
Feature #687: Add correctness check for new rules

This commit is contained in:
Carlos Martín 2011-06-29 16:22:54 +02:00
parent 85fa48e604
commit 84f874bfc2
3 changed files with 162 additions and 7 deletions


@ -58,6 +58,14 @@ public:
return str;
};
/**
* Returns whether or not the rule is malformed.
*
* @param error_str Returns the error message, if any
* @return true if the rule is wrong
*/
bool malformed(string& error_str) const;
/**
* Function to print the object into a string in XML format
*
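Review bot: The @param line for malformed() understates the contract its implementation gives: error_str is assigned only when the rule is wrong and is left untouched for a valid rule, and when several problems are detected their messages are concatenated with "; ". Suggest `* @param error_str Set to a "; "-separated list of the problems found; left unchanged when the rule is valid`. The enclosing class declaration starts before this hunk.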


@ -225,14 +225,15 @@ int AclManager::add_rule(long long user, long long resource, long long rights,
return -1;
}
/*
if ( rule->malformed() )
if ( rule->malformed(error_str) )
{
oss << "Rule " << rule->to_str() << " is malformed: " << error_str;
error_str = oss.str();
delete rule;
NebulaLog::log("ACL", Log::INFO, "TODO");
return -2;
}
*/
rc = insert(rule);
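Review bot: The malformed() check added at the top of this hunk is wrapped in `/* … */`, so add_rule never rejects a malformed rule and it still reaches `rc = insert(rule);` with the new validation unused. If the block is deliberately disabled until callers handle the -2 return, a comment saying so would help; otherwise drop the two comment delimiters and replace the placeholder log line with the real message, e.g. `NebulaLog::log("ACL", Log::ERROR, error_str);`. add_rule begins before this hunk.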


@ -27,6 +27,153 @@ const long long AclRule::ALL_ID = 0x400000000LL;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool AclRule::malformed(string& error_str) const
{
ostringstream oss;
bool error = false;
// Check user
if ( (user & INDIVIDUAL_ID) != 0 && (user & GROUP_ID) != 0 )
{
error = true;
oss << "[user] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
}
if ( (user & INDIVIDUAL_ID) != 0 && (user & ALL_ID) != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[user] INDIVIDUAL (#) and ALL (*) bits are exclusive";
}
if ( (user & GROUP_ID) != 0 && (user & ALL_ID) != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[user] GROUP (@) and ALL (*) bits are exclusive";
}
if ( user_id() < 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[user] ID cannot be negative";
}
if ( (user & ALL_ID) != 0 && user_id() != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "when using the ALL bit, [user] ID must be 0";
}
// Check resource
if ( (resource & INDIVIDUAL_ID) != 0 && (resource & GROUP_ID) != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
}
if ( (resource & INDIVIDUAL_ID) != 0 && (resource & ALL_ID) != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] INDIVIDUAL (#) and ALL (*) bits are exclusive";
}
if ( (resource & GROUP_ID) != 0 && (resource & ALL_ID) != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] GROUP (@) and ALL (*) bits are exclusive";
}
if ( resource_id() < 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] ID cannot be negative";
}
if ( (resource & ALL_ID) != 0 && resource_id() != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "when using the ALL bit, [resource] ID must be 0";
}
if ( (resource & 0xFF000000000LL) == 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] type is missing";
}
if ( (resource & 0xFFFFF00000000000LL) != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "wrong [resource] type";
}
if ( error )
{
error_str = oss.str();
}
return error;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void AclRule::build_str()
{
ostringstream oss;
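Review bot: malformed() never rejects a user or resource value that carries none of the INDIVIDUAL_ID, GROUP_ID or ALL_ID bits: every user check in this hunk is conditional on one of those bits being set or on the ID value, so if the rule grammar requires a scope marker (#, @ or *) a value without any passes as well-formed. A check such as `if ( (user & (INDIVIDUAL_ID | GROUP_ID | ALL_ID)) == 0 )` reporting `"[user] scope bit (#, @ or *) is missing"`, and the same for resource, would close that gap, assuming those constants are distinct single bits as ALL_ID = 0x400000000 suggests. The resource masks `0xFF000000000LL` and `0xFFFFF00000000000LL` are magic literals: deriving them from the AuthRequest object constants (or naming them, e.g. a RESOURCE_TYPE_MASK) would keep them in step with the object table that the build_str hunk below edits by hand, and the second literal does not fit a signed long long, so it silently becomes unsigned long long and the `&` mixes signedness. The fourteen repetitions of `if ( error ) { oss << "; "; } error = true;` could be collapsed by collecting the messages in a vector<string> and joining them once at the end, a style change only. The build_str hunk that follows continues past the end of the view.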
@ -53,13 +200,12 @@ void AclRule::build_str()
AuthRequest::IMAGE,
AuthRequest::USER,
AuthRequest::TEMPLATE,
AuthRequest::GROUP,
AuthRequest::ACL
AuthRequest::GROUP
};
bool prefix = false;
for ( int i = 0; i < 8; i++ )
for ( int i = 0; i < 7; i++ )
{
if ( (resource & objects[i]) != 0 )
{