[pve-devel] r5521 - in pve-access-control/trunk: . PVE test
svn-commits at proxmox.com
svn-commits at proxmox.com
Tue Feb 15 10:37:39 CET 2011
Author: dietmar
Date: 2011-02-15 10:37:38 +0100 (Tue, 15 Feb 2011)
New Revision: 5521
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/AccessControl.pm
pve-access-control/trunk/test/perm-test1.pl
Log:
* test/perm-test1.pl: modified to use new PVE::ACLCache class.
* PVE/AccessControl.pm: add new class PVE::ACLCache (speed up ACL
checks)
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-02-14 10:56:49 UTC (rev 5520)
+++ pve-access-control/trunk/ChangeLog 2011-02-15 09:37:38 UTC (rev 5521)
@@ -1,3 +1,10 @@
+2011-02-15 Proxmox Support Team <support at proxmox.com>
+
+ * test/perm-test1.pl: modified to use new PVE::ACLCache class.
+
+ * PVE/AccessControl.pm: add new class PVE::ACLCache (speed up ACL
+ checks)
+
2011-01-27 Proxmox Support Team <support at proxmox.com>
* pveum (auth): remove auth method - we do not use it any
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-02-14 10:56:49 UTC (rev 5520)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-02-15 09:37:38 UTC (rev 5521)
@@ -1054,4 +1054,90 @@
return 1;
}
+package PVE::ACLCache;
+
+use strict;
+use warnings;
+
+sub new {
+ my ($class, $user_cfg) = @_;
+
+ my $self = {
+ cfg => $user_cfg,
+ cache => {},
+ };
+
+ bless $self;
+
+ return $self;
+}
+
+sub compile {
+ my ($self, $user) = @_;
+
+ if ($user eq 'root') { # root can do anything
+ return {'/' => 'Administrator'};
+ }
+
+ my $res = {};
+ my $cfg = $self->{cfg};
+
+ foreach my $path (sort keys %{$cfg->{acl}}) {
+ my @ra = PVE::AccessControl::roles($cfg, $user, $path);
+
+ my $privs = {};
+ foreach my $role (@ra) {
+ if (my $privset = $cfg->{roles}->{$role}) {
+ foreach my $p (keys %$privset) {
+ $privs->{$p} = 1;
+ }
+ }
+ }
+
+ $res->{$path} = $privs;
+ }
+
+ return $res;
+}
+
+sub permissions {
+ my ($self, $user, $path) = @_;
+
+ my $cache = $self->{cache};
+
+ my $acl = $cache->{$user};
+
+ if (!$acl) {
+ $acl = $cache->{$user} = $self->compile($user);
+ }
+
+ my $perm;
+
+ if (!($perm = $acl->{$path})) {
+ $perm = {};
+ foreach my $p (sort keys %$acl) {
+ my $final = ($path eq $p);
+
+ next if !(($p eq '/') || $final || ($path =~ m|^$p/|));
+
+ $perm = $acl->{$p};
+ }
+ $acl->{$path} = $perm;
+ }
+
+ return $perm;
+}
+
+sub check {
+ my ($self, $user, $path, $privs) = @_;
+
+ my $perm = $self->permissions($user, $path);
+
+ foreach my $priv (@$privs) {
+ return undef if !$perm->{$priv};
+ };
+
+ return 1;
+};
+
1;
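Review bot: In `permissions`, the ancestor test `($path =~ m|^$p/|)` interpolates the ACL path `$p` as a regular expression, so a metacharacter in a configured path (a `.` or `+`, for example) is read as a pattern and one entry's privilege set could be inherited by an unrelated path; `($path =~ m|^\Q$p\E/|)` keeps it a literal prefix test. Separately, the root shortcut in `compile` returns `{'/' => 'Administrator'}`, a role name where every other branch stores a privilege hash, so `check` would dereference a string under `use strict` and die for root instead of answering. Building that entry from `$cfg->{roles}->{Administrator}` (assuming the role is defined in the parsed config) would keep the shape consistent. No invalidation path for `$self->{cache}` is visible in this hunk, so `new` deserves a comment along the lines of `# cache is never refreshed: discard this object whenever user.cfg changes, or revoked privileges stay effective`. The constructor's one-argument `bless $self;` also ignores `$class`; `bless $self, $class;` is the safer form.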
Modified: pve-access-control/trunk/test/perm-test1.pl
===================================================================
--- pve-access-control/trunk/test/perm-test1.pl 2011-02-14 10:56:49 UTC (rev 5520)
+++ pve-access-control/trunk/test/perm-test1.pl 2011-02-15 09:37:38 UTC (rev 5521)
@@ -1,26 +1,31 @@
#!/usr/bin/perl -w
use strict;
+use PVE::Tools;
use PVE::AccessControl;
use Getopt::Long;
my $cfgfn = "user.cfg.ex1";
-my $fh = IO::File->new ($cfgfn, 'r') ||
- die "can't open file $cfgfn - $!\n";
-my $cfg = PVE::AccessControl::parse_config ($cfgfn, $fh);
-$fh->close();
+my $ucdata = PVE::Tools::file_get_contents($cfgfn);
+my $cfg = PVE::AccessControl::parse_user_config ($cfgfn, $ucdata);
+my $acl = PVE::ACLCache->new($cfg);
sub check_permission {
my ($user, $path, $expected_result) = @_;
my $perm = PVE::AccessControl::permission($cfg, $user, $path);
-
my $res = join(',', sort keys %$perm);
+ die "unexpected result - need '${expected_result}'\n"
+ if $res ne $expected_result;
+
+ $perm = $acl->permissions($user, $path);
+ $res = join(',', sort keys %$perm);
+ die "unexpected result (compiled) - need '${expected_result}'\n"
+ if $res ne $expected_result;
+
print "$path:$user:$res\n";
- die "unexpected result - need '${expected_result}'\n"
- if $res ne $expected_result;
}
check_permission('max', '/', '');
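Review bot: Both added `die` calls in `check_permission` now run before the `print`, so a failure no longer reports which user and path were being checked or what was actually returned. Including them in the message, e.g. `die "unexpected result (compiled) for $user on $path - got '$res', need '${expected_result}'\n"`, would make a disagreement between the cached and uncached lookups diagnosable. The comparison covers `permissions` only; `PVE::ACLCache::check` and the `root` shortcut in `compile` are not exercised by the lines visible here. The list of `check_permission` calls continues past this hunk, so it is worth confirming that a root case and a denied-privilege `check` case exist there.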