def test_permission_remove_group(mocker):
with message(mocker, "permission_updated", permission="blog.main"):
user_permission_update("blog.main", remove="alice")
res = user_permission_list(full=True)['permissions']
assert res['blog.main']['allowed'] == []
assert res['blog.main']['corresponding_users'] == []
def test_permission_app_install():
app_install(os.path.join(get_test_apps_dir(), "permissions_app_ynh"),
args="domain=%s&domain_2=%s&path=%s&is_public=0&admin=%s" %
(maindomain, other_domains[0], "/urlpermissionapp", "alice"),
force=True)
res = user_permission_list(full=True)['permissions']
assert "permissions_app.main" in res
assert "permissions_app.admin" in res
assert "permissions_app.dev" in res
assert res['permissions_app.main']['url'] == "/"
assert res['permissions_app.admin']['url'] == "/admin"
assert res['permissions_app.dev']['url'] == "/dev"
assert res['permissions_app.main']['allowed'] == ["all_users"]
assert set(res['permissions_app.main']['corresponding_users']) == set(
["alice", "bob"])
assert res['permissions_app.admin']['allowed'] == ["alice"]
assert res['permissions_app.admin']['corresponding_users'] == ["alice"]
assert res['permissions_app.dev']['allowed'] == []
assert set(res['permissions_app.dev']['corresponding_users']) == set()
# Check that we get the right stuff in app_map, which is used to generate the ssowatconf
assert maindomain + "/urlpermissionapp" in app_map(user="******").keys()
user_permission_update("permissions_app.main",
remove="all_users",
add="bob")
assert maindomain + "/urlpermissionapp" not in app_map(user="******").keys()
assert maindomain + "/urlpermissionapp" in app_map(user="******").keys()
def test_permission_app_propagation_on_ssowat():
app_install(os.path.join(get_test_apps_dir(), "permissions_app_ynh"),
args="domain=%s&domain_2=%s&path=%s&is_public=1&admin=%s" %
(maindomain, other_domains[0], "/urlpermissionapp", "alice"),
force=True)
res = user_permission_list(full=True)['permissions']
assert "visitors" in res['permissions_app.main']['allowed']
assert "all_users" in res['permissions_app.main']['allowed']
app_webroot = "https://%s/urlpermissionapp" % maindomain
assert can_access_webpage(app_webroot, logged_as=None)
assert can_access_webpage(app_webroot, logged_as="alice")
user_permission_update("permissions_app.main",
remove=["visitors", "all_users"],
add="bob")
res = user_permission_list(full=True)['permissions']
assert not can_access_webpage(app_webroot, logged_as=None)
assert not can_access_webpage(app_webroot, logged_as="alice")
assert can_access_webpage(app_webroot, logged_as="bob")
# Test admin access, as configured during install, only alice should be able to access it
# alice gotta be allowed on the main permission to access the admin tho
user_permission_update("permissions_app.main",
remove="bob",
add="all_users")
assert not can_access_webpage(app_webroot + "/admin", logged_as=None)
assert can_access_webpage(app_webroot + "/admin", logged_as="alice")
assert not can_access_webpage(app_webroot + "/admin", logged_as="bob")
def test_permission_legacy_app_propagation_on_ssowat():
app_install(os.path.join(get_test_apps_dir(), "legacy_app_ynh"),
args="domain=%s&domain_2=%s&path=%s" %
(maindomain, other_domains[0], "/legacy"),
force=True)
# App is configured as public by default using the legacy unprotected_uri mechanics
# It should automatically be migrated during the install
res = user_permission_list(full=True)['permissions']
assert "visitors" in res['legacy_app.main']['allowed']
assert "all_users" in res['legacy_app.main']['allowed']
app_webroot = "https://%s/legacy" % maindomain
assert can_access_webpage(app_webroot, logged_as=None)
assert can_access_webpage(app_webroot, logged_as="alice")
# Try to update the permission and check that permissions are still consistent
user_permission_update("legacy_app.main",
remove=["visitors", "all_users"],
add="bob")
assert not can_access_webpage(app_webroot, logged_as=None)
assert not can_access_webpage(app_webroot, logged_as="alice")
assert can_access_webpage(app_webroot, logged_as="bob")
def test_permission_add_group_that_doesnt_exist(mocker):
with raiseYunohostError(mocker, "group_unknown"):
user_permission_update("blog.main", add="doesnt_exist")
res = user_permission_list(full=True)['permissions']
assert res['blog.main']['allowed'] == ["alice"]
assert res['blog.main']['corresponding_users'] == ["alice"]
def test_permission_switch_show_tile_with_same_value(mocker):
# Note that from the actionmap the value is passed as string, not as bool
with message(mocker, "permission_updated", permission="wiki.main"):
user_permission_update("wiki.main", show_tile="True")
res = user_permission_list(full=True)['permissions']
assert res['wiki.main']['show_tile'] is True
def test_permission_add_and_remove_group(mocker):
with message(mocker, "permission_updated", permission="wiki.main"):
user_permission_update("wiki.main", add="alice", remove="all_users")
res = user_permission_list(full=True)['permissions']
assert res['wiki.main']['allowed'] == ["alice"]
assert res['wiki.main']['corresponding_users'] == ["alice"]
def test_permission_add_group(mocker):
with message(mocker, "permission_updated", permission="wiki.main"):
user_permission_update("wiki.main", add="alice")
res = user_permission_list(full=True)['permissions']
assert set(res['wiki.main']['allowed']) == set(["all_users", "alice"])
assert set(res['wiki.main']['corresponding_users']) == set(
["alice", "bob"])
def run(self, *args):
from yunohost.utils.ldap import _get_ldap_interface
ldap = _get_ldap_interface()
existing_perms_raw = ldap.search(
"ou=permission,dc=yunohost,dc=org", "(objectclass=permissionYnh)", ["cn"]
)
existing_perms = [perm["cn"][0] for perm in existing_perms_raw]
# Add SSH and SFTP permissions
ldap_map = read_yaml(
"/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml"
)
if "sftp.main" not in existing_perms:
ldap.add(
"cn=sftp.main,ou=permission",
ldap_map["depends_children"]["cn=sftp.main,ou=permission"],
)
if "ssh.main" not in existing_perms:
ldap.add(
"cn=ssh.main,ou=permission",
ldap_map["depends_children"]["cn=ssh.main,ou=permission"],
)
# Add a bash terminal to each users
users = ldap.search(
"ou=users,dc=yunohost,dc=org",
filter="(loginShell=*)",
attrs=["dn", "uid", "loginShell"],
)
for user in users:
if user["loginShell"][0] == "/bin/false":
dn = user["dn"][0].replace(",dc=yunohost,dc=org", "")
ldap.update(dn, {"loginShell": ["/bin/bash"]})
else:
user_permission_update(
"ssh.main", add=user["uid"][0], sync_perm=False
)
permission_sync_to_user()
# Somehow this is needed otherwise the PAM thing doesn't forget about the
# old loginShell value ?
subprocess.call(["nscd", "-i", "passwd"])
if (
"/etc/ssh/sshd_config" in manually_modified_files()
and os.system(
"grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config"
)
!= 0
):
logger.error(m18n.n("diagnosis_sshd_config_insecure"))
def test_permission_switch_protected():
user_permission_update("wiki.main", protected=True)
res = user_permission_list(full=True)["permissions"]
assert res["wiki.main"]["protected"] is True
user_permission_update("wiki.main", protected=False)
res = user_permission_list(full=True)["permissions"]
assert res["wiki.main"]["protected"] is False
def test_permission_add_group_already_allowed(mocker):
with message(mocker,
"permission_already_allowed",
permission="blog.main",
group="alice"):
user_permission_update("blog.main", add="alice")
res = user_permission_list(full=True)["permissions"]
assert res["blog.main"]["allowed"] == ["alice"]
assert res["blog.main"]["corresponding_users"] == ["alice"]
def test_permission_remove_group_already_not_allowed(mocker):
with message(mocker,
"permission_already_disallowed",
permission="blog.main",
group="bob"):
user_permission_update("blog.main", remove="bob")
res = user_permission_list(full=True)['permissions']
assert res['blog.main']['allowed'] == ["alice"]
assert res['blog.main']['corresponding_users'] == ["alice"]
def test_permission_switch_protected():
user_permission_update("wiki.main", protected=True)
res = user_permission_list(full=True)['permissions']
assert res['wiki.main']['protected'] is True
user_permission_update("wiki.main", protected=False)
res = user_permission_list(full=True)['permissions']
assert res['wiki.main']['protected'] is False
def test_permission_switch_show_tile(mocker):
# Note that from the actionmap the value is passed as string, not as bool
# Try with lowercase
with message(mocker, "permission_updated", permission="wiki.main"):
user_permission_update("wiki.main", show_tile="false")
res = user_permission_list(full=True)['permissions']
assert res['wiki.main']['show_tile'] is False
# Try with uppercase
with message(mocker, "permission_updated", permission="wiki.main"):
user_permission_update("wiki.main", show_tile="TRUE")
res = user_permission_list(full=True)['permissions']
assert res['wiki.main']['show_tile'] is True
def migrate_app_permission(app=None):
logger.info(m18n.n("migration_0011_migrate_permission"))
apps = _installed_apps()
if app:
if app not in apps:
logger.error(
"Can't migrate permission for app %s because it ain't installed..."
% app
)
apps = []
else:
apps = [app]
for app in apps:
permission = app_setting(app, "allowed_users")
path = app_setting(app, "path")
domain = app_setting(app, "domain")
url = "/" if domain and path else None
if permission:
known_users = list(user_list()["users"].keys())
allowed = [
user for user in permission.split(",") if user in known_users
]
else:
allowed = ["all_users"]
permission_create(
app + ".main",
url=url,
allowed=allowed,
show_tile=True,
protected=False,
sync_perm=False,
)
app_setting(app, "allowed_users", delete=True)
# Migrate classic public app still using the legacy unprotected_uris
if (
app_setting(app, "unprotected_uris") == "/"
or app_setting(app, "skipped_uris") == "/"
):
user_permission_update(app + ".main", add="visitors", sync_perm=False)
permission_sync_to_user()
def test_permission_protected_update(mocker):
res = user_permission_list(full=True)['permissions']
assert res['blog.api']['allowed'] == ["visitors"]
with raiseYunohostError(mocker, "permission_protected"):
user_permission_update("blog.api", remove="visitors")
res = user_permission_list(full=True)['permissions']
assert res['blog.api']['allowed'] == ["visitors"]
user_permission_update("blog.api", remove="visitors", force=True)
res = user_permission_list(full=True)['permissions']
assert res['blog.api']['allowed'] == []
with raiseYunohostError(mocker, "permission_protected"):
user_permission_update("blog.api", add="visitors")
res = user_permission_list(full=True)['permissions']
assert res['blog.api']['allowed'] == []
def test_permission_update_permission_that_doesnt_exist(mocker):
with raiseYunohostError(mocker, "permission_not_found"):
user_permission_update("doesnt.exist", add="alice")
def migrate_legacy_permission_settings(app=None):
logger.info(m18n.n("migrating_legacy_permission_settings"))
apps = _installed_apps()
if app:
if app not in apps:
logger.error(
"Can't migrate permission for app %s because it ain't installed..."
% app)
apps = []
else:
apps = [app]
for app in apps:
settings = _get_app_settings(app) or {}
if settings.get("label"):
user_permission_update(app + ".main",
label=settings["label"],
sync_perm=False)
del settings["label"]
def _setting(name):
s = settings.get(name)
return s.split(',') if s else []
skipped_urls = [uri for uri in _setting('skipped_uris') if uri != '/']
skipped_urls += ['re:' + regex for regex in _setting('skipped_regex')]
unprotected_urls = [
uri for uri in _setting('unprotected_uris') if uri != '/'
]
unprotected_urls += [
're:' + regex for regex in _setting('unprotected_regex')
]
protected_urls = [
uri for uri in _setting('protected_uris') if uri != '/'
]
protected_urls += [
're:' + regex for regex in _setting('protected_regex')
]
if skipped_urls != []:
permission_create(app + ".legacy_skipped_uris",
additional_urls=skipped_urls,
auth_header=False,
label=legacy_permission_label(app, "skipped"),
show_tile=False,
allowed='visitors',
protected=True,
sync_perm=False)
if unprotected_urls != []:
permission_create(app + ".legacy_unprotected_uris",
additional_urls=unprotected_urls,
auth_header=True,
label=legacy_permission_label(
app, "unprotected"),
show_tile=False,
allowed='visitors',
protected=True,
sync_perm=False)
if protected_urls != []:
permission_create(app + ".legacy_protected_uris",
additional_urls=protected_urls,
auth_header=True,
label=legacy_permission_label(app, "protected"),
show_tile=False,
allowed=user_permission_list()['permissions'][
app + ".main"]['allowed'],
protected=True,
sync_perm=False)
legacy_permission_settings = [
"skipped_uris", "unprotected_uris", "protected_uris",
"skipped_regex", "unprotected_regex", "protected_regex"
]
for key in legacy_permission_settings:
if key in settings:
del settings[key]
_set_app_settings(app, settings)
permission_sync_to_user()
def run(self, *args):
from yunohost.utils.ldap import _get_ldap_interface
ldap = _get_ldap_interface()
existing_perms_raw = ldap.search("ou=permission,dc=yunohost,dc=org",
"(objectclass=permissionYnh)", ["cn"])
existing_perms = [perm["cn"][0] for perm in existing_perms_raw]
# Add SSH and SFTP permissions
if "sftp.main" not in existing_perms:
ldap.add(
"cn=sftp.main,ou=permission",
{
"cn": "sftp.main",
"gidNumber": "5004",
"objectClass": ["posixGroup", "permissionYnh"],
"groupPermission": [],
"authHeader": "FALSE",
"label": "SFTP",
"showTile": "FALSE",
"isProtected": "TRUE",
},
)
if "ssh.main" not in existing_perms:
ldap.add(
"cn=ssh.main,ou=permission",
{
"cn": "ssh.main",
"gidNumber": "5003",
"objectClass": ["posixGroup", "permissionYnh"],
"groupPermission": [],
"authHeader": "FALSE",
"label": "SSH",
"showTile": "FALSE",
"isProtected": "TRUE",
},
)
# Add a bash terminal to each users
users = ldap.search(
"ou=users,dc=yunohost,dc=org",
filter="(loginShell=*)",
attrs=["dn", "uid", "loginShell"],
)
for user in users:
if user["loginShell"][0] == "/bin/false":
dn = user["dn"][0].replace(",dc=yunohost,dc=org", "")
ldap.update(dn, {"loginShell": ["/bin/bash"]})
else:
user_permission_update("ssh.main",
add=user["uid"][0],
sync_perm=False)
permission_sync_to_user()
# Somehow this is needed otherwise the PAM thing doesn't forget about the
# old loginShell value ?
subprocess.call(["nscd", "-i", "passwd"])
if ("/etc/ssh/sshd_config" in manually_modified_files() and os.system(
"grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config"
) != 0):
logger.error(m18n.n("diagnosis_sshd_config_insecure"))
def test_permission_change_label_with_same_value(mocker):
with message(mocker, "permission_updated", permission="wiki.main"):
user_permission_update("wiki.main", label="Wiki")
res = user_permission_list(full=True)['permissions']
assert res['wiki.main']['label'] == "Wiki"
def test_permission_change_label(mocker):
with message(mocker, "permission_updated", permission="wiki.main"):
user_permission_update("wiki.main", label="New Wiki")
res = user_permission_list(full=True)["permissions"]
assert res["wiki.main"]["label"] == "New Wiki"
