Revision 0659115f

View differences:

include/AuthManager.h
276 276
     */
277 277
    enum Operation
278 278
    {
279
        CREATE, /** Authorization to create an object (host, vm, net, image)*/
280
        DELETE, /** Authorization to delete an object */
281
        USE,    /** Authorization to use an object */
282
        MANAGE  /** Authorization to manage an object */
279
        CREATE,  /** Authorization to create an object (host, vm, net, image)*/
280
        DELETE,  /** Authorization to delete an object */
281
        USE,     /** Authorization to use an object */
282
        MANAGE,  /** Authorization to manage an object */
283
        INFO     /** Authorization to view an object */
283 284
    };
284 285

  
285 286
    /**
......
291 292
        HOST,
292 293
        NET,
293 294
        IMAGE,
294
        USER
295
        USER,
296
        CLUSTER
295 297
    };
296 298

  
297 299
    /**
src/authm/AuthManager.cc
80 80

  
81 81
    switch (ob)
82 82
    {
83
        case VM:    oss << "VM:" ; break;
84
        case HOST:  oss << "HOST:" ; break;
85
        case NET:   oss << "NET:" ; break;
86
        case IMAGE: oss << "IMAGE:" ; break;
87
        case USER:  oss << "USER:" ; break;
83
        case VM:       oss << "VM:" ; break;
84
        case HOST:     oss << "HOST:" ; break;
85
        case NET:      oss << "NET:" ; break;
86
        case IMAGE:    oss << "IMAGE:" ; break;
87
        case USER:     oss << "USER:" ; break;
88
        case CLUSTER:  oss << "CLUSTER:" ; break;
88 89
    }
89 90

  
90 91
    if (op == CREATE) //encode the ob_id, it is a template
......
123 124
        case MANAGE:
124 125
            oss << "MANAGE:" ;
125 126
            break;
127
            
128
        case INFO:
129
            oss << "INFO:" ;
130
            break;
126 131
    }
127 132

  
128 133
    oss << owner << ":" << pub;
......
166 171
            case MANAGE:
167 172
                auth = owner == uid;
168 173
                break;
174
                
175
            case INFO: // This is for completeness, as the only INFO existing 
176
                       // is for UserPool, and just oneadmin can see it
177
                break;
169 178
        }
170 179
    }
171 180

  
src/rm/RequestManagerClusterAdd.cc
61 61
    if ( rc != 0 ) // rc == 0 means oneadmin
62 62
    {
63 63
        AuthRequest ar(rc);
64

  
64
        
65 65
        ar.add_auth(AuthRequest::HOST,hid,AuthRequest::MANAGE,0,false);
66
        ar.add_auth(AuthRequest::CLUSTER,clid,AuthRequest::USE,0,false);
66 67

  
67 68
        if (UserPool::authorize(ar) == -1)
68 69
        {
......
107 108
    goto error_common;
108 109

  
109 110
error_authorize:
110
    oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, hid));
111
    oss.str(authorization_error(method_name, "USE", "CLUSTER", rc, clid));
111 112
    goto error_common;
112 113

  
113 114
error_host_get:
......
116 117

  
117 118
error_cluster_add:
118 119
    host->unlock();
119
    oss.str(action_error(method_name, "MANAGE", "HOST", hid, rc));
120
    oss.str(action_error(method_name, "USE", "CLUSTER", clid, rc));
120 121
    goto error_common;
121 122

  
122 123
error_common:
src/rm/RequestManagerClusterAllocate.cc
59 59
    {
60 60
        AuthRequest ar(rc);
61 61

  
62
        ar.add_auth(AuthRequest::HOST,-1,AuthRequest::MANAGE,0,false);
62
        ar.add_auth(AuthRequest::CLUSTER,-1,AuthRequest::CREATE,0,false);
63 63

  
64 64
        if (UserPool::authorize(ar) == -1)
65 65
        {
......
91 91
    goto error_common;
92 92

  
93 93
error_authorize:
94
    oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, -1));
94
    oss.str(authorization_error(method_name, "CREATE", "CLUSTER", rc, -1));
95 95
    goto error_common;
96 96

  
97 97
error_cluster_allocate:
src/rm/RequestManagerClusterDelete.cc
58 58
    {
59 59
        AuthRequest ar(rc);
60 60

  
61
        ar.add_auth(AuthRequest::HOST,-1,AuthRequest::MANAGE,0,false);
61
        ar.add_auth(AuthRequest::CLUSTER,clid,AuthRequest::DELETE,0,false);
62 62

  
63 63
        if (UserPool::authorize(ar) == -1)
64 64
        {
......
89 89
    goto error_common;
90 90

  
91 91
error_authorize:
92
    oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, -1));
92
    oss.str(authorization_error(method_name, "DELETE", "CLUSTER", rc, clid));
93 93
    goto error_common;
94 94

  
95 95
error_cluster_delete:
src/rm/RequestManagerHostInfo.cc
24 24
    xmlrpc_c::paramList const& paramList,
25 25
    xmlrpc_c::value *   const  retval)
26 26
{
27
    string  session;
28

  
29
    int     hid;
30
    int     rc;
31
    Host *  host;
27
    string        session;
28
                  
29
    int           hid;
30
    int           rc;
31
    Host *        host;
32 32

  
33 33
    ostringstream oss;
34 34
    
src/rm/RequestManagerImageAllocate.cc
51 51

  
52 52

  
53 53
    // First, we need to authenticate the user
54
    rc = ImageAllocate::upool->authenticate(session);
54
    uid = ImageAllocate::upool->authenticate(session);
55 55

  
56
    if ( rc == -1 )
56
    if ( uid == -1 )
57 57
    {
58 58
        goto error_authenticate;
59 59
    }
60 60
    
61
    uid = rc;
62
    
63 61
    rc = ImageAllocate::ipool->allocate(uid,image_template,&iid);
64 62

  
65 63
    if ( rc < 0 )
src/rm/RequestManagerImageDelete.cc
33 33
    int                 iid;
34 34
    int                 uid;
35 35
    int                 rc;
36
    
37
    int                 image_owner;
38
    bool                is_public;
36 39

  
37 40
    Image             * image;
38 41

  
......
51 54

  
52 55

  
53 56
    // First, we need to authenticate the user
54
    rc = ImageDelete::upool->authenticate(session);
57
    uid = ImageDelete::upool->authenticate(session);
55 58

  
56
    if ( rc == -1 )
59
    if ( uid == -1 )
57 60
    {
58 61
        goto error_authenticate;
59 62
    }
63
    
64
    // Get image from the ImagePool
65
    image = ImageDelete::ipool->get(iid,true);
60 66

  
61
    uid = rc;
67
    if ( image == 0 )
68
    {
69
        goto error_image_get;
70
    }
71
    
72
    image_owner = image->get_uid();
73
    is_public   = image->isPublic();
74
    
75
    image->unlock();
62 76
    
63 77
    //Authorize the operation
64 78
    if ( uid != 0 ) // uid == 0 means oneadmin
65 79
    {
66 80
        AuthRequest ar(uid);
67 81

  
68
        ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::DELETE,0,false);
82
        ar.add_auth(AuthRequest::IMAGE,
83
                    iid,
84
                    AuthRequest::DELETE,
85
                    image_owner,
86
                    is_public);
69 87

  
70 88
        if (UserPool::authorize(ar) == -1)
71 89
        {
src/rm/RequestManagerImageEnable.cc
35 35
    int                 uid;
36 36
    int                 rc;
37 37
    
38
    int                 image_owner;
39
    bool                is_public;
40
    
38 41
    Image             * image;
39 42

  
40 43
    ostringstream       oss;
......
52 55
    enable_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2));
53 56

  
54 57
    // First, we need to authenticate the user
55
    rc = ImageEnable::upool->authenticate(session);
58
    uid = ImageEnable::upool->authenticate(session);
56 59

  
57
    if ( rc == -1 )
60
    if ( uid == -1 )
58 61
    {
59 62
        goto error_authenticate;
60 63
    }
61 64
    
62
    uid = rc;
65
    // Get image from the ImagePool
66
    image = ImageEnable::ipool->get(iid,true);    
67
                                                 
68
    if ( image == 0 )                             
69
    {                                            
70
        goto error_image_get;                     
71
    }
72
    
73
    image_owner = image->get_uid();
74
    is_public   = image->isPublic();
75
    
76
    image->unlock();
63 77
    
64 78
    //Authorize the operation
65 79
    if ( uid != 0 ) // uid == 0 means oneadmin
66 80
    {
67 81
        AuthRequest ar(uid);
68 82

  
69
        ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::MANAGE,0,false);
83
        ar.add_auth(AuthRequest::IMAGE,
84
                    iid,
85
                    AuthRequest::MANAGE,
86
                    image_owner,
87
                    is_public);
70 88

  
71 89
        if (UserPool::authorize(ar) == -1)
72 90
        {
src/rm/RequestManagerImageInfo.cc
28 28
{
29 29
    string  session;
30 30

  
31
    int     iid;
32
    int     uid;     // Image owner user id
33
    int     rc;      // Requesting user id 
34
    Image * image;
35

  
31
    int           iid;
32
    int           uid;     // Image owner user id
33
    int           rc;      // Requesting user id 
34
    Image *       image;
35
                  
36 36
    ostringstream oss;
37 37
    
38
    const string        method_name = "ImageInfo";
38
    const string  method_name = "ImageInfo";
39 39

  
40 40
    /*   -- RPC specific vars --  */
41 41
    vector<xmlrpc_c::value> arrayData;
......
65 65
        goto error_authenticate;
66 66
    }
67 67
    
68
    //Authorize the operation
69
    if ( rc != 0 ) // rc == 0 means oneadmin
70
    {
71
        AuthRequest ar(rc);
72

  
73
        ar.add_auth(AuthRequest::IMAGE,
74
                    iid,
75
                    AuthRequest::USE,
76
                    0,
77
                    image->isPublic());
78

  
79
        if (UserPool::authorize(ar) == -1)
80
        {
81
            goto error_authorize;
82
        }
83
    }
84

  
85 68
    oss << *image;
86 69

  
87 70
    image->unlock();
......
107 90
    image->unlock();
108 91
    goto error_common;
109 92

  
110
error_authorize:
111
    oss.str(authorization_error(method_name, "USE", "IMAGE", rc, iid));
112
    image->unlock();
113
    goto error_common;
114

  
115 93
error_common:
116 94
    arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
117 95
    arrayData.push_back(xmlrpc_c::value_string(oss.str()));
src/rm/RequestManagerImagePoolInfo.cc
46 46
    filter_flag = xmlrpc_c::value_int(paramList.getInt(1));
47 47

  
48 48
    // Check if it is a valid user
49
    rc = ImagePoolInfo::upool->authenticate(session);
49
    uid = ImagePoolInfo::upool->authenticate(session);
50 50

  
51
    if ( rc == -1 )
51
    if ( uid == -1 )
52 52
    {
53 53
        goto error_authenticate;
54 54
    }
55

  
56
    uid = rc;
57 55
    
58 56
    where_string.str("");
59 57
    
......
70 68
    switch(filter_flag)
71 69
    {
72 70
        case -2:
73
            if ( uid != 0 )
74
            {
75
                goto error_authorization;
76
            }
71
            // TODO define authentication bug #278
77 72
            // where remains empty.
78 73
            break;
79 74
        case -1:
80 75
            where_string << "UID=" << uid << " OR public = 'YES'";
81 76
            break;
82 77
        default:
83
            // Only oneadmin or the user can list a specific user's images.
84
            if ( uid != 0 && uid != filter_flag )
85
            {
86
                goto error_authorization;
87
            }
88 78
            where_string << "UID=" << filter_flag;
89 79
    }
90 80

  
......
114 104
    oss.str(authenticate_error(method_name));    
115 105
    goto error_common;
116 106

  
117
error_authorization:
118
    oss.str(authorization_error(method_name, "USE", "IMAGE", uid, NULL));
119
    goto error_common;
120
    
121 107
error_filter_flag:
122 108
    oss << "Incorrect filter_flag, must be >= -2.";
123 109
    goto error_common;
src/rm/RequestManagerImagePublish.cc
33 33
    int                 iid;
34 34
    bool                publish_flag; 
35 35
    int                 uid;
36
    int                 rc;
36
    
37
    int                 image_owner;
38
    bool                is_public;
37 39
    
38 40
    Image             * image;
39 41

  
......
52 54
    publish_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2));
53 55

  
54 56
    // First, we need to authenticate the user
55
    rc = ImagePublish::upool->authenticate(session);
57
    uid = ImagePublish::upool->authenticate(session);
56 58

  
57
    if ( rc == -1 )
59
    if ( uid == -1 )
58 60
    {
59 61
        goto error_authenticate;
60 62
    }
61 63
    
62
    uid = rc;
64
    // Get image from the ImagePool
65
    image = ImagePublish::ipool->get(iid,true);    
66
                                                 
67
    if ( image == 0 )                             
68
    {                                            
69
        goto error_image_get;                     
70
    }
71
    
72
    image_owner = image->get_uid();
73
    is_public   = image->isPublic();
74
    
75
    image->unlock();
63 76
    
64 77
    //Authorize the operation
65 78
    if ( uid != 0 ) // uid == 0 means oneadmin
......
69 82
        ar.add_auth(AuthRequest::IMAGE,
70 83
                    iid,
71 84
                    AuthRequest::MANAGE,
72
                    0,
73
                    image->isPublic());
85
                    image_owner,
86
                    is_public);
74 87

  
75 88
        if (UserPool::authorize(ar) == -1)
76 89
        {
......
78 91
        }
79 92
    }
80 93
    
81
    // Get image from the ImagePool
82
    image = ImagePublish::ipool->get(iid,true);    
83
                                                 
94
    // Get the image locked again
95
    image = ImagePublish::ipool->get(iid,true);  
96
    
84 97
    if ( image == 0 )                             
85 98
    {                                            
86 99
        goto error_image_get;                     
87
    }
100
    } 
88 101
    
89 102
    image->publish(publish_flag);
90 103
    
src/rm/RequestManagerImageRemoveAttribute.cc
34 34
    int                 iid;
35 35
    int                 uid;
36 36
    int                 rc;
37
    
38
    int                 image_owner;
39
    bool                is_public;
37 40

  
38 41
    Image             * image;
39 42

  
......
52 55
    name     = xmlrpc_c::value_string(paramList.getString(2));
53 56

  
54 57
    // First, we need to authenticate the user
55
    rc = ImageRemoveAttribute::upool->authenticate(session);
58
    uid = ImageRemoveAttribute::upool->authenticate(session);
56 59

  
57
    if ( rc == -1 )
60
    if ( uid == -1 )
58 61
    {
59 62
        goto error_authenticate;
60 63
    }
64
    
65
    // Get image from the ImagePool
66
    image = ImageRemoveAttribute::ipool->get(iid,true);
61 67

  
62
    uid = rc;
68
    if ( image == 0 )
69
    {
70
        goto error_image_get;
71
    }
72
    
73
    image_owner = image->get_uid();
74
    is_public   = image->isPublic();
75
    
76
    image->unlock();
63 77
    
64 78
    //Authorize the operation
65 79
    if ( uid != 0 ) // uid == 0 means oneadmin
......
69 83
        ar.add_auth(AuthRequest::IMAGE,
70 84
                    iid,
71 85
                    AuthRequest::MANAGE,
72
                    0,
73
                    image->isPublic());
86
                    image_owner,
87
                    is_public);
74 88

  
75 89
        if (UserPool::authorize(ar) == -1)
76 90
        {
src/rm/RequestManagerImageUpdate.cc
35 35
    string              name;
36 36
    string              value;
37 37
    int                 rc;
38
    
39
    int                 image_owner;
40
    bool                is_public;
38 41

  
39 42
    Image             * image;
40 43

  
......
53 56
    value    = xmlrpc_c::value_string(paramList.getString(3));
54 57

  
55 58
    // First, we need to authenticate the user
56
    rc = ImageUpdate::upool->authenticate(session);
59
    uid = ImageUpdate::upool->authenticate(session);
57 60

  
58
    if ( rc == -1 )
61
    if ( uid == -1 )
59 62
    {
60 63
        goto error_authenticate;
61 64
    }
65
    
66
    // Get image from the ImagePool
67
    image = ImageUpdate::ipool->get(iid,true);
62 68

  
63
    uid = rc;
69
    if ( image == 0 )
70
    {
71
        goto error_image_get;
72
    }
73
    
74
    image_owner = image->get_uid();
75
    is_public   = image->isPublic();
76
    
77
    image->unlock();    
64 78
    
65 79
    //Authorize the operation
66 80
    if ( uid != 0 ) // uid == 0 means oneadmin
......
70 84
        ar.add_auth(AuthRequest::IMAGE,
71 85
                    iid,
72 86
                    AuthRequest::MANAGE,
73
                    0,
74
                    image->isPublic());
87
                    image_owner,
88
                    is_public);
75 89

  
76 90
        if (UserPool::authorize(ar) == -1)
77 91
        {
src/rm/RequestManagerUserPoolInfo.cc
17 17
#include "RequestManager.h"
18 18
#include "NebulaLog.h"
19 19

  
20
#include "AuthManager.h"
21

  
20 22
/* -------------------------------------------------------------------------- */
21 23
/* -------------------------------------------------------------------------- */
22 24

  
......
26 28
{ 
27 29
    string              session;
28 30

  
29
    int                 rc;     
31
    int                 rc; 
32
    int                 uid;    
30 33
    ostringstream       oss;
31 34
    
32 35
    const string        method_name = "UserPoolInfo";
......
41 44
    session      = xmlrpc_c::value_string(paramList.getString(0));
42 45

  
43 46
    // Only oneadmin can list the whole user pool
44
    rc = UserPoolInfo::upool->authenticate(session);
47
    uid = UserPoolInfo::upool->authenticate(session);
45 48
    
46
    if ( rc != 0 )                             
49
    if ( uid == -1 )                             
47 50
    {                                            
48 51
        goto error_authenticate;                     
49 52
    }
50 53
    
51
    // Now let's get the info
52
        
54
    //Authorize the operation
55
    if ( uid != 0 ) // uid == 0 means oneadmin
56
    {
57
        AuthRequest ar(uid);
58

  
59
        ar.add_auth(AuthRequest::USER,
60
                    -1,
61
                    AuthRequest::INFO,
62
                    0,
63
                    false);
64

  
65
        if (UserPool::authorize(ar) == -1)
66
        {
67
            goto error_authorize;
68
        }
69
    }
70
    
71
    // Now let's get the info    
53 72
    rc = UserPoolInfo::upool->dump(oss,"");
54 73
    
55 74
    if ( rc != 0 )                             
......
71 90
error_authenticate:
72 91
    oss.str(authenticate_error(method_name));  
73 92
    goto error_common;
93

  
94
error_authorize:
95
    oss.str(authorization_error(method_name, "INFO", "USER", uid, -1));
96
    goto error_common;
74 97
    
75 98
error_dumping:
76
    oss.str(get_error(method_name, "IMAGE", -1));
99
    oss.str(get_error(method_name, "USER", -1));
77 100
    goto error_common;
78 101

  
79 102
error_common:
src/rm/RequestManagerVirtualNetworkInfo.cc
63 63
        goto error_vn_get;                     
64 64
    }
65 65
    
66
    //Authorize the operation
67
    if ( rc != 0 ) // rc == 0 means oneadmin
68
    {
69
        AuthRequest ar(rc);
70

  
71
        ar.add_auth(AuthRequest::NET,
72
                    nid,
73
                    AuthRequest::USE,
74
                    0,
75
                    vn->isPublic());
76

  
77
        if (UserPool::authorize(ar) == -1)
78
        {
79
            goto error_authorize;
80
        }
81
    }
82
    
83 66
    oss << *vn;
84 67
    
85 68
    vn->unlock();
......
104 87
    oss.str(get_error(method_name, "NET", nid));
105 88
    goto error_common;
106 89
    
107
error_authorize:
108
    vn->unlock();
109
    oss.str(authorization_error(method_name, "USE", "NET", rc, nid));
110
    goto error_common;
111

  
112 90
error_common:
113 91
    arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
114 92
    arrayData.push_back(xmlrpc_c::value_string(oss.str()));
src/rm/RequestManagerVirtualNetworkPoolInfo.cc
63 63
     *     -1  :: User's VMs
64 64
     *    >=0  :: UID User's VMs
65 65
     **/
66
     
67
     // TODO define authorization (bug #278)
66 68
    if (filter_flag == -1)
67 69
    {
68 70
        User::split_secret(session,username,password);
src/rm/RequestManagerVirtualNetworkPublish.cc
52 52
    publish_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2));
53 53

  
54 54
    // First, we need to authenticate the user
55
    rc = VirtualNetworkPublish::upool->authenticate(session);
55
    uid = VirtualNetworkPublish::upool->authenticate(session);
56 56

  
57
    if ( rc == -1 )
57
    if ( uid == -1 )
58 58
    {
59 59
        goto error_authenticate;
60 60
    }
61 61
    
62
    uid = rc;
63
    
64 62
    // Get virtual network from the VirtualNetworkPool
65 63
    vn = VirtualNetworkPublish::vnpool->get(nid,true);    
66 64
                                                 

Also available in: Unified diff