def test_permission_remove_group(mocker): with message(mocker, "permission_updated", permission="blog.main"): user_permission_update("blog.main", remove="alice") res = user_permission_list(full=True)['permissions'] assert res['blog.main']['allowed'] == [] assert res['blog.main']['corresponding_users'] == []
def test_permission_app_install(): app_install(os.path.join(get_test_apps_dir(), "permissions_app_ynh"), args="domain=%s&domain_2=%s&path=%s&is_public=0&admin=%s" % (maindomain, other_domains[0], "/urlpermissionapp", "alice"), force=True) res = user_permission_list(full=True)['permissions'] assert "permissions_app.main" in res assert "permissions_app.admin" in res assert "permissions_app.dev" in res assert res['permissions_app.main']['url'] == "/" assert res['permissions_app.admin']['url'] == "/admin" assert res['permissions_app.dev']['url'] == "/dev" assert res['permissions_app.main']['allowed'] == ["all_users"] assert set(res['permissions_app.main']['corresponding_users']) == set( ["alice", "bob"]) assert res['permissions_app.admin']['allowed'] == ["alice"] assert res['permissions_app.admin']['corresponding_users'] == ["alice"] assert res['permissions_app.dev']['allowed'] == [] assert set(res['permissions_app.dev']['corresponding_users']) == set() # Check that we get the right stuff in app_map, which is used to generate the ssowatconf assert maindomain + "/urlpermissionapp" in app_map(user="******").keys() user_permission_update("permissions_app.main", remove="all_users", add="bob") assert maindomain + "/urlpermissionapp" not in app_map(user="******").keys() assert maindomain + "/urlpermissionapp" in app_map(user="******").keys()
def test_permission_app_propagation_on_ssowat(): app_install(os.path.join(get_test_apps_dir(), "permissions_app_ynh"), args="domain=%s&domain_2=%s&path=%s&is_public=1&admin=%s" % (maindomain, other_domains[0], "/urlpermissionapp", "alice"), force=True) res = user_permission_list(full=True)['permissions'] assert "visitors" in res['permissions_app.main']['allowed'] assert "all_users" in res['permissions_app.main']['allowed'] app_webroot = "https://%s/urlpermissionapp" % maindomain assert can_access_webpage(app_webroot, logged_as=None) assert can_access_webpage(app_webroot, logged_as="alice") user_permission_update("permissions_app.main", remove=["visitors", "all_users"], add="bob") res = user_permission_list(full=True)['permissions'] assert not can_access_webpage(app_webroot, logged_as=None) assert not can_access_webpage(app_webroot, logged_as="alice") assert can_access_webpage(app_webroot, logged_as="bob") # Test admin access, as configured during install, only alice should be able to access it # alice gotta be allowed on the main permission to access the admin tho user_permission_update("permissions_app.main", remove="bob", add="all_users") assert not can_access_webpage(app_webroot + "/admin", logged_as=None) assert can_access_webpage(app_webroot + "/admin", logged_as="alice") assert not can_access_webpage(app_webroot + "/admin", logged_as="bob")
def test_permission_legacy_app_propagation_on_ssowat(): app_install(os.path.join(get_test_apps_dir(), "legacy_app_ynh"), args="domain=%s&domain_2=%s&path=%s" % (maindomain, other_domains[0], "/legacy"), force=True) # App is configured as public by default using the legacy unprotected_uri mechanics # It should automatically be migrated during the install res = user_permission_list(full=True)['permissions'] assert "visitors" in res['legacy_app.main']['allowed'] assert "all_users" in res['legacy_app.main']['allowed'] app_webroot = "https://%s/legacy" % maindomain assert can_access_webpage(app_webroot, logged_as=None) assert can_access_webpage(app_webroot, logged_as="alice") # Try to update the permission and check that permissions are still consistent user_permission_update("legacy_app.main", remove=["visitors", "all_users"], add="bob") assert not can_access_webpage(app_webroot, logged_as=None) assert not can_access_webpage(app_webroot, logged_as="alice") assert can_access_webpage(app_webroot, logged_as="bob")
def test_permission_add_group_that_doesnt_exist(mocker): with raiseYunohostError(mocker, "group_unknown"): user_permission_update("blog.main", add="doesnt_exist") res = user_permission_list(full=True)['permissions'] assert res['blog.main']['allowed'] == ["alice"] assert res['blog.main']['corresponding_users'] == ["alice"]
def test_permission_switch_show_tile_with_same_value(mocker): # Note that from the actionmap the value is passed as string, not as bool with message(mocker, "permission_updated", permission="wiki.main"): user_permission_update("wiki.main", show_tile="True") res = user_permission_list(full=True)['permissions'] assert res['wiki.main']['show_tile'] is True
def test_permission_add_and_remove_group(mocker): with message(mocker, "permission_updated", permission="wiki.main"): user_permission_update("wiki.main", add="alice", remove="all_users") res = user_permission_list(full=True)['permissions'] assert res['wiki.main']['allowed'] == ["alice"] assert res['wiki.main']['corresponding_users'] == ["alice"]
def test_permission_add_group(mocker): with message(mocker, "permission_updated", permission="wiki.main"): user_permission_update("wiki.main", add="alice") res = user_permission_list(full=True)['permissions'] assert set(res['wiki.main']['allowed']) == set(["all_users", "alice"]) assert set(res['wiki.main']['corresponding_users']) == set( ["alice", "bob"])
def run(self, *args): from yunohost.utils.ldap import _get_ldap_interface ldap = _get_ldap_interface() existing_perms_raw = ldap.search( "ou=permission,dc=yunohost,dc=org", "(objectclass=permissionYnh)", ["cn"] ) existing_perms = [perm["cn"][0] for perm in existing_perms_raw] # Add SSH and SFTP permissions ldap_map = read_yaml( "/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml" ) if "sftp.main" not in existing_perms: ldap.add( "cn=sftp.main,ou=permission", ldap_map["depends_children"]["cn=sftp.main,ou=permission"], ) if "ssh.main" not in existing_perms: ldap.add( "cn=ssh.main,ou=permission", ldap_map["depends_children"]["cn=ssh.main,ou=permission"], ) # Add a bash terminal to each users users = ldap.search( "ou=users,dc=yunohost,dc=org", filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"], ) for user in users: if user["loginShell"][0] == "/bin/false": dn = user["dn"][0].replace(",dc=yunohost,dc=org", "") ldap.update(dn, {"loginShell": ["/bin/bash"]}) else: user_permission_update( "ssh.main", add=user["uid"][0], sync_perm=False ) permission_sync_to_user() # Somehow this is needed otherwise the PAM thing doesn't forget about the # old loginShell value ? subprocess.call(["nscd", "-i", "passwd"]) if ( "/etc/ssh/sshd_config" in manually_modified_files() and os.system( "grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config" ) != 0 ): logger.error(m18n.n("diagnosis_sshd_config_insecure"))
def test_permission_switch_protected(): user_permission_update("wiki.main", protected=True) res = user_permission_list(full=True)["permissions"] assert res["wiki.main"]["protected"] is True user_permission_update("wiki.main", protected=False) res = user_permission_list(full=True)["permissions"] assert res["wiki.main"]["protected"] is False
def test_permission_add_group_already_allowed(mocker): with message(mocker, "permission_already_allowed", permission="blog.main", group="alice"): user_permission_update("blog.main", add="alice") res = user_permission_list(full=True)["permissions"] assert res["blog.main"]["allowed"] == ["alice"] assert res["blog.main"]["corresponding_users"] == ["alice"]
def test_permission_remove_group_already_not_allowed(mocker): with message(mocker, "permission_already_disallowed", permission="blog.main", group="bob"): user_permission_update("blog.main", remove="bob") res = user_permission_list(full=True)['permissions'] assert res['blog.main']['allowed'] == ["alice"] assert res['blog.main']['corresponding_users'] == ["alice"]
def test_permission_switch_protected(): user_permission_update("wiki.main", protected=True) res = user_permission_list(full=True)['permissions'] assert res['wiki.main']['protected'] is True user_permission_update("wiki.main", protected=False) res = user_permission_list(full=True)['permissions'] assert res['wiki.main']['protected'] is False
def test_permission_switch_show_tile(mocker): # Note that from the actionmap the value is passed as string, not as bool # Try with lowercase with message(mocker, "permission_updated", permission="wiki.main"): user_permission_update("wiki.main", show_tile="false") res = user_permission_list(full=True)['permissions'] assert res['wiki.main']['show_tile'] is False # Try with uppercase with message(mocker, "permission_updated", permission="wiki.main"): user_permission_update("wiki.main", show_tile="TRUE") res = user_permission_list(full=True)['permissions'] assert res['wiki.main']['show_tile'] is True
def migrate_app_permission(app=None): logger.info(m18n.n("migration_0011_migrate_permission")) apps = _installed_apps() if app: if app not in apps: logger.error( "Can't migrate permission for app %s because it ain't installed..." % app ) apps = [] else: apps = [app] for app in apps: permission = app_setting(app, "allowed_users") path = app_setting(app, "path") domain = app_setting(app, "domain") url = "/" if domain and path else None if permission: known_users = list(user_list()["users"].keys()) allowed = [ user for user in permission.split(",") if user in known_users ] else: allowed = ["all_users"] permission_create( app + ".main", url=url, allowed=allowed, show_tile=True, protected=False, sync_perm=False, ) app_setting(app, "allowed_users", delete=True) # Migrate classic public app still using the legacy unprotected_uris if ( app_setting(app, "unprotected_uris") == "/" or app_setting(app, "skipped_uris") == "/" ): user_permission_update(app + ".main", add="visitors", sync_perm=False) permission_sync_to_user()
def test_permission_protected_update(mocker): res = user_permission_list(full=True)['permissions'] assert res['blog.api']['allowed'] == ["visitors"] with raiseYunohostError(mocker, "permission_protected"): user_permission_update("blog.api", remove="visitors") res = user_permission_list(full=True)['permissions'] assert res['blog.api']['allowed'] == ["visitors"] user_permission_update("blog.api", remove="visitors", force=True) res = user_permission_list(full=True)['permissions'] assert res['blog.api']['allowed'] == [] with raiseYunohostError(mocker, "permission_protected"): user_permission_update("blog.api", add="visitors") res = user_permission_list(full=True)['permissions'] assert res['blog.api']['allowed'] == []
def test_permission_update_permission_that_doesnt_exist(mocker): with raiseYunohostError(mocker, "permission_not_found"): user_permission_update("doesnt.exist", add="alice")
def migrate_legacy_permission_settings(app=None): logger.info(m18n.n("migrating_legacy_permission_settings")) apps = _installed_apps() if app: if app not in apps: logger.error( "Can't migrate permission for app %s because it ain't installed..." % app) apps = [] else: apps = [app] for app in apps: settings = _get_app_settings(app) or {} if settings.get("label"): user_permission_update(app + ".main", label=settings["label"], sync_perm=False) del settings["label"] def _setting(name): s = settings.get(name) return s.split(',') if s else [] skipped_urls = [uri for uri in _setting('skipped_uris') if uri != '/'] skipped_urls += ['re:' + regex for regex in _setting('skipped_regex')] unprotected_urls = [ uri for uri in _setting('unprotected_uris') if uri != '/' ] unprotected_urls += [ 're:' + regex for regex in _setting('unprotected_regex') ] protected_urls = [ uri for uri in _setting('protected_uris') if uri != '/' ] protected_urls += [ 're:' + regex for regex in _setting('protected_regex') ] if skipped_urls != []: permission_create(app + ".legacy_skipped_uris", additional_urls=skipped_urls, auth_header=False, label=legacy_permission_label(app, "skipped"), show_tile=False, allowed='visitors', protected=True, sync_perm=False) if unprotected_urls != []: permission_create(app + ".legacy_unprotected_uris", additional_urls=unprotected_urls, auth_header=True, label=legacy_permission_label( app, "unprotected"), show_tile=False, allowed='visitors', protected=True, sync_perm=False) if protected_urls != []: permission_create(app + ".legacy_protected_uris", additional_urls=protected_urls, auth_header=True, label=legacy_permission_label(app, "protected"), show_tile=False, allowed=user_permission_list()['permissions'][ app + ".main"]['allowed'], protected=True, sync_perm=False) legacy_permission_settings = [ "skipped_uris", "unprotected_uris", "protected_uris", "skipped_regex", "unprotected_regex", "protected_regex" ] for key in legacy_permission_settings: if key in settings: del settings[key] _set_app_settings(app, settings) permission_sync_to_user()
def run(self, *args): from yunohost.utils.ldap import _get_ldap_interface ldap = _get_ldap_interface() existing_perms_raw = ldap.search("ou=permission,dc=yunohost,dc=org", "(objectclass=permissionYnh)", ["cn"]) existing_perms = [perm["cn"][0] for perm in existing_perms_raw] # Add SSH and SFTP permissions if "sftp.main" not in existing_perms: ldap.add( "cn=sftp.main,ou=permission", { "cn": "sftp.main", "gidNumber": "5004", "objectClass": ["posixGroup", "permissionYnh"], "groupPermission": [], "authHeader": "FALSE", "label": "SFTP", "showTile": "FALSE", "isProtected": "TRUE", }, ) if "ssh.main" not in existing_perms: ldap.add( "cn=ssh.main,ou=permission", { "cn": "ssh.main", "gidNumber": "5003", "objectClass": ["posixGroup", "permissionYnh"], "groupPermission": [], "authHeader": "FALSE", "label": "SSH", "showTile": "FALSE", "isProtected": "TRUE", }, ) # Add a bash terminal to each users users = ldap.search( "ou=users,dc=yunohost,dc=org", filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"], ) for user in users: if user["loginShell"][0] == "/bin/false": dn = user["dn"][0].replace(",dc=yunohost,dc=org", "") ldap.update(dn, {"loginShell": ["/bin/bash"]}) else: user_permission_update("ssh.main", add=user["uid"][0], sync_perm=False) permission_sync_to_user() # Somehow this is needed otherwise the PAM thing doesn't forget about the # old loginShell value ? subprocess.call(["nscd", "-i", "passwd"]) if ("/etc/ssh/sshd_config" in manually_modified_files() and os.system( "grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config" ) != 0): logger.error(m18n.n("diagnosis_sshd_config_insecure"))
def test_permission_change_label_with_same_value(mocker): with message(mocker, "permission_updated", permission="wiki.main"): user_permission_update("wiki.main", label="Wiki") res = user_permission_list(full=True)['permissions'] assert res['wiki.main']['label'] == "Wiki"
def test_permission_change_label(mocker): with message(mocker, "permission_updated", permission="wiki.main"): user_permission_update("wiki.main", label="New Wiki") res = user_permission_list(full=True)["permissions"] assert res["wiki.main"]["label"] == "New Wiki"