From 2449b2cda181cc661c8c407a6e1417b770ea19bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn?= Date: Mon, 4 Jul 2011 18:06:46 +0200 Subject: [PATCH 1/5] Feature #687: Bug in ACL rule matching, it was missing a mask --- src/acl/AclManager.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc index 490efcbf28..2e77a505e6 100644 --- a/src/acl/AclManager.cc +++ b/src/acl/AclManager.cc @@ -268,7 +268,7 @@ bool AclManager::match_rules( && ( // Rule grants permission for all objects of this type - ( it->second->resource == resource_all_req ) + ( ( it->second->resource & resource_all_req ) == resource_all_req ) || // Or rule's object type and group object ID match ( ( it->second->resource & resource_gid_mask ) == resource_gid_req ) From e65f80a161df3b57dd3b3a368350535fb0bc185f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn?= Date: Mon, 4 Jul 2011 19:09:47 +0200 Subject: [PATCH 2/5] Feature #687: Bug in one.*.poolinfo xml-rpc methods, wrong WHERE clause --- src/rm/RequestManagerPoolInfoFilter.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rm/RequestManagerPoolInfoFilter.cc b/src/rm/RequestManagerPoolInfoFilter.cc index b3875a2dc2..37e416294d 100644 --- a/src/rm/RequestManagerPoolInfoFilter.cc +++ b/src/rm/RequestManagerPoolInfoFilter.cc @@ -84,11 +84,11 @@ void RequestManagerPoolInfoFilter::request_execute(xmlrpc_c::paramList const& pa case MINE_GROUP: - uid_filter << "uid = " << uid << " OR gid = " << gid; + uid_filter << "uid = " << uid; for ( it = group_ids.begin() ; it != group_ids.end(); it++ ) { - where_string << " OR gid = " << *it; + uid_filter << " OR gid = " << *it; } request_op = AuthRequest::INFO_POOL_MINE; From 27e04919b2caa2018a584f615f85297cfb4de52f Mon Sep 17 00:00:00 2001 
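Review bot: The new subset test `( ( it->second->resource & resource_all_req ) == resource_all_req )` matches any rule whose resource bits are a superset of the requested ones, so a rule that also carries bits beyond those requested (other object types or other scope bits) now grants as well, whereas the removed equality did not. If that widening is intended it should be stated next to the check, because the neighbouring alternative uses an explicit mask (`resource_gid_mask`) and a reader will expect the same discipline here; suggested comment above the line: `// Superset test: a rule may cover more object types than the one requested`. match_rules begins and ends outside this hunk, so how resource_all_req is assembled cannot be verified from here.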
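Review bot: The rebuilt MINE_GROUP filter drops the `OR gid = gid` term that the removed line carried, so the user's primary group is covered only if group_ids already contains it; if the caller does not guarantee that, seed the chain with `uid_filter << "uid = " << uid << " OR gid = " << gid;` as before. The `uid = … OR gid = …` chain is also emitted without surrounding parentheses, so wherever uid_filter is combined with another condition in where_string (outside this hunk) the OR binds looser than an AND and the result set widens silently; open with `uid_filter << "(uid = " << uid;` and close the chain with `<< ")"`, or parenthesise at the point of combination. As long as uid and the group ids are numeric the string building is not an injection path, but the precedence should be fixed in the same place the clause is built.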
From: =?UTF-8?q?Carlos=20Mart=C3=ADn?= Date: Mon, 4 Jul 2011 19:14:43 +0200 Subject: [PATCH 3/5] Feature #687: Add a default ACL rule at bootstrap --- include/AclManager.h | 21 ++++++++++++++------- src/acl/AclManager.cc | 17 ++++++++++++++++- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/include/AclManager.h b/include/AclManager.h index bff6f519ba..f37864a716 100644 --- a/include/AclManager.h +++ b/include/AclManager.h @@ -95,12 +95,7 @@ public: /** * Bootstraps the database table(s) associated to the ACL Manager */ - static void bootstrap(SqlDB * _db) - { - ostringstream oss(db_bootstrap); - - _db->exec(oss); - }; + static void bootstrap(SqlDB * _db); /** * Dumps the rule set in XML format. @@ -220,7 +215,19 @@ private: * @param rule to insert * @return 0 on success */ - int insert(AclRule * rule); + int insert(AclRule * rule) + { + return insert(rule, db); + }; + + /** + * Inserts the ACL rule in the database. + * @param rule to insert + * @db db pointer + * + * @return 0 on success + */ + static int insert(AclRule * rule, SqlDB * db); /** * Drops an ACL rule from the database diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc index 2e77a505e6..8081c31314 100644 --- a/src/acl/AclManager.cc +++ b/src/acl/AclManager.cc 
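Review bot: The new static overload `static int insert(AclRule * rule, SqlDB * db);` names its parameter `db`, the same identifier as the member that the inline `insert(AclRule * rule)` forwards, and its Doxygen block tags it as `@db db pointer` instead of `@param db`. Rename the parameter to `_db` to match `static void bootstrap(SqlDB * _db);` in the first hunk and fix the tag: `* @param _db pointer to the database the rule is written to`. The same parameter name appears in the definition `int AclManager::insert(AclRule * rule, SqlDB * db)` in the second AclManager.cc hunk of this patch. The comment should also say why the static form exists — it is what lets the static bootstrap() insert a rule before an AclManager instance owns a database.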
@@ -464,6 +464,21 @@ int AclManager::del_rule(int oid, string& error_str) /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ +void AclManager::bootstrap(SqlDB * _db) +{ + ostringstream oss(db_bootstrap); + + _db->exec(oss); + + // Add a default rule + // @1 VM+NET+IMAGE+TEMPLATE/* CREATE+INFO_POOL_MINE + AclRule default_rule(0, 0x200000001LL, 0x2d400000000LL, 0x41LL); + insert(&default_rule, _db); +} + +/* -------------------------------------------------------------------------- */ +/* -------------------------------------------------------------------------- */ + void AclManager::update_lastOID() { // db->escape_str is not used for 'table' since its name can't be set in @@ -549,7 +564,7 @@ int AclManager::select() /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ -int AclManager::insert(AclRule * rule) +int AclManager::insert(AclRule * rule, SqlDB * db) { ostringstream oss; int rc; From 90fc30f6af03b6b2a77f9c4e84a542bb8f944b34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn?= Date: Tue, 5 Jul 2011 12:47:40 +0200 Subject: [PATCH 4/5] Feature #687: Change Auth. unit test to report the object groups --- src/authm/test/AuthManagerTest.cc | 40 ++++++++++++++++--------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/src/authm/test/AuthManagerTest.cc b/src/authm/test/AuthManagerTest.cc index cb105d24d0..8feaf66590 100644 --- a/src/authm/test/AuthManagerTest.cc +++ b/src/authm/test/AuthManagerTest.cc 
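Review bot: The return code of `insert(&default_rule, _db);` in bootstrap is discarded, so a failed insert leaves a freshly bootstrapped deployment with no default ACL rule and no record of why; check it and report, e.g. `if ( insert(&default_rule, _db) != 0 ) { /* log the failure */ }`, since bootstrap is void and cannot propagate it. The rule is also spelt as three raw literals (`0x200000001LL`, `0x2d400000000LL`, `0x41LL`) whose meaning lives only in the comment; composing them from the named object and operation constants used elsewhere in this series (`AuthRequest::VM`, `AuthRequest::NET`, `AuthRequest::IMAGE`, `AuthRequest::CREATE`, `AuthRequest::INFO_POOL_MINE`) together with the ACL scope flags would keep the initial policy readable and auditable. Because this rule is the starting authorization policy of every new installation, the comment should at least state which bits encode "group 1" and "all objects", so a later change to the bit layout does not silently change the grant.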
@@ -237,41 +237,43 @@ public: void self_authorize() { - set empty_set; + // Make all users belong to the USERS (1) group + set gid_set; + gid_set.insert(1); - AuthRequest ar(2, empty_set); - AuthRequest ar1(2, empty_set); - AuthRequest ar2(3, empty_set); - AuthRequest ar3(4, empty_set); - AuthRequest ar4(2, empty_set); - AuthRequest ar5(0, empty_set); - AuthRequest ar6(0, empty_set); + AuthRequest ar(2, gid_set); + AuthRequest ar1(2, gid_set); + AuthRequest ar2(3, gid_set); + AuthRequest ar3(4, gid_set); + AuthRequest ar4(2, gid_set); + AuthRequest ar5(0, gid_set); + AuthRequest ar6(0, gid_set); - ar.add_auth(AuthRequest::VM,"dGhpcy",0,AuthRequest::CREATE,2,false); - ar.add_auth(AuthRequest::NET,2,0,AuthRequest::USE,2,false); - ar.add_auth(AuthRequest::IMAGE,3,0,AuthRequest::USE,4,true); + ar.add_auth(AuthRequest::VM,"dGhpcy",-1,AuthRequest::CREATE,2,false); + ar.add_auth(AuthRequest::NET,2,1,AuthRequest::USE,2,false); + ar.add_auth(AuthRequest::IMAGE,3,1,AuthRequest::USE,4,true); CPPUNIT_ASSERT(ar.plain_authorize() == true); - ar1.add_auth(AuthRequest::VM,"dGhpcy",0,AuthRequest::CREATE,2,false); - ar1.add_auth(AuthRequest::NET,2,0,AuthRequest::USE,2,false); - ar1.add_auth(AuthRequest::IMAGE,3,0,AuthRequest::USE,4,false); + ar1.add_auth(AuthRequest::VM,"dGhpcy",-1,AuthRequest::CREATE,2,false); + ar1.add_auth(AuthRequest::NET,2,1,AuthRequest::USE,2,false); + ar1.add_auth(AuthRequest::IMAGE,3,1,AuthRequest::USE,4,false); CPPUNIT_ASSERT(ar1.plain_authorize() == false); - ar2.add_auth(AuthRequest::HOST,"dGhpcy",0,AuthRequest::CREATE,0,false); + ar2.add_auth(AuthRequest::HOST,"dGhpcy",-1,AuthRequest::CREATE,0,false); CPPUNIT_ASSERT(ar2.plain_authorize() == false); - ar3.add_auth(AuthRequest::VM,5,0,AuthRequest::MANAGE,2,false); + ar3.add_auth(AuthRequest::VM,5,1,AuthRequest::MANAGE,2,false); CPPUNIT_ASSERT(ar3.plain_authorize() == false); - ar4.add_auth(AuthRequest::VM,4,0,AuthRequest::MANAGE,2,false); + ar4.add_auth(AuthRequest::VM,4,1,AuthRequest::MANAGE,2,false); 
CPPUNIT_ASSERT(ar4.plain_authorize() == true); - ar5.add_auth(AuthRequest::HOST,4,0,AuthRequest::MANAGE,0,false); + ar5.add_auth(AuthRequest::HOST,4,-1,AuthRequest::MANAGE,0,false); CPPUNIT_ASSERT(ar5.plain_authorize() == true); - ar6.add_auth(AuthRequest::HOST,4,0,AuthRequest::CREATE,0,false); + ar6.add_auth(AuthRequest::HOST,4,-1,AuthRequest::CREATE,0,false); CPPUNIT_ASSERT(ar6.plain_authorize() == true); } From 6a970223574d5eae2f1273e7268cae52972fbe85 Mon Sep 17 00:00:00 2001 From: Jaime Melis Date: Tue, 5 Jul 2011 15:31:25 +0200 Subject: [PATCH 5/5] feature #573: Add support for groups and define a default policy --- src/sunstone/etc/sunstone-plugins.yaml | 12 ++++++++---- src/sunstone/models/SunstonePlugins.rb | 21 +++++++++++++++------ src/sunstone/models/SunstoneServer.rb | 8 ++++++-- src/sunstone/sunstone-server.rb | 16 +++++++++------- 4 files changed, 38 insertions(+), 19 deletions(-) diff --git a/src/sunstone/etc/sunstone-plugins.yaml b/src/sunstone/etc/sunstone-plugins.yaml index 05b6eb0aed..133556742c 100644 --- a/src/sunstone/etc/sunstone-plugins.yaml +++ b/src/sunstone/etc/sunstone-plugins.yaml @@ -1,16 +1,19 @@ --- - plugins/dashboard-tab.js: - :ALL: true + :ALL: false :user: :group: + oneadmin: true - plugins/hosts-tab.js: - :ALL: true + :ALL: false :user: :group: + oneadmin: true - plugins/groups-tab.js: - :ALL: true + :ALL: false :user: :group: + oneadmin: true - plugins/templates-tab.js: :ALL: true :user: @@ -28,6 +31,7 @@ :user: :group: - plugins/users-tab.js: - :ALL: true + :ALL: false :user: :group: + oneadmin: true diff --git a/src/sunstone/models/SunstonePlugins.rb b/src/sunstone/models/SunstonePlugins.rb index e9246437f2..63b08e550b 100644 --- a/src/sunstone/models/SunstonePlugins.rb +++ b/src/sunstone/models/SunstonePlugins.rb 
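Review bot: Replacing `empty_set` with `gid_set` in every AuthRequest removes the only coverage of a user with no group membership, so the path where a group-scoped rule must not match is no longer exercised; keep one request built from an empty set, e.g. `set<int> empty_set;` and `AuthRequest ar7(2, empty_set);`, and assert the expected denial. The `-1` now passed as the group argument in the CREATE and HOST requests is unexplained in the test; a one-line comment stating what it denotes (presumably an object that does not exist yet and therefore has no group) would make the expectations reviewable. The declaration renders here as `set gid_set;` — the element type looks lost in extraction, assumed `set<int>` from the AuthRequest constructor calls.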
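Review bot: Flipping `:ALL: true` to `:ALL: false` and adding `oneadmin: true` (read here as an entry under `:group:`) for the dashboard, hosts and groups tabs — and likewise for users-tab in the second hunk — makes those plugins deny-by-default, but nothing in the file states the lookup order that makes this work. A header comment such as `# Precedence: explicit :user entry, then :group entry, then :ALL` would keep the policy editable without reading SunstonePlugins.rb. This file only decides which plugin scripts are served to a session; the operations behind those tabs are still only as restricted as the server-side ACL rules, so the comment should describe this as a UI default rather than an access control.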
@@ -69,19 +69,28 @@ class SunstonePlugins @installed_plugins.include? plugin end - def authorized_plugins(user,group=nil) + def authorized_plugins(user, group) auth_plugins = {"user-plugins"=>Array.new, "plugins"=>Array.new} @plugins_conf.each do |plugin_conf| plugin = plugin_conf.keys.first - perms = plugin_conf[plugin] + perms = plugin_conf[plugin] + if installed?(plugin) p_path, p_name = plugin.split('/') - if perms[:user] and perms[:user][user] - auth_plugins[p_path] << p_name - elsif perms[:group] and perms[:group][group] - auth_plugins[p_path] << p_name + if perms[:user] and perms[:user].has_key? user + if perms[:user][user] + auth_plugins[p_path] << p_name + else + next + end + elsif perms[:group] and perms[:group].has_key? group + if perms[:group][group] + auth_plugins[p_path] << p_name + else + next + end elsif perms[:ALL] auth_plugins[p_path] << p_name end diff --git a/src/sunstone/models/SunstoneServer.rb b/src/sunstone/models/SunstoneServer.rb index d654f50649..0ed284f9a7 100644 --- a/src/sunstone/models/SunstoneServer.rb +++ b/src/sunstone/models/SunstoneServer.rb @@ -41,9 +41,13 @@ class SunstoneServer return [500, false] end - user_pass = user_pool["USER[NAME=\"#{user}\"]/PASSWORD"] + user_pass = user_pool["USER[NAME=\"#{user}\"]/PASSWORD"] + user_id = user_pool["USER[NAME=\"#{user}\"]/ID"] + user_gid = user_pool["USER[NAME=\"#{user}\"]/GID"] + user_gname = user_pool["USER[NAME=\"#{user}\"]/GNAME"] + if user_pass == sha1_pass - return [204, user_pool["USER[NAME=\"#{user}\"]/ID"]] + return [204, [user_id, user_gid, user_gname]] else return [401, nil] end diff --git a/src/sunstone/sunstone-server.rb b/src/sunstone/sunstone-server.rb index 96a15d8a03..5c63fc18ac 100755 --- a/src/sunstone/sunstone-server.rb +++ b/src/sunstone/sunstone-server.rb 
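Review bot: The `else next end` branches added under both the user and group checks look redundant: if nothing follows the if chain inside the loop body (the `each` block closes outside the hunk, so this is inferred), an explicit `false` simply falls through, and `auth_plugins[p_path] << p_name if perms[:user][user]` would express each branch in one line. More important, the precedence the chain now implements — an explicit user entry overrides the group entry, which overrides `:ALL`, and an explicit `false` at a higher level denies even when a lower level would grant — is the point of the change and deserves a comment above it, e.g. `# First level with an entry wins: user, then group, then :ALL; an explicit false denies`. Dropping the default `group=nil` means every caller must now pass the group; the one call in sunstone-server.rb is updated in this series.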
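Review bot: The login name is interpolated unescaped into four XPath predicates of the form `USER[NAME=\"#{user}\"]/…`; the pattern predates this commit, but the hunk triples its use, and a name containing a double quote breaks the expression, so the outcome of authorize should not depend on the characters in the name. Select the USER element once, with the name validated or escaped before it is embedded, and read ID, GID and GNAME from that single node; that also removes the three repeated pool lookups. The new return `[204, [user_id, user_gid, user_gname]]` changes the shape of `rc[1]` for every caller, which should be documented on authorize (the method's header is outside the hunk).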
@@ -15,7 +15,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # # See the License for the specific language governing permissions and # # limitations under the License. # -#--------------------------------------------------------------------------- # +#--------------------------------------------------------------------------- # ONE_LOCATION = ENV["ONE_LOCATION"] @@ -76,11 +76,13 @@ helpers do rc = SunstoneServer.authorize(user, sha1_pass) if rc[1] - session[:user] = user - session[:user_id] = rc[1] - session[:password] = sha1_pass - session[:ip] = request.ip - session[:remember] = params[:remember] + session[:user] = user + session[:user_id] = rc[1][0] + session[:user_gid] = rc[1][1] + session[:user_gname] = rc[1][2] + session[:password] = sha1_pass + session[:ip] = request.ip + session[:remember] = params[:remember] if params[:remember] env['rack.session.options'][:expire_after] = 30*60*60*24 @@ -137,7 +139,7 @@ get '/' do :expires=>time) p = SunstonePlugins.new - @plugins = p.authorized_plugins(session[:user]) + @plugins = p.authorized_plugins(session[:user], session[:user_gname]) erb :index end
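Review bot: The group name is captured into `session[:user_gname]` once at login and, per the `get '/'` hunk, later drives plugin authorization, so a user whose group changes keeps the old tab set until re-login; if that staleness is acceptable, say so next to the assignment, e.g. `# gname is fixed for the session; group changes apply at next login`, otherwise re-read it per request. The `if rc[1]` guard still works only because authorize returns `[401, nil]` on failure (visible in the SunstoneServer.rb hunk of this patch); a comment stating that `rc[1]` is the `[id, gid, gname]` triple on success would make `rc[1][0]`…`rc[1][2]` readable. The @@ -15 hunk is a whitespace-only change to the license banner.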