[pve-devel] r4866 - pve-access-control/trunk
svn-commits at proxmox.com
svn-commits at proxmox.com
Fri Jul 2 10:45:10 CEST 2010
Author: dietmar
Date: 2010-07-02 08:45:10 +0000 (Fri, 02 Jul 2010)
New Revision: 4866
Modified:
pve-access-control/trunk/AccessControl.pm
pve-access-control/trunk/ChangeLog
Log:
(verify_username): add $noerr parameter, raise exception if
user name contains invalid characters and $noerr is not set
(verify_groupname): add $noerr parameter, raise exception if
group name contains invalid characters and $noerr is not set
(verify_rolename): add $noerr parameter, raise exception if
role name contains invalid characters and $noerr is not set
Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm 2010-07-02 07:46:03 UTC (rev 4865)
+++ pve-access-control/trunk/AccessControl.pm 2010-07-02 08:45:10 UTC (rev 4866)
@@ -454,7 +454,7 @@
sub user_enabled {
my ($usercfg, $username) = @_;
- return undef if !verify_username ($username);
+ return undef if !verify_username ($username, 1);
return 1 if $usercfg && $usercfg->{users}->{$username} &&
$usercfg->{users}->{$username}->{enabled};
@@ -468,30 +468,33 @@
sub authenticate_user {
my ($username, $password) = @_;
- die "auth failed: no username specified\n" if !$username;
+ eval {
+
+ die "no username specified\n" if !$username;
- my ($user, $domain);
+ my ($user, $domain);
- ($username, $user, $domain) = verify_username ($username);
-
- die "auth failed: username '$username' contains invalid characters\n" if !$username;
+ ($username, $user, $domain) = verify_username ($username);
- my $usercfg = load_user_config();
+ my $usercfg = load_user_config();
- die "auth failed: no such user ('$username')\n" if !user_enabled($usercfg, $username);
+ die "no such user ('$username')\n" if !user_enabled($usercfg, $username);
- if (!$domain) {
- if ($username eq 'root') { # always use PAM for root
+ if (!$domain) {
+ if ($username eq 'root') { # always use PAM for root
+ authenticate_user_pam($username, $password);
+ } else {
+ authenticate_user_pve($username, $password);
+ }
+ } elsif ($domain eq 'localhost') {
authenticate_user_pam($username, $password);
} else {
- authenticate_user_pve($username, $password);
+ die "unknown auth domain '$domain'\n";
}
- } elsif ($domain eq 'localhost') {
- authenticate_user_pam($username, $password);
- } else {
- die "auth failed: unknown auth domain '$domain'\n";
- }
+ };
+ die "auth failed: $@" if $@;
+
return $username;
}
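Review bot: The message rethrown by `die "auth failed: $@" if $@;` still tells the caller which step failed: `no such user ('...')`, `unknown auth domain '...'`, or whatever the PAM/PVE backends raise. If this text is returned to the login client (not visible in this hunk), it lets a caller tell existing, enabled accounts apart from unknown ones. Consider keeping the detail for the server-side log only and raising one fixed string, e.g. `die "authentication failure\n" if $@;`. The client-supplied name is also interpolated into the message unescaped, so whatever writes it to a log should strip control characters first.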
@@ -510,8 +513,6 @@
my $domain;
($username, undef, $domain) = verify_username ($username);
-
- die "username '$username' contains invalid characters\n" if !$username;
my $usercfg = load_user_config();
@@ -577,7 +578,6 @@
lock_user_config (sub {
($username, undef, undef) = verify_username ($username);
- die "username '$username' contains invalid characters\n" if !$username;
my $usercfg = load_user_config();
@@ -676,7 +676,7 @@
my $usercfg = load_user_config();
- die "'$group' - invalid characters in group name\n" if (!verify_groupname ($group));
+ verify_groupname ($group);
die "group '$group' already exists\n"
if $usercfg->{groups}->{$group};
@@ -698,7 +698,7 @@
lock_user_config (sub {
- die "'$group' - invalid characters in group name\n" if (!verify_groupname ($group));
+ verify_groupname ($group);
my $usercfg = load_user_config();
@@ -760,7 +760,7 @@
my $usercfg = load_user_config();
- die "invalid characters in role name\n" if !verify_rolename ($role);
+ verify_rolename ($role);
if ($opts->{create}) {
die "can't add role '$role' - role already exists\n" if $usercfg->{roles}->{$role};
@@ -796,7 +796,7 @@
my $usercfg = load_user_config();
- die "invalid characters in role name\n" if !verify_rolename ($role);
+ verify_rolename ($role);
delete ($usercfg->{roles}->{$role})
if $usercfg->{roles}->{$role};
@@ -836,7 +836,7 @@
}
sub verify_username {
- my ($username) = @_;
+ my ($username, $noerr) = @_;
$username =~ s/root\@localhost/root/;
@@ -846,13 +846,18 @@
return wantarray ? ($username, $1, $3) : $username;
}
+ die "user name '$username' contains invalid characters\n" if !$noerr && !$username;
+
return undef;
}
sub verify_groupname {
- my ($groupname) = @_;
+ my ($groupname, $noerr) = @_;
if ($groupname !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+ die "group name '$groupname' contains invalid characters\n" if !$noerr;
+
return undef;
}
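Review bot: The new `die` at the end of verify_username is guarded by `!$noerr && !$username`, so it fires only for an empty (or "0") name. A non-empty name that fails the pattern check is still truthy and falls through to `return undef` without an exception. verify_groupname and verify_rolename throw on `!$noerr` alone, and the callers in the hunks at -468, -510 and -577 dropped their own `contains invalid characters` checks in this commit, so after the list assignment they carry on with `$username` set to undef. Suggested: `die "user name '$username' contains invalid characters\n" if !$noerr;`. The start of verify_username and the rest of verify_groupname lie outside this hunk, so the match block is inferred from the visible `return wantarray ...` line.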
@@ -860,9 +865,12 @@
}
sub verify_rolename {
- my ($rolename) = @_;
+ my ($rolename, $noerr) = @_;
if ($rolename !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+ die "role name '$rolename' contains invalid characters\n" if !$noerr;
+
return undef;
}
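Review bot: The character check `m/^[A-Za-z0-9\.\-_]+$/` here, and the identical one in verify_groupname, accepts a name ending in a single newline, because `$` also matches before a final "\n". As far as these hunks show, these functions are the only validation in front of the group and role writers at -676, -698, -760 and -796, so such a name would pass and be stored in the user config. Whether input of that shape can reach them is not visible here. Anchoring with `\z` closes it: `if ($rolename !~ m/^[A-Za-z0-9\.\-_]+\z/) {`. The body of verify_rolename continues past the end of this hunk.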
@@ -910,14 +918,14 @@
if ($et eq 'user') {
my ($user, $enabled) = @data;
- if (!verify_username ($user)) {
+ if (!verify_username ($user, 1)) {
warn "user config - ignore user '$user' - invalid characters in user name\n";
next;
}
$enabled = $enabled ? 1 : 0;
- #if (!verify_groupname ($group)) {
+ #if (!verify_groupname ($group, 1)) {
# warn "user config - ignore user '$user' - invalid characters in group name\n";
# next;
#}
@@ -934,7 +942,7 @@
} elsif ($et eq 'group') {
my ($group, $userlist) = @data;
- if (!verify_groupname ($group)) {
+ if (!verify_groupname ($group, 1)) {
warn "user config - ignore group '$group' - invalid characters in group name\n";
next;
}
@@ -944,7 +952,7 @@
foreach my $user (split_list ($userlist)) {
- if (!verify_username ($user)) {
+ if (!verify_username ($user, 1)) {
warn "user config - ignore invalid group member '$user'\n";
next;
}
@@ -960,7 +968,7 @@
} elsif ($et eq 'role') {
my ($role, $privlist) = @data;
- if (!verify_rolename ($role)) {
+ if (!verify_rolename ($role, 1)) {
warn "user config - ignore role '$role' - invalid characters in role name\n";
next;
}
@@ -982,7 +990,7 @@
if (my $path = normalize_path ($pathtxt)) {
foreach my $role (split_list ($rolelist)) {
- if (!verify_rolename ($role)) {
+ if (!verify_rolename ($role, 1)) {
warn "user config - ignore invalid role name '$role' in acl\n";
next;
}
@@ -995,7 +1003,7 @@
} else {
warn "user config - ignore invalid acl group '$group'\n";
}
- } elsif (verify_username ($ug)) {
+ } elsif (verify_username ($ug, 1)) {
if ($cfg->{users}->{$ug}) { # user exists
$cfg->{acl}->{$path}->{users}->{$ug}->{$role} = $propagate;
} else {
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2010-07-02 07:46:03 UTC (rev 4865)
+++ pve-access-control/trunk/ChangeLog 2010-07-02 08:45:10 UTC (rev 4866)
@@ -11,6 +11,12 @@
(modify_role): check for exceptions after lock_user_config()
(delete_role): check for exceptions after lock_user_config(),
raise invalid characters exception
+ (verify_username): add $noerr parameter, raise exeption if
+ user name contain invalid characters and $noerr is not set
+ (verify_groupname): add $noerr parameter, raise exeption if
+ group name contain invalid characters and $noerr is not set
+ (verify_rolename): add $noerr parameter, raise exeption if
+ role name contain invalid characters and $noerr is not set
2010-07-01 Proxmox Support Team <support at proxmox.com>