From efd0b8acb3f4f098697c8c30bd196dacda39b704 Mon Sep 17 00:00:00 2001
From: Alejandro Sirgo Rica <asirgo@soleta.eu>
Date: Thu, 18 Jul 2024 15:34:09 +0200
Subject: ogcp: add image restrict functionality

Add center scope restriction using /image/restrict.

Add view in Images to update scope permissions.

Disable images in Commands for image update and restore if the
client belongs to a disabled center.

Consolidate template code to render scope selection checkboxes.
---
 ogcp/forms/action_forms.py                |  17 +++-
 ogcp/templates/actions/image_config.html  |  24 ++++++
 ogcp/templates/actions/image_details.html |  22 ++++-
 ogcp/templates/auth/user_form.html        |  13 +--
 ogcp/templates/images.html                |   4 +
 ogcp/templates/scopes_checkbox_group.html |  16 ++++
 ogcp/views.py                             | 130 ++++++++++++++++++++++++------
 7 files changed, 185 insertions(+), 41 deletions(-)
 create mode 100644 ogcp/templates/actions/image_config.html
 create mode 100644 ogcp/templates/scopes_checkbox_group.html

diff --git a/ogcp/forms/action_forms.py b/ogcp/forms/action_forms.py
index e72e37c..82958fb 100644
--- a/ogcp/forms/action_forms.py
+++ b/ogcp/forms/action_forms.py
@@ -7,7 +7,8 @@
 
 from wtforms import (
     Form, SubmitField, HiddenField, SelectField, BooleanField, IntegerField,
-    StringField, RadioField, FormField, FieldList, DecimalField, TextAreaField
+    StringField, RadioField, FormField, FieldList, DecimalField, TextAreaField,
+    SelectMultipleField
 )
 from wtforms.validators import InputRequired
 from flask_wtf import FlaskForm
@@ -236,6 +237,20 @@ class ImageDetailsForm(FlaskForm):
     permissions = StringField(label=_l('Permissions'))
     software_id = StringField(label=_l('Software id'))
     checksum = StringField(label=_l('Checksum'))
+    scopes = SelectMultipleField(
+        label=_l('Allowed scopes'),
+        description=_l('No scope selection gives full access'),
+    )
+
+class ImageConfigForm(FlaskForm):
+    image_id = HiddenField()
+    server = HiddenField()
+    name = HiddenField()
+    scopes = SelectMultipleField(
+        label=_l('Allowed scopes'),
+        description=_l('No scope selection gives full access'),
+    )
+    submit = SubmitField(label=_l('Submit'))
 
 class ServerForm(FlaskForm):
     name = StringField(label=_l('Name'),
diff --git a/ogcp/templates/actions/image_config.html b/ogcp/templates/actions/image_config.html
new file mode 100644
index 0000000..c286683
--- /dev/null
+++ b/ogcp/templates/actions/image_config.html
@@ -0,0 +1,24 @@
+{% extends 'images.html' %}
+{% import "bootstrap/wtf.html" as wtf %}
+
+{% set btn_back = true %}
+
+{% block content %}
+
+<h2 class="mx-5 subhead-heading">{{_('Update image')}}</h2>
+
+<form  class="form mx-5" method="POST" action="{{ url_for('action_image_config') }}">
+    {{ form.hidden_tag() }}
+
+    {{ form.image_id() }}
+    {{ form.server() }}
+    {{ form.name() }}
+
+    {% include 'scopes_checkbox_group.html' %}
+
+    <div class="form-group">
+        {{ form.submit(class="btn btn-primary") }}
+    </div>
+  </form>
+
+{% endblock %}
diff --git a/ogcp/templates/actions/image_details.html b/ogcp/templates/actions/image_details.html
index 87105cb..ab66503 100644
--- a/ogcp/templates/actions/image_details.html
+++ b/ogcp/templates/actions/image_details.html
@@ -7,9 +7,23 @@
 
 <h2 class="mx-5 subhead-heading">{{_('Image details')}}</h2>
 
-{{ wtf.quick_form(form,
-                  method='post',
-                  button_map={'create': 'primary'},
-                  extra_classes="mx-5") }}
+<div class="container mx-5">
+    <form class="form" method="POST">
+        {{ form.hidden_tag() }}
+
+        {% for field in form if field.type != 'CSRFToken' and field.name not in ['scopes'] %}
+        {% if not field.flags.hidden %}
+        <div class="form-group row">
+            <label for="name" class="col-sm-2 col-form-label">{{ field.label.text }}</label>
+            <div class="col-sm-9">
+                {{ field(class="form-control") }}
+            </div>
+        </div>
+        {% endif %}
+        {% endfor %}
+
+        {% include 'scopes_checkbox_group.html' %}
+    </form>
+</div>
 
 {% endblock %}
diff --git a/ogcp/templates/auth/user_form.html b/ogcp/templates/auth/user_form.html
index bd2f396..ae34490 100644
--- a/ogcp/templates/auth/user_form.html
+++ b/ogcp/templates/auth/user_form.html
@@ -104,18 +104,7 @@
             </table>
         </div>
 
-        <div class="form-group">
-            {{ form.scopes.label(class_='form-label') }}
-            <div class="form-text text-muted">{{ form.scopes.description }}</div>
-            <div>
-                {% for value, label, checked in form.scopes.iter_choices() %}
-                    <div class="form-check">
-                        <input class="form-check-input" type="checkbox" name="{{ form.scopes.name }}" value="{{ value }}" {% if checked %} checked {% endif %}>
-                        <label class="form-check-label">{{ label }}</label>
-                    </div>
-                {% endfor %}
-            </div>
-        </div>
+        {% include 'scopes_checkbox_group.html' %}
     </div>
 
     <div class="form-group">
diff --git a/ogcp/templates/images.html b/ogcp/templates/images.html
index 00bb2e4..462e68d 100644
--- a/ogcp/templates/images.html
+++ b/ogcp/templates/images.html
@@ -67,6 +67,10 @@
     <input class="btn btn-light" type="submit" value="{{ _('Delete image') }}"
         form="imagesForm" formaction="{{ url_for('action_image_delete') }}" formmethod="get">
     {% endif %}
+    {% if current_user.get_permission('IMAGE', 'UPDATE') %}
+    <input class="btn btn-light" type="submit" value="{{ _('Update image') }}"
+        form="imagesForm" formaction="{{ url_for('action_image_config') }}" formmethod="get">
+    {% endif %}
 {% endif %}
   {% if btn_back %}
     <button class="btn btn-danger ml-3" type="button" id="backButton" onclick="history.back()">
diff --git a/ogcp/templates/scopes_checkbox_group.html b/ogcp/templates/scopes_checkbox_group.html
new file mode 100644
index 0000000..0ebf15a
--- /dev/null
+++ b/ogcp/templates/scopes_checkbox_group.html
@@ -0,0 +1,16 @@
+{% if form is defined and form.scopes is defined %}
+
+<div class="form-group">
+    {{ form.scopes.label(class_='form-label') }}
+    <div class="mx-4">
+        <div class="form-text text-muted">{{ form.scopes.description }}</div>
+        {% for value, label, checked in form.scopes.iter_choices() %}
+            <div class="form-check">
+                <input class="form-check-input" type="checkbox" name="{{ form.scopes.name }}" value="{{ value }}" {% if checked %} checked {% endif %}>
+                <label class="form-check-label">{{ label }}</label>
+            </div>
+        {% endfor %}
+    </div>
+</div>
+
+{% endif %}
\ No newline at end of file
diff --git a/ogcp/views.py b/ogcp/views.py
index b8f43c7..525ed3a 100644
--- a/ogcp/views.py
+++ b/ogcp/views.py
@@ -14,7 +14,7 @@ from ogcp.forms.action_forms import (
     RoomForm, DeleteRoomForm, CenterForm, DeleteCenterForm, OgliveForm,
     GenericForm, SelectClientForm, ImageUpdateForm, ImportClientsForm,
     ServerForm, DeleteRepositoryForm, RepoForm, FolderForm, CacheForm,
-    ClientMoveForm, RunScriptForm
+    ClientMoveForm, RunScriptForm, ImageConfigForm
 )
 from flask_login import (
     current_user, LoginManager,
@@ -779,22 +779,31 @@ def search_image(images_list, image_id):
             return image
     return False
 
-def get_images_grouped_by_repos_from_server(server):
+def filter_images_allowed_in_center(server, images, center_id):
+    res = []
+    for image in images:
+        r = server.get('/image/restrict', {'image': image['id']})
+        if not r:
+            raise ServerError
+        if r.status_code != requests.codes.ok:
+            raise ServerErrorCode
+        allowed_scopes = r.json().get('scopes')
+        if not allowed_scopes or center_id in allowed_scopes:
+            res.append(image)
+    return res
+
+def get_images_from_repo(server, repo_id):
     r = server.get('/images')
     if not r:
         raise ServerError
     if r.status_code != requests.codes.ok:
         raise ServerErrorCode
     images = r.json()['images']
-    repos={}
-
+    res=[]
     for image in images:
-        repo_id=image['repo_id']
-        if repo_id not in repos:
-            repos[repo_id] = [image]
-        else:
-            repos[repo_id].append(image)
-    return repos
+        if image['repo_id'] == repo_id:
+            res.append(image)
+    return res
 
 def get_clients_repo(server, ips):
     repo_id=None
@@ -912,7 +921,9 @@ def action_image_restore():
             flash(_(f'There was a problem sending the image restore command'), category='error')
         return redirect(url_for('commands'))
     else:
-        ips = parse_elements(request.args.to_dict())
+        params = request.args.to_dict()
+        center_id = int(params.get('scope-center'))
+        ips = parse_elements(params)
         if not validate_elements(ips):
             return redirect(url_for('commands'))
         form.ips.data = ' '.join(ips)
@@ -930,16 +941,19 @@ def action_image_restore():
             flash(_(f'Computers have different repos assigned'), category='error')
             return redirect(url_for('commands'))
         try:
-            images = get_images_grouped_by_repos_from_server(server)
+            images = get_images_from_repo(server, repo_id)
+
+            if not images:
+                flash(_(f'Computer(s) assigned to a repo with no images'), category='error')
+                return redirect(url_for('commands'))
+
+            images = filter_images_allowed_in_center(server, images, center_id)
         except ServerError:
             return ogserver_down('commands')
         except ServerErrorCode:
             return ogserver_error('commands')
 
-        if repo_id not in images:
-            flash(_(f'Computer(s) assigned to a repo with no images'), category='error')
-            return redirect(url_for('commands'))
-        for image in images[repo_id]:
+        for image in images:
             form.image.choices.append((image['id'], image['name']))
 
         part_choices = []
@@ -2276,6 +2290,8 @@ def action_image_create():
                                    if client_repo_id == repo['id']]
         form.repository.render_kw = {'readonly': True}
 
+        form.scopes.choices = get_available_centers()
+
         scopes, clients = get_scopes(set(ips))
         return render_template('actions/image_create.html', form=form,
                                scopes=scopes)
@@ -2326,7 +2342,9 @@ def action_image_update():
                   category='error')
         return redirect(url_for('commands'))
 
-    ips = parse_elements(request.args.to_dict())
+    params = request.args.to_dict()
+    center_id = int(params.get('scope-center'))
+    ips = parse_elements(params)
     if not validate_elements(ips, max_len=1):
         return redirect(url_for('commands'))
     form.ip.data = ' '.join(ips)
@@ -2340,17 +2358,19 @@ def action_image_update():
 
     repo_id = r.json()['repo_id']
     try:
-        images = get_images_grouped_by_repos_from_server(server)
+        images = get_images_from_repo(server, repo_id)
+
+        if not images:
+            flash(_(f'Computer(s) assigned to a repo with no images'), category='error')
+            return redirect(url_for('commands'))
+
+        images = filter_images_allowed_in_center(server, images, center_id)
     except ServerError:
         return ogserver_down('commands')
     except ServerErrorCode:
         return ogserver_error('commands')
 
-    if repo_id not in images:
-        flash(_('Computer is assigned to a repo with no images'),
-              category='error')
-        return redirect(url_for('commands'))
-    for image in images[repo_id]:
+    for image in images:
         form.image.choices.append((image['id'], image['name']))
 
     r = server.get('/client/setup', payload={'client': list(ips)})
@@ -2381,7 +2401,7 @@ def action_image_update():
         )
 
         if part['image']:
-            for image in images[repo_id]:
+            for image in images:
                 if image['id'] == part['image']:
                     part_content[partition_value] = part['image']
                     break
@@ -3450,6 +3470,15 @@ def action_image_info():
     except ServerErrorCode:
         return ogserver_error('images')
 
+    r = server.get('/image/restrict', {'image': image['id']})
+    if not r:
+        raise ServerError
+    if r.status_code != requests.codes.ok:
+        raise ServerErrorCode
+
+    form.scopes.choices = get_available_centers()
+    form.scopes.data = [str(scope) for scope in r.json().get('scopes')]
+
     return render_template('actions/image_details.html', form=form,
                            responses=responses)
 
@@ -3492,6 +3521,59 @@ def action_image_delete():
                                image_name=image_name.split('_', 1)[0], image_id=image_id,
                                responses=responses)
 
+@app.route('/action/image/config', methods=['GET', 'POST'])
+@login_required
+def action_image_config():
+    form = ImageConfigForm(request.form)
+    if request.method == 'POST':
+        image_id = int(form.image_id.data)
+        server = get_server_from_ip_port(form.server.data)
+
+        scope_list = [int(scope) for scope in form.scopes.data]
+
+        payload = {'image': image_id, 'scopes': scope_list}
+
+        r = server.post('/image/restrict', payload)
+        if not r:
+            return ogserver_down('images')
+        if r.status_code != requests.codes.ok:
+            return ogserver_error('images')
+
+        flash(_('Image updated successfully'), category='info')
+        return redirect(url_for('images'))
+    else:
+        params = request.args.to_dict()
+        images = [(name, imgid) for name, imgid in params.items()
+                  if name != 'csrf_token' and name != 'image-server']
+        if not validate_elements(images, max_len=1):
+            return redirect(url_for('images'))
+
+        image_name, image_id = images[0]
+        image_name=image_name.split('_', 1)[0]
+        server = get_server_from_ip_port(params['image-server'])
+
+        form.image_id.data = image_id
+
+        r = server.get('/image/restrict', {'image': int(image_id)})
+        if not r:
+            return ogserver_down('images')
+        if r.status_code != requests.codes.ok:
+            return ogserver_error('images')
+
+        form.server.data = params['image-server']
+        form.scopes.choices = get_available_centers()
+        form.scopes.data = [str(scope) for scope in r.json().get('scopes')]
+
+        try:
+            responses = get_images_grouped_by_repos()
+        except ServerError:
+            return ogserver_down('images')
+        except ServerErrorCode:
+            return ogserver_error('images')
+
+        return render_template('actions/image_config.html', form=form,
+                               responses=responses)
+
 @app.route('/action/log', methods=['GET'])
 @login_required
 def action_legacy_log():
-- 
cgit v1.2.3-18-g5258