From 6bbf69adedb0e01dbb24578520756d183a6c1f38 Mon Sep 17 00:00:00 2001 From: Daniel Molina Date: Thu, 9 Apr 2015 12:09:57 +0200 Subject: [PATCH] feature #3652: Add option in onegate conf to disable available actions --- src/onegate/etc/onegate-server.conf | 18 ++++++++++++++++++ src/onegate/onegate-server.rb | 27 +++++++++++++++++++++++---- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/src/onegate/etc/onegate-server.conf b/src/onegate/etc/onegate-server.conf index ef3a864e35..c33930ddf0 100644 --- a/src/onegate/etc/onegate-server.conf +++ b/src/onegate/etc/onegate-server.conf @@ -57,3 +57,21 @@ ################################################################################ :oneflow_server: http://localhost:2474 + + +################################################################################ +# Permissions +################################################################################ + +:permissions: + :vm: + :show: true + :show_by_id: true + :update: true + :update_by_id: true + :action_by_id: true + :service: + :show: true + :change_cardinality: true + + diff --git a/src/onegate/onegate-server.rb b/src/onegate/onegate-server.rb index 89067bda55..5efe05f4dd 100644 --- a/src/onegate/onegate-server.rb +++ b/src/onegate/onegate-server.rb @@ -151,6 +151,15 @@ helpers do return OpenNebula::Error.new("Error parsing JSON: Wrong resource type") end end + + def check_permissions(resource, action) + permissions = settings.config[:permissions] + unless permissions && permissions[resource] && permissions[resource][action] + error_msg = "Action (#{action}) on resource (#{resource}) not supported" + logger.error {error_msg} + halt 403, error_msg + end + end end NIC_VALID_KEYS = %w(IP IP6_LINK IP6_SITE IP6_GLOBAL NETWORK MAC) @@ -243,6 +252,8 @@ get '/' do end put '/vm' do + check_permissions(:vm, :update) + client = authenticate(request.env, params) halt 401, "Not authorized" if client.nil? 
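Review bot: The new `:permissions:` section carries no comment on what an absent key means, yet the server-side check in this same commit rejects any action whose key is missing or not truthy, so an installation upgraded with its old onegate-server.conf (which has no such section) will answer 403 on every route. Add a comment above `:permissions:` such as `# Every action below is allowed only when set to true; a missing key, or a missing section, disables the action (HTTP 403).` so operators know the section is mandatory and fail-closed. A second line mapping the keys to routes (e.g. `# :action_by_id: gates POST /vms/:id/action`) would spare them reading the server source to find out which toggle affects which endpoint.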
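Review bot: The `unless permissions && permissions[resource] && permissions[resource][action]` test in `check_permissions` enables an action for any truthy value, so a config mistake such as `:show: 0` or a quoted `:show: "false"` silently enables the route rather than disabling it. For an authorization toggle a strict comparison is the safer choice: `unless permissions && permissions[resource] && permissions[resource][action] == true`. Denying on a missing section, resource or action key is the right fail-closed default; a comment such as `# Fail closed: a missing section, resource or action key denies the request` would make that intent visible to the next maintainer.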
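Review bot: `check_permissions(:vm, :update)` runs before `authenticate`, so an unauthenticated caller gets a 403 naming the disabled action instead of the usual 401, and each probe of a disabled route writes an error-level log line with no credential check, which makes log flooding cheap. Unless disabled routes are meant to be indistinguishable for everyone, move the call below the authentication guard, i.e. `client = authenticate(request.env, params)`, `halt 401, "Not authorized" if client.nil?`, `check_permissions(:vm, :update)`, or at least log the rejection at warn level rather than error. The same ordering is used in every route this commit touches, so the change applies to all of them; the body of `put '/vm'` continues outside the hunk.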
@@ -262,6 +273,8 @@ put '/vm' do end get '/vm' do + check_permissions(:vm, :show) + client = authenticate(request.env, params) halt 401, "Not authorized" if client.nil? @@ -276,6 +289,8 @@ get '/vm' do end get '/service' do + check_permissions(:service, :show) + client = authenticate(request.env, params) halt 401, "Not authorized" if client.nil? @@ -312,6 +327,8 @@ get '/service' do end get '/vms/:id' do + check_permissions(:vm, :show_by_id) + client = authenticate(request.env, params) halt 401, "Not authorized" if client.nil? @@ -353,6 +370,8 @@ get '/vms/:id' do end post '/vms/:id/action' do + check_permissions(:vm, :action_by_id) + client = authenticate(request.env, params) halt 401, "Not authorized" if client.nil? @@ -438,6 +457,8 @@ post '/vms/:id/action' do end put '/service/role/:role' do + check_permissions(:service, :change_cardinality) + client = authenticate(request.env, params) halt 401, "Not authorized" if client.nil? @@ -484,11 +505,9 @@ put '/service/role/:role' do [200, ""] end -############# -# DEPRECATED -############# - put '/vms/:id' do + check_permissions(:vm, :update_by_id) + client = authenticate(request.env, params) halt 401, "Not authorized" if client.nil?
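Review bot: `:action_by_id` is a single toggle for the whole `POST /vms/:id/action` route, so an operator cannot allow a harmless action while disabling the destructive ones, and neither the config file nor the commit message says the toggle is that coarse. If per-action control is out of scope, a comment on the config key stating that it covers every action name this route accepts would avoid a false sense of granularity; otherwise a second lookup keyed by the requested action name inside the route (e.g. `permissions[:vm][:actions][action_name]`) would provide it. The action name is presumably parsed further down in this route, outside the hunk, so I cannot confirm which values it accepts.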
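Review bot: The hunk deletes the `# DEPRECATED` banner above `put '/vms/:id'` without a replacement, so the route is silently promoted from deprecated to supported (and now configurable via `:update_by_id`), a change the commit message does not mention. If the route is still deprecated, keep the banner or add `# @deprecated: prefer PUT /vm; disable with :permissions: -> :vm: -> :update_by_id:` next to `check_permissions(:vm, :update_by_id)` so operators know which toggle to turn off; if it is no longer deprecated, say so in the description. The body of `put '/vms/:id'` continues outside the hunk.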