From 6ab7f3e13c5ac6f9ef25c9a6f91bc5091b7c2bb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tino=20V=C3=A1zquez?=
Date: Fri, 9 Jul 2010 19:53:45 +0200
Subject: [PATCH] feature #200: Auth for VirtualNetworks

---
 .../RequestManagerVirtualNetworkAllocate.cc   | 19 ++++++++++
 src/rm/RequestManagerVirtualNetworkDelete.cc  | 38 ++++++++++++++-----
 src/rm/RequestManagerVirtualNetworkInfo.cc    | 28 +++++++++++++-
 src/rm/RequestManagerVirtualNetworkPublish.cc | 18 +++++++--
 4 files changed, 88 insertions(+), 15 deletions(-)

diff --git a/src/rm/RequestManagerVirtualNetworkAllocate.cc b/src/rm/RequestManagerVirtualNetworkAllocate.cc
index 791d0f4b57..2520fbcbc9 100644
--- a/src/rm/RequestManagerVirtualNetworkAllocate.cc
+++ b/src/rm/RequestManagerVirtualNetworkAllocate.cc
@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -64,6 +66,19 @@ void RequestManager::VirtualNetworkAllocate::execute(
     uid = user->get_uid();
 
     user->unlock();
 
+    //Authorize the operation
+    if ( uid != 0 ) // uid == 0 means oneadmin
+    {
+        AuthRequest ar(uid);
+
+        ar.add_auth(AuthRequest::NET,-1,AuthRequest::CREATE,0,false);
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
     rc = vnpool->allocate(uid,stemplate,&nid);
 
@@ -91,6 +106,10 @@ error_session:
 error_get_user:
     oss << "User not recognized, cannot allocate VirtualNetwork";
     goto error_common;
+
+error_authorize:
+    oss << "User not authorized to create a VirtualNetwork";
+    goto error_common;
 
 error_vn_allocate:
     oss << "Error allocating VN with template: " << endl << stemplate;
diff --git a/src/rm/RequestManagerVirtualNetworkDelete.cc b/src/rm/RequestManagerVirtualNetworkDelete.cc
index b16e9803aa..6ffe35e113 100644
--- a/src/rm/RequestManagerVirtualNetworkDelete.cc
+++ b/src/rm/RequestManagerVirtualNetworkDelete.cc
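Review bot: The positional literals in `ar.add_auth(AuthRequest::NET,-1,AuthRequest::CREATE,0,false);` are undocumented, and the same call shape recurs with different literals in the Delete, Info and Publish hunks of this commit; from the Info and Publish calls the last argument is evidently a public flag (they pass `vn->isPublic()`), while the meaning of the `-1` object id and the `0` is not visible here. A short comment on the call, such as `// no object id yet (-1); 4th/5th args: <confirm against AuthRequest::add_auth>, public flag`, would let a reader check the request without opening AuthManager.h. The hard-coded oneadmin bypass `if ( uid != 0 ) // uid == 0 means oneadmin` is likewise repeated per handler (as `rc != 0` in Delete and Info, `uid != 0` in Publish); folding that exemption into `UserPool::authorize` or a named constant would keep the authorization decision in one place. The enclosing execute() starts and ends outside this hunk.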
@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -45,6 +47,27 @@ void RequestManager::VirtualNetworkDelete::execute(
     session = xmlrpc_c::value_string(paramList.getString(0));
     nid = xmlrpc_c::value_int (paramList.getInt (1));
 
+    // Only oneadmin or the VN owner can perform operations upon the VN
+    rc = VirtualNetworkDelete::upool->authenticate(session);
+
+    if ( rc == -1 )
+    {
+        goto error_authenticate;
+    }
+
+    //Authorize the operation
+    if ( rc != 0 ) // rc == 0 means oneadmin
+    {
+        AuthRequest ar(rc);
+
+        ar.add_auth(AuthRequest::NET,nid,AuthRequest::DELETE,0,false);
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
+
     // Retrieve VN from the pool
     vn = vnpool->get(nid,true);
 
@@ -54,14 +77,6 @@ void RequestManager::VirtualNetworkDelete::execute(
     }
 
     uid = vn->get_uid();
-
-    // Only oneadmin or the VN owner can perform operations upon the VN
-    rc = VirtualNetworkDelete::upool->authenticate(session);
-
-    if ( rc != 0 && rc != uid)
-    {
-        goto error_authenticate;
-    }
 
     rc = vnpool->drop(vn);
 
@@ -79,8 +94,11 @@ void RequestManager::VirtualNetworkDelete::execute(
     return;
 
 error_authenticate:
-    vn->unlock();
-    oss << "User cannot delete VN";
+    oss << "User not authenticated, aborting VirtualNetworkDelete call";
+    goto error_common;
+
+error_authorize:
+    oss << "User not authorized to delete Virtual Network with NID = " << nid;
     goto error_common;
 
 error_vn_get:
diff --git a/src/rm/RequestManagerVirtualNetworkInfo.cc b/src/rm/RequestManagerVirtualNetworkInfo.cc
index 046f74b20d..5649c96b35 100644
--- a/src/rm/RequestManagerVirtualNetworkInfo.cc
+++ b/src/rm/RequestManagerVirtualNetworkInfo.cc
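Review bot: In the `@@ -45,6 +47,27 @@` hunk `rc` is overloaded: it first holds the authenticated user id returned by `VirtualNetworkDelete::upool->authenticate(session)` and is passed as the principal in `AuthRequest ar(rc);`, then further down it receives the status of `vnpool->drop(vn)`, so the sentinel comparisons `rc == -1` and `rc != 0` mean different things a few lines apart. With the old owner comparison removed in the following hunk, `uid = vn->get_uid();` has no reader left in the visible lines — execute() continues outside the hunk, so confirm before dropping it. Keeping the principal under its own name would make both checks self-explanatory, e.g. `int auth_uid = VirtualNetworkDelete::upool->authenticate(session);` / `if ( auth_uid == -1 ) goto error_authenticate;` / `AuthRequest ar(auth_uid);`, leaving `rc` for the drop status. The moved comment `// Only oneadmin or the VN owner can perform operations upon the VN` now sits above the authentication call rather than the check that enforces it; the enforcement is inside `UserPool::authorize`, which this hunk does not show.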
@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -51,7 +53,7 @@ void RequestManager::VirtualNetworkInfo::execute(
     {
         goto error_authenticate;
     }
-    
+
     vn = vnpool->get(nid,true);
 
     if ( vn == 0 )
@@ -59,6 +61,23 @@ void RequestManager::VirtualNetworkInfo::execute(
         goto error_vn_get;
     }
 
+    //Authorize the operation
+    if ( rc != 0 ) // rc == 0 means oneadmin
+    {
+        AuthRequest ar(rc);
+
+        ar.add_auth(AuthRequest::NET,
+                    nid,
+                    AuthRequest::USE,
+                    0,
+                    vn->isPublic());
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
+
     oss << *vn;
 
     vn->unlock();
@@ -82,9 +101,14 @@ error_authenticate:
 error_vn_get:
     oss << "Error getting Virtual Network with NID = " << nid;
     goto error_common;
+
+error_authorize:
+    vn->unlock();
+    oss << "User not authorized to view VirtualNetwork" <<
+           ", VirtualNetworkInfo call aborted.";
+    goto error_common;
 
 error_common:
-
     arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
     arrayData.push_back(xmlrpc_c::value_string(oss.str()));
 
diff --git a/src/rm/RequestManagerVirtualNetworkPublish.cc b/src/rm/RequestManagerVirtualNetworkPublish.cc
index 985ae289b0..42d8030491 100644
--- a/src/rm/RequestManagerVirtualNetworkPublish.cc
+++ b/src/rm/RequestManagerVirtualNetworkPublish.cc
@@ -65,9 +65,21 @@ void RequestManager::VirtualNetworkPublish::execute(
         goto error_vn_get;
     }
 
-    if ( uid != 0 && uid != vn->get_uid() )
+    //Authorize the operation
+    if ( uid != 0 ) // uid == 0 means oneadmin
     {
-        goto error_authorization;
+        AuthRequest ar(uid);
+
+        ar.add_auth(AuthRequest::NET,
+                    nid,
+                    AuthRequest::MANAGE,
+                    0,
+                    vn->isPublic());
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
     }
 
     vn->publish(publish_flag);
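Review bot: In the `@@ -59,6 +61,23 @@` hunk of VirtualNetworkInfo the authorization request is built after `vn = vnpool->get(nid,true);`, whereas VirtualNetworkDelete in this commit authorizes before fetching; as a result an unauthorized caller here receives `User not authorized to view VirtualNetwork` for an existing NID and `Error getting Virtual Network with NID = ` for a missing one, so the response reveals whether a network id exists. The order is forced by `vn->isPublic()` being part of the request, so if that disclosure is acceptable a comment stating the reason would stop a later reader from "fixing" it, e.g. `// VN is fetched first because the public flag is an input to the authorization request`. The new `error_authorize:` label correctly unlocks the VN that is held at that point. execute() starts before the hunk.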
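Review bot: In the VirtualNetworkPublish `@@ -65,9 +65,21 @@` hunk the `AuthRequest::MANAGE` request passes `vn->isPublic()` in the same last position that the Info hunk uses for a read-only `USE` request; if `UserPool::authorize` treats that flag as granting access to public networks (its semantics are not visible in this diff), any authenticated user could (un)publish a network once it is public, which the removed `uid != vn->get_uid()` owner check did not permit. Unless the public bit is intended to affect management rights, pass `false` as the Allocate and Delete requests do, `ar.add_auth(AuthRequest::NET, nid, AuthRequest::MANAGE, 0, false);`, or document why publishing should honour it. Since ownership enforcement now lives entirely in `UserPool::authorize`, a test that a non-owner cannot publish or unpublish a public network would pin the intended behaviour. execute() starts before the hunk.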
@@ -95,7 +107,7 @@ error_vn_get:
     oss << "[VirtualNetworkPublish] Error getting VN with ID = " << nid;
     goto error_common;
 
-error_authorization:
+error_authorize:
     oss << "[VirtualNetworkPublish] User not authorized to (un)publish VN" <<
            ", aborting call.";
     vn->unlock();