Merge branch '8.0-next'

Normation · Jan 5, 2024 · 9deed72 · 9deed72
2 parents 179979b + 0d6f328
commit 9deed72
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 51 deletions.
diff --git a/...tions/src/main/scala/com/normation/plugins/apiauthorizations/UserTokenApiDefinition.scala b/...tions/src/main/scala/com/normation/plugins/apiauthorizations/UserTokenApiDefinition.scala
@@ -87,9 +87,9 @@ class UserApi(
     val schema = API.GetApiToken
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       readApi
-        .getById(ApiAccountId(authzToken.actor.name))
+        .getById(ApiAccountId(authzToken.qc.actor.name))
         .map(RestAccountsResponse.fromRedacted(_))
-        .chainError(s"Error when trying to get user '${authzToken.actor.name}' API token")
+        .chainError(s"Error when trying to get user '${authzToken.qc.actor.name}' API token")
         .toLiftResponseOne(params, schema, None)
     }
   }
@@ -101,20 +101,20 @@ class UserApi(
       val secret  = ApiToken.generate_secret(tokenGenerator)
       val hash    = ApiToken.hash(secret)
       val account = ApiAccount(
-        ApiAccountId(authzToken.actor.name),
+        ApiAccountId(authzToken.qc.actor.name),
         ApiAccountKind.User,
-        ApiAccountName(authzToken.actor.name),
+        ApiAccountName(authzToken.qc.actor.name),
         ApiToken(hash),
-        s"API token for user '${authzToken.actor.name}'",
+        s"API token for user '${authzToken.qc.actor.name}'",
         isEnabled = true,
         now,
         now
       )
 
       writeApi
-        .save(account, ModificationId(uuidGen.newUuid), authzToken.actor)
+        .save(account, ModificationId(uuidGen.newUuid), authzToken.qc.actor)
         .map(RestAccountsResponse.fromUnredacted(_, secret))
-        .chainError(s"Error when trying to save user '${authzToken.actor.name}' API token")
+        .chainError(s"Error when trying to save user '${authzToken.qc.actor.name}' API token")
         .toLiftResponseOne(params, schema, None)
     }
   }
@@ -123,9 +123,9 @@ class UserApi(
     val schema = API.DeleteApiToken
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       writeApi
-        .delete(ApiAccountId(authzToken.actor.name), ModificationId(uuidGen.newUuid), authzToken.actor)
+        .delete(ApiAccountId(authzToken.qc.actor.name), ModificationId(uuidGen.newUuid), authzToken.qc.actor)
         .map(RestAccountIdResponse(_))
-        .chainError(s"Error when trying to delete user '${authzToken.actor.name}' API token")
+        .chainError(s"Error when trying to delete user '${authzToken.qc.actor.name}' API token")
         .toLiftResponseOne(params, schema, None)
     }
   }
@@ -134,9 +134,9 @@ class UserApi(
     val schema = API.UpdateApiToken
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       readApi
-        .getById(ApiAccountId(authzToken.actor.name))
+        .getById(ApiAccountId(authzToken.qc.actor.name))
         .map(RestAccountsResponse.fromRedacted(_))
-        .chainError(s"Error when trying to get user '${authzToken.actor.name}' API token")
+        .chainError(s"Error when trying to get user '${authzToken.qc.actor.name}' API token")
         .toLiftResponseOne(params, schema, None)
     }
   }

diff --git a/...thorizations/src/test/scala/com/normation/plugins/apiauthorizations/api/UserApiTest.scala b/...thorizations/src/test/scala/com/normation/plugins/apiauthorizations/api/UserApiTest.scala
@@ -12,6 +12,7 @@ import com.normation.rudder.api.ApiAccountName
 import com.normation.rudder.api.ApiAuthorization
 import com.normation.rudder.api.ApiToken
 import com.normation.rudder.api.ApiVersion
+import com.normation.rudder.facts.nodes.NodeSecurityContext
 import com.normation.rudder.rest.RestTestSetUp
 import com.normation.rudder.rest.TraitTestApiFromYamlFiles
 import java.nio.file.Files
@@ -59,6 +60,7 @@ class UserApiTest extends Specification with TraitTestApiFromYamlFiles with Logg
       val account                              = RudderAccount.Api(accounts(ApiAccountId("user1")))
       def checkRights(auth: AuthorizationType) = true
       def getApiAuthz                          = ApiAuthorization.RW
+      def nodePerms                            = NodeSecurityContext.All
     }
     val getCurrentUser = user1
   }

diff --git a/auth-backends/src/main/scala/bootstrap/rudder/plugin/AuthBackendsConf.scala b/auth-backends/src/main/scala/bootstrap/rudder/plugin/AuthBackendsConf.scala
@@ -140,7 +140,7 @@ object AuthBackendsConf extends RudderPluginModule {
 
     override def allowedToUseBackend(name: String): Boolean = {
       // same behavior for all authentication backends: only depends on the plugin status
-      pluginStatusService.isEnabled
+      pluginStatusService.isEnabled()
     }
   }
 
@@ -150,7 +150,7 @@ object AuthBackendsConf extends RudderPluginModule {
     override def authenticationBackends:            Set[String] = oauthBackendNames
     override def name:                              String      =
       s"Oauth2 and OpenID Connect authentication backends provider: '${authenticationBackends.mkString("','")}"
-    override def allowedToUseBackend(name: String): Boolean     = pluginStatusService.isEnabled
+    override def allowedToUseBackend(name: String): Boolean     = pluginStatusService.isEnabled()
   })
 
   lazy val isOauthConfiguredByUser = {

diff --git a/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala b/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala
@@ -286,7 +286,7 @@ object ChangeValidationConf extends RudderPluginModule {
           roChangeRequestRepository,
           RudderConfig.roRuleRepository,
           RudderConfig.roNodeGroupRepository,
-          RudderConfig.nodeInfoService
+          RudderConfig.nodeFactRepository
         )
       ),
       () => RudderConfig.configService.rudder_workflow_enabled().toBox,

diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/DataTypes.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/DataTypes.scala
@@ -71,7 +71,7 @@ object ChangeValidationLoggerPure extends NamedZioLogger {
 }
 
 /**
-  * Case class used for serializing and deserializing the list of supervised targets from 
+  * Case class used for serializing and deserializing the list of supervised targets from
   * the old file format.
   */
 final case class OldFileFormat(supervised: List[String])

diff --git a/...e-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala b/...e-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala
@@ -4,19 +4,20 @@ import com.normation.box._
 import com.normation.errors.IOResult
 import com.normation.eventlog.EventActor
 import com.normation.inventory.domain.NodeId
-import com.normation.rudder.domain.nodes.NodeInfo
 import com.normation.rudder.domain.policies.Rule
 import com.normation.rudder.domain.policies.SimpleTarget
+import com.normation.rudder.facts.nodes.NodeFactRepository
+import com.normation.rudder.facts.nodes.QueryContext
 import com.normation.rudder.repository.FullNodeGroupCategory
 import com.normation.rudder.repository.RoNodeGroupRepository
 import com.normation.rudder.repository.RoRuleRepository
-import com.normation.rudder.services.nodes.NodeInfoService
 import com.normation.rudder.services.workflows.DirectiveChangeRequest
 import com.normation.rudder.services.workflows.GlobalParamChangeRequest
 import com.normation.rudder.services.workflows.NodeGroupChangeRequest
 import com.normation.rudder.services.workflows.RuleChangeRequest
 import net.liftweb.common.Box
 import net.liftweb.common.Full
+import scala.collection.MapView
 
 object bddMock {
   val USER_AUTH_NEEDED = Map(
@@ -59,7 +60,7 @@ class NodeGroupValidationNeeded(
     repos:             RoChangeRequestRepository,
     ruleLib:           RoRuleRepository,
     groupLib:          RoNodeGroupRepository,
-    nodeInfoService:   NodeInfoService
+    nodeFactRepo:      NodeFactRepository
 ) extends ValidationNeeded {
 
   /*
@@ -74,12 +75,13 @@ class NodeGroupValidationNeeded(
   override def forRule(actor: EventActor, change: RuleChangeRequest): Box[Boolean] = {
     val start = System.currentTimeMillis()
     val res   = (for {
-      groups     <- groupLib.getFullGroupLibrary()
-      nodeInfo   <- nodeInfoService.getAll()
-      supervised <- supervisedTargets()
+      groups          <- groupLib.getFullGroupLibrary()
+      // I think it's ok to have that, it will need a deeper change when we will want to have per-tenant change validation
+      arePolicyServer <- nodeFactRepo.getAll()(QueryContext.systemQC)
+      supervised      <- supervisedTargets()
     } yield {
       val targets = Set(change.newRule) ++ change.previousRule.toSet
-      checkNodeTargetByRule(groups, nodeInfo, supervised, targets)
+      checkNodeTargetByRule(groups, arePolicyServer.mapValues(_.rudderSettings.isPolicyServer), supervised, targets)
     }).toBox
     ChangeValidationLogger.Metrics.debug(
       s"Check rule '${change.newRule.name}' [${change.newRule.id.serialize}] change requestion need for validation in ${System
@@ -93,18 +95,18 @@ class NodeGroupValidationNeeded(
    * is supervised.
    */
   def checkNodeTargetByRule(
-      groups:      FullNodeGroupCategory,
-      allNodeInfo: Map[NodeId, NodeInfo],
-      monitored:   Set[SimpleTarget],
-      rules:       Set[Rule]
+      groups:          FullNodeGroupCategory,
+      arePolicyServer: MapView[NodeId, Boolean],
+      monitored:       Set[SimpleTarget],
+      rules:           Set[Rule]
   ): Boolean = {
-    val monitoredNodes = groups.getNodeIds(monitored.map(identity), allNodeInfo)
+    val monitoredNodes = groups.getNodeIds(monitored.map(identity), arePolicyServer)
     val changes        = rules.flatMap(_.targets)
-    val exists         = groups.getNodeIds(changes, allNodeInfo).exists(nodeId => monitoredNodes.contains(nodeId))
+    val exists         = groups.getNodeIds(changes, arePolicyServer).exists(nodeId => monitoredNodes.contains(nodeId))
     // we want to let the log knows why the change request need validation
     if (exists && ChangeValidationLogger.isDebugEnabled) {
       rules.foreach { rule =>
-        groups.getNodeIds(rule.targets, allNodeInfo).find(nodeId => monitoredNodes.contains(nodeId)).foreach { node =>
+        groups.getNodeIds(rule.targets, arePolicyServer).find(nodeId => monitoredNodes.contains(nodeId)).foreach { node =>
           ChangeValidationLogger.debug(
             s"Node '${node.value}' belongs to both a supervised group and is a target of rule '${rule.name}' [${rule.id.serialize}]"
           )
@@ -133,14 +135,14 @@ class NodeGroupValidationNeeded(
     val start = System.currentTimeMillis()
 
     val res = (for {
-      groups      <- groupLib.getFullGroupLibrary()
-      allNodeInfo <- nodeInfoService.getAll()
-      groups      <- groupLib.getFullGroupLibrary()
-      allNodeInfo <- nodeInfoService.getAll()
-      supervised  <- supervisedTargets()
+      groups     <- groupLib.getFullGroupLibrary()
+      nodeFacts  <- nodeFactRepo.getAll()(QueryContext.systemQC)
+      supervised <- supervisedTargets()
     } yield {
       val targetNodes = change.newGroup.serverList ++ change.previousGroup.map(_.serverList).getOrElse(Set())
-      val exists      = groups.getNodeIds(supervised.map(identity), allNodeInfo).find(nodeId => targetNodes.contains(nodeId))
+      val exists      = groups
+        .getNodeIds(supervised.map(identity), nodeFacts.mapValues(_.rudderSettings.isPolicyServer))
+        .find(nodeId => targetNodes.contains(nodeId))
 
       // we want to let the log knows why the change request need validation
       exists.foreach { nodeId =>
@@ -170,9 +172,9 @@ class NodeGroupValidationNeeded(
       newRules    = change.updatedRules
       supervised <- supervisedTargets()
       groups     <- groupLib.getFullGroupLibrary()
-      nodeInfo   <- nodeInfoService.getAll()
+      nodeFacts  <- nodeFactRepo.getAll()(QueryContext.systemQC)
     } yield {
-      checkNodeTargetByRule(groups, nodeInfo, supervised, (rules ++ newRules).toSet)
+      checkNodeTargetByRule(groups, nodeFacts.mapValues(_.rudderSettings.isPolicyServer), supervised, (rules ++ newRules).toSet)
     }).toBox
     ChangeValidationLogger.Metrics.debug(
       s"Check directive '${change.newDirective.name}' [${change.newDirective.id.uid.serialize}] change requestion need for validation in ${System

diff --git a/...lidation/src/main/scala/com/normation/plugins/changevalidation/api/ChangeRequestApi.scala b/...lidation/src/main/scala/com/normation/plugins/changevalidation/api/ChangeRequestApi.scala
@@ -72,7 +72,7 @@ import com.normation.rudder.rest.lift.LiftApiModuleProvider
 import com.normation.rudder.services.workflows.CommitAndDeployChangeRequestService
 import com.normation.rudder.services.workflows.WorkflowLevelService
 import com.normation.rudder.web.services.CurrentUser
-import com.normation.utils.Control.boxSequence
+import com.normation.utils.Control.sequence
 import net.liftweb.common.Box
 import net.liftweb.common.EmptyBox
 import net.liftweb.common.Failure
@@ -228,7 +228,7 @@ class ChangeRequestApiImpl(
 
             for {
               crIds <- readWorkflow.getAllByState(status) ?~ ("Could not fetch ChangeRequests")
-              crs   <- boxSequence(crIds.map(readChangeRequest.get)).map(_.flatten) ?~ ("Could not fetch ChangeRequests")
+              crs   <- sequence(crIds.map(readChangeRequest.get)).map(_.flatten) ?~ ("Could not fetch ChangeRequests")
             } yield {
               val result = JArray(crs.map(serialize(_, status, version)).toList)
               Full(result)
@@ -241,8 +241,8 @@ class ChangeRequestApiImpl(
           checkWorkflow match {
             case Full(_) =>
               (for {
-                res     <- boxSequence(statuses.map(listChangeRequestsByStatus)) ?~ ("Could not fetch ChangeRequests")
-                results <- boxSequence(res) ?~ ("Could not fetch ChangeRequests") ?~ ("Could not fetch ChangeRequests")
+                res     <- sequence(statuses.map(listChangeRequestsByStatus)) ?~ ("Could not fetch ChangeRequests")
+                results <- sequence(res) ?~ ("Could not fetch ChangeRequests") ?~ ("Could not fetch ChangeRequests")
               } yield {
                 val res: JValue = (results foldRight JArray(List()))(concatenateJArray)
                 toJsonResponse(None, res)
@@ -344,7 +344,7 @@ class ChangeRequestApiImpl(
                   )
                 )
             reason    <- restExtractor.extractReason(req) ?~ "There was an error while extracting reason message"
-            result    <- func(crId, authzToken.actor, reason) ?~! (s"Could not decline ChangeRequest ${id}")
+            result    <- func(crId, authzToken.qc.actor, reason) ?~! (s"Could not decline ChangeRequest ${id}")
           } yield {
             val jsonChangeRequest = List(serialize(changeRequest, result, version))
             toJsonResponse(Some(id.toString), ("changeRequests" -> JArray(jsonChangeRequest)))
@@ -417,7 +417,7 @@ class ChangeRequestApiImpl(
                       )
                     )
                 reason    <- restExtractor.extractReason(req) ?~ "There was an error while extracting reason message"
-                result    <- func(crId, authzToken.actor, reason) ?~! (s"Could not accept ChangeRequest ${id}")
+                result    <- func(crId, authzToken.qc.actor, reason) ?~! (s"Could not accept ChangeRequest ${id}")
               } yield {
                 val jsonChangeRequest = List(serialize(changeRequest, result, version))
                 toJsonResponse(Some(id), ("changeRequests" -> JArray(jsonChangeRequest)))
@@ -502,7 +502,7 @@ class ChangeRequestApiImpl(
               toJsonError(Some(id), message)
             } else {
               val newCR = ChangeRequest.updateInfo(changeRequest, newInfo)
-              writeChangeRequest.updateChangeRequest(newCR, authzToken.actor, None) match {
+              writeChangeRequest.updateChangeRequest(newCR, authzToken.qc.actor, None) match {
                 case Full(cr) =>
                   val jsonChangeRequest = List(serialize(cr, status, version))
                   toJsonResponse(Some(id), ("changeRequests" -> JArray(jsonChangeRequest)))

diff --git a/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApiImpl.scala b/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApiImpl.scala
@@ -117,7 +117,7 @@ class DataSourceApiImpl(
     ): LiftResponse = {
       // reloadData OneNode All datasources
       dataSourceRepo
-        .onUserAskUpdateNode(authzToken.actor, NodeId(nodeId))
+        .onUserAskUpdateNode(authzToken.qc.actor, NodeId(nodeId))
         .forkDaemon
         .as(s"Data for node '${nodeId}', for all configured data sources, is going to be updated")
         .toLiftResponseOne(params, schema, None)
@@ -137,7 +137,7 @@ class DataSourceApiImpl(
     ): LiftResponse = {
       // reloadData AllNodes One datasources
       dataSourceRepo
-        .onUserAskUpdateAllNodesFor(authzToken.actor, DataSourceId(datasourceId))
+        .onUserAskUpdateAllNodesFor(authzToken.qc.actor, DataSourceId(datasourceId))
         .forkDaemon
         .as(s"Data for all nodes, for data source '${datasourceId}', are going to be updated")
         .toLiftResponseOne(params, schema, None)
@@ -158,7 +158,7 @@ class DataSourceApiImpl(
       val (datasourceId, nodeId) = ids
       // reloadData OneNode One datasource
       dataSourceRepo
-        .onUserAskUpdateNodeFor(authzToken.actor, NodeId(nodeId), DataSourceId(datasourceId))
+        .onUserAskUpdateNodeFor(authzToken.qc.actor, NodeId(nodeId), DataSourceId(datasourceId))
         .forkDaemon
         .as(s"Data for node '${nodeId}', for data source '${datasourceId}', is going to be updated")
         .toLiftResponseOne(params, schema, None)
@@ -179,7 +179,7 @@ class DataSourceApiImpl(
 
       val modId                 = ModificationId(uuidGen.newUuid)
       def cause(nodeId: NodeId) =
-        UpdateCause(modId, authzToken.actor, Some(s"API request to clear '${datasourceId}' on node '${nodeId.value}'"), false)
+        UpdateCause(modId, authzToken.qc.actor, Some(s"API request to clear '${datasourceId}' on node '${nodeId.value}'"), false)
 
       (for {
         nodes <- nodeInfoService.getAllNodes()
@@ -205,7 +205,7 @@ class DataSourceApiImpl(
       val (datasourceId, nodeId) = ids
       val cause                  = UpdateCause(
         ModificationId(uuidGen.newUuid),
-        authzToken.actor,
+        authzToken.qc.actor,
         Some(s"API request to clear '${datasourceId}' on node '${nodeId}'"),
         false
       )
@@ -227,7 +227,7 @@ class DataSourceApiImpl(
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       // reloadData All Nodes All Datasources
       dataSourceRepo
-        .onUserAskUpdateAllNodes(authzToken.actor)
+        .onUserAskUpdateAllNodes(authzToken.qc.actor)
         .forkDaemon
         .as("Data for all nodes, for all configured data sources are going to be updated")
         .toLiftResponseOne(params, schema, None)
@@ -284,7 +284,7 @@ class DataSourceApiImpl(
                     DataSourceId(sourceId),
                     UpdateCause(
                       ModificationId(uuidGen.newUuid),
-                      authzToken.actor,
+                      authzToken.qc.actor,
                       Some(s"Deletion of datasource '${sourceId}' requested by API")
                     )
                   )