[pve-devel] r5451 - in pve-access-control/trunk: . PVE

svn-commits at proxmox.com svn-commits at proxmox.com
Thu Jan 27 14:28:52 CET 2011


Author: dietmar
Date: 2011-01-27 14:28:52 +0100 (Thu, 27 Jan 2011)
New Revision: 5451

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/AccessControl.pm
   pve-access-control/trunk/pveum
Log:


Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-01-27 13:04:56 UTC (rev 5450)
+++ pve-access-control/trunk/ChangeLog	2011-01-27 13:28:52 UTC (rev 5451)
@@ -1,3 +1,12 @@
+2011-01-27  Proxmox Support Team  <support at proxmox.com>
+
+	* pveum (auth): remove auth method - we do not use it any
+	longer,  comment out ability to pass password via environment
+	variable.
+
+	* PVE/AccessControl.pm (check_permissions): new helper to check
+	permissions.
+
 2011-01-21  root  <root at maui.maurer-it.com>
 
 	* PVE/AccessControl.pm: register a JSONSchema standard option for

Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm	2011-01-27 13:04:56 UTC (rev 5450)
+++ pve-access-control/trunk/PVE/AccessControl.pm	2011-01-27 13:28:52 UTC (rev 5451)
@@ -103,11 +103,11 @@
 sub verify_ticket {
     my ($ticket, $noerr) = @_;
 
-    my $rsa_pub = get_pubkey();
-
     if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
 	my $plain = $1;
 	my $sig = $2;
+
+	my $rsa_pub = get_pubkey();
 	if ($rsa_pub->verify($plain, decode_base64($sig))) {
 	    if ($plain =~ m/^PVE:(([A-Za-z0-9\.\-_]+)(\@([A-Za-z0-9\.\-_]+))?):(\d+)$/) {
 		my $username = $1;
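Review bot: Both ticket patterns in this hunk anchor with `$`, which in Perl also matches just before a trailing newline, so a ticket of the form `<plain>::<sig>\n` is accepted with the newline silently dropped from `$2`; anchoring with `\z` makes the accepted shape exact: `if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)\z/) {` and likewise `\z` instead of `$` in the `PVE:` pattern on the following line. Moving `get_pubkey()` under the format check is fine, but if it can die or return undef the `$rsa_pub->verify(...)` call on the next line fails before `$noerr` can be honoured — presumably it always returns a key object, worth confirming against get_pubkey. verify_ticket continues past the end of the hunk.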
@@ -1040,4 +1040,18 @@
     return $privs;
 }
 
+sub check_permissions {
+    my ($username, $path, $privlist) = @_;
+
+    $path = normalize_path($path);
+    my $usercfg = cfs_read_file('user.cfg');
+    my $perm = permission($usercfg, $username, $path);
+
+    foreach my $priv (split_list($privlist)) {
+	return undef if !$perm->{$priv};
+    };
+
+    return 1;
+}
+
 1;
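Review bot: check_permissions fails open on an empty privilege list: if `split_list` yields nothing for an undef or empty `$privlist` (presumably it does), the foreach body never runs and the sub returns 1, so a caller that omits the privileges is granted access; unless that is intended, reject it up front, e.g. `return undef if !defined($privlist) || $privlist eq '';`, or state the vacuous-truth behaviour in a comment above the sub. Two smaller points: `return undef` yields a one-element (true) list in list context, so `return;` is the safer spelling, and the `};` closing the foreach carries a stray semicolon. The sub also has no header comment; a short one saying that it re-reads user.cfg via cfs_read_file on every call and returns 1 only when every listed privilege is present on the normalized path would help callers replacing the removed pveum auth check.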

Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum	2011-01-27 13:04:56 UTC (rev 5450)
+++ pve-access-control/trunk/pveum	2011-01-27 13:28:52 UTC (rev 5451)
@@ -43,7 +43,7 @@
 
 my $read_password = sub {
 
-    return $ENV{PVE_PW_TICKET} if defined($ENV{PVE_PW_TICKET});
+    # return $ENV{PVE_PW_TICKET} if defined($ENV{PVE_PW_TICKET});
 
     my $term = new Term::ReadLine ('pveum');
     my $attribs = $term->Attribs;
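Review bot: The commented-out `return $ENV{PVE_PW_TICKET} ...` line at the top of `$read_password` is dead code; the ChangeLog already records the removal and svn keeps the history, so delete the line, or replace it with a one-line comment giving the reason, e.g. `# password is read interactively only; PVE_PW_TICKET is no longer honoured`. The `$read_password` closure continues past the end of the hunk.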
@@ -54,58 +54,12 @@
     return $input;
 };
 
-__PACKAGE__->register_method ({
-    name => 'auth', 
-    path => 'auth', 
-    method => 'GET',
-    description => "Helper method to authenticate users and verify access permissions. This is called by external tools like kvm and vncterm. Simply raises an exception when authentication fails or the user does not have the requested privileges.",
-    parameters => {
-	additionalProperties => 0,
-	properties => {
-	    userid => get_standard_option('userid'),
-	    password => { 
-		type => 'string',
-		description => "Password (or ticket). This can be passed via an environment variable 'PVE_PW_TICKET'.", 
-	    },
-	    permissions => { 
-		type => 'string' , format => 'pve-priv-list',
-		description => "The list of privileges to check for.",
-	    },
-	    path => { 
-		type => 'string',
-		description => "Path to identify object."
-	    }
-	}
-    },
-    returns => { type => 'null' },
-    code => sub {
-	my ($param) = @_;
-    
-	my $user = PVE::AccessControl::authenticate_user($param->{userid}, $param->{password});
-
-	# check permissions
-
-	my $path = PVE::AccessControl::normalize_path($param->{path});
-	my $cfg = PVE::Cluster::cfs_read_file("user.cfg"); 
-	my $perm = PVE::AccessControl::permission($cfg, $user, $path);
-
-	foreach my $priv (PVE::AccessControl::split_list($param->{permissions})) {
-	    die "missing privileg '$priv'\n" if !$perm->{$priv}; 
-	};
-	
-	PVE::Cluster::log_msg('info', "root", "successful auth for user '$user'");
-
-	return undef;
-    }});
-
-
 my $cmddef = {
     ticket => [ 'PVE::API2::User', 'create_ticket', ['userid'], undef,
 		sub {
 		    my $ticket = shift;
 		    print "$ticket\n";
 		}],
-    auth => [ __PACKAGE__, 'auth', ['path', 'userid', 'permissions'] ],
     useradd => [ 'PVE::API2::User', 'create_user', ['userid'] ],
     usermod => [ 'PVE::API2::User', 'update_user', ['userid'] ],
     userdel => [ 'PVE::API2::User', 'delete_user', ['userid'] ],


