[IMP] cetmix_tower_server: Access rules

Add access rules for tower keys Task: 4300
cetmix · Jan 29, 2025 · 3da1941 · 3da1941
1 parent aa494bb
commit 3da1941
Show file tree

Hide file tree

Showing 9 changed files with 546 additions and 521 deletions.
diff --git a/cetmix_tower_server/README.rst b/cetmix_tower_server/README.rst
diff --git a/cetmix_tower_server/__manifest__.py b/cetmix_tower_server/__manifest__.py
@@ -25,6 +25,7 @@
         "security/cx_tower_variable_value_security.xml",
         "security/cx_tower_plan_security.xml",
         "security/cx_tower_plan_line_security.xml",
+        "security/cx_tower_key_security.xml",
         "security/cx_tower_plan_line_action_security.xml",
         "security/cx_tower_plan_log_security.xml",
         "security/cx_tower_server_log_security.xml",

diff --git a/cetmix_tower_server/models/__init__.py b/cetmix_tower_server/models/__init__.py
@@ -23,3 +23,4 @@
 from . import cx_tower_server_template
 from . import cetmix_tower
 from . import cx_tower_variable_option
+from . import res_partner
diff --git a/cetmix_tower_server/models/res_partner.py b/cetmix_tower_server/models/res_partner.py
@@ -0,0 +1,16 @@
+# Copyright (C) 2025 Cetmix OÜ
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+
+from odoo import fields, models
+
+
+class ResPartner(models.Model):
+    _inherit = "res.partner"
+
+    server_ids = fields.One2many(
+        string="Servers",
+        comodel_name="cx.tower.server",
+        inverse_name="partner_id",
+        help="Cetmix Tower servers that belong to this partner",
+    )
diff --git a/cetmix_tower_server/security/cx_tower_key_security.xml b/cetmix_tower_server/security/cx_tower_key_security.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo>
+
+    <record id="cx_tower_key_rule_group_manager_access" model="ir.rule">
+        <field name="name">Tower Key: manager access rule</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">
+            [
+            "|",
+            "&amp;",
+            ("server_id", "=", False),
+            ("server_ssh_ids", "=", False),
+            "|",
+            "|",
+            ("server_id.message_partner_ids", "in", [user.partner_id.id]),
+            ("server_ssh_ids.message_partner_ids", "in", [user.partner_id.id]),
+            ("partner_id.server_ids.message_partner_ids", "in", [user.partner_id.id]),
+            ]
+        </field>
+        <field name="groups" eval="[(4, ref('cetmix_tower_server.group_manager'))]" />
+    </record>
+
+    <record id="cx_tower_key_rule_group_root_access" model="ir.rule">
+        <field name="name">Tower Key: root access rule</field>
+        <field name="model_id" ref="model_cx_tower_key" />
+        <field name="domain_force">[(1, "=", 1)]</field>
+        <field name="groups" eval="[(4,ref('cetmix_tower_server.group_root'))]" />
+    </record>
+
+</odoo>
diff --git a/cetmix_tower_server/security/ir.model.access.csv b/cetmix_tower_server/security/ir.model.access.csv
@@ -18,7 +18,6 @@ access_command_manager,Command->Manager,model_cx_tower_command,group_manager,1,1
 access_command_root,Command->Root,model_cx_tower_command,group_root,1,1,1,1
 access_execute_command_user,Execute Command->User,model_cx_tower_command_execute_wizard,group_user,1,1,1,1
 access_execute_plan_user,Execute Plan->User,model_cx_tower_plan_execute_wizard,group_user,1,1,1,1
-access_key_user,Key->User,model_cx_tower_key,group_user,1,0,0,0
 access_key_manager,Key->Manager,model_cx_tower_key,group_manager,1,1,1,0
 access_key_root,Key->Root,model_cx_tower_key,group_root,1,1,1,1
 access_command_log_user,Command Log->User,model_cx_tower_command_log,group_user,1,0,0,0

diff --git a/cetmix_tower_server/static/description/index.html b/cetmix_tower_server/static/description/index.html
diff --git a/cetmix_tower_server/tests/test_command.py b/cetmix_tower_server/tests/test_command.py
@@ -511,6 +511,7 @@ def test_execute_command_with_keys(self):
 
     def test_user_access_rule(self):
         """Test user access rule"""
+
         # Create the test command
         test_command = self.Command.create({"name": "Test command"})
 

diff --git a/cetmix_tower_server/tests/test_key.py b/cetmix_tower_server/tests/test_key.py
@@ -30,9 +30,6 @@ def test_key_creation(self):
     def test_key_access_rights(self):
         """Test private key security features"""
 
-        # Default message returned instead of key value
-        SECRET_VALUE_PLACEHOLDER = self.Key.SECRET_VALUE_PLACEHOLDER
-
         # Store key value
         self.write_and_invalidate(self.key_1, **{"secret_value": "pepe"})
 
@@ -45,15 +42,9 @@ def test_key_access_rights(self):
         # Add user to group
         self.add_to_group(self.user_bob, "cetmix_tower_server.group_user")
 
-        # Get value
-        key_value = key_bob.secret_value
-
-        # Ensure placeholder is used instead of the key value
-        self.assertEqual(
-            key_value,
-            SECRET_VALUE_PLACEHOLDER,
-            msg="Must return placeholder '{}'".format(SECRET_VALUE_PLACEHOLDER),
-        )
+        with self.assertRaises(AccessError):
+            # Get value
+            key_value = key_bob.secret_value
 
         # Test write
         with self.assertRaises(AccessError):