Bug #3659: Restricted VM attr apply to the VM Template also

2025-03-29 18:50:08 +03:00 · 2015-03-06 17:35:10 +01:00 · 2015-03-06 17:35:10 +01:00 · 58cc44b955
commit 58cc44b955
parent aa87e0b919
3 changed files with 44 additions and 18 deletions
--- a/include/RequestManagerAllocate.h
+++ b/include/RequestManagerAllocate.h
@ -251,6 +251,10 @@ public:
                      int& id,
                      string& error_str,
                      RequestAttributes& att);
+
+    bool allocate_authorization(Template *          obj_template,
+                                RequestAttributes&  att,
+                                PoolObjectAuth *    cluster_perms);
 };

 /* ------------------------------------------------------------------------- */
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
@ -525,6 +525,46 @@ int TemplateAllocate::pool_allocate(
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */

+bool TemplateAllocate::allocate_authorization(
+        Template *          tmpl,
+        RequestAttributes&  att,
+        PoolObjectAuth *    cluster_perms)
+{
+    if ( att.uid == UserPool::ONEADMIN_ID )
+    {
+        return true;
+    }
+
+    AuthRequest ar(att.uid, att.group_ids);
+    string      t64;
+    string      aname;
+
+    VirtualMachineTemplate * ttmpl = static_cast<VirtualMachineTemplate *>(tmpl);
+
+    // ------------ Check template for restricted attributes -------------------
+
+    if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
+    {
+        if (ttmpl->check(aname))
+        {
+            ostringstream oss;
+
+            oss << "VM Template includes a restricted attribute " << aname;
+
+            failure_response(AUTHORIZATION,
+                    authorization_error(oss.str(), att),
+                    att);
+
+            return false;
+        }
+    }
+
+    return true;
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 int HostAllocate::pool_allocate(
        xmlrpc_c::paramList const&  paramList,
        Template *                  tmpl,
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
@ -79,24 +79,6 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList

    rtmpl->unlock();

-    // Check template for restricted attributes, only if owner is not oneadmin
-    if (perms.uid!=UserPool::ONEADMIN_ID && perms.gid!=GroupPool::ONEADMIN_ID)
-    {
-        if (tmpl->check(aname))
-        {
-            ostringstream oss;
-
-            oss << "VM Template includes a restricted attribute " << aname;
-
-            failure_response(AUTHORIZATION,
-                    authorization_error(oss.str(), att),
-                    att);
-
-            delete tmpl;
-            return;
-        }
-    }
-
    // Parse & merge user attributes (check if the request user is not oneadmin)
    if (!str_uattrs.empty())
    {