slapos_slap_tool: No need revoke, only invalidate login is enough

See merge request nexedi/slapos.core!548

master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Certificate%20Login.xml

 <type_roles>
+  <role id='Assignor'>
+   <property id='title'>Compute Node</property>
+   <property id='condition'>python: here.getParentValue().getPortalType() in ( "Software Instance",)</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromParentContentParent</property>
+   <multi_property id='categories'>local_role_group/computer</multi_property>
+   <multi_property id='base_category'>aggregate</multi_property>
+  </role>
   <role id='Assignee'>
    <property id='title'>The User Himself</property>
    <property id='condition'>python: here.getParentValue().getPortalType() in ("Person", "Software Instance", "Compute Node")</property>

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent.py

+"""
+This script returns a list of dictionaries which represent
+the security groups which a person is member of. It extracts
+the categories from the current content. It is useful in the
+following cases:
+
+- calculate a security group based on a given
+  category of the current object (ex. group). This
+  is used for example in ERP5 DMS to calculate
+  document security.
+
+- assign local roles to a document based on
+  the person which the object related to through
+  a given base category (ex. destination). This
+  is used for example in ERP5 Project to calculate
+  Task / Task Report security.
+
+The parameters are
+
+  base_category_list -- list of category values we need to retrieve
+  user_name          -- string obtained from getSecurityManager().getUser().getId()
+  object             -- object which we want to assign roles to
+  portal_type        -- portal type of object
+
+NOTE: for now, this script requires proxy manager
+"""
+
+category_list = []
+
+if obj is None:
+  return []
+
+for base_category in base_category_list:
+  category_list.append({base_category: [x.getParentValue().getRelativeUrl() for x in obj.getParentValue().getValueList(base_category)]})
+
+return category_list

master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="_reconstructor" module="copy_reg"/>
+                </klass>
+                <tuple>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                  <global name="object" module="__builtin__"/>
+                  <none/>
+                </tuple>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, obj, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Manager</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5Type_getSecurityCategoryFromParentContentParent</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSCodingStyle.py

@@ -296,6 +296,7 @@ def makeTestSlapOSCodingStyleTestCase(tested_business_template):
         'slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree',
         'slapos_core/ERP5Type_getSecurityCategoryFromChildAssignmentList',
         'slapos_core/ERP5Type_getSecurityCategoryFromContentParent',
+        'slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent',
         'slapos_core/ERP5Type_getSecurityCategoryFromParent',
         'slapos_core/ERP5Type_getSecurityCategoryMapping',
         'slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection',

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py

@@ -724,6 +724,25 @@ class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
 class TestCertificateLogin(TestERP5Login):
   login_portal_type = "Certificate Login"
 
+  def test_ComputeNodeCanAccessSoftwareInstanceLoginDocument(self):
+    software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance')
+    login = software_instance.newContent(portal_type=self.login_portal_type)
+    compute_node_reference = 'TESTCOMP-%s' % self.generateNewId()
+    compute_node = self.portal.compute_node_module.template_compute_node\
+        .Base_createCloneDocument(batch_mode=1)
+    compute_node.edit(reference=compute_node_reference)
+    partition = compute_node.newContent(portal_type='Compute Partition')
+    software_instance.edit(aggregate=partition.getRelativeUrl())
+
+    compute_node.updateLocalRolesOnSecurityGroups()
+    software_instance.updateLocalRolesOnSecurityGroups()
+    login.updateLocalRolesOnSecurityGroups()
+
+    self.assertSecurityGroup(login,
+      [self.user_id, software_instance.getUserId(), compute_node.getUserId()], False)
+    self.assertRoles(login, software_instance.getUserId(), ['Assignee'])
+    self.assertRoles(login, self.user_id, ['Owner'])
+    self.assertRoles(login, compute_node.getUserId(), ['Assignor'])
 
 class TestGoogleLogin(TestERP5Login):
   login_portal_type = "Google Login"

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.py

@@ -232,9 +232,15 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
     software_instance = self.portal.software_instance_module.newContent(
         portal_type='Software Instance',
         specialise=instance_tree.getRelativeUrl())
+    certificate_login = software_instance.newContent(
+        portal_type='Certificate Login')
+    
     self.assertSecurityGroup(software_instance, [self.user_id, 'G-COMPANY',
         instance_tree.getReference()],
         False)
+    self.assertSecurityGroup(certificate_login, [self.user_id,
+      software_instance.getUserId()],
+        False)
 
     compute_node = self.portal.compute_node_module.template_compute_node\
         .Base_createCloneDocument(batch_mode=1)
@@ -250,6 +256,9 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
         compute_node.getUserId(), instance_tree.getReference()], False)
     self.assertSecurityGroup(partition, [self.user_id,
         instance_tree.getReference()], True)
+    self.assertSecurityGroup(certificate_login, [self.user_id,
+        compute_node.getUserId(), software_instance.getUserId()],
+        False)
 
   def test_SlaveInstance_setSpecialise(self):
     slave_instance = self.portal.software_instance_module.newContent(

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow.xml

@@ -6,12 +6,6 @@
     </pickle>
     <pickle>
       <dictionary>
-        <item>
-            <key> <string>_recorded_property_dict</string> </key>
-            <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
-            </value>
-        </item>
         <item>
             <key> <string>default_reference</string> </key>
             <value> <string>testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow</string> </value>
@@ -55,28 +49,13 @@
         <item>
             <key> <string>workflow_history</string> </key>
             <value>
-              <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
+              <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
             </value>
         </item>
       </dictionary>
     </pickle>
   </record>
   <record id="2" aka="AAAAAAAAAAI=">
-    <pickle>
-      <global name="PersistentMapping" module="Persistence.mapping"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>data</string> </key>
-            <value>
-              <dictionary/>
-            </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-  <record id="3" aka="AAAAAAAAAAM=">
     <pickle>
       <global name="PersistentMapping" module="Persistence.mapping"/>
     </pickle>
@@ -89,7 +68,7 @@
                 <item>
                     <key> <string>component_validation_workflow</string> </key>
                     <value>
-                      <persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent>
+                      <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
                     </value>
                 </item>
               </dictionary>
@@ -98,7 +77,7 @@
       </dictionary>
     </pickle>
   </record>
-  <record id="4" aka="AAAAAAAAAAQ=">
+  <record id="3" aka="AAAAAAAAAAM=">
     <pickle>
       <global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/>
     </pickle>

master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_SoftwareInstance_edit.xml

@@ -11,6 +11,7 @@
             <value>
               <tuple>
                 <string>after_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllLocalRoles</string>
+                <string>after_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles</string>
               </tuple>
             </value>
         </item>

master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles.py

+"""
+This script updates all local roles on sub-objects. It requires Assignor
+proxy role since it may be called by owner in draft state.
+"""
+for child in state_change['object'].contentValues():
+  child.updateLocalRolesOnSecurityGroups()

master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles.xml

+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="Workflow Script" module="erp5.portal_type"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="_reconstructor" module="copy_reg"/>
+                </klass>
+                <tuple>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                  <global name="object" module="__builtin__"/>
+                  <none/>
+                </tuple>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>state_change</string> </value>
+        </item>
+        <item>
+            <key> <string>_proxy_roles</string> </key>
+            <value>
+              <tuple>
+                <string>Assignor</string>
+              </tuple>
+            </value>
+        </item>
+        <item>
+            <key> <string>description</string> </key>
+            <value>
+              <none/>
+            </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>script_Base_updateAllChildrenLocalRoles</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>

master/bt5/slapos_slap_tool/TestTemplateItem/portal_components/test.erp5.testSlapOSSlapTool.py

@@ -1954,14 +1954,22 @@ class TestSlapOSSlapToolInstanceAccess(TestSlapOSSlapToolMixin):
     self._makeComplexComputeNode()
     partition_id = self.destroy_requested_software_instance.getAggregateValue(
         portal_type='Compute Partition').getReference()
+    ssl_key = self.destroy_requested_software_instance.getSslKey()
+    ssl_cert = self.destroy_requested_software_instance.getSslCertificate()
     self.login(self.destroy_requested_software_instance.getUserId())
     response = self.portal_slap.destroyedComputerPartition(self.compute_node_id,
       partition_id)
     self.assertEqual('None', response)
     self.assertEqual('invalidated',
         self.destroy_requested_software_instance.getValidationState())
-    self.assertEqual(None, self.destroy_requested_software_instance.getSslKey())
-    self.assertEqual(None, self.destroy_requested_software_instance.getSslCertificate())
+    
+    certificate_login_list = self.destroy_requested_software_instance.objectValues(
+      portal_type="Certificate Login")
+    self.assertEqual(1, len(certificate_login_list))
+    self.assertEqual("invalidated", certificate_login_list[0].getValidationState())
+    
+    self.assertEqual(ssl_key, self.destroy_requested_software_instance.getSslKey())
+    self.assertEqual(ssl_cert, self.destroy_requested_software_instance.getSslCertificate())
 
   def assertInstanceRequestSimulator(self, args, kwargs):
     stored = eval(open(self.instance_request_simulator).read()) #pylint: disable=eval-used

master/bt5/slapos_slap_tool/ToolComponentTemplateItem/portal_components/tool.erp5.SlapTool.py

@@ -890,10 +890,11 @@ class SlapTool(BaseTool):
         compute_partition_id)
 
     if instance.getSlapState() == 'destroy_requested':
-      # remove certificate from SI
-      instance.revokeCertificate()
       if instance.getValidationState() == 'validated':
         instance.invalidate()
+      for login in instance.objectValues(portal_type="Certificate Login"):
+        if login.getValidationState() == 'validated':
+          login.invalidate()
 
   @convertToREST
   def _setComputePartitionConnectionXml(self, compute_node_id,