Merge branch 'acl' into 'develop'

Acl See merge request !7

Merge branch 'acl' into 'develop'
Acl See merge request !7
00976788 · Lionel Morin · 5ba57f2c · 4648da41 · 00976788 · 5ba57f2c
Commit 00976788 authored Mar 19, 2019 by Lionel Morin
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN git clone "${CONTAINERPILOT_REPO_URL}" "/tmp/orchestrate" \

 # API messages description
 ARG MESSAGES_API_REPO_URL=https://gitlab.mim.ovh/EOLE/Zephir/messages-api.git
-ARG MESSAGES_API_REPO_REF=0.0.5-dev
+ARG MESSAGES_API_REPO_REF=0.0.6-dev

 RUN git clone "${MESSAGES_API_REPO_URL}" "/tmp/messages-api" \
    && cd /tmp/messages-api \
@@ -47,13 +47,12 @@ RUN git clone "${MESSAGES_API_REPO_URL}" "/tmp/messages-api" \

 # Common python Zéphir library
 ARG PYTHON_ZEPHIR_REPO_URL=https://gitlab.mim.ovh/EOLE/Zephir/python-zephir.git
-ARG PYTHON_ZEPHIR_REPO_REF=0.0.2-dev
+ARG PYTHON_ZEPHIR_REPO_REF=0.0.3-dev

 RUN git clone "${PYTHON_ZEPHIR_REPO_URL}" "/tmp/python-zephir" \
    && cd /tmp/python-zephir \
    && git checkout "${PYTHON_ZEPHIR_REPO_REF}"

-
 ####
 #### Target layer
 ####
@@ -64,7 +63,7 @@ MAINTAINER Pôle EOLE <eole@ac-dijon.fr>
 # Packages required for working service
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -y && apt-get install -y \
-    gnupg \
+   gnupg \
    jq \
    locales \
    openssl \
@@ -76,6 +75,7 @@ RUN apt-get update -y && apt-get install -y \
    python3-psycopg2 \
    python3-requests \
    python3-yaml \
+    python3-pip \
    sqitch \
    tzdata

@@ -95,6 +95,9 @@ ENV LC_ALL fr_FR.UTF-8
 RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
 RUN dpkg-reconfigure --frontend noninteractive tzdata

+RUN pip3 install casbin
+
+
 # Sqitch
 RUN sqitch config --user user.name 'Equipe EOLE'\
    && sqitch config --user user.email 'eole@ac-dijon.fr'
@@ -115,6 +118,7 @@ COPY --from=build /tmp/orchestrate/${services_conf_filename}.ctmpl ${services_co

 # Install libraries required by service
 COPY --from=build /tmp/python-zephir/zephir /usr/lib/python3/dist-packages/zephir
+COPY --from=build /tmp/python-zephir/acl /etc/acl
 COPY --from=build /tmp/messages-api/messages /srv/messages

 # Manage container with ContainerPilot
@@ -133,3 +137,4 @@ COPY src/python/server /usr/lib/python3/dist-packages/server
 RUN mkdir -p /srv/bin
 COPY scripts/* /srv/bin/
 COPY migrations /migrations
+COPY acl/* /etc/acl/
\ No newline at end of file
--- a/acl/model.conf
+++ b/acl/model.conf
-[request_definition]
-r = sub, obj, act
-
-[policy_definition]
-p = sub, obj, act
-
-[role_definition]
-g = _, _
-
-[policy_effect]
-e = some(where (p.eft == allow))
-
-[matchers]
-m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
\ No newline at end of file
--- a/acl/policy.csv
+++ b/acl/policy.csv
-p, admin, server/*, create
-p, admin, server/*, describe
-p, admin, server/*, delete
-p, admin, server/*, update
+p, admin, v1.server.create, allowed
+p, admin, v1.server.update, allowed
+p, admin, v1.server.delete, allowed

-p, user, server/*, describe
+p, admin, v1.serverselection.create, allowed
+p, admin, v1.serverselection.update, allowed
+p, admin, v1.serverselection.delete, allowed
+p, admin, v1.serverselection.server.add, allowed
+p, admin, v1.serverselection.server.remove, allowed
+p, admin, v1.serverselection.user.add, allowed
+p, admin, v1.serverselection.user.remove, allowed
+p, admin, v1.serverselection.user.update, allowed
+
+p, manager, v1.server.exec.deploy, allowed
+p, manager, v1.server.exec.command, allowed
+p, manager, v1.server.peering-conf.get, allowed
+p, manager, v1.server.exec.list, allowed
+p, manager, v1.server.exec.describe, allowed
+
+p, manager, v1.serverselection.exec.deploy, allowed
+p, manager, v1.serverselection.exec.command, allowed
+
+p, viewer, v1.server.list, allowed
+p, viewer, v1.server.describe, allowed
+p, viewer, v1.server.config.get, allowed
+
+p, viewer, v1.serverselection.list, allowed
+p, viewer, v1.serverselection.describe, allowed

 g, owner, admin
+g, admin, manager
+g, manager, viewer
--- a/migrations/deploy/server_schema.sql
+++ b/migrations/deploy/server_schema.sql
@@ -21,7 +21,7 @@ CREATE TABLE ServerSelection (
  ServerSelectionId SERIAL PRIMARY KEY,
  ServerSelectionName VARCHAR(255) NOT NULL,
  ServerSelectionDescription VARCHAR(255) NOT NULL,
-  ServerSelectionServersId INTEGER [],
+  ServerSelectionServersId INTEGER [] DEFAULT '{}',
  ServerSelectionUsers hstore,
  Dynamique BOOLEAN NOT NULL,
  Requete VARCHAR(255)

--- a/scripts/controller
+++ b/scripts/controller
--- a/src/python/server/server/lib.py
+++ b/src/python/server/server/lib.py
@@ -31,12 +31,12 @@ class Server():
        """
        return list_all_servers(cursor)

-    def describe_server(self, cursor, serverid):
+    def describe_server(self, cursor, serverid, environment):
        """Get server information asynchronously from database

        :param `int` serverid: server identifier
        """
-        return fetch_server_dict(cursor, serverid)
+        return fetch_server_dict(cursor, serverid, environment)

    def create_server(self, cursor, servername, serverdescription, servermodelid):
        """Creates a server in database

--- a/src/python/server/server/query.py
+++ b/src/python/server/server/query.py
@@ -10,6 +10,14 @@ FETCH_ALL_SERVERS = '''
    FROM server
 '''

+"""
+Fetch one server based on its ID
+"""
+FETCH_SERVER_ENV = '''
+    SELECT serverid, servername, serverdescription, servermodelid, zoneid, machineid, automation, serverenvironment, lastpeerconnection
+    FROM server
+    WHERE serverid = %s
+'''
 """
 Fetch one server based on its ID
 """
@@ -150,11 +158,14 @@ def list_all_servers(cursor):
    return ret


-def fetch_server_dict(cursor, serverid: int):
-    server = fetchone(cursor, FETCH_SERVER, (serverid,), raises=False)
+def fetch_server_dict(cursor, serverid: int, environment: bool):
+    if environment:
+        server = fetchone(cursor, FETCH_SERVER_ENV, (serverid,), raises=False)
+    else:
+        server = fetchone(cursor, FETCH_SERVER, (serverid,), raises=False)
    if server is None:
        raise ServerErrorUnknownServerId(_('Unable to find a server with ID {}').format(serverid))
-    return server_row_to_dict(server, serverenvironment=True)
+    return server_row_to_dict(server, serverenvironment=environment)


 def fetch_server(cursor, serverid: int):

--- a/src/python/server/serverselection/lib.py
+++ b/src/python/server/serverselection/lib.py
@@ -36,38 +36,38 @@ class ServerSelection():
        """
        return fetch_serverselection_dict(cursor, serverselectionid)
    
-    def list_user_serverselections(self, cursor, serverselectionuser):
+    def list_user_serverselections(self, cursor, username):
        """Get serverselections of a user

-        :param str serverselectionuser: user name to be add to the serverselection
+        :param str username: user name to be add to the serverselection
        """
-        return fetch_all_user_serverselections(cursor, serverselectionuser)
+        return fetch_all_user_serverselections(cursor, username)
    
-    def list_user_servers(self, cursor, serverselectionuser):
+    def list_user_servers(self, cursor, username):
        """Get serverselections of a user

-        :param str serverselectionuser: user name to be add to the serverselection
+        :param str username: user name to be add to the serverselection
        """
-        return fetch_all_user_servers(cursor, serverselectionuser)
+        return fetch_all_user_servers(cursor, username)
    
-    def default_user_serverselection(self, cursor, serverselectionuser):
+    def default_user_serverselection(self, cursor, username):
        """Get the default serverselection of a user

-        :param str serverselectionuser: user name to be add to the serverselection
+        :param str username: user name to be add to the serverselection
        """
-        return fetch_default_user_serverselection(cursor, serverselectionuser)
+        return fetch_default_user_serverselection(cursor, username)

-    def create_serverselection(self, cursor, serverselectionname, serverselectiondescription, serverselectionuser):
+    def create_serverselection(self, cursor, serverselectionname, serverselectiondescription, username):
        """Creates a serverselection in database

        :param str serverselectionname: serverselection name
        :param str serverselectiondescription: servermodel identifier
-        :param str serverselectionuser: user name to be add to the serverselection
-        :param str serverselectionuserrole: user role to be add to the serverselection
+        :param str username: user name to be add to the serverselection
+        :param str usernamerole: user role to be add to the serverselection
        :return: newly created serverselection identifier
        :rtype: int
        """
-        return insert_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser)
+        return insert_serverselection(cursor, serverselectionname, serverselectiondescription, username)

    def update_serverselection(self, cursor, serverselectionid, serverselectionname, serverselectiondescription, dynamique, requete):
        """Updates a serverselection in database
@@ -92,28 +92,28 @@ class ServerSelection():
    def erase_serverselection(self, cursor):
        erase_serverselection(cursor)

-    def add_server_to_selection(self, cursor, serverselectionserversid, serverselectionid):
+    def add_server_to_selection(self, cursor, serverid, serverselectionid):
        """Add a server to a serverselection in database

-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
        :param int serverselectionid: serverselection identifier        
        :return bool: True for addition success, False either
        """
-        return add_server_to_serverselection(cursor, serverselectionserversid, serverselectionid)
+        return add_server_to_serverselection(cursor, serverid, serverselectionid)
    
-    def remove_server_from_selection(self, cursor, serverselectionserversid, serverselectionid):
+    def remove_server_from_selection(self, cursor, serverid, serverselectionid):
        """Remove a server from a serverselection in database

-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
        :param int serverselectionid: serverselection identifier        
        :return bool: True for addition success, False either
        """
-        return remove_server_from_serverselection(cursor, serverselectionserversid, serverselectionid)
+        return remove_server_from_serverselection(cursor, serverid, serverselectionid)
    
    def add_user_to_serverselection(self, cursor, serverselectionid, username, role):
        """Add a user to a serverselection

-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
        :param str username: user name to be add to the serverseleciton
        :param str role: user role to be add to the serverseleciton    
        :return bool: True for addition success, False either
@@ -123,7 +123,7 @@ class ServerSelection():
    def remove_user_from_serverselection(self, cursor, serverselectionid, username):
        """Remove a user from a serverselection

-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
        :param int serverselectionid: serverselection identifier      
        :param str username: user name to be add to the serverseleciton  
        :return bool: True for addition success, False either
@@ -133,7 +133,7 @@ class ServerSelection():
    def update_user_to_serverselection(self, cursor, serverselectionid, username, role):
        """Update a user from a serverselection

-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
        :param str username: user name to be add to the serverseleciton
        :param str role: user role to be add to the serverseleciton    
        :return bool: True for addition success, False either
@@ -143,7 +143,7 @@ class ServerSelection():
    def get_serverselection_user_role(self, cursor, serverselectionid, username):
        """Update a user from a serverselection

-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
        :param str username: user name to be add to the serverseleciton
        :param str role: user role to be add to the serverseleciton    
        :return bool: True for addition success, False either
@@ -153,7 +153,7 @@ class ServerSelection():
    def get_serverselection_user_server_role(self, cursor, serverid, username):
        """Update a user from a serverselection

-        :param int serverselectionserversid: server identifier
+        :param int serverid: server identifier
        :param str username: user name to be add to the serverseleciton
        :param str role: user role to be add to the serverseleciton    
        :return bool: True for addition success, False either

--- a/src/python/server/serverselection/query.py
+++ b/src/python/server/serverselection/query.py
@@ -28,7 +28,7 @@ FETCH_ALL_USER_SERVERSELECTIONS = '''
    FROM serverselection
    WHERE exist(serverselectionusers, %s)
 '''
- 
+
 """
 Fetch the default serverselection of a user
 """
@@ -77,6 +77,7 @@ SERVERSELECTION_ADD_SERVER = '''
    UPDATE serverselection
    SET serverselectionserversid = array_append(serverselectionserversid, %s)
    WHERE serverselectionid = %s
+    AND NOT (%s = ANY (serverselectionserversid))
    RETURNING *
 '''

@@ -91,7 +92,7 @@ SERVERSELECTION_REMOVE_SERVER = '''
 '''

 """
-Add User and Role to serverselection 
+Add User and Role to serverselection
 """
 SERVERSELECTION_ADD_USER = '''
    UPDATE serverselection
@@ -101,7 +102,7 @@ SERVERSELECTION_ADD_USER = '''
 '''

 """
-Remove User from serverselection 
+Remove User from serverselection
 """
 SERVERSELECTION_REMOVE_USER = '''
    UPDATE serverselection
@@ -111,7 +112,7 @@ SERVERSELECTION_REMOVE_USER = '''
 '''

 """
-Update User's Role from serverselection 
+Update User's Role from serverselection
 """
 SERVERSELECTION_UPDATE_USER = '''
    UPDATE serverselection
@@ -128,7 +129,7 @@ SERVERSELECTION_USER_SERVER_LIST = '''
    FROM (
        SELECT DISTINCT unnest(serverselectionserversid)
        FROM serverselection
-        WHERE exist(serverselectionusers, %s)) 
+        WHERE exist(serverselectionusers, %s))
    AS dt(c)
 '''

@@ -139,6 +140,7 @@ FETCH_ROLE_USER_SERVERSELECTION = '''
    SELECT serverselectionid, serverselectionusers->%s AS role
    FROM serverselection
    WHERE serverselectionid = %s
+    AND serverselectionusers->%s IS NOT NULL
 '''

 """
@@ -148,6 +150,7 @@ FETCH_ROLE_USER_SERVER_SERVERSELECTION = '''
    SELECT serverselectionid, serverselectionusers->%s AS role
    FROM serverselection
    WHERE %s = ANY(serverselectionserversid)
+    AND serverselectionusers->%s IS NOT NULL
 '''

 """
@@ -170,7 +173,7 @@ def serverselection_row_to_dict(serverselection):
    try:
        serverselection_obj = {'serverselectionid': serverselection['serverselectionid'],
                  'serverselectionname': serverselection['serverselectionname'],
-                  'serverselectiondescription': serverselection['serverselectiondescription']}    
+                  'serverselectiondescription': serverselection['serverselectiondescription']}
        if serverselection['serverselectionserversid'] is not None:
            serverselection_obj['serverselectionserversid'] = serverselection['serverselectionserversid']
        if serverselection['serverselectionusers'] is not None:
@@ -180,32 +183,32 @@ def serverselection_row_to_dict(serverselection):
        if serverselection['requete'] is not None:
            serverselection_obj['requete'] = serverselection['requete']
    except KeyError:
-        serverselection_obj = {}    
-        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))        
+        serverselection_obj = {}
+        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))
    return serverselection_obj

-def serverselection_serversid_dict(serverselection):    
-    serverselection_obj = {}    
-    if serverselection['serverselectionserversid'] is not None:        
-        serverselection_obj['serverselectionserversid'] = serverselection['serverselectionserversid']  
+def serverselection_serversid_dict(serverselection):
+    serverselection_obj = {}
+    if serverselection['serverselectionserversid'] is not None:
+        serverselection_obj['serverselectionserversid'] = serverselection['serverselectionserversid']
    return serverselection_obj

-def serverselection_role_dict(serverselection, serverselectionuser):    
+def serverselection_role_dict(serverselection, serverselectionuser):
    try:
        serverselection_obj = {'serverselectionid': serverselection['serverselectionid'],
-                        'username': serverselectionuser}    
+                        'username': serverselectionuser}
        if serverselection['role'] is not None:
            serverselection_obj['role'] = serverselection['role']
    except KeyError:
-        serverselection_obj = {}    
-        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))        
+        serverselection_obj = {}
+        raise(ServerSelectionEmptyRecordDatabaseError('No ServerSelection found'))
    return serverselection_obj

 def fetch_serverselection_user_role(cursor, serverselectionuser, serverselectionid):
-    return serverselection_role_dict(fetchone(cursor, FETCH_ROLE_USER_SERVERSELECTION, (serverselectionuser, serverselectionid), raises=True), serverselectionuser)
+    return serverselection_role_dict(fetchone(cursor, FETCH_ROLE_USER_SERVERSELECTION, (serverselectionuser, serverselectionid, serverselectionuser), raises=True), serverselectionuser)

 def fetch_serverselection_user_server_role(cursor, serverselectionuser, serverid):
-    cursor.execute(FETCH_ROLE_USER_SERVER_SERVERSELECTION, (serverselectionuser, serverid))
+    cursor.execute(FETCH_ROLE_USER_SERVER_SERVERSELECTION, (serverselectionuser, serverid, serverselectionuser))
    ret = []
    for serverselection in cursor.fetchall():
        ret.append(serverselection_role_dict(serverselection, serverselectionuser))
@@ -214,13 +217,13 @@ def fetch_serverselection_user_server_role(cursor, serverselectionuser, serverid
 def list_all_serverselections(cursor):
    cursor.execute(FETCH_ALL_SERVERSELECTIONS)
    ret = []
-    for serverselection in cursor.fetchall():        
+    for serverselection in cursor.fetchall():
        ret.append(serverselection_row_to_dict(serverselection))
    return ret

-def fetch_serverselection_dict(cursor, serverselectionid):   
+def fetch_serverselection_dict(cursor, serverselectionid):
    return serverselection_row_to_dict(fetchone(cursor, FETCH_SERVERSELECTION, (serverselectionid,), raises=True))
-  
+
 def fetch_serverselection(cursor, serverselectionid):
    fetched = fetchone(cursor, FETCH_SERVERSELECTION, (serverselectionid,))
    if fetched is None:
@@ -244,9 +247,9 @@ def fetch_default_user_serverselection(cursor, serverselectionuser):

 def fetch_all_user_servers(cursor, serverselectionuser):
    return serverselection_serversid_dict(fetchone(cursor, SERVERSELECTION_USER_SERVER_LIST, (serverselectionuser,), raises=True))
-   

-def insert_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser):    
+
+def insert_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser):
    serverselectionuserrolehstore = serverselectionuser + '=>"owner"'
    return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_INSERT, (serverselectionname, serverselectiondescription, serverselectionuserrolehstore), raises=True))

@@ -257,7 +260,7 @@ def delete_serverselection(cursor, serverselectionid):
    return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_DELETE, (serverselectionid,), raises=True))

 def add_server_to_serverselection(cursor, serverselectionserversid, serverselectionid):
-    return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_ADD_SERVER, (serverselectionserversid, serverselectionid), raises=True))
+    return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_ADD_SERVER, (serverselectionserversid, serverselectionid, serverselectionserversid), raises=True))

 def remove_server_from_serverselection(cursor, serverselectionserversid, serverselectionid):
    return serverselection_row_to_dict(fetchone(cursor, SERVERSELECTION_REMOVE_SERVER, (serverselectionserversid, serverselectionid), raises=True))