From 772015379998b52f840cff86f73c33208684c611 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Thu, 1 Oct 2020 10:00:06 +0200
Subject: [PATCH] Update to 2020-10-01 10:00
---
 roles/mayan_edms/defaults/main.yml | 13 +++++++++++++
 roles/mayan_edms/tasks/directories.yml | 1 +
 roles/mayan_edms/tasks/install.yml | 4 ++++
 roles/mayan_edms/templates/auth.py.j2 | 16 +++++++++++++++-
 roles/mayan_edms/templates/mayan-edms.j2 | 6 ++++++
 roles/squid/files/acl/software_various.domains | 5 +++++
 6 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 roles/mayan_edms/templates/mayan-edms.j2
diff --git a/roles/mayan_edms/defaults/main.yml b/roles/mayan_edms/defaults/main.yml
index 7180ee5..a9d9b52 100644
--- a/roles/mayan_edms/defaults/main.yml
+++ b/roles/mayan_edms/defaults/main.yml
@@ -74,6 +74,19 @@ mayan_ldap_group_type: "{{ ad_auth | default(False) | ternary('NestedActiveDirec
 # LDAP filter to search for groups
 mayan_ldap_group_filter: "{{ ad_auth | default(False) | ternary('(objectClass=group)','(objectClass=posixGroup)') }}"
+# Define user flags based on group membership, for example :
+#
+# mayan_ldap_flags_by_group:
+# is_active:
+# - CN=Users,DC=example,DC=org
+# is_staff:
+# - CN=IT,OU=Groups,DC=example,DC=org
+# is_superuser:
+# - CN=Role_Infra_Admin,OU=Roles,DC=example,DC=org
+# - CN=Domain Admins,OU=Groups,DC=example,DC=org
+mayan_ldap_flags_by_group: {}
+
+
 # If defined, will either require user to be part of one of those groups,
 # or forbid access to membres of those groups
 # mayan_ldap_require_group:
diff --git a/roles/mayan_edms/tasks/directories.yml b/roles/mayan_edms/tasks/directories.yml
index b448a2b..aebdfae 100644
--- a/roles/mayan_edms/tasks/directories.yml
+++ b/roles/mayan_edms/tasks/directories.yml
@@ -24,4 +24,5 @@
 mode: 750
 - path: "{{ mayan_root_dir }}/fuse"
 mode: 700
+ - path: "{{ mayan_root_dir }}/input"
 tags: mayan
diff --git a/roles/mayan_edms/tasks/install.yml b/roles/mayan_edms/tasks/install.yml
index 1aef398..edf8863 100644
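Review bot: The comment added above `mayan_ldap_flags_by_group` does not say that a mapped flag is recomputed from group membership, so the effect on existing accounts is easy to miss. As I read django-auth-ldap, each listed field is set to True or False at every login, which means mapping `is_active` or `is_superuser` overrides values granted by hand in Mayan. I would add `# Each flag listed here is set to True or False at every login; users outside all listed groups lose it, even if it was granted manually` to the comment block, and state that several groups under one flag are OR-ed.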
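Review bot: The new `input` entry has no `mode`, unlike the `fuse` entry directly above it (`mode: 700`), so its permissions depend on whatever default the enclosing task applies; that task starts outside the hunk. If this directory is where documents are dropped for ingestion (an assumption from the name), it should carry an explicit restrictive mode in the same form as its siblings, for example `mode: 750` under the `- path: "{{ mayan_root_dir }}/input"` line.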
--- a/roles/mayan_edms/tasks/install.yml
+++ b/roles/mayan_edms/tasks/install.yml
@@ -77,6 +77,10 @@
 virtualenv_python: /usr/bin/python3
 tags: mayan
+- name: Install mayan-edms wrapper
+ template: src=mayan-edms.j2 dest=/usr/local/bin/mayan-edms mode=755
+ tags: mayan
+
 - name: Install Mayan EDMS
 pip:
 name:
diff --git a/roles/mayan_edms/templates/auth.py.j2 b/roles/mayan_edms/templates/auth.py.j2
index a61cd53..53d665a 100644
--- a/roles/mayan_edms/templates/auth.py.j2
+++ b/roles/mayan_edms/templates/auth.py.j2
@@ -1,7 +1,7 @@
 import ldap
 from django_auth_ldap.config import (
- LDAPSearch, LDAPSearchUnion, {{ mayan_ldap_group_type }}
+ LDAPSearch, LDAPSearchUnion, LDAPGroupQuery, {{ mayan_ldap_group_type }}
 )
 from mayan.settings.production import *
@@ -60,11 +60,25 @@ AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
 AUTH_LDAP_GROUP_TYPE = {{ mayan_ldap_group_type }}()
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+{% for key in mayan_ldap_flags_by_group.keys() %}
+{% if mayan_ldap_flags_by_group[key] | length > 0 %}
+ '{{ key }}': (
+{% for group in mayan_ldap_flags_by_group[key] %}
+ LDAPGroupQuery('{{ group }}') {{ '|' if not loop.last }}
+{% endfor %}
+ ),
+{% endif %}
+{% endfor %}
+}
+
 AUTHENTICATION_BACKENDS = (
 'django_auth_ldap.backend.LDAPBackend',
 'django.contrib.auth.backends.ModelBackend'
 )
+AUTH_LDAP_MIRROR_GROUPS = True
+
 {% if mayan_auth_custom_conf is defined %}
 {{ mayan_auth_custom_conf }}
 {% endif %}
diff --git a/roles/mayan_edms/templates/mayan-edms.j2 b/roles/mayan_edms/templates/mayan-edms.j2
new file mode 100644
index 0000000..a2d0d42
--- /dev/null
+++ b/roles/mayan_edms/templates/mayan-edms.j2
@@ -0,0 +1,6 @@
+#!/bin/bash -e
+
+set -o allexport
+. {{ mayan_root_dir }}/config/.env
+set +o allexport
+{{ mayan_root_dir }}/venv/bin/python {{ mayan_root_dir }}/venv/bin/mayan-edms.py $@
diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains
index 5e0ed31..e658667 100644
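Review bot: The group DN and the flag name are pasted unescaped into Python string literals in `LDAPGroupQuery('{{ group }}')` and `'{{ key }}': (`, so a DN containing an apostrophe or a backslash renders a broken or altered settings file. Emitting them as quoted literals avoids that: `LDAPGroupQuery({{ group | to_json }}) {{ '|' if not loop.last }}` and `{{ key | to_json }}: (`. Separately, `AUTH_LDAP_MIRROR_GROUPS = True` is now unconditional; as I read django-auth-ldap it makes Django group membership match LDAP exactly at each login, which would drop memberships assigned inside Mayan, so a role variable that defaults to the previous behaviour would be safer. The settings file continues outside the hunk on both sides.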
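Review bot: The last line of the wrapper passes `$@` unquoted, so any argument containing spaces or glob characters is re-split before it reaches `mayan-edms.py`; it should read `exec {{ mayan_root_dir }}/venv/bin/python {{ mayan_root_dir }}/venv/bin/mayan-edms.py "$@"`. The wrapper also sources `config/.env` as shell code and runs the venv interpreter as whoever invokes it, and the install task places it in `/usr/local/bin` with `mode=755`. If those files are writable by the Mayan service account (their ownership is not visible in this patch), an administrator running the wrapper as root would execute content that account controls, so the wrapper should switch to the service user or refuse to run as root.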
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@@ -200,6 +200,7 @@ graylog2-releases.s3.eu-west-1.amazonaws.com
 # NPM / NodeJS
 registry.npmjs.org
+registry.npmjs.com
 # Asterisk / FreePBX
 ast.tucny.com
@@ -290,6 +291,10 @@ static.crates.io
 npm.fontawesome.com
 dl.fontawesome.com
+# Google fonts
+fonts.googleapis.com
+fonts.gstatic.com
+
 # Jitsi
 download.jitsi.org
 # Needed to build Jitsi Meet