[pve-devel] r5540 - in pve-access-control/trunk: . PVE test
svn-commits at proxmox.com
Wed Feb 16 07:37:11 CET 2011
Author: dietmar
Date: 2011-02-16 07:37:11 +0100 (Wed, 16 Feb 2011)
New Revision: 5540
Removed:
pve-access-control/trunk/PVE/ACLCache.pm
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/Makefile
pve-access-control/trunk/PVE/RPCEnvironment.pm
pve-access-control/trunk/test/perm-test1.pl
Log:
* PVE/ACLCache.pm: deleted - moved code into RPCEnvironment.
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-02-16 05:37:51 UTC (rev 5539)
+++ pve-access-control/trunk/ChangeLog 2011-02-16 06:37:11 UTC (rev 5540)
@@ -1,3 +1,7 @@
+2011-02-16 Proxmox Support Team <support at proxmox.com>
+
+ * PVE/ACLCache.pm: deleted - moved code into RPCEnvironment.
+
2011-02-15 Proxmox Support Team <support at proxmox.com>
* PVE/AccessControl.pm (verify_username): restrict user names to
Deleted: pve-access-control/trunk/PVE/ACLCache.pm
===================================================================
--- pve-access-control/trunk/PVE/ACLCache.pm 2011-02-16 05:37:51 UTC (rev 5539)
+++ pve-access-control/trunk/PVE/ACLCache.pm 2011-02-16 06:37:11 UTC (rev 5540)
@@ -1,98 +0,0 @@
-package PVE::ACLCache;
-
-use strict;
-use warnings;
-use PVE::AccessControl;
-
-sub new {
- my ($class, $user_cfg) = @_;
-
- my $self = {
- cfg => $user_cfg,
- cache => {},
- };
-
- bless $self;
-
- return $self;
-}
-
-my $compile_acl = sub {
- my ($self, $user) = @_;
-
- my $res = {};
- my $cfg = $self->{cfg};
-
- if ($user eq 'root') { # root can do anything
- return {'/' => $cfg->{roles}->{'Administrator'}};
- }
-
- foreach my $path (sort keys %{$cfg->{acl}}) {
- my @ra = PVE::AccessControl::roles($cfg, $user, $path);
-
- my $privs = {};
- foreach my $role (@ra) {
- if (my $privset = $cfg->{roles}->{$role}) {
- foreach my $p (keys %$privset) {
- $privs->{$p} = 1;
- }
- }
- }
-
- $res->{$path} = $privs;
- }
-
- return $res;
-};
-
-sub permissions {
- my ($self, $user, $path) = @_;
-
- $user = PVE::AccessControl::verify_username($user, 1);
- return {} if !$user;
-
- my $cache = $self->{cache};
-
- my $acl = $cache->{$user};
-
- if (!$acl) {
- $acl = $cache->{$user} = &$compile_acl($self, $user);
- }
-
- my $perm;
-
- if (!($perm = $acl->{$path})) {
- $perm = {};
- foreach my $p (sort keys %$acl) {
- my $final = ($path eq $p);
-
- next if !(($p eq '/') || $final || ($path =~ m|^$p/|));
-
- $perm = $acl->{$p};
- }
- $acl->{$path} = $perm;
- }
-
- return $perm;
-}
-
-sub check {
- my ($self, $user, $path, $privs) = @_;
-
- my $perm = $self->permissions($user, $path);
-
- foreach my $priv (@$privs) {
- return undef if !$perm->{$priv};
- };
-
- return 1;
-};
-
-sub user_enabled {
- my ($self, $user) = @_;
-
- my $cfg = $self->{cfg};
- return PVE::AccessControl::user_enabled($cfg, $user);
-}
-
-1;
Modified: pve-access-control/trunk/PVE/Makefile
===================================================================
--- pve-access-control/trunk/PVE/Makefile 2011-02-16 05:37:51 UTC (rev 5539)
+++ pve-access-control/trunk/PVE/Makefile 2011-02-16 06:37:11 UTC (rev 5540)
@@ -3,6 +3,5 @@
.PHONY: install
install:
install -D -m 0644 AccessControl.pm ${DESTDIR}${PERLDIR}/PVE/AccessControl.pm
- install -D -m 0644 ACLCache.pm ${DESTDIR}${PERLDIR}/PVE/ACLCache.pm
install -D -m 0644 RPCEnvironment.pm ${DESTDIR}${PERLDIR}/PVE/RPCEnvironment.pm
make -C API2 install
\ No newline at end of file
Modified: pve-access-control/trunk/PVE/RPCEnvironment.pm
===================================================================
--- pve-access-control/trunk/PVE/RPCEnvironment.pm 2011-02-16 05:37:51 UTC (rev 5539)
+++ pve-access-control/trunk/PVE/RPCEnvironment.pm 2011-02-16 06:37:11 UTC (rev 5540)
@@ -7,9 +7,11 @@
use Fcntl qw(:flock);
use PVE::SafeSyslog;
use PVE::INotify;
+use PVE::Cluster;
use PVE::ProcFSTools;
+use PVE::AccessControl;
-# we use this singleton class to pass RPC related environment value
+# we use this singleton class to pass RPC related environment values
my $pve_env;
@@ -48,13 +50,92 @@
$WORKER_PIDS->{$pid} = 1;
};
-sub get {
+# ACL cache
- die "not initialized" if !$pve_env;
+my $compile_acl = sub {
+ my ($self, $user) = @_;
- return $pve_env;
+ my $res = {};
+ my $cfg = $self->{user_cfg};
+
+ return undef if !$cfg->{roles};
+
+ if ($user eq 'root') { # root can do anything
+ return {'/' => $cfg->{roles}->{'Administrator'}};
+ }
+
+ foreach my $path (sort keys %{$cfg->{acl}}) {
+ my @ra = PVE::AccessControl::roles($cfg, $user, $path);
+
+ my $privs = {};
+ foreach my $role (@ra) {
+ if (my $privset = $cfg->{roles}->{$role}) {
+ foreach my $p (keys %$privset) {
+ $privs->{$p} = 1;
+ }
+ }
+ }
+
+ $res->{$path} = $privs;
+ }
+
+ return $res;
+};
+
+sub permissions {
+ my ($self, $user, $path) = @_;
+
+ $user = PVE::AccessControl::verify_username($user, 1);
+ return {} if !$user;
+
+ my $cache = $self->{aclcache};
+
+ my $acl = $cache->{$user};
+
+ if (!$acl) {
+ if (!($acl = &$compile_acl($self, $user))) {
+ return {};
+ }
+ $cache->{$user} = $acl;
+ }
+
+ my $perm;
+
+ if (!($perm = $acl->{$path})) {
+ $perm = {};
+ foreach my $p (sort keys %$acl) {
+ my $final = ($path eq $p);
+
+ next if !(($p eq '/') || $final || ($path =~ m|^$p/|));
+
+ $perm = $acl->{$p};
+ }
+ $acl->{$path} = $perm;
+ }
+
+ return $perm;
}
+sub check {
+ my ($self, $user, $path, $privs) = @_;
+
+ my $perm = $self->permissions($user, $path);
+
+ foreach my $priv (@$privs) {
+ return undef if !$perm->{$priv};
+ };
+
+ return 1;
+};
+
+sub user_enabled {
+ my ($self, $user) = @_;
+
+ my $cfg = $self->{user_cfg};
+ return PVE::AccessControl::user_enabled($cfg, $user);
+}
+
+# initialize environment - must be called once at program startup
sub init {
my ($class, $type, %params) = @_;
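Review bot: In `permissions`, the ACL path `$p` is interpolated unescaped into `m|^$p/|`, so any regex metacharacter in a key of `$cfg->{acl}` (a `.` or `+` in a path, for instance) changes what the prefix test matches instead of being compared literally; `next if !(($p eq '/') || $final || ($path =~ m|^\Q$p\E/|));` keeps the literal-prefix semantics that the neighbouring `eq` checks assume. The same line existed in the deleted ACLCache.pm, so this is carried over rather than introduced here. The longest-prefix selection relies on `sort keys %$acl` placing a path lexicographically before its descendants, and on the memoised `$acl->{$path}` entries written by earlier lookups; a one-line comment above the loop stating both would help the next reader. `init` at the end of the hunk continues outside it.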
@@ -72,6 +153,9 @@
# priv ... access from private server (pvedaemon)
my $self = {
+ user_cfg => {},
+ aclcache => {},
+ aclversion => undef,
type => $type,
};
@@ -96,6 +180,51 @@
return $self;
};
+# get the singleton
+sub get {
+
+ die "not initialized" if !$pve_env;
+
+ return $pve_env;
+}
+
+# init_request - must be called before each RPC request
+sub init_request {
+ my ($self, %params) = @_;
+
+ PVE::Cluster::cfs_update();
+
+ my $userconfig; # we use this for regression tests
+ foreach my $p (keys %params) {
+ if ($p eq 'userconfig') {
+ $userconfig = $params{$p};
+ } else {
+ die "unknown parameter '$p'";
+ }
+ }
+
+ eval {
+ $self->{aclcache} = {};
+ if ($userconfig) {
+ my $ucdata = PVE::Tools::file_get_contents($userconfig);
+ my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
+ $self->{user_cfg} = $cfg;
+ } else {
+ my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
+ if (!$self->{aclcache} || !defined($self->{aclversion}) ||
+ !defined($ucvers) || ($ucvers ne $self->{aclversion})) {
+ $self->{aclversion} = $ucvers;
+ my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
+ $self->{user_cfg} = $cfg;
+ }
+ }
+ };
+ if (my $err = $@) {
+ $self->{user_cfg} = {};
+ die "Unable to load access control list: $err";
+ }
+}
+
sub set_language {
my ($self, $lang) = @_;
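Review bot: `init_request` assigns `$self->{aclcache} = {}` unconditionally at the top of the eval, so the later `!$self->{aclcache}` test is always false and the compiled per-user ACL cache never survives a request even when `aclversion` shows user.cfg unchanged; `aclversion` therefore only saves the `cfs_read_file` parse. If rebuilding the cache on every request is intended, drop the dead term: `if (!defined($self->{aclversion}) || !defined($ucvers) || ($ucvers ne $self->{aclversion})) {`; if not, move the reset next to the two `$self->{user_cfg} = $cfg;` assignments so it only happens when the config is actually reloaded. Either way the failure path is safe: on a load error `user_cfg` is emptied, `$compile_acl` then returns undef, `permissions` yields `{}` and every `check` fails closed. `PVE::Tools::file_get_contents` is called here but no `use PVE::Tools` is visible in this diff; presumably it is imported above line 7 of the file — worth confirming.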
@@ -104,6 +233,12 @@
$self->{language} = $lang;
}
+sub get_language {
+ my ($self) = @_;
+
+ return $self->{language};
+}
+
sub set_user {
my ($self, $user) = @_;
Modified: pve-access-control/trunk/test/perm-test1.pl
===================================================================
--- pve-access-control/trunk/test/perm-test1.pl 2011-02-16 05:37:51 UTC (rev 5539)
+++ pve-access-control/trunk/test/perm-test1.pl 2011-02-16 06:37:11 UTC (rev 5540)
@@ -3,26 +3,26 @@
use strict;
use PVE::Tools;
use PVE::AccessControl;
-use PVE::ACLCache;
+use PVE::RPCEnvironment;
use Getopt::Long;
+my $rpcenv = PVE::RPCEnvironment->init('cli');
+
my $cfgfn = "user.cfg.ex1";
-my $ucdata = PVE::Tools::file_get_contents($cfgfn);
-my $cfg = PVE::AccessControl::parse_user_config ($cfgfn, $ucdata);
-my $acl = PVE::ACLCache->new($cfg);
+$rpcenv->init_request(userconfig => $cfgfn);
sub check_permission {
my ($user, $path, $expected_result) = @_;
- my $perm = PVE::AccessControl::permission($cfg, $user, $path);
+ my $perm = PVE::AccessControl::permission($rpcenv->{user_cfg}, $user, $path);
my $res = join(',', sort keys %$perm);
- die "unexpected result - need '${expected_result}'\n"
+ die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
- $perm = $acl->permissions($user, $path);
+ $perm = $rpcenv->permissions($user, $path);
$res = join(',', sort keys %$perm);
- die "unexpected result (compiled) - need '${expected_result}'\n"
+ die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
print "$path:$user:$res\n";
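Review bot: `check_permission` reaches into the object with `$rpcenv->{user_cfg}` to call `PVE::AccessControl::permission`, which couples the test to RPCEnvironment's private hash layout; since the module gains accessors in this same commit (`get_language`), a matching `sub get_user_cfg { my ($self) = @_; return $self->{user_cfg}; }` would let the test call `$rpcenv->get_user_cfg` instead. `check_permission` continues past the end of the hunk.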