B #6315: Fix remove of restricted vector attributes (#2731)

2025-01-21 18:03:38 +03:00 · 2023-09-18 16:17:59 +02:00 · 2023-09-18 16:17:59 +02:00 · 534823e7f1
commit 534823e7f1
parent f5d6f11730
14 changed files with 29 additions and 27 deletions
--- a/include/GroupTemplate.h
+++ b/include/GroupTemplate.h
@ -32,9 +32,9 @@ public:
    // -------------------------------------------------------------------------
    // Restricted attributes interface implementation
    // -------------------------------------------------------------------------
-    bool check_restricted(std::string& rs_attr, const Template* base) override
+    bool check_restricted(std::string& rs_attr, const Template* base, bool append) override
    {
-        return Template::check_restricted(rs_attr, base, restricted);
+        return Template::check_restricted(rs_attr, base, restricted, append);
    }

    bool check_restricted(std::string& rs_attr) override
--- a/include/ImageTemplate.h
+++ b/include/ImageTemplate.h
@ -53,9 +53,9 @@ public:
    // -------------------------------------------------------------------------
    // Restricted attributes interface implementation
    // -------------------------------------------------------------------------
-    bool check_restricted(std::string& rs_attr, const Template* base) override
+    bool check_restricted(std::string& rs_attr, const Template* base, bool append) override
    {
-        return Template::check_restricted(rs_attr, base, restricted);
+        return Template::check_restricted(rs_attr, base, restricted, append);
    }

    bool check_restricted(std::string& rs_attr) override
--- a/include/Template.h
+++ b/include/Template.h
@ -460,7 +460,7 @@ public:
     *   The version of this method without base template just look for any
     *   restricted attribute.
     */
-    virtual bool check_restricted(std::string& rs_attr, const Template* base)
+    virtual bool check_restricted(std::string& rs_attr, const Template* base, bool append)
    {
        return false;
    }
@ -549,7 +549,7 @@ protected:
     *    in the template
     */
    bool check_restricted(std::string& rs_attr, const Template* base,
-           const std::map<std::string, std::set<std::string> >& ras);
+           const std::map<std::string, std::set<std::string> >& ras, bool append);

    bool check_restricted(std::string& rs_attr,
           const std::map<std::string, std::set<std::string> >& ras);
--- a/include/UserTemplate.h
+++ b/include/UserTemplate.h
@ -32,9 +32,9 @@ public:
    // -------------------------------------------------------------------------
    // Restricted attributes interface implementation
    // -------------------------------------------------------------------------
-    bool check_restricted(std::string& rs_attr, const Template* base) override
+    bool check_restricted(std::string& rs_attr, const Template* base, bool append) override
    {
-        return Template::check_restricted(rs_attr, base, restricted);
+        return Template::check_restricted(rs_attr, base, restricted, append);
    }

    bool check_restricted(std::string& rs_attr) override
--- a/include/VirtualMachine.h
+++ b/include/VirtualMachine.h
@ -1224,9 +1224,9 @@ public:
     *    @param ra the restricted attribute found to be different
     *    @return true if a different restricted is found
     */
-    bool check_restricted(std::string& ra, VirtualMachineTemplate * tgt) const
+    bool check_restricted(std::string& ra, VirtualMachineTemplate * tgt, bool append) const
    {
-        return tgt->check_restricted(ra, obj_template.get());
+        return tgt->check_restricted(ra, obj_template.get(), append);
    }

    // -------------------------------------------------------------------------
--- a/include/VirtualMachineTemplate.h
+++ b/include/VirtualMachineTemplate.h
@ -72,9 +72,9 @@ public:
    // -------------------------------------------------------------------------
    // Restricted attributes interface implementation
    // -------------------------------------------------------------------------
-    bool check_restricted(std::string& rs_attr, const Template* base) override
+    bool check_restricted(std::string& rs_attr, const Template* base, bool append) override
    {
-        return Template::check_restricted(rs_attr, base, restricted);
+        return Template::check_restricted(rs_attr, base, restricted, append);
    }

    bool check_restricted(std::string& rs_attr) override
--- a/include/VirtualNetworkTemplate.h
+++ b/include/VirtualNetworkTemplate.h
@ -39,9 +39,9 @@ public:
    // -------------------------------------------------------------------------
    // Restricted attributes interface implementation
    // -------------------------------------------------------------------------
-    bool check_restricted(std::string& rs_attr, const Template* base) override
+    bool check_restricted(std::string& rs_attr, const Template* base, bool append) override
    {
-        return Template::check_restricted(rs_attr, base, restricted);
+        return Template::check_restricted(rs_attr, base, restricted, append);
    }

    bool check_restricted(std::string& rs_attr) override
--- a/src/pool/PoolObjectSQL.cc
+++ b/src/pool/PoolObjectSQL.cc
@ -278,7 +278,7 @@ int PoolObjectSQL::replace_template(
    if (obj_template)
    {
        if ( keep_restricted &&
-             new_tmpl->check_restricted(ra, obj_template.get()) )
+             new_tmpl->check_restricted(ra, obj_template.get(), false) )
        {
            error = "Tried to change restricted attribute: " + ra;

@ -339,11 +339,12 @@ int PoolObjectSQL::append_template(
    if ( obj_template )
    {
        if (keep_restricted &&
-            new_tmpl->check_restricted(rname, obj_template.get()))
+            new_tmpl->check_restricted(rname, obj_template.get(), true))
        {
            error ="User Template includes a restricted attribute " + rname;
            return -1;
        }
+        old_tmpl = std::make_unique<Template>(*obj_template);
        obj_template->merge(new_tmpl.get());
    }
    else
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
@ -320,7 +320,7 @@ Request::ErrorCode VMTemplateInstantiate::merge(

 	if (!att.is_admin())
 	{
-        if (uattrs.check_restricted(aname, tmpl))
+        if (uattrs.check_restricted(aname, tmpl, true))
 		{
 			att.resp_msg ="User Template includes a restricted attribute " + aname;

--- a/src/rm/RequestManagerVNTemplate.cc
+++ b/src/rm/RequestManagerVNTemplate.cc
@ -208,7 +208,7 @@ Request::ErrorCode VNTemplateInstantiate::merge(

    if (!att.is_admin())
    {
-        if (uattrs.check_restricted(aname, tmpl))
+        if (uattrs.check_restricted(aname, tmpl, true))
        {
            att.resp_msg ="User Template includes a restricted attribute " + aname;

--- a/src/rm/RequestManagerVirtualMachine.cc
+++ b/src/rm/RequestManagerVirtualMachine.cc
@ -3646,7 +3646,7 @@ void VirtualMachineUpdateConf::request_execute(
    {
        string aname;

-        if ( vm->check_restricted(aname, uc_tmpl.get()) )
+        if ( vm->check_restricted(aname, uc_tmpl.get(), update_type == 1) )
        {
            att.resp_msg = "Template includes a restricted attribute " + aname;
            failure_response(AUTHORIZATION, att);
--- a/src/template/Template.cc
+++ b/src/template/Template.cc
@ -787,17 +787,18 @@ static bool restricted_values(const string& vname, const set<string>& vsubs,
 }

 bool Template::check_restricted(string& ra, const Template* base,
-        const std::map<std::string, std::set<std::string> >& ras)
+        const std::map<std::string, std::set<std::string> >& ras, bool append)
 {
    for ( auto rit = ras.begin(); rit != ras.end(); ++rit )
    {
        if (!(rit->second).empty())
        {
            vector<string> rvalues, rvalues_base;
-            bool has_restricted;

-            has_restricted = restricted_values(rit->first, rit->second, this, rvalues);
-            restricted_values(rit->first, rit->second, base, rvalues_base);
+            bool new_restricted  = restricted_values(rit->first, rit->second, this, rvalues);
+            bool base_restricted = restricted_values(rit->first, rit->second, base, rvalues_base);
+            
+            bool has_restricted = new_restricted || (!append && base_restricted);

            if ( rvalues != rvalues_base && has_restricted)
            {
--- a/src/vm/VirtualMachine.cc
+++ b/src/vm/VirtualMachine.cc
@ -2807,7 +2807,7 @@ int VirtualMachine::replace_template(
    if (user_obj_template)
    {
        if (keep_restricted &&
-            new_tmpl->check_restricted(ra, user_obj_template.get()))
+            new_tmpl->check_restricted(ra, user_obj_template.get(), false))
        {
            error = "Tried to change restricted attribute: " + ra;

@ -2860,7 +2860,7 @@ int VirtualMachine::append_template(
    auto old_user_tmpl = make_unique<VirtualMachineTemplate>(*user_obj_template);

    if (keep_restricted &&
-        new_tmpl->check_restricted(rname, user_obj_template.get()))
+        new_tmpl->check_restricted(rname, user_obj_template.get(), true))
    {
        error ="User Template includes a restricted attribute " + rname;

--- a/src/vnm/VirtualNetwork.cc
+++ b/src/vnm/VirtualNetwork.cc
@ -1469,7 +1469,7 @@ int VirtualNetwork::replace_template(const std::string& tmpl_str,
    }

    if ( keep_restricted &&
-            new_tmpl->check_restricted(ra, obj_template.get()) )
+            new_tmpl->check_restricted(ra, obj_template.get(), false) )
    {
        error = "Tried to change restricted attribute: " + ra;

@ -1521,7 +1521,7 @@ int VirtualNetwork::append_template(
    set_updated_attributes(new_tmpl.get(), false);

    if (keep_restricted &&
-        new_tmpl->check_restricted(rname, obj_template.get()))
+        new_tmpl->check_restricted(rname, obj_template.get(), true))
    {
        error ="User Template includes a restricted attribute " + rname;
        return -1;