feature-754: OpenNebula core sends information about the ACL authZ result to the driver. Improved formatting of auth strings. Check trivial authZ requests.
parent
22574704e4
commit
65606e7faf
@ -385,17 +385,26 @@ public:
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the authorization requests in a single string
|
* Gets the authorization requests in a single string
|
||||||
* @return a space separated list of auth requests.
|
* @return a space separated list of auth requests, or an empty string if
|
||||||
|
* no auth requests were added
|
||||||
*/
|
*/
|
||||||
string get_auths()
|
string get_auths()
|
||||||
{
|
{
|
||||||
ostringstream oss;
|
ostringstream oss;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
for (unsigned int i=0; i<auths.size(); i++)
|
if ( auths.empty() )
|
||||||
|
{
|
||||||
|
return string();
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i=0; i<auths.size()-1; i++)
|
||||||
{
|
{
|
||||||
oss << auths[i] << " ";
|
oss << auths[i] << " ";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
oss << auths[i];
|
||||||
|
|
||||||
return oss.str();
|
return oss.str();
|
||||||
};
|
};
|
||||||
|
|
||||||
|
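Review bot: The loop bound `auths.size()-1` in get_auths() is an unsigned subtraction that is safe only because of the `auths.empty()` early return a few lines above it. If that guard is ever moved or dropped, the bound wraps and the loop indexes far past the end of `auths`. I would make the dependency explicit with a comment on the loop, `// auths is non-empty here, so size()-1 cannot wrap`, or emit the separator before every element except the first so that no subtraction is needed. The stray `;` after the function's closing brace can go as well.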
@ -71,9 +71,11 @@ private:
|
|||||||
* "AUTHORIZE OPERATION_ID USER_ID REQUEST1 REQUEST2..."
|
* "AUTHORIZE OPERATION_ID USER_ID REQUEST1 REQUEST2..."
|
||||||
* @param oid an id to identify the request.
|
* @param oid an id to identify the request.
|
||||||
* @param uid the user id.
|
* @param uid the user id.
|
||||||
* @param requests space separated list of requests in the form OP:OBJ:ID
|
* @param requests space separated list of requests in the form OP:OB:ID
|
||||||
|
* @param acl is the authorization result using the ACL engine for
|
||||||
|
* this request
|
||||||
*/
|
*/
|
||||||
void authorize(int oid, int uid, const string& requests) const;
|
void authorize(int oid, int uid, const string& requests, bool acl) const;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sends an authorization request to the MAD:
|
* Sends an authorization request to the MAD:
|
||||||
|
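Review bot: The protocol line in this comment still reads `"AUTHORIZE OPERATION_ID USER_ID REQUEST1 REQUEST2..."` and does not show the new trailing field, so the documented wire format no longer matches what authorize() takes. Driver authors presumably work from this comment, so I would extend it to `"AUTHORIZE OPERATION_ID USER_ID REQUEST1 REQUEST2... ACL"` and have the `@param acl` text state how the value is encoded (apparently `0`/`1`) and that it is the core's own ACL result. The change from `OP:OBJ:ID` to `OP:OB:ID` looks accidental. The comment block starts above the hunk.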
@ -285,7 +285,8 @@ void AuthManager::authorize_action(AuthRequest * ar)
|
|||||||
|
|
||||||
if (authm_md == 0)
|
if (authm_md == 0)
|
||||||
{
|
{
|
||||||
goto error_driver;
|
ar->message = "Could not find Authorization driver";
|
||||||
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
// ------------------------------------------------------------------------
|
// ------------------------------------------------------------------------
|
||||||
@ -300,15 +301,23 @@ void AuthManager::authorize_action(AuthRequest * ar)
|
|||||||
|
|
||||||
auths = ar->get_auths();
|
auths = ar->get_auths();
|
||||||
|
|
||||||
authm_md->authorize(ar->id, ar->uid, auths);
|
if ( auths.empty() )
|
||||||
|
{
|
||||||
|
ar->message = "Empty authorization string";
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
authm_md->authorize(ar->id, ar->uid, auths, ar->self_authorize);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
|
|
||||||
error_driver:
|
error:
|
||||||
ar->result = false;
|
ar->result = false;
|
||||||
ar->message = "Could not find Authorization driver";
|
|
||||||
ar->notify();
|
ar->notify();
|
||||||
|
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* -------------------------------------------------------------------------- */
|
/* -------------------------------------------------------------------------- */
|
||||||
/* -------------------------------------------------------------------------- */
|
/* -------------------------------------------------------------------------- */
|
||||||
|
|
||||||
|
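Review bot: The call `authm_md->authorize(ar->id, ar->uid, auths, ar->self_authorize)` passes the core's ACL outcome to an external driver, but nothing at the call site says whether that value is advisory or binding for the final decision. The parameter is documented as the ACL result while the field is named `self_authorize`, so a reader cannot tell from here that they are the same thing. A comment such as `// self_authorize carries the core ACL result; the driver's reply still decides ar->result` would help if that is the intent, which the hunk does not show. Separately, the `error:` label no longer sets a message, so every jump to it must assign `ar->message` first; both visible sites do. authorize_action() begins outside the hunk.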
@ -25,11 +25,14 @@
|
|||||||
/* Driver ASCII Protocol Implementation */
|
/* Driver ASCII Protocol Implementation */
|
||||||
/* ************************************************************************** */
|
/* ************************************************************************** */
|
||||||
|
|
||||||
void AuthManagerDriver::authorize(int oid, int uid, const string& reqs) const
|
void AuthManagerDriver::authorize(int oid,
|
||||||
|
int uid,
|
||||||
|
const string& reqs,
|
||||||
|
bool acl) const
|
||||||
{
|
{
|
||||||
ostringstream os;
|
ostringstream os;
|
||||||
|
|
||||||
os << "AUTHORIZE " << oid << " " << uid << " " << reqs << endl;
|
os << "AUTHORIZE " << oid << " " << uid << " " << reqs << " " << acl <<endl;
|
||||||
|
|
||||||
write(os);
|
write(os);
|
||||||
}
|
}
|
||||||
|
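Review bot: The new flag is written after `reqs`, which is itself a space separated list of variable length, so on the wire the ACL result can be told apart from a request only by being the last token. A driver that still parses the old format would, as far as the visible code shows, take the trailing `0`/`1` as one more request instead of failing. I would document the field order above the function, for example `// Line: AUTHORIZE <oid> <uid> <req1> ... <reqN> <acl>; acl is 0 or 1 and is always the last token`. If the protocol can still change, placing the fixed field before the list would make parsing unambiguous.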
@ -182,7 +182,7 @@ public:
|
|||||||
string astr = "VM:VGhpcyBpcyBhIHRlbXBsYXRlCg==:CREATE:-1:0:0 "
|
string astr = "VM:VGhpcyBpcyBhIHRlbXBsYXRlCg==:CREATE:-1:0:0 "
|
||||||
"IMAGE:2:USE:3:0:0 "
|
"IMAGE:2:USE:3:0:0 "
|
||||||
"NET:4:DELETE:5:1:0 "
|
"NET:4:DELETE:5:1:0 "
|
||||||
"HOST:6:MANAGE:7:1:0";
|
"HOST:6:MANAGE:7:1:0 0";
|
||||||
|
|
||||||
ar.add_auth(AuthRequest::VM,
|
ar.add_auth(AuthRequest::VM,
|
||||||
"This is a template\n",
|
"This is a template\n",
|
||||||
@ -214,7 +214,6 @@ public:
|
|||||||
|
|
||||||
am->trigger(AuthManager::AUTHORIZE,&ar);
|
am->trigger(AuthManager::AUTHORIZE,&ar);
|
||||||
ar.wait();
|
ar.wait();
|
||||||
|
|
||||||
/*
|
/*
|
||||||
if ( ar.result != false )
|
if ( ar.result != false )
|
||||||
{
|
{
|
||||||
@ -229,6 +228,56 @@ public:
|
|||||||
//*/
|
//*/
|
||||||
CPPUNIT_ASSERT(ar.result==false);
|
CPPUNIT_ASSERT(ar.result==false);
|
||||||
CPPUNIT_ASSERT(ar.message==astr);
|
CPPUNIT_ASSERT(ar.message==astr);
|
||||||
|
|
||||||
|
AuthRequest ar1(2, 2);
|
||||||
|
|
||||||
|
string astr1= "VM:VGhpcyBpcyBhIHRlbXBsYXRlCg==:CREATE:-1:0:0 0";
|
||||||
|
|
||||||
|
ar1.add_auth(AuthRequest::VM,
|
||||||
|
"This is a template\n",
|
||||||
|
0,
|
||||||
|
AuthRequest::CREATE,
|
||||||
|
-1,
|
||||||
|
false);
|
||||||
|
|
||||||
|
am->trigger(AuthManager::AUTHORIZE,&ar1);
|
||||||
|
ar1.wait();
|
||||||
|
/*
|
||||||
|
if ( ar1.result != false )
|
||||||
|
{
|
||||||
|
cout << endl << "ar.result: " << ar1.result << endl;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ar1.message != astr1 )
|
||||||
|
{
|
||||||
|
cout << endl << "ar.message: " << ar1.message;
|
||||||
|
cout << endl << "expected: " << astr1 << endl;
|
||||||
|
}
|
||||||
|
//*/
|
||||||
|
CPPUNIT_ASSERT(ar1.result==false);
|
||||||
|
CPPUNIT_ASSERT(ar1.message==astr1);
|
||||||
|
|
||||||
|
AuthRequest ar2(2, 2);
|
||||||
|
|
||||||
|
string astr2= "Empty authorization string";
|
||||||
|
|
||||||
|
|
||||||
|
am->trigger(AuthManager::AUTHORIZE,&ar2);
|
||||||
|
ar2.wait();
|
||||||
|
/*
|
||||||
|
if ( ar1.result != false )
|
||||||
|
{
|
||||||
|
cout << endl << "ar.result: " << ar1.result << endl;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ar1.message != astr1 )
|
||||||
|
{
|
||||||
|
cout << endl << "ar.message: " << ar1.message;
|
||||||
|
cout << endl << "expected: " << astr1 << endl;
|
||||||
|
}
|
||||||
|
//*/
|
||||||
|
CPPUNIT_ASSERT(ar2.result==false);
|
||||||
|
CPPUNIT_ASSERT(ar2.message==astr2);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
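Review bot: Both expected strings, `astr` and `astr1`, end in ` 0`, so the tests exercise only the case where the ACL flag sent to the driver is false. A request for which the core ACL check succeeds, with an expected message ending in ` 1`, is needed to show the flag is actually propagated and not constant. In the `ar2` block the commented-out debug code still refers to `ar1` and `astr1`; it should use `ar2` and `astr2` or be dropped. The test method starts outside the visible hunks.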