From 3df4f4f9953ace53746987524eaa51616a365692 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Wed, 17 Sep 2014 17:05:01 +0200
Subject: [PATCH] Fix access control for VNET reservations with group Resource Providers
---
 include/PoolObjectAuth.h | 9 ++++++++-
 include/PoolObjectSQL.h | 2 +-
 include/VirtualNetwork.h | 8 ++++++++
 src/acl/AclManager.cc | 16 +++++++++++++---
 src/vnm/VirtualNetwork.cc | 15 +++++++++++++++
 5 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/include/PoolObjectAuth.h b/include/PoolObjectAuth.h
index 6a2509909f..9d27f1f874 100644
--- a/include/PoolObjectAuth.h
+++ b/include/PoolObjectAuth.h
@@ -43,7 +43,10 @@ public:
 group_a(0),
 other_u(0),
 other_m(0),
- other_a(0) {};
+ other_a(0),
+ disable_all_acl(false),
+ disable_cluster_acl(false),
+ disable_group_acl(false) {};
 void get_acl_rules(AclRule& owner_rule,
 AclRule& group_rule,
@@ -75,6 +78,10 @@ public:
 int other_u;
 int other_m;
 int other_a;
+
+ bool disable_all_acl; // All objects of this type (e.g. NET/*)
+ bool disable_cluster_acl; // All objects in a cluster (e.g. NET/%100)
+ bool disable_group_acl; // All objects own by this group (e.g. NET/@101)
 };
 #endif /*POOL_OBJECT_AUTH_H_*/
diff --git a/include/PoolObjectSQL.h b/include/PoolObjectSQL.h
index bf1d3b119f..c235b3a4e0 100644
--- a/include/PoolObjectSQL.h
+++ b/include/PoolObjectSQL.h
@@ -585,7 +585,7 @@ public:
 * attributes
 * @param auths to be filled
 */
- void get_permissions(PoolObjectAuth& auths);
+ virtual void get_permissions(PoolObjectAuth& auths);
 protected:
diff --git a/include/VirtualNetwork.h b/include/VirtualNetwork.h
index 33216b3443..84bd33bb99 100644
--- a/include/VirtualNetwork.h
+++ b/include/VirtualNetwork.h
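Review bot: The new `disable_group_acl` field in the PoolObjectAuth.h member hunk is consulted by AclManager::authorize but nothing in this patch ever sets it — the VirtualNetwork.cc hunk that introduces the only producer (VirtualNetwork::get_permissions) sets just `disable_cluster_acl` and `disable_all_acl`, so NET/@gid rules still grant access to reservations. If that is intended, say so next to the field; if not, the producer is incomplete. Its comment also has a typo and should read `bool disable_group_acl;   // All objects owned by this group (e.g. NET/@101)`. Since the flags default to false in the constructor and only change behaviour through the override, a one-line comment above the group naming the consumer would help, e.g. `// When set, AclManager::authorize skips ACL rules of that scope for this object.`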
@@ -56,6 +56,14 @@ public:
 return new VirtualNetworkTemplate;
 }
+ /**
+ * Fills a auth class to perform an authZ/authN request based on the object
+ * attributes. Disables the cluster and all NET rules (NET* and NET/%) for
+ * reservations.
+ * @param auths to be filled
+ */
+ void get_permissions(PoolObjectAuth& auths);
+
 // *************************************************************************
 // Address Range management interface
 // *************************************************************************
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index 6d0c07659d..c12f68232f 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -222,7 +222,7 @@ const bool AclManager::authorize(
 long long resource_gid_req;
- if ( obj_perms.gid >= 0 )
+ if ((obj_perms.gid >= 0) && (!obj_perms.disable_group_acl))
 {
 resource_gid_req = obj_perms.obj_type |
 AclRule::GROUP_ID |
@@ -235,7 +235,7 @@ const bool AclManager::authorize(
 long long resource_cid_req;
- if ( obj_perms.cid >= 0 )
+ if ((obj_perms.cid >= 0) && (!obj_perms.disable_cluster_acl))
 {
 resource_cid_req = obj_perms.obj_type |
 AclRule::CLUSTER_ID |
@@ -246,7 +246,17 @@ const bool AclManager::authorize(
 resource_cid_req = AclRule::NONE_ID;
 }
- long long resource_all_req = obj_perms.obj_type | AclRule::ALL_ID;
+ long long resource_all_req ;
+
+ if (!obj_perms.disable_all_acl)
+ {
+ resource_all_req = obj_perms.obj_type | AclRule::ALL_ID;
+ }
+ else
+ {
+ resource_all_req = AclRule::NONE_ID;
+ }
+
 long long rights_req = op;
 long long resource_oid_mask = obj_perms.obj_type |
diff --git a/src/vnm/VirtualNetwork.cc b/src/vnm/VirtualNetwork.cc
index 1e0f4e758c..ce3c0941c4 100644
--- a/src/vnm/VirtualNetwork.cc
+++ b/src/vnm/VirtualNetwork.cc
@@ -19,6 +19,7 @@
 #include "VirtualNetworkPool.h"
 #include "VirtualNetworkTemplate.h"
 #include "AddressRange.h"
+#include "PoolObjectAuth.h"
 #include "NebulaLog.h"
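Review bot: The override declared in the VirtualNetwork.h hunk omits the `virtual` keyword even though the same commit makes PoolObjectSQL::get_permissions virtual, so a reader of this header alone cannot tell it replaces base behaviour; declare it as `virtual void get_permissions(PoolObjectAuth& auths);` (this file does not use C++11, so `override` is not available). The doc comment should also match the rule notation used in PoolObjectAuth.h and state the trigger: `Fills an auth class ... Disables the type-wide (NET/*) and cluster-wide (NET/%) rules for reservations, i.e. when parent_vid != -1.`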
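Review bot: In the third AclManager.cc hunk the new declaration `long long resource_all_req ;` carries a stray space before the semicolon, and the block is the only one of the three scope checks (this one, the gid hunk and the cid hunk) that does not explain why a scope can be skipped. A short comment at the top of the new if/else would make the security intent visible to the next maintainer: `// An object may opt out of a rule scope (PoolObjectAuth::disable_*_acl); NONE_ID is the same no-match value the gid/cid branches already use.` AclManager::authorize begins and ends outside this hunk, so whether any other matching path still honours NET/* for such objects cannot be checked from here.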
@@ -67,6 +68,20 @@ VirtualNetwork::~VirtualNetwork()
 delete obj_template;
 }
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+void VirtualNetwork::get_permissions(PoolObjectAuth& auths)
+{
+ PoolObjectSQL::get_permissions(auths);
+ if (parent_vid != -1)
+ {
+ auths.disable_cluster_acl = true;
+ auths.disable_all_acl = true;
+ }
+}
+
 /* ************************************************************************** */
 /* Virtual Network :: Database Access Functions */
 /* ************************************************************************** */
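Review bot: VirtualNetwork::get_permissions gives no reason for the two flags it sets, yet this is the exact point where a reservation stops being reachable through cluster-wide and type-wide rules, which is a policy decision worth recording in the code: `// Reservations (parent_vid != -1) must not inherit access granted by NET/% or NET/* rules; only per-object rules, NET/@gid rules and the ownership bits apply.` The `-1` sentinel for "no parent" is repeated here as a bare literal; if the class already has a named constant or accessor for it (not visible in this hunk) prefer that so the check cannot drift from the definition. The function is complete within the hunk.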