[pve-devel] r4866 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Fri Jul 2 10:45:10 CEST 2010


Author: dietmar
Date: 2010-07-02 08:45:10 +0000 (Fri, 02 Jul 2010)
New Revision: 4866

Modified:
   pve-access-control/trunk/AccessControl.pm
   pve-access-control/trunk/ChangeLog
Log:
	(verify_username): add $noerr parameter, raise exception if
	user name contains invalid characters and $noerr is not set
	(verify_groupname): add $noerr parameter, raise exception if
	group name contains invalid characters and $noerr is not set
	(verify_rolename): add $noerr parameter, raise exception if
	role name contains invalid characters and $noerr is not set



Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm	2010-07-02 07:46:03 UTC (rev 4865)
+++ pve-access-control/trunk/AccessControl.pm	2010-07-02 08:45:10 UTC (rev 4866)
@@ -454,7 +454,7 @@
 sub user_enabled {
     my ($usercfg, $username) = @_;
 
-    return undef if !verify_username ($username);
+    return undef if !verify_username ($username, 1);
  
     return 1 if $usercfg && $usercfg->{users}->{$username} &&
 	$usercfg->{users}->{$username}->{enabled};
@@ -468,30 +468,33 @@
 sub authenticate_user {
     my ($username, $password) = @_;
 
-    die "auth failed: no username specified\n" if !$username;
+    eval {
+
+	die "no username specified\n" if !$username;
  
-    my ($user, $domain);
+	my ($user, $domain);
 
-    ($username, $user, $domain) = verify_username ($username);
-
-    die "auth failed: username '$username' contains invalid characters\n" if !$username;
+	($username, $user, $domain) = verify_username ($username);
  
-    my $usercfg = load_user_config();
+	my $usercfg = load_user_config();
 
-    die "auth failed: no such user ('$username')\n" if !user_enabled($usercfg, $username);
+	die "no such user ('$username')\n" if !user_enabled($usercfg, $username);
 
-    if (!$domain) {
-	if ($username eq 'root') { # always use PAM for root
+	if (!$domain) {
+	    if ($username eq 'root') { # always use PAM for root
+		authenticate_user_pam($username, $password);
+	    } else {
+		authenticate_user_pve($username, $password);
+	    }
+	} elsif ($domain eq 'localhost') {
 	    authenticate_user_pam($username, $password);
 	} else {
-	    authenticate_user_pve($username, $password);
+	    die "unknown auth domain '$domain'\n";
 	}
-    } elsif ($domain eq 'localhost') {
-	authenticate_user_pam($username, $password);
-    } else {
-	die "auth failed: unknown auth domain '$domain'\n";
-    }
+    };
 
+    die "auth failed: $@" if $@;
+
     return $username;
 }
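Review bot: The messages raised inside the new eval in authenticate_user tell the caller which step failed: `no such user ('$username')` when user_enabled() is false and `unknown auth domain '$domain'` for an unrecognised domain, both re-thrown verbatim by `die "auth failed: $@" if $@;`. If that string is returned to the login client (the callers are not visible in this diff), it lets a client tell existing accounts from non-existing ones. Consider logging the detailed `$@` on the server and raising a fixed `die "auth failed\n";` to the caller instead.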
 
@@ -510,8 +513,6 @@
 	my $domain;
 
 	($username, undef, $domain) = verify_username ($username);
-
-	die "username '$username' contains invalid characters\n" if !$username;
 	
 	my $usercfg = load_user_config();
 
@@ -577,7 +578,6 @@
     lock_user_config (sub {
 
 	($username, undef, undef) = verify_username ($username);
-	die "username '$username' contains invalid characters\n" if !$username;
 
 	my $usercfg = load_user_config();
 
@@ -676,7 +676,7 @@
     
 	my $usercfg = load_user_config();
 
-	die "'$group' - invalid characters in group name\n" if (!verify_groupname ($group));
+	verify_groupname ($group);
 	
 	die "group '$group' already exists\n" 
 	    if $usercfg->{groups}->{$group};
@@ -698,7 +698,7 @@
 
     lock_user_config (sub {
 
-	die "'$group' - invalid characters in group name\n" if (!verify_groupname ($group));
+	verify_groupname ($group);
 
 	my $usercfg = load_user_config();
 
@@ -760,7 +760,7 @@
 	
 	my $usercfg = load_user_config();
 
-	die "invalid characters in role name\n" if !verify_rolename ($role);
+	verify_rolename ($role);
 
 	if ($opts->{create}) {
 	    die "can't add role '$role' - role already exists\n" if $usercfg->{roles}->{$role};	
@@ -796,7 +796,7 @@
 
 	my $usercfg = load_user_config();
 
-	die "invalid characters in role name\n" if !verify_rolename ($role);
+	verify_rolename ($role);
 
 	delete ($usercfg->{roles}->{$role})
 	    if $usercfg->{roles}->{$role};
@@ -836,7 +836,7 @@
 } 
 
 sub verify_username {
-    my ($username) = @_;
+    my ($username, $noerr) = @_;
 
     $username =~ s/root\@localhost/root/;
 
@@ -846,13 +846,18 @@
 	return wantarray ? ($username, $1, $3) : $username;
     }
 
+    die "user name '$username' contains invalid characters\n" if !$noerr && !$username;
+
     return undef;
 }
 
 sub verify_groupname {
-    my ($groupname) = @_;
+    my ($groupname, $noerr) = @_;
 
     if ($groupname !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+	die "group name '$groupname' contains invalid characters\n" if !$noerr;
+
 	return undef;
     }
     
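Review bot: The new guard in verify_username, `die "user name '$username' contains invalid characters\n" if !$noerr && !$username;`, fires only when the name is empty, undef or "0", because `$username` still holds the caller's string at that point (assuming the lines between the two hunks do not reassign it). A non-empty name that fails the pattern therefore still returns undef silently. The hunks at -510 and -577 removed their own `die ... if !$username` checks, so they now continue into load_user_config() with an undefined user name. The condition should be `die "user name '$username' contains invalid characters\n" if !$noerr;`, matching verify_groupname and verify_rolename. The pattern test of verify_username lies outside the hunk.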
@@ -860,9 +865,12 @@
 }
 
 sub verify_rolename {
-    my ($rolename) = @_;
+    my ($rolename, $noerr) = @_;
 
     if ($rolename !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+	die "role name '$rolename' contains invalid characters\n" if !$noerr;
+
 	return undef;
     }
     
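Review bot: The pattern `m/^[A-Za-z0-9\.\-_]+$/` in verify_rolename accepts a name that ends in a newline, because `$` also matches just before a final "\n". The same pattern is in verify_groupname in the previous hunk. After this commit these functions are the only check before modify_role, delete_role and the group functions use the name. Anchoring with `\z`, as in `m/^[A-Za-z0-9\.\-_]+\z/`, rejects such input, which matters if names are stored one record per line in the user config, as the parser hunks further down suggest. The end of verify_rolename lies outside the hunk.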
@@ -910,14 +918,14 @@
 	    if ($et eq 'user') {
 		my ($user, $enabled) = @data;
 
-		if (!verify_username ($user)) {
+		if (!verify_username ($user, 1)) {
 		    warn "user config - ignore user '$user' - invalid characters in user name\n";
 		    next;
 		}
 	    
 		$enabled = $enabled ? 1 : 0;
 
-		#if (!verify_groupname ($group)) {
+		#if (!verify_groupname ($group, 1)) {
 		#    warn "user config - ignore user '$user' - invalid characters in group name\n";
 		#    next;
 		#}
@@ -934,7 +942,7 @@
 	    } elsif ($et eq 'group') {
 		my ($group, $userlist) = @data;
 
-		if (!verify_groupname ($group)) {
+		if (!verify_groupname ($group, 1)) {
 		    warn "user config - ignore group '$group' - invalid characters in group name\n";
 		    next;
 		}
@@ -944,7 +952,7 @@
 
 		foreach my $user (split_list ($userlist)) {
 
-		    if (!verify_username ($user)) {
+		    if (!verify_username ($user, 1)) {
 			warn "user config - ignore invalid group member '$user'\n";
 			next;
 		    }
@@ -960,7 +968,7 @@
 	    } elsif ($et eq 'role') {
 		my ($role, $privlist) = @data;
 		
-		if (!verify_rolename ($role)) {
+		if (!verify_rolename ($role, 1)) {
 		    warn "user config - ignore role '$role' - invalid characters in role name\n";
 		    next;
 		}
@@ -982,7 +990,7 @@
 		if (my $path = normalize_path ($pathtxt)) {
 		    foreach my $role (split_list ($rolelist)) {
 			
-			if (!verify_rolename ($role)) {
+			if (!verify_rolename ($role, 1)) {
 			    warn "user config - ignore invalid role name '$role' in acl\n";
 			    next;
 			}
@@ -995,7 +1003,7 @@
 				} else {
 				    warn "user config - ignore invalid acl group '$group'\n";
 				}
-			    } elsif (verify_username ($ug)) {
+			    } elsif (verify_username ($ug, 1)) {
 				if ($cfg->{users}->{$ug}) { # user exists 
 				    $cfg->{acl}->{$path}->{users}->{$ug}->{$role} = $propagate;
 				} else {

Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2010-07-02 07:46:03 UTC (rev 4865)
+++ pve-access-control/trunk/ChangeLog	2010-07-02 08:45:10 UTC (rev 4866)
@@ -11,6 +11,12 @@
 	(modify_role): check for exceptions after lock_user_config()
 	(delete_role): check for exceptions after lock_user_config(),
 	raise invalid characters exception
+	(verify_username): add $noerr parameter, raise exeption if
+	user name contain invalid characters and $noerr is not set
+	(verify_groupname): add $noerr parameter, raise exeption if
+	group name contain invalid characters and $noerr is not set
+	(verify_rolename): add $noerr parameter, raise exeption if
+	role name contain invalid characters and $noerr is not set
 
 2010-07-01  Proxmox Support Team  <support at proxmox.com>
 


