From 04eae40df37de2b82baf33649ef8105b00fad499 Mon Sep 17 00:00:00 2001
From: index-git
Date: Wed, 3 Jan 2024 16:36:06 +0100
Subject: [PATCH] Delete technical roles from former GeoServer role service
---
 CHANGELOG.md | 1 +
 src/layman/upgrade/__init__.py | 3 ++
 src/layman/upgrade/upgrade_v1_23.py | 46 ++++++++++++++++++++++++++++-
 3 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32cacec6b..34b72d87a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null.
 - [#165](https://github.com/LayerManager/layman/issues/165) Create DB schema `_role_service` that can be used as [role service](doc/security.md#role-service).
 #### Data migrations
+- [#165](https://github.com/LayerManager/layman/issues/165) Delete technical roles and user-role relations in GeoServer `default` role service, which is now replaced by JDBC role service.
 ### Changes
 - [#165](https://github.com/LayerManager/layman/issues/165) Prior to this version, Layman enabled to use [usernames](doc/models.md#username) and pseudo-role `EVERYONE` in access rights. From now on, Layman accepts also [role names](doc/models.md#role).
 - [#165](https://github.com/LayerManager/layman/issues/165) Roles (except of `EVERYONE`) are managed by [role service](doc/security.md#role-service).
diff --git a/src/layman/upgrade/__init__.py b/src/layman/upgrade/__init__.py
index aa2253819..6f9df0eac 100644
--- a/src/layman/upgrade/__init__.py
+++ b/src/layman/upgrade/__init__.py
@@ -71,6 +71,9 @@
 upgrade_v1_22.remove_authn_txt_files,
 upgrade_v1_22.insert_map_layer_relations,
 ]),
+ ((1, 23, 0), [
+ upgrade_v1_23.delete_user_roles,
+ ]),
 ],
 }
diff --git a/src/layman/upgrade/upgrade_v1_23.py b/src/layman/upgrade/upgrade_v1_23.py
index 06de9bb99..9e084add4 100644
--- a/src/layman/upgrade/upgrade_v1_23.py
+++ b/src/layman/upgrade/upgrade_v1_23.py
@@ -1,8 +1,11 @@
+from urllib.parse import urljoin
 import logging
+import requests
-from geoserver import util as gs_util
+from geoserver import util as gs_util, GS_REST, GS_REST_TIMEOUT
 from db import util as db_util
 from layman import settings
+from layman.common.prime_db_schema import users
 logger = logging.getLogger(__name__)
 DB_SCHEMA = settings.LAYMAN_PRIME_SCHEMA
@@ -124,3 +127,44 @@ def create_role_service_schema():
 db_util.run_statement(create_user_roles_view)
 gs_util.reload(settings.LAYMAN_GS_AUTH)
+
+
+def delete_user_roles():
+ logger.info(f' Delete user roles from GeoServer')
+
+ role_service = 'default'
+ gs_rest_roles_service = urljoin(GS_REST, f'security/roles/service/{role_service}/')
+
+ for user in users.get_usernames():
+ logger.info(f' Delete user {user}')
+ for role in [f'USER_{user}', settings.LAYMAN_GS_ROLE]:
+ r_url = urljoin(gs_rest_roles_service, f'role/{role}/user/{user}/')
+ response = requests.delete(
+ r_url,
+ headers=gs_util.headers_json,
+ auth=settings.LAYMAN_GS_AUTH,
+ timeout=GS_REST_TIMEOUT,
+ )
+ association_not_exists = response.status_code == 404
+ if not association_not_exists:
+ response.raise_for_status()
+
+ response = requests.delete(
+ urljoin(gs_rest_roles_service, 'role/' + role),
+ headers=gs_util.headers_json,
+ auth=settings.LAYMAN_GS_AUTH,
+ timeout=GS_REST_TIMEOUT,
+ )
+ role_not_exists = response.status_code == 404
+ if not role_not_exists:
+ response.raise_for_status()
+
+ response = requests.delete(
+ urljoin(gs_rest_roles_service, 'role/' + settings.LAYMAN_GS_ROLE),
+ headers=gs_util.headers_json,
+ auth=settings.LAYMAN_GS_AUTH,
+ timeout=GS_REST_TIMEOUT,
+ )
+ role_not_exists = response.status_code == 404
+ if not role_not_exists:
+ response.raise_for_status()
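Review bot: In `delete_user_roles` the inner `for role in [f'USER_{user}', settings.LAYMAN_GS_ROLE]` loop deletes each role itself right after its association, so the shared `settings.LAYMAN_GS_ROLE` is removed during the first user's iteration and every later association delete, as well as the final `requests.delete` after the loop, only exercises the tolerated 404 path; if that is not intended, guard the in-loop role deletion with `if role != settings.LAYMAN_GS_ROLE:` and keep the single deletion after the loop. Accepting 404 as "does not exist" also swallows the case where the `default` role service is absent or renamed — then every call returns 404, the migration completes without error, and the technical roles and user-role relations stay live in GeoServer; a `requests.get(gs_rest_roles_service, ...)` followed by `raise_for_status()` before the loop would make that failure visible (assuming GeoServer answers 404 for an unknown service, which I could not confirm from the hunk). The function also has no docstring; something like `"""Remove the technical USER_<username> roles, LAYMAN_GS_ROLE and their user associations from GeoServer's 'default' role service, which the JDBC role service replaces."""` would document the intent.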