[IMP] cetmix_tower_server: Access to server fields

[GabbasovDinar]

Limit access to the following fields of the cx.tower.server ​model to Manager and Root:

• OS
• IP v4 Address
• IP v6 Address
• SSH username
• SSH Port
• SSS auth mode
• SSH key
• Use sudo

Task: 4116

Summary by CodeRabbit

Summary by CodeRabbit

• Security Enhancements

  • Added group-based access control for server connection settings.
  • Restricted sensitive server configuration fields to the manager group.
  • Modified SSH connection field permissions to make some optional.

• User Interface

  • Introduced a new kanban view for managers, displaying specific server details.
  • Refined search view with group-based visibility for the "Operating System" field and "Group By OS" filter.

• Documentation

  • Updated configuration documentation to clarify field visibility based on user access levels.

[coderabbitai]

Walkthrough

The pull request modifies the CxTowerServer class in the cetmix_tower_server/models/cx_tower_server.py file and updates the view configurations in cetmix_tower_server/views/cx_tower_server_view.xml. The primary focus is on enhancing access control for sensitive server connection settings by introducing group-based restrictions. Several fields related to server connection details are now limited to users with permissions from the cetmix_tower_server.group_manager group. Additionally, a new kanban view is created, and the search view is updated to reflect these access controls.

Changes

File	Change Summary
cetmix_tower_server/models/cx_tower_server.py	- Added groups="cetmix_tower_server.group_manager" to multiple fields: - ip_v4_address - ip_v6_address - ssh_port - ssh_username - ssh_password (removed required=True constraint) - ssh_key_id - ssh_auth_mode - use_sudo - os_id - Updated execute_command method to use self.sudo() for checking user context.
cetmix_tower_server/views/cx_tower_server_view.xml	- Created new kanban view cx_tower_server_view_kanban_manager with group restrictions. - Updated search view to restrict visibility of os_id and group_by_os filter to the manager group. - Modified visibility of "Operating System," "IPv4 Address," and "IPv6 Address" fields in the new manager-specific view.
cetmix_tower_server/readme/CONFIGURE.md	- Added note regarding user access levels in the server configuration section, indicating that some fields are visible based on the current user access level.
cetmix_tower_server/models/cetmix_tower.py	- Added line in server_check_ssh_connection method to elevate access rights of server object using server.sudo() for SSH configuration access.

Possibly related PRs

• [14.0][IMP] server_check_ssh_connection: Implement SSH connection check #174: The changes in this PR involve the server_check_ssh_connection method in the CetmixTower class, which relates to SSH connection handling, similar to the modifications in the CxTowerServer class that enhance access control for SSH-related fields. Both PRs focus on improving the management of SSH connections and sensitive information.

Suggested labels

bot is merging ⏳, approved

Suggested reviewers

• ivs-cetmix
• Aldeigja

Finishing Touches

• 📝 Generate Docstrings (Beta)

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

cetmix_tower_server/models/cx_tower_server.py (2)

743-747: Ensure consistent use of sudo() throughout the method.

While adding sudo() for checking ssh_username and use_sudo attributes is good for security, consider applying it consistently to all attribute accesses in this method for better maintainability.

Consider applying this pattern:

-if self.sudo().ssh_username != "root" and self.sudo().use_sudo:
-    sudo = self.sudo().use_sudo
+self_sudo = self.sudo()
+if self_sudo.ssh_username != "root" and self_sudo.use_sudo:
+    sudo = self_sudo.use_sudo

-elif sudo and self.sudo().ssh_username == "root":
+elif sudo and self_sudo.ssh_username == "root":
    sudo = None

---

Line range hint 563-574: Enhance error handling in the _connect method.

While adding sudo() for server connection is good, consider improving the error handling to provide more specific error messages based on the type of connection failure (e.g., authentication failure, network unreachable, etc.).

Consider this approach:

 self = self.sudo()
 try:
     client = SSH(
         host=self.ip_v4_address or self.ip_v6_address,
         port=self.ssh_port,
         username=self.ssh_username,
         mode=self.ssh_auth_mode,
         password=self._get_password(),
         ssh_key=self._get_ssh_key(),
     )
 except Exception as e:
+    error_msg = str(e)
+    if "Authentication failed" in error_msg:
+        error_msg = _("SSH authentication failed. Please check your credentials.")
+    elif "Connection refused" in error_msg:
+        error_msg = _("Connection refused. Please check if the server is running and accessible.")
+    elif "Network is unreachable" in error_msg:
+        error_msg = _("Network is unreachable. Please check your network connection.")
     if raise_on_error:
-        raise ValidationError(_("SSH connection error %(err)s", err=e)) from e
+        raise ValidationError(_("SSH connection error: %(err)s", err=error_msg)) from e
     else:
-        return False, e
+        return False, error_msg

cetmix_tower_server/views/cx_tower_server_view.xml (2)

108-135: Consider removing redundant group restriction in view.

Since the fields (os_id, ip_v4_address, ip_v6_address) already have group restrictions defined at the model level, the groups_id field in the view might be unnecessary. The model-level restrictions will automatically handle the access control.

Consider this simplified approach:

 <record id="cx_tower_server_view_kanban_manager" model="ir.ui.view">
     <field name="name">cx.tower.server.view.kanban</field>
     <field name="model">cx.tower.server</field>
     <field
         name="inherit_id"
         ref="cetmix_tower_server.cx_tower_server_view_kanban"
     />
-    <field
-        name="groups_id"
-        eval="[(4, ref('cetmix_tower_server.group_manager'))]"
-    />
     <field name="arch" type="xml">
         <xpath expr="//div[hasclass('o_kanban_primary_right')]" position="inside">
             <!-- ... rest of the view definition ... -->
         </xpath>
     </field>
 </record>

---

Line range hint 375-399: Optimize group restrictions in search view.

The groups attribute on the os_id field is redundant as it's already restricted at the model level. However, the group restriction on the "Group By OS" filter is correct and necessary as it's a view-specific feature.

Consider this optimization:

-    <field name="os_id" groups="cetmix_tower_server.group_manager" />
+    <field name="os_id" />
     <field name="tag_ids" />
     <!-- ... other fields ... -->
     <filter
         string="OS"
         name="group_by_os"
         domain="[]"
         context="{'group_by': 'os_id'}"
         groups="cetmix_tower_server.group_manager"
     />

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b1e01f1 and 7e6dad2.

📒 Files selected for processing (2)

• cetmix_tower_server/models/cx_tower_server.py (6 hunks)
• cetmix_tower_server/views/cx_tower_server_view.xml (3 hunks)

🧰 Additional context used

📓 Learnings (1)

cetmix_tower_server/views/cx_tower_server_view.xml (1)

Learnt from: ivs-cetmix
PR: cetmix/cetmix-tower#147
File: cetmix_tower_server/views/cx_tower_file_view.xml:160-160
Timestamp: 2024-11-24T22:56:35.204Z
Learning: In Odoo, when groups are defined at the model level, it's unnecessary to specify them again in the view fields.

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: test with OCB

🔇 Additional comments (1)

cetmix_tower_server/models/cx_tower_server.py (1)

Line range hint 282-340: Well-structured security enhancement for sensitive server fields!

The consistent application of group-based access control (groups="cetmix_tower_server.group_manager") to all sensitive server connection fields is a good security practice. This ensures that only users with appropriate permissions can access critical server details.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cetmix_tower_server/views/cx_tower_server_view.xml (1)

375-375: Consider removing redundant group restrictions.

Based on previous feedback, when groups are defined at the model level, it's unnecessary to specify them again in the view fields.

-                <field name="os_id" groups="cetmix_tower_server.group_manager" />
+                <field name="os_id" />

-                        groups="cetmix_tower_server.group_manager"
+                        

Also applies to: 399-399

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7e6dad2 and 022d74c.

📒 Files selected for processing (3)

• cetmix_tower_server/models/cx_tower_server.py (6 hunks)
• cetmix_tower_server/readme/CONFIGURE.md (1 hunks)
• cetmix_tower_server/views/cx_tower_server_view.xml (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• cetmix_tower_server/models/cx_tower_server.py

🧰 Additional context used

📓 Learnings (1)

cetmix_tower_server/views/cx_tower_server_view.xml (1)

Learnt from: ivs-cetmix
PR: cetmix/cetmix-tower#147
File: cetmix_tower_server/views/cx_tower_file_view.xml:160-160
Timestamp: 2024-11-24T22:56:35.204Z
Learning: In Odoo, when groups are defined at the model level, it's unnecessary to specify them again in the view fields.

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: test with OCB

🔇 Additional comments (2)

cetmix_tower_server/views/cx_tower_server_view.xml (1)

108-135: LGTM! Well-structured view inheritance for manager-specific fields.

The implementation correctly extends the base kanban view while maintaining proper access control and visibility conditions.

cetmix_tower_server/readme/CONFIGURE.md (1)

43-44: LGTM! Clear documentation update.

The added note effectively communicates the access-level-based field visibility to users.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

cetmix_tower_server/views/cx_tower_server_view.xml (2)

108-135: Consider removing redundant field declarations.

Based on the retrieved learning from PR #147, since these fields (os_id, ip_v4_address, ip_v6_address) are already defined with group restrictions at the model level, it's unnecessary to create a separate inherited view just for managers. The base kanban view can directly use these fields, and Odoo will automatically handle the access control.

Consider removing this entire view and moving the field declarations to the base kanban view's content section. The model-level group restrictions will automatically apply.

---

375-375: Optimize group restrictions in search view.

• The group restriction on the os_id field (line 375) is redundant if the field is already restricted at the model level.
• However, the group restriction on the "Group By OS" filter (line 399) should be retained as it's a view-specific feature.

Remove the redundant group restriction from the os_id field while keeping it for the "Group By OS" filter:

-                <field name="os_id" groups="cetmix_tower_server.group_manager" />
+                <field name="os_id" />

Also applies to: 399-399

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 022d74c and da74aec.

📒 Files selected for processing (3)

• cetmix_tower_server/models/cx_tower_server.py (6 hunks)
• cetmix_tower_server/readme/CONFIGURE.md (1 hunks)
• cetmix_tower_server/views/cx_tower_server_view.xml (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• cetmix_tower_server/readme/CONFIGURE.md
• cetmix_tower_server/models/cx_tower_server.py

🧰 Additional context used

📓 Learnings (1)

cetmix_tower_server/views/cx_tower_server_view.xml (1)

Learnt from: ivs-cetmix
PR: cetmix/cetmix-tower#147
File: cetmix_tower_server/views/cx_tower_file_view.xml:160-160
Timestamp: 2024-11-24T22:56:35.204Z
Learning: In Odoo, when groups are defined at the model level, it's unnecessary to specify them again in the view fields.

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: test with OCB

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

cetmix_tower_server/models/cx_tower_server.py (1)

563-563: Avoid Overwriting self with self.sudo()

Reassigning self with self.sudo() can lead to confusion and unintended side effects. It's clearer and safer to store the result in a new variable or use self.sudo() directly when accessing attributes.

Refactor the code to avoid reassigning self:

 def _connect(self, raise_on_error=True):
     self.ensure_one()
-    self = self.sudo()
     try:
+        sudo_self = self.sudo()
         client = SSH(
-            host=self.ip_v4_address or self.ip_v6_address,
-            port=self.ssh_port,
-            username=self.ssh_username,
-            mode=self.ssh_auth_mode,
-            password=self._get_password(),
-            ssh_key=self._get_ssh_key(),
+            host=sudo_self.ip_v4_address or sudo_self.ip_v6_address,
+            port=sudo_self.ssh_port,
+            username=sudo_self.ssh_username,
+            mode=sudo_self.ssh_auth_mode,
+            password=sudo_self._get_password(),
+            ssh_key=sudo_self._get_ssh_key(),
         )

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da74aec and d04cce2.

📒 Files selected for processing (4)

• cetmix_tower_server/models/cetmix_tower.py (1 hunks)
• cetmix_tower_server/models/cx_tower_server.py (6 hunks)
• cetmix_tower_server/readme/CONFIGURE.md (1 hunks)
• cetmix_tower_server/views/cx_tower_server_view.xml (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• cetmix_tower_server/readme/CONFIGURE.md
• cetmix_tower_server/views/cx_tower_server_view.xml

🧰 Additional context used

📓 Learnings (1)

cetmix_tower_server/models/cetmix_tower.py (1)

Learnt from: ivs-cetmix
PR: cetmix/cetmix-tower#174
File: cetmix_tower_server/models/cetmix_tower.py:130-132
Timestamp: 2025-01-06T12:28:58.379Z
Learning: SSH credentials (username, password, and/or key) are controlled at the server level, so an additional validation in the `server_check_ssh_connection` method is not needed.

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: test with OCB

🔇 Additional comments (3)

cetmix_tower_server/models/cx_tower_server.py (2)

677-677: Ensure Elevated Access is Necessary

Using self.sudo() in get_variable_values suggests that elevated permissions are required. Confirm that this is necessary and that it doesn't unintentionally expose sensitive data to unauthorized users.

Please verify that self.sudo() is required here and consider potential security implications.

---

743-744: Consistent Use of Elevated Permissions

Accessing ssh_username and use_sudo with self.sudo() ensures that fields restricted by groups are accessible. Ensure that this pattern is used consistently where needed and that it complies with your security model.

Also applies to: 747-747

cetmix_tower_server/models/cetmix_tower.py (1)

134-136: Verify Necessity of Elevating server to sudo()

Adding server = server.sudo() elevates access rights to all fields of server. According to previous learnings, SSH credentials are managed at the server level, and additional validation might not be necessary.

Based on retrieved learnings:

Learning: SSH credentials (username, password, and/or key) are controlled at the server level, so an additional validation in the `server_check_ssh_connection` method is not needed.

Please verify if elevating server to sudo() is required in this context, and ensure it aligns with the application's security policies without introducing unintended access.

✅ Verification successful

The sudo() elevation is necessary and correctly implemented

The elevation is required to access sensitive SSH credentials (password, keys) which are protected fields. This follows the application's security model where sensitive fields require elevated access, as evidenced by similar patterns across the codebase for handling SSH credentials and secret values.

🏁 Scripts executed

The following scripts were executed for the analysis:

Error: No shell scripts found

---

Script:

#!/bin/bash
# Get the complete file content
cat cetmix_tower_server/models/cetmix_tower.py

# Look for similar sudo() patterns
rg "sudo\(\)" -A 3 -B 3

# Look for field definitions that might be sensitive
ast-grep --pattern 'fields.$_ = fields.$_($$$)'

Length of output: 20443

[ivs-cetmix]

We have changed the flow so need to update the test coverage accordingly.
Eg we need to ensure that user with group "Tower/User" can still run SSH commands with no issues.

[ivs-cetmix]

Question: why do we need to add group attribute to the view definition?

[GabbasovDinar]

I agree, I will fix it