Feature #687: Add correctness check for new rules
This commit is contained in:
parent
85fa48e604
commit
84f874bfc2
@ -58,6 +58,14 @@ public:
|
||||
return str;
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns whether or not the rule is malformed.
|
||||
*
|
||||
* @param error_str Returns the error message, if any
|
||||
* @return true if the rule is wrong
|
||||
*/
|
||||
bool malformed(string& error_str) const;
|
||||
|
||||
/**
|
||||
* Function to print the object into a string in XML format
|
||||
*
|
||||
|
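Review bot: The doc comment on `bool malformed(string& error_str) const;` does not say what happens to `error_str` when the rule is valid; the implementation in AclRule.cc only assigns it when an error was found, so a caller that passes a reused string (as AclManager::add_rule does) keeps whatever it held before. Make the contract explicit: `* @param error_str On failure, set to a ';'-separated list of the problems found; left unchanged when the rule is well formed`. It is also worth stating that the check covers only the user and resource fields — the rights field is not validated — so callers do not assume otherwise.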
@ -225,14 +225,15 @@ int AclManager::add_rule(long long user, long long resource, long long rights,
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
if ( rule->malformed() )
|
||||
if ( rule->malformed(error_str) )
|
||||
{
|
||||
oss << "Rule " << rule->to_str() << " is malformed: " << error_str;
|
||||
error_str = oss.str();
|
||||
|
||||
delete rule;
|
||||
NebulaLog::log("ACL", Log::INFO, "TODO");
|
||||
return -2;
|
||||
}
|
||||
*/
|
||||
|
||||
|
||||
rc = insert(rule);
|
||||
|
||||
|
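Review bot: The call `if ( rule->malformed(error_str) )` and the whole rejection path sit inside a `/* … */` block, so add_rule still falls through to `rc = insert(rule);` for a malformed rule and the new check is never enforced at the point where rules enter the system. If the block is meant to be live, drop the `/*` and `*/` lines and replace the placeholder `NebulaLog::log("ACL", Log::INFO, "TODO");` with `NebulaLog::log("ACL", Log::ERROR, error_str);` so the composed message is actually recorded. The message is built by appending to `oss`, which is declared outside this hunk; if it already holds text from an earlier path in add_rule the result would carry that text too, so a fresh local stream is safer. add_rule begins and ends outside the hunk.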
@ -27,6 +27,153 @@ const long long AclRule::ALL_ID = 0x400000000LL;
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
bool AclRule::malformed(string& error_str) const
|
||||
{
|
||||
ostringstream oss;
|
||||
bool error = false;
|
||||
|
||||
// Check user
|
||||
|
||||
if ( (user & INDIVIDUAL_ID) != 0 && (user & GROUP_ID) != 0 )
|
||||
{
|
||||
error = true;
|
||||
oss << "[user] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
|
||||
}
|
||||
|
||||
if ( (user & INDIVIDUAL_ID) != 0 && (user & ALL_ID) != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[user] INDIVIDUAL (#) and ALL (*) bits are exclusive";
|
||||
}
|
||||
|
||||
if ( (user & GROUP_ID) != 0 && (user & ALL_ID) != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[user] GROUP (@) and ALL (*) bits are exclusive";
|
||||
}
|
||||
|
||||
if ( user_id() < 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[user] ID cannot be negative";
|
||||
}
|
||||
|
||||
if ( (user & ALL_ID) != 0 && user_id() != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "when using the ALL bit, [user] ID must be 0";
|
||||
}
|
||||
|
||||
// Check resource
|
||||
|
||||
if ( (resource & INDIVIDUAL_ID) != 0 && (resource & GROUP_ID) != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[resource] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
|
||||
}
|
||||
|
||||
if ( (resource & INDIVIDUAL_ID) != 0 && (resource & ALL_ID) != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[resource] INDIVIDUAL (#) and ALL (*) bits are exclusive";
|
||||
}
|
||||
|
||||
if ( (resource & GROUP_ID) != 0 && (resource & ALL_ID) != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[resource] GROUP (@) and ALL (*) bits are exclusive";
|
||||
}
|
||||
|
||||
if ( resource_id() < 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[resource] ID cannot be negative";
|
||||
}
|
||||
|
||||
if ( (resource & ALL_ID) != 0 && resource_id() != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "when using the ALL bit, [resource] ID must be 0";
|
||||
}
|
||||
|
||||
if ( (resource & 0xFF000000000LL) == 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "[resource] type is missing";
|
||||
}
|
||||
|
||||
if ( (resource & 0xFFFFF00000000000LL) != 0 )
|
||||
{
|
||||
if ( error )
|
||||
{
|
||||
oss << "; ";
|
||||
}
|
||||
|
||||
error = true;
|
||||
oss << "wrong [resource] type";
|
||||
}
|
||||
|
||||
if ( error )
|
||||
{
|
||||
error_str = oss.str();
|
||||
}
|
||||
|
||||
return error;
|
||||
}
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
void AclRule::build_str()
|
||||
{
|
||||
ostringstream oss;
|
||||
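Review bot: The two resource-type checks use bare masks, `(resource & 0xFF000000000LL)` and `(resource & 0xFFFFF00000000000LL)`, while the neighbouring bits are named (`ALL_ID` is defined just above the hunk); the second literal is larger than LLONG_MAX, so despite the `LL` suffix it has type unsigned long long and `resource` is converted to unsigned for that `&`, which compilers warn about and which a reader cannot tell is intended. Give both masks named constants beside `ALL_ID` and derive the "wrong type" mask from the named bits rather than spelling it out. The first mask admits eight type bits, but build_str in the next hunk of this file now enumerates seven objects, so if the type bits start at the mask's lowest bit a rule carrying the eighth bit would pass malformed() and print with no type name — worth confirming against the AuthRequest object values, which are not on this page. Separately, the thirteen checks repeat the same `if ( error ) { oss << "; "; } error = true; oss << …` sequence; a small file-local helper keeps each check to its condition and message, as sketched below.
```cpp
// Appends one diagnostic to oss, separating it from any earlier one.
static void add_error(ostringstream& oss, bool& error, const char* msg)
{
    if ( error )
    {
        oss << "; ";
    }

    error = true;
    oss << msg;
}

bool AclRule::malformed(string& error_str) const
{
    ostringstream oss;
    bool error = false;

    // Check user

    if ( (user & INDIVIDUAL_ID) != 0 && (user & GROUP_ID) != 0 )
    {
        add_error(oss, error, "[user] INDIVIDUAL (#) and GROUP (@) bits are exclusive");
    }

    // … unchanged: the remaining user and resource checks, each reduced to one add_error call …

    if ( error )
    {
        error_str = oss.str();
    }

    return error;
}
```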
@ -53,13 +200,12 @@ void AclRule::build_str()
|
||||
AuthRequest::IMAGE,
|
||||
AuthRequest::USER,
|
||||
AuthRequest::TEMPLATE,
|
||||
AuthRequest::GROUP,
|
||||
AuthRequest::ACL
|
||||
AuthRequest::GROUP
|
||||
};
|
||||
|
||||
bool prefix = false;
|
||||
|
||||
for ( int i = 0; i < 8; i++ )
|
||||
for ( int i = 0; i < 7; i++ )
|
||||
{
|
||||
if ( (resource & objects[i]) != 0 )
|
||||
{
|
||||
|
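Review bot: `for ( int i = 0; i < 7; i++ )` hardcodes the element count of `objects`, which this very commit had to change in step with removing `AuthRequest::ACL`; a count derived from the array, `for ( size_t i = 0; i < sizeof(objects)/sizeof(objects[0]); i++ )`, cannot drift the next time the list changes. The array's declaration begins above the hunk, so its element type is not visible here; if it is a plain C array the sizeof form works as written. The same eight-versus-seven question applies to the `0xFF000000000LL` type mask in malformed() earlier in this file.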