blob: 4c7aaa360ddefcee81e48f247f8135e484a26eb8 [file] [log] [blame]
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import logging
from optparse import OptionParser
from pprint import pformat
import bson
from pylons import tmpl_context as c
from ming.base import Object
from allura import model as M
from allura.command.show_models import dfs, build_model_inheritance_graph
log = logging.getLogger('update-acls')
options = None
optparser = OptionParser(usage='allurapaste script <ini file> -- %prog [options] [neighborhood1...]')
optparser.add_option('-t', '--test', dest='test', action='store_true')
main_db = M.main_doc_session.db
c_neighborhood = main_db.neighborhood
c_project = main_db.project
c_user = main_db.user
c_project_role = main_db.project_role
c.project = Object(
database_uri=c_project.find().next()['database_uri'])
project_db = M.project_doc_session.db
c_app_config = project_db.config
def main():
global options
options, neighborhoods = optparser.parse_args()
if neighborhoods:
log.info('Updating neighborhoods: %s', neighborhoods)
q_neighborhoods = list(c_neighborhood.find(dict(name={'$in': neighborhoods })))
neighborhood_ids=[ n['_id'] for n in q_neighborhoods ]
q_projects = list(c_project.find(dict(neighborhood_id={'$in': neighborhood_ids})))
project_ids = list(p['_id'] for p in q_projects)
q_app_config = list(c_app_config.find(dict(project_id={'$in': project_ids})))
log.info('... %d neighborhoods', len(q_neighborhoods))
log.info('... %d projects', len(q_projects))
log.info('... %d app configs', len(q_app_config))
else:
q_neighborhoods = c_neighborhood.find()
q_projects = c_project.find()
q_app_config = c_app_config.find()
log.info('Updating all neighborhoods')
# Update project acls
log.info('====================================')
log.info('Update project ACLs')
for p in q_projects:
update_project_acl(p)
if not options.test: c_project.save(p)
# Update neighborhood acls
log.info('====================================')
log.info('Update neighborhood ACLs')
for n in q_neighborhoods:
p = c_project.find(dict(
neighborhood_id=n['_id'], shortname='--init--')).next()
update_neighborhood_acl(n,p)
if not options.test:
c_neighborhood.save(n)
c_project.save(p)
graph = build_model_inheritance_graph()
# Update app config acls
log.info('====================================')
log.info('Update appconfig ACLs')
for ac in q_app_config:
simple_acl_update(ac, 'app_config')
if not options.test: c_app_config.save(ac)
# Update artifact acls
log.info('====================================')
log.info('Update artifact ACLs for %s', ac['_id'])
for _, a_cls in dfs(M.Artifact, graph):
c_artifact = project_db[a_cls.__mongometa__.name]
for a in c_artifact.find(dict(app_config_id=ac['_id'])):
empty_acl = a['acl'] == []
simple_acl_update(a, a_cls.__mongometa__.name)
if not options.test and not empty_acl: c_artifact.save(a)
def update_project_acl(project_doc):
'''Convert the old dict-style ACL to a list of ALLOW ACEs. Also move the
security,tool,delete perms to 'admin'
'''
if not isinstance(project_doc['acl'], dict):
log.warning('Project %s is already updated', project_doc['shortname'])
return
perm_map = dict(
read='read',
create='create',
update='update',
security='admin',
tool='admin',
delete='admin')
new_acl = []
for perm, role_ids in sorted(project_doc['acl'].iteritems()):
perm = perm_map[perm]
for rid in role_ids:
if c_project_role.find(dict(_id=rid)).count() == 0: continue
_grant(new_acl, perm, rid)
if options.test:
log.info('--- update %s\n%s\n%s\n---',
project_doc['shortname'],
pformat(_format_acd(project_doc['acl'])),
pformat(map(_format_ace, new_acl)))
project_doc['acl'] = new_acl
def update_neighborhood_acl(neighborhood_doc, init_doc):
'''Convert nbhd admins users to --init-- project admins'''
if options.test: log.info('Update nbhd %s', neighborhood_doc['name'])
if 'acl' not in neighborhood_doc:
log.warning('Neighborhood %s already updated', neighborhood_doc['name'])
return
p = Object(init_doc)
p.root_project=p
r_anon = _project_role(init_doc['_id'], '*anonymous')
r_auth = _project_role(init_doc['_id'], '*authenticated')
r_admin = _project_role(init_doc['_id'], 'Admin')
acl = neighborhood_doc['acl']
new_acl = list(init_doc['acl'])
assert acl['read'] == [None] # nbhd should be public
for uid in acl['admin'] + acl['moderate']:
u = c_user.find(dict(_id=uid)).next()
if options.test:
log.info('... grant nbhd admin to: %s', u['username'])
continue
role = _project_role(init_doc['_id'], user_id=uid)
if r_admin['_id'] not in role['roles']:
role['roles'].append(r_admin['_id'])
c_project_role.save(role)
_grant(new_acl, 'read', r_anon['_id'])
_grant(new_acl, 'admin', r_admin['_id'])
_grant(new_acl, 'register', r_admin['_id'])
if acl['create'] == [ ]:
if options.test: log.info('grant register to auth')
_grant(new_acl, 'register', r_auth['_id'])
del neighborhood_doc['acl']
if options.test:
log.info('--- new init acl:\n%s\n%s\n---',
pformat(_format_acd(init_doc['acl'])),
pformat(map(_format_ace, new_acl)))
init_doc['acl'] = new_acl
def _project_role(project_id, name=None, user_id=None):
doc = dict(project_id=project_id)
if name:
doc['name'] = name
else:
doc['user_id'] = user_id
for role in c_project_role.find(doc):
return role
assert name is None
doc.update(
_id=bson.ObjectId(),
roles=[])
c_project_role.save(doc)
return doc
def simple_acl_update(doc, collection_name):
'''Update dict-style to list-style ACL'''
if not isinstance(doc['acl'], dict):
log.warning('Already upgraded %s: %s', collection_name, doc)
return
new_acl = []
for perm, role_ids in sorted(doc['acl'].iteritems()):
for rid in role_ids:
_grant(new_acl, perm, rid)
if options.test and doc['acl']:
log.info('--- update %s %s\n%s\n%s\n---',
collection_name, doc['_id'],
pformat(_format_acd(doc['acl'])),
pformat(map(_format_ace, new_acl)))
doc['acl'] = new_acl
def _grant(acl, permission, role_id):
ace = dict(
access='ALLOW',
permission=permission,
role_id=role_id)
if ace not in acl:
acl.append(ace)
def _format_ace(ace):
if isinstance(ace, basestring): return ace
return '(%s, %s, %s)' % (
ace['access'], ace['permission'], _format_role(ace['role_id']))
def _format_role(rid):
for role in c_project_role.find(dict(_id=rid)):
if role['name']:
return role['name']
if role['user_id']:
u = c_user.find(_id=role['user_id']).next()
return u['username']
break
return '--invalid--'
def _format_acd(acd):
return dict(
(k, map(_format_role, v))
for k,v in acd.iteritems())
if __name__ == '__main__':
main()