[IMP] cetmix_tower_server: Access rules

[GabbasovDinar]

Added new security rules for tower key management

Task: 4300

Summary by CodeRabbit

• Security Enhancements

  • Added a new security-related XML file for key management.
  • Implemented access control rules for the cx_tower_key model based on user groups and permissions.

• Data Model Updates

  • Introduced server_ids field to link partners with servers.
  • Expanded model relationships to improve data associations.

• Testing Improvements

  • Enhanced test coverage for user access rules.
  • Added comprehensive tests for command and key access permissions.

• Documentation Updates

  • Updated URLs and formatting in the README and HTML documentation to reflect version changes.

[coderabbitai]

Walkthrough

This pull request introduces security enhancements for the Cetmix Tower Server Management application. Key changes include the addition of a new security XML file, an extension of the res.partner model with a server_ids field, and the implementation of access control rules for the cx_tower_key model. These modifications aim to improve access management and establish more granular permissions for users interacting with server and key-related resources.

Changes

File	Change Summary
cetmix_tower_server/__manifest__.py	Added new security XML file "security/cx_tower_key_security.xml" to module data
cetmix_tower_server/models/__init__.py	Added import for res_partner module
cetmix_tower_server/models/res_partner.py	Added server_ids field to ResPartner model, creating a one-to-many relationship with cx.tower.server
cetmix_tower_server/security/cx_tower_key_security.xml	Introduced two access control rules for cx_tower_key model: - Manager access rule with conditional permissions - Root access rule with unrestricted access
cetmix_tower_server/tests/test_command.py	Added test_user_access_rule method to verify command access based on user roles
cetmix_tower_server/tests/test_key.py	Simplified access rights testing by removing placeholder checks
cetmix_tower_server/README.rst	Updated URLs and formatting in documentation
cetmix_tower_server/static/description/index.html	Updated URLs and corrected formatting issues in HTML documentation

Possibly related PRs

• [14.0][IMP] cetmix_tower_server: UI/UX imporovents #134: The main PR adds a new security-related XML file in the manifest, which is related to the security improvements discussed in the retrieved PR that enhances user interface and experience, including access control features.
• [14.0][FIX] cetmix_tower_server: Fix attributes #138: This PR modifies the XML configuration for views, including access control rules, which aligns with the main PR's focus on security management enhancements.
• [14.0] cetmix_tower_server: add files access rules #148: The addition of a new security configuration file in the main PR is directly related to the changes in access rules for file management introduced in this retrieved PR.

Suggested labels

merged 🎉, approved

Suggested reviewers

• ivs-cetmix
• Aldeigja

✨ Finishing Touches

• 📝 Generate Docstrings (Beta)

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

cetmix_tower_server/tests/test_command.py (1)

Line range hint 514-614: Consider breaking down the test into smaller, focused test methods.

While the test provides comprehensive coverage of access rules, it would be more maintainable if split into separate test methods for each scenario (e.g., default access, group membership, follower access).

Consider refactoring like this:

-    def test_user_access_rule(self):
-        """Test user access rule"""
+    def test_default_command_access_level(self):
+        """Test default access level and basic user access"""
+        test_command = self.Command.create({"name": "Test command"})
+        self.assertEqual(test_command.access_level, "2")
+        # ... rest of default access testing
+
+    def test_group_membership_access(self):
+        """Test how group membership affects command access"""
+        test_command = self.Command.create({"name": "Test command"})
+        # ... group membership testing
+
+    def test_follower_access_rules(self):
+        """Test server follower access rules"""
+        test_command = self.Command.create({"name": "Test command"})
+        # ... follower access testing

cetmix_tower_server/security/cx_tower_key_security.xml (1)

4-21: Consider specifying CRUD permissions explicitly.

While default permissions can be relied upon as per the retrieved learning, it's a good practice to explicitly define the intended permissions for clarity and maintainability.

Example:

 <record id="cx_tower_key_rule_group_manager_access" model="ir.rule">
     <field name="name">Tower Key: manager access rule</field>
     <field name="model_id" ref="model_cx_tower_key" />
+    <field name="perm_read" eval="True"/>
+    <field name="perm_write" eval="True"/>
+    <field name="perm_create" eval="True"/>
+    <field name="perm_unlink" eval="True"/>
     ...
 </record>

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aa494bb and ddf1ed4.

⛔ Files ignored due to path filters (1)

• cetmix_tower_server/security/ir.model.access.csv is excluded by !**/*.csv

📒 Files selected for processing (6)

• cetmix_tower_server/__manifest__.py (1 hunks)
• cetmix_tower_server/models/__init__.py (1 hunks)
• cetmix_tower_server/models/res_partner.py (1 hunks)
• cetmix_tower_server/security/cx_tower_key_security.xml (1 hunks)
• cetmix_tower_server/tests/test_command.py (1 hunks)
• cetmix_tower_server/tests/test_key.py (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• cetmix_tower_server/models/init.py

🧰 Additional context used

📓 Learnings (1)

cetmix_tower_server/security/cx_tower_key_security.xml (2)

Learnt from: Aldeigja
PR: cetmix/cetmix-tower#98
File: cetmix_tower_server/security/cx_tower_variable_value_security.xml:99-117
Timestamp: 2024-11-28T20:05:47.614Z
Learning: In Odoo's security model, group rules unify, meaning that access is granted if any rule allows it. Therefore, when a subscription check is already included in a prior rule, subsequent rules can focus solely on other conditions like `create_uid` without duplicating the subscription check.

In `cetmix_tower_server/security/cx_tower_variable_value_security.xml`, when defining access rules for managers deleting their own variable values in server templates, it's sufficient to check `create_uid` if the subscription to the server template has been validated in a previous rule.

Learnt from: Aldeigja
PR: cetmix/cetmix-tower#98
File: cetmix_tower_server/security/cx_tower_plan_line_security.xml:38-50
Timestamp: 2024-11-20T22:04:20.044Z
Learning: In `cetmix_tower_server/security/*.xml` files, when defining access control rules for Odoo models, if the intention is to grant full permissions (read, create, write, unlink) within the domain specified, it is acceptable to omit the `perm_*` fields and rely on default permission values.

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: test with OCB

🔇 Additional comments (5)

cetmix_tower_server/models/res_partner.py (1)

11-15: LGTM! Well-structured field definition.

The One2many field is properly defined with clear naming and correct relationship parameters.

cetmix_tower_server/__manifest__.py (1)

28-28: LGTM! Security file properly declared.

The security file is added in the correct section, maintaining consistency with other security declarations.

cetmix_tower_server/tests/test_key.py (1)

45-47: LGTM! Clear and focused security test.

The test properly verifies access control by asserting the AccessError is raised when attempting unauthorized access.

cetmix_tower_server/security/cx_tower_key_security.xml (2)

11-12: Review the permissive condition for unassigned servers.

The current domain allows access to records where both server_id and server_ssh_ids are False. This might be too permissive as it grants access to orphaned or unassigned keys.

Consider if this is intentional or if additional conditions should be added to restrict access to unassigned keys.

---

27-27: Verify the group reference exists.

The rule references cetmix_tower_server.group_root. Please ensure this group is properly defined in the module's security files.

✅ Verification successful

Group reference verification successful

The group_root is properly defined in cetmix_tower_server/security/cetmix_tower_server_groups.xml, ensuring the security rule's group reference is valid.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the group_root definition exists

# Search for group_root definition in security files
rg -l "id=\"group_root\"" "cetmix_tower_server/security/"

Length of output: 115

[ivs-cetmix]

You have added new access rules. This means you must add access rules to check those new rules to ensure they are working properly.
There must be test for:

1. Keys. Ensure that access rules are respected.
2. Commands: Ensure that new rules don't break the command flow.

User may not have access to a secret, but if he runs a command this secret still needed to be rendered properly.
Eg If someone with the "User" access lever runs a Flight Plan and there is a command that has a secret in it, all 3 steps of the secret resolution must pass:

• Server secret
• Partner secret
• Global secret

[ivs-cetmix]

You have added new access rules. This means you must add access rules to check those new rules to ensure they are working properly.

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's limits when posting large numbers of comments.

Actionable comments posted: 2

🧹 Nitpick comments (6)

cetmix_tower_server/tests/test_command.py (3)

514-514: Consider splitting this test method into smaller, focused test cases.

The test_user_access_rule method covers multiple test scenarios. Consider breaking it down into smaller, focused test methods for better maintainability and readability:

• test_default_command_access_level
• test_user_group_permissions
• test_access_level_modifications
• test_command_visibility
• test_follower_access_rules

---

Line range hint 523-532: Consider enhancing assertion messages.

While the test logic is correct, the assertion messages could be more descriptive:

-self.assertEqual(test_command.access_level, "2")
+self.assertEqual(test_command.access_level, "2", "Default command access level should be 2")

 with self.assertRaises(AccessError):
-    command_name = test_command_1_as_bob.name
+    command_name = test_command_1_as_bob.name  # noqa: F841
+    self.fail("User without proper group access should not be able to read command name")

---

Line range hint 549-558: Consider using parameterized tests for access level checks.

This section tests access level modifications. Consider using parameterized tests to make it more maintainable:

@parameterized.expand([
    ("1", "2", True),  # (initial_level, target_level, should_succeed)
    ("2", "3", False),
])
def test_access_level_modification(self, initial_level, target_level, should_succeed):
    command = self.Command.with_user(self.user_bob).create(
        {"name": "Test Command", "access_level": initial_level}
    )
    if should_succeed:
        command.write({"access_level": target_level})
        self.assertEqual(command.access_level, target_level)
    else:
        with self.assertRaises(AccessError):
            command.write({"access_level": target_level})

cetmix_tower_server/static/description/index.html (3)

472-472: Consider using relative paths for image references.

The documentation uses absolute GitHub raw content URLs for images. This tightly couples the documentation to a specific GitHub repository and branch. Consider using relative paths instead for better maintainability.

Example change for one of the image references:

-<img alt="User profile" src="https://raw.githubusercontent.com/cetmix/cetmix-tower/14.0/cetmix_tower_server/static/description/images/user_profile.png" />
+<img alt="User profile" src="images/user_profile.png" />

Also applies to: 1029-1029, 1166-1166, 1264-1264, 1271-1271

---

1201-1206: Improve clarity of path variable limitations.

The documentation about path variables could be clearer about the limitations and security implications.

Apply this diff to improve the clarity:

-<li><strong>Path</strong>: Directory where command will be executed. Important: this
-field does not support variables! Ensure that user has access to
-this location even if you run command using sudo.</li>
+<li><strong>Path</strong>: Directory where command will be executed. 
+<strong>Important security note</strong>: 
+- This field does not support variable substitution
+- Ensure the executing user has appropriate filesystem permissions for this path
+- Access rights must be verified even when using sudo execution
+</li>

---

1220-1222: Improve formatting of validation error warning.

The warning about validation errors could be formatted better for emphasis and clarity.

Apply this diff to improve the formatting:

-<strong>IMPORTANT:</strong> Button will be show only if single server is selected. If you try to run a command for several servers from code, you will get a ValidationError.
+<strong>IMPORTANT:</strong> 
+- Button will only be shown when a single server is selected
+- Attempting to run a command for multiple servers via code will raise a ValidationError

🛑 Comments failed to post (2)

cetmix_tower_server/static/description/index.html (2)

1129-1130: ⚠️ Potential issue

Fix broken relative links in documentation.

The documentation contains broken relative links to CONFIGURE.md which don't exist in the current context.

Apply this diff to fix the links:

-<a class="reference external" href="CONFIGURE.md/#configure-a-server-template">Server Template</a>
+<a class="reference external" href="#configure-a-server-template">Server Template</a>

-<a class="reference external" href="CONFIGURE.md/#configure-a-flight-plan">Flight Plan</a>
+<a class="reference external" href="#configure-a-flight-plan">Flight Plan</a>

Also applies to: 1137-1138

---

372-372: ⚠️ Potential issue

Security: Replace plaintext HTTP URLs with HTTPS.

The documentation contains insecure plaintext HTTP URLs that should be updated to use HTTPS for better security.

Apply this diff to fix the HTTP URL:

-<a class="reference external" href="http://cetmix.com/tower">Cetmix Tower</a>
+<a class="reference external" href="https://cetmix.com/tower">Cetmix Tower</a>

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 ast-grep (0.31.1)

[warning] 372-372: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
Context: Cetmix Tower
Note: [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html

(plaintext-http-link-html)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

cetmix_tower_server/tests/test_command.py (5)

514-514: Consider splitting the test method into smaller, focused test cases.

The test method covers multiple scenarios and is quite long. Consider breaking it down into separate test methods for better maintainability and readability:

• test_user_access_rule_default_access_level
• test_user_access_rule_group_permissions
• test_user_access_rule_manager_access
• test_user_access_rule_root_access
• test_user_access_rule_follower_access

---

Line range hint 516-524: Consider moving test data setup to setUp method.

The test command creation and initial assertions could be moved to the setUp method since they're used across multiple test cases. This would improve test maintainability and reduce code duplication.

 def setUp(self, *args, **kwargs):
     super().setUp(*args, **kwargs)
+    # Create the test command
+    self.test_command = self.Command.create({"name": "Test command"})
+    # Ensure that default command access_level is equal to 2
+    self.assertEqual(self.test_command.access_level, "2")

---

Line range hint 525-533: Add assertions for group membership state.

After removing the user from groups, add assertions to verify the user's group membership state. This helps ensure the test's preconditions are met.

 # Remove bob from all cxtower_server groups
 self.remove_from_group(
     self.user_bob,
     [
         "cetmix_tower_server.group_user",
         "cetmix_tower_server.group_manager",
         "cetmix_tower_server.group_root",
     ],
 )
+# Verify user is not in any groups
+self.assertFalse(self.user_bob.has_group('cetmix_tower_server.group_user'))
+self.assertFalse(self.user_bob.has_group('cetmix_tower_server.group_manager'))
+self.assertFalse(self.user_bob.has_group('cetmix_tower_server.group_root'))

---

Line range hint 534-540: Enhance error message in AccessError test.

When testing for AccessError, include a more descriptive assertion message that explains the expected behavior.

 # Ensure that regular user cannot access the command
 test_command_1_as_bob = test_command.with_user(self.user_bob)
 with self.assertRaises(AccessError):
-    command_name = test_command_1_as_bob.name
+    command_name = test_command_1_as_bob.name, "User without proper group access should not be able to read command name"

---

Line range hint 591-607: Add test cases for edge cases in access level changes.

The test could benefit from additional edge cases when testing access level changes:

• Attempting to set an invalid access level
• Attempting to set the same access level
• Testing access level changes with different user types

 # Try to demote the access_level of new_command to 2
 restricted_command.with_user(self.user_bob).write({"access_level": "2"})
 self.assertEqual(restricted_command.access_level, "2")
+
+# Test edge cases for access level changes
+with self.assertRaises(ValueError):
+    restricted_command.with_user(self.user_bob).write({"access_level": "4"})
+
+# Test setting same access level
+restricted_command.with_user(self.user_bob).write({"access_level": "2"})
+self.assertEqual(restricted_command.access_level, "2")

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3da1941 and 4203086.

⛔ Files ignored due to path filters (1)

• cetmix_tower_server/security/ir.model.access.csv is excluded by !**/*.csv

📒 Files selected for processing (8)

• cetmix_tower_server/README.rst (25 hunks)
• cetmix_tower_server/__manifest__.py (1 hunks)
• cetmix_tower_server/models/__init__.py (1 hunks)
• cetmix_tower_server/models/res_partner.py (1 hunks)
• cetmix_tower_server/security/cx_tower_key_security.xml (1 hunks)
• cetmix_tower_server/static/description/index.html (28 hunks)
• cetmix_tower_server/tests/test_command.py (1 hunks)
• cetmix_tower_server/tests/test_key.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (6)

• cetmix_tower_server/models/init.py
• cetmix_tower_server/manifest.py
• cetmix_tower_server/models/res_partner.py
• cetmix_tower_server/tests/test_key.py
• cetmix_tower_server/README.rst
• cetmix_tower_server/security/cx_tower_key_security.xml

🧰 Additional context used

🪛 ast-grep (0.31.1)

cetmix_tower_server/static/description/index.html

[warning] 372-372: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
Context: Cetmix Tower
Note: [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html

(plaintext-http-link-html)

🔇 Additional comments (3)

cetmix_tower_server/static/description/index.html (3)

472-472: LGTM! Image references are properly configured.

The image references are correctly structured:

• Use HTTPS for secure content delivery
• Paths match the module version
• Use raw.githubusercontent.com domain for direct access

Also applies to: 1029-1029, 1166-1166, 1264-1264, 1271-1271

---

Line range hint 1-1301: LGTM! Documentation is well-structured and comprehensive.

The documentation:

• Has clear sections for configuration, usage, and best practices
• Includes properly formatted code examples
• Provides detailed explanations for each feature

---

Line range hint 1-24: LGTM! HTML structure follows best practices.

The HTML document:

• Uses proper DOCTYPE declaration
• Has well-organized head section
• Contains properly scoped CSS

🧰 Tools

🪛 ast-grep (0.31.1)

[warning] 371-371: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
Context:
Note: [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html

(plaintext-http-link-html)

---

[warning] 372-372: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
Context: Cetmix Tower
Note: [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html

(plaintext-http-link-html)

[coderabbitai]

⚠️ Potential issue

Security: Replace HTTP URLs with HTTPS.

The documentation contains plaintext HTTP URLs which could pose security risks. These should be updated to use HTTPS.

Apply this diff to fix the security issue:

-<p><a class="reference external image-reference" href="http://cetmix.com/tower">
+<p><a class="reference external image-reference" href="https://cetmix.com/tower">
-<a class="reference external" href="http://cetmix.com/tower">Cetmix Tower</a>
+<a class="reference external" href="https://cetmix.com/tower">Cetmix Tower</a>

Also applies to: 413-413

🧰 Tools

🪛 ast-grep (0.31.1)

[warning] 372-372: "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
Context: Cetmix Tower
Note: [CWE-319] Authentication Bypass by Primary Weakness [REFERENCES]
- https://cwe.mitre.org/data/definitions/319.html

(plaintext-http-link-html)