access_token: post upgrade constraint to enable PAS plugins

bt5/erp5_access_token/PortalTypePropertySheetTemplateItem/property_sheet_list.xml

@@ -6,4 +6,7 @@
   <item>Reference</item>
   <item>Url</item>
  </portal_type>
+ <portal_type id="Template Tool">
+  <item>TemplateToolERP5AccessTokenExtractionPluginConstraint</item>
+ </portal_type>
 </property_sheet_list>
\ No newline at end of file

bt5/erp5_access_token/PropertySheetTemplateItem/portal_property_sheets/TemplateToolERP5AccessTokenExtractionPluginConstraint.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Property Sheet" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_count</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>_mt_index</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>_tree</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>TemplateToolERP5AccessTokenExtractionPluginConstraint</string> </value>
+        </item>
+        <item>
+            <key> <string>portal_type</string> </key>
+            <value> <string>Property Sheet</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="Length" module="BTrees.Length"/>
+    </pickle>
+    <pickle> <int>0</int> </pickle>
+  </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <global name="OOBTree" module="BTrees.OOBTree"/>
+    </pickle>
+    <pickle>
+      <none/>
+    </pickle>
+  </record>
+  <record id="4" aka="AAAAAAAAAAQ=">
+    <pickle>
+      <global name="OOBTree" module="BTrees.OOBTree"/>
+    </pickle>
+    <pickle>
+      <none/>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_access_token/PropertySheetTemplateItem/portal_property_sheets/TemplateToolERP5AccessTokenExtractionPluginConstraint/ERP5AccessTokenExtractionPlugin_existence_constraint.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Script Constraint" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_identity_criterion</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>_range_criterion</string> </key>
+            <value>
+              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+            </value>
+        </item>
+        <item>
+            <key> <string>categories</string> </key>
+            <value>
+              <tuple>
+                <string>constraint_type/post_upgrade</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5AccessTokenExtractionPlugin_existence_constraint</string> </value>
+        </item>
+        <item>
+            <key> <string>portal_type</string> </key>
+            <value> <string>Script Constraint</string> </value>
+        </item>
+        <item>
+            <key> <string>script_id</string> </key>
+            <value> <string>TemplateTool_checkERP5AccessTokenExtractionPluginExistenceConsistency</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="2" aka="AAAAAAAAAAI=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+  <record id="3" aka="AAAAAAAAAAM=">
+    <pickle>
+      <global name="PersistentMapping" module="Persistence.mapping"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>data</string> </key>
+            <value>
+              <dictionary/>
+            </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/TemplateTool_checkERP5AccessTokenExtractionPluginExistenceConsistency.py

+acl_users = context.getPortalObject().acl_users
+token_extraction_id = "erp5_access_token_plugin"
+
+access_token_plugin_list = [
+    plugin for plugin in acl_users.objectValues()
+    if plugin.meta_type == 'ERP5 Access Token Extraction Plugin']
+
+if len(access_token_plugin_list) > 1:
+  return ["More than one plugin found: %s" % access_token_plugin_list]
+
+error_list = []
+if not access_token_plugin_list:
+  # A dumb http extraction plugin is required as fallback if we use an access token
+  # since https://github.com/Nexedi/erp5/commit/0bee523da0075c6efe3c06296dddd01d9dd5045a
+  # we enable it automatically at site creation, but for compatibility with old instances
+  # make sure it is created if needed
+  if 'erp5_dumb_http_extraction' not in acl_users.objectIds():
+    error_list.append("erp5_dumb_http_extraction is missing")
+    if fixit:
+      dispacher = acl_users.manage_addProduct['ERP5Security']
+      dispacher.addERP5DumbHTTPExtractionPlugin('erp5_dumb_http_extraction')
+      acl_users.erp5_dumb_http_extraction.manage_activateInterfaces(('IExtractionPlugin', ))
+
+  error_list.append("erp5_access_token_plugin is missing")
+  if fixit:
+    dispacher = acl_users.manage_addProduct['ERP5Security']
+    dispacher.addERP5AccessTokenExtractionPlugin(token_extraction_id)
+    access_token_plugin_list = [getattr(acl_users, token_extraction_id)]
+
+if access_token_plugin_list:
+  access_token_plugin, = access_token_plugin_list
+  # We only check that our plugin is enabled for IAuthenticationPlugin, this covers both
+  # cases where plugin was not enabled at all or was enabled only for IExtractionPlugin
+  IAuthenticationPlugin = [
+    # Products.PluggableAuthService.interfaces.plugins.IAuthenticationPlugin cannot
+    # be imported in restricted python but we can get it this way.
+      x for x in acl_users.plugins.listPluginTypeInfo()
+      if x['id'] == 'IAuthenticationPlugin'][0]['interface']
+  if (access_token_plugin.getId()
+        not in acl_users.plugins.listPluginIds(IAuthenticationPlugin)):
+    error_list.append("erp5_access_token_plugin is not activated")
+    if fixit:
+      access_token_plugin.manage_activateInterfaces((
+          'IExtractionPlugin',
+          'IAuthenticationPlugin',))
+return error_list

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/TemplateTool_checkERP5AccessTokenExtractionPluginExistenceConsistency.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>Script_magic</string> </key>
+            <value> <int>3</int> </value>
+        </item>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                </klass>
+                <tuple/>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>fixit=False</string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>TemplateTool_checkERP5AccessTokenExtractionPluginExistenceConsistency</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

bt5/erp5_access_token/TestTemplateItem/portal_components/test.erp5.testERP5AccessToken.py

@@ -29,6 +29,7 @@
 
 from ZPublisher.HTTPRequest import HTTPRequest
 from ZPublisher.HTTPResponse import HTTPResponse
+from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin
 from DateTime import DateTime
 import base64
 import StringIO
@@ -55,7 +56,6 @@ class AccessTokenTestCase(ERP5TypeTestCase):
 
 
 class TestERP5AccessTokenSkins(AccessTokenTestCase):
-  test_token_extraction_id = 'test_erp5_access_token_extraction'
 
   def generateNewId(self):
     return str(self.portal.portal_ids.generateNewId(
@@ -66,27 +66,13 @@ class TestERP5AccessTokenSkins(AccessTokenTestCase):
     This is ran before anything, used to set the environment
     """
     self.new_id = self.generateNewId()
-    self._setupAccessTokenExtraction()
+    self.portal.portal_templates.TemplateTool_checkERP5AccessTokenExtractionPluginExistenceConsistency(
+        fixit=True)
     self.tic()
 
-  def _setupAccessTokenExtraction(self):
-    pas = self.portal.acl_users
-    access_extraction_list = [q for q in pas.objectValues() \
-        if q.meta_type == 'ERP5 Access Token Extraction Plugin']
-    if len(access_extraction_list) == 0:
-      dispacher = pas.manage_addProduct['ERP5Security']
-      dispacher.addERP5AccessTokenExtractionPlugin(self.test_token_extraction_id)
-      getattr(pas, self.test_token_extraction_id).manage_activateInterfaces(
-        ('IExtractionPlugin', 'IAuthenticationPlugin'))
-    elif len(access_extraction_list) == 1:
-      self.test_token_extraction_id = access_extraction_list[0].getId()
-    elif len(access_extraction_list) > 1:
-      raise ValueError
-    self.commit()
-
   def _getTokenCredential(self, request):
     """Authenticate the request and return (user_id, login) or None if not authorized."""
-    plugin = getattr(self.portal.acl_users, self.test_token_extraction_id)
+    plugin = self.portal.acl_users.erp5_access_token_plugin
     return plugin.authenticateCredentials(plugin.extractCredentials(request))
 
   def _createRestrictedAccessToken(self, new_id, person, method, url_string):
@@ -412,3 +398,27 @@ class TestERP5DumbHTTPExtractionPlugin(AccessTokenTestCase):
     request = self.do_fake_request("GET", {"HTTP_AUTHORIZATION": "Basic " + base64.b64encode("%s:test" % self.new_id)})
     ret = ERP5DumbHTTPExtractionPlugin("default_extraction").extractCredentials(request)
     self.assertEqual(ret, {'login': self.new_id, 'password': 'test', 'remote_host': 'bobo.remote.host', 'remote_address': '204.183.226.81 '})
+
+
+class TestERP5AccessTokenUpgraderEnablePlugin(AccessTokenTestCase):
+  def afterSetUp(self):
+    # disable plugin if it had been enabled by another test.
+    acl_users = self.portal.acl_users
+    acl_users.manage_delObjects(ids=[
+      x.getId() for x in
+        acl_users.objectValues(spec=('ERP5 Access Token Extraction Plugin',))])
+    self.commit()
+
+  def test_post_upgrade_constraint_enable_plugin(self):
+    consistency_list = self.portal.portal_templates.checkConsistency(
+        filter={"constraint_type": "post_upgrade"})
+    self.assertIn(
+        'erp5_access_token_plugin is missing',
+        [x.message for x in consistency_list])
+    self.portal.portal_templates.checkConsistency(
+        fixit=True,
+        filter={"constraint_type": "post_upgrade"})
+    self.commit()
+    self.assertIn(
+      'erp5_access_token_plugin',
+      self.portal.acl_users.plugins.listPluginIds(IAuthenticationPlugin))
\ No newline at end of file

bt5/erp5_access_token/bt/template_portal_type_property_sheet_list

 One Time Restricted Access Token | Url
 Restricted Access Token | Reference
 Restricted Access Token | Url
+Template Tool | TemplateToolERP5AccessTokenExtractionPluginConstraint
\ No newline at end of file

bt5/erp5_access_token/bt/template_property_sheet_id_list

+TemplateToolERP5AccessTokenExtractionPluginConstraint
\ No newline at end of file