feature #203: Auth for USERS

include/AuthManager.h

@@ -290,7 +290,8 @@ public:
         VM,
         HOST,
         NET,
-        IMAGE
+        IMAGE,
+        USER
     };
 
     /**

src/authm/AuthManager.cc

@@ -84,6 +84,7 @@ void AuthRequest::add_auth(Object        ob,
         case HOST:  oss << "HOST:" ; break;
         case NET:   oss << "NET:" ; break;
         case IMAGE: oss << "IMAGE:" ; break;
+        case USER:  oss << "USER:" ; break;
     }
 
     if (op == CREATE) //encode the ob_id, it is a template

src/rm/RequestManagerUserAllocate.cc

@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -48,13 +50,29 @@ void RequestManager::UserAllocate::execute(
     username     = xmlrpc_c::value_string(paramList.getString(1));
     password     = xmlrpc_c::value_string(paramList.getString(2));
     
-    // Only oneadmin can add users
     rc = UserAllocate::upool->authenticate(session);
     
-    if ( rc != 0 )                             
+    if ( rc == -1 )                             
     {                                            
         goto error_authenticate;                     
     }
+    
+    //Authorize the operation
+    if ( rc != 0 ) // rc == 0 means oneadmin
+    {
+        AuthRequest ar(rc);
+
+        ar.add_auth(AuthRequest::USER,
+                    -1,
+                    AuthRequest::CREATE,
+                    0,
+                    false);
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
 
     // Let's make sure that the user doesn't exist in the database
     user = UserAllocate::upool->get(username,false);
@@ -85,16 +103,20 @@ void RequestManager::UserAllocate::execute(
     return;
 
 error_authenticate:
-    oss << "User not authorized to add new users";
+    oss << "User not authenticated, aborting UserAllocate call.";
     goto error_common;
     
+error_authorize:
+    oss << "User not authorized to add new users, aborting UserAllocate call.";
+    goto error_common;  
+     
 error_duplicate:
-    oss << "Existing user, cannot duplicate";
+    oss << "Existing user, cannot duplicate.";
     goto error_common;
 
 
 error_allocate:
-    oss << "Error allocating user";
+    oss << "Error allocating user.";
     goto error_common;
 
 error_common:

src/rm/RequestManagerUserDelete.cc

@@ -17,6 +17,8 @@
 #include "RequestManager.h"
 #include "NebulaLog.h"
 
+#include "AuthManager.h"
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
@@ -48,13 +50,29 @@ void RequestManager::UserDelete::execute(
         goto error_oneadmin_deletion;
     }
     
-    // Only oneadmin can delete users
     rc = UserDelete::upool->authenticate(session);
     
-    if ( rc != 0 )
+    if ( rc == -1 )
     {
         goto error_authenticate;
     }
+    
+    //Authorize the operation
+    if ( rc != 0 ) // rc == 0 means oneadmin
+    {
+        AuthRequest ar(rc);
+
+        ar.add_auth(AuthRequest::USER,
+                    uid,
+                    AuthRequest::DELETE,
+                    0,
+                    false);
+
+        if (UserPool::authorize(ar) == -1)
+        {
+            goto error_authorize;
+        }
+    }
 
     // Now let's get the user 
     user = UserDelete::upool->get(uid,true);
@@ -89,7 +107,12 @@ error_oneadmin_deletion:
     goto error_common;
 
 error_authenticate:
-    oss << "User not authorized to delete users";
+    oss << "User not authenticated, aborting UserDelete call.";
+    goto error_common;
+
+error_authorize:
+    oss << "User not authorized to delete user with uid " << uid 
+        << ", aborting UserDelete call.";
     goto error_common;
     
 error_get_user: