Fix access control for VNET reservations with group Resource Providers

include/PoolObjectAuth.h

@@ -43,7 +43,10 @@ public:
         group_a(0),
         other_u(0),
         other_m(0),
-        other_a(0) {};
+        other_a(0),
+        disable_all_acl(false),
+        disable_cluster_acl(false),
+        disable_group_acl(false) {};
 
     void get_acl_rules(AclRule& owner_rule,
                        AclRule& group_rule,
@@ -75,6 +78,10 @@ public:
     int other_u;
     int other_m;
     int other_a;
+
+    bool disable_all_acl;     // All objects of this type (e.g. NET/*)
+    bool disable_cluster_acl; // All objects in a cluster (e.g. NET/%100)
+    bool disable_group_acl;   // All objects own by this group (e.g. NET/@101)
 };
 
 #endif /*POOL_OBJECT_AUTH_H_*/

include/PoolObjectSQL.h

@@ -585,7 +585,7 @@ public:
      *  attributes
      *    @param auths to be filled
      */
-    void get_permissions(PoolObjectAuth& auths);
+    virtual void get_permissions(PoolObjectAuth& auths);
 
 protected:
 

include/VirtualNetwork.h

@@ -56,6 +56,14 @@ public:
         return new VirtualNetworkTemplate;
     }
 
+    /**
+     *  Fills a auth class to perform an authZ/authN request based on the object
+     *  attributes. Disables the cluster and all NET rules (NET* and NET/%) for
+     *  reservations.
+     *    @param auths to be filled
+     */
+    void get_permissions(PoolObjectAuth& auths);
+
     // *************************************************************************
     // Address Range management interface
     // *************************************************************************

src/acl/AclManager.cc

@@ -222,7 +222,7 @@ const bool AclManager::authorize(
 
     long long resource_gid_req;
 
-    if ( obj_perms.gid >= 0 )
+    if ((obj_perms.gid >= 0) && (!obj_perms.disable_group_acl))
     {
         resource_gid_req = obj_perms.obj_type |
                            AclRule::GROUP_ID |
@@ -235,7 +235,7 @@ const bool AclManager::authorize(
 
     long long resource_cid_req;
 
-    if ( obj_perms.cid >= 0 )
+    if ((obj_perms.cid >= 0) && (!obj_perms.disable_cluster_acl))
     {
         resource_cid_req = obj_perms.obj_type |
                            AclRule::CLUSTER_ID |
@@ -246,7 +246,17 @@ const bool AclManager::authorize(
         resource_cid_req = AclRule::NONE_ID;
     }
 
-    long long resource_all_req  = obj_perms.obj_type | AclRule::ALL_ID;
+    long long resource_all_req ;
+
+    if (!obj_perms.disable_all_acl)
+    {
+        resource_all_req = obj_perms.obj_type | AclRule::ALL_ID;
+    }
+    else
+    {
+        resource_all_req = AclRule::NONE_ID;
+    }
+
     long long rights_req        = op;
 
     long long resource_oid_mask = obj_perms.obj_type |

src/vnm/VirtualNetwork.cc

@@ -19,6 +19,7 @@
 #include "VirtualNetworkPool.h"
 #include "VirtualNetworkTemplate.h"
 #include "AddressRange.h"
+#include "PoolObjectAuth.h"
 
 #include "NebulaLog.h"
 
@@ -67,6 +68,20 @@ VirtualNetwork::~VirtualNetwork()
     delete obj_template;
 }
 
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
+void VirtualNetwork::get_permissions(PoolObjectAuth& auths)
+{
+    PoolObjectSQL::get_permissions(auths);
+
+    if (parent_vid != -1)
+    {
+        auths.disable_cluster_acl = true;
+        auths.disable_all_acl     = true;
+    }
+}
+
 /* ************************************************************************** */
 /* Virtual Network :: Database Access Functions                               */
 /* ************************************************************************** */