diff --git a/src/rm/RequestManagerImageDelete.cc b/src/rm/RequestManagerImageDelete.cc index f56473f114..403833f137 100644 --- a/src/rm/RequestManagerImageDelete.cc +++ b/src/rm/RequestManagerImageDelete.cc @@ -15,10 +15,12 @@ /* -------------------------------------------------------------------------- */ #include "RequestManager.h" -#include "NebulaLog.h" +#include "NebulaLog.h" #include "Nebula.h" +#include "AuthManager.h" + /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -55,6 +57,19 @@ void RequestManager::ImageDelete::execute( } uid = rc; + + //Authorize the operation + if ( uid != 0 ) // uid == 0 means oneadmin + { + AuthRequest ar(uid); + + ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::DELETE,0,false); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } // Get image from the ImagePool image = ImageDelete::ipool->get(iid,true); @@ -64,11 +79,6 @@ void RequestManager::ImageDelete::execute( goto error_image_get; } - if ( uid != 0 && uid != image->get_uid() ) - { - goto error_authorization; - } - rc = ImageDelete::ipool->drop(image); if ( rc < 0 ) @@ -98,9 +108,8 @@ error_image_get: oss << "Error getting image with ID = " << iid; goto error_common; -error_authorization: +error_authorize: oss << "User not authorized to delete image, aborting ImageDelete call."; - image->unlock(); goto error_common; error_delete: diff --git a/src/rm/RequestManagerImageEnable.cc b/src/rm/RequestManagerImageEnable.cc index 6d5cec9dcb..2f16ee6417 100644 --- a/src/rm/RequestManagerImageEnable.cc +++ b/src/rm/RequestManagerImageEnable.cc @@ -15,10 +15,12 @@ /* -------------------------------------------------------------------------- */ #include "RequestManager.h" -#include "NebulaLog.h" +#include "NebulaLog.h" #include "Nebula.h" +#include "AuthManager.h" + /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -57,6 +59,19 @@ void RequestManager::ImageEnable::execute( uid = rc; + //Authorize the operation + if ( uid != 0 ) // uid == 0 means oneadmin + { + AuthRequest ar(uid); + + ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::MANAGE,0,false); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } + // Get image from the ImagePool image = ImageEnable::ipool->get(iid,true); @@ -65,11 +80,6 @@ void RequestManager::ImageEnable::execute( goto error_image_get; } - if ( uid != 0 && uid != image->get_uid() ) - { - goto error_authorization; - } - rc = image->enable(enable_flag); if ( rc < 0 ) @@ -101,10 +111,9 @@ error_image_get: oss << "[ImageEnable] Error getting image with ID = " << iid; goto error_common; -error_authorization: +error_authorize: oss << "[ImageEnable] User not authorized to enable/disable image" << " attributes, aborting call."; - image->unlock(); goto error_common; error_enable: diff --git a/src/rm/RequestManagerImageInfo.cc b/src/rm/RequestManagerImageInfo.cc index b16860a7a5..a21adaee2f 100644 --- a/src/rm/RequestManagerImageInfo.cc +++ b/src/rm/RequestManagerImageInfo.cc @@ -17,6 +17,8 @@ #include "RequestManager.h" #include "NebulaLog.h" +#include "AuthManager.h" + /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -27,8 +29,8 @@ void RequestManager::ImageInfo::execute( string session; int iid; - int uid; - int rc; + int uid; // Image owner user id + int rc; // Requesting user id Image * image; ostringstream oss; @@ -56,10 +58,27 @@ void RequestManager::ImageInfo::execute( // Check if it is a valid user rc = ImageInfo::upool->authenticate(session); - if ( rc != 0 && rc != uid && !image->isPublic()) + if ( rc == -1 ) { goto error_authenticate; } + + //Authorize the operation + if ( rc != 0 ) // rc == 0 means oneadmin + { + AuthRequest ar(rc); + + ar.add_auth(AuthRequest::IMAGE, + iid, + AuthRequest::USE, + 0, + image->isPublic()); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } oss << *image; @@ -82,13 +101,17 @@ error_image_get: goto error_common; error_authenticate: - oss << "User doesn't exist, or not authorized to use image with " << +oss << "Cannot authenticate user, aborting ImageInfo call."; + image->unlock(); + goto error_common; + +error_authorize: + oss << "User not authorized to use image with " << "ID = " << iid << " , ImageInfo call aborted."; image->unlock(); goto error_common; error_common: - arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE arrayData.push_back(xmlrpc_c::value_string(oss.str())); diff --git a/src/rm/RequestManagerImagePublish.cc b/src/rm/RequestManagerImagePublish.cc index f88c328b72..cfd0bc8bd9 100644 --- a/src/rm/RequestManagerImagePublish.cc +++ b/src/rm/RequestManagerImagePublish.cc @@ -15,10 +15,12 @@ /* -------------------------------------------------------------------------- */ #include "RequestManager.h" -#include "NebulaLog.h" +#include "NebulaLog.h" #include "Nebula.h" +#include "AuthManager.h" + /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -57,6 +59,23 @@ void RequestManager::ImagePublish::execute( uid = rc; + //Authorize the operation + if ( uid != 0 ) // uid == 0 means oneadmin + { + AuthRequest ar(uid); + + ar.add_auth(AuthRequest::IMAGE, + iid, + AuthRequest::MANAGE, + 0, + image->isPublic()); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } + // Get image from the ImagePool image = ImagePublish::ipool->get(iid,true); @@ -65,11 +84,6 @@ void RequestManager::ImagePublish::execute( goto error_image_get; } - if ( uid != 0 && uid != image->get_uid() ) - { - goto error_authorization; - } - image->publish(publish_flag); ImagePublish::ipool->update(image); @@ -95,10 +109,9 @@ error_image_get: oss << "[ImagePublish] Error getting image with ID = " << iid; goto error_common; -error_authorization: +error_authorize: oss << "[ImagePublish] User not authorized to publish/unpublish image" << ", aborting call."; - image->unlock(); goto error_common; error_common: diff --git a/src/rm/RequestManagerImageRemoveAttribute.cc b/src/rm/RequestManagerImageRemoveAttribute.cc index 348fefb4bf..b00c88c1ef 100644 --- a/src/rm/RequestManagerImageRemoveAttribute.cc +++ b/src/rm/RequestManagerImageRemoveAttribute.cc @@ -15,10 +15,12 @@ /* -------------------------------------------------------------------------- */ #include "RequestManager.h" -#include "NebulaLog.h" +#include "NebulaLog.h" #include "Nebula.h" +#include "AuthManager.h" + /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -56,6 +58,23 @@ void RequestManager::ImageRemoveAttribute::execute( } uid = rc; + + //Authorize the operation + if ( uid != 0 ) // uid == 0 means oneadmin + { + AuthRequest ar(uid); + + ar.add_auth(AuthRequest::IMAGE, + iid, + AuthRequest::MANAGE, + 0, + image->isPublic()); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } // Get image from the ImagePool image = ImageRemoveAttribute::ipool->get(iid,true); @@ -65,12 +84,6 @@ void RequestManager::ImageRemoveAttribute::execute( goto error_image_get; } - - if ( uid != 0 && uid != image->get_uid() ) - { - goto error_authorization; - } - rc = ImageRemoveAttribute::ipool->remove_attribute(image, name); if ( rc < 0 ) @@ -99,10 +112,9 @@ error_image_get: oss << "[ImageRemoveAttribute] Error getting image with ID = " << iid; goto error_common; -error_authorization: +error_authorize: oss << "[ImageRemoveAttribute] User not authorized to remove image" << " attributes aborting call."; - image->unlock(); goto error_common; error_remove_attribute: diff --git a/src/rm/RequestManagerImageUpdate.cc b/src/rm/RequestManagerImageUpdate.cc index 780eac63f4..4af4a054a7 100644 --- a/src/rm/RequestManagerImageUpdate.cc +++ b/src/rm/RequestManagerImageUpdate.cc @@ -15,10 +15,12 @@ /* -------------------------------------------------------------------------- */ #include "RequestManager.h" -#include "NebulaLog.h" +#include "NebulaLog.h" #include "Nebula.h" +#include "AuthManager.h" + /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -58,6 +60,23 @@ void RequestManager::ImageUpdate::execute( } uid = rc; + + //Authorize the operation + if ( uid != 0 ) // uid == 0 means oneadmin + { + AuthRequest ar(uid); + + ar.add_auth(AuthRequest::IMAGE, + iid, + AuthRequest::MANAGE, + 0, + image->isPublic()); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } // Get image from the ImagePool image = ImageUpdate::ipool->get(iid,true); @@ -67,11 +86,6 @@ void RequestManager::ImageUpdate::execute( goto error_image_get; } - if ( uid != 0 && uid != image->get_uid() ) - { - goto error_authorization; - } - // This will perform the update on the DB as well, // so no need to do it manually rc = ImageUpdate::ipool->replace_attribute(image, name, value); @@ -102,10 +116,9 @@ error_image_get: oss << "Error getting image with ID = " << iid; goto error_common; -error_authorization: +error_authorize: oss << "User not authorized to modify image attributes " << ", aborting ImageUpdate call."; - image->unlock(); goto error_common; error_update: