F #1976: Test access rights to the security groups of a VNet and its ARs

2025-01-11 05:17:41 +03:00 · 2018-04-27 16:31:12 +02:00 · 2018-04-27 16:31:12 +02:00 · 098ce33e79
commit 098ce33e79
parent c903345806
8 changed files with 61 additions and 4 deletions
--- a/include/AddressRange.h
+++ b/include/AddressRange.h
@ -372,6 +372,19 @@ public:
        return security_groups;
    }

+    /**
+     *  Copy security groups into set
+     */
+    void get_security_groups(set<int>& sgs)
+    {
+        std::set<int>::const_iterator it;
+        
+        for (it = security_groups.begin(); it != security_groups.end(); ++it)
+        {
+            sgs.insert(*it);
+        }
+    }
+
    /*
     *  add_ar from AddressRangePool needs to access the internal representation
     *  of the AR to include it in the ARPool template.
--- a/include/AddressRangePool.h
+++ b/include/AddressRangePool.h
@ -308,6 +308,12 @@ public:
     */
    const set<int>& get_security_groups(int ar_id) const;

+    /**
+     *  Gets a the security group set of all ARs
+     *    @param sgs set with all the SG ids
+     */
+    void get_all_security_groups(set<int>& sgs);
+
    /**
     *  Generate a XML representation of the Address Range Pool
     *    @param sstream where the ARPool is written
--- a/include/VirtualNetwork.h
+++ b/include/VirtualNetwork.h
@ -459,6 +459,12 @@ public:
     */
    int get_template_attribute(const char * name, int& value, int ar_id) const;

+    /**
+     *  Adds the security group of the VNet and its ARs to the given set
+     *    @param sgs to put the sg ids in
+     */
+    void get_security_groups(set<int> & sgs);
+
    /**
     *    @return A copy of the VNET Template
     */
--- a/include/VirtualNetworkPool.h
+++ b/include/VirtualNetworkPool.h
@ -203,7 +203,8 @@ public:
            PoolObjectSQL::ObjectType   ot,
            VirtualMachineNic *         nic,
            int                         uid,
-            AuthRequest *               ar);
+            AuthRequest *               ar,
+            set<int> &                  sgs);

    //--------------------------------------------------------------------------
    // VNET Reservation interface
--- a/src/vm/VirtualMachineNic.cc
+++ b/src/vm/VirtualMachineNic.cc
@ -128,12 +128,12 @@ void VirtualMachineNic::authorize(PoolObjectSQL::ObjectType ot, int uid,
    VirtualNetworkPool * vnpool = nd.get_vnpool();
    SecurityGroupPool *  sgpool = nd.get_secgrouppool();

-    vnpool->authorize_nic(ot, this, uid, ar);
-
    set<int> sgroups;

    get_security_groups(sgroups);

+    vnpool->authorize_nic(ot, this, uid, ar, sgroups);
+
    for(set<int>::iterator it = sgroups.begin(); it != sgroups.end(); it++)
    {
        SecurityGroup * sgroup = sgpool->get(*it);
--- a/src/vnm/AddressRangePool.cc
+++ b/src/vnm/AddressRangePool.cc
@ -535,6 +535,16 @@ const set<int>& AddressRangePool::get_security_groups(int ar_id) const
    return it->second->get_security_groups();
 }

+void AddressRangePool::get_all_security_groups(set<int>& sgs)
+{
+    map<unsigned int, AddressRange *>::const_iterator it;
+
+    for (it=ar_pool.begin(); it!=ar_pool.end(); it++)
+    {
+        it->second->get_security_groups(sgs);
+    }
+}
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */

--- a/src/vnm/VirtualNetwork.cc
+++ b/src/vnm/VirtualNetwork.cc
@ -1284,7 +1284,25 @@ int VirtualNetwork::reserve_addr_by_mac(int rid, unsigned int rsize,
    return 0;
 }

+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 bool VirtualNetwork::is_reservation() const
 {
    return parent_vid != -1;
 }
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
+void VirtualNetwork::get_security_groups(set<int> & sgs)
+{
+    std::set<int>::const_iterator it;
+  
+    for (it = security_groups.begin(); it != security_groups.end(); it++)
+    {
+        sgs.insert(*it);
+    }
+  
+    ar_pool.get_all_security_groups(sgs);
+}
--- a/src/vnm/VirtualNetworkPool.cc
+++ b/src/vnm/VirtualNetworkPool.cc
@ -302,7 +302,8 @@ void VirtualNetworkPool::authorize_nic(
        PoolObjectSQL::ObjectType   ot,
        VirtualMachineNic *         nic,
        int                         uid,
-        AuthRequest *               ar)
+        AuthRequest *               ar,
+        set<int> &                  sgs)
 {
    string           network;
    VirtualNetwork * vnet = 0;
@ -334,6 +335,8 @@ void VirtualNetworkPool::authorize_nic(

    vnet->get_permissions(perm);

+    vnet->get_security_groups(sgs);
+
    vnet->unlock();

    ar->add_auth(AuthRequest::USE, perm);