Migration 1.9.0-1: recalculate GS security rules.

src/layman/upgrade/__init__.py

@@ -10,7 +10,8 @@
 
 
 DATA_MIGRATIONS = [
-    ((1, 9, 0), [upgrade_v1_9.initialize_data_versioning, ]),
+    ((1, 9, 0), [upgrade_v1_9.initialize_data_versioning,
+                 upgrade_v1_9.geoserver_everyone_rights_repair]),
 ]
 
 

src/layman/upgrade/upgrade_v1_9.py

@@ -1,14 +1,16 @@
 import logging
 
 from layman import settings
-from layman.common.prime_db_schema import util as db_util
+from layman.layer import LAYER_TYPE
+from layman.common import geoserver as gs_common
+from layman.common.prime_db_schema import util as db_util, publications
 DB_SCHEMA = settings.LAYMAN_PRIME_SCHEMA
 
 logger = logging.getLogger(__name__)
 
 
 def initialize_data_versioning():
-    logger.info(f'    Starting data versioning initialization')
+    logger.info(f'    Starting - data versioning initialization')
 
     sql_create_table = f'''CREATE TABLE IF NOT EXISTS {DB_SCHEMA}.data_version
     (
@@ -29,4 +31,19 @@ def initialize_data_versioning():
     sql_insert = f'''insert into {DB_SCHEMA}.data_version (major_version, minor_version, patch_version, migration) values (1, 9, 0, 0);'''
     db_util.run_statement(sql_insert)
 
-    logger.info(f'    Data versioning initialization DONE')
+    logger.info(f'    DONE - data versioning initialization')
+
+
+# repair for issue #200
+def geoserver_everyone_rights_repair():
+    logger.info(f'    Starting - access rights EVERYONE is not propagated to GeoServer for authenticated users')
+    publication_infos = publications.get_publication_infos(pub_type=LAYER_TYPE)
+    for (workspace, publication_type, publication_name), info in publication_infos.items():
+        for right_type in ['read', 'write']:
+            users_roles = info['access_rights'][right_type]
+            security_roles = gs_common.layman_users_to_geoserver_roles(users_roles)
+            logger.info(f'    Setting security roles for: ({workspace}/{publication_name}).{right_type} '
+                        f'to ({security_roles}) from layman roles ({users_roles})')
+            gs_common.ensure_layer_security_roles(workspace, publication_name, security_roles, right_type[0], settings.LAYMAN_GS_AUTH)
+
+    logger.info(f'    DONE - access rights EVERYONE is not propagated to GeoServer for authenticated users')

src/layman/upgrade/upgrade_v1_9_test.py

@@ -0,0 +1,37 @@
+import pytest
+
+from . import upgrade_v1_9
+from layman import settings, app
+from layman.common import geoserver as gs_common
+from test import process_client
+DB_SCHEMA = settings.LAYMAN_PRIME_SCHEMA
+
+auth = settings.LAYMAN_GS_AUTH
+
+
+def assert_roles(workspace,
+                 layer,
+                 expected_roles):
+    for right_type in ['read', 'write']:
+        rule = f'{workspace}.{layer}.{right_type[0]}'
+        roles = gs_common.get_security_roles(rule, auth)
+        assert roles == expected_roles
+
+
+@pytest.mark.usefixtures('ensure_layman')
+def test_geoserver_everyone_rights_repair():
+    workspace = 'test_geoserver_everyone_rights_repair_workspace'
+    layer = 'test_geoserver_everyone_rights_repair_layer'
+    expected_roles1 = {'ROLE_ANONYMOUS'}
+    expected_roles2 = {'ROLE_ANONYMOUS', 'ROLE_AUTHENTICATED'}
+
+    process_client.publish_layer(workspace, layer)
+    for right_type in ['read', 'write']:
+        gs_common.ensure_layer_security_roles(workspace, layer, expected_roles1, right_type[0], auth)
+
+    assert_roles(workspace, layer, expected_roles1)
+
+    with app.app_context():
+        upgrade_v1_9.geoserver_everyone_rights_repair()
+
+    assert_roles(workspace, layer, expected_roles2)