Andrew Bogott has uploaded a new change for review.
https://gerrit.wikimedia.org/r/270160
Change subject: Update OpenStackNovaUser to use proper OpenStackNovaProject
calls
......................................................................
Update OpenStackNovaUser to use proper OpenStackNovaProject calls
Previously it dove right into ldap for project info, which won't
work when projects move out of ldap.
Bug: T115029
Change-Id: Iba88ed3417e84763bd04e3907d3c9d0277530edc
---
M nova/OpenStackNovaUser.php
1 file changed, 28 insertions(+), 62 deletions(-)
git pull
ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OpenStackManager
refs/changes/60/270160/1
diff --git a/nova/OpenStackNovaUser.php b/nova/OpenStackNovaUser.php
index 52a12f8..98611e6 100644
--- a/nova/OpenStackNovaUser.php
+++ b/nova/OpenStackNovaUser.php
@@ -162,22 +162,12 @@
global $wgAuth;
global $wgOpenStackManagerLDAPProjectBaseDN;
- # All projects have a owner attribute, project
- # roles do not
$projects = array();
- $filter = "(&(objectclass=groupofnames)(member=$this->userDN))";
- $result = LdapAuthenticationPlugin::ldap_list(
$wgAuth->ldapconn, $wgOpenStackManagerLDAPProjectBaseDN, $filter );
- if ( $result ) {
- $entries = LdapAuthenticationPlugin::ldap_get_entries(
$wgAuth->ldapconn, $result );
- if ( $entries ) {
- # First entry is always a count
- array_shift( $entries );
- foreach ( $entries as $entry ) {
- $projects[] = $entry['cn'][0];
- }
+ $allprojects = OpenStackNovaProject::getAllProjects();
+ foreach ( $allprojects as $project ) {
+ if ( in_array( $this->getUsername(),
$project->getMembers() ) ) {
+ $projects[] = $project->getId();
}
- } else {
- $wgAuth->printDebug( "No result found when searching
for user's projects", NONSENSITIVE );
}
return $projects;
}
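Review bot: The membership test `in_array( $this->getUsername(), $project->getMembers() )` uses PHP's loose comparison, so numeric-looking names such as `"0123"` and `"123"` (constructed example) compare equal. Because this decides project membership, pass the strict flag, `in_array( $this->getUsername(), $project->getMembers(), true )`, provided getMembers() returns strings in the same form as getUsername(), which is not visible here. The same applies to the `in_array` calls in the getRoles, inProject and inRole hunks. The function starts outside this hunk; `global $wgAuth;` and `global $wgOpenStackManagerLDAPProjectBaseDN;` appear to be unused after the change and could be dropped.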
@@ -197,24 +187,19 @@
return $roles;
}
- # All projects have a owner attribute, project
- # roles do not
$roles = array();
- $filter =
"(&(objectclass=organizationalrole)(roleoccupant=$this->userDN))";
- $result = LdapAuthenticationPlugin::ldap_search(
$wgAuth->ldapconn, $wgOpenStackManagerLDAPProjectBaseDN, $filter );
- if ( $result ) {
- $entries = LdapAuthenticationPlugin::ldap_get_entries(
$wgAuth->ldapconn, $result );
- if ( $entries ) {
- # First entry is always a count
- array_shift( $entries );
- foreach ( $entries as $entry ) {
- $roles[] = $entry['cn'][0];
+ $projects = $this->getProjects();
+ foreach ( $projects as $projectid ) {
+ $project = OpenStackNovaProject::getProjectById(
$projectid );
+ $projectroles = $project->getRoles();
+ foreach ( $projectroles as $role ) {
+ if ( in_array( $this->getUsername(),
$role->getMembers() ) ) {
+ $roles[] = $role->getRoleName();
}
}
- $roles = array_unique( $roles );
- } else {
- $wgAuth->printDebug( "No result found when searching
for user's roles", NONSENSITIVE );
}
+
+ $roles = array_unique( $roles );
$key = wfMemcKey( 'openstackmanager', 'roles',
$this->getUsername() );
$wgMemc->set( $key, $roles, '3600' );
return $roles;
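Review bot: The result of `OpenStackNovaProject::getProjectById( $projectid )` is dereferenced by `$project->getRoles()` without a check. If that lookup can return null or false for a project that disappears between the two calls (not visible here), this becomes a fatal error, so add `if ( !$project ) { continue; }` before the inner loop. Separately, the role list is still cached with `'3600'`, while the inRole hunk drops its TTL to 30 seconds because invalidation is hard. If any caller makes access decisions from getRoles(), a revoked role stays effective for up to an hour, so the two TTLs should be aligned or the difference explained in a comment. The function starts outside this hunk.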
@@ -236,19 +221,8 @@
return (bool)$inProject;
}
- $filter =
"(&(cn=$project)(member=$this->userDN)(objectclass=groupofnames))";
- $result = LdapAuthenticationPlugin::ldap_search(
$wgAuth->ldapconn, $wgOpenStackManagerLDAPProjectBaseDN, $filter );
- $ret = false;
- if ( $result ) {
- $entries = LdapAuthenticationPlugin::ldap_get_entries(
$wgAuth->ldapconn, $result );
- if ( $entries ) {
- if ( $entries['count'] == "0" ) {
- $wgAuth->printDebug( "Couldn't find the
user in project: $project", NONSENSITIVE );
- } else {
- $ret = true;
- }
- }
- }
+ $ret = in_array( $project, $this->getProjects() );
+
$wgMemc->set( $key, (int)$ret, $cacheLength );
return $ret;
}
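Review bot: `in_array( $project, $this->getProjects() )` now compares against the `$project->getId()` values collected in getProjects(), so `$project` has to be a project id rather than the `cn` the old LDAP filter matched. The signature and doc comment are outside this hunk, so it is worth confirming that they and the callers say "id". A caller still passing a name would get `false`, and that answer would be cached for `$cacheLength`. A short comment such as `# $project is a project id, as returned by getProjects()` above the line would make the contract explicit.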
@@ -258,40 +232,32 @@
* @param string $projectname
* @return bool
*/
- function inRole( $role, $projectname ) {
+ function inRole( $role, $projectid ) {
global $wgAuth;
global $wgMemc;
- if ( !$projectname ) {
+ if ( !$projectid ) {
return false;
}
- $key = wfMemcKey( 'openstackmanager',
"projectrole-$projectname-$role", $this->userDN );
- $cacheLength = 3600;
+ $key = wfMemcKey( 'openstackmanager',
"projectrole-$projectid-$role", $this->userDN );
$inRole = $wgMemc->get( $key );
if ( is_int( $inRole ) ) {
return (bool)$inRole;
}
- $ret = false;
- # Check project specific role
- $project = OpenStackNovaProject::getProjectByName( $projectname
);
- if ( ! $project ) {
- $wgMemc->set( $key, 0, $cacheLength );
+ $project = new OpenStackNovaProject( $projectid );
+ $role = OpenStackNovaRole::getProjectRoleByName( $role,
$project );
+ if ( ! $role ) {
return false;
}
- $filter = "(&(cn=$role)(roleoccupant=$this->userDN))";
- $result = LdapAuthenticationPlugin::ldap_search(
$wgAuth->ldapconn, $project->projectDN, $filter );
- if ( $result ) {
- $entries = LdapAuthenticationPlugin::ldap_get_entries(
$wgAuth->ldapconn, $result );
- if ( $entries ) {
- if ( $entries['count'] == "0" ) {
- $wgAuth->printDebug( "Couldn't find the
user in role: $role", NONSENSITIVE );
- } else {
- $ret = true;
- }
- }
+
+ $ret = false;
+ if ( in_array( $this->getUsername(), $role->getMembers() ) ) {
+ $ret = true;
}
- $wgMemc->set( $key, (int)$ret, $cacheLength );
+ // Invalidating this properly is hard, so cache just long
enough for a single action
+ $wgMemc->set( $key, (int)$ret, 30 );
+
return $ret;
}
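Review bot: The doc comment above inRole still reads `@param string $projectname` although the parameter is now `$projectid`; update it to `@param string $projectid` so callers know an id is expected. `new OpenStackNovaProject( $projectid )` is also built without the existence check the old `getProjectByName` path had, so an unknown id is only caught if `getProjectRoleByName` returns a falsy value for it, and that branch now returns without caching the negative result. Reassigning `$role` from the role name to the role object is safe only because `$key` is computed first; a separate variable (for example `$roleObj`) would be less fragile. `global $wgAuth;` looks unused here after the change.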
--
To view, visit https://gerrit.wikimedia.org/r/270160
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iba88ed3417e84763bd04e3907d3c9d0277530edc
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OpenStackManager
Gerrit-Branch: wmf/1.27.0-wmf.13
Gerrit-Owner: Andrew Bogott <[email protected]>