From 7bfb930292aa451f09dcc86bbfd4f21378dc2e1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn?= Date: Fri, 23 Aug 2013 12:39:14 +0200 Subject: [PATCH] Feature #1742: Add a set of group IDs to Users --- include/AclManager.h | 4 +- include/AuthRequest.h | 7 +- include/Request.h | 2 + include/User.h | 45 ++- include/UserPool.h | 23 +- src/acl/AclManager.cc | 35 ++- src/authm/AuthManager.cc | 4 +- src/rm/Request.cc | 5 +- src/rm/RequestManagerAllocate.cc | 6 +- src/rm/RequestManagerChmod.cc | 2 +- src/rm/RequestManagerChown.cc | 7 +- src/rm/RequestManagerClone.cc | 2 +- src/rm/RequestManagerCluster.cc | 2 +- src/rm/RequestManagerDelete.cc | 2 +- src/rm/RequestManagerImage.cc | 2 +- src/rm/RequestManagerRename.cc | 2 +- src/rm/RequestManagerVMTemplate.cc | 2 +- src/rm/RequestManagerVirtualMachine.cc | 2 +- src/scheduler/src/sched/Scheduler.cc | 8 +- src/um/User.cc | 19 ++ src/um/UserPool.cc | 44 ++- src/vm/vm_file_var_syntax.cc | 387 +++++++++++-------------- src/vm/vm_file_var_syntax.h | 29 +- src/vm/vm_file_var_syntax.y | 14 +- 24 files changed, 358 insertions(+), 297 deletions(-) diff --git a/include/AclManager.h b/include/AclManager.h index e4e0fe7b1c..f234716a37 100644 --- a/include/AclManager.h +++ b/include/AclManager.h @@ -58,13 +58,13 @@ public: * authorizes the operation. * * @param uid The user ID requesting to be authorized - * @param gid Group ID of the user + * @param user_groups Set of group IDs that the user is part of * @param obj_perms The object's permission attributes * @param op The operation to be authorized * @return true if the authorization is granted by any rule */ const bool authorize(int uid, - int gid, + const set& user_groups, const PoolObjectAuth& obj_perms, AuthRequest::Operation op); diff --git a/include/AuthRequest.h b/include/AuthRequest.h index 13e48f24c7..b32bb2784c 100644 --- a/include/AuthRequest.h +++ b/include/AuthRequest.h 
@@ -18,6 +18,7 @@ #define AUTH_REQUEST_H_ #include +#include #include "ActionManager.h" #include "PoolObjectAuth.h" @@ -36,7 +37,7 @@ using namespace std; class AuthRequest : public SyncRequest { public: - AuthRequest(int _uid, int _gid): uid(_uid),gid(_gid),self_authorize(true){}; + AuthRequest(int _uid, set _gids): uid(_uid),gids(_gids),self_authorize(true){}; ~AuthRequest(){}; @@ -158,9 +159,9 @@ private: int uid; /** - * The user group ID + * The user groups ID set */ - int gid; + set gids; /** * Username to authenticate the user diff --git a/include/Request.h b/include/Request.h index 214f1fc9ec..a98628f509 100644 --- a/include/Request.h +++ b/include/Request.h @@ -73,6 +73,8 @@ protected: string uname; /**< name of the user */ string gname; /**< name of the user's group */ + set group_ids; /**< set of user's group ids */ + string session; /**< Session from ONE XML-RPC API */ int req_id; /**< Request ID for log messages */ diff --git a/include/User.h b/include/User.h index eb4836d739..3605b7f1a5 100644 --- a/include/User.h +++ b/include/User.h @@ -20,6 +20,7 @@ #include "PoolSQL.h" #include "UserTemplate.h" #include "Quotas.h" +#include "ObjectCollection.h" using namespace std; @@ -29,7 +30,7 @@ using namespace std; /** * The User class. */ -class User : public PoolObjectSQL +class User : public PoolObjectSQL, public ObjectCollection { public: 
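Review bot: The new constructor `AuthRequest(int _uid, set _gids)` takes the group set by value, so every AuthRequest built in the RequestManager* paths copies the set twice (into the parameter, then into the member); `AuthRequest(int _uid, const set<int>& _gids): uid(_uid), gids(_gids), self_authorize(true){};` avoids the extra copy with no change to callers. The member comment `The user groups ID set` would be clearer as `Set of group IDs the user belongs to (primary and secondary)`, since the set now carries the primary group too. The added `#include` line appears to have lost its header name in this rendering; it must name `<set>` for the new member type to resolve.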
@@ -180,6 +181,47 @@ public: */ int get_umask() const; + /** + * Returns a copy of the groups for the user + */ + set get_groups() + { + return get_collection_copy(); + }; + + // ************************************************************************* + // Group IDs set Management + // ************************************************************************* + + /** + * Adds a group ID to the groups set. + * + * @param id The new id + * @return 0 on success, -1 if the ID was already in the set + */ + int add_group(int group_id) + { + return add_collection_id(group_id); + } + + /** + * Deletes a group ID from the groups set. + * + * @param id The id + * @return 0 on success, + * -1 if the ID was not in the set, + * -2 if the group to delete is the main group + */ + int del_group(int group_id) + { + if( group_id == gid ) + { + return -2; + } + + return del_collection_id(group_id); + } + private: // ------------------------------------------------------------------------- // Friends @@ -310,6 +352,7 @@ protected: const string& _auth_driver, bool _enabled): PoolObjectSQL(id,USER,_uname,-1,_gid,"",_gname,table), + ObjectCollection("GROUPS"), quota("/USER/DATASTORE_QUOTA", "/USER/NETWORK_QUOTA", "/USER/IMAGE_QUOTA", diff --git a/include/UserPool.h b/include/UserPool.h index 0dc1b2e058..2bf05779ea 100644 --- a/include/UserPool.h +++ b/include/UserPool.h @@ -124,6 +124,7 @@ public: * @param gid of the user if authN succeeded -1 otherwise * @param uname of the user if authN succeeded "" otherwise * @param gname of the group if authN succeeded "" otherwise + * @param group_ids the user groups if authN succeeded, is empty otherwise * * @return false if authn failed, true otherwise */ @@ -131,7 +132,8 @@ public: int& uid, int& gid, string& uname, - string& gname); + string& gname, + set& group_ids); /** * Returns whether the operations described in a authorization request are * authorized ot not. 
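Review bot: The doc comments on `add_group` and `del_group` describe a parameter named `id` while the actual parameter is `group_id`; change both to `@param group_id The group ID to add` / `@param group_id The group ID to remove`. It would also help callers to spell out the invariant behind the `-2` return: the primary group can never be removed from the set, so a caller changing a user's primary group must call `set_group()` first and only then `del_group()` the old one (the order `UserChown` uses). `add_group` does not verify that the group exists; that is presumably left to the caller, and a one-line comment stating so would prevent misuse.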
@@ -217,7 +219,8 @@ private: int& user_id, int& group_id, string& uname, - string& gname); + string& gname, + set& group_ids); /** * Function to authenticate internal users using a server driver @@ -227,18 +230,20 @@ private: int& user_id, int& group_id, string& uname, - string& gname); + string& gname, + set& group_ids); /** * Function to authenticate external (not known) users */ - bool authenticate_external(const string& username, - const string& token, - int& user_id, - int& group_id, - string& uname, - string& gname); + bool authenticate_external(const string& username, + const string& token, + int& user_id, + int& group_id, + string& uname, + string& gname, + set& group_ids); /** * Factory method to produce User objects * @return a pointer to the new User diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc index b455da5ee5..012ef8438a 100644 --- a/src/acl/AclManager.cc +++ b/src/acl/AclManager.cc @@ -132,7 +132,7 @@ AclManager::~AclManager() const bool AclManager::authorize( int uid, - int gid, + const set& user_groups, const PoolObjectAuth& obj_perms, AuthRequest::Operation op) { 
@@ -280,23 +280,28 @@ const bool AclManager::authorize( } // ---------------------------------------------------------- - // Look for rules that apply to the user's group + // Look for rules that apply to each one of the user's groups // ---------------------------------------------------------- - user_req = AclRule::GROUP_ID | gid; - auth = match_rules_wrapper(user_req, - resource_oid_req, - resource_gid_req, - resource_cid_req, - resource_all_req, - rights_req, - resource_oid_mask, - resource_gid_mask, - resource_cid_mask, - tmp_rules); - if ( auth == true ) + set::iterator g_it; + + for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++) { - return true; + user_req = AclRule::GROUP_ID | *g_it; + auth = match_rules_wrapper(user_req, + resource_oid_req, + resource_gid_req, + resource_cid_req, + resource_all_req, + rights_req, + resource_oid_mask, + resource_gid_mask, + resource_cid_mask, + tmp_rules); + if ( auth == true ) + { + return true; + } } oss.str("No more rules, permission not granted "); diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc index 4c31b8500a..954cc36785 100644 --- a/src/authm/AuthManager.cc +++ b/src/authm/AuthManager.cc @@ -67,7 +67,7 @@ void AuthRequest::add_auth(Operation op, // Default conditions that grants permission : // User is oneadmin, or is in the oneadmin group - if ( uid == 0 || gid == GroupPool::ONEADMIN_ID ) + if ( uid == 0 || gids.count( GroupPool::ONEADMIN_ID ) == 1 ) { auth = true; } @@ -76,7 +76,7 @@ void AuthRequest::add_auth(Operation op, Nebula& nd = Nebula::instance(); AclManager* aclm = nd.get_aclm(); - auth = aclm->authorize(uid, gid, ob_perms, op); + auth = aclm->authorize(uid, gids, ob_perms, op); } oss << auth; // Store the ACL authorization result in the request diff --git a/src/rm/Request.cc b/src/rm/Request.cc index 231705d4d7..530efcf457 100644 --- a/src/rm/Request.cc +++ b/src/rm/Request.cc 
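Review bot: `set::iterator g_it` is assigned from `user_groups.begin()` on a `const set&`, which yields a `const_iterator`; this only compiles because libstdc++ makes `std::set`'s two iterator types identical, so declare `set<int>::const_iterator g_it;` (and prefer `++g_it`) to stay portable. The loop itself is correct from a security standpoint: an empty `user_groups` matches no group rule and falls through to "No more rules, permission not granted", which is the fail-closed outcome. The user-ID and wildcard rule checks of `authorize` lie outside this hunk.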
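Review bot: With `gids.count( GroupPool::ONEADMIN_ID ) == 1` the oneadmin bypass now fires for any user whose secondary group set contains group 0, not only users whose primary group is oneadmin, so whatever API later manages secondary membership becomes a privilege-escalation path unless adding `ONEADMIN_ID` as a secondary group is itself restricted to oneadmin; that guard is not part of this diff. I would record the consequence in the comment: `// Default conditions that grant permission: the user is oneadmin, or belongs to the oneadmin group (primary or secondary) -- adding group 0 to a user must therefore be guarded like uid 0`. The rest of `add_auth` continues outside this hunk.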
@@ -40,7 +40,8 @@ void Request::execute( att.uid, att.gid, att.uname, - att.gname); + att.gname, + att.group_ids); log_method_invoked(att, _paramList); @@ -240,7 +241,7 @@ bool Request::basic_authorization(int oid, perms.obj_type = auth_object; } - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(op, perms); diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc index 028fba2644..e14ba8f7e1 100644 --- a/src/rm/RequestManagerAllocate.cc +++ b/src/rm/RequestManagerAllocate.cc @@ -34,7 +34,7 @@ bool RequestManagerAllocate::allocate_authorization( string tmpl_str = ""; - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); if ( tmpl != 0 ) { @@ -73,7 +73,7 @@ bool VirtualMachineAllocate::allocate_authorization( return true; } - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); string t64; string aname; @@ -459,7 +459,7 @@ void ImageAllocate::request_execute(xmlrpc_c::paramList const& params, if ( att.uid != 0 ) { - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); string tmpl_str; string aname; diff --git a/src/rm/RequestManagerChmod.cc b/src/rm/RequestManagerChmod.cc index 1e2c2de782..4e763b3a21 100644 --- a/src/rm/RequestManagerChmod.cc +++ b/src/rm/RequestManagerChmod.cc @@ -108,7 +108,7 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList, } } - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(op, perms); diff --git a/src/rm/RequestManagerChown.cc b/src/rm/RequestManagerChown.cc index a542c231dd..3a94979725 100644 --- a/src/rm/RequestManagerChown.cc +++ b/src/rm/RequestManagerChown.cc @@ -213,7 +213,7 @@ void RequestManagerChown::request_execute(xmlrpc_c::paramList const& paramList, if ( att.uid != 0 ) { - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); rc = get_info(pool, oid, auth_object, att, operms, oname); 
@@ -363,7 +363,7 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList, if ( att.uid != 0 ) { - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(auth_op, uperms); // MANAGE USER ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP @@ -399,6 +399,9 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList, user->set_group(ngid,ngname); + user->add_group(ngid); + user->del_group(old_gid); + upool->update(user); user->unlock(); diff --git a/src/rm/RequestManagerClone.cc b/src/rm/RequestManagerClone.cc index 02619348fb..ab2b6b357d 100644 --- a/src/rm/RequestManagerClone.cc +++ b/src/rm/RequestManagerClone.cc @@ -79,7 +79,7 @@ void RequestManagerClone::request_execute( { string tmpl_str = ""; - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(auth_op, perms); //USE OBJECT diff --git a/src/rm/RequestManagerCluster.cc b/src/rm/RequestManagerCluster.cc index 876b286915..a73a7ba549 100644 --- a/src/rm/RequestManagerCluster.cc +++ b/src/rm/RequestManagerCluster.cc @@ -70,7 +70,7 @@ void RequestManagerCluster::add_generic( if ( att.uid != 0 ) { - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); if ( cluster_id != ClusterPool::NONE_CLUSTER_ID ) { diff --git a/src/rm/RequestManagerDelete.cc b/src/rm/RequestManagerDelete.cc index aa1a0e7317..25e794d948 100644 --- a/src/rm/RequestManagerDelete.cc +++ b/src/rm/RequestManagerDelete.cc @@ -47,7 +47,7 @@ bool RequestManagerDelete::delete_authorization( object->unlock(); - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(auth_op, perms); // OBJECT diff --git a/src/rm/RequestManagerImage.cc b/src/rm/RequestManagerImage.cc index da2eed6e04..cb01d37820 100644 --- a/src/rm/RequestManagerImage.cc +++ b/src/rm/RequestManagerImage.cc 
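Review bot: The results of `user->add_group(ngid)` and `user->del_group(old_gid)` are discarded, and the ordering is load-bearing: `del_group` refuses to remove the current primary group, so the call only succeeds because `set_group(ngid,ngname)` runs first. Add a comment such as `// set_group() must precede del_group(): the primary group cannot be removed from the set`. When `old_gid == ngid` the two calls return -1 and -2 and leave the set unchanged, so ignoring them is acceptable here, but stating that makes the intent reviewable. `old_gid` and the remainder of `UserChown::request_execute` are outside this hunk.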
@@ -357,7 +357,7 @@ void ImageClone::request_execute( if ( att.uid != 0 ) { - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); string tmpl_str; // ------------------ Check permissions and ACLs ---------------------- diff --git a/src/rm/RequestManagerRename.cc b/src/rm/RequestManagerRename.cc index 0c5ba2bcca..c5c899adcf 100644 --- a/src/rm/RequestManagerRename.cc +++ b/src/rm/RequestManagerRename.cc @@ -53,7 +53,7 @@ void RequestManagerRename::request_execute(xmlrpc_c::paramList const& paramList, if ( att.uid != 0 ) { - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(auth_op, operms); // MANAGE OBJECT diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc index 5f0952f115..40f85b4e78 100644 --- a/src/rm/RequestManagerVMTemplate.cc +++ b/src/rm/RequestManagerVMTemplate.cc @@ -177,7 +177,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList if ( att.uid != 0 ) { - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(auth_op, perms); //USE TEMPLATE diff --git a/src/rm/RequestManagerVirtualMachine.cc b/src/rm/RequestManagerVirtualMachine.cc index d353fd322f..8841b5ea87 100644 --- a/src/rm/RequestManagerVirtualMachine.cc +++ b/src/rm/RequestManagerVirtualMachine.cc @@ -55,7 +55,7 @@ bool RequestManagerVirtualMachine::vm_authorization( object->unlock(); - AuthRequest ar(att.uid, att.gid); + AuthRequest ar(att.uid, att.group_ids); ar.add_auth(op, vm_perms); diff --git a/src/scheduler/src/sched/Scheduler.cc b/src/scheduler/src/sched/Scheduler.cc index a711899609..b7b95d2be5 100644 --- a/src/scheduler/src/sched/Scheduler.cc +++ b/src/scheduler/src/sched/Scheduler.cc 
@@ -431,8 +431,14 @@ void Scheduler::match() host_perms.oid = host->get_hid(); host_perms.obj_type = PoolObjectSQL::HOST; + // Even if the owner is in several groups, this request only + // uses the VM group ID + + set gids; + gids.insert(gid); + matched = acls->authorize(uid, - gid, + gids, host_perms, AuthRequest::MANAGE); } diff --git a/src/um/User.cc b/src/um/User.cc index 40fe011183..dd5eb08d8a 100644 --- a/src/um/User.cc +++ b/src/um/User.cc @@ -156,6 +156,9 @@ string& User::to_xml_extended(string& xml, bool extended) const string template_xml; string quota_xml; + string collection_xml; + + ObjectCollection::to_xml(collection_xml); int enabled_int = enabled?1:0; @@ -163,6 +166,7 @@ string& User::to_xml_extended(string& xml, bool extended) const "" "" << oid <<"" << "" << gid <<"" << + collection_xml << "" << gname <<"" << "" << name <<"" << "" << password <<"" << @@ -220,7 +224,22 @@ int User::from_xml(const string& xml) rc += obj_template->from_xml_node(content[0]); ObjectXML::free_nodes(content); + content.clear(); + ObjectXML::get_nodes("/USER/GROUPS", content); + + if (content.empty()) + { + return -1; + } + + // Set of IDs + rc += ObjectCollection::from_xml_node(content[0]); + + ObjectXML::free_nodes(content); + content.clear(); + + // Quotas rc += quota.from_xml(this); if (rc != 0) diff --git a/src/um/UserPool.cc b/src/um/UserPool.cc index 7e05d4de5a..457be81795 100644 --- a/src/um/UserPool.cc +++ b/src/um/UserPool.cc @@ -293,6 +293,9 @@ int UserPool::allocate ( // Build a new User object user = new User(-1, gid, uname, gname, upass, auth_driver, enabled); + // Add the primary group to the collection + user->add_collection_id(gid); + // Set a password for the OneGate tokens user->add_template_attribute("TOKEN_PASSWORD", one_util::random_password()); @@ -348,7 +351,8 @@ bool UserPool::authenticate_internal(User * user, int& user_id, int& group_id, string& uname, - string& gname) + string& gname, + set& group_ids) { bool result = false; 
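Review bot: The scheduler authorizes host MANAGE with a one-element set holding only the VM's group, while `AuthRequest::add_auth` in oned now evaluates every group the user belongs to, so a host granted to one of the owner's secondary groups would presumably pass authorization in the core yet never match here. The comment acknowledges the mismatch but should state that it is a deliberate, more restrictive choice and why: `// The scheduler only knows the VM's group; ACL rules granted via the owner's secondary groups are not considered, so a VM may be authorized by oned and still find no matching host`. `Scheduler::match()` extends outside this hunk.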
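Review bot: `User::from_xml` now returns -1 when `/USER/GROUPS` is missing, so any user row persisted before this change will fail to load until a database migration adds the element; either ship that upgrade with this commit or, on an absent node, fall back to a collection holding only `gid` (the same `add_collection_id(gid)` that `UserPool::allocate` does) instead of failing. If the strict behaviour is intended, say so next to the check: `// GROUPS is mandatory: the primary group is always a member of the set`. The remainder of `from_xml` is outside this hunk.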
@@ -367,6 +371,8 @@ bool UserPool::authenticate_internal(User * user, user_id = user->oid; group_id = user->gid; + group_ids = user->get_groups(); + uname = user->name; gname = user->gname; @@ -381,7 +387,7 @@ bool UserPool::authenticate_internal(User * user, return true; } - AuthRequest ar(user_id, group_id); + AuthRequest ar(user_id, group_ids); if ( auth_driver == UserPool::CORE_AUTH ) { @@ -459,7 +465,8 @@ bool UserPool::authenticate_server(User * user, int& user_id, int& group_id, string& uname, - string& gname) + string& gname, + set& group_ids) { bool result = false; @@ -480,7 +487,7 @@ bool UserPool::authenticate_server(User * user, auth_driver = user->auth_driver; - AuthRequest ar(user->oid, user->gid); + AuthRequest ar(user->oid, user->get_groups()); user->unlock(); @@ -502,6 +509,8 @@ bool UserPool::authenticate_server(User * user, user_id = user->oid; group_id = user->gid; + group_ids = user->get_groups(); + uname = user->name; gname = user->gname; @@ -580,12 +589,13 @@ auth_failure: /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ -bool UserPool::authenticate_external(const string& username, - const string& token, - int& user_id, - int& group_id, - string& uname, - string& gname) +bool UserPool::authenticate_external(const string& username, + const string& token, + int& user_id, + int& group_id, + string& uname, + string& gname, + set& group_ids) { ostringstream oss; istringstream is; @@ -598,7 +608,9 @@ bool UserPool::authenticate_external(const string& username, Nebula& nd = Nebula::instance(); AuthManager * authm = nd.get_authm(); - AuthRequest ar(-1,-1); + set empty_set; + + AuthRequest ar(-1,empty_set); if (authm == 0) { @@ -653,6 +665,7 @@ bool UserPool::authenticate_external(const string& username, } group_id = GroupPool::USERS_ID; + group_ids.insert( GroupPool::USERS_ID ); uname = mad_name; gname = GroupPool::USERS_NAME; 
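Review bot: `group_ids.insert( GroupPool::USERS_ID )` in `authenticate_external` adds to whatever the caller's set already holds, whereas `authenticate_internal` and `authenticate_server` replace it with `group_ids = user->get_groups()`; if the set is ever reused or pre-populated, an externally authenticated user would carry extra group IDs into every subsequent `AuthRequest`. Make the three paths consistent: `group_ids.clear(); group_ids.insert( GroupPool::USERS_ID );`. The bodies of the three functions continue outside this hunk.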
@@ -694,7 +707,8 @@ bool UserPool::authenticate(const string& session, int& user_id, int& group_id, string& uname, - string& gname) + string& gname, + set& group_ids) { User * user = 0; string username; @@ -718,16 +732,16 @@ bool UserPool::authenticate(const string& session, if ( fnmatch(UserPool::SERVER_AUTH, driver.c_str(), 0) == 0 ) { - ar = authenticate_server(user,token,user_id,group_id,uname,gname); + ar = authenticate_server(user,token,user_id,group_id,uname,gname,group_ids); } else { - ar = authenticate_internal(user,token,user_id,group_id,uname,gname); + ar = authenticate_internal(user,token,user_id,group_id,uname,gname,group_ids); } } else { - ar = authenticate_external(username,token,user_id,group_id,uname,gname); + ar = authenticate_external(username,token,user_id,group_id,uname,gname,group_ids); } return ar; diff --git a/src/vm/vm_file_var_syntax.cc b/src/vm/vm_file_var_syntax.cc index b532e52859..d68d775b43 100644 --- a/src/vm/vm_file_var_syntax.cc +++ b/src/vm/vm_file_var_syntax.cc @@ -1,8 +1,8 @@ -/* A Bison parser, made by GNU Bison 2.7.12-4996. */ +/* A Bison parser, made by GNU Bison 2.5. */ /* Bison implementation for Yacc-like parsers in C - Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc. + Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -44,7 +44,7 @@ #define YYBISON 1 /* Bison version. */ -#define YYBISON_VERSION "2.7.12-4996" +#define YYBISON_VERSION "2.5" /* Skeleton name. */ #define YYSKELETON_NAME "yacc.c" @@ -58,6 +58,8 @@ /* Pull parsers. */ #define YYPULL 1 +/* Using locations. */ +#define YYLSP_NEEDED 1 /* Substitute the variable and function names. */ #define yyparse vm_file_var__parse 
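Review bot: The header documents `group_ids` as "empty otherwise" when authentication fails, but neither this dispatcher nor the visible parts of the three `authenticate_*` callees clear it on a failure path, so a caller that reuses the set or reads it without checking the return value can see stale group IDs. Clear it on entry, right after `string username;`: `group_ids.clear();` — this also makes the external path's `insert` safe regardless of caller state. The middle of `authenticate` (session parsing and user lookup) is outside this hunk.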
@@ -70,7 +72,8 @@ #define yylloc vm_file_var__lloc /* Copy the first part of user declarations. */ -/* Line 371 of yacc.c */ + +/* Line 268 of yacc.c */ #line 17 "vm_file_var_syntax.y" #include @@ -145,7 +148,9 @@ int get_image_path(VirtualMachine * vm, Nebula& nd = Nebula::instance(); ImagePool * ipool = nd.get_ipool(); + UserPool * upool = nd.get_upool(); Image * img = 0; + User * user = 0; int iid = -1; PoolObjectAuth perm; @@ -218,7 +223,17 @@ int get_image_path(VirtualMachine * vm, img->unlock(); - AuthRequest ar(vm->get_uid(), vm->get_gid()); + set gids; + + user = upool->get(vm->get_uid(), true); + + if (user != 0) + { + gids = user->get_groups(); + user->unlock(); + } + + AuthRequest ar(vm->get_uid(), gids); ar.add_auth(AuthRequest::USE, perm); @@ -237,16 +252,14 @@ int get_image_path(VirtualMachine * vm, /* -------------------------------------------------------------------------- */ -/* Line 371 of yacc.c */ -#line 242 "vm_file_var_syntax.cc" -# ifndef YY_NULL -# if defined __cplusplus && 201103L <= __cplusplus -# define YY_NULL nullptr -# else -# define YY_NULL 0 -# endif -# endif +/* Line 268 of yacc.c */ +#line 258 "vm_file_var_syntax.cc" + +/* Enabling traces. */ +#ifndef YYDEBUG +# define YYDEBUG 0 +#endif /* Enabling verbose error messages. */ #ifdef YYERROR_VERBOSE @@ -256,18 +269,12 @@ int get_image_path(VirtualMachine * vm, # define YYERROR_VERBOSE 0 #endif -/* In a future release of Bison, this section will be replaced - by #include "vm_file_var_syntax.hh". */ -#ifndef YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED -# define YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED -/* Enabling traces. */ -#ifndef YYDEBUG -# define YYDEBUG 0 -#endif -#if YYDEBUG -extern int vm_file_var__debug; +/* Enabling the token table. */ +#ifndef YYTOKEN_TABLE +# define YYTOKEN_TABLE 0 #endif + /* Tokens. */ #ifndef YYTOKENTYPE # define YYTOKENTYPE 
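Review bot: When `upool->get(vm->get_uid(), true)` returns 0 (the VM owner no longer exists), `gids` stays empty and the USE check on the image proceeds with user-ID rules only; that is fail-closed but silent, so say it is intentional: `// Owner no longer exists: authorize with uid-only rules, no group rules apply`. This file is Bison output, so the same change must live in vm_file_var_syntax.y (its hunk is not in view), and the regeneration also moved the parser from Bison 2.7.12 to 2.5, which churns hundreds of unrelated lines; regenerating with the project's pinned Bison would leave only the prologue change in the diff. `get_image_path` starts before this hunk.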
@@ -287,19 +294,22 @@ extern int vm_file_var__debug; #endif + #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED typedef union YYSTYPE { -/* Line 387 of yacc.c */ -#line 190 "vm_file_var_syntax.y" + +/* Line 293 of yacc.c */ +#line 202 "vm_file_var_syntax.y" char * val_str; int val_int; char val_char; -/* Line 387 of yacc.c */ -#line 303 "vm_file_var_syntax.cc" + +/* Line 293 of yacc.c */ +#line 313 "vm_file_var_syntax.cc" } YYSTYPE; # define YYSTYPE_IS_TRIVIAL 1 # define yystype YYSTYPE /* obsolescent; will be withdrawn */ @@ -320,26 +330,11 @@ typedef struct YYLTYPE #endif -#ifdef YYPARSE_PARAM -#if defined __STDC__ || defined __cplusplus -int vm_file_var__parse (void *YYPARSE_PARAM); -#else -int vm_file_var__parse (); -#endif -#else /* ! YYPARSE_PARAM */ -#if defined __STDC__ || defined __cplusplus -int vm_file_var__parse (mem_collector * mc, VirtualMachine * vm, vector * img_ids, char ** errmsg); -#else -int vm_file_var__parse (); -#endif -#endif /* ! YYPARSE_PARAM */ - -#endif /* !YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED */ - /* Copy the second part of user declarations. */ -/* Line 390 of yacc.c */ -#line 343 "vm_file_var_syntax.cc" + +/* Line 343 of yacc.c */ +#line 338 "vm_file_var_syntax.cc" #ifdef short # undef short 
@@ -392,33 +387,24 @@ typedef short int yytype_int16; # if defined YYENABLE_NLS && YYENABLE_NLS # if ENABLE_NLS # include /* INFRINGES ON USER NAME SPACE */ -# define YY_(Msgid) dgettext ("bison-runtime", Msgid) +# define YY_(msgid) dgettext ("bison-runtime", msgid) # endif # endif # ifndef YY_ -# define YY_(Msgid) Msgid -# endif -#endif - -#ifndef __attribute__ -/* This feature is available in gcc versions 2.5 and later. */ -# if (! defined __GNUC__ || __GNUC__ < 2 \ - || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)) -# define __attribute__(Spec) /* empty */ +# define YY_(msgid) msgid # endif #endif /* Suppress unused-variable warnings by "using" E. */ #if ! defined lint || defined __GNUC__ -# define YYUSE(E) ((void) (E)) +# define YYUSE(e) ((void) (e)) #else -# define YYUSE(E) /* empty */ +# define YYUSE(e) /* empty */ #endif - /* Identity function, used to suppress warnings about constant conditions. */ #ifndef lint -# define YYID(N) (N) +# define YYID(n) (n) #else #if (defined __STDC__ || defined __C99__FUNC__ \ || defined __cplusplus || defined _MSC_VER) @@ -454,7 +440,6 @@ YYID (yyi) # if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \ || defined __cplusplus || defined _MSC_VER) # include /* INFRINGES ON USER NAME SPACE */ - /* Use EXIT_SUCCESS as a witness for stdlib.h. */ # ifndef EXIT_SUCCESS # define EXIT_SUCCESS 0 # endif 
@@ -548,20 +533,20 @@ union yyalloc #endif #if defined YYCOPY_NEEDED && YYCOPY_NEEDED -/* Copy COUNT objects from SRC to DST. The source and destination do +/* Copy COUNT objects from FROM to TO. The source and destination do not overlap. */ # ifndef YYCOPY # if defined __GNUC__ && 1 < __GNUC__ -# define YYCOPY(Dst, Src, Count) \ - __builtin_memcpy (Dst, Src, (Count) * sizeof (*(Src))) +# define YYCOPY(To, From, Count) \ + __builtin_memcpy (To, From, (Count) * sizeof (*(From))) # else -# define YYCOPY(Dst, Src, Count) \ - do \ - { \ - YYSIZE_T yyi; \ - for (yyi = 0; yyi < (Count); yyi++) \ - (Dst)[yyi] = (Src)[yyi]; \ - } \ +# define YYCOPY(To, From, Count) \ + do \ + { \ + YYSIZE_T yyi; \ + for (yyi = 0; yyi < (Count); yyi++) \ + (To)[yyi] = (From)[yyi]; \ + } \ while (YYID (0)) # endif # endif @@ -639,18 +624,18 @@ static const yytype_int8 yyrhs[] = /* YYRLINE[YYN] -- source line where rule number YYN was defined. */ static const yytype_uint8 yyrline[] = { - 0, 214, 214, 215, 219, 237 + 0, 226, 226, 227, 231, 249 }; #endif -#if YYDEBUG || YYERROR_VERBOSE || 0 +#if YYDEBUG || YYERROR_VERBOSE || YYTOKEN_TABLE /* YYTNAME[SYMBOL-NUM] -- String name of the symbol SYMBOL-NUM. First, the terminals, then, starting at YYNTOKENS, nonterminals. */ static const char *const yytname[] = { "$end", "error", "$undefined", "EQUAL", "COMMA", "OBRACKET", "CBRACKET", "EOA", "STRING", "VARIABLE", "RSTRING", "INTEGER", "$accept", - "vm_string", "vm_variable", YY_NULL + "vm_string", "vm_variable", 0 }; #endif @@ -716,10 +701,10 @@ static const yytype_uint8 yytable[] = 9, 14, 15, 16, 6, 0, 17 }; -#define yypact_value_is_default(Yystate) \ - (!!((Yystate) == (-8))) +#define yypact_value_is_default(yystate) \ + ((yystate) == (-8)) -#define yytable_value_is_error(Yytable_value) \ +#define yytable_value_is_error(yytable_value) \ YYID (0) static const yytype_int8 yycheck[] = 
@@ -763,24 +748,23 @@ static const yytype_uint8 yystos[] = #define YYRECOVERING() (!!yyerrstatus) -#define YYBACKUP(Token, Value) \ -do \ - if (yychar == YYEMPTY) \ - { \ - yychar = (Token); \ - yylval = (Value); \ - YYPOPSTACK (yylen); \ - yystate = *yyssp; \ - goto yybackup; \ - } \ - else \ - { \ +#define YYBACKUP(Token, Value) \ +do \ + if (yychar == YYEMPTY && yylen == 1) \ + { \ + yychar = (Token); \ + yylval = (Value); \ + YYPOPSTACK (1); \ + goto yybackup; \ + } \ + else \ + { \ yyerror (&yylloc, mc, vm, img_ids, errmsg, YY_("syntax error: cannot back up")); \ YYERROR; \ } \ while (YYID (0)) -/* Error token number */ + #define YYTERROR 1 #define YYERRCODE 256 
@@ -789,28 +773,27 @@ while (YYID (0)) If N is 0, then set CURRENT to the empty location which ends the previous symbol: RHS[0] (always defined). */ +#define YYRHSLOC(Rhs, K) ((Rhs)[K]) #ifndef YYLLOC_DEFAULT -# define YYLLOC_DEFAULT(Current, Rhs, N) \ - do \ - if (YYID (N)) \ - { \ - (Current).first_line = YYRHSLOC (Rhs, 1).first_line; \ - (Current).first_column = YYRHSLOC (Rhs, 1).first_column; \ - (Current).last_line = YYRHSLOC (Rhs, N).last_line; \ - (Current).last_column = YYRHSLOC (Rhs, N).last_column; \ - } \ - else \ - { \ - (Current).first_line = (Current).last_line = \ - YYRHSLOC (Rhs, 0).last_line; \ - (Current).first_column = (Current).last_column = \ - YYRHSLOC (Rhs, 0).last_column; \ - } \ +# define YYLLOC_DEFAULT(Current, Rhs, N) \ + do \ + if (YYID (N)) \ + { \ + (Current).first_line = YYRHSLOC (Rhs, 1).first_line; \ + (Current).first_column = YYRHSLOC (Rhs, 1).first_column; \ + (Current).last_line = YYRHSLOC (Rhs, N).last_line; \ + (Current).last_column = YYRHSLOC (Rhs, N).last_column; \ + } \ + else \ + { \ + (Current).first_line = (Current).last_line = \ + YYRHSLOC (Rhs, 0).last_line; \ + (Current).first_column = (Current).last_column = \ + YYRHSLOC (Rhs, 0).last_column; \ + } \ while (YYID (0)) #endif -#define YYRHSLOC(Rhs, K) ((Rhs)[K]) - /* YY_LOCATION_PRINT -- Print the location on the stream. This macro was not mandated originally: define only if we know 
@@ -818,46 +801,10 @@ while (YYID (0)) #ifndef YY_LOCATION_PRINT # if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL - -/* Print *YYLOCP on YYO. Private, do not rely on its existence. */ - -__attribute__((__unused__)) -#if (defined __STDC__ || defined __C99__FUNC__ \ - || defined __cplusplus || defined _MSC_VER) -static unsigned -yy_location_print_ (FILE *yyo, YYLTYPE const * const yylocp) -#else -static unsigned -yy_location_print_ (yyo, yylocp) - FILE *yyo; - YYLTYPE const * const yylocp; -#endif -{ - unsigned res = 0; - int end_col = 0 != yylocp->last_column ? yylocp->last_column - 1 : 0; - if (0 <= yylocp->first_line) - { - res += fprintf (yyo, "%d", yylocp->first_line); - if (0 <= yylocp->first_column) - res += fprintf (yyo, ".%d", yylocp->first_column); - } - if (0 <= yylocp->last_line) - { - if (yylocp->first_line < yylocp->last_line) - { - res += fprintf (yyo, "-%d", yylocp->last_line); - if (0 <= end_col) - res += fprintf (yyo, ".%d", end_col); - } - else if (0 <= end_col && yylocp->first_column < end_col) - res += fprintf (yyo, "-%d", end_col); - } - return res; - } - -# define YY_LOCATION_PRINT(File, Loc) \ - yy_location_print_ (File, &(Loc)) - +# define YY_LOCATION_PRINT(File, Loc) \ + fprintf (File, "%d.%d-%d.%d", \ + (Loc).first_line, (Loc).first_column, \ + (Loc).last_line, (Loc).last_column) # else # define YY_LOCATION_PRINT(File, Loc) ((void) 0) # endif @@ -865,6 +812,7 @@ yy_location_print_ (yyo, yylocp) /* YYLEX -- calling `yylex' with the right arguments. */ + #ifdef YYLEX_PARAM # define YYLEX yylex (&yylval, &yylloc, YYLEX_PARAM) #else @@ -919,8 +867,6 @@ yy_symbol_value_print (yyoutput, yytype, yyvaluep, yylocationp, mc, vm, img_ids, char ** errmsg; #endif { - FILE *yyo = yyoutput; - YYUSE (yyo); if (!yyvaluep) return; YYUSE (yylocationp); @@ -934,7 +880,11 @@ yy_symbol_value_print (yyoutput, yytype, yyvaluep, yylocationp, mc, vm, img_ids, # else YYUSE (yyoutput); # endif - YYUSE (yytype); + switch (yytype) + { + default: + break; + } } 
@@ -1185,11 +1135,12 @@ static int yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg, yytype_int16 *yyssp, int yytoken) { - YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]); + YYSIZE_T yysize0 = yytnamerr (0, yytname[yytoken]); YYSIZE_T yysize = yysize0; + YYSIZE_T yysize1; enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 }; /* Internationalized format string. */ - const char *yyformat = YY_NULL; + const char *yyformat = 0; /* Arguments of yyformat. */ char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM]; /* Number of reported tokens (one for the "unexpected", one per @@ -1249,13 +1200,11 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg, break; } yyarg[yycount++] = yytname[yyx]; - { - YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULL, yytname[yyx]); - if (! (yysize <= yysize1 - && yysize1 <= YYSTACK_ALLOC_MAXIMUM)) - return 2; - yysize = yysize1; - } + yysize1 = yysize + yytnamerr (0, yytname[yyx]); + if (! (yysize <= yysize1 + && yysize1 <= YYSTACK_ALLOC_MAXIMUM)) + return 2; + yysize = yysize1; } } } @@ -1275,12 +1224,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg, # undef YYCASE_ } - { - YYSIZE_T yysize1 = yysize + yystrlen (yyformat); - if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)) - return 2; - yysize = yysize1; - } + yysize1 = yysize + yystrlen (yyformat); + if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)) + return 2; + yysize = yysize1; if (*yymsg_alloc < yysize) { 
@@ -1346,10 +1293,29 @@ yydestruct (yymsg, yytype, yyvaluep, yylocationp, mc, vm, img_ids, errmsg) yymsg = "Deleting"; YY_SYMBOL_PRINT (yymsg, yytype, yyvaluep, yylocationp); - YYUSE (yytype); + switch (yytype) + { + + default: + break; + } } +/* Prevent warnings from -Wmissing-prototypes. */ +#ifdef YYPARSE_PARAM +#if defined __STDC__ || defined __cplusplus +int yyparse (void *YYPARSE_PARAM); +#else +int yyparse (); +#endif +#else /* ! YYPARSE_PARAM */ +#if defined __STDC__ || defined __cplusplus +int yyparse (mem_collector * mc, VirtualMachine * vm, vector * img_ids, char ** errmsg); +#else +int yyparse (); +#endif +#endif /* ! YYPARSE_PARAM */ /*----------. @@ -1384,40 +1350,11 @@ yyparse (mc, vm, img_ids, errmsg) /* The lookahead symbol. */ int yychar; - -#if defined __GNUC__ && 407 <= __GNUC__ * 100 + __GNUC_MINOR__ -/* Suppress an incorrect diagnostic about yylval being uninitialized. */ -# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN \ - _Pragma ("GCC diagnostic push") \ - _Pragma ("GCC diagnostic ignored \"-Wuninitialized\"")\ - _Pragma ("GCC diagnostic ignored \"-Wmaybe-uninitialized\"") -# define YY_IGNORE_MAYBE_UNINITIALIZED_END \ - _Pragma ("GCC diagnostic pop") -#else -/* Default value used for initialization, for pacifying older GCCs - or non-GCC compilers. */ -static YYSTYPE yyval_default; -# define YY_INITIAL_VALUE(Value) = Value -#endif -static YYLTYPE yyloc_default -# if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL - = { 1, 1, 1, 1 } -# endif -; -#ifndef YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN -# define YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN -# define YY_IGNORE_MAYBE_UNINITIALIZED_END -#endif -#ifndef YY_INITIAL_VALUE -# define YY_INITIAL_VALUE(Value) /* Nothing. */ -#endif - /* The semantic value of the lookahead symbol. */ -YYSTYPE yylval YY_INITIAL_VALUE(yyval_default); +YYSTYPE yylval; /* Location data for the lookahead symbol. */ -YYLTYPE yylloc = yyloc_default; - +YYLTYPE yylloc; /* Number of syntax errors so far. */ int yynerrs; 
@@ -1431,7 +1368,7 @@ YYLTYPE yylloc = yyloc_default; `yyvs': related to semantic values. `yyls': related to locations. - Refer to the stacks through separate pointers, to allow yyoverflow + Refer to the stacks thru separate pointers, to allow yyoverflow to reallocate them elsewhere. */ /* The state stack. */ @@ -1457,7 +1394,7 @@ YYLTYPE yylloc = yyloc_default; int yyn; int yyresult; /* Lookahead token as an internal (translated) token number. */ - int yytoken = 0; + int yytoken; /* The variables used to return semantic value and location from the action routines. */ YYSTYPE yyval; @@ -1476,9 +1413,10 @@ YYLTYPE yylloc = yyloc_default; Keep to zero when no symbol should be popped. */ int yylen = 0; - yyssp = yyss = yyssa; - yyvsp = yyvs = yyvsa; - yylsp = yyls = yylsa; + yytoken = 0; + yyss = yyssa; + yyvs = yyvsa; + yyls = yylsa; yystacksize = YYINITDEPTH; YYDPRINTF ((stderr, "Starting parse\n")); @@ -1487,7 +1425,21 @@ YYLTYPE yylloc = yyloc_default; yyerrstatus = 0; yynerrs = 0; yychar = YYEMPTY; /* Cause a token to be read. */ - yylsp[0] = yylloc; + + /* Initialize stack pointers. + Waste one element of value and location stack + so that they stay on the same level as the state stack. + The wasted elements are never initialized. */ + yyssp = yyss; + yyvsp = yyvs; + yylsp = yyls; + +#if defined YYLTYPE_IS_TRIVIAL && YYLTYPE_IS_TRIVIAL + /* Initialize the default location before parsing starts. */ + yylloc.first_line = yylloc.last_line = 1; + yylloc.first_column = yylloc.last_column = 1; +#endif + goto yysetstate; /*------------------------------------------------------------. @@ -1633,9 +1585,7 @@ yybackup: yychar = YYEMPTY; yystate = yyn; - YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN *++yyvsp = yylval; - YY_IGNORE_MAYBE_UNINITIALIZED_END *++yylsp = yylloc; goto yynewstate; 
@@ -1673,8 +1623,9 @@ yyreduce: switch (yyn) { case 4: -/* Line 1787 of yacc.c */ -#line 220 "vm_file_var_syntax.y" + +/* Line 1806 of yacc.c */ +#line 232 "vm_file_var_syntax.y" { string file((yyvsp[(1) - (7)].val_str)); string var1((yyvsp[(3) - (7)].val_str)); @@ -1695,8 +1646,9 @@ yyreduce: break; case 5: -/* Line 1787 of yacc.c */ -#line 238 "vm_file_var_syntax.y" + +/* Line 1806 of yacc.c */ +#line 250 "vm_file_var_syntax.y" { string file((yyvsp[(1) - (11)].val_str)); string var1((yyvsp[(3) - (11)].val_str)); @@ -1720,8 +1672,9 @@ yyreduce: break; -/* Line 1787 of yacc.c */ -#line 1725 "vm_file_var_syntax.cc" + +/* Line 1806 of yacc.c */ +#line 1678 "vm_file_var_syntax.cc" default: break; } /* User semantic actions sometimes alter yychar, and that requires @@ -1886,9 +1839,7 @@ yyerrlab1: YY_STACK_PRINT (yyss, yyssp); } - YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN *++yyvsp = yylval; - YY_IGNORE_MAYBE_UNINITIALIZED_END yyerror_range[2] = yylloc; /* Using YYLLOC is tempting, but would change the location of @@ -1917,7 +1868,7 @@ yyabortlab: yyresult = 1; goto yyreturn; -#if !defined yyoverflow || YYERROR_VERBOSE +#if !defined(yyoverflow) || YYERROR_VERBOSE /*-------------------------------------------------. | yyexhaustedlab -- memory exhaustion comes here. | `-------------------------------------------------*/ @@ -1959,8 +1910,9 @@ yyreturn: } -/* Line 2050 of yacc.c */ -#line 259 "vm_file_var_syntax.y" + +/* Line 2067 of yacc.c */ +#line 271 "vm_file_var_syntax.y" extern "C" void vm_file_var__error( @@ -1988,3 +1940,4 @@ extern "C" void vm_file_var__error( llocp->last_column); } } + diff --git a/src/vm/vm_file_var_syntax.h b/src/vm/vm_file_var_syntax.h index ba21e884af..ec594f7c05 100644 --- a/src/vm/vm_file_var_syntax.h +++ b/src/vm/vm_file_var_syntax.h 
@@ -1,8 +1,8 @@ -/* A Bison parser, made by GNU Bison 2.7.12-4996. */ +/* A Bison parser, made by GNU Bison 2.5. */ /* Bison interface for Yacc-like parsers in C - Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc. + Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -30,15 +30,6 @@ This special exception was added by the Free Software Foundation in version 2.2 of Bison. */ -#ifndef YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED -# define YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED -/* Enabling traces. */ -#ifndef YYDEBUG -# define YYDEBUG 0 -#endif -#if YYDEBUG -extern int vm_file_var__debug; -#endif /* Tokens. */ #ifndef YYTOKENTYPE @@ -59,25 +50,30 @@ extern int vm_file_var__debug; #endif + #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED typedef union YYSTYPE { -/* Line 2053 of yacc.c */ -#line 190 "vm_file_var_syntax.y" + +/* Line 2068 of yacc.c */ +#line 202 "vm_file_var_syntax.y" char * val_str; int val_int; char val_char; -/* Line 2053 of yacc.c */ -#line 75 "vm_file_var_syntax.hh" + +/* Line 2068 of yacc.c */ +#line 69 "vm_file_var_syntax.hh" } YYSTYPE; # define YYSTYPE_IS_TRIVIAL 1 # define yystype YYSTYPE /* obsolescent; will be withdrawn */ # define YYSTYPE_IS_DECLARED 1 #endif + + #if ! defined YYLTYPE && ! defined YYLTYPE_IS_DECLARED typedef struct YYLTYPE { @@ -91,4 +87,5 @@ typedef struct YYLTYPE # define YYLTYPE_IS_TRIVIAL 1 #endif -#endif /* !YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED */ + + diff --git a/src/vm/vm_file_var_syntax.y b/src/vm/vm_file_var_syntax.y index 2fc5df034a..acdc81c73c 100644 --- a/src/vm/vm_file_var_syntax.y +++ b/src/vm/vm_file_var_syntax.y 
@@ -87,7 +87,9 @@ int get_image_path(VirtualMachine * vm,
 Nebula& nd = Nebula::instance();
 ImagePool * ipool = nd.get_ipool();
+ UserPool * upool = nd.get_upool();
 Image * img = 0;
+ User * user = 0;
 int iid = -1;
 PoolObjectAuth perm;
@@ -160,7 +162,17 @@ int get_image_path(VirtualMachine * vm,
 img->unlock();
- AuthRequest ar(vm->get_uid(), vm->get_gid());
+ set gids;
+
+ user = upool->get(vm->get_uid(), true);
+
+ if (user != 0)
+ {
+ gids = user->get_groups();
+ user->unlock();
+ }
+
+ AuthRequest ar(vm->get_uid(), gids);
 ar.add_auth(AuthRequest::USE, perm);
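Review bot: `User * user = 0;` is declared at the top of get_image_path next to `upool`, but it is only assigned in the later hunk where `upool->get(vm->get_uid(), true)` is called; declaring it at that point of use, `User * user = upool->get(vm->get_uid(), true);`, keeps the locked pointer's scope tied to the `unlock()` that follows it. In that later hunk, which runs past the visible chunk, a null `user` leaves `gids` empty and the AuthRequest is still built and evaluated, so a failed user lookup silently proceeds with no group membership rather than being reported. If that is not the intended fallback, the `user == 0` branch should record an error and return instead of continuing to the authorization check. The body of get_image_path starts before the first hunk and continues after the second.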