Commit 8f9a4ffd authored by Rafael Monnerat's avatar Rafael Monnerat

slapos_slap_tool: No need revoke, only invalidate login is enough

See merge request nexedi/slapos.core!548
parents b67509f5 fcfda1e9
<type_roles> <type_roles>
<role id='Assignor'>
<property id='title'>Compute Node</property>
<property id='condition'>python: here.getParentValue().getPortalType() in ( "Software Instance",)</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromParentContentParent</property>
<multi_property id='categories'>local_role_group/computer</multi_property>
<multi_property id='base_category'>aggregate</multi_property>
</role>
<role id='Assignee'> <role id='Assignee'>
<property id='title'>The User Himself</property> <property id='title'>The User Himself</property>
<property id='condition'>python: here.getParentValue().getPortalType() in ("Person", "Software Instance", "Compute Node")</property> <property id='condition'>python: here.getParentValue().getPortalType() in ("Person", "Software Instance", "Compute Node")</property>
......
"""
This script returns a list of dictionaries which represent
the security groups which a person is member of. It extracts
the categories from the current content. It is useful in the
following cases:
- calculate a security group based on a given
category of the current object (ex. group). This
is used for example in ERP5 DMS to calculate
document security.
- assign local roles to a document based on
the person which the object related to through
a given base category (ex. destination). This
is used for example in ERP5 Project to calculate
Task / Task Report security.
The parameters are
base_category_list -- list of category values we need to retrieve
user_name -- string obtained from getSecurityManager().getUser().getId()
object -- object which we want to assign roles to
portal_type -- portal type of object
NOTE: for now, this script requires proxy manager
"""
category_list = []
if obj is None:
return []
for base_category in base_category_list:
category_list.append({base_category: [x.getParentValue().getRelativeUrl() for x in obj.getParentValue().getValueList(base_category)]})
return category_list
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="PythonScript" module="Products.PythonScripts.PythonScript"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="_reconstructor" module="copy_reg"/>
</klass>
<tuple>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
<global name="object" module="__builtin__"/>
<none/>
</tuple>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>base_category_list, user_name, obj, portal_type</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Manager</string>
</tuple>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ERP5Type_getSecurityCategoryFromParentContentParent</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
...@@ -296,6 +296,7 @@ def makeTestSlapOSCodingStyleTestCase(tested_business_template): ...@@ -296,6 +296,7 @@ def makeTestSlapOSCodingStyleTestCase(tested_business_template):
'slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree', 'slapos_core/ERP5Type_getSecurityCategoryFromAggregateRelatedSoftwareInstanceInstanceTree',
'slapos_core/ERP5Type_getSecurityCategoryFromChildAssignmentList', 'slapos_core/ERP5Type_getSecurityCategoryFromChildAssignmentList',
'slapos_core/ERP5Type_getSecurityCategoryFromContentParent', 'slapos_core/ERP5Type_getSecurityCategoryFromContentParent',
'slapos_core/ERP5Type_getSecurityCategoryFromParentContentParent',
'slapos_core/ERP5Type_getSecurityCategoryFromParent', 'slapos_core/ERP5Type_getSecurityCategoryFromParent',
'slapos_core/ERP5Type_getSecurityCategoryMapping', 'slapos_core/ERP5Type_getSecurityCategoryMapping',
'slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection', 'slapos_core/Event_getSecurityCategoryFromMovementFollowUpAggregateComputeNodeDestinationSection',
......
...@@ -724,6 +724,25 @@ class TestERP5Login(TestSlapOSGroupRoleSecurityMixin): ...@@ -724,6 +724,25 @@ class TestERP5Login(TestSlapOSGroupRoleSecurityMixin):
class TestCertificateLogin(TestERP5Login): class TestCertificateLogin(TestERP5Login):
login_portal_type = "Certificate Login" login_portal_type = "Certificate Login"
def test_ComputeNodeCanAccessSoftwareInstanceLoginDocument(self):
software_instance = self.portal.software_instance_module.newContent(portal_type='Software Instance')
login = software_instance.newContent(portal_type=self.login_portal_type)
compute_node_reference = 'TESTCOMP-%s' % self.generateNewId()
compute_node = self.portal.compute_node_module.template_compute_node\
.Base_createCloneDocument(batch_mode=1)
compute_node.edit(reference=compute_node_reference)
partition = compute_node.newContent(portal_type='Compute Partition')
software_instance.edit(aggregate=partition.getRelativeUrl())
compute_node.updateLocalRolesOnSecurityGroups()
software_instance.updateLocalRolesOnSecurityGroups()
login.updateLocalRolesOnSecurityGroups()
self.assertSecurityGroup(login,
[self.user_id, software_instance.getUserId(), compute_node.getUserId()], False)
self.assertRoles(login, software_instance.getUserId(), ['Assignee'])
self.assertRoles(login, self.user_id, ['Owner'])
self.assertRoles(login, compute_node.getUserId(), ['Assignor'])
class TestGoogleLogin(TestERP5Login): class TestGoogleLogin(TestERP5Login):
login_portal_type = "Google Login" login_portal_type = "Google Login"
......
...@@ -232,9 +232,15 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow( ...@@ -232,9 +232,15 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
software_instance = self.portal.software_instance_module.newContent( software_instance = self.portal.software_instance_module.newContent(
portal_type='Software Instance', portal_type='Software Instance',
specialise=instance_tree.getRelativeUrl()) specialise=instance_tree.getRelativeUrl())
certificate_login = software_instance.newContent(
portal_type='Certificate Login')
self.assertSecurityGroup(software_instance, [self.user_id, 'G-COMPANY', self.assertSecurityGroup(software_instance, [self.user_id, 'G-COMPANY',
instance_tree.getReference()], instance_tree.getReference()],
False) False)
self.assertSecurityGroup(certificate_login, [self.user_id,
software_instance.getUserId()],
False)
compute_node = self.portal.compute_node_module.template_compute_node\ compute_node = self.portal.compute_node_module.template_compute_node\
.Base_createCloneDocument(batch_mode=1) .Base_createCloneDocument(batch_mode=1)
...@@ -250,6 +256,9 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow( ...@@ -250,6 +256,9 @@ class TestSlapOSLocalPermissionSlapOSInteractionWorkflow(
compute_node.getUserId(), instance_tree.getReference()], False) compute_node.getUserId(), instance_tree.getReference()], False)
self.assertSecurityGroup(partition, [self.user_id, self.assertSecurityGroup(partition, [self.user_id,
instance_tree.getReference()], True) instance_tree.getReference()], True)
self.assertSecurityGroup(certificate_login, [self.user_id,
compute_node.getUserId(), software_instance.getUserId()],
False)
def test_SlaveInstance_setSpecialise(self): def test_SlaveInstance_setSpecialise(self):
slave_instance = self.portal.software_instance_module.newContent( slave_instance = self.portal.software_instance_module.newContent(
......
...@@ -6,12 +6,6 @@ ...@@ -6,12 +6,6 @@
</pickle> </pickle>
<pickle> <pickle>
<dictionary> <dictionary>
<item>
<key> <string>_recorded_property_dict</string> </key>
<value>
<persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
</value>
</item>
<item> <item>
<key> <string>default_reference</string> </key> <key> <string>default_reference</string> </key>
<value> <string>testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow</string> </value> <value> <string>testSlapOSERP5LocalPermissionSlapOSInteractionWorkflow</string> </value>
...@@ -55,28 +49,13 @@ ...@@ -55,28 +49,13 @@
<item> <item>
<key> <string>workflow_history</string> </key> <key> <string>workflow_history</string> </key>
<value> <value>
<persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent> <persistent> <string encoding="base64">AAAAAAAAAAI=</string> </persistent>
</value> </value>
</item> </item>
</dictionary> </dictionary>
</pickle> </pickle>
</record> </record>
<record id="2" aka="AAAAAAAAAAI="> <record id="2" aka="AAAAAAAAAAI=">
<pickle>
<global name="PersistentMapping" module="Persistence.mapping"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>data</string> </key>
<value>
<dictionary/>
</value>
</item>
</dictionary>
</pickle>
</record>
<record id="3" aka="AAAAAAAAAAM=">
<pickle> <pickle>
<global name="PersistentMapping" module="Persistence.mapping"/> <global name="PersistentMapping" module="Persistence.mapping"/>
</pickle> </pickle>
...@@ -89,7 +68,7 @@ ...@@ -89,7 +68,7 @@
<item> <item>
<key> <string>component_validation_workflow</string> </key> <key> <string>component_validation_workflow</string> </key>
<value> <value>
<persistent> <string encoding="base64">AAAAAAAAAAQ=</string> </persistent> <persistent> <string encoding="base64">AAAAAAAAAAM=</string> </persistent>
</value> </value>
</item> </item>
</dictionary> </dictionary>
...@@ -98,7 +77,7 @@ ...@@ -98,7 +77,7 @@
</dictionary> </dictionary>
</pickle> </pickle>
</record> </record>
<record id="4" aka="AAAAAAAAAAQ="> <record id="3" aka="AAAAAAAAAAM=">
<pickle> <pickle>
<global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/> <global name="WorkflowHistoryList" module="Products.ERP5Type.Workflow"/>
</pickle> </pickle>
......
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
<value> <value>
<tuple> <tuple>
<string>after_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllLocalRoles</string> <string>after_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllLocalRoles</string>
<string>after_script/portal_workflow/local_permission_slapos_interaction_workflow/script_Base_updateAllChildrenLocalRoles</string>
</tuple> </tuple>
</value> </value>
</item> </item>
......
"""
This script updates all local roles on sub-objects. It requires Assignor
proxy role since it may be called by owner in draft state.
"""
for child in state_change['object'].contentValues():
child.updateLocalRolesOnSecurityGroups()
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Workflow Script" module="erp5.portal_type"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="_reconstructor" module="copy_reg"/>
</klass>
<tuple>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
<global name="object" module="__builtin__"/>
<none/>
</tuple>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_container</string> </key>
<value> <string>container</string> </value>
</item>
<item>
<key> <string>name_context</string> </key>
<value> <string>context</string> </value>
</item>
<item>
<key> <string>name_m_self</string> </key>
<value> <string>script</string> </value>
</item>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>_params</string> </key>
<value> <string>state_change</string> </value>
</item>
<item>
<key> <string>_proxy_roles</string> </key>
<value>
<tuple>
<string>Assignor</string>
</tuple>
</value>
</item>
<item>
<key> <string>description</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>script_Base_updateAllChildrenLocalRoles</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
...@@ -1954,14 +1954,22 @@ class TestSlapOSSlapToolInstanceAccess(TestSlapOSSlapToolMixin): ...@@ -1954,14 +1954,22 @@ class TestSlapOSSlapToolInstanceAccess(TestSlapOSSlapToolMixin):
self._makeComplexComputeNode() self._makeComplexComputeNode()
partition_id = self.destroy_requested_software_instance.getAggregateValue( partition_id = self.destroy_requested_software_instance.getAggregateValue(
portal_type='Compute Partition').getReference() portal_type='Compute Partition').getReference()
ssl_key = self.destroy_requested_software_instance.getSslKey()
ssl_cert = self.destroy_requested_software_instance.getSslCertificate()
self.login(self.destroy_requested_software_instance.getUserId()) self.login(self.destroy_requested_software_instance.getUserId())
response = self.portal_slap.destroyedComputerPartition(self.compute_node_id, response = self.portal_slap.destroyedComputerPartition(self.compute_node_id,
partition_id) partition_id)
self.assertEqual('None', response) self.assertEqual('None', response)
self.assertEqual('invalidated', self.assertEqual('invalidated',
self.destroy_requested_software_instance.getValidationState()) self.destroy_requested_software_instance.getValidationState())
self.assertEqual(None, self.destroy_requested_software_instance.getSslKey())
self.assertEqual(None, self.destroy_requested_software_instance.getSslCertificate()) certificate_login_list = self.destroy_requested_software_instance.objectValues(
portal_type="Certificate Login")
self.assertEqual(1, len(certificate_login_list))
self.assertEqual("invalidated", certificate_login_list[0].getValidationState())
self.assertEqual(ssl_key, self.destroy_requested_software_instance.getSslKey())
self.assertEqual(ssl_cert, self.destroy_requested_software_instance.getSslCertificate())
def assertInstanceRequestSimulator(self, args, kwargs): def assertInstanceRequestSimulator(self, args, kwargs):
stored = eval(open(self.instance_request_simulator).read()) #pylint: disable=eval-used stored = eval(open(self.instance_request_simulator).read()) #pylint: disable=eval-used
......
...@@ -890,10 +890,11 @@ class SlapTool(BaseTool): ...@@ -890,10 +890,11 @@ class SlapTool(BaseTool):
compute_partition_id) compute_partition_id)
if instance.getSlapState() == 'destroy_requested': if instance.getSlapState() == 'destroy_requested':
# remove certificate from SI
instance.revokeCertificate()
if instance.getValidationState() == 'validated': if instance.getValidationState() == 'validated':
instance.invalidate() instance.invalidate()
for login in instance.objectValues(portal_type="Certificate Login"):
if login.getValidationState() == 'validated':
login.invalidate()
@convertToREST @convertToREST
def _setComputePartitionConnectionXml(self, compute_node_id, def _setComputePartitionConnectionXml(self, compute_node_id,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment