def set_security_rules(workspace, layer, access_rights, auth,
geoserver_workspace):
geoserver_workspace = geoserver_workspace or workspace
layer_info = None
if not access_rights or not access_rights.get(
'read') or not access_rights.get('write'):
layer_info = layman_util.get_publication_info(
workspace,
LAYER_TYPE,
layer,
context={'keys': [
'access_rights',
]})
read_roles = access_rights.get(
'read') if access_rights and access_rights.get(
'read') else layer_info['access_rights']['read']
write_roles = access_rights.get(
'write') if access_rights and access_rights.get(
'write') else layer_info['access_rights']['write']
security_read_roles = gs_common.layman_users_to_geoserver_roles(read_roles)
gs_util.ensure_layer_security_roles(geoserver_workspace, layer,
security_read_roles, 'r', auth)
security_write_roles = gs_common.layman_users_to_geoserver_roles(
write_roles)
gs_util.ensure_layer_security_roles(geoserver_workspace, layer,
security_write_roles, 'w', auth)
def patch_layer(workspace, layername, title, description, access_rights=None):
if not get_layer_info(workspace, layername):
return
geoserver_workspace = get_geoserver_workspace(workspace)
info = layman_util.get_publication_info(workspace,
LAYER_TYPE,
layername,
context={
'keys': [
'style_type',
'file',
],
})
file_type = info['file']['file_type']
if file_type == settings.FILE_TYPE_VECTOR:
if info['style_type'] == 'sld':
gs_util.patch_feature_type(geoserver_workspace,
layername,
title=title,
description=description,
auth=settings.LAYMAN_GS_AUTH)
if info['style_type'] == 'qml':
gs_util.patch_wms_layer(geoserver_workspace,
layername,
title=title,
description=description,
auth=settings.LAYMAN_GS_AUTH)
elif file_type == settings.FILE_TYPE_RASTER:
store = get_geotiff_store_name(layername)
gs_util.patch_coverage(geoserver_workspace,
layername,
store,
title=title,
description=description,
auth=settings.LAYMAN_GS_AUTH)
else:
raise NotImplementedError(f"Unknown file type: {file_type}")
clear_cache(workspace)
if access_rights and access_rights.get('read'):
security_read_roles = gs_common.layman_users_to_geoserver_roles(
access_rights['read'])
gs_util.ensure_layer_security_roles(geoserver_workspace, layername,
security_read_roles, 'r',
settings.LAYMAN_GS_AUTH)
if access_rights and access_rights.get('write'):
security_write_roles = gs_common.layman_users_to_geoserver_roles(
access_rights['write'])
gs_util.ensure_layer_security_roles(geoserver_workspace, layername,
security_write_roles, 'w',
settings.LAYMAN_GS_AUTH)
def patch_layer(workspace, layername, title, description, access_rights=None):
geoserver_workspace = get_geoserver_workspace(workspace)
info = layer_util.get_layer_info(workspace, layername, context={'keys': ['style_type'], })
if info['style_type'] == 'sld':
gs_util.patch_feature_type(geoserver_workspace, layername, title=title, description=description, auth=settings.LAYMAN_GS_AUTH)
clear_cache(workspace)
if access_rights and access_rights.get('read'):
security_read_roles = gs_common.layman_users_to_geoserver_roles(access_rights['read'])
gs_util.ensure_layer_security_roles(geoserver_workspace, layername, security_read_roles, 'r', settings.LAYMAN_GS_AUTH)
if access_rights and access_rights.get('write'):
security_write_roles = gs_common.layman_users_to_geoserver_roles(access_rights['write'])
gs_util.ensure_layer_security_roles(geoserver_workspace, layername, security_write_roles, 'w', settings.LAYMAN_GS_AUTH)
def upgrade_1_8():
logger.info(f'Upgrade to version 1.8.x')
with app.app_context():
logger.info(f' Creating prime_db_schema')
schema_initialization.check_schema_name(settings.LAYMAN_PRIME_SCHEMA)
schema_initialization.ensure_schema(settings.LAYMAN_PRIME_SCHEMA)
logger.info(f' Ensuring users')
from ..util import get_usernames, ensure_whole_user, check_username
all_usernames = get_usernames()
for username in all_usernames:
logger.info(f' Ensuring user {username}')
check_username(username)
ensure_whole_user(username)
logger.info(f' Ensuring GS rules')
# Delete old rules for workspaces
for username in all_usernames:
headers_json = {
'Accept': 'application/json',
'Content-type': 'application/json',
}
for type in ['w', 'r']:
response = requests.delete(urljoin(
settings.LAYMAN_GS_REST_SECURITY_ACL_LAYERS,
username + '.*.' + type),
headers=headers_json,
auth=settings.LAYMAN_GS_AUTH)
if response.status_code != 404:
response.raise_for_status()
# Create rules for publications/layers
for username in all_usernames:
logger.info(f' Ensuring GS rules for user {username}')
for (_, _, layer), info in layman_util.get_publication_infos(
username, LAYER_TYPE).items():
logger.info(
f' Ensuring GS rules for user {username} and layer {layer}'
)
for type in ['read', 'write']:
security_read_roles = gs_common.layman_users_to_geoserver_roles(
info['access_rights'][type])
gs_util.ensure_layer_security_roles(
username, layer, security_read_roles, type[0],
settings.LAYMAN_GS_AUTH)
def test_geoserver_everyone_rights_repair():
workspace = 'test_geoserver_everyone_rights_repair_workspace'
layer = 'test_geoserver_everyone_rights_repair_layer'
expected_roles1 = {'ROLE_ANONYMOUS'}
expected_roles2 = {'ROLE_ANONYMOUS', 'ROLE_AUTHENTICATED'}
process_client.publish_workspace_layer(workspace, layer)
for right_type in ['read', 'write']:
gs_util.ensure_layer_security_roles(workspace, layer, expected_roles1,
right_type[0], auth)
assert_roles(workspace, layer, expected_roles1)
with app.app_context():
upgrade_v1_9.geoserver_everyone_rights_repair()
assert_roles(workspace, layer, expected_roles2)
process_client.delete_workspace_layer(workspace, layer)
def patch_layer(workspace, layername, title, description, access_rights=None):
if not get_layer_info(workspace, layername):
return
info = layman_util.get_publication_info(workspace, LAYER_TYPE, layername, context={'keys': ['file', ]})
file_type = info['file']['file_type']
if file_type != settings.FILE_TYPE_VECTOR:
raise NotImplementedError(f"Unknown file type: {file_type}")
gs_util.patch_feature_type(workspace, layername, title=title, description=description, auth=settings.LAYMAN_GS_AUTH)
clear_cache(workspace)
if access_rights and access_rights.get('read'):
security_read_roles = gs_common.layman_users_to_geoserver_roles(access_rights['read'])
gs_util.ensure_layer_security_roles(workspace, layername, security_read_roles, 'r', settings.LAYMAN_GS_AUTH)
if access_rights and access_rights.get('write'):
security_write_roles = gs_common.layman_users_to_geoserver_roles(access_rights['write'])
gs_util.ensure_layer_security_roles(workspace, layername, security_write_roles, 'w', settings.LAYMAN_GS_AUTH)
def patch_layer(workspace, layername, title, description, access_rights=None):
gs_util.patch_feature_type(workspace,
layername,
title=title,
description=description,
auth=settings.LAYMAN_GS_AUTH)
clear_cache(workspace)
if access_rights and access_rights.get('read'):
security_read_roles = gs_common.layman_users_to_geoserver_roles(
access_rights['read'])
gs_util.ensure_layer_security_roles(workspace, layername,
security_read_roles, 'r',
settings.LAYMAN_GS_AUTH)
if access_rights and access_rights.get('write'):
security_write_roles = gs_common.layman_users_to_geoserver_roles(
access_rights['write'])
gs_util.ensure_layer_security_roles(workspace, layername,
security_write_roles, 'w',
settings.LAYMAN_GS_AUTH)
def geoserver_everyone_rights_repair():
logger.info(
f' Starting - access rights EVERYONE is not propagated to GeoServer for authenticated users'
)
select_layers = f"select w.name, p.name " \
f"from {DB_SCHEMA}.publications p inner join {DB_SCHEMA}.workspaces w on w.id = p.id_workspace " \
f"where p.type = 'layman.layer' "
publication_infos = db_util.run_query(select_layers)
select_rights = f"""select (select rtrim(concat(case when u.id is not null then w.name || ',' end,
string_agg(w2.name, ',') || ',',
case when p.everyone_can_read then '{settings.RIGHTS_EVERYONE_ROLE}' || ',' end
), ',')
from _prime_schema.rights r inner join
_prime_schema.users u2 on r.id_user = u2.id inner join
_prime_schema.workspaces w2 on w2.id = u2.id_workspace
where r.id_publication = p.id
and r.type = %s) can_read_users
from _prime_schema.workspaces w inner join
_prime_schema.publications p on p.id_workspace = w.id
and p.type = 'layman.layer' left join
_prime_schema.users u on u.id_workspace = w.id
where w.name = %s
and p.name = %s"""
for (workspace, publication_name) in publication_infos:
for right_type in ['read', 'write']:
users_roles = db_util.run_query(
select_rights, (right_type, workspace, publication_name))[0]
security_roles = gs_common.layman_users_to_geoserver_roles(
users_roles)
logger.info(
f' Setting security roles for: ({workspace}/{publication_name}).{right_type} '
f'to ({security_roles}) from layman roles ({users_roles})')
gs_util.ensure_layer_security_roles(workspace, publication_name,
security_roles, right_type[0],
settings.LAYMAN_GS_AUTH)
logger.info(
f' DONE - access rights EVERYONE is not propagated to GeoServer for authenticated users'
)