Initial commit: OCA Server Auth packages (29 packages)

odoo-bringout-oca-server-auth-vault/vault/models/vault_right.py

@@ -0,0 +1,110 @@
+# © 2021 Florian Kantelberg - initOS GmbH
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+from odoo import _, api, fields, models
+
+
+class VaultRight(models.Model):
+    _name = "vault.right"
+    _description = _("Vault rights")
+    _inherit = ["vault.abstract"]
+    _order = "user_id"
+
+    vault_id = fields.Many2one(
+        "vault",
+        "Vault",
+        readonly=True,
+        required=True,
+        ondelete="cascade",
+    )
+    master_key = fields.Char(related="vault_id.master_key", readonly=True, store=False)
+    user_id = fields.Many2one(
+        "res.users",
+        "User",
+        domain=[("keys", "!=", False)],
+        required=True,
+    )
+    public_key = fields.Char(compute="_compute_public_key", readonly=True, store=False)
+    perm_create = fields.Boolean(
+        "Create",
+        default=lambda self: self._get_is_owner(),
+        help="Allow to create in the vault",
+    )
+    perm_write = fields.Boolean(
+        "Write",
+        default=lambda self: self._get_is_owner(),
+        help="Allow to write to the vault",
+    )
+    perm_share = fields.Boolean(
+        "Share",
+        default=lambda self: self._get_is_owner(),
+        help="Allow to share a vault with new users",
+    )
+    perm_delete = fields.Boolean(
+        "Delete",
+        default=lambda self: self._get_is_owner(),
+        help="Allow to delete a vault",
+    )
+
+    perm_user = fields.Many2one(related="vault_id.perm_user", store=False)
+    allowed_read = fields.Boolean(related="vault_id.allowed_read", store=False)
+    allowed_create = fields.Boolean(related="vault_id.allowed_create", store=False)
+    allowed_write = fields.Boolean(related="vault_id.allowed_write", store=False)
+    allowed_share = fields.Boolean(related="vault_id.allowed_share", store=False)
+    allowed_delete = fields.Boolean(related="vault_id.allowed_delete", store=False)
+
+    # Encrypted with the public key of the user
+    key = fields.Char()
+
+    _sql_constraints = (
+        ("user_uniq", "UNIQUE(user_id, vault_id)", _("The user must be unique")),
+    )
+
+    def _get_is_owner(self):
+        return self.env.user == self.vault_id.user_id
+
+    @api.depends("user_id")
+    def _compute_public_key(self):
+        for rec in self:
+            rec.public_key = rec.user_id.active_key.public
+
+    def log_access(self):
+        for rec in self:
+            rights = ", ".join(
+                sorted(
+                    ["read"]
+                    + [
+                        right
+                        for right in ["create", "write", "share", "delete"]
+                        if getattr(rec, f"perm_{right}", False)
+                    ]
+                )
+            )
+
+            rec.vault_id.log_info(
+                f"Grant access to user {rec.user_id.display_name}: {rights}"
+            )
+
+    @api.model_create_multi
+    def create(self, vals_list):
+        res = super().create(vals_list)
+        if not res.allowed_share and not res.env.su:
+            self.raise_access_error()
+
+        res.log_access()
+        return res
+
+    def write(self, values):
+        res = super().write(values)
+        perms = ["perm_write", "perm_delete", "perm_share", "perm_create"]
+        if any(x in values for x in perms):
+            self.log_access()
+
+        return res
+
+    def unlink(self):
+        for rec in self:
+            rec.vault_id.log_info(f"Removed user {self.user_id.display_name}")
+            rec.vault_id.reencrypt_required = True
+
+        return super().unlink()