Merge remote-tracking branch 'origin/feature-4411'

2025-03-23 22:50:09 +03:00 · 2016-07-01 12:20:52 +02:00 · 2016-07-01 12:20:52 +02:00 · 916f6707c8
commit 916f6707c8
parent 57779b33e4 e8f9de4bb2
4 changed files with 85 additions and 1 deletions
--- a/include/Nebula.h
+++ b/include/Nebula.h
@ -438,6 +438,16 @@ public:
        return get_conf_attribute("MARKET_MAD_CONF", mk_name, value);
    };

+    /**
+     *  Gets an Auth driver configuration attribute
+     */
+    int get_auth_conf_attribute(
+        const string& driver_name,
+        const VectorAttribute* &value) const
+    {
+        return get_conf_attribute("AUTH_DRIVER_CONF", driver_name, value);
+    };
+
    /**
     *  Gets an XML document with all of the configuration attributes
     *    @return the XML
--- a/include/RequestManagerUser.h
+++ b/include/RequestManagerUser.h
@ -50,6 +50,7 @@ protected:

    virtual int user_action(int                        user_id,
                            xmlrpc_c::paramList const& _paramList,
+                            RequestAttributes&         att,
                            string&                    error_str ) = 0;

    /* -------------------------------------------------------------------- */
@ -74,6 +75,7 @@ public:

    int user_action(int                        user_id,
                    xmlrpc_c::paramList const& _paramList,
+                    RequestAttributes&         att,
                    string&                    err);
 };

@ -96,6 +98,7 @@ public:

    int user_action(int                        user_id,
                    xmlrpc_c::paramList const& _paramList,
+                    RequestAttributes&         att,
                    string&                    err);
 };

@ -117,6 +120,7 @@ public:

    int user_action(int                        user_id,
                    xmlrpc_c::paramList const& _paramList,
+                    RequestAttributes&         att,
                    string&                    err);
 };

--- a/share/etc/oned.conf
+++ b/share/etc/oned.conf
@ -999,3 +999,48 @@ MARKET_MAD_CONF = [
    REQUIRED_ATTRS = "ACCESS_KEY_ID,SECRET_ACCESS_KEY,REGION,BUCKET",
    APP_ACTIONS = "create, delete, monitor"
 ]
+
+#*******************************************************************************
+# Authentication Driver Behavior Definition
+#*******************************************************************************
+# The configuration for each driver is defined in AUTH_DRIVER_CONF. These
+# values must not be modified since they define the driver behavior.
+#   name            : name of the auth driver
+#   password_change : allow the end users to change their own password. Oneadmin
+#                     can still change other user's passwords
+#*******************************************************************************
+
+AUTH_DRIVER_CONF = [
+    NAME = "core",
+    PASSWORD_CHANGE = "YES"
+]
+
+AUTH_DRIVER_CONF = [
+    NAME = "public",
+    PASSWORD_CHANGE = "NO"
+]
+
+AUTH_DRIVER_CONF = [
+    NAME = "ssh",
+    PASSWORD_CHANGE = "YES"
+]
+
+AUTH_DRIVER_CONF = [
+    NAME = "x509",
+    PASSWORD_CHANGE = "NO"
+]
+
+AUTH_DRIVER_CONF = [
+    NAME = "ldap",
+    PASSWORD_CHANGE = "YES"
+]
+
+AUTH_DRIVER_CONF = [
+    NAME = "server_cipher",
+    PASSWORD_CHANGE = "NO"
+]
+
+AUTH_DRIVER_CONF = [
+    NAME = "server_x509",
+    PASSWORD_CHANGE = "NO"
+]
--- a/src/rm/RequestManagerUser.cc
+++ b/src/rm/RequestManagerUser.cc
@ -40,7 +40,7 @@ void RequestManagerUser::
        return;
    }

-    if ( user_action(id, paramList, att.resp_msg) < 0 )
+    if ( user_action(id, paramList, att, att.resp_msg) < 0 )
    {
        failure_response(ACTION, att);
        return;
@ -54,12 +54,17 @@ void RequestManagerUser::

 int UserChangePassword::user_action(int     user_id,
                                    xmlrpc_c::paramList const& paramList,
+                                    RequestAttributes&         att,
                                    string& error_str)
 {

    string new_pass = xmlrpc_c::value_string(paramList.getString(2));
    User * user;

+    string driver;
+    bool   allowed = false;
+    const VectorAttribute* auth_conf;
+
    user = static_cast<User *>(pool->get(user_id,true));

    if ( user == 0 )
@ -67,6 +72,24 @@ int UserChangePassword::user_action(int     user_id,
        return -1;
    }

+    driver = user->get_auth_driver();
+
+    if (Nebula::instance().get_auth_conf_attribute(driver, auth_conf) == 0)
+    {
+        auth_conf->vector_value("PASSWORD_CHANGE", allowed);
+    }
+
+    if (!allowed &&
+        att.uid != UserPool::ONEADMIN_ID &&
+        att.gid != GroupPool::ONEADMIN_ID)
+    {
+        error_str = "Password for driver '"+user->get_auth_driver()+
+                    "' cannot be changed.";
+
+        user->unlock();
+        return -1;
+    }
+
    int rc = user->set_password(new_pass, error_str);

    if ( rc == 0 )
@ -84,6 +107,7 @@ int UserChangePassword::user_action(int     user_id,

 int UserChangeAuth::user_action(int     user_id,
                                xmlrpc_c::paramList const& paramList,
+                                RequestAttributes&         att,
                                string& error_str)
 {
    string new_auth = xmlrpc_c::value_string(paramList.getString(2));
@ -131,6 +155,7 @@ int UserChangeAuth::user_action(int     user_id,

 int UserSetQuota::user_action(int     user_id,
                              xmlrpc_c::paramList const& paramList,
+                              RequestAttributes&         att,
                              string& error_str)
 {