Acl

4648da41 · Matthieu Lamalle · Lionel Morin · 5ba57f2c · 4648da41 · 5ba57f2c
Commit 4648da41 authored Mar 19, 2019 by Matthieu Lamalle Committed by Lionel Morin Mar 19, 2019
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN git clone "${CONTAINERPILOT_REPO_URL}" "/tmp/orchestrate" \

 # API messages description
 ARG MESSAGES_API_REPO_URL=https://gitlab.mim.ovh/EOLE/Zephir/messages-api.git
-ARG MESSAGES_API_REPO_REF=0.0.5-dev
+ARG MESSAGES_API_REPO_REF=0.0.6-dev

 RUN git clone "${MESSAGES_API_REPO_URL}" "/tmp/messages-api" \
    && cd /tmp/messages-api \
@@ -47,13 +47,12 @@ RUN git clone "${MESSAGES_API_REPO_URL}" "/tmp/messages-api" \

 # Common python Zéphir library
 ARG PYTHON_ZEPHIR_REPO_URL=https://gitlab.mim.ovh/EOLE/Zephir/python-zephir.git
-ARG PYTHON_ZEPHIR_REPO_REF=0.0.2-dev
+ARG PYTHON_ZEPHIR_REPO_REF=0.0.3-dev

 RUN git clone "${PYTHON_ZEPHIR_REPO_URL}" "/tmp/python-zephir" \
    && cd /tmp/python-zephir \
    && git checkout "${PYTHON_ZEPHIR_REPO_REF}"

-
 ####
 #### Target layer
 ####
@@ -64,7 +63,7 @@ MAINTAINER Pôle EOLE <eole@ac-dijon.fr>
 # Packages required for working service
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -y && apt-get install -y \
-    gnupg \
+   gnupg \
    jq \
    locales \
    openssl \
@@ -76,6 +75,7 @@ RUN apt-get update -y && apt-get install -y \
    python3-psycopg2 \
    python3-requests \
    python3-yaml \
+    python3-pip \
    sqitch \
    tzdata

@@ -95,6 +95,9 @@ ENV LC_ALL fr_FR.UTF-8
 RUN ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
 RUN dpkg-reconfigure --frontend noninteractive tzdata

+RUN pip3 install casbin
+
+
 # Sqitch
 RUN sqitch config --user user.name 'Equipe EOLE'\
    && sqitch config --user user.email 'eole@ac-dijon.fr'
@@ -115,6 +118,7 @@ COPY --from=build /tmp/orchestrate/${services_conf_filename}.ctmpl ${services_co

 # Install libraries required by service
 COPY --from=build /tmp/python-zephir/zephir /usr/lib/python3/dist-packages/zephir
+COPY --from=build /tmp/python-zephir/acl /etc/acl
 COPY --from=build /tmp/messages-api/messages /srv/messages

 # Manage container with ContainerPilot
@@ -133,3 +137,4 @@ COPY src/python/server /usr/lib/python3/dist-packages/server
 RUN mkdir -p /srv/bin
 COPY scripts/* /srv/bin/
 COPY migrations /migrations
+COPY acl/* /etc/acl/
\ No newline at end of file
--- a/acl/model.conf
+++ b/acl/model.conf
-[request_definition]
-r = sub, obj, act
-
-[policy_definition]
-p = sub, obj, act
-
-[role_definition]
-g = _, _
-
-[policy_effect]
-e = some(where (p.eft == allow))
-
-[matchers]
-m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
\ No newline at end of file
--- a/acl/policy.csv
+++ b/acl/policy.csv
-p, admin, server/*, create
-p, admin, server/*, describe
-p, admin, server/*, delete
-p, admin, server/*, update
+p, admin, v1.server.create, allowed
+p, admin, v1.server.update, allowed
+p, admin, v1.server.delete, allowed

-p, user, server/*, describe
+p, admin, v1.serverselection.create, allowed
+p, admin, v1.serverselection.update, allowed
+p, admin, v1.serverselection.delete, allowed
+p, admin, v1.serverselection.server.add, allowed
+p, admin, v1.serverselection.server.remove, allowed
+p, admin, v1.serverselection.user.add, allowed
+p, admin, v1.serverselection.user.remove, allowed
+p, admin, v1.serverselection.user.update, allowed
+
+p, manager, v1.server.exec.deploy, allowed
+p, manager, v1.server.exec.command, allowed
+p, manager, v1.server.peering-conf.get, allowed
+p, manager, v1.server.exec.list, allowed
+p, manager, v1.server.exec.describe, allowed
+
+p, manager, v1.serverselection.exec.deploy, allowed
+p, manager, v1.serverselection.exec.command, allowed
+
+p, viewer, v1.server.list, allowed
+p, viewer, v1.server.describe, allowed
+p, viewer, v1.server.config.get, allowed
+
+p, viewer, v1.serverselection.list, allowed
+p, viewer, v1.serverselection.describe, allowed

 g, owner, admin
+g, admin, manager
+g, manager, viewer
--- a/migrations/deploy/server_schema.sql
+++ b/migrations/deploy/server_schema.sql
@@ -21,7 +21,7 @@ CREATE TABLE ServerSelection (
  ServerSelectionId SERIAL PRIMARY KEY,
  ServerSelectionName VARCHAR(255) NOT NULL,
  ServerSelectionDescription VARCHAR(255) NOT NULL,
-  ServerSelectionServersId INTEGER [],
+  ServerSelectionServersId INTEGER [] DEFAULT '{}',
  ServerSelectionUsers hstore,
  Dynamique BOOLEAN NOT NULL,
  Requete VARCHAR(255)

--- a/scripts/controller
+++ b/scripts/controller
@@ -22,7 +22,7 @@ from server.serverselection.lib import ServerSelection
 from server.serverselection.error import (ServerSelectionError,
                                 ServerSelectionErrorDatabaseNotAvailable,
                                 ServerSelectionErrorDbConnection,
-                                 ServerSelectionErrorInvalidServerSelectionId,                                 
+                                 ServerSelectionErrorInvalidServerSelectionId,
                                 ServerSelectionErrorServerSelectionNameNotProvided,
                                 ServerSelectionErrorUnknownServerSelectionId,
                                 ServerSelectionErrorDuplicateServerSelectionName,
@@ -43,11 +43,75 @@ class ServerRunner(ZephirCommonController):
        self.serverselection = ServerSelection()
        self.conn = None

+     # GET ROLE
+    def get_profil_for_server(self, cursor, uri, message_arguments):
+        if 'serverid' in message_arguments:
+            server_id = message_arguments['serverid']
+        if 'server_id' in message_arguments:
+            server_id = message_arguments['server_id']
+
+        if '_session_user' not in message_arguments:
+            return 'root'
+        else:
+            profils = self._get_serverselection_user_server_role(cursor, server_id, message_arguments['_session_user']['username'])
+            for profil in profils:
+                if 'role' in profil:
+                    role = profil['role']
+                    if self.policy.enforce(role, uri, 'allowed'):
+                        return role
+            return None
+
+
+    def get_profil_for_serverselection(self, cursor, uri, message_arguments):
+        serverselection_id = message_arguments['serverselectionid']
+        if '_session_user' not in message_arguments:
+            return 'root'
+        else:
+            if message_arguments['_session_user']['profil'] == 'root':
+                role = message_arguments['_session_user']['profil']
+            else:
+                profil = self._get_serverselection_user_role(cursor, serverselection_id, message_arguments['_session_user']['username'])
+                if not 'role' in profil:
+                    return None
+                role = profil['role']
+            if self.policy.enforce(role, uri, 'allowed'):
+                return role
+            return None
+
+    def get_profil_for_all(self, cursor, uri, message_arguments):
+        server_ok = False
+        serverselection_ok = False
+
+        server_role = self.get_profil_for_server(cursor, uri, message_arguments)
+        if server_role is None :
+            return None
+        for role in server_role:
+            if self.policy.enforce(role, uri, 'allowed'):
+                server_ok = True
+        if not server_ok:
+            return None
+
+        serverselection_role = self.get_profil_for_serverselection(cursor, uri, message_arguments)
+        if serverselection_role is None :
+            return None
+        for role in serverselection_role:
+            if self.policy.enforce(role, uri, 'allowed'):
+                serverselection_ok = True
+        if not serverselection_ok:
+            return None
+
+        return role
+
    @register_wamp('v1.server.list', notification_uri=None, database=True)
-    async def list_servers(self, cursor):
+    async def list_servers(self, cursor, _session_user):
        try:
-            return self.server.list_servers(cursor)
-
+            if _session_user['profil'] == 'root':
+                return self.server.list_servers(cursor)
+            else:
+                ret = []
+                for server_id in self._list_user_servers(cursor, _session_user).get('serverselectionserversid', []):
+                    ret.append(self._describe_server(cursor, server_id, False, False))
+                return ret
        except ServerErrorDatabaseNotAvailable as err:
            raise ApplicationError('server.error.database-not-available', reason=str(err))

@@ -57,14 +121,16 @@ class ServerRunner(ZephirCommonController):
        except ServerError as err:
            raise ApplicationError('server.error', reason=str(err))

-    @register_wamp('v1.server.describe', notification_uri=None, database=True)
-    async def describe_server(self, cursor, serverid, configuration):
+    @register_wamp('v1.server.describe', notification_uri=None, database=True, profil_adapter='get_profil_for_server')
+    async def describe_server(self, cursor,_session_user, serverid, configuration):
+        return self._describe_server(cursor, serverid, configuration, True)
+
+    def _describe_server(self, cursor, serverid, configuration, environment):
        try:
-            server = self.server.describe_server(cursor, serverid)
+            server = self.server.describe_server(cursor, serverid, environment)
            if configuration:
                server['configuration'] = serverid
            return server
-
        except ServerErrorDatabaseNotAvailable as err:
            raise ApplicationError('server.error.database-not-available', reason=str(err))
        except ServerErrorDbConnection as err:
@@ -84,6 +150,7 @@ class ServerRunner(ZephirCommonController):
        else:
            return b'{}'

+    #FIXME a supprimer, cf server.describe avec configuration=True
    @register_wamp('v1.server.config.get', notification_uri=None, database=True)
    async def get_config(self, cursor, serverid):
        return {'configuration': serverid}
@@ -95,6 +162,7 @@ class ServerRunner(ZephirCommonController):
            return json.dumps(values).encode()
        else:
            return b'{}'
+    #FIXME END

    @register_wamp('v1.server.create', notification_uri='v1.server.created', database=True)
    async def create_server(self, cursor, _session_user, servername, serverdescription, servermodelid, serverpassphrase):
@@ -125,8 +193,8 @@ class ServerRunner(ZephirCommonController):
        except ServerError as err:
            raise ApplicationError('server.error', reason=str(err))

-    @register_wamp('v1.server.update', notification_uri='v1.server.updated', database=True)
-    async def update_server(self, cursor, serverid, servername, serverdescription):
+    @register_wamp('v1.server.update', notification_uri='v1.server.updated', database=True, profil_adapter='get_profil_for_server')
+    async def update_server(self, cursor, _session_user, serverid, servername, serverdescription):
        try:
            return self.server.update_server(cursor, serverid, servername, serverdescription)

@@ -143,10 +211,11 @@ class ServerRunner(ZephirCommonController):
        except ServerError as err:
            raise ApplicationError('server.error', reason=str(err))

-    @register_wamp('v1.server.delete', notification_uri='v1.server.deleted', database=True)
-    async def delete_server(self, cursor, serverid):
+    @register_wamp('v1.server.delete', notification_uri='v1.server.deleted', database=True, profil_adapter='get_profil_for_server')
+    async def delete_server(self, cursor,_session_user, serverid):
        try:
            return self.server.delete_server(cursor, serverid)
+
        except ServerErrorDatabaseNotAvailable as err:
            raise ApplicationError('server.error.database-not-available', reason=str(err))
        except ServerErrorDbConnection as err:
@@ -158,11 +227,12 @@ class ServerRunner(ZephirCommonController):
        except ServerError as err:
            raise ApplicationError('server.error', reason=str(err))

-    @register_wamp('v1.server.peering-conf.get', notification_uri='v1.server.peering-conf.sent')
-    async def get_peering_conf(self, serverid):
+    @register_wamp('v1.server.peering-conf.get', notification_uri='v1.server.peering-conf.sent', database=True, profil_adapter='get_profil_for_server')
+    async def get_peering_conf(self, cursor, _session_user, serverid):
        try:
            secret = await self.call('v1.vault.secret.get', secretkey="{}_peeringconf".format(serverid))
            return secret['secret']
+
        except ServerErrorPeeringConfNotAvailable as err:
            raise ApplicationError('server.error.peering-conf-not-available', reason=str(err))
        except ServerError as err:
@@ -188,11 +258,8 @@ class ServerRunner(ZephirCommonController):
            raise ApplicationError('server.registering.error',
                                   reason=str(err))

-    @register_wamp('v1.server.exec.command', notification_uri='v1.server.executed', database=True)
-    async def exec_cmd_on_server(self, cursor, server_id, command):
-        return await self._exec_cmd_on_server(cursor, server_id, command)
-
-    async def _exec_cmd_on_server(self, cursor, server_id, command):
+    @register_wamp('v1.server.exec.command', notification_uri='v1.server.executed', database=True, profil_adapter='get_profil_for_server')
+    async def exec_cmd_on_server(self, cursor,_session_user, server_id, command):
        """
        Transfer command transmitted to automation (salt, ...)
        """
@@ -230,8 +297,8 @@ class ServerRunner(ZephirCommonController):
                dico['return'] = result['return']
        return dico

-    @register_wamp('v1.server.exec.list', notification_uri=None, database=True)
-    async def exec_job_on_server(self, cursor, server_id):
+    @register_wamp('v1.server.exec.list', notification_uri=None, database=True, profil_adapter='get_profil_for_server')
+    async def exec_job_on_server(self, cursor,_session_user, server_id):
        automation, automation_command = self.server.get_automation_command(cursor, server_id)
        if automation == 'salt':
            results = await self.call('v1.execution.salt.job.list',
@@ -298,10 +365,10 @@ class ServerRunner(ZephirCommonController):
        except ServerError as err:
            raise ApplicationError('server.error', reason=str(err))

-    @register_wamp('v1.serverselection.list', notification_uri=None, database=True)
-    async def list_serverselections(self, cursor):
+    def _list_user_servers(self, cursor, _session_user):
        try:
-            return self.serverselection.list_serverselections(cursor)
+            username = _session_user['username']
+            return self.serverselection.list_user_servers(cursor, username)

        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
@@ -310,49 +377,70 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))

-    @register_wamp('v1.serverselection.describe', notification_uri=None, database=True)
-    async def describe_serverselection(self, cursor, serverselectionid):
+    @register_wamp('v1.serverselection.list', notification_uri=None, database=True)
+    async def list_serverselections(self, cursor, _session_user):
        try:
-            return self.serverselection.describe_serverselection(cursor, serverselectionid)            
+            if _session_user['profil'] == 'root':
+                return self.serverselection.list_serverselections(cursor)
+            else:
+                return self._list_user_serverselections(cursor, _session_user)

        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
            raise ApplicationError('serverselection.error.db-connection', reason=str(err))
-        except ServerSelectionErrorInvalidServerSelectionId as err:
-            raise ApplicationError('serverselection.error.invalid_server_id', reason=str(err))
-        except ServerSelectionErrorUnknownServerSelectionId as err:
-            raise ApplicationError('serverselection.error.unknown_server_id', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))
-   
+
    @register_wamp('v1.serverselection.user.list', notification_uri=None, database=True)
    async def list_user_serverselections(self, cursor, _session_user):
+        return self._list_user_serverselections(cursor, _session_user)
+
+    def _list_user_serverselections(self, cursor, _session_user):
        try:
-            serverselectionuser = _session_user['username']
-            return self.serverselection.list_user_serverselections(cursor, serverselectionuser)            
-        
+            username = _session_user['username']
+            return self.serverselection.list_user_serverselections(cursor, username)
+
        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
            raise ApplicationError('serverselection.error.db-connection', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))
-    
+
+    @register_wamp('v1.serverselection.describe', notification_uri=None, database=True, profil_adapter='get_profil_for_serverselection')
+    async def describe_serverselection(self, cursor, _session_user, serverselectionid):
+        return self._describe_serverselection(cursor, _session_user, serverselectionid)
+
+    def _describe_serverselection(self, cursor, _session_user, serverselectionid):
+        try:
+            return self.serverselection.describe_serverselection(cursor, serverselectionid)
+
+        except ServerSelectionErrorDatabaseNotAvailable as err:
+            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
+        except ServerSelectionErrorDbConnection as err:
+            raise ApplicationError('serverselection.error.db-connection', reason=str(err))
+        except ServerSelectionErrorInvalidServerSelectionId as err:
+            raise ApplicationError('serverselection.error.invalid_server_id', reason=str(err))
+        except ServerSelectionErrorUnknownServerSelectionId as err:
+            raise ApplicationError('serverselection.error.unknown_server_id', reason=str(err))
+        except ServerSelectionError as err:
+            raise ApplicationError('serverselection.error', reason=str(err))
+
    @register_wamp('v1.serverselection.user.default', notification_uri=None, database=True)
    async def default_user_serverselection(self, cursor, _session_user):
        return self._default_user_serverselection(cursor, _session_user)

    def _default_user_serverselection(self, cursor, _session_user):
        try:
-            serverselectionuser = _session_user['username']            
-            return self.serverselection.default_user_serverselection(cursor, serverselectionuser)  
+            username = _session_user['username']
+            return self.serverselection.default_user_serverselection(cursor, username)

        except ServerSelectionEmptyRecordDatabaseError as err:
-            serverselectionname = serverselectionuser + "_DEFAULT"
-            serverselectiondescription = serverselectionuser + " server selection"
-            self.serverselection.create_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser)
-            return self.serverselection.default_user_serverselection(cursor, serverselectionuser)  
+            serverselectionname = username + "_DEFAULT"
+            serverselectiondescription = username + " server selection"
+            self._create_default_user_serverselection(cursor, serverselectionname, serverselectiondescription, username)
+            return self.serverselection.default_user_serverselection(cursor, username)

        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
@@ -361,40 +449,45 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))

-    @register_wamp('v1.serverselection.user.server.list', notification_uri=None, database=True)
-    async def list_user_servers(self, cursor, _session_user):
+    def _create_default_user_serverselection(self, cursor, serverselectionname, serverselectiondescription, username):
        try:
-            serverselectionuser = _session_user['username']            
-            return self.serverselection.list_user_servers(cursor, serverselectionuser)  
+            return self.serverselection.create_serverselection(cursor, serverselectionname, serverselectiondescription, username)

        except ServerSelectionErrorDatabaseNotAvailable as err:
-            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
+            raise ApplicationError('serverselection.error.database-not-available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
            raise ApplicationError('serverselection.error.db-connection', reason=str(err))
+        except ServerSelectionErrorDuplicateServerSelectionName as err:
+            raise ApplicationError('serverselection.static.create.error.duplicate_serverselection', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))


-
    @register_wamp('v1.serverselection.create', notification_uri=None, database=True)
    async def create_serverselection(self, cursor, serverselectionname, serverselectiondescription, _session_user):
        try:
-            serverselectionuser = _session_user['username']
-            return self.serverselection.create_serverselection(cursor, serverselectionname, serverselectiondescription, serverselectionuser)
+            if _session_user['profil'] in ['root', 'admin'] or ('_DEFAULT' not in serverselectionname and _session_user['profil'] not in ['root', 'admin']):
+                username = _session_user['username']
+                return self.serverselection.create_serverselection(cursor, serverselectionname, serverselectiondescription, username)
+            else:
+                raise Exception(_('Unable to create _DEFAULT serverselection'))

        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database-not-available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
-            raise ApplicationError('serverselection.error.db-connection', reason=str(err))       
+            raise ApplicationError('serverselection.error.db-connection', reason=str(err))
        except ServerSelectionErrorDuplicateServerSelectionName as err:
-            raise ApplicationError('serverselection.static.create.error.duplicate_serverselection', reason=str(err))    
+            raise ApplicationError('serverselection.static.create.error.duplicate_serverselection', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))

-    @register_wamp('v1.serverselection.update', notification_uri=None, database=True)
-    async def update_serverselection(self, cursor, serverselectionid, serverselectionname, serverselectiondescription, dynamique, requete):
-        try:            
-            return self.serverselection.update_serverselection(cursor, serverselectionid, serverselectionname, serverselectiondescription, dynamique, requete)
+    @register_wamp('v1.serverselection.update', notification_uri=None, database=True, profil_adapter='get_profil_for_serverselection')
+    async def update_serverselection(self, cursor,_session_user, serverselectionid, serverselectionname, serverselectiondescription, dynamique, requete):
+        try:
+            if '_DEFAULT' not in serverselectionname:
+                return self.serverselection.update_serverselection(cursor, serverselectionid, serverselectionname, serverselectiondescription, dynamique, requete)
+            else:
+                raise Exception(_('Unable to update _DEFAULT serverselection'))

        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database-not-available', reason=str(err))
@@ -407,10 +500,11 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))

-    @register_wamp('v1.serverselection.delete', notification_uri=None, database=True)
-    async def delete_serverselection(self, cursor, serverselectionid):
+    @register_wamp('v1.serverselection.delete', notification_uri=None, database=True, profil_adapter='get_profil_for_serverselection')
+    async def delete_serverselection(self, cursor,_session_user, serverselectionid):
        try:
            return self.serverselection.delete_serverselection(cursor, serverselectionid)
+
        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
@@ -422,22 +516,23 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))

-    @register_wamp('v1.serverselection.server.add', notification_uri=None, database=True)
-    async def add_server_to_selection(self, cursor, serverselectionserversid, serverselectionid):
+    @register_wamp('v1.serverselection.server.add', notification_uri=None, database=True, profil_adapter='get_profil_for_all')
+    async def add_server_to_selection(self, cursor, _session_user, serverid, serverselectionid):
        try:
-            return self.serverselection.add_server_to_selection(cursor, serverselectionserversid, serverselectionid)
+            return self.serverselection.add_server_to_selection(cursor, serverid, serverselectionid)

        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database-not-available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
-            raise ApplicationError('serverselection.error.db-connection', reason=str(err))       
+            raise ApplicationError('serverselection.error.db-connection', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))
-   
-    @register_wamp('v1.serverselection.server.remove', notification_uri=None, database=True)
-    async def remove_server_from_selection(self, cursor, serverselectionserversid, serverselectionid):
+
+    @register_wamp('v1.serverselection.server.remove', notification_uri=None, database=True, profil_adapter='get_profil_for_serverselection')
+    async def remove_server_from_selection(self, cursor,_session_user, serverid, serverselectionid):
        try:
-            return self.serverselection.remove_server_from_selection(cursor, serverselectionserversid, serverselectionid)
+            return self.serverselection.remove_server_from_selection(cursor, serverid, serverselectionid)
+
        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
@@ -445,14 +540,15 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionErrorInvalidServerSelectionId as err:
            raise ApplicationError('serverselection.error.invalid_serverselection_id', reason=str(err))
        except ServerSelectionErrorUnknownServerSelectionId as err:
-            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))       
+            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))
- 
-    @register_wamp('v1.serverselection.user.add', notification_uri=None, database=True)
-    async def add_user_to_serverselection(self, cursor, serverselectionid, serverselectionuser, serverselectionuserrole):
+
+    @register_wamp('v1.serverselection.user.add', notification_uri=None, database=True, profil_adapter='get_profil_for_serverselection')
+    async def add_user_to_serverselection(self, cursor,_session_user, serverselectionid, username, role):
        try:
-            return self.serverselection.add_user_to_serverselection(cursor, serverselectionid, serverselectionuser, serverselectionuserrole)
+            return self.serverselection.add_user_to_serverselection(cursor, serverselectionid, username, role)
+
        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
@@ -460,14 +556,18 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionErrorInvalidServerSelectionId as err:
            raise ApplicationError('serverselection.error.invalid_serverselection_id', reason=str(err))
        except ServerSelectionErrorUnknownServerSelectionId as err:
-            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))       
+            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))

-    @register_wamp('v1.serverselection.user.remove', notification_uri=None, database=True)
-    async def remove_user_from_serverselection(self, cursor, serverselectionid, serverselectionuser):
+    @register_wamp('v1.serverselection.user.remove', notification_uri=None, database=True, profil_adapter='get_profil_for_serverselection')
+    async def remove_user_from_serverselection(self, cursor, _session_user, serverselectionid, username):
        try:
-            return self.serverselection.remove_user_from_serverselection(cursor, serverselectionid, serverselectionuser)
+            if _session_user['profil'] != 'owner':
+                return self.serverselection.remove_user_from_serverselection(cursor, serverselectionid, username)
+            else:
+                raise Exception(_('Can not remove user with role owner from serverseleciton'))
+
        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
        except ServerSelectionErrorDbConnection as err:
@@ -475,14 +575,14 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionErrorInvalidServerSelectionId as err:
            raise ApplicationError('serverselection.error.invalid_serverselection_id', reason=str(err))
        except ServerSelectionErrorUnknownServerSelectionId as err:
-            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))       
+            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))
-   
-    @register_wamp('v1.serverselection.user.update', notification_uri=None, database=True)
-    async def update_user_to_serverselection(self, cursor, serverselectionid, serverselectionuser, serverselectionuserrole):
+
+    @register_wamp('v1.serverselection.user.update', notification_uri=None, database=True, profil_adapter='get_profil_for_serverselection')
+    async def update_user_to_serverselection(self, cursor,_session_user, serverselectionid, username, role):
        try:
-            return self.serverselection.update_user_to_serverselection(cursor, serverselectionid, serverselectionuser, serverselectionuserrole)
+            return self.serverselection.update_user_to_serverselection(cursor, serverselectionid, username, role)

        except ServerSelectionErrorDatabaseNotAvailable as err:
            raise ApplicationError('serverselection.error.database_not_available', reason=str(err))
@@ -491,15 +591,20 @@ class ServerRunner(ZephirCommonController):
        except ServerSelectionErrorInvalidServerSelectionId as err:
            raise ApplicationError('serverselection.error.invalid_serverselection_id', reason=str(err))
        except ServerSelectionErrorUnknownServerSelectionId as err:
-            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))       
+            raise ApplicationError('serverselection.error.unknown_serverselection_id', reason=str(err))
        except ServerSelectionError as err:
            raise ApplicationError('serverselection.error', reason=str(err))
-    
+
    @register_wamp('v1.serverselection.user.role.get', notification_uri=None, database=True)
-    async def get_serverselection_user_role(self, cursor, serverselectionid, username):
+    async def get_serverselection_user_role(self, cursor, _session_user, serverselectionid, username):
+        return self._get_serverselection_user_role(cursor, serverselectionid, _session_user['username'])
+
+    def _get_serverselection_user_role(self, cursor, serverselectionid, username):
        try:
            return self.serverselection.get_serverselection_user_role(cursor, serverselectionid, username)