Merge branch 'acl' into 'develop'

Acl

See merge request !7

Dockerfile

@@ -38,7 +38,7 @@ RUN git clone "${CONTAINERPILOT_REPO_URL}" "/tmp/orchestrate" \
 
 # API messages description
 ARG MESSAGES_API_REPO_URL=https://gitlab.mim.ovh/EOLE/Zephir/messages-api.git
-ARG MESSAGES_API_REPO_REF=0.0.5-dev
+ARG MESSAGES_API_REPO_REF=0.0.6-dev
 
 RUN git clone "${MESSAGES_API_REPO_URL}" "/tmp/messages-api" \
     && cd /tmp/messages-api \
@@ -47,13 +47,12 @@ RUN git clone "${MESSAGES_API_REPO_URL}" "/tmp/messages-api" \
 
 # Common python Zéphir library
 ARG PYTHON_ZEPHIR_REPO_URL=https://gitlab.mim.ovh/EOLE/Zephir/python-zephir.git
-ARG PYTHON_ZEPHIR_REPO_REF=0.0.2-dev
+ARG PYTHON_ZEPHIR_REPO_REF=0.0.3-dev
 
 RUN git clone "${PYTHON_ZEPHIR_REPO_URL}" "/tmp/python-zephir" \
     && cd /tmp/python-zephir \
     && git checkout "${PYTHON_ZEPHIR_REPO_REF}"
 
-
 ####
 #### Target layer
 ####
@@ -64,7 +63,7 @@ MAINTAINER Pôle EOLE <eole@ac-dijon.fr>
 # Packages required for working service
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -y && apt-get install -y \
-    gnupg \
+   gnupg \
     jq \
     locales \
     openssl \
@@ -76,6 +75,7 @@ RUN apt-get update -y && apt-get install -y \
     python3-psycopg2 \
     python3-requests \
     python3-yaml \
+    python3-pip \
     sqitch \
     tzdata
 
@@ -95,6 +95,9 @@ ENV LC_ALL fr_FR.UTF-8
 RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
 RUN dpkg-reconfigure --frontend noninteractive tzdata
 
+RUN pip3 install casbin
+
+
 # Sqitch
 RUN sqitch config --user user.name 'Equipe EOLE'\
     && sqitch config --user user.email 'eole@ac-dijon.fr'
@@ -115,6 +118,7 @@ COPY --from=build /tmp/orchestrate/${services_conf_filename}.ctmpl ${services_co
 
 # Install libraries required by service
 COPY --from=build /tmp/python-zephir/zephir /usr/lib/python3/dist-packages/zephir
+COPY --from=build /tmp/python-zephir/acl /etc/acl
 COPY --from=build /tmp/messages-api/messages /srv/messages
 
 # Manage container with ContainerPilot
@@ -133,3 +137,4 @@ COPY src/python/server /usr/lib/python3/dist-packages/server
 RUN mkdir -p /srv/bin
 COPY scripts/* /srv/bin/
 COPY migrations /migrations
+COPY acl/* /etc/acl/
\ No newline at end of file

acl/model.conf

-[request_definition]
-r = sub, obj, act
-
-[policy_definition]
-p = sub, obj, act
-
-[role_definition]
-g = _, _
-
-[policy_effect]
-e = some(where (p.eft == allow))
-
-[matchers]
-m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
\ No newline at end of file

acl/policy.csv

-p, admin, server/*, create
-p, admin, server/*, describe
-p, admin, server/*, delete
-p, admin, server/*, update
+p, admin, v1.server.create, allowed
+p, admin, v1.server.update, allowed
+p, admin, v1.server.delete, allowed
 
-p, user, server/*, describe
+p, admin, v1.serverselection.create, allowed
+p, admin, v1.serverselection.update, allowed
+p, admin, v1.serverselection.delete, allowed
+p, admin, v1.serverselection.server.add, allowed
+p, admin, v1.serverselection.server.remove, allowed
+p, admin, v1.serverselection.user.add, allowed
+p, admin, v1.serverselection.user.remove, allowed
+p, admin, v1.serverselection.user.update, allowed
+
+p, manager, v1.server.exec.deploy, allowed
+p, manager, v1.server.exec.command, allowed
+p, manager, v1.server.peering-conf.get, allowed
+p, manager, v1.server.exec.list, allowed
+p, manager, v1.server.exec.describe, allowed
+
+p, manager, v1.serverselection.exec.deploy, allowed
+p, manager, v1.serverselection.exec.command, allowed
+
+p, viewer, v1.server.list, allowed
+p, viewer, v1.server.describe, allowed
+p, viewer, v1.server.config.get, allowed
+
+p, viewer, v1.serverselection.list, allowed
+p, viewer, v1.serverselection.describe, allowed
 
 g, owner, admin
+g, admin, manager
+g, manager, viewer

migrations/deploy/server_schema.sql

@@ -21,7 +21,7 @@ CREATE TABLE ServerSelection (
   ServerSelectionId SERIAL PRIMARY KEY,
   ServerSelectionName VARCHAR(255) NOT NULL,
   ServerSelectionDescription VARCHAR(255) NOT NULL,
-  ServerSelectionServersId INTEGER [],
+  ServerSelectionServersId INTEGER [] DEFAULT '{}',
   ServerSelectionUsers hstore,
   Dynamique BOOLEAN NOT NULL,
   Requete VARCHAR(255)

src/python/server/server/lib.py

@@ -31,12 +31,12 @@ class Server():
         """
         return list_all_servers(cursor)
 
-    def describe_server(self, cursor, serverid):
+    def describe_server(self, cursor, serverid, environment):
         """Get server information asynchronously from database
 
         :param `int` serverid: server identifier
         """
-        return fetch_server_dict(cursor, serverid)
+        return fetch_server_dict(cursor, serverid, environment)
 
     def create_server(self, cursor, servername, serverdescription, servermodelid):
         """Creates a server in database

src/python/server/server/query.py

@@ -10,6 +10,14 @@ FETCH_ALL_SERVERS = '''
     FROM server
  '''
 
+"""
+Fetch one server based on its ID
+"""
+FETCH_SERVER_ENV = '''
+    SELECT serverid, servername, serverdescription, servermodelid, zoneid, machineid, automation, serverenvironment, lastpeerconnection
+    FROM server
+    WHERE serverid = %s
+'''
 """
 Fetch one server based on its ID
 """
@@ -150,11 +158,14 @@ def list_all_servers(cursor):
     return ret
 
 
-def fetch_server_dict(cursor, serverid: int):
-    server = fetchone(cursor, FETCH_SERVER, (serverid,), raises=False)
+def fetch_server_dict(cursor, serverid: int, environment: bool):
+    if environment:
+        server = fetchone(cursor, FETCH_SERVER_ENV, (serverid,), raises=False)
+    else:
+        server = fetchone(cursor, FETCH_SERVER, (serverid,), raises=False)
     if server is None:
         raise ServerErrorUnknownServerId(_('Unable to find a server with ID {}').format(serverid))
-    return server_row_to_dict(server, serverenvironment=True)
+    return server_row_to_dict(server, serverenvironment=environment)
 
 
 def fetch_server(cursor, serverid: int):

src/python/server/serverselection/lib.py

@@ -36,38 +36,38 @@ class ServerSelection():
         """
         return fetch_serverselection_dict(cursor, serverselectionid)
     
-    def list_user_serverselections(self, cursor, serverselectionuser):
+    def list_user_serverselections(self, cursor, username):
         """Get serverselections of a user
 
-        :param str serverselectionuser: user name to be add to the serverselection
+        :param str username: user name to be add to the serverselection
         """
-        return fetch_all_user_serverselections(cursor, serverselectionuser)
+        return fetch_all_user_serverselections(cursor, username)
     
-    def list_user_servers(self, cursor, serverselectionuser):
+    def list_user_servers(self, cursor, username):
         """Get serverselections of a user
 
-        :param str serverselectionuser: user name to be add to the serverselection
+        :param str username: user name to be add to the serverselection
         """
-        return fetch_all_user_servers(cursor, serverselectionuser)
+        return fetch_all_user_servers(cursor, username)
     
-    def default_user_serverselection(self, cursor, serverselectionuser):
+    def default_user_serverselection(self, cursor, username):
         """Get the default serverselection of a user
 
-        :param str serverselectionuser: user name to be add to the serverselection
+        :param str username: user name to be add to the serverselection
         """
-        return fetch_default_user_serverselection(cursor, serverselectionuser)
+        return fetch_default_user_serverselection(cursor, username)
 
-    def create_serverselection(self, cursor, serverselectionname, serverselectiondescription, serverselectionuser):
+    def create_serverselection(self, cursor, serverselectionname, serverselectiondescription, username):
         """Creates a serverselection in database
 
         :param str serverselectionname: serverselection name
         :param str serverselectiondescription: servermodel identifier
-        :param str serverselectionuser: user name to be add to the serverselection
-        :param str serverselectionuserrole: user role to be add to the serverselection
+        :param str username: user name to be add to the serverselection
+        :param str usernamerole: user role to be add to the serverselection
         :return: newly created serverselection identifier
         :rtype: int
         """
-        return insert_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser)
+        return insert_serverselection(cursor, serverselectionname, serverselectiondescription, username)
 
     def update_serverselection(self, cursor, serverselectionid, serverselectionname, serverselectiondescription, dynamique, requete):
         """Updates a serverselection in database
@@ -92,28 +92,28 @@ class ServerSelection():
     def erase_serverselection(self, cursor):
         erase_serverselection(cursor)
 
-    def add_server_to_selection(self, cursor, serverselectionserversid, serverselectionid):
+    def add_server_to_selection(self, cursor, serverid, serverselectionid):
         """Add a server to a serverselection in database
 
-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
         :param int serverselectionid: serverselection identifier        
         :return bool: True for addition success, False either
         """
-        return add_server_to_serverselection(cursor, serverselectionserversid, serverselectionid)
+        return add_server_to_serverselection(cursor, serverid, serverselectionid)
     
-    def remove_server_from_selection(self, cursor, serverselectionserversid, serverselectionid):
+    def remove_server_from_selection(self, cursor, serverid, serverselectionid):
         """Remove a server from a serverselection in database
 
-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
         :param int serverselectionid: serverselection identifier        
         :return bool: True for addition success, False either
         """
-        return remove_server_from_serverselection(cursor, serverselectionserversid, serverselectionid)
+        return remove_server_from_serverselection(cursor, serverid, serverselectionid)
     
     def add_user_to_serverselection(self, cursor, serverselectionid, username, role):
         """Add a user to a serverselection
 
-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
         :param str username: user name to be add to the serverseleciton
         :param str role: user role to be add to the serverseleciton    
         :return bool: True for addition success, False either
@@ -123,7 +123,7 @@ class ServerSelection():
     def remove_user_from_serverselection(self, cursor, serverselectionid, username):
         """Remove a user from a serverselection
 
-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
         :param int serverselectionid: serverselection identifier      
         :param str username: user name to be add to the serverseleciton  
         :return bool: True for addition success, False either
@@ -133,7 +133,7 @@ class ServerSelection():
     def update_user_to_serverselection(self, cursor, serverselectionid, username, role):
         """Update a user from a serverselection
 
-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
         :param str username: user name to be add to the serverseleciton
         :param str role: user role to be add to the serverseleciton    
         :return bool: True for addition success, False either
@@ -143,7 +143,7 @@ class ServerSelection():
     def get_serverselection_user_role(self, cursor, serverselectionid, username):
         """Update a user from a serverselection
 
-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
         :param str username: user name to be add to the serverseleciton
         :param str role: user role to be add to the serverseleciton    
         :return bool: True for addition success, False either
@@ -153,7 +153,7 @@ class ServerSelection():
     def get_serverselection_user_server_role(self, cursor, serverid, username):
         """Update a user from a serverselection
 
-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
         :param str username: user name to be add to the serverseleciton
         :param str role: user role to be add to the serverseleciton    
         :return bool: True for addition success, False either

src/python/server/serverselection/query.py

@@ -28,7 +28,7 @@ FETCH_ALL_USER_SERVERSELECTIONS = '''
     FROM serverselection
     WHERE exist(serverselectionusers, %s)
  '''
- 
+
 """
 Fetch the default serverselection of a user
 """
@@ -77,6 +77,7 @@ SERVERSELECTION_ADD_SERVER = '''
     UPDATE serverselection
     SET serverselectionserversid = array_append(serverselectionserversid, %s)
     WHERE serverselectionid = %s
+    AND NOT (%s = ANY (serverselectionserversid))
     RETURNING *
 '''
 
@@ -91,7 +92,7 @@ SERVERSELECTION_REMOVE_SERVER = '''
 '''
 
 """
-Add User and Role to serverselection 
+Add User and Role to serverselection
 """
 SERVERSELECTION_ADD_USER = '''
     UPDATE serverselection
@@ -101,7 +102,7 @@ SERVERSELECTION_ADD_USER = '''
 '''
 
 """
-Remove User from serverselection 
+Remove User from serverselection
 """
 SERVERSELECTION_REMOVE_USER = '''
     UPDATE serverselection
@@ -111,7 +112,7 @@ SERVERSELECTION_REMOVE_USER = '''
 '''
 
 """
-Update User's Role from serverselection 
+Update User's Role from serverselection
 """
 SERVERSELECTION_UPDATE_USER = '''
     UPDATE serverselection
@@ -128,7 +129,7 @@ SERVERSELECTION_USER_SERVER_LIST = '''
     FROM (
         SELECT DISTINCT unnest(serverselectionserversid)
         FROM serverselection
-        WHERE exist(serverselectionusers, %s)) 
+        WHERE exist(serverselectionusers, %s))
     AS dt(c)
 '''
 
@@ -139,6 +140,7 @@ FETCH_ROLE_USER_SERVERSELECTION = '''
     SELECT serverselectionid, serverselectionusers->%s AS role
     FROM serverselection
     WHERE serverselectionid = %s
+    AND serverselectionusers->%s IS NOT NULL
  '''
 
 """
@@ -148,6 +150,7 @@ FETCH_ROLE_USER_SERVER_SERVERSELECTION = '''
     SELECT serverselectionid, serverselectionusers->%s AS role
     FROM serverselection
     WHERE %s = ANY(serverselectionserversid)
+    AND serverselectionusers->%s IS NOT NULL
  '''
 
 """
@@ -170,7 +173,7 @@ def serverselection_row_to_dict(serverselection):
     try:
         serverselection_obj = {'serverselectionid': serverselection['serverselectionid'],
                   'serverselectionname': serverselection['serverselectionname'],
-                  'serverselectiondescription': serverselection['serverselectiondescription']}    
+                  'serverselectiondescription': serverselection['serverselectiondescription']}
         if serverselection['serverselectionserversid'] is not None:
             serverselection_obj['serverselectionserversid'] = serverselection['serverselectionserversid']
         if serverselection['serverselectionusers'] is not None:
@@ -180,32 +183,32 @@ def serverselection_row_to_dict(serverselection):
         if serverselection['requete'] is not None:
             serverselection_obj['requete'] = serverselection['requete']
     except KeyError:
-        serverselection_obj = {}    
-        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))        
+        serverselection_obj = {}
+        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))
     return serverselection_obj
 
-def serverselection_serversid_dict(serverselection):    
-    serverselection_obj = {}    
-    if serverselection['serverselectionserversid'] is not None:        
-        serverselection_obj['serverselectionserversid'] = serverselection['serverselectionserversid']  
+def serverselection_serversid_dict(serverselection):
+    serverselection_obj = {}
+    if serverselection['serverselectionserversid'] is not None:
+        serverselection_obj['serverselectionserversid'] = serverselection['serverselectionserversid']
     return serverselection_obj
 
-def serverselection_role_dict(serverselection, serverselectionuser):    
+def serverselection_role_dict(serverselection, serverselectionuser):
     try:
         serverselection_obj = {'serverselectionid': serverselection['serverselectionid'],
-                        'username': serverselectionuser}    
+                        'username': serverselectionuser}
         if serverselection['role'] is not None:
             serverselection_obj['role'] = serverselection['role']
     except KeyError:
-        serverselection_obj = {}    
-        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))        
+        serverselection_obj = {}
+        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))
     return serverselection_obj
 
 def fetch_serverselection_user_role(cursor, serverselectionuser, serverselectionid):
-    return serverselection_role_dict(fetchone(cursor, FETCH_ROLE_USER_SERVERSELECTION, (serverselectionuser, serverselectionid), raises=True), serverselectionuser)
+    return serverselection_role_dict(fetchone(cursor, FETCH_ROLE_USER_SERVERSELECTION, (serverselectionuser, serverselectionid, serverselectionuser), raises=True), serverselectionuser)
 
 def fetch_serverselection_user_server_role(cursor, serverselectionuser, serverid):
-    cursor.execute(FETCH_ROLE_USER_SERVER_SERVERSELECTION, (serverselectionuser, serverid))
+    cursor.execute(FETCH_ROLE_USER_SERVER_SERVERSELECTION, (serverselectionuser, serverid, serverselectionuser))
     ret = []
     for serverselection in cursor.fetchall():
         ret.append(serverselection_role_dict(serverselection, serverselectionuser))
@@ -214,13 +217,13 @@ def fetch_serverselection_user_server_role(cursor, serverselectionuser, serverid
 def list_all_serverselections(cursor):
     cursor.execute(FETCH_ALL_SERVERSELECTIONS)
     ret = []
-    for serverselection in cursor.fetchall():        
+    for serverselection in cursor.fetchall():
         ret.append(serverselection_row_to_dict(serverselection))
     return ret
 
-def fetch_serverselection_dict(cursor, serverselectionid):   
+def fetch_serverselection_dict(cursor, serverselectionid):
     return serverselection_row_to_dict(fetchone(cursor, FETCH_SERVERSELECTION, (serverselectionid,), raises=True))
-  
+
 def fetch_serverselection(cursor, serverselectionid):
     fetched = fetchone(cursor, FETCH_SERVERSELECTION, (serverselectionid,))
     if fetched is None:
@@ -244,9 +247,9 @@ def fetch_default_user_serverselection(cursor, serverselectionuser):
 
 def fetch_all_user_servers(cursor, serverselectionuser):
     return serverselection_serversid_dict(fetchone(cursor, SERVERSELECTION_USER_SERVER_LIST, (serverselectionuser,), raises=True))
-   
 
-def insert_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser):    
+
+def insert_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser):
     serverselectionuserrolehstore = serverselectionuser + '=>"owner"'
     return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_INSERT, (serverselectionname, serverselectiondescription, serverselectionuserrolehstore), raises=True))
 
@@ -257,7 +260,7 @@ def delete_serverselection(cursor, serverselectionid):
     return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_DELETE, (serverselectionid,), raises=True))
 
 def add_server_to_serverselection(cursor, serverselectionserversid, serverselectionid):
-    return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_ADD_SERVER, (serverselectionserversid, serverselectionid), raises=True))
+    return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_ADD_SERVER, (serverselectionserversid, serverselectionid, serverselectionserversid), raises=True))
 
 def remove_server_from_serverselection(cursor, serverselectionserversid, serverselectionid):
     return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_REMOVE_SERVER, (serverselectionserversid, serverselectionid), raises=True))