Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

app/permissions: Move permissions data out of LDAP, introduce a new 'app core' config panel allowing to change the app logo, label, etc. #1917

Merged
merged 16 commits into from
Feb 22, 2025
Merged

app/permissions: Move permissions data out of LDAP, introduce a new 'app core' config panel allowing to change the app logo, label, etc. #1917

merged 16 commits into from
Feb 22, 2025

Conversation

alexAubin
Copy link
Member

@alexAubin alexAubin commented Jul 21, 2024
edited
Loading

The problem

As foretold a while ago, for various reason, we are going to want to tweak the permission datastructure (because of the auth header policy evolution, or being able to tweak the label, description, logo in the portal) and all the infos are currently in LDAP for not real reason beyond the fact that this is where we store the user<->group<->ACL relationships - but all the other infos (label, url, show_tile etc.) are only meant to be used by ssowat without relying on LDAP.

This is not practical because everytime we want to change the datastructure, we need an LDAP migration, and having everything in settings would also to just simply be able to edit a flat yaml text file which has plenty of benefits.

Solution

  • Move all permission infos out of LDAP : url, additional_urls, label, show_tile, and protected infos, but also the "allowed" list of group/users
  • The old LDAP attributes are marked as OBSOLETE, couldn't be removed entirely otherwise LDAP will spit warnings because the old info still exists in DB ... and yet it cannot be removed either because LDAP supposedly doesnt know about them ...
  • The perm infos are now part of the app settings, using a special _permissions key which is a dict mapping each perm to the corresponding infos
  • The "system perm" infos are stored in a new configuration file, /etc/yunohost/permissions.yml
  • The "allowed/member" relationship between user and permission is resynchronized to the LDAP (from the "truth source" being the app settings + system perm conf) using an internal function _sync_permissions_with_ldap which may also be called manually from CLI using yunohot user permissions ldapsync ... this CLI command is mainly here for debugging purpose and/or scenario in which somebody tweaks access rights manually in the app settings ... Kind of similar to yunohost app ssowatconf
  • Drop the group<->perm relationship from LDAP because it's not needed anymore
  • Remove --short option for yunohost user permission list because it was pretty much unused and confusing because the return type of the function was different with/without this option
  • Remove yunohost user permission reset <app> because it's pretty much unused and exists mainly because of the legacy permission system
  • user_permission_create/update/delete do not generate an operation log anymore because it felt a bit bloated that it did ... especially now that what it does is mainly to edit the app settings ... but admin-triggered operation like user_permission_update (from CLI/API) or add/remove members will generate a "flash" operation

PR Status

Yolodraft

  • Rereview the migration after the second iteration that also moves the "allowed" info
  • Rereview the sync_perm=True/False because the ldap sync function doesn't call app_ssowat anymoar

How to test

...

@alexAubin alexAubin changed the base branch from dev to bookworm July 21, 2024 18:05
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch 3 times, most recently from 30015ca to ab7a33b Compare July 22, 2024 15:11
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch 3 times, most recently from 6ac59cc to c5580a0 Compare August 5, 2024 18:42
Base automatically changed from bookworm to dev October 31, 2024 20:12
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch from c5580a0 to 9340666 Compare November 6, 2024 18:08
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch 5 times, most recently from 0175053 to b31c49d Compare December 1, 2024 01:37
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch from 2b651cf to 6896dc8 Compare December 13, 2024 16:59
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch from 6896dc8 to a0960b6 Compare January 31, 2025 17:12
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 5, 2025
View reviewed changes
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch 9 times, most recently from 77d78fc to 0770277 Compare February 5, 2025 23:06
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch from 0770277 to c2a3fc4 Compare February 6, 2025 15:02
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch 2 times, most recently from 8de021b to 40dfb00 Compare February 7, 2025 20:41
@zamentur
Copy link
Member

zamentur commented Feb 7, 2025

Currently, /etc/ssowat/conf.json and /etc/yunohost/portal/DOMAIN.json contain structure like this:

"APP.main": {
    "users": [ LIST_OF_USERS ]
}

If you have hundreds of users, you have for each permissions and in each of this file, all allowed users listed, even if you use groups to define those permission.

I understand that we need some cache to avoid perf issue with ldap request. Could it be possible to factorize those file with something like:
/var/cache/yunohost/groups.yml

all_users: [ USER_LIST ]
other_group: [ "user1","user2" ]

And refer to it in /etc/ssowat/conf.json and /etc/yunohost/portal/DOMAIN.json with something like this instead:

"APP.main": {
    "allowed": [ "other_group", "user3" ]
}

Next we could recompile the "flat" list of allowed users in _get_portal_settings().
In /etc/ssowat/conf.json, we could simply have a copy of groups:

groups:
  all_users: [ USER_LIST ]
  other_group: [ "user1","user2" ]

Or even directly give read write on /var/cache/yunohost/groups.yml to ssowat lua code...

May be an other PR. It's just it seems to me quite annoying to have tons of users listed in each apps main permissions.

@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch 2 times, most recently from c7f75ab to 90c7283 Compare February 9, 2025 14:28
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch 2 times, most recently from 2b19d29 to fc64aae Compare February 12, 2025 18:31
@alexAubin
app/permissions: draft new 'core' app config panel to edit the permis…
1536ae1 
…sion stuff and upgrade/change_url/uninstall the app
@alexAubin alexAubin force-pushed the move-perm-data-out-of-ldap branch from fc64aae to 1536ae1 Compare February 13, 2025 06:53
@Axolotle Axolotle mentioned this pull request Feb 14, 2025
Merged
alexAubin and others added 11 commits February 17, 2025 18:28
@alexAubin
app/permission: i18n for new config panel
2ca085a
@alexAubin
app/permission: fix tests, missing app_ssowatconf after provisioning/…
27a0163 
…deprovisioning perms
@alexAubin
permissions: cleanup migration 0028_delete_legacy_xmpp_permission, su…
c1253b7 
…perseded by migration 0033
@Axolotle
feat: add collapsed prop to section's config panel
f722c27
@Axolotle
feat(app): set non-main permissions section to collapsed state
d7975a6
@alexAubin
app/configpanel: handle the core actions: upgrade, change_url, uninta…
fbdf49f 
…lled, triggered via the config panel
@alexAubin
apps.py: autoformat
3f8f1b9
@alexAubin
app/permissions: convert the 'description' type to 'string' instead o…
695815f 
…f textarea
@alexAubin
Misc cleaning forgotten debug code
d7d2cf2
@alexAubin
configpanel: fix/workaround case where the webclient resends an unmod…
fa5990f 
…ified file path for some reason
@alexAubin
Merge branch 'dev' into move-perm-data-out-of-ldap
9ebeea5
@alexAubin alexAubin marked this pull request as ready for review February 22, 2025 14:40
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 22, 2025
View reviewed changes
maintenance/missing_i18n_keys.py
@@ -184,6 +184,32 @@
if key in domain_settings_with_help_key:
yield f"domain_config_{key}_help"

# App config panel
app_config = toml.load(open(ROOT + "share/config_app.toml"))

Check warning

Code scanning / CodeQL

File is not always closed Warning

File is opened but is not closed.
src/app.py
@@ -69,7 +79,7 @@
if TYPE_CHECKING:
from pydantic.typing import AbstractSetIntStr, MappingIntStrAny

from yunohost.utils.configpanel import ConfigPanelModel, RawSettings
from yunohost.utils.configpanel import ConfigPanelModel, RawSettings, RawConfig

Check notice

Code scanning / CodeQL

Unused import Note

Import of 'ConfigPanelModel' is not used.
Import of 'RawSettings' is not used.
Import of 'RawConfig' is not used.

Copilot Autofix AI 9 days ago

To fix the problem, we need to remove the unused imports from the code. Specifically, we should delete the line that imports ConfigPanelModel, RawSettings, and RawConfig from yunohost.utils.configpanel. This will clean up the code and remove the unnecessary dependency.

Suggested changeset 1
src/app.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/app.py b/src/app.py
--- a/src/app.py
+++ b/src/app.py
@@ -81,3 +81,3 @@
 
-    from yunohost.utils.configpanel import ConfigPanelModel, RawSettings, RawConfig
+
     from yunohost.utils.form import FormModel
EOF
@@ -81,3 +81,3 @@

from yunohost.utils.configpanel import ConfigPanelModel, RawSettings, RawConfig

from yunohost.utils.form import FormModel
Copilot is powered by AI and may make mistakes. Always verify output.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.
src/app.py
return AppConfigPanel(app).run_action(
action, args=args, args_file=args_file, operation_logger=operation_logger
)
def app_action_run(app, action, args=None, args_file=None, core=False):

Check notice

Code scanning / CodeQL

Explicit returns mixed with implicit (fall through) returns Note

Mixing implicit and explicit returns may indicate an error as implicit returns always return None.
src/utils/form.py
@@ -2061,7 +2062,10 @@
# - we doesn't want to give a specific value
# - we want to keep the previous value
# - we want the default value
context[option.id] = None
if option.readonly:
context[option.id] = option.normalize(form[option.id])

Check failure

Code scanning / CodeQL

Modification of parameter with default Error

This expression mutates a
default value
Loading
.
src/utils/form.py
if option.readonly:
context[option.id] = option.normalize(form[option.id])
else:
context[option.id] = None

Check failure

Code scanning / CodeQL

Modification of parameter with default Error

This expression mutates a
default value
Loading
.
@alexAubin alexAubin changed the title WIP: app/permissions: Move permissions data out of LDAP app/permissions: Move permissions data out of LDAP, introduce a new 'app core' config panel allowing to change the app logo, label, etc. Feb 22, 2025
@alexAubin alexAubin merged commit 4c38c40 into dev Feb 22, 2025
3 of 4 checks passed
@alexAubin alexAubin deleted the move-perm-data-out-of-ldap branch February 22, 2025 14:42
This was referenced Feb 24, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
🚧 refactoring work needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alexAubin @zamentur @Axolotle