Merge branch 'feature-687' of git.opennebula.org:one into feature-687

include/AclManager.h

@@ -100,12 +100,7 @@ public:
     /**
      *  Bootstraps the database table(s) associated to the ACL Manager
      */
-    static void bootstrap(SqlDB * _db)
-    {
-        ostringstream oss(db_bootstrap);
-
-        _db->exec(oss);
-    };
+    static void bootstrap(SqlDB * _db);
 
     /**
      *  Dumps the rule set in XML format.
@@ -227,7 +222,19 @@ private:
      *    @param rule to insert
      *    @return 0 on success
      */
-    int insert(AclRule * rule);
+    int insert(AclRule * rule)
+    {
+        return insert(rule, db);
+    };
+
+    /**
+     *  Inserts the ACL rule in the database.
+     *    @param rule to insert
+     *    @db db pointer
+     *
+     *    @return 0 on success
+     */
+    static int insert(AclRule * rule, SqlDB * db);
 
     /**
      *  Drops an ACL rule from the database

src/acl/AclManager.cc

@@ -268,7 +268,7 @@ bool AclManager::match_rules(
           &&
           (
             // Rule grants permission for all objects of this type
-            ( it->second->resource == resource_all_req )
+            ( ( it->second->resource & resource_all_req ) == resource_all_req )
             ||
             // Or rule's object type and group object ID match
             ( ( it->second->resource & resource_gid_mask ) == resource_gid_req )
@@ -463,6 +463,21 @@ int AclManager::del_rule(int oid, string& error_str)
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
+void AclManager::bootstrap(SqlDB * _db)
+{
+    ostringstream oss(db_bootstrap);
+
+    _db->exec(oss);
+
+    // Add a default rule
+    // @1 VM+NET+IMAGE+TEMPLATE/* CREATE+INFO_POOL_MINE
+    AclRule default_rule(0, 0x200000001LL, 0x2d400000000LL, 0x41LL);
+    insert(&default_rule, _db);
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 void AclManager::update_lastOID()
 {
     // db->escape_str is not used for 'table' since its name can't be set in
@@ -548,7 +563,7 @@ int AclManager::select()
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
-int AclManager::insert(AclRule * rule)
+int AclManager::insert(AclRule * rule, SqlDB * db)
 {
     ostringstream   oss;
     int             rc;

src/authm/test/AuthManagerTest.cc

@@ -237,41 +237,43 @@ public:
 
     void self_authorize()
     {
-        set<int> empty_set;
+        // Make all users belong to the USERS (1) group
+        set<int> gid_set;
+        gid_set.insert(1);
 
-        AuthRequest ar(2, empty_set);
-        AuthRequest ar1(2, empty_set);
-        AuthRequest ar2(3, empty_set);
-        AuthRequest ar3(4, empty_set);
-        AuthRequest ar4(2, empty_set);
-        AuthRequest ar5(0, empty_set);
-        AuthRequest ar6(0, empty_set);
+        AuthRequest ar(2, gid_set);
+        AuthRequest ar1(2, gid_set);
+        AuthRequest ar2(3, gid_set);
+        AuthRequest ar3(4, gid_set);
+        AuthRequest ar4(2, gid_set);
+        AuthRequest ar5(0, gid_set);
+        AuthRequest ar6(0, gid_set);
 
-        ar.add_auth(AuthRequest::VM,"dGhpcy",0,AuthRequest::CREATE,2,false);
-        ar.add_auth(AuthRequest::NET,2,0,AuthRequest::USE,2,false);
-        ar.add_auth(AuthRequest::IMAGE,3,0,AuthRequest::USE,4,true);
+        ar.add_auth(AuthRequest::VM,"dGhpcy",-1,AuthRequest::CREATE,2,false);
+        ar.add_auth(AuthRequest::NET,2,1,AuthRequest::USE,2,false);
+        ar.add_auth(AuthRequest::IMAGE,3,1,AuthRequest::USE,4,true);
 
         CPPUNIT_ASSERT(ar.plain_authorize() == true);
 
-        ar1.add_auth(AuthRequest::VM,"dGhpcy",0,AuthRequest::CREATE,2,false);
-        ar1.add_auth(AuthRequest::NET,2,0,AuthRequest::USE,2,false);
-        ar1.add_auth(AuthRequest::IMAGE,3,0,AuthRequest::USE,4,false);
+        ar1.add_auth(AuthRequest::VM,"dGhpcy",-1,AuthRequest::CREATE,2,false);
+        ar1.add_auth(AuthRequest::NET,2,1,AuthRequest::USE,2,false);
+        ar1.add_auth(AuthRequest::IMAGE,3,1,AuthRequest::USE,4,false);
 
         CPPUNIT_ASSERT(ar1.plain_authorize() == false);
 
-        ar2.add_auth(AuthRequest::HOST,"dGhpcy",0,AuthRequest::CREATE,0,false);
+        ar2.add_auth(AuthRequest::HOST,"dGhpcy",-1,AuthRequest::CREATE,0,false);
         CPPUNIT_ASSERT(ar2.plain_authorize() == false);
 
-        ar3.add_auth(AuthRequest::VM,5,0,AuthRequest::MANAGE,2,false);
+        ar3.add_auth(AuthRequest::VM,5,1,AuthRequest::MANAGE,2,false);
         CPPUNIT_ASSERT(ar3.plain_authorize() == false);
 
-        ar4.add_auth(AuthRequest::VM,4,0,AuthRequest::MANAGE,2,false);
+        ar4.add_auth(AuthRequest::VM,4,1,AuthRequest::MANAGE,2,false);
         CPPUNIT_ASSERT(ar4.plain_authorize() == true);
 
-        ar5.add_auth(AuthRequest::HOST,4,0,AuthRequest::MANAGE,0,false);
+        ar5.add_auth(AuthRequest::HOST,4,-1,AuthRequest::MANAGE,0,false);
         CPPUNIT_ASSERT(ar5.plain_authorize() == true);
 
-        ar6.add_auth(AuthRequest::HOST,4,0,AuthRequest::CREATE,0,false);
+        ar6.add_auth(AuthRequest::HOST,4,-1,AuthRequest::CREATE,0,false);
         CPPUNIT_ASSERT(ar6.plain_authorize() == true);
     }
 

src/rm/RequestManagerPoolInfoFilter.cc

@@ -84,11 +84,11 @@ void RequestManagerPoolInfoFilter::request_execute(xmlrpc_c::paramList const& pa
 
         case MINE_GROUP:
 
-            uid_filter << "uid = " << uid << " OR gid = " << gid;
+            uid_filter << "uid = " << uid;
 
             for ( it = group_ids.begin() ; it != group_ids.end(); it++ )
             {
-                where_string << " OR gid = " << *it;
+                uid_filter << " OR gid = " << *it;
             }
 
             request_op = AuthRequest::INFO_POOL_MINE;

src/sunstone/etc/sunstone-plugins.yaml

@@ -1,16 +1,19 @@
 ---
 - plugins/dashboard-tab.js:
-    :ALL: true
+    :ALL: false
     :user:
     :group:
+        oneadmin: true
 - plugins/hosts-tab.js:
-    :ALL: true
+    :ALL: false
     :user:
     :group:
+        oneadmin: true
 - plugins/groups-tab.js:
-    :ALL: true
+    :ALL: false
     :user:
     :group:
+        oneadmin: true
 - plugins/templates-tab.js:
     :ALL: true
     :user:
@@ -28,6 +31,7 @@
     :user:
     :group:
 - plugins/users-tab.js:
-    :ALL: true
+    :ALL: false
     :user:
     :group:
+        oneadmin: true

src/sunstone/models/SunstonePlugins.rb

@@ -69,19 +69,28 @@ class SunstonePlugins
         @installed_plugins.include? plugin
     end
 
-    def authorized_plugins(user,group=nil)
+    def authorized_plugins(user, group)
         auth_plugins = {"user-plugins"=>Array.new, "plugins"=>Array.new}
 
         @plugins_conf.each do |plugin_conf|
             plugin = plugin_conf.keys.first
-            perms = plugin_conf[plugin]
+            perms  = plugin_conf[plugin]
+
             if installed?(plugin)
                 p_path, p_name = plugin.split('/')
 
-                if perms[:user] and perms[:user][user]
-                    auth_plugins[p_path] << p_name
-                elsif perms[:group] and perms[:group][group]
-                    auth_plugins[p_path] << p_name
+                if perms[:user] and perms[:user].has_key? user
+                    if perms[:user][user]
+                        auth_plugins[p_path] << p_name
+                    else
+                        next
+                    end
+                elsif perms[:group] and perms[:group].has_key? group
+                    if perms[:group][group]
+                        auth_plugins[p_path] << p_name
+                    else
+                        next
+                    end
                 elsif perms[:ALL]
                     auth_plugins[p_path] << p_name
                 end

src/sunstone/models/SunstoneServer.rb

@@ -41,9 +41,13 @@ class SunstoneServer
             return [500, false]
         end
 
-        user_pass = user_pool["USER[NAME=\"#{user}\"]/PASSWORD"]
+        user_pass   =  user_pool["USER[NAME=\"#{user}\"]/PASSWORD"]
+        user_id     =  user_pool["USER[NAME=\"#{user}\"]/ID"]
+        user_gid    =  user_pool["USER[NAME=\"#{user}\"]/GID"]
+        user_gname  =  user_pool["USER[NAME=\"#{user}\"]/GNAME"]
+
         if user_pass == sha1_pass
-            return [204, user_pool["USER[NAME=\"#{user}\"]/ID"]]
+            return [204, [user_id, user_gid, user_gname]]
         else
             return [401, nil]
         end

src/sunstone/sunstone-server.rb

@@ -15,7 +15,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
 # See the License for the specific language governing permissions and        #
 # limitations under the License.                                             #
-#--------------------------------------------------------------------------- # 
+#--------------------------------------------------------------------------- #
 
 ONE_LOCATION = ENV["ONE_LOCATION"]
 
@@ -76,11 +76,13 @@ helpers do
 
             rc = SunstoneServer.authorize(user, sha1_pass)
             if rc[1]
-                session[:user]     = user
-                session[:user_id]  = rc[1]
-                session[:password] = sha1_pass
-                session[:ip]       = request.ip
-                session[:remember] = params[:remember]
+                session[:user]          = user
+                session[:user_id]       = rc[1][0]
+                session[:user_gid]      = rc[1][1]
+                session[:user_gname]    = rc[1][2]
+                session[:password]      = sha1_pass
+                session[:ip]            = request.ip
+                session[:remember]      = params[:remember]
 
                 if params[:remember]
                     env['rack.session.options'][:expire_after] = 30*60*60*24
@@ -137,7 +139,7 @@ get '/' do
                         :expires=>time)
 
     p = SunstonePlugins.new
-    @plugins = p.authorized_plugins(session[:user])
+    @plugins = p.authorized_plugins(session[:user], session[:user_gname])
 
     erb :index
 end