From fef8cdbf0877808fd57265c737b1beb9336251da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn?= Date: Mon, 2 Jan 2012 21:17:20 +0100 Subject: [PATCH] Rename Permissions class to PoolObjectAuth and move it to its own .h file --- include/AclManager.h | 2 +- include/AuthManager.h | 16 +-- include/PoolObjectAuth.h | 147 +++++++++++++++++++++++++ include/PoolObjectSQL.h | 64 +---------- include/Request.h | 1 + src/acl/AclManager.cc | 80 ++------------ src/authm/AuthManager.cc | 10 +- src/authm/test/AuthManagerTest.cc | 7 +- src/image/ImagePool.cc | 10 +- src/pool/PoolObjectSQL.cc | 6 +- src/rm/Request.cc | 2 +- src/rm/RequestManagerAllocate.cc | 4 +- src/rm/RequestManagerVMTemplate.cc | 2 +- src/rm/RequestManagerVirtualMachine.cc | 6 +- src/scheduler/src/sched/Scheduler.cc | 4 +- src/vnm/VirtualNetworkPool.cc | 10 +- 16 files changed, 205 insertions(+), 166 deletions(-) create mode 100644 include/PoolObjectAuth.h diff --git a/include/AclManager.h b/include/AclManager.h index 72485f93d5..95f44e26b0 100644 --- a/include/AclManager.h +++ b/include/AclManager.h @@ -63,7 +63,7 @@ public: const bool authorize(int uid, int gid, AuthRequest::Object obj_type, - Permissions * obj_perms, + PoolObjectAuth * obj_perms, AuthRequest::Operation op); /** diff --git a/include/AuthManager.h b/include/AuthManager.h index 394f48cc79..0ae2923640 100644 --- a/include/AuthManager.h +++ b/include/AuthManager.h @@ -29,7 +29,7 @@ using namespace std; //Forward definitions class AuthRequest; -class Permissions; +class PoolObjectAuth; /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -353,9 +353,9 @@ public: * @param op the operation to be authorized * @param ob_perms object's permission attributes */ - void add_auth(Object ob, - Operation op, - Permissions* ob_perms) + void add_auth(Object ob, + Operation op, + PoolObjectAuth * ob_perms) { add_auth(ob, op, ob_perms, ""); } @@ -372,10 +372,10 @@ public: * @param ob_template new object's template. If it is empty, * it will be ignored */ - void add_auth(Object ob, - Operation op, - Permissions* ob_perms, - string ob_template); + void add_auth(Object ob, + Operation op, + PoolObjectAuth * ob_perms, + string ob_template); /** * Gets the authorization requests in a single string diff --git a/include/PoolObjectAuth.h b/include/PoolObjectAuth.h new file mode 100644 index 0000000000..92d171e806 --- /dev/null +++ b/include/PoolObjectAuth.h @@ -0,0 +1,147 @@ +/* -------------------------------------------------------------------------- */ +/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) */ +/* */ +/* Licensed under the Apache License, Version 2.0 (the "License"); you may */ +/* not use this file except in compliance with the License. You may obtain */ +/* a copy of the License at */ +/* */ +/* http://www.apache.org/licenses/LICENSE-2.0 */ +/* */ +/* Unless required by applicable law or agreed to in writing, software */ +/* distributed under the License is distributed on an "AS IS" BASIS, */ +/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */ +/* See the License for the specific language governing permissions and */ +/* limitations under the License. */ +/* -------------------------------------------------------------------------- */ + +#ifndef POOL_OBJECT_AUTH_H_ +#define POOL_OBJECT_AUTH_H_ + +#include "PoolObjectSQL.h" +#include "AuthManager.h" +#include "AclRule.h" + +class PoolObjectAuth +{ +public: + PoolObjectAuth(PoolObjectSQL* obj) + { + oid = obj->oid; + uid = obj->uid; + gid = obj->gid; + + owner_u = obj->owner_u; + owner_m = obj->owner_m; + owner_a = obj->owner_a; + + group_u = obj->group_u; + group_m = obj->group_m; + group_a = obj->group_a; + + other_u = obj->other_u; + other_m = obj->other_m; + other_a = obj->other_a; + }; + + PoolObjectAuth(): + oid(-1), + uid(-1), + gid(-1), + owner_u(1), + owner_m(1), + owner_a(0), + group_u(0), + group_m(0), + group_a(0), + other_u(0), + other_m(0), + other_a(0) + {}; + + void get_acl_rules( AclRule* owner_rule, + AclRule* group_rule, + AclRule* other_rule) + { + long long perm_user, perm_resource, perm_rights; + + perm_resource = obj_type | AclRule::INDIVIDUAL_ID | oid; + + // Rule "#uid ob_type/#oid user_rights" + + perm_user = AclRule::INDIVIDUAL_ID | uid; + perm_rights = 0; + if ( owner_u == 1 ) + { + perm_rights = perm_rights | AuthRequest::USE; + } + if ( owner_m == 1 ) + { + perm_rights = perm_rights | AuthRequest::MANAGE; + } + if ( owner_a == 1 ) + { + perm_rights = perm_rights | AuthRequest::ADMIN; + } + + owner_rule = new AclRule(0, perm_user, perm_resource, perm_rights); + + + // Rule "@gid ob_type/#oid group_rights" + perm_user = AclRule::GROUP_ID | gid; + perm_rights = 0; + + if ( group_u == 1 ) + { + perm_rights = perm_rights | AuthRequest::USE; + } + if ( group_m == 1 ) + { + perm_rights = perm_rights | AuthRequest::MANAGE; + } + if ( group_a == 1 ) + { + perm_rights = perm_rights | AuthRequest::ADMIN; + } + + group_rule = new AclRule(0, perm_user, perm_resource, perm_rights); + + // Rule "* ob_type/#oid others_rights" + perm_user = AclRule::ALL_ID; + perm_rights = 0; + + if ( other_u == 1 ) + { + perm_rights = perm_rights | AuthRequest::USE; + } + if ( other_m == 1 ) + { + perm_rights = perm_rights | AuthRequest::MANAGE; + } + if ( other_a == 1 ) + { + perm_rights = perm_rights | AuthRequest::ADMIN; + } + + other_rule = new AclRule(0, perm_user, perm_resource, perm_rights); + }; + + AuthRequest::Object obj_type; + + int oid; + int uid; + int gid; + + int owner_u; + int owner_m; + int owner_a; + + int group_u; + int group_m; + int group_a; + + int other_u; + int other_m; + int other_a; +}; + +#endif /*POOL_OBJECT_AUTH_H_*/ diff --git a/include/PoolObjectSQL.h b/include/PoolObjectSQL.h index cb29405a56..d02dd5703c 100644 --- a/include/PoolObjectSQL.h +++ b/include/PoolObjectSQL.h @@ -20,13 +20,13 @@ #include "ObjectSQL.h" #include "ObjectXML.h" #include "Template.h" -#include "AclRule.h" + #include #include using namespace std; -class Permissions; +class PoolObjectAuth; /** * PoolObject class. Provides a SQL backend interface for Pool components. Each @@ -313,7 +313,7 @@ public: // Permissions // ------------------------------------------------------------------------ - Permissions* get_permissions(); + PoolObjectAuth* get_permissions(); protected: @@ -462,7 +462,7 @@ private: */ friend class PoolSQL; - friend class Permissions; + friend class PoolObjectAuth; /** * The mutex for the PoolObject. This implementation assumes that the mutex @@ -481,60 +481,4 @@ private: static const char * error_attribute_name; }; -class Permissions -{ -public: - Permissions(PoolObjectSQL* obj) - { - oid = obj->oid; - uid = obj->uid; - gid = obj->gid; - - owner_u = obj->owner_u; - owner_m = obj->owner_m; - owner_a = obj->owner_a; - - group_u = obj->group_u; - group_m = obj->group_m; - group_a = obj->group_a; - - other_u = obj->other_u; - other_m = obj->other_m; - other_a = obj->other_a; - }; - - Permissions(): - oid(-1), - uid(-1), - gid(-1), - owner_u(1), - owner_m(1), - owner_a(0), - group_u(0), - group_m(0), - group_a(0), - other_u(0), - other_m(0), - other_a(0) - {}; - -// AuthRequest::Object obj_type; - - int oid; - int uid; - int gid; - - int owner_u; - int owner_m; - int owner_a; - - int group_u; - int group_m; - int group_a; - - int other_u; - int other_m; - int other_a; -}; - #endif /*POOL_OBJECT_SQL_H_*/ diff --git a/include/Request.h b/include/Request.h index 6c737a5f94..d2d3c0cfae 100644 --- a/include/Request.h +++ b/include/Request.h @@ -22,6 +22,7 @@ #include "RequestManager.h" #include "AuthManager.h" +#include "PoolObjectAuth.h" using namespace std; diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc index bdf6f22b28..7935557700 100644 --- a/src/acl/AclManager.cc +++ b/src/acl/AclManager.cc @@ -18,7 +18,7 @@ #include "AclManager.h" #include "NebulaLog.h" -#include "PoolObjectSQL.h" +#include "PoolObjectAuth.h" /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -120,7 +120,7 @@ const bool AclManager::authorize( int uid, int gid, AuthRequest::Object obj_type, - Permissions * obj_perms, + PoolObjectAuth * obj_perms, AuthRequest::Operation op) { ostringstream oss; @@ -188,78 +188,18 @@ const bool AclManager::authorize( // --------------------------------------------------- // Create temporary rules from the object permissions // --------------------------------------------------- + + AclRule * owner_rule = 0; + AclRule * group_rule = 0; + AclRule * other_rule = 0; multimap tmp_rules; - if ( obj_perms->oid >= 0 ) // If oid is -1, this is a new obj. creation - { - long long perm_user, perm_resource, perm_rights; - AclRule * tmp_rule; + obj_perms->get_acl_rules(owner_rule, group_rule, other_rule); - perm_resource = obj_type | AclRule::INDIVIDUAL_ID | obj_perms->oid; + tmp_rules.insert( make_pair(owner_rule->user, owner_rule) ); + tmp_rules.insert( make_pair(group_rule->user, group_rule) ); + tmp_rules.insert( make_pair(other_rule->user, other_rule) ); - // Rule "#uid ob_type/#oid user_rights" - - perm_user = AclRule::INDIVIDUAL_ID | obj_perms->uid; - perm_rights = 0; - if ( obj_perms->owner_u == 1 ) - { - perm_rights = perm_rights | AuthRequest::USE; - } - if ( obj_perms->owner_m == 1 ) - { - perm_rights = perm_rights | AuthRequest::MANAGE; - } - if ( obj_perms->owner_a == 1 ) - { - perm_rights = perm_rights | AuthRequest::ADMIN; - } - - tmp_rule = new AclRule(0, perm_user, perm_resource, perm_rights); - - tmp_rules.insert( make_pair(tmp_rule->user, tmp_rule) ); - - // Rule "@gid ob_type/#oid group_rights" - perm_user = AclRule::GROUP_ID | obj_perms->gid; - perm_rights = 0; - - if ( obj_perms->group_u == 1 ) - { - perm_rights = perm_rights | AuthRequest::USE; - } - if ( obj_perms->group_m == 1 ) - { - perm_rights = perm_rights | AuthRequest::MANAGE; - } - if ( obj_perms->group_a == 1 ) - { - perm_rights = perm_rights | AuthRequest::ADMIN; - } - - tmp_rule = new AclRule(0, perm_user, perm_resource, perm_rights); - - tmp_rules.insert( make_pair(tmp_rule->user, tmp_rule) ); - - // Rule "* ob_type/#oid others_rights" - perm_user = AclRule::ALL_ID; - perm_rights = 0; - - if ( obj_perms->other_u == 1 ) - { - perm_rights = perm_rights | AuthRequest::USE; - } - if ( obj_perms->other_m == 1 ) - { - perm_rights = perm_rights | AuthRequest::MANAGE; - } - if ( obj_perms->other_a == 1 ) - { - perm_rights = perm_rights | AuthRequest::ADMIN; - } - - tmp_rule = new AclRule(0, perm_user, perm_resource, perm_rights); - - tmp_rules.insert( make_pair(tmp_rule->user, tmp_rule) ); - } // --------------------------------------------------- // Look for rules that apply to everyone // --------------------------------------------------- diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc index 918990c0ee..199a95ebad 100644 --- a/src/authm/AuthManager.cc +++ b/src/authm/AuthManager.cc @@ -17,7 +17,7 @@ #include "AuthManager.h" #include "NebulaLog.h" #include "SSLTools.h" -#include "PoolObjectSQL.h" +#include "PoolObjectAuth.h" #include "Nebula.h" /* -------------------------------------------------------------------------- */ @@ -30,10 +30,10 @@ const char * AuthManager::auth_driver_name = "auth_exe"; /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ -void AuthRequest::add_auth(Object ob, - Operation op, - Permissions* ob_perms, - string ob_template) +void AuthRequest::add_auth(Object ob, + Operation op, + PoolObjectAuth * ob_perms, + string ob_template) { // TODO: object's public flag is not used, it will disappear bool pub = false; diff --git a/src/authm/test/AuthManagerTest.cc b/src/authm/test/AuthManagerTest.cc index 3b577a82cd..8921bd6d8c 100644 --- a/src/authm/test/AuthManagerTest.cc +++ b/src/authm/test/AuthManagerTest.cc @@ -26,6 +26,7 @@ #include "AuthManager.h" #include "Template.h" #include "NebulaLog.h" +#include "PoolObjectAuth.h" #include #include @@ -184,7 +185,7 @@ public: "NET:4:MANAGE:5:1:0 " "HOST:6:MANAGE:7:1:0 0"; - Permissions perm; + PoolObjectAuth perm; perm.gid = 0; perm.uid = -1; @@ -300,7 +301,7 @@ public: AuthRequest ar5(0, 1); AuthRequest ar6(0, 1); - Permissions perm; + PoolObjectAuth perm; perm.oid = -1; perm.gid = -1; @@ -320,7 +321,7 @@ public: CPPUNIT_ASSERT(ar.core_authorize() == true); - perm = Permissions(); + perm = PoolObjectAuth(); perm.oid = -1; perm.gid = -1; diff --git a/src/image/ImagePool.cc b/src/image/ImagePool.cc index 0b0aef86c6..6f1570c1ab 100644 --- a/src/image/ImagePool.cc +++ b/src/image/ImagePool.cc @@ -21,6 +21,7 @@ #include "ImagePool.h" #include "AuthManager.h" #include "Nebula.h" +#include "PoolObjectAuth.h" /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -293,8 +294,9 @@ int ImagePool::disk_attribute(VectorAttribute * disk, void ImagePool::authorize_disk(VectorAttribute * disk,int uid, AuthRequest * ar) { - string source; - Image * img = 0; + string source; + Image * img = 0; + PoolObjectAuth * perm = 0; if (!(source = disk->vector_value("IMAGE")).empty()) { @@ -324,10 +326,10 @@ void ImagePool::authorize_disk(VectorAttribute * disk,int uid, AuthRequest * ar) return; } - Permissions* perm = img->get_permissions(); + perm = img->get_permissions(); + img->unlock(); ar->add_auth(AuthRequest::IMAGE, AuthRequest::USE, perm); - img->unlock(); delete perm; } diff --git a/src/pool/PoolObjectSQL.cc b/src/pool/PoolObjectSQL.cc index e83ae5f6d9..4764969df7 100644 --- a/src/pool/PoolObjectSQL.cc +++ b/src/pool/PoolObjectSQL.cc @@ -15,7 +15,7 @@ /* -------------------------------------------------------------------------- */ #include "PoolObjectSQL.h" -#include "AuthManager.h" +#include "PoolObjectAuth.h" #include "SSLTools.h" /* -------------------------------------------------------------------------- */ @@ -246,9 +246,9 @@ int PoolObjectSQL::perms_from_xml() /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ -Permissions* PoolObjectSQL::get_permissions() +PoolObjectAuth* PoolObjectSQL::get_permissions() { - return new Permissions(this); + return new PoolObjectAuth(this); } /* -------------------------------------------------------------------------- */ diff --git a/src/rm/Request.cc b/src/rm/Request.cc index 9ce59d19be..7e338508df 100644 --- a/src/rm/Request.cc +++ b/src/rm/Request.cc @@ -57,7 +57,7 @@ bool Request::basic_authorization(int oid, RequestAttributes& att) { PoolObjectSQL * object; - Permissions * perms = 0; + PoolObjectAuth * perms = 0; if ( att.uid == 0 ) { diff --git a/src/rm/RequestManagerAllocate.cc b/src/rm/RequestManagerAllocate.cc index e382f0bbf2..c6acc12bcd 100644 --- a/src/rm/RequestManagerAllocate.cc +++ b/src/rm/RequestManagerAllocate.cc @@ -31,7 +31,7 @@ bool RequestManagerAllocate::allocate_authorization(Template * tmpl, return true; } - Permissions * perms = new Permissions(); + PoolObjectAuth * perms = new PoolObjectAuth(); perms->uid = att.uid; AuthRequest ar(att.uid, att.gid); @@ -71,7 +71,7 @@ bool VirtualMachineAllocate::allocate_authorization(Template * tmpl, return true; } - Permissions * perms = new Permissions; + PoolObjectAuth * perms = new PoolObjectAuth; perms->uid = att.uid; AuthRequest ar(att.uid, att.gid); diff --git a/src/rm/RequestManagerVMTemplate.cc b/src/rm/RequestManagerVMTemplate.cc index 645d6e3637..149f5437c4 100644 --- a/src/rm/RequestManagerVMTemplate.cc +++ b/src/rm/RequestManagerVMTemplate.cc @@ -28,7 +28,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList int rc, vid; - Permissions * perms; + PoolObjectAuth * perms; Nebula& nd = Nebula::instance(); VirtualMachinePool* vmpool = nd.get_vmpool(); diff --git a/src/rm/RequestManagerVirtualMachine.cc b/src/rm/RequestManagerVirtualMachine.cc index 2839bdfbf3..ed6901177c 100644 --- a/src/rm/RequestManagerVirtualMachine.cc +++ b/src/rm/RequestManagerVirtualMachine.cc @@ -26,7 +26,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid, RequestAttributes& att) { PoolObjectSQL * object; - Permissions * vm_perms; + PoolObjectAuth * vm_perms; if ( att.uid == 0 ) { @@ -56,7 +56,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid, if (hid != -1) { - Permissions * host_perm = new Permissions(); + PoolObjectAuth * host_perm = new PoolObjectAuth(); host_perm->oid = hid; ar.add_auth(AuthRequest::HOST, AuthRequest::MANAGE, host_perm); @@ -65,7 +65,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid, } else if (tmpl != 0) { - Permissions * image_perm; + PoolObjectAuth * image_perm = new PoolObjectAuth(); image_perm->uid = att.uid; string t64; diff --git a/src/scheduler/src/sched/Scheduler.cc b/src/scheduler/src/sched/Scheduler.cc index 08c654e4b1..84152bee4b 100644 --- a/src/scheduler/src/sched/Scheduler.cc +++ b/src/scheduler/src/sched/Scheduler.cc @@ -32,7 +32,7 @@ #include "Scheduler.h" #include "RankPolicy.h" #include "NebulaLog.h" -#include "PoolObjectSQL.h" +#include "PoolObjectAuth.h" using namespace std; @@ -344,7 +344,7 @@ void Scheduler::match() } else { - Permissions * host_perms = new Permissions(); + PoolObjectAuth * host_perms = new PoolObjectAuth(); host_perms->oid = host->get_hid(); matched = acls->authorize(uid, diff --git a/src/vnm/VirtualNetworkPool.cc b/src/vnm/VirtualNetworkPool.cc index ed1ad0923b..e2e1b51097 100644 --- a/src/vnm/VirtualNetworkPool.cc +++ b/src/vnm/VirtualNetworkPool.cc @@ -18,7 +18,7 @@ #include "UserPool.h" #include "NebulaLog.h" #include "Nebula.h" - +#include "PoolObjectAuth.h" #include "AuthManager.h" #include #include @@ -246,6 +246,7 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic, { string network; VirtualNetwork * vnet = 0; + PoolObjectAuth * perm = 0; if (!(network = nic->vector_value("NETWORK")).empty()) { @@ -265,7 +266,10 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic, return; } - ar->add_auth(AuthRequest::NET, AuthRequest::USE, vnet->get_permissions()); - + perm = vnet->get_permissions(); vnet->unlock(); + + ar->add_auth(AuthRequest::NET, AuthRequest::USE, perm); + + delete perm; }