app/permissions: more refactoring to also move the 'allowed' perm inf…

…o out of LDAP

conf/slapd/config.ldif

@@ -206,18 +206,18 @@ olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
 structuralObjectClass: olcMemberOf
 
-# Link permission <-> groupes
-dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcMemberOf
-olcOverlay: {1}memberof
-olcMemberOfDangling: error
-olcMemberOfDanglingError: constraintViolation
-olcMemberOfRefInt: TRUE
-olcMemberOfGroupOC: permissionYnh
-olcMemberOfMemberAD: groupPermission
-olcMemberOfMemberOfAD: permission
-structuralObjectClass: olcMemberOf
+# Link permission <-> groupes (OBSOLETE)
+#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
+#objectClass: olcOverlayConfig
+#objectClass: olcMemberOf
+#olcOverlay: {1}memberof
+#olcMemberOfDangling: error
+#olcMemberOfDanglingError: constraintViolation
+#olcMemberOfRefInt: TRUE
+#olcMemberOfGroupOC: permissionYnh
+#olcMemberOfMemberAD: groupPermission
+#olcMemberOfMemberOfAD: permission
+#structuralObjectClass: olcMemberOf
 
 # Link permission <-> user
 dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config

conf/slapd/db_init.ldif

@@ -55,7 +55,6 @@ objectClass: posixGroup
 objectClass: groupOfNamesYnh
 gidNumber: 4002
 cn: all_users
-permission: cn=mail.main,ou=permission,dc=yunohost,dc=org
 
 dn: cn=visitors,ou=groups,dc=yunohost,dc=org
 objectClass: posixGroup
@@ -64,7 +63,6 @@ gidNumber: 4003
 cn: visitors
 
 dn: cn=mail.main,ou=permission,dc=yunohost,dc=org
-groupPermission: cn=all_users,ou=groups,dc=yunohost,dc=org
 cn: mail.main
 objectClass: posixGroup
 objectClass: permissionYnh

conf/slapd/permission.ldif

@@ -9,7 +9,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.1 NAME 'permission'
   DESC 'YunoHost permission on user and group side'
   SUP distinguishedName )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.2 NAME 'groupPermission'
-  DESC 'YunoHost permission for a group on permission side'
+  DESC 'YunoHost permission for a group on permission side' OBSOLETE
   SUP distinguishedName )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
   DESC 'YunoHost permission for user on permission side'
@@ -39,12 +39,12 @@ olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
   SUP top AUXILIARY
   MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ permission ) )
 olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
-  DESC 'a YunoHost application'
+  DESC 'a YunoHost permission'
   SUP top AUXILIARY
   MUST ( cn )
   MAY ( groupPermission $ inheritPermission $ URL $ additionalUrls $ authHeader $ label $ showTile $ isProtected ) )
 # For User
 olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
-  DESC 'a YunoHost application'
+  DESC 'a YunoHost user with permission attributes'
   SUP top AUXILIARY
   MAY ( permission ) )

hooks/backup/20-conf_ynh_settings

@@ -29,6 +29,7 @@ backup_dir="${1}/conf/ynh"
 
 # Backup the configuration
 ynh_backup "/etc/yunohost/firewall.yml" "${backup_dir}/firewall.yml"
+ynh_backup "/etc/yunohost/permissions.yml" "${backup_dir}/permissions.yml"
 ynh_backup "/etc/yunohost/current_host" "${backup_dir}/current_host"
 [ ! -d "/etc/yunohost/portal" ] || ynh_backup "/etc/yunohost/portal" "${backup_dir}/portal"
 [ ! -d "/etc/yunohost/domains" ] || ynh_backup "/etc/yunohost/domains" "${backup_dir}/domains"

hooks/restore/20-conf_ynh_settings

@@ -22,6 +22,7 @@ backup_dir="$1/conf/ynh"
 
 cp -a "${backup_dir}/current_host" /etc/yunohost/current_host
 cp -a "${backup_dir}/firewall.yml" /etc/yunohost/firewall.yml
+cp -a "${backup_dir}/permissions.yml" /etc/yunohost/permissions.yml
 [ ! -d "${backup_dir}/portal" ] || cp -a "${backup_dir]}/portal" /etc/yunohost/portal
 [ ! -d "${backup_dir}/domains" ] || cp -a "${backup_dir}/domains" /etc/yunohost/domains
 [ ! -e "${backup_dir}/settings.yml" ] || cp -a "${backup_dir}/settings.yml" "/etc/yunohost/settings.yml"

share/actionsmap.yml

@@ -343,10 +343,6 @@ user:
                         apps:
                             help: Apps to list permission for (all by default)
                             nargs: "*"
-                        -s:
-                            full: --short
-                            help: Only list permission names
-                            action: store_true
                         -f:
                             full: --full
                             help: Display all info known about each permission, including the full user list of each group it is granted to.
@@ -405,13 +401,9 @@ user:
                             extra:
                                 pattern: *pattern_username
 
-                ## user_permission_reset()
-                reset:
-                    action_help: Reset allowed groups to the default (all_users) for a given permission
-                    api: DELETE /users/permissions/<permission>
-                    arguments:
-                        permission:
-                            help: Permission to manage (e.g. mail or nextcloud or wordpress.editors) (use "yunohost user permission list" and "yunohost user permission -f" to see all the current permissions)
+                ## user_permission_ldapsync()
+                ldapsync:
+                    action_help: Resynchronize permissions to LDAP from app settings. This is a purely technical command, only meant to be ran if you manually modified permission settings in app, which is absolutely not recommended. 
 
         ssh:
             subcategory_help: Manage ssh access

src/app.py

@@ -563,7 +563,7 @@ def app_upgrade(
         hook_exec_with_script_debug_if_failure,
         hook_remove,
     )
-    from yunohost.permission import permission_sync_to_user
+    from yunohost.permission import _sync_permissions_with_ldap
     from yunohost.regenconf import manually_modified_files
     from yunohost.utils.legacy import _patch_legacy_helpers
 
@@ -877,7 +877,7 @@ def app_upgrade(
             if upgrade_failed or broke_the_system:
                 if not continue_on_failure or broke_the_system:
                     # display this if there are remaining apps
-                    if apps[number + 1 :]:
+                    if apps[number + 1:]:
                         not_upgraded_apps = apps[number:]
                         if broke_the_system and not continue_on_failure:
                             logger.error(
@@ -947,7 +947,7 @@ def app_upgrade(
             hook_callback("post_app_upgrade", env=env_dict)
             operation_logger.success()
 
-    permission_sync_to_user()
+    _sync_permissions_with_ldap()
 
     logger.success(m18n.n("upgrade_complete"))
 
@@ -1061,7 +1061,7 @@ def app_install(
     from yunohost.permission import (
         permission_create,
         permission_delete,
-        permission_sync_to_user,
+        _sync_permissions_with_ldap,
         user_permission_list,
     )
     from yunohost.regenconf import manually_modified_files
@@ -1352,7 +1352,7 @@ def app_install(
             shutil.rmtree(app_setting_path)
             shutil.rmtree(extracted_app_folder)
 
-            permission_sync_to_user()
+            _sync_permissions_with_ldap()
 
             raise YunohostError(failure_message_with_debug_instructions, raw_msg=True)
 
@@ -1402,7 +1402,7 @@ def app_remove(operation_logger, app, purge=False, force_workdir=None):
     from yunohost.hook import hook_callback, hook_exec, hook_remove
     from yunohost.permission import (
         permission_delete,
-        permission_sync_to_user,
+        _sync_permissions_with_ldap,
         user_permission_list,
     )
     from yunohost.utils.legacy import _patch_legacy_helpers
@@ -1488,7 +1488,7 @@ def app_remove(operation_logger, app, purge=False, force_workdir=None):
     else:
         logger.warning(m18n.n("app_not_properly_removed", app=app))
 
-    permission_sync_to_user()
+    _sync_permissions_with_ldap()
     _assert_system_is_sane_for_app(manifest, "post")
 
 
@@ -1584,7 +1584,7 @@ def app_register_url(app, domain, path):
         path -- The path to be registered (e.g. /coffee)
     """
     from yunohost.permission import (
-        permission_sync_to_user,
+        _sync_permissions_with_ldap,
         permission_url,
         user_permission_update,
     )
@@ -1615,7 +1615,7 @@ def app_register_url(app, domain, path):
     # the tile using the permission helpers.
     permission_url(app + ".main", url="/", sync_perm=False)
     user_permission_update(app + ".main", show_tile=True, sync_perm=False)
-    permission_sync_to_user()
+    _sync_permissions_with_ldap()
 
 
 def app_ssowatconf():

src/backup.py

@@ -734,12 +734,6 @@ def _collect_app_files(self, app):
 
             self._import_to_list_to_backup(env_dict["YNH_BACKUP_CSV"])
 
-            # backup permissions
-            logger.debug(m18n.n("backup_permission", app=app))
-            permissions = user_permission_list(full=True, apps=[app])["permissions"]
-            this_app_permissions = {name: infos for name, infos in permissions.items()}
-            write_to_yaml(f"{settings_dir}/permissions.yml", this_app_permissions)
-
         except Exception as e:
             logger.debug(e)
             abs_tmp_app_dir = os.path.join(self.work_dir, "apps/", app)
@@ -968,9 +962,11 @@ def clean(self):
         End a restore operations by cleaning the working directory and
         regenerate ssowat conf (if some apps were restored)
         """
-        from .permission import permission_sync_to_user
+        from yunohost.app import app_ssowatconf
+        from yunohost.permission import _sync_permissions_with_ldap
 
-        permission_sync_to_user()
+        _sync_permissions_with_ldap()
+        app_ssowatconf()
 
         if os.path.ismount(self.work_dir):
             ret = subprocess.call(["umount", self.work_dir])
@@ -1221,18 +1217,19 @@ def _restore_system(self):
         if system_targets == []:
             return
 
+        from yunohost.app import app_ssowatconf
         from yunohost.permission import (
-            permission_create,
-            permission_delete,
-            permission_sync_to_user,
-            user_permission_list,
+            #permission_create,
+            #permission_delete,
+            _sync_permissions_with_ldap,
+            #user_permission_list,
         )
 
         # Backup old permission for apps
         # We need to do that because in case of an app is installed we can't remove the permission for this app
-        old_apps_permission = user_permission_list(ignore_system_perms=True, full=True)[
-            "permissions"
-        ]
+        #old_apps_permission = user_permission_list(ignore_system_perms=True, full=True)[
+        #    "permissions"
+        #]
 
         # Start register change on system
         operation_logger = OperationLogger("backup_restore_system")
@@ -1290,27 +1287,28 @@ def _restore_system(self):
         )
 
         # Remove all permission for all app still in the LDAP
-        for permission_name in user_permission_list(ignore_system_perms=True)[
-            "permissions"
-        ].keys():
-            permission_delete(permission_name, force=True, sync_perm=False)
+        #for permission_name in user_permission_list(ignore_system_perms=True)[
+        #    "permissions"
+        #].keys():
+        #    permission_delete(permission_name, force=True, sync_perm=False)
 
         # Restore permission for apps installed
-        for permission_name, permission_infos in old_apps_permission.items():
-            app_name, _ = permission_name.split(".")
-            if _is_installed(app_name):
-                permission_create(
-                    permission_name,
-                    allowed=permission_infos["allowed"],
-                    url=permission_infos["url"],
-                    additional_urls=permission_infos["additional_urls"],
-                    auth_header=permission_infos["auth_header"],
-                    show_tile=permission_infos["show_tile"],
-                    protected=permission_infos["protected"],
-                    sync_perm=False,
-                )
-
-        permission_sync_to_user()
+        #for permission_name, permission_infos in old_apps_permission.items():
+        #    app_name, _ = permission_name.split(".")
+        #    if _is_installed(app_name):
+        #        permission_create(
+        #            permission_name,
+        #            allowed=permission_infos["allowed"],
+        #            url=permission_infos["url"],
+        #            additional_urls=permission_infos["additional_urls"],
+        #            auth_header=permission_infos["auth_header"],
+        #            show_tile=permission_infos["show_tile"],
+        #            protected=permission_infos["protected"],
+        #            sync_perm=False,
+        #        )
+
+        _sync_permissions_with_ldap()
+        app_ssowatconf()
 
     def _restore_apps(self):
         """Restore all apps targeted"""
@@ -1342,7 +1340,8 @@ def _restore_app(self, app_instance_name):
         app_instance_name -- (string) The app name to restore (no app with this
                              name should be already install)
         """
-        from yunohost.permission import permission_create, permission_sync_to_user
+        from yunohost.app import app_ssowatconf
+        from yunohost.permission import permission_create, _sync_permissions_with_ldap
         from yunohost.user import user_group_list
         from yunohost.utils.legacy import _patch_legacy_helpers
 
@@ -1404,41 +1403,6 @@ def copytree(src, dst, symlinks=False, ignore=None):
             chown(tmp_workdir_for_app, "root", None, True)
             restore_script = os.path.join(tmp_workdir_for_app, "restore")
 
-            # Restore permissions
-            if not os.path.isfile(f"{app_settings_new_path}/permissions.yml"):
-                raise YunohostError(
-                    "Didnt find a permssions.yml for the app !?", raw_msg=True
-                )
-
-            permissions = read_yaml(f"{app_settings_new_path}/permissions.yml")
-            existing_groups = user_group_list()["groups"]
-
-            for permission_name, permission_infos in permissions.items():
-                if "allowed" not in permission_infos:
-                    logger.warning(
-                        f"'allowed' key corresponding to allowed groups for permission {permission_name} not found when restoring app {app_instance_name} … You might have to reconfigure permissions yourself."
-                    )
-                    should_be_allowed = ["all_users"]
-                else:
-                    should_be_allowed = [
-                        g for g in permission_infos["allowed"] if g in existing_groups
-                    ]
-
-                permission_create(
-                    permission_name,
-                    allowed=should_be_allowed,
-                    url=permission_infos.get("url"),
-                    additional_urls=permission_infos.get("additional_urls"),
-                    auth_header=permission_infos.get("auth_header"),
-                    show_tile=permission_infos.get("show_tile", True),
-                    protected=permission_infos.get("protected", False),
-                    sync_perm=False,
-                )
-
-            permission_sync_to_user()
-
-            os.remove(f"{app_settings_new_path}/permissions.yml")
-
             _tools_migrations_run_before_app_restore(
                 backup_version=self.info["from_yunohost_version"],
                 app_id=app_instance_name,

src/migrations/0028_delete_legacy_xmpp_permission.py

@@ -41,12 +41,13 @@ class MyMigration(Migration):
 
     @Migration.ldap_migration
     def run(self, *args):
-        from yunohost.permission import permission_delete, user_permission_list
+        #from yunohost.permission import permission_delete, user_permission_list
 
         self.ldap_migration_started = True
 
-        if "xmpp.main" in user_permission_list()["permissions"]:
-            permission_delete("xmpp.main", force=True)
+        # FIXME : xmpp will be implicitly deleted after perm refactor ?
+        #if "xmpp.main" in user_permission_list()["permissions"]:
+        #    permission_delete("xmpp.main", force=True)
 
     def run_after_system_restore(self):
         self.run()