Add framework for user groups per application

Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

actions/users

@@ -72,6 +72,9 @@ def parse_arguments():
     subparser.add_argument(
         'username', help='LDAP user to retrieve the groups for')
 
+    subparser = subparsers.add_parser(
+        'get-all-groups', help='Get a list of all the LDAP groups in the system')
+
     subparser = subparsers.add_parser(
         'add-user-to-group', help='Add an LDAP user to an LDAP group')
     subparser.add_argument('username', help='LDAP user to add to group')
@@ -343,6 +346,17 @@ def subcommand_remove_user_from_group(arguments):
     flush_cache()
 
 
+def subcommand_get_all_groups(_):
+    """Get all user groups"""
+    get_groups = "getent group".split()
+    cut_names = "cut -d: -f1".split()
+    groups = subprocess.Popen(get_groups, stdout=subprocess.PIPE, shell=False)
+    trimmed_groups = subprocess.Popen(cut_names, stdin=groups.stdout,
+                                      stdout=subprocess.PIPE, shell=False)
+    groups.stdout.close()
+    print(trimmed_groups.communicate()[0].decode())
+
+
 def flush_cache():
     """Flush nscd cache."""
     _run(['nscd', '--invalidate=passwd'])

data/etc/apache2/conf-available/tt-rss-plinth.conf

@@ -7,10 +7,13 @@ Alias /tt-rss-app /usr/share/tt-rss/www
 
 <Location /tt-rss>
     Include includes/freedombox-single-sign-on.conf
+    <IfModule mod_auth_pubtkt.c>
+        TKTAuthToken "newsfeed" "admin"
+    </IfModule>
 </Location>
 
 <Location /tt-rss-app>
     Include includes/freedombox-auth-ldap.conf
     Require valid-user
-    # TODO Restrict access to `news` group
+    # TODO Restrict access to `newsfeed` group
 </Location>

plinth/modules/ttrss/__init__.py

@@ -28,6 +28,7 @@ from plinth import cfg
 from plinth import frontpage
 from plinth import service as service_module
 from plinth.menu import main_menu
+from plinth.modules.users import add_group
 from .manifest import clients
 
 
@@ -94,6 +95,7 @@ def setup(helper, old_version=None):
             is_enabled=is_enabled, enable=enable, disable=disable)
     helper.call('post', service.notify_enabled, None, True)
     helper.call('post', add_shortcut)
+    add_group('newsfeed')
 
 
 def add_shortcut():

plinth/modules/users/__init__.py

@@ -24,6 +24,7 @@ import subprocess
 
 from plinth import action_utils
 from plinth import actions
+from plinth.errors import ActionError
 from plinth.menu import main_menu
 
 
@@ -94,3 +95,12 @@ def add_group(group):
 def remove_group(group):
     """Remove an LDAP group."""
     actions.superuser_run('users', options=['remove-group', group])
+
+
+def get_all_groups():
+    """Retrieve the set of all LDAP groups in the system"""
+    try:
+        groups = actions.superuser_run('users', options=['get-all-groups'])
+        return set(groups.strip().split())
+    except ActionError:
+        return {}

plinth/modules/users/forms.py

@@ -29,13 +29,22 @@ from plinth import actions
 from plinth.errors import ActionError
 from plinth.modules import first_boot
 from plinth.modules.security import set_restricted_access
+from plinth.modules.users import get_all_groups
 from plinth.utils import is_user_admin
 from plinth import module_loader
 
-GROUP_CHOICES = (
-    ('admin', _('admin')),
-    ('wiki', _('wiki')),
-)
+PLINTH_APP_GROUPS = {
+    'admin',
+    'newsfeed',
+ }
+
+
+def get_group_choices():
+    groups = PLINTH_APP_GROUPS.intersection(get_all_groups())
+    return ((group, _(group)) for group in groups)
+
+
+GROUP_CHOICES = get_group_choices()
 
 
 class ValidNewUsernameCheckMixin(object):