def user_group_info(groupname):
"""
Get user informations
Keyword argument:
groupname -- Groupname to get informations
"""
from yunohost.utils.ldap import _get_ldap_interface, _ldap_path_extract
ldap = _get_ldap_interface()
# Fetch info for this group
result = ldap.search('ou=groups,dc=yunohost,dc=org', "cn=" + groupname,
["cn", "member", "permission"])
if not result:
raise YunohostError('group_unknown', group=groupname)
infos = result[0]
# Format data
return {
'members':
[_ldap_path_extract(p, "uid") for p in infos.get("member", [])],
'permissions':
[_ldap_path_extract(p, "cn") for p in infos.get("permission", [])]
}
def user_group_list(short=False, full=False, include_primary_groups=True):
"""
List users
Keyword argument:
short -- Only list the name of the groups without any additional info
full -- List all the info available for each groups
include_primary_groups -- Include groups corresponding to users (which should always only contains this user)
This option is set to false by default in the action map because we don't want to have
these displayed when the user runs `yunohost user group list`, but internally we do want
to list them when called from other functions
"""
# Fetch relevant informations
from yunohost.utils.ldap import _get_ldap_interface, _ldap_path_extract
ldap = _get_ldap_interface()
groups_infos = ldap.search(
"ou=groups,dc=yunohost,dc=org",
"(objectclass=groupOfNamesYnh)",
["cn", "member", "permission"],
)
# Parse / organize information to be outputed
users = user_list()["users"]
groups = {}
for infos in groups_infos:
name = infos["cn"][0]
if not include_primary_groups and name in users:
continue
groups[name] = {}
groups[name]["members"] = [
_ldap_path_extract(p, "uid") for p in infos.get("member", [])
]
if full:
groups[name]["permissions"] = [
_ldap_path_extract(p, "cn")
for p in infos.get("permission", [])
]
if short:
groups = list(groups.keys())
return {"groups": groups}
def user_permission_list(short=False,
full=False,
ignore_system_perms=False,
absolute_urls=False):
"""
List permissions and corresponding accesses
"""
# Fetch relevant informations
from yunohost.app import app_setting, _installed_apps
from yunohost.utils.ldap import _get_ldap_interface, _ldap_path_extract
ldap = _get_ldap_interface()
permissions_infos = ldap.search(
"ou=permission,dc=yunohost,dc=org",
"(objectclass=permissionYnh)",
[
"cn",
"groupPermission",
"inheritPermission",
"URL",
"additionalUrls",
"authHeader",
"label",
"showTile",
"isProtected",
],
)
# Parse / organize information to be outputed
apps = sorted(_installed_apps())
apps_base_path = {
app: app_setting(app, "domain") + app_setting(app, "path")
for app in apps
if app_setting(app, "domain") and app_setting(app, "path")
}
permissions = {}
for infos in permissions_infos:
name = infos["cn"][0]
if ignore_system_perms and name.split(".")[0] in SYSTEM_PERMS:
continue
app = name.split(".")[0]
perm = {}
perm["allowed"] = [
_ldap_path_extract(p, "cn")
for p in infos.get("groupPermission", [])
]
if full:
perm["corresponding_users"] = [
_ldap_path_extract(p, "uid")
for p in infos.get("inheritPermission", [])
]
perm["auth_header"] = infos.get("authHeader", [False])[0] == "TRUE"
perm["label"] = infos.get("label", [None])[0]
perm["show_tile"] = infos.get("showTile", [False])[0] == "TRUE"
perm["protected"] = infos.get("isProtected", [False])[0] == "TRUE"
perm["url"] = infos.get("URL", [None])[0]
perm["additional_urls"] = infos.get("additionalUrls", [])
if absolute_urls:
app_base_path = (
apps_base_path[app] if app in apps_base_path else ""
) # Meh in some situation where the app is currently installed/removed, this function may be called and we still need to act as if the corresponding permission indeed exists ... dunno if that's really the right way to proceed but okay.
perm["url"] = _get_absolute_url(perm["url"], app_base_path)
perm["additional_urls"] = [
_get_absolute_url(url, app_base_path)
for url in perm["additional_urls"]
]
permissions[name] = perm
# Make sure labels for sub-permissions are the form " Applabel (Sublabel) "
if full:
subpermissions = {
k: v
for k, v in permissions.items() if not k.endswith(".main")
}
for name, infos in subpermissions.items():
main_perm_name = name.split(".")[0] + ".main"
if main_perm_name not in permissions:
logger.debug(
"Uhoh, unknown permission %s ? (Maybe we're in the process or deleting the perm for this app...)"
% main_perm_name)
continue
main_perm_label = permissions[main_perm_name]["label"]
infos["sublabel"] = infos["label"]
infos["label"] = "%s (%s)" % (main_perm_label, infos["label"])
if short:
permissions = list(permissions.keys())
return {"permissions": permissions}
def check_LDAP_db_integrity():
# Here we check that all attributes in all object are sychronized.
# Here is the list of attributes per object:
# user : memberOf, permission
# group : member, permission
# permission : groupPermission, inheritPermission
#
# The idea is to check that all attributes on all sides of object are sychronized.
# One part should be done automatically by the "memberOf" overlay of LDAP.
# The other part is done by the the "permission_sync_to_user" function of the permission module
from yunohost.utils.ldap import _get_ldap_interface, _ldap_path_extract
ldap = _get_ldap_interface()
user_search = ldap.search(
'ou=users,dc=yunohost,dc=org',
'(&(objectclass=person)(!(uid=root))(!(uid=nobody)))',
['uid', 'memberOf', 'permission'])
group_search = ldap.search('ou=groups,dc=yunohost,dc=org',
'(objectclass=groupOfNamesYnh)',
['cn', 'member', 'memberUid', 'permission'])
permission_search = ldap.search(
'ou=permission,dc=yunohost,dc=org', '(objectclass=permissionYnh)',
['cn', 'groupPermission', 'inheritPermission', 'memberUid'])
user_map = {u['uid'][0]: u for u in user_search}
group_map = {g['cn'][0]: g for g in group_search}
permission_map = {p['cn'][0]: p for p in permission_search}
for user in user_search:
user_dn = 'uid=' + user['uid'][0] + ',ou=users,dc=yunohost,dc=org'
group_list = [_ldap_path_extract(m, "cn") for m in user['memberOf']]
permission_list = [
_ldap_path_extract(m, "cn") for m in user.get('permission', [])
]
# This user's DN sould be found in all groups it is a member of
for group in group_list:
assert user_dn in group_map[group]['member']
# This user's DN should be found in all perms it has access to
for permission in permission_list:
assert user_dn in permission_map[permission]['inheritPermission']
for permission in permission_search:
permission_dn = 'cn=' + permission['cn'][
0] + ',ou=permission,dc=yunohost,dc=org'
# inheritPermission uid's should match memberUids
user_list = [
_ldap_path_extract(m, "uid")
for m in permission.get('inheritPermission', [])
]
assert set(user_list) == set(permission.get('memberUid', []))
# This perm's DN should be found on all related users it is related to
for user in user_list:
assert permission_dn in user_map[user]['permission']
# Same for groups : we should find the permission's DN for all related groups
group_list = [
_ldap_path_extract(m, "cn")
for m in permission.get('groupPermission', [])
]
for group in group_list:
assert permission_dn in group_map[group]['permission']
# The list of user in the group should be a subset of all users related to the current permission
users_in_group = [
_ldap_path_extract(m, "uid")
for m in group_map[group].get("member", [])
]
assert set(users_in_group) <= set(user_list)
for group in group_search:
group_dn = 'cn=' + group['cn'][0] + ',ou=groups,dc=yunohost,dc=org'
user_list = [
_ldap_path_extract(m, "uid") for m in group.get("member", [])
]
# For primary groups, we should find that :
# - len(user_list) is 1 (a primary group has only 1 member)
# - the group name should be an existing yunohost user
# - memberUid is empty (meaning no other member than the corresponding user)
if group['cn'][0] in user_list:
assert len(user_list) == 1
assert group["cn"][0] in user_map
assert group.get('memberUid', []) == []
# Otherwise, user_list and memberUid should have the same content
else:
assert set(user_list) == set(group.get('memberUid', []))
# For all users members, this group should be in the "memberOf" on the other side
for user in user_list:
assert group_dn in user_map[user]['memberOf']
# For all the permissions of this group, the group should be among the "groupPermission" on the other side
permission_list = [
_ldap_path_extract(m, "cn") for m in group.get('permission', [])
]
for permission in permission_list:
assert group_dn in permission_map[permission]['groupPermission']
# And the list of user of this group (user_list) should be a subset of all allowed users for this perm...
allowed_user_list = [
_ldap_path_extract(m, "uid")
for m in permission_map[permission].get(
'inheritPermission', [])
]
assert set(user_list) <= set(allowed_user_list)
