slapos_erp5&cloud: Reimplement (and speed up) security to use...

slapos_erp5&cloud: Reimplement (and speed up) security to use ERP5User_getUserSecurityCategoryValueList

slapos_erp5&cloud: Reimplement (and speed up) security to use...
slapos_erp5&cloud: Reimplement (and speed up) security to use ERP5User_getUserSecurityCategoryValueList
bb3a8e72 · Rafael Monnerat · 426e392d · bb3a8e72 · 426e392d · 426e392d
Commit bb3a8e72 authored Dec 11, 2024 by Rafael Monnerat
6 changed files
--- a/master/bt5/slapos_cloud/ExtensionTemplateItem/portal_components/extension.erp5.SlapOSSecurity.py
+++ b/master/bt5/slapos_cloud/ExtensionTemplateItem/portal_components/extension.erp5.SlapOSSecurity.py
@@ -25,83 +25,45 @@
 #
 ##############################################################################
-from Products.ERP5Security.ERP5GroupManager import ConsistencyError
+#from Products.ERP5Security.ERP5GroupManager import ConsistencyError
 from AccessControl.SecurityManagement import getSecurityManager, \
             setSecurityManager, newSecurityManager
 from AccessControl import Unauthorized
+def getSlapOSUserSecurityCategoryValue(self):
-def getComputeNodeSecurityCategory(self, base_category_list, user_name,
-                                ob, portal_type):
  """
  This script returns a list of dictionaries which represent
  the security groups which a compute_node is member of.
  """
  category_list = []
+  if self.getPortalType() == 'Compute Node':
+    category_list.append({
+      'role': (
+        (self.getPortalObject().portal_categories.role.computer, False),
+      ),
+    })
-  compute_node_list = self.portal_catalog.unrestrictedSearchResults(
+  elif self.getPortalType() == 'Software Instance':
-    portal_type='Compute Node',
+    instance_role = self.getPortalObject().portal_categories.role.instance
-    user_id=user_name,
+    category_list.append({'role': ((instance_role, False),),})
-    validation_state="validated",
-    limit=2,
-  )
-  if len(compute_node_list) == 1:
+    project = self.getFollowUpValue(portal_type='Project')
-    category_dict = {}
+    if project is not None:
-    for base_category in base_category_list:
+      category_list.append(({'destination_project': ((project, False),)}))
-      if base_category == "role":
+      category_list.append(
-        category_list.append(
+        ({
-         {base_category: ['role/computer']})
+          'destination_project': ((project, False),),
-      elif base_category == "destination_project":
+          'role': ((instance_role, False),)
-        compute_node = compute_node_list[0]
+        })
-        project = compute_node.getFollowUpValue(portal_type='Project')
+      )
-        if project is not None:
-          category_dict.setdefault(base_category, []).append(project.getRelativeUrl())
-      else:
-        raise NotImplementedError('Not supported base category: %s' % base_category)
-    category_list.append(category_dict)
-  elif len(compute_node_list) > 1:
-    raise ConsistencyError("Error: There is more than one Compute Node " \
-                            "with reference '%s'" % user_name)
-  return category_list
+    instance_tree = self.getSpecialiseValue(portal_type='Instance Tree')
+    if instance_tree is not None:
+      category_list.append({'aggregate': ((instance_tree, False),),})
-def getSoftwareInstanceSecurityCategory(self, base_category_list, user_name,
+  else:
-                                ob, portal_type): 
+    raise NotImplementedError(
-  """
+      'Unsupported portal type as user:' % self.getPortalType())
-  This script returns a list of dictionaries which represent
-  the security groups which a Software Instance is member of.
-  """
-  category_list = []
-  software_instance_list = self.portal_catalog.unrestrictedSearchResults(
-    portal_type='Software Instance',
-    user_id=user_name,
-    validation_state="validated",
-    limit=2,
-  )
-  if len(software_instance_list) == 1:
-    category_dict = {}
-    for base_category in base_category_list:
-      if base_category == "role":
-        category_dict.setdefault(base_category, []).extend(['role/instance'])
-      elif base_category == "destination_project":
-        software_instance = software_instance_list[0]
-        project = software_instance.getFollowUpValue(portal_type='Project')
-        if project is not None:
-          category_dict.setdefault(base_category, []).append(project.getRelativeUrl())
-      elif base_category == "aggregate":
-        software_instance = software_instance_list[0]
-        instance_tree = software_instance.getSpecialiseValue(portal_type='Instance Tree')
-        if instance_tree is not None:
-          category_dict.setdefault(base_category, []).append(instance_tree.getRelativeUrl())
-      else:
-        raise NotImplementedError('Not supported base category: %s' % base_category)
-    category_list.append(category_dict)
-  elif len(software_instance_list) > 1:
-    raise ConsistencyError("Error: There is more than one Software Instance " \
-                            "with reference %r" % user_name)
  return category_list

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.py
-"""
-Core security script - defines the way to get security groups of the current user.
-WARNING: providing such script in erp5_dms could be dangerous
-if this conflicts with an existing production site which uses
-deprecated ERP5Type_asSecurityGroupIdList
-"""
-return (
-  # Person security
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['function']),
-  ('ERP5Type_getSecurityCategoryFromAssignmentParent', ['function']),
-  # XXX TODO check that only validated project are used
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project']),
-  ('ERP5Type_getSecurityCategoryFromAssignment', ['destination_project', 'function']),
-  # Compute Node security
-  ('ERP5Type_getComputeNodeSecurityCategory', ['role']),
-  # Instance security
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['role']),
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project']),
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['destination_project', 'role']),
-  ('ERP5Type_getSoftwareInstanceSecurityCategory', ['aggregate']),
-)
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSoftwareInstanceSecurityCategory.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSoftwareInstanceSecurityCategory.xml
-<?xml version="1.0"?>
-<ZopeData>
-  <record id="1" aka="AAAAAAAAAAE=">
-    <pickle>
-      <global name="ExternalMethod" module="Products.ExternalMethod.ExternalMethod"/>
-    </pickle>
-    <pickle>
-      <dictionary>
-        <item>
-            <key> <string>_function</string> </key>
-            <value> <string>getSoftwareInstanceSecurityCategory</string> </value>
-        </item>
-        <item>
-            <key> <string>_module</string> </key>
-            <value> <string>SlapOSSecurity</string> </value>
-        </item>
-        <item>
-            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSoftwareInstanceSecurityCategory</string> </value>
-        </item>
-        <item>
-            <key> <string>title</string> </key>
-            <value> <string></string> </value>
-        </item>
-      </dictionary>
-    </pickle>
-  </record>
-</ZopeData>
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getComputeNodeSecurityCategory.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getComputeNodeSecurityCategory.xml
@@ -8,7 +8,7 @@
      <dictionary>
        <item>
            <key> <string>_function</string> </key>
-            <value> <string>getComputeNodeSecurityCategory</string> </value>
+            <value> <string>getSlapOSUserSecurityCategoryValue</string> </value>
        </item>
        <item>
            <key> <string>_module</string> </key>
@@ -16,7 +16,7 @@
        </item>
        <item>
            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getComputeNodeSecurityCategory</string> </value>
+            <value> <string>ERP5User_getSlapOSUserSecurityCategoryValue</string> </value>
        </item>
        <item>
            <key> <string>title</string> </key>

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5User_getUserSecurityCategoryValueList.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5User_getUserSecurityCategoryValueList.py
+if context.getPortalType() == 'Person':
+  return context.ERP5User_getSecurityCategoryValueFromAssignment(
+    rule_dict={
+      ('function',): ((), ('function',)),
+      ('destination_project',): ((), ),
+      ('destination_project', 'function'): ((), ),
+    },
+  )
+return context.ERP5User_getSlapOSUserSecurityCategoryValue()
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryMapping.xml
@@ -54,7 +54,7 @@
        </item>
        <item>
            <key> <string>id</string> </key>
-            <value> <string>ERP5Type_getSecurityCategoryMapping</string> </value>
+            <value> <string>ERP5User_getUserSecurityCategoryValueList</string> </value>
        </item>
      </dictionary>
    </pickle>