Statistics
| Branch: | Tag: | Revision:

one / src / acl / AclRule.cc @ 84f874bf

History | View | Annotate | Download (7.07 KB)

1
/* -------------------------------------------------------------------------- */
2
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             */
3
/*                                                                            */
4
/* Licensed under the Apache License, Version 2.0 (the "License"); you may    */
5
/* not use this file except in compliance with the License. You may obtain    */
6
/* a copy of the License at                                                   */
7
/*                                                                            */
8
/* http://www.apache.org/licenses/LICENSE-2.0                                 */
9
/*                                                                            */
10
/* Unless required by applicable law or agreed to in writing, software        */
11
/* distributed under the License is distributed on an "AS IS" BASIS,          */
12
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
13
/* See the License for the specific language governing permissions and        */
14
/* limitations under the License.                                             */
15
/* -------------------------------------------------------------------------- */
16

    
17
#include "AclRule.h"
18
#include "AuthManager.h"
19

    
20
/* -------------------------------------------------------------------------- */
21
/* -------------------------------------------------------------------------- */
22

    
23
const long long AclRule::INDIVIDUAL_ID  = 0x100000000LL;
24
const long long AclRule::GROUP_ID       = 0x200000000LL;
25
const long long AclRule::ALL_ID         = 0x400000000LL;
26

    
27
/* -------------------------------------------------------------------------- */
28
/* -------------------------------------------------------------------------- */
29

    
30
bool AclRule::malformed(string& error_str) const
31
{
32
    ostringstream oss;
33
    bool error = false;
34

    
35
    // Check user
36

    
37
    if ( (user & INDIVIDUAL_ID) != 0 && (user & GROUP_ID) != 0 )
38
    {
39
        error = true;
40
        oss << "[user] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
41
    }
42

    
43
    if ( (user & INDIVIDUAL_ID) != 0 && (user & ALL_ID) != 0 )
44
    {
45
        if ( error )
46
        {
47
            oss << "; ";
48
        }
49

    
50
        error = true;
51
        oss << "[user] INDIVIDUAL (#) and ALL (*) bits are exclusive";
52
    }
53

    
54
    if ( (user & GROUP_ID) != 0 && (user & ALL_ID) != 0 )
55
    {
56
        if ( error )
57
        {
58
            oss << "; ";
59
        }
60

    
61
        error = true;
62
        oss << "[user] GROUP (@) and ALL (*) bits are exclusive";
63
    }
64

    
65
    if ( user_id() < 0 )
66
    {
67
        if ( error )
68
        {
69
            oss << "; ";
70
        }
71

    
72
        error = true;
73
        oss << "[user] ID cannot be negative";
74
    }
75

    
76
    if ( (user & ALL_ID) != 0 && user_id() != 0 )
77
    {
78
        if ( error )
79
        {
80
            oss << "; ";
81
        }
82

    
83
        error = true;
84
        oss << "when using the ALL bit, [user] ID must be 0";
85
    }
86

    
87
    // Check resource
88

    
89
    if ( (resource & INDIVIDUAL_ID) != 0 && (resource & GROUP_ID) != 0 )
90
    {
91
        if ( error )
92
        {
93
            oss << "; ";
94
        }
95

    
96
        error = true;
97
        oss << "[resource] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
98
    }
99

    
100
    if ( (resource & INDIVIDUAL_ID) != 0 && (resource & ALL_ID) != 0 )
101
    {
102
        if ( error )
103
        {
104
            oss << "; ";
105
        }
106

    
107
        error = true;
108
        oss << "[resource] INDIVIDUAL (#) and ALL (*) bits are exclusive";
109
    }
110

    
111
    if ( (resource & GROUP_ID) != 0 && (resource & ALL_ID) != 0 )
112
    {
113
        if ( error )
114
        {
115
            oss << "; ";
116
        }
117

    
118
        error = true;
119
        oss << "[resource] GROUP (@) and ALL (*) bits are exclusive";
120
    }
121

    
122
    if ( resource_id() < 0 )
123
    {
124
        if ( error )
125
        {
126
            oss << "; ";
127
        }
128

    
129
        error = true;
130
        oss << "[resource] ID cannot be negative";
131
    }
132

    
133
    if ( (resource & ALL_ID) != 0 && resource_id() != 0 )
134
    {
135
        if ( error )
136
        {
137
            oss << "; ";
138
        }
139

    
140
        error = true;
141
        oss << "when using the ALL bit, [resource] ID must be 0";
142
    }
143

    
144
    if ( (resource & 0xFF000000000LL) == 0 )
145
    {
146
        if ( error )
147
        {
148
            oss << "; ";
149
        }
150

    
151
        error = true;
152
        oss << "[resource] type is missing";
153
    }
154

    
155
    if ( (resource & 0xFFFFF00000000000LL) != 0 )
156
    {
157
        if ( error )
158
        {
159
            oss << "; ";
160
        }
161

    
162
        error = true;
163
        oss << "wrong [resource] type";
164
    }
165

    
166
    if ( error )
167
    {
168
        error_str = oss.str();
169
    }
170

    
171
    return error;
172
}
173

    
174
/* -------------------------------------------------------------------------- */
175
/* -------------------------------------------------------------------------- */
176

    
177
void AclRule::build_str()
178
{
179
    ostringstream oss;
180

    
181
    if ( (user & GROUP_ID) != 0 )
182
    {
183
        oss << "@" << user_id();
184
    }
185
    else if ( (user & INDIVIDUAL_ID) != 0 )
186
    {
187
        oss << "#" << user_id();
188
    }
189
    else
190
    {
191
        oss << "*";
192
    }
193

    
194
    oss << " ";
195

    
196
    AuthRequest::Object objects[] = {
197
            AuthRequest::VM,
198
            AuthRequest::HOST,
199
            AuthRequest::NET,
200
            AuthRequest::IMAGE,
201
            AuthRequest::USER,
202
            AuthRequest::TEMPLATE,
203
            AuthRequest::GROUP
204
    };
205

    
206
    bool prefix = false;
207

    
208
    for ( int i = 0; i < 7; i++ )
209
    {
210
        if ( (resource & objects[i]) != 0 )
211
        {
212
            if ( prefix )
213
            {
214
                oss << "+";
215
            }
216

    
217
            oss << AuthRequest::Object_to_str( objects[i] );
218
            prefix = true;
219
        }
220
    }
221

    
222
    oss << "/";
223

    
224
    if ( (resource & GROUP_ID) != 0 )
225
    {
226
        oss << "@" << resource_id();
227
    }
228
    else if ( (resource & INDIVIDUAL_ID) != 0 )
229
    {
230
        oss << "#" << resource_id();
231
    }
232
    else
233
    {
234
        oss << "*";
235
    }
236

    
237
    oss << " ";
238

    
239

    
240
    AuthRequest::Operation operations[] = {
241
            AuthRequest::CREATE,
242
            AuthRequest::DELETE,
243
            AuthRequest::USE,
244
            AuthRequest::MANAGE,
245
            AuthRequest::INFO,
246
            AuthRequest::INFO_POOL,
247
            AuthRequest::INFO_POOL_MINE,
248
            AuthRequest::INSTANTIATE,
249
            AuthRequest::CHOWN
250
    };
251

    
252
    prefix = false;
253

    
254
    for ( int i = 0; i < 9; i++ )
255
    {
256
        if ( (rights & operations[i]) != 0 )
257
        {
258
            if ( prefix )
259
            {
260
                oss << "+";
261
            }
262

    
263
            oss << AuthRequest::Operation_to_str( operations[i] );
264
            prefix = true;
265
        }
266
    }
267

    
268
    str = oss.str();
269
}
270

    
271
/* -------------------------------------------------------------------------- */
272
/* -------------------------------------------------------------------------- */
273

    
274
string& AclRule::to_xml(string& xml) const
275
{
276
    ostringstream   oss;
277

    
278
    oss <<
279
    "<RULE>"
280
        "<USER>"     << hex << user      << "</USER>"        <<
281
        "<RESOURCE>" << hex << resource  << "</RESOURCE>"    <<
282
        "<RIGHTS>"   << hex << rights    << "</RIGHTS>"      <<
283
        "<STRING>"   << str              << "</STRING>"      <<
284
    "</RULE>";
285

    
286
    xml = oss.str();
287

    
288
    return xml;
289
}
290

    
291
/* -------------------------------------------------------------------------- */
292
/* -------------------------------------------------------------------------- */