slapos_erp5&cloud: Reimplement (and speed up) security to use...

slapos_erp5&cloud: Reimplement (and speed up) security to use ERP5User_getUserSecurityCategoryValueList

 No need external script for this.

 This change introduces a test change on testSlapOSCloudShadow, that
 include R-COMPUTER and R-INSTANCE for shadow users.

 After check, this feature (shadow) is not used for compute node or
 software instance users, so despite it is not needed (introduced 12yr
 ago), I kept just for reference.

 If those tests eventually break or cause problem, it is safe to remove
 them later on.

master/bt5/slapos_cloud/ExtensionTemplateItem/portal_components/extension.erp5.SlapOSSecurity.py

@@ -25,86 +25,12 @@
 #
 ##############################################################################
 
-from Products.ERP5Security.ERP5GroupManager import ConsistencyError
+#from Products.ERP5Security.ERP5GroupManager import ConsistencyError
 from AccessControl.SecurityManagement import getSecurityManager, \
              setSecurityManager, newSecurityManager
 from AccessControl import Unauthorized
 
 
-def getComputeNodeSecurityCategory(self, base_category_list, user_name,
-                                ob, portal_type):
-  """
-  This script returns a list of dictionaries which represent
-  the security groups which a compute_node is member of.
-  """
-  category_list = []
-
-  compute_node_list = self.portal_catalog.unrestrictedSearchResults(
-    portal_type='Compute Node',
-    user_id=user_name,
-    validation_state="validated",
-    limit=2,
-  )
-
-  if len(compute_node_list) == 1:
-    category_dict = {}
-    for base_category in base_category_list:
-      if base_category == "role":
-        category_list.append(
-         {base_category: ['role/computer']})
-      elif base_category == "destination_project":
-        compute_node = compute_node_list[0]
-        project = compute_node.getFollowUpValue(portal_type='Project')
-        if project is not None:
-          category_dict.setdefault(base_category, []).append(project.getRelativeUrl())
-      else:
-        raise NotImplementedError('Not supported base category: %s' % base_category)
-    category_list.append(category_dict)
-  elif len(compute_node_list) > 1:
-    raise ConsistencyError("Error: There is more than one Compute Node " \
-                            "with reference '%s'" % user_name)
-
-  return category_list
-
-def getSoftwareInstanceSecurityCategory(self, base_category_list, user_name,
-                                ob, portal_type): 
-  """
-  This script returns a list of dictionaries which represent
-  the security groups which a Software Instance is member of.
-  """
-  category_list = []
-
-  software_instance_list = self.portal_catalog.unrestrictedSearchResults(
-    portal_type='Software Instance',
-    user_id=user_name,
-    validation_state="validated",
-    limit=2,
-  )
-
-  if len(software_instance_list) == 1:
-    category_dict = {}
-    for base_category in base_category_list:
-      if base_category == "role":
-        category_dict.setdefault(base_category, []).extend(['role/instance'])
-      elif base_category == "destination_project":
-        software_instance = software_instance_list[0]
-        project = software_instance.getFollowUpValue(portal_type='Project')
-        if project is not None:
-          category_dict.setdefault(base_category, []).append(project.getRelativeUrl())
-      elif base_category == "aggregate":
-        software_instance = software_instance_list[0]
-        instance_tree = software_instance.getSpecialiseValue(portal_type='Instance Tree')
-        if instance_tree is not None:
-          category_dict.setdefault(base_category, []).append(instance_tree.getRelativeUrl())
-      else:
-        raise NotImplementedError('Not supported base category: %s' % base_category)
-    category_list.append(category_dict)
-  elif len(software_instance_list) > 1:
-    raise ConsistencyError("Error: There is more than one Software Instance " \
-                            "with reference %r" % user_name)
-
-  return category_list
-
 def restrictMethodAsShadowUser(self, shadow_document=None, callable_object=None,
     argument_list=None, argument_dict=None):
   """

master/bt5/slapos_cloud/TestTemplateItem/portal_components/test.erp5.testSlapOSCloudShadow.py

@@ -96,7 +96,7 @@ class TestSlapOSShadowComputeNode(TestSlapOSSecurityMixin):
     self.login(shadow_user_id)
     user = getSecurityManager().getUser()
     self.assertIn('Authenticated', user.getRoles())
-    self.assertSameSet(['R-SHADOW-COMPUTENODE', 'SHADOW-%s' % user_id],
+    self.assertSameSet(['R-COMPUTER', 'R-SHADOW-COMPUTENODE', 'SHADOW-%s' % user_id],
       user.getGroups())
 
   def test_inactive(self):
@@ -136,7 +136,7 @@ class TestSlapOSShadowSoftwareInstance(TestSlapOSSecurityMixin):
     self.login(shadow_user_id)
     user = getSecurityManager().getUser()
     self.assertIn('Authenticated', user.getRoles())
-    self.assertSameSet(['R-SHADOW-SOFTWAREINSTANCE', 'SHADOW-%s' % user_id],
+    self.assertSameSet(['R-INSTANCE', 'R-SHADOW-SOFTWAREINSTANCE', 'SHADOW-%s' % user_id],
       user.getGroups())
 
   def test_inactive(self):

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getComputeNodeSecurityCategory.xml

-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_function</string> </key>
-            <value> <string>getComputeNodeSecurityCategory</string> </value>
-        </item>
-        <item>
-            <key> <string>_module</string> </key>
-            <value> <string>SlapOSSecurity</string> </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getComputeNodeSecurityCategory</string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value> <string></string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py

-"""
-Core security script - defines the way to get security groups of the current user.
-
-WARNING: providing such script in erp5_dms could be dangerous
-if this conflicts with an existing production site which uses
-deprecated ERP5Type_asSecurityGroupIdList
-"""
-
-return (
-  # Person security
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['function']),
-  ('ERP5Type_getSecurityCategoryFromAssignmentParent', ['function']),
-  # XXX TODO check that only validated project are used
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project']),
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project', 'function']),
-  
-  # Compute Node security
-  ('ERP5Type_getComputeNodeSecurityCategory', ['role']),
-
-  # Instance security
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['role']),
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project']),
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project', 'role']),
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['aggregate']),
-
-)

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSoftwareInstanceSecurityCategory.xml

-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_function</string> </key>
-            <value> <string>getSoftwareInstanceSecurityCategory</string> </value>
-        </item>
-        <item>
-            <key> <string>_module</string> </key>
-            <value> <string>SlapOSSecurity</string> </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSoftwareInstanceSecurityCategory</string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value> <string></string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5User_getUserSecurityCategoryValueList.py

+# Please see ERP5User_getSecurityCategoryValueFromAssignment for more informations
+# on what this script outputs.
+
+portal_type = context.getPortalType()
+if portal_type == 'Person':
+  return context.ERP5User_getSecurityCategoryValueFromAssignment(
+    rule_dict={
+      ('function',): ((), ('function',)),
+      ('destination_project',): ((), ),
+      ('destination_project', 'function'): ((), ),
+    },
+  )
+
+category_list = []
+portal = context.getPortalObject()
+
+if portal_type == 'Compute Node':
+  category_list.append({
+    'role': (
+      (portal.portal_categories.role.computer, False),
+      ),
+    })
+
+elif portal_type == 'Software Instance':
+  instance_role = portal.portal_categories.role.instance
+  category_list.append({'role': ((instance_role, False),),})
+
+  project = context.getFollowUpValue(portal_type='Project')
+  if project is not None:
+    category_list.append(({'destination_project': ((project, False),)}))
+    category_list.append(
+      ({
+        'role': ((instance_role, False),),
+        'destination_project': ((project, False),)
+      })
+    )
+
+  instance_tree = context.getSpecialiseValue(portal_type='Instance Tree')
+  if instance_tree is not None:
+    category_list.append({'aggregate': ((instance_tree, False),),})
+
+else:
+  raise NotImplementedError(
+    'Unsupported portal type as user:' % portal_type)
+
+return category_list

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.xml → master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5User_getUserSecurityCategoryValueList.xml

@@ -54,7 +54,7 @@
         </item>
         <item>
             <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSecurityCategoryMapping</string> </value>
+            <value> <string>ERP5User_getUserSecurityCategoryValueList</string> </value>
         </item>
       </dictionary>
     </pickle>

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSCodingStyle.py

@@ -197,8 +197,8 @@ def makeTestSlapOSCodingStyleTestCase(tested_business_template):
         'slapos_administration/z_search_unindexed_security_uid',
         'slapos_administration/z_get_uid_group_from_roles_and_users',
         'slapos_administration/SoftwareInstance_renewCertificate',
-        'slapos_core/ERP5Type_getSecurityCategoryMapping',
         'slapos_core/ERP5Type_asSecurityGroupIdSet',
+        'slapos_core/ERP5User_getUserSecurityCategoryValueList',
         'slapos_base/Login_getFastExpirationReferenceList',
         'slapos_base/Login_isLoginBlocked',
         'slapos_base/Login_isPasswordExpired',