[pve-devel] r5521 - in pve-access-control/trunk: . PVE test

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Feb 15 10:37:39 CET 2011


Author: dietmar
Date: 2011-02-15 10:37:38 +0100 (Tue, 15 Feb 2011)
New Revision: 5521

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/AccessControl.pm
   pve-access-control/trunk/test/perm-test1.pl
Log:
	* test/perm-test1.pl: modified to use new PVE::ACLCache class.

	* PVE/AccessControl.pm: add new class PVE::ACLCache (speed up ACL
	checks)



Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-02-14 10:56:49 UTC (rev 5520)
+++ pve-access-control/trunk/ChangeLog	2011-02-15 09:37:38 UTC (rev 5521)
@@ -1,3 +1,10 @@
+2011-02-15  Proxmox Support Team  <support at proxmox.com>
+
+	* test/perm-test1.pl: modified to use new PVE::ACLCache class.
+
+	* PVE/AccessControl.pm: add new class PVE::ACLCache (speed up ACL
+	checks)
+
 2011-01-27  Proxmox Support Team  <support at proxmox.com>
 
 	* pveum (auth): remove auth method - we do not use it any

Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm	2011-02-14 10:56:49 UTC (rev 5520)
+++ pve-access-control/trunk/PVE/AccessControl.pm	2011-02-15 09:37:38 UTC (rev 5521)
@@ -1054,4 +1054,90 @@
     return 1;
 }
 
+package PVE::ACLCache;
+
+use strict;
+use warnings;
+
+sub new {
+    my ($class, $user_cfg) = @_;
+
+    my $self = {
+	cfg => $user_cfg,
+	cache => {},
+    };
+
+    bless $self;
+
+    return $self;
+}
+
+sub compile {
+    my ($self, $user) = @_;
+
+    if ($user eq 'root') { # root can do anything
+	return {'/' => 'Administrator'};
+    } 
+
+    my $res = {};
+    my $cfg = $self->{cfg};
+
+    foreach my $path (sort keys %{$cfg->{acl}}) {
+	my @ra = PVE::AccessControl::roles($cfg, $user, $path);
+
+	my $privs = {};
+	foreach my $role (@ra) {
+	    if (my $privset = $cfg->{roles}->{$role}) {
+		foreach my $p (keys %$privset) {
+		    $privs->{$p} = 1;
+		}
+	    }
+	}
+
+	$res->{$path} = $privs;
+    }
+
+    return $res;
+}
+
+sub permissions {
+    my ($self, $user, $path) = @_;
+
+    my $cache = $self->{cache};
+
+    my $acl = $cache->{$user};
+
+    if (!$acl) {
+	$acl = $cache->{$user} = $self->compile($user);
+    }
+
+    my $perm;
+
+    if (!($perm = $acl->{$path})) {
+	$perm = {};
+	foreach my $p (sort keys %$acl) {
+	    my $final = ($path eq $p);
+	    
+	    next if !(($p eq '/') || $final || ($path =~ m|^$p/|));
+
+	    $perm = $acl->{$p};
+	}
+	$acl->{$path} = $perm;
+    }
+
+    return $perm;
+}
+
+sub check {
+    my ($self, $user, $path, $privs) = @_;
+
+    my $perm = $self->permissions($user, $path);
+
+    foreach my $priv (@$privs) {
+	return undef if !$perm->{$priv};
+    };
+
+    return 1;
+};
+
 1;

Modified: pve-access-control/trunk/test/perm-test1.pl
===================================================================
--- pve-access-control/trunk/test/perm-test1.pl	2011-02-14 10:56:49 UTC (rev 5520)
+++ pve-access-control/trunk/test/perm-test1.pl	2011-02-15 09:37:38 UTC (rev 5521)
@@ -1,26 +1,31 @@
 #!/usr/bin/perl -w
 
 use strict;
+use PVE::Tools;
 use PVE::AccessControl;
 use Getopt::Long;
 
 my $cfgfn = "user.cfg.ex1";
-my $fh = IO::File->new ($cfgfn, 'r') ||
-    die "can't open file $cfgfn - $!\n";
-my $cfg = PVE::AccessControl::parse_config ($cfgfn, $fh);
-$fh->close();
+my $ucdata = PVE::Tools::file_get_contents($cfgfn);
+my $cfg = PVE::AccessControl::parse_user_config ($cfgfn, $ucdata);
+my $acl = PVE::ACLCache->new($cfg);
 
 sub check_permission {
     my ($user, $path, $expected_result) = @_;
 
     my $perm = PVE::AccessControl::permission($cfg, $user, $path);
-
     my $res = join(',', sort keys %$perm);
 
+    die "unexpected result - need '${expected_result}'\n"
+	if $res ne $expected_result;
+
+    $perm = $acl->permissions($user, $path);
+    $res = join(',', sort keys %$perm);
+    die "unexpected result (compiled) - need '${expected_result}'\n"
+	if $res ne $expected_result;
+
     print "$path:$user:$res\n";
 
-    die "unexpected result - need '${expected_result}'\n"
-	if $res ne $expected_result;
 }
 
 check_permission('max', '/', '');



More information about the pve-devel mailing list