slapos_erp5: Allow compute node owner invalidate Certificate Login

89d3e3f0 · Rafael Monnerat · d2375d50 · 89d3e3f0 · 89d3e3f0 · 89d3e3f0
Commit 89d3e3f0 authored Aug 01, 2023 by Rafael Monnerat
4 changed files
--- a/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Certificate%20Login.xml
+++ b/master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Certificate%20Login.xml
@@ -7,8 +7,21 @@
   <multi_property id='base_category'>aggregate</multi_property>
  </role>
  <role id='Assignee'>
-   <property id='title'>The User Himself</property>
-   <property id='condition'>python: here.getParentValue().getPortalType() in ("Person", "Software Instance", "Compute Node")</property>
+   <property id='title'>Compute Node Agent</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromParentContent</property>
+   <multi_property id='categories'>local_role_group/user</multi_property>
+   <multi_property id='base_category'>source_administration</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>The User Himself (Compute Node)</property>
+   <property id='condition'>python: here.getParentValue().getPortalType() in ( "Compute Node", "Software Instance")</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromParent</property>
+   <multi_property id='categories'>local_role_group/computer</multi_property>
+   <multi_property id='base_category'>group</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>The User Himself (Person)</property>
+   <property id='condition'>python: here.getParentValue().getPortalType() == "Person"</property>
   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromParent</property>
   <multi_property id='categories'>local_role_group/user</multi_property>
   <multi_property id='base_category'>group</multi_property>

--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContent.py
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContent.py
+"""
+This script returns a list of dictionaries which represent
+the security groups which a person is member of. It extracts
+the categories from the current content. It is useful in the
+following cases:
+
+- calculate a security group based on a given
+  category of the current object (ex. group). This
+  is used for example in ERP5 DMS to calculate
+  document security.
+
+- assign local roles to a document based on
+  the person which the object related to through
+  a given base category (ex. destination). This
+  is used for example in ERP5 Project to calculate
+  Task / Task Report security.
+
+The parameters are
+
+  base_category_list -- list of category values we need to retrieve
+  user_name          -- string obtained from getSecurityManager().getUser().getId()
+  object             -- object which we want to assign roles to
+  portal_type        -- portal type of object
+
+NOTE: for now, this script requires proxy manager
+"""
+
+category_list = []
+
+if ob is None:
+  return []
+
+for base_category in base_category_list:
+  category_list.append({base_category: [x.getRelativeUrl() for x in ob.getParentValue().getValueList(base_category)]})
+
+return category_list
--- a/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContent.xml
+++ b/master/bt5/slapos_erp5/SkinTemplateItem/portal_skins/slapos_core/ERP5Type_getSecurityCategoryFromParentContent.xml
+<?xml version="1.0"?>
+<ZopeData>
+  <record id="1" aka="AAAAAAAAAAE=">
+    <pickle>
+      <global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
+    </pickle>
+    <pickle>
+      <dictionary>
+        <item>
+            <key> <string>_bind_names</string> </key>
+            <value>
+              <object>
+                <klass>
+                  <global name="_reconstructor" module="copy_reg"/>
+                </klass>
+                <tuple>
+                  <global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
+                  <global name="object" module="__builtin__"/>
+                  <none/>
+                </tuple>
+                <state>
+                  <dictionary>
+                    <item>
+                        <key> <string>_asgns</string> </key>
+                        <value>
+                          <dictionary>
+                            <item>
+                                <key> <string>name_container</string> </key>
+                                <value> <string>container</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_context</string> </key>
+                                <value> <string>context</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_m_self</string> </key>
+                                <value> <string>script</string> </value>
+                            </item>
+                            <item>
+                                <key> <string>name_subpath</string> </key>
+                                <value> <string>traverse_subpath</string> </value>
+                            </item>
+                          </dictionary>
+                        </value>
+                    </item>
+                  </dictionary>
+                </state>
+              </object>
+            </value>
+        </item>
+        <item>
+            <key> <string>_params</string> </key>
+            <value> <string>base_category_list, user_name, ob, portal_type</string> </value>
+        </item>
+        <item>
+            <key> <string>id</string> </key>
+            <value> <string>ERP5Type_getSecurityCategoryFromParentContent</string> </value>
+        </item>
+      </dictionary>
+    </pickle>
+  </record>
+</ZopeData>
--- a/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py
+++ b/master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5GroupRoleSecurity.py
@@ -682,11 +682,8 @@ class TestPerson(TestSlapOSGroupRoleSecurityMixin):
    self.assertRoles(person, project.getReference(), ['Auditor'])
    self.assertRoles(person, self.user_id, ['Owner'])

-
-
-class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
-
-  login_portal_type = "ERP5 Login"
+class TestCertificateLogin(TestSlapOSGroupRoleSecurityMixin):
+  login_portal_type = "Certificate Login"

  def test_PersonCanAccessLoginDocument(self):
    person = self.portal.person_module.newContent(portal_type='Person')
@@ -699,9 +696,6 @@ class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
    self.assertRoles(login, person.getUserId(), ['Assignee'])
    self.assertRoles(login, self.user_id, ['Owner'])

-class TestCertificateLogin(TestERP5Login):
-  login_portal_type = "Certificate Login"
-
  def test_ComputeNodeCanAccessSoftwareInstanceLoginDocument(self):
    software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance')
    login = software_instance.newContent(portal_type=self.login_portal_type)
@@ -717,7 +711,8 @@ class TestCertificateLogin(TestERP5Login):
    login.updateLocalRolesOnSecurityGroups()

    self.assertSecurityGroup(login,
-      [self.user_id, software_instance.getUserId(), compute_node.getUserId()], False)
+      [self.user_id, software_instance.getUserId(),
+       compute_node.getUserId()], False)
    self.assertRoles(login, software_instance.getUserId(), ['Assignee'])
    self.assertRoles(login, self.user_id, ['Owner'])
    self.assertRoles(login, compute_node.getUserId(), ['Assignor'])
@@ -733,6 +728,21 @@ class TestCertificateLogin(TestERP5Login):
    self.assertRoles(login, compute_node.getUserId(), ['Assignee'])
    self.assertRoles(login, self.user_id, ['Owner'])

+  def test_ComputeNodeSourceAdministrationCanAccessLoginDocument(self):
+    person = self.portal.person_module.newContent(portal_type='Person')
+    compute_node = self.portal.compute_node_module.newContent(
+      portal_type='Compute Node', source_administration=person.getRelativeUrl())
+    login = compute_node.newContent(portal_type=self.login_portal_type)
+    compute_node.updateLocalRolesOnSecurityGroups()
+    login.updateLocalRolesOnSecurityGroups()
+
+    self.assertSecurityGroup(login,
+        [self.user_id, compute_node.getUserId(),
+         person.getUserId()], False)
+    self.assertRoles(login, compute_node.getUserId(), ['Assignee'])
+    self.assertRoles(login, self.user_id, ['Owner'])
+    self.assertRoles(login, person.getUserId(), ['Assignee'])
+
  def test_SoftwareInstanceCanAccessLoginDocument(self):
    software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance')
    login = software_instance.newContent(portal_type=self.login_portal_type)
@@ -744,13 +754,26 @@ class TestCertificateLogin(TestERP5Login):
    self.assertRoles(login, software_instance.getUserId(), ['Assignee'])
    self.assertRoles(login, self.user_id, ['Owner'])

+class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
+  login_portal_type = "ERP5 Login"
+
+  def test_PersonCanAccessLoginDocument(self):
+    person = self.portal.person_module.newContent(portal_type='Person')
+    login = person.newContent(portal_type=self.login_portal_type)
+    person.updateLocalRolesOnSecurityGroups()
+    login.updateLocalRolesOnSecurityGroups()
+
+    self.assertSecurityGroup(login,
+        [self.user_id, person.getUserId()], False)
+    self.assertRoles(login, person.getUserId(), ['Assignee'])
+    self.assertRoles(login, self.user_id, ['Owner'])
+
 class TestGoogleLogin(TestERP5Login):
  login_portal_type = "Google Login"

 class TestFacebookLogin(TestERP5Login):
  login_portal_type = "Facebook Login"

-
 class TestPersonModule(TestSlapOSGroupRoleSecurityMixin):
  def test(self):
    module = self.portal.person_module