slapos_erp5: Compute Node is assignor on Certificate Login from Software Instance

Compute Node must be able to invalidate Certificate Login whenever the Software Instance is destroyed.

slapos_erp5: Compute Node is assignor on Certificate Login from Software Instance
Compute Node must be able to invalidate Certificate Login whenever the Software Instance is destroyed.
fcfda1e9 · Rafael Monnerat · f8cebc62 · fcfda1e9 · fcfda1e9 · fcfda1e9
Commit fcfda1e9 authored Jun 28, 2023 by Rafael Monnerat
10 changed files
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Certificate%20Login.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Certificate%20Login.xml
 <type_roles>
+  <role id='Assignor'>
+   <property id='title'>Compute Node</property>
+   <property id='condition'>python: here.getParentValue().getPortalType() in ( "Software Instance",)</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromParentContentParent</property>
+   <multi_property id='categories'>local_role_group/computer</multi_property>
+   <multi_property id='base_category'>aggregate</multi_property>
+  </role>
  <role id='Assignee'>
   <property id='title'>The User Himself</property>
   <property id='condition'>python: here.getParentValue().getPortalType() in ("Person", "Software Instance", "Compute Node")</property>

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent.py
+"""
+This script returns a list of dictionaries which represent
+the security groups which a person is member of. It extracts
+the categories from the current content. It is useful in the
+following cases:
+
+- calculate a security group based on a given
+  category of the current object (ex. group). This
+  is used for example in ERP5 DMS to calculate
+  document security.
+
+- assign local roles to a document based on
+  the person which the object related to through
+  a given base category (ex. destination). This
+  is used for example in ERP5 Project to calculate
+  Task / Task Report security.
+
+The parameters are
+
+  base_category_list -- list of category values we need to retrieve
+  user_name          -- string obtained from getSecurityManager().getUser().getId()
+  object             -- object which we want to assign roles to
+  portal_type        -- portal type of object
+
+NOTE: for now, this script requires proxy manager
+"""
+
+category_list = []
+
+if obj is None:
+  return []
+
+for base_category in base_category_list:
+  category_list.append({base_category: [x.getParentValue().getRelativeUrl() for x in obj.getParentValue().getValueList(base_category)]})
+
+return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="_reconstructor" module="copy_reg"/>
+                </klass>
+                <tuple>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                  <global name="object" module="__builtin__"/>
+                  <none/>
+                </tuple>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5Type_getSecurityCategoryFromParentContentParent</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSCodingStyle.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSCodingStyle.py
@@ -296,6 +296,7 @@ def makeTestSlapOSCodingStyleTestCase(tested_business_template):
        'slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree',
        'slapos_core/ERP5Type_getSecurityCategoryFromChildAssignmentList',
        'slapos_core/ERP5Type_getSecurityCategoryFromContentParent',
+        'slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent',
        'slapos_core/ERP5Type_getSecurityCategoryFromParent',
        'slapos_core/ERP5Type_getSecurityCategoryMapping',
        'slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection',

--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py
@@ -724,6 +724,25 @@ class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
 class TestCertificateLogin(TestERP5Login):
  login_portal_type = "Certificate Login"

+  def test_ComputeNodeCanAccessSoftwareInstanceLoginDocument(self):
+    software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance')
+    login = software_instance.newContent(portal_type=self.login_portal_type)
+    compute_node_reference = 'TESTCOMP-%s' % self.generateNewId()
+    compute_node = self.portal.compute_node_module.template_compute_node\
+        .Base_createCloneDocument(batch_mode=1)
+    compute_node.edit(reference=compute_node_reference)
+    partition = compute_node.newContent(portal_type='Compute Partition')
+    software_instance.edit(aggregate=partition.getRelativeUrl())
+
+    compute_node.updateLocalRolesOnSecurityGroups()
+    software_instance.updateLocalRolesOnSecurityGroups()
+    login.updateLocalRolesOnSecurityGroups()
+
+    self.assertSecurityGroup(login,
+      [self.user_id, software_instance.getUserId(), compute_node.getUserId()], False)
+    self.assertRoles(login, software_instance.getUserId(), ['Assignee'])
+    self.assertRoles(login, self.user_id, ['Owner'])
+    self.assertRoles(login, compute_node.getUserId(), ['Assignor'])

 class TestGoogleLogin(TestERP5Login):
  login_portal_type = "Google Login"

--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.py
@@ -232,9 +232,15 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
    software_instance = self.portal.software_instance_module.newContent(
        portal_type='Software Instance',
        specialise=instance_tree.getRelativeUrl())
+    certificate_login = software_instance.newContent(
+        portal_type='Certificate Login')
+    
    self.assertSecurityGroup(software_instance, [self.user_id, 'G-COMPANY',
        instance_tree.getReference()],
        False)
+    self.assertSecurityGroup(certificate_login, [self.user_id,
+      software_instance.getUserId()],
+        False)

    compute_node = self.portal.compute_node_module.template_compute_node\
        .Base_createCloneDocument(batch_mode=1)
@@ -250,6 +256,9 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
        compute_node.getUserId(), instance_tree.getReference()], False)
    self.assertSecurityGroup(partition, [self.user_id,
        instance_tree.getReference()], True)
+    self.assertSecurityGroup(certificate_login, [self.user_id,
+        compute_node.getUserId(), software_instance.getUserId()],
+        False)

  def test_SlaveInstance_setSpecialise(self):
    slave_instance = self.portal.software_instance_module.newContent(

--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.xml
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.xml
@@ -6,12 +6,6 @@
    </pickle>
    <pickle>
      <dictionary>
-        <item>
-            <key> <string>_recorded_property_dict</string> </key>
-            <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
-            </value>
-        </item>
        <item>
            <key> <string>default_reference</string> </key>
            <value> <string>testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow</string> </value>
@@ -55,28 +49,13 @@
        <item>
            <key> <string>workflow_history</string> </key>
            <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
            </value>
        </item>
      </dictionary>
    </pickle>
  </record>
  <record id="2" aka="AAAAAAAAAAI=">
-    <pickle>
-      <global name="PersistentMapping" module="Persistence.mapping"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>data</string> </key>
-            <value>
-              <dictionary/>
-            </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-  <record id="3" aka="AAAAAAAAAAM=">
    <pickle>
      <global name="PersistentMapping" module="Persistence.mapping"/>
    </pickle>
@@ -89,7 +68,7 @@
                <item>
                    <key> <string>component_validation_workflow</string> </key>
                    <value>
-                      <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
+                      <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
                    </value>
                </item>
              </dictionary>
@@ -98,7 +77,7 @@
      </dictionary>
    </pickle>
  </record>
-  <record id="4" aka="AAAAAAAAAAQ=">
+  <record id="3" aka="AAAAAAAAAAM=">
    <pickle>
      <global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/>
    </pickle>

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_SoftwareInstance_edit.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_SoftwareInstance_edit.xml
@@ -11,6 +11,7 @@
            <value>
              <tuple>
                <string>after_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllLocalRoles</string>
+                <string>after_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles</string>
              </tuple>
            </value>
        </item>

--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles.py
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles.py
+"""
+This script updates all local roles on sub-objects. It requires Assignor
+proxy role since it may be called by owner in draft state.
+"""
+for child in state_change['object'].contentValues():
+  child.updateLocalRolesOnSecurityGroups()
--- a/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles.xml
+++ b/master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Workflow Script" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="_reconstructor" module="copy_reg"/>
+                </klass>
+                <tuple>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                  <global name="object" module="__builtin__"/>
+                  <none/>
+                </tuple>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>state_change</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Assignor</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>script_Base_updateAllChildrenLocalRoles</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>