[pve-devel] r4993 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Fri Aug 13 09:42:58 CEST 2010


Author: dietmar
Date: 2010-08-13 07:42:58 +0000 (Fri, 13 Aug 2010)
New Revision: 4993

Added:
   pve-access-control/trunk/ACL.pm
Modified:
   pve-access-control/trunk/AccessControl.pm
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/Makefile
   pve-access-control/trunk/pveum
Log:
	* AccessControl.pm (modify_acl): strict error checking - use 'die'
	instead of 'warn', moved to ACL.pm



Added: pve-access-control/trunk/ACL.pm
===================================================================
--- pve-access-control/trunk/ACL.pm	                        (rev 0)
+++ pve-access-control/trunk/ACL.pm	2010-08-13 07:42:58 UTC (rev 4993)
@@ -0,0 +1,111 @@
+package PVE::API2::ACL;
+
+use strict;
+use warnings;
+use PVE::INotify qw (read_file write_file);
+use PVE::AccessControl;
+
+use PVE::SafeSyslog;
+
+use Data::Dumper; # fixme: remove
+
+use PVE::RESTHandler;
+
+use base qw(PVE::RESTHandler);
+
+# fixme: format, what data exactly??
+__PACKAGE__->register_method ({
+    name => 'read_acl', 
+    path => '', 
+    method => 'GET',
+    description => "Get Access Control List (ACLs).",
+    parameters => {
+	additionalProperties => 0,
+	properties => {},
+    },
+    returns => {},
+    code => sub {
+	my ($conn, $resp, $param) = @_;
+    
+	my $res = [];
+
+	my $usercfg = read_file("usercfg");
+ 
+	return $usercfg->{acl};
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'update_acl', 
+    protected => 1,
+    path => '', 
+    method => 'PUT',
+    description => "Update Access Control List.",
+    parameters => {
+   	additionalProperties => 0,
+	properties => {
+	    path => { type => 'string' },
+	    uglist => { type => 'string' },
+	    roles => { type => 'string' },
+	    propagate => { type => 'boolean', optional => 1 },
+	    delete => { type => 'boolean', optional => 1 },
+	},
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($conn, $resp, $param) = @_;
+
+	PVE::AccessControl::lock_user_config(
+	    sub {
+			
+		my $cfg = read_file("usercfg");
+
+		my $propagate = $param->{propagate} ? 1 : 0;
+
+		my $path = PVE::AccessControl::normalize_path($param->{path});
+
+		die "invalid ACL path '$param->{path}'\n" if !$path;
+
+		foreach my $role (PVE::AccessControl::split_list($param->{roles})) {
+		    PVE::AccessControl::verify_rolename($role);
+		    die "role '$role' does not exist\n" 
+			if !$cfg->{roles}->{$role};
+
+		    foreach my $ug (PVE::AccessControl::split_list($param->{uglist})) {
+
+			if ($ug =~ m/^@(\w+)$/) {
+			    my $group = $1;
+
+			    die "group '$group' does not exist\n"
+				if !$cfg->{groups}->{$group};
+
+			    if ($param->{delete}) {
+				delete($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
+			    } else {
+				$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
+			    }
+			} else {
+			    my $username = PVE::AccessControl::verify_username($ug);
+
+			    die "user '$username' does not exist\n"
+				if !$cfg->{users}->{$username};
+
+			    if ($param->{delete}) {
+				delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
+			    } else {
+				$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
+			    } 
+			}
+		    }
+		}
+
+		write_file("usercfg", $cfg);
+	    });
+
+	my $err = $@;
+
+	die "ACL update failed: $err" if $err;
+
+	return undef;
+    }});
+
+1;

Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm	2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/AccessControl.pm	2010-08-13 07:42:58 UTC (rev 4993)
@@ -437,60 +437,6 @@
 
 }
 
-sub modify_acl {
-
-    my ($pathtxt, $uglist, $rolelist, $opts) = @_;
-
-    lock_user_config(sub {
-
-	my $cfg = read_file($userconfigpath);
-	my $propagate = $opts->{propagate} ? 1 : 0;
-	if (my $path = normalize_path($pathtxt)) {
-	    foreach my $role (split_list($rolelist)) {
-		if ((!verify_rolename($role, 1)) || (!$cfg->{roles}->{$role})) {
-		    warn "user config - ignore invalid role name '$role' in acl\n";
-		    next;
-		}
-
-		foreach my $ug (split_list($uglist)) {
-		    if ($ug =~ m/^@(\w+)$/) {
-			my $group = $1;
-			if ($cfg->{groups}->{$group}) { # group exists
-			    if ($opts->{delete}) {
-				delete ($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
-			    } else {
-				$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
-			    }
-			} else {
-			    warn "user config - ignore invalid acl group '$group'\n";
-			}
-		    } elsif (verify_username($ug, 1)) {
-			if ($cfg->{users}->{$ug}) { # user exists
-			    if ($opts->{delete}) {
-				delete ($cfg->{acl}->{$path}->{users}->{$ug}->{$role});
-			    } else {
-			    $cfg->{acl}->{$path}->{users}->{$ug}->{$role} = $propagate;
-			    }
-			} else {
-			    warn "user config - ignore invalid acl member '$ug'\n";
-			}
-		    } else {
-			warn "user config - invalid user/group '$ug' in acl\n";
-		    }
-		}
-	    }
-	} else {
-	    warn "user config - ignore invalid path in acl '$pathtxt'\n";
-	}
-
-	write_file($userconfigpath, $cfg);
-    });
-
-    my $err = $@;
-
-    die "acl modify failed: $err" if $err;
-}
-
 my $valid_privs = {
     'VM.Create' => 1,
     'VM.Remove' => 1,

Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/ChangeLog	2010-08-13 07:42:58 UTC (rev 4993)
@@ -1,3 +1,8 @@
+2010-08-13  Proxmox Support Team  <support at proxmox.com>
+
+	* AccessControl.pm (modify_acl): strict error checking - use 'die'
+	instead of 'warn', moved to ACL.pm
+
 2010-08-12  Proxmox Support Team  <support at proxmox.com>
 
 	* Group.pm: use the new RESTHandler for API methods

Modified: pve-access-control/trunk/Makefile
===================================================================
--- pve-access-control/trunk/Makefile	2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/Makefile	2010-08-13 07:42:58 UTC (rev 4993)
@@ -1,4 +1,4 @@
-RELEASE=1.4
+RELEASE=2.0
 
 VERSION=0.1
 PACKAGE=libpve-access-control
@@ -17,6 +17,7 @@
 DEB=${PACKAGE}_${VERSION}-${PKGREL}_${ARCH}.deb
 
 API2_SOURCES= 		\
+	ACL.pm		\
 	Role.pm		\
 	Group.pm	\
 	User.pm

Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum	2010-08-13 06:28:47 UTC (rev 4992)
+++ pve-access-control/trunk/pveum	2010-08-13 07:42:58 UTC (rev 4993)
@@ -9,6 +9,8 @@
 use PVE::INotify;
 use PVE::API2::User;
 use PVE::API2::Group;
+use PVE::API2::Role;
+use PVE::API2::ACL;
 
 use Data::Dumper; # fixme: remove
 
@@ -139,37 +141,25 @@
 
     my $opts = {};
 
-    if (!GetOptions ($opts, 'propagate')) {
-        exit (-1);
-    }
+    $opts->{path} = shift;
+    $opts->{uglist} = shift;
+    $opts->{roles} = shift;
 
-    die "wrong number of arguments\n" if scalar (@ARGV) != 3;
-    my $pathtxt = shift;
-    my $uglist = shift;
-    my $rolelist = shift;
+    PVE::API2::ACL->cli_handler('update_acl', \@ARGV, $opts);
 
-    print_usage("syntax error") 
-	if !$pathtxt && !$rolelist && !$uglist;
-
-    PVE::AccessControl::modify_acl($pathtxt, $uglist, $rolelist, $opts);
-
     exit(0);
 
 } elsif ($cmd eq 'acldel') {
 
     my $opts = {};
-    die "wrong number of arguments\n" if scalar (@ARGV) != 3;
-    my $pathtxt = shift;
-    my $uglist = shift;
-    my $rolelist = shift;
 
+    $opts->{path} = shift;
+    $opts->{uglist} = shift;
+    $opts->{roles} = shift;
     $opts->{delete} = 1;
 
-    print_usage("syntax error") 
-	if !$pathtxt && !$rolelist && !$uglist;
+    PVE::API2::ACL->cli_handler('update_acl', \@ARGV, $opts);
 
-    PVE::AccessControl::modify_acl($pathtxt, $uglist, $rolelist, $opts);
-
     exit(0);
 
 } else {



More information about the pve-devel mailing list