def clean_user_groups():
for u in user_list()["users"]:
user_delete(u)
for g in user_group_list()["groups"]:
if g not in ["all_users", "visitors"]:
user_group_delete(g)
def teardown_function(function):
assert tmp_backup_directory_is_empty()
reset_ssowat_conf()
delete_all_backups()
uninstall_test_apps_if_needed()
markers = {
m.name: {
'args': m.args,
'kwargs': m.kwargs
}
for m in function.__dict__.get("pytestmark", [])
}
if "clean_opt_dir" in markers:
shutil.rmtree("/opt/test_backup_output_directory")
if "alice" in user_list()["users"]:
user_delete("alice")
if "with_custom_domain" in markers:
domain = markers['with_custom_domain']['args'][0]
domain_remove(domain)
def test_del_user(mocker):
with message(mocker, "user_deleted"):
user_delete("alice")
group_res = user_group_list()["groups"]
assert "alice" not in user_list()
assert "alice" not in group_res
assert "alice" not in group_res["all_users"]["members"]
def test_create_user(mocker):
with message(mocker, "user_created"):
user_create("albert", "Albert", "Good", maindomain, "test123Ynh")
group_res = user_group_list()["groups"]
assert "albert" in user_list()["users"]
assert "albert" in group_res
assert "albert" in group_res["albert"]["members"]
assert "albert" in group_res["all_users"]["members"]
def app_addaccess(auth, apps, users):
"""
Grant access right to users (everyone by default)
Keyword argument:
users
apps
"""
from yunohost.user import user_list, user_info
from yunohost.hook import hook_callback
if not users:
users = []
for user in user_list(auth)['users']:
users.append(user['username'])
if not isinstance(users, list): users = [users]
if not isinstance(apps, list): apps = [apps]
for app in apps:
if not _is_installed(app):
raise MoulinetteError(errno.EINVAL, m18n.n('app_not_installed',
app))
with open(apps_setting_path + app + '/settings.yml') as f:
app_settings = yaml.load(f)
if 'mode' not in app_settings:
app_setting(app, 'mode', 'private')
app_settings['mode'] = 'private'
if app_settings['mode'] == 'private':
if 'allowed_users' in app_settings:
new_users = app_settings['allowed_users']
else:
new_users = ''
for allowed_user in users:
if allowed_user not in new_users.split(','):
try:
user_info(auth, allowed_user)
except MoulinetteError:
continue
if new_users == '':
new_users = allowed_user
else:
new_users = new_users + ',' + allowed_user
app_setting(app, 'allowed_users', new_users.strip())
hook_callback('post_app_addaccess', [app, new_users])
app_ssowatconf(auth)
return {'allowed_users': new_users.split(',')}
def app_addaccess(auth, apps, users):
"""
Grant access right to users (everyone by default)
Keyword argument:
users
apps
"""
from yunohost.user import user_list, user_info
from yunohost.hook import hook_callback
if not users:
users = []
for user in user_list(auth)['users']:
users.append(user['username'])
if not isinstance(users, list): users = [users]
if not isinstance(apps, list): apps = [apps]
for app in apps:
if not _is_installed(app):
raise MoulinetteError(errno.EINVAL,
m18n.n('app_not_installed', app))
with open(apps_setting_path + app +'/settings.yml') as f:
app_settings = yaml.load(f)
if 'mode' not in app_settings:
app_setting(app, 'mode', 'private')
app_settings['mode'] = 'private'
if app_settings['mode'] == 'private':
if 'allowed_users' in app_settings:
new_users = app_settings['allowed_users']
else:
new_users = ''
for allowed_user in users:
if allowed_user not in new_users.split(','):
try:
user_info(auth, allowed_user)
except MoulinetteError:
continue
if new_users == '':
new_users = allowed_user
else:
new_users = new_users +','+ allowed_user
app_setting(app, 'allowed_users', new_users.strip())
hook_callback('post_app_addaccess', args=[app, new_users])
app_ssowatconf(auth)
return { 'allowed_users': new_users.split(',') }
def app_removeaccess(auth, apps, users):
"""
Revoke access right to users (everyone by default)
Keyword argument:
users
apps
"""
from yunohost.user import user_list
from yunohost.hook import hook_callback
remove_all = False
if not users:
remove_all = True
if not isinstance(users, list): users = [users]
if not isinstance(apps, list): apps = [apps]
for app in apps:
new_users = ''
if not _is_installed(app):
raise MoulinetteError(errno.EINVAL, m18n.n('app_not_installed',
app))
with open(apps_setting_path + app + '/settings.yml') as f:
app_settings = yaml.load(f)
if 'skipped_uris' not in app_settings or app_settings[
'skipped_uris'] != '/':
if remove_all:
new_users = ''
elif 'allowed_users' in app_settings:
for allowed_user in app_settings['allowed_users'].split(','):
if allowed_user not in users:
if new_users == '':
new_users = allowed_user
else:
new_users = new_users + ',' + allowed_user
else:
new_users = ''
for user in user_list(auth)['users']:
if user['username'] not in users:
if new_users == '':
new_users = user['username']
new_users = new_users + ',' + user['username']
app_setting(app, 'allowed_users', new_users.strip())
hook_callback('post_app_removeaccess', [app, new_users])
app_ssowatconf(auth)
return {'allowed_users': new_users.split(',')}
def app_removeaccess(auth, apps, users):
"""
Revoke access right to users (everyone by default)
Keyword argument:
users
apps
"""
from yunohost.user import user_list
from yunohost.hook import hook_callback
remove_all = False
if not users:
remove_all = True
if not isinstance(users, list): users = [users]
if not isinstance(apps, list): apps = [apps]
for app in apps:
new_users = ''
if not _is_installed(app):
raise MoulinetteError(errno.EINVAL,
m18n.n('app_not_installed', app))
with open(apps_setting_path + app +'/settings.yml') as f:
app_settings = yaml.load(f)
if 'skipped_uris' not in app_settings or app_settings['skipped_uris'] != '/':
if remove_all:
new_users = ''
elif 'allowed_users' in app_settings:
for allowed_user in app_settings['allowed_users'].split(','):
if allowed_user not in users:
if new_users == '':
new_users = allowed_user
else:
new_users = new_users +','+ allowed_user
else:
new_users=''
for user in user_list(auth)['users']:
if user['username'] not in users:
if new_users == '':
new_users = user['username']
new_users=new_users+','+user['username']
app_setting(app, 'allowed_users', new_users.strip())
hook_callback('post_app_removeaccess', args=[app, new_users])
app_ssowatconf(auth)
return { 'allowed_users': new_users.split(',') }
def clean_user_groups_permission():
for u in user_list()['users']:
user_delete(u)
for g in user_group_list()['groups']:
if g not in ["all_users", "visitors"]:
user_group_delete(g)
for p in user_permission_list()['permissions']:
if any(
p.startswith(name) for name in
["wiki", "blog", "site", "web", "permissions_app"]):
permission_delete(p, force=True, sync_perm=False)
socket.getaddrinfo = prv_getaddrinfo
def migrate_app_permission(app=None):
logger.info(m18n.n("migration_0011_migrate_permission"))
apps = _installed_apps()
if app:
if app not in apps:
logger.error(
"Can't migrate permission for app %s because it ain't installed..."
% app
)
apps = []
else:
apps = [app]
for app in apps:
permission = app_setting(app, "allowed_users")
path = app_setting(app, "path")
domain = app_setting(app, "domain")
url = "/" if domain and path else None
if permission:
known_users = list(user_list()["users"].keys())
allowed = [
user for user in permission.split(",") if user in known_users
]
else:
allowed = ["all_users"]
permission_create(
app + ".main",
url=url,
allowed=allowed,
show_tile=True,
protected=False,
sync_perm=False,
)
app_setting(app, "allowed_users", delete=True)
# Migrate classic public app still using the legacy unprotected_uris
if (
app_setting(app, "unprotected_uris") == "/"
or app_setting(app, "skipped_uris") == "/"
):
user_permission_update(app + ".main", add="visitors", sync_perm=False)
permission_sync_to_user()
def app_ssowatconf(auth):
"""
Regenerate SSOwat configuration file
"""
from yunohost.domain import domain_list
from yunohost.user import user_list
with open('/etc/yunohost/current_host', 'r') as f:
main_domain = f.readline().rstrip()
domains = domain_list(auth)['domains']
users = {}
for user in user_list(auth)['users']:
users[user['username']] = app_map(user=user['username'])
skipped_urls = []
skipped_regex = []
unprotected_urls = []
unprotected_regex = []
protected_urls = []
protected_regex = []
redirected_regex = {
main_domain + '/yunohost[\/]?$':
'https://' + main_domain + '/yunohost/sso/'
}
apps = {}
try:
apps_list = app_list()['apps']
except:
apps_list = []
for app in apps_list:
if _is_installed(app['id']):
with open(apps_setting_path + app['id'] + '/settings.yml') as f:
app_settings = yaml.load(f)
if 'skipped_uris' in app_settings:
for item in app_settings['skipped_uris'].split(','):
if item[-1:] == '/':
item = item[:-1]
skipped_urls.append(app_settings['domain'] +
app_settings['path'][:-1] + item)
if 'skipped_regex' in app_settings:
for item in app_settings['skipped_regex'].split(','):
skipped_regex.append(item)
if 'unprotected_uris' in app_settings:
for item in app_settings['unprotected_uris'].split(','):
if item[-1:] == '/':
item = item[:-1]
unprotected_urls.append(app_settings['domain'] +
app_settings['path'][:-1] +
item)
if 'unprotected_regex' in app_settings:
for item in app_settings['unprotected_regex'].split(','):
unprotected_regex.append(item)
if 'protected_uris' in app_settings:
for item in app_settings['protected_uris'].split(','):
if item[-1:] == '/':
item = item[:-1]
protected_urls.append(app_settings['domain'] +
app_settings['path'][:-1] + item)
if 'protected_regex' in app_settings:
for item in app_settings['protected_regex'].split(','):
protected_regex.append(item)
for domain in domains:
skipped_urls.extend(['/yunohost/admin', '/yunohost/api'])
conf_dict = {
'portal_domain': main_domain,
'portal_path': '/yunohost/sso/',
'additional_headers': {
'Auth-User': '******',
'Remote-User': '******',
'Name': 'cn',
'Email': 'mail'
},
'domains': domains,
'skipped_urls': skipped_urls,
'unprotected_urls': unprotected_urls,
'protected_urls': protected_urls,
'skipped_regex': skipped_regex,
'unprotected_regex': unprotected_regex,
'protected_regex': protected_regex,
'redirected_regex': redirected_regex,
'users': users,
}
with open('/etc/ssowat/conf.json', 'w+') as f:
json.dump(conf_dict, f, sort_keys=True, indent=4)
msignals.display(m18n.n('ssowat_conf_generated'), 'success')
def test_list_users():
res = user_list()["users"]
assert "alice" in res
assert "bob" in res
assert "jack" in res
def app_ssowatconf(auth):
"""
Regenerate SSOwat configuration file
"""
from yunohost.domain import domain_list
from yunohost.user import user_list
with open('/etc/yunohost/current_host', 'r') as f:
main_domain = f.readline().rstrip()
domains = domain_list(auth)['domains']
users = {}
for user in user_list(auth)['users']:
users[user['username']] = app_map(user=user['username'])
skipped_urls = []
skipped_regex = []
unprotected_urls = []
unprotected_regex = []
protected_urls = []
protected_regex = []
redirected_regex = { main_domain +'/yunohost[\/]?$': 'https://'+ main_domain +'/yunohost/sso/' }
redirected_urls ={}
apps = {}
try:
apps_list = app_list()['apps']
except:
apps_list = []
for app in apps_list:
if _is_installed(app['id']):
with open(apps_setting_path + app['id'] +'/settings.yml') as f:
app_settings = yaml.load(f)
if 'skipped_uris' in app_settings:
for item in app_settings['skipped_uris'].split(','):
if item[-1:] == '/':
item = item[:-1]
skipped_urls.append(app_settings['domain'] + app_settings['path'][:-1] + item)
if 'skipped_regex' in app_settings:
for item in app_settings['skipped_regex'].split(','):
skipped_regex.append(item)
if 'unprotected_uris' in app_settings:
for item in app_settings['unprotected_uris'].split(','):
if item[-1:] == '/':
item = item[:-1]
unprotected_urls.append(app_settings['domain'] + app_settings['path'][:-1] + item)
if 'unprotected_regex' in app_settings:
for item in app_settings['unprotected_regex'].split(','):
unprotected_regex.append(item)
if 'protected_uris' in app_settings:
for item in app_settings['protected_uris'].split(','):
if item[-1:] == '/':
item = item[:-1]
protected_urls.append(app_settings['domain'] + app_settings['path'][:-1] + item)
if 'redirected_urls' in app_settings:
redirected_urls.update(app_settings['redirected_urls'])
if 'redirected_regex' in app_settings:
redirected_regex.update(app_settings['redirected_regex'])
for domain in domains:
skipped_urls.extend(['/yunohost/admin', '/yunohost/api'])
conf_dict = {
'portal_domain': main_domain,
'portal_path': '/yunohost/sso/',
'additional_headers': {
'Auth-User': '******',
'Remote-User': '******',
'Name': 'cn',
'Email': 'mail'
},
'domains': domains,
'skipped_urls': skipped_urls,
'unprotected_urls': unprotected_urls,
'protected_urls': protected_urls,
'skipped_regex': skipped_regex,
'unprotected_regex': unprotected_regex,
'protected_regex': protected_regex,
'redirected_urls': redirected_urls,
'redirected_regex': redirected_regex,
'users': users,
}
with open('/etc/ssowat/conf.json', 'w+') as f:
json.dump(conf_dict, f, sort_keys=True, indent=4)
msignals.display(m18n.n('ssowat_conf_generated'), 'success')
def translate_legacy_rules_in_ssowant_conf_json_persistent():
persistent_file_name = "/etc/ssowat/conf.json.persistent"
if not os.path.exists(persistent_file_name):
return
# Ugly hack to try not to misarably fail migration
persistent = read_yaml(persistent_file_name)
legacy_rules = [
"skipped_urls", "unprotected_urls", "protected_urls", "skipped_regex",
"unprotected_regex", "protected_regex"
]
if not any(legacy_rule in persistent for legacy_rule in legacy_rules):
return
if not isinstance(persistent.get("permissions"), dict):
persistent["permissions"] = {}
skipped_urls = persistent.get("skipped_urls", []) + [
"re:" + r for r in persistent.get("skipped_regex", [])
]
protected_urls = persistent.get("protected_urls", []) + [
"re:" + r for r in persistent.get("protected_regex", [])
]
unprotected_urls = persistent.get("unprotected_urls", []) + [
"re:" + r for r in persistent.get("unprotected_regex", [])
]
known_users = list(user_list()["users"].keys())
for legacy_rule in legacy_rules:
if legacy_rule in persistent:
del persistent[legacy_rule]
if skipped_urls:
persistent["permissions"]['custom_skipped'] = {
"users": [],
"label":
"Custom permissions - skipped",
"show_tile":
False,
"auth_header":
False,
"public":
True,
"uris":
skipped_urls + persistent["permissions"].get("custom_skipped",
{}).get("uris", []),
}
if unprotected_urls:
persistent["permissions"]['custom_unprotected'] = {
"users": [],
"label":
"Custom permissions - unprotected",
"show_tile":
False,
"auth_header":
True,
"public":
True,
"uris":
unprotected_urls + persistent["permissions"].get(
"custom_unprotected", {}).get("uris", []),
}
if protected_urls:
persistent["permissions"]['custom_protected'] = {
"users":
known_users,
"label":
"Custom permissions - protected",
"show_tile":
False,
"auth_header":
True,
"public":
False,
"uris":
protected_urls + persistent["permissions"].get(
"custom_protected", {}).get("uris", []),
}
write_to_json(persistent_file_name, persistent, sort_keys=True, indent=4)
logger.warning(
"Yunohost automatically translated some legacy rules in /etc/ssowat/conf.json.persistent to match the new permission system"
)