slapos_erp5: draft Remote Node security

master/bt5/slapos_erp5/PortalTypeRolesTemplateItem/Remote%20Node.xml

+<type_roles>
+  <role id='Auditor'>
+   <property id='title'>Project Customer</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/customer</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
+  <role id='Assignee'>
+   <property id='title'>Project Production Agent</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/agent</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
+  <role id='Assignor'>
+   <property id='title'>Project Production Manager</property>
+   <property id='description'>XXX add local role group</property>
+   <property id='condition'>python: context.getFollowUp("") != ""</property>
+   <property id='base_category_script'>ERP5Type_getSecurityCategoryFromContent</property>
+   <multi_property id='category'>function/production/manager</multi_property>
+   <multi_property id='base_category'>follow_up</multi_property>
+  </role>
+</type_roles>
\ No newline at end of file

master/bt5/slapos_erp5/TestTemplateItem/portal_components/test.erp5.testSlapOSERP5VirtualMasterScenario.py

@@ -40,6 +40,27 @@ class TestSlapOSVirtualMasterScenario(DefaultScenarioMixin):
     project.validate()
     return project
 
+  def requestRemoteNode(self, project):
+    remote_node = self.portal.compute_node_module.newContent(
+      portal_type='Remote Node',
+      title='remote-%s' % self.generateNewId(),
+      follow_up_value=project,
+      # XXX
+      capacity_scope='close'
+    )
+    self.setServerOpenPublic(remote_node)
+    remote_node.setCapacityScope('open')
+
+    # XXX format
+    partition = remote_node.newContent(
+      portal_type='Compute Partition',
+      reference='slapremote0'
+    )
+    partition.markFree()
+    partition.validate()
+    remote_node.validate()
+    return remote_node
+
   def addSoftwareProduct(self, title, project, public_server_software,
                          public_instance_type):
     software_product = self.portal.software_product_module.newContent(
@@ -726,6 +747,94 @@ class TestSlapOSVirtualMasterScenario(DefaultScenarioMixin):
     assert last_message is None, last_message
 
 
+  def test_virtual_master_on_remote_tree_without_accounting_scenario(self):
+    # create a default project
+    project = self.addProject()
+    self.web_site = self.portal.web_site_module.slapos_master_panel
+
+    preference = self.portal.portal_preferences.slapos_default_system_preference
+    preference.edit(
+      preferred_subscription_assignment_category_list=[
+        'function/customer',
+        'role/client',
+        'destination_project/%s' % project.getRelativeUrl()
+      ]
+    )
+
+    # some preparation
+    self.logout()
+
+    # lets join as slapos administrator, which will own few compute_nodes
+    owner_reference = 'owner-%s' % self.generateNewId()
+    self.joinSlapOS(self.web_site, owner_reference)
+
+    self.login()
+    owner_person = self.portal.portal_catalog.getResultValue(
+      portal_type="ERP5 Login",
+      reference=owner_reference).getParentValue()
+
+    # first slapos administrator assignment can only be created by
+    # the erp5 manager
+    self.addProjectProductionManagerAssignment(owner_person, project)
+    self.tic()
+
+    # hooray, now it is time to create compute_nodes
+    self.login(owner_person.getUserId())
+
+    remote_server = self.requestRemoteNode(project)
+
+    # and install some software on them
+    public_server_software = self.generateNewSoftwareReleaseUrl()
+
+    remote_server.requestSoftwareRelease(software_release_url=public_server_software,
+                                         state='available')
+
+    #software_product, release_variation, type_variation = self.addSoftwareProduct(
+    public_instance_type = 'public type'
+    software_product, software_release, software_type = self.addSoftwareProduct(
+      "instance product", project, public_server_software, public_instance_type
+    )
+
+    self.addAllocationSupply("for compute node", remote_server, software_product,
+                             software_release, software_type,
+                             is_slave_on_same_instance_tree_allocable=True)
+
+    # join as the another visitor and request software instance on public
+    # compute_node
+    self.logout()
+    public_reference = 'public-%s' % self.generateNewId()
+    self.joinSlapOS(self.web_site, public_reference)
+
+    self.login()
+    public_person = self.portal.portal_catalog.getResultValue(
+      portal_type="ERP5 Login",
+      reference=public_reference).getParentValue()
+
+    public_instance_title = 'Public title %s' % self.generateNewId()
+    self.checkRemoteInstanceAllocation(public_person.getUserId(),
+        public_reference, public_instance_title,
+        public_server_software, public_instance_type,
+        remote_server, project.getReference())
+
+    self.tic()
+
+    self.login()
+    # Ensure no unexpected object has been created
+    # 3 (can reduce to 2) assignment, 1 instance tree, 1 remote node, 1 software installation
+    # 1 software instance
+    # 2 credential request
+    # 1 software product
+    # 3 allocation supply/line/cell
+    related_object_list = project.Base_getRelatedObjectList(**{'category.category_strict_membership': 1})
+    assert len(related_object_list) == 13, [x.getRelativeUrl() for x in related_object_list]
+
+    self.stepcheckERP5Consistency()
+
+    # after accept, an email is send containing the reset link
+    last_message = self.portal.MailHost._last_message
+    assert last_message is None, last_message
+
+
   def test_open_order_with_service_scenario(self):
 
     # create a default project

master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputeNode_edit.xml

@@ -34,6 +34,7 @@
               <tuple>
                 <string>Compute Node</string>
                 <string>Instance Node</string>
+                <string>Remote Node</string>
               </tuple>
             </value>
         </item>

master/bt5/slapos_erp5/WorkflowTemplateItem/portal_workflow/local_permission_slapos_interaction_workflow/interaction_ComputeNode_reindexObject.xml

@@ -31,6 +31,7 @@
             <value>
               <tuple>
                 <string>Compute Node</string>
+                <string>Remote Node</string>
               </tuple>
             </value>
         </item>

master/bt5/slapos_erp5/bt/template_portal_type_role_list

@@ -70,6 +70,7 @@ Project Module
 Purchase Invoice Transaction
 Regularisation Request
 Regularisation Request Module
+Remote Node
 Restricted Access Token
 Sale Invoice Transaction
 Sale Packing List