenceList',
'slapos_base/Login_isLoginBlocked', 'slapos_base/Login_isLoginBlocked',
'slapos_base/Login_isPasswordExpired', 'slapos_base/Login_isPasswordExpired',
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment