app/permissions: Move permissions data out of LDAP, introduce a new 'app core' config panel allowing to change the app logo, label, etc.

conf/slapd/config.ldif

@@ -206,18 +206,18 @@ olcMemberOfMemberAD: member
 olcMemberOfMemberOfAD: memberOf
 structuralObjectClass: olcMemberOf
 
-# Link permission <-> groupes
-dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcMemberOf
-olcOverlay: {1}memberof
-olcMemberOfDangling: error
-olcMemberOfDanglingError: constraintViolation
-olcMemberOfRefInt: TRUE
-olcMemberOfGroupOC: permissionYnh
-olcMemberOfMemberAD: groupPermission
-olcMemberOfMemberOfAD: permission
-structuralObjectClass: olcMemberOf
+# Link permission <-> groupes (OBSOLETE)
+#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
+#objectClass: olcOverlayConfig
+#objectClass: olcMemberOf
+#olcOverlay: {1}memberof
+#olcMemberOfDangling: error
+#olcMemberOfDanglingError: constraintViolation
+#olcMemberOfRefInt: TRUE
+#olcMemberOfGroupOC: permissionYnh
+#olcMemberOfMemberAD: groupPermission
+#olcMemberOfMemberOfAD: permission
+#structuralObjectClass: olcMemberOf
 
 # Link permission <-> user
 dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config

conf/slapd/db_init.ldif

@@ -55,7 +55,6 @@ objectClass: posixGroup
 objectClass: groupOfNamesYnh
 gidNumber: 4002
 cn: all_users
-permission: cn=mail.main,ou=permission,dc=yunohost,dc=org
 
 dn: cn=visitors,ou=groups,dc=yunohost,dc=org
 objectClass: posixGroup
@@ -64,32 +63,19 @@ gidNumber: 4003
 cn: visitors
 
 dn: cn=mail.main,ou=permission,dc=yunohost,dc=org
-groupPermission: cn=all_users,ou=groups,dc=yunohost,dc=org
 cn: mail.main
 objectClass: posixGroup
 objectClass: permissionYnh
-isProtected: TRUE
-label: E-mail
 gidNumber: 5001
-showTile: FALSE
-authHeader: FALSE
 
 dn: cn=ssh.main,ou=permission,dc=yunohost,dc=org
 cn: ssh.main
 objectClass: posixGroup
 objectClass: permissionYnh
-isProtected: TRUE
-label: SSH
 gidNumber: 5003
-showTile: FALSE
-authHeader: FALSE
 
 dn: cn=sftp.main,ou=permission,dc=yunohost,dc=org
 cn: sftp.main
 objectClass: posixGroup
 objectClass: permissionYnh
-isProtected: TRUE
-label: SFTP
 gidNumber: 5004
-showTile: FALSE
-authHeader: FALSE

conf/slapd/permission.ldif

@@ -9,28 +9,28 @@ olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.1 NAME 'permission'
   DESC 'YunoHost permission on user and group side'
   SUP distinguishedName )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.2 NAME 'groupPermission'
-  DESC 'YunoHost permission for a group on permission side'
+  DESC 'YunoHost permission for a group on permission side' OBSOLETE
   SUP distinguishedName )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
   DESC 'YunoHost permission for user on permission side'
   SUP distinguishedName )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.4 NAME 'URL'
-  DESC 'YunoHost permission main URL'
+  DESC 'YunoHost permission main URL' OBSOLETE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.5 NAME 'additionalUrls'
-  DESC 'YunoHost permission additionnal URL'
+  DESC 'YunoHost permission additionnal URL' OBSOLETE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.6 NAME 'authHeader'
-  DESC 'YunoHost application, enable authentication header'
+  DESC 'YunoHost application, enable authentication header' OBSOLETE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.7 NAME 'label'
-  DESC 'YunoHost permission label, also used for the tile name in the SSO'
+  DESC 'YunoHost permission label, also used for the tile name in the SSO' OBSOLETE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.8 NAME 'showTile'
-  DESC 'YunoHost application, show/hide the tile in the SSO for this permission'
+  DESC 'YunoHost application, show/hide the tile in the SSO for this permission' OBSOLETE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.9 NAME 'isProtected'
-  DESC 'YunoHost application permission protection'
+  DESC 'YunoHost application permission protection' OBSOLETE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 # OBJECTCLASS
 # For Applications
@@ -39,12 +39,12 @@ olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
   SUP top AUXILIARY
   MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ permission ) )
 olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
-  DESC 'a YunoHost application'
+  DESC 'a YunoHost permission'
   SUP top AUXILIARY
-  MUST ( cn $ authHeader $ label $ showTile $ isProtected )
-  MAY ( groupPermission $ inheritPermission $ URL $ additionalUrls ) )
+  MUST ( cn )
+  MAY ( groupPermission $ inheritPermission $ URL $ additionalUrls $ authHeader $ label $ showTile $ isProtected ) )
 # For User
 olcObjectClasses: ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
-  DESC 'a YunoHost application'
+  DESC 'a YunoHost user with permission attributes'
   SUP top AUXILIARY
   MAY ( permission ) )

helpers/helpers.v1.d/permission

@@ -21,7 +21,7 @@
 # Create a new permission for the app
 #
 # Example 1: `ynh_permission_create --permission=admin --url=/admin --additional_urls=domain.tld/admin /superadmin --allowed=alice bob \
-#                                  --label="My app admin" --show_tile=true`
+#                                  --show_tile=true`
 #
 # This example will create a new permission permission with this following effect:
 # - A tile named "My app admin" in the SSO will be available for the users alice and bob. This tile will point to the relative url '/admin'.
@@ -31,7 +31,7 @@
 # Example 2:
 #
 #     ynh_permission_create --permission=api --url=domain.tld/api --auth_header=false --allowed=visitors \
-#                                  --label="MyApp API" --protected=true
+#                                  --protected=true
 #
 # This example will create a new protected permission. So the admin won't be able to add/remove the visitors group of this permission.
 # In case of an API with need to be always public it avoid that the admin break anything.
@@ -43,14 +43,13 @@
 #
 #
 # usage: ynh_permission_create --permission="permission" [--url="url"] [--additional_urls="second-url" [ "third-url" ]] [--auth_header=true|false]
-#                                                        [--allowed=group1 [ group2 ]] [--label="label"] [--show_tile=true|false]
+#                                                        [--allowed=group1 [ group2 ]] [--show_tile=true|false]
 #                                                        [--protected=true|false]
 # | arg: -p, --permission=       - the name for the permission (by default a permission named "main" already exist)
 # | arg: -u, --url=              - (optional) URL for which access will be allowed/forbidden. Note that if 'show_tile' is enabled, this URL will be the URL of the tile.
 # | arg: -A, --additional_urls=  - (optional) List of additional URL for which access will be allowed/forbidden
 # | arg: -h, --auth_header=      - (optional) Define for the URL of this permission, if SSOwat pass the authentication header to the application. Default is true
 # | arg: -a, --allowed=          - (optional) A list of group/user to allow for the permission
-# | arg: -l, --label=            - (optional) Define a name for the permission. This label will be shown on the SSO and in the admin. Default is "APP_LABEL (permission name)".
 # | arg: -t, --show_tile=        - (optional) Define if a tile will be shown in the SSO. If yes the name of the tile will be the 'label' parameter. Defaults to false for the permission different than 'main'.
 # | arg: -P, --protected=        - (optional) Define if this permission is protected. If it is protected the administrator won't be able to add or remove the visitors group of this permission. Defaults to 'false'.
 #
@@ -84,21 +83,19 @@
 ynh_permission_create() {
     # Declare an array to define the options of this helper.
     local legacy_args=puAhaltP
-    local -A args_array=([p]=permission= [u]=url= [A]=additional_urls= [h]=auth_header= [a]=allowed= [l]=label= [t]=show_tile= [P]=protected=)
+    local -A args_array=([p]=permission= [u]=url= [A]=additional_urls= [h]=auth_header= [a]=allowed= [t]=show_tile= [P]=protected=)
     local permission
     local url
     local additional_urls
     local auth_header
     local allowed
-    local label
     local show_tile
     local protected
     ynh_handle_getopts_args "$@"
     url=${url:-}
     additional_urls=${additional_urls:-}
     auth_header=${auth_header:-}
     allowed=${allowed:-}
-    label=${label:-}
     show_tile=${show_tile:-}
     protected=${protected:-}
 
@@ -134,12 +131,6 @@ ynh_permission_create() {
         allowed=",allowed=['${allowed//;/\',\'}']"
     fi
 
-    if [[ -n ${label:-} ]]; then
-        label=",label='$label'"
-    else
-        label=",label='$permission'"
-    fi
-
     if [[ -n ${show_tile:-} ]]; then
         if [ $show_tile == "true" ]; then
             show_tile=",show_tile=True"
@@ -156,7 +147,7 @@ ynh_permission_create() {
         fi
     fi
 
-    yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('$app.$permission' $url $additional_urls $auth_header $allowed $label $show_tile $protected)"
+    yunohost tools shell -c "from yunohost.permission import permission_create; permission_create('$app.$permission' $url $additional_urls $auth_header $allowed $show_tile $protected)"
 }
 
 # Remove a permission for the app (note that when the app is removed all permission is automatically removed)
@@ -266,29 +257,26 @@ ynh_permission_url() {
 # Update a permission for the app
 #
 # usage: ynh_permission_update --permission "permission" [--add="group" ["group" ...]] [--remove="group" ["group" ...]]
-#                                                        [--label="label"] [--show_tile=true|false] [--protected=true|false]
+#                                                        [--show_tile=true|false] [--protected=true|false]
 # | arg: -p, --permission= - the name for the permission (by default a permission named "main" already exist)
 # | arg: -a, --add=        - the list of group or users to enable add to the permission
 # | arg: -r, --remove=     - the list of group or users to remove from the permission
-# | arg: -l, --label=      - (optional) Define a name for the permission. This label will be shown on the SSO and in the admin.
 # | arg: -t, --show_tile=  - (optional) Define if a tile will be shown in the SSO
 # | arg: -P, --protected=  - (optional) Define if this permission is protected. If it is protected the administrator won't be able to add or remove the visitors group of this permission.
 #
 # Requires YunoHost version 3.7.0 or higher.
 ynh_permission_update() {
     # Declare an array to define the options of this helper.
     local legacy_args=parltP
-    local -A args_array=([p]=permission= [a]=add= [r]=remove= [l]=label= [t]=show_tile= [P]=protected=)
+    local -A args_array=([p]=permission= [a]=add= [r]=remove= [t]=show_tile= [P]=protected=)
     local permission
     local add
     local remove
-    local label
     local show_tile
     local protected
     ynh_handle_getopts_args "$@"
     add=${add:-}
     remove=${remove:-}
-    label=${label:-}
     show_tile=${show_tile:-}
     protected=${protected:-}
 
@@ -311,10 +299,6 @@ ynh_permission_update() {
         remove=",remove=['${remove//';'/"','"}']"
     fi
 
-    if [[ -n $label ]]; then
-        label=",label='$label'"
-    fi
-
     if [[ -n $show_tile ]]; then
         if [ $show_tile == "true" ]; then
             show_tile=",show_tile=True"
@@ -331,7 +315,7 @@ ynh_permission_update() {
         fi
     fi
 
-    yunohost tools shell -c "from yunohost.permission import user_permission_update; user_permission_update('$app.$permission' $add $remove $label $show_tile $protected , force=True)"
+    yunohost tools shell -c "from yunohost.permission import user_permission_update; user_permission_update('$app.$permission' $add $remove $show_tile $protected , force=True)"
 }
 
 # Check if a permission has an user

hooks/backup/20-conf_ynh_settings

@@ -29,6 +29,7 @@ backup_dir="${1}/conf/ynh"
 
 # Backup the configuration
 ynh_backup "/etc/yunohost/firewall.yml" "${backup_dir}/firewall.yml"
+ynh_backup "/etc/yunohost/permissions.yml" "${backup_dir}/permissions.yml"
 ynh_backup "/etc/yunohost/current_host" "${backup_dir}/current_host"
 [ ! -d "/etc/yunohost/portal" ] || ynh_backup "/etc/yunohost/portal" "${backup_dir}/portal"
 [ ! -d "/etc/yunohost/domains" ] || ynh_backup "/etc/yunohost/domains" "${backup_dir}/domains"

hooks/conf_regen/06-slapd

@@ -162,7 +162,10 @@ objectClass: top"
         nscd -i group
     fi
 
-    [ -z "$regen_conf_files" ] && exit 0
+    if [ -z "$regen_conf_files" ] && [ $FORCE == "false" ]
+    then
+        exit 0
+    fi
 
     # regenerate LDAP config directory from slapd.conf
     echo "Regenerate LDAP config directory from config.ldif"

hooks/restore/20-conf_ynh_settings

@@ -22,6 +22,7 @@ backup_dir="$1/conf/ynh"
 
 cp -a "${backup_dir}/current_host" /etc/yunohost/current_host
 cp -a "${backup_dir}/firewall.yml" /etc/yunohost/firewall.yml
+cp -a "${backup_dir}/permissions.yml" /etc/yunohost/permissions.yml
 [ ! -d "${backup_dir}/portal" ] || cp -a "${backup_dir]}/portal" /etc/yunohost/portal
 [ ! -d "${backup_dir}/domains" ] || cp -a "${backup_dir}/domains" /etc/yunohost/domains
 [ ! -e "${backup_dir}/settings.yml" ] || cp -a "${backup_dir}/settings.yml" "/etc/yunohost/settings.yml"