feature #200: Auth for VirtualNetworks

src/rm/RequestManagerVirtualNetworkAllocate.cc

@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -64,6 +66,19 @@ void RequestManager::VirtualNetworkAllocate::execute(
     uid = user->get_uid();
 
     user->unlock();
+    
+    //Authorize the operation
+    if ( uid != 0 ) // uid == 0 means oneadmin
+    {
+        AuthRequest ar(uid);
+
+        ar.add_auth(AuthRequest::NET,-1,AuthRequest::CREATE,0,false);
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
 
     rc = vnpool->allocate(uid,stemplate,&nid);
 
@@ -91,6 +106,10 @@ error_session:
 error_get_user:
     oss << "User not recognized, cannot allocate VirtualNetwork";
     goto error_common;
+    
+error_authorize:
+    oss << "User not authorized to create a VirtualNetwork";
+    goto error_common;
 
 error_vn_allocate:
     oss << "Error allocating VN with template: " << endl << stemplate;

src/rm/RequestManagerVirtualNetworkDelete.cc

@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -45,6 +47,27 @@ void RequestManager::VirtualNetworkDelete::execute(
     session   = xmlrpc_c::value_string(paramList.getString(0));
     nid       = xmlrpc_c::value_int   (paramList.getInt   (1));
     
+    // Only oneadmin or the VN owner can perform operations upon the VN
+    rc = VirtualNetworkDelete::upool->authenticate(session);
+    
+    if ( rc == -1 )                             
+    {                                            
+        goto error_authenticate;                     
+    }
+    
+    //Authorize the operation
+    if ( rc != 0 ) // rc == 0 means oneadmin
+    {
+        AuthRequest ar(rc);
+
+        ar.add_auth(AuthRequest::NET,nid,AuthRequest::DELETE,0,false);
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
+    
     // Retrieve VN from the pool 
     vn = vnpool->get(nid,true);    
    
@@ -54,14 +77,6 @@ void RequestManager::VirtualNetworkDelete::execute(
     }
 
     uid = vn->get_uid();
-
-    // Only oneadmin or the VN owner can perform operations upon the VN
-    rc = VirtualNetworkDelete::upool->authenticate(session);
-    
-    if ( rc != 0 && rc != uid)                             
-    {                                            
-        goto error_authenticate;                     
-    }
    
     rc = vnpool->drop(vn);
 
@@ -79,8 +94,11 @@ void RequestManager::VirtualNetworkDelete::execute(
     return;
 
 error_authenticate:
-    vn->unlock();
-    oss << "User cannot delete VN";
+    oss << "User not authenticated, aborting VirtualNetworkDelete call";
+    goto error_common;
+    
+error_authorize:
+    oss << "User not authorized to delete Virtual Network with NID = " << nid;
     goto error_common;
 
 error_vn_get:

src/rm/RequestManagerVirtualNetworkInfo.cc

@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -51,7 +53,7 @@ void RequestManager::VirtualNetworkInfo::execute(
     {
         goto error_authenticate;
     }
-
+    
     vn = vnpool->get(nid,true);
                                               
     if ( vn == 0 )                             
@@ -59,6 +61,23 @@ void RequestManager::VirtualNetworkInfo::execute(
         goto error_vn_get;                     
     }
     
+    //Authorize the operation
+    if ( rc != 0 ) // rc == 0 means oneadmin
+    {
+        AuthRequest ar(rc);
+
+        ar.add_auth(AuthRequest::NET,
+                    nid,
+                    AuthRequest::USE,
+                    0,
+                    vn->isPublic());
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
+    
     oss << *vn;
     
     vn->unlock();
@@ -82,9 +101,14 @@ error_authenticate:
 error_vn_get:
     oss << "Error getting Virtual Network with NID = " << nid; 
     goto error_common;
+    
+error_authorize:
+    vn->unlock();
+    oss << "User not authorized to view VirtualNetwork" << 
+           ", VirtualNetworkInfo call aborted.";
+    goto error_common;
 
 error_common:
-
     arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
     arrayData.push_back(xmlrpc_c::value_string(oss.str()));
 

src/rm/RequestManagerVirtualNetworkPublish.cc

@@ -65,9 +65,21 @@ void RequestManager::VirtualNetworkPublish::execute(
         goto error_vn_get;                     
     }
     
-    if ( uid != 0 && uid != vn->get_uid() )
+    //Authorize the operation
+    if ( uid != 0 ) // uid == 0 means oneadmin
     {
-        goto error_authorization;
+        AuthRequest ar(uid);
+
+        ar.add_auth(AuthRequest::NET,
+                    nid,
+                    AuthRequest::MANAGE,
+                    0,
+                    vn->isPublic());
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
     }
 
     vn->publish(publish_flag);
@@ -95,7 +107,7 @@ error_vn_get:
     oss << "[VirtualNetworkPublish] Error getting VN with ID = " << nid; 
     goto error_common;
     
-error_authorization:
+error_authorize:
     oss << "[VirtualNetworkPublish] User not authorized to (un)publish VN" << 
            ", aborting call.";
     vn->unlock();