[pve-devel] r4998 - pve-access-control/trunk
svn-commits at proxmox.com
svn-commits at proxmox.com
Fri Aug 13 11:05:45 CEST 2010
Author: dietmar
Date: 2010-08-13 09:05:45 +0000 (Fri, 13 Aug 2010)
New Revision: 4998
Modified:
pve-access-control/trunk/ACL.pm
pve-access-control/trunk/AccessControl.pm
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/Group.pm
pve-access-control/trunk/Role.pm
pve-access-control/trunk/User.pm
Log:
Modified: pve-access-control/trunk/ACL.pm
===================================================================
--- pve-access-control/trunk/ACL.pm 2010-08-13 08:46:04 UTC (rev 4997)
+++ pve-access-control/trunk/ACL.pm 2010-08-13 09:05:45 UTC (rev 4998)
@@ -3,6 +3,7 @@
use strict;
use warnings;
use PVE::INotify qw (read_file write_file);
+use PVE::Tools qw(split_list);
use PVE::AccessControl;
use PVE::SafeSyslog;
@@ -65,12 +66,12 @@
die "invalid ACL path '$param->{path}'\n" if !$path;
- foreach my $role (PVE::AccessControl::split_list($param->{roles})) {
+ foreach my $role (split_list($param->{roles})) {
PVE::AccessControl::verify_rolename($role);
die "role '$role' does not exist\n"
if !$cfg->{roles}->{$role};
- foreach my $ug (PVE::AccessControl::split_list($param->{uglist})) {
+ foreach my $ug (split_list($param->{uglist})) {
if ($ug =~ m/^@(\w+)$/) {
my $group = $1;
Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm 2010-08-13 08:46:04 UTC (rev 4997)
+++ pve-access-control/trunk/AccessControl.pm 2010-08-13 09:05:45 UTC (rev 4998)
@@ -8,7 +8,7 @@
use Digest::SHA;
use Authen::PAM qw(:constants);
use Net::LDAP;
-use PVE::Tools qw(run_command lock_file file_get_contents);
+use PVE::Tools qw(run_command lock_file file_get_contents split_list);
use PVE::INotify qw(read_file write_file);
use PVE::JSONSchema;
@@ -499,17 +499,6 @@
}
}
-sub split_list {
- my $listtxt = shift || '';
-
- $listtxt =~ s/[,;]/ /g;
- $listtxt =~ s/^\s+//;
-
- my @data = split (/\s+/, $listtxt);
-
- return @data;
-}
-
sub normalize_path {
my $path = shift;
@@ -524,6 +513,7 @@
return $path;
}
+PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
my ($username, $noerr) = @_;
@@ -535,11 +525,12 @@
return wantarray ? ($username, $1, $3) : $username;
}
- die "user name '$username' contains invalid characters\n" if !$noerr && !$username;
+ die "user name '$username' contains invalid characters\n" if !$noerr;
return undef;
}
+PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;
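Review bot: The failure path of verify_username still ends in `return undef;` while the success path just above it is context-sensitive through `wantarray`, so a caller that passes `$noerr` and tests a list assignment such as `if (my ($u) = verify_username($name, 1))` receives a one-element list and treats an invalid name as accepted. Now that the `die` fires for every invalid name, the `$noerr` path is where a bad name could still pass unnoticed, so I would change that line to a bare `return;`, which still yields undef in scalar context. The changed `die` line also interpolates `$username` when it is undefined, which adds an uninitialized-value warning next to the real error. verify_username starts outside this hunk, so the validation pattern itself is not reviewed here; a regression test that feeds a non-empty invalid name without `$noerr` would pin the fix the ChangeLog calls serious.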
@@ -553,6 +544,7 @@
return $groupname;
}
+PVE::JSONSchema::register_format('pve-roleid', \&verify_rolename);
sub verify_rolename {
my ($rolename, $noerr) = @_;
@@ -566,6 +558,19 @@
return $rolename;
}
+PVE::JSONSchema::register_format('pve-priv', \&verify_privname);
+sub verify_privname {
+ my ($priv, $noerr) = @_;
+
+ if (!$valid_privs->{$priv}) {
+ die "invalid priviledge '$priv'\n" if !$noerr;
+
+ return undef;
+ }
+
+ return $priv;
+}
+
sub userconfig_force_defaults {
my ($cfg) = @_;
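Review bot: `verify_privname` tests `$valid_privs->{$priv}` for truth without first checking that `$priv` is defined, so an undefined value produces uninitialized-value warnings in both the lookup and the message instead of a clean rejection; `if (!defined($priv) || !$valid_privs->{$priv}) {` avoids that. The error text spells the word as `priviledge`; `die "invalid privilege '$priv'\n" if !$noerr;` is the correct spelling, and it is cheaper to fix before API clients start matching on the message. `$valid_privs` is defined outside this hunk, so whether every valid privilege maps to a true value cannot be confirmed from here. A short comment above the sub stating that it returns the name on success and dies (or returns undef when `$noerr` is set) would document the contract it now has as a registered format checker.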
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2010-08-13 08:46:04 UTC (rev 4997)
+++ pve-access-control/trunk/ChangeLog 2010-08-13 09:05:45 UTC (rev 4998)
@@ -1,7 +1,19 @@
2010-08-13 Proxmox Support Team <support at proxmox.com>
+ * User.pm: use new 'format' property in schema
+
+ * ACL.pm: use new 'format' property in schema, remove redundant
+ calls to verify_XXX calls.
+
+ * Role.pm: use new 'format' property in schema, remove redundant
+ calls to verify_XXX calls.
+
+ * Group.pm: use new 'format' property in schema, remove redundant
+ calls to verify_XXX calls.
+
* AccessControl.pm (modify_acl): strict error checking - use 'die'
instead of 'warn', moved to ACL.pm
+ (verify_username): fix serious bug
2010-08-12 Proxmox Support Team <support at proxmox.com>
Modified: pve-access-control/trunk/Group.pm
===================================================================
--- pve-access-control/trunk/Group.pm 2010-08-13 08:46:04 UTC (rev 4997)
+++ pve-access-control/trunk/Group.pm 2010-08-13 09:05:45 UTC (rev 4998)
@@ -56,7 +56,7 @@
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string' },
+ groupid => { type => 'string', format => 'pve-groupid' },
},
},
returns => { type => 'null' },
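Review bot: With `format => 'pve-groupid'` the schema becomes the only place groupid is checked, because the handler hunks that follow (the two in Group.pm and the four in Role.pm) delete their explicit `verify_groupname` / `verify_rolename` calls. That is sound only if every caller of these handlers goes through schema validation first, which is not visible in this diff; a direct internal call would now use an unchecked name as a key in the user configuration that is read with `read_file("usercfg")`. I would add a comment at the top of each handler, for example `# groupid is already validated by the 'pve-groupid' schema format`, so the dependency is explicit for the next maintainer. If any code path reaches a handler without the schema check, the verify call should stay there.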
@@ -69,8 +69,6 @@
my $usercfg = read_file("usercfg");
my $group = $param->{groupid};
-
- PVE::AccessControl::verify_groupname($group);
die "group '$group' already exists\n"
if $usercfg->{groups}->{$group};
@@ -96,7 +94,7 @@
parameters => {
additionalProperties => 0,
properties => {
- groupid => { type => 'string' },
+ groupid => { type => 'string', format => 'pve-groupid'},
},
},
returns => {},
@@ -105,8 +103,6 @@
my $group = $param->{groupid};
- PVE::AccessControl::verify_groupname($group);
-
my $usercfg = read_file("usercfg");
my $data = $usercfg->{groups}->{$group};
Modified: pve-access-control/trunk/Role.pm
===================================================================
--- pve-access-control/trunk/Role.pm 2010-08-13 08:46:04 UTC (rev 4997)
+++ pve-access-control/trunk/Role.pm 2010-08-13 09:05:45 UTC (rev 4998)
@@ -56,7 +56,7 @@
parameters => {
additionalProperties => 0,
properties => {
- roleid => { type => 'string' },
+ roleid => { type => 'string', format => 'pve-roleid' },
privs => { type => 'string', optional => 1 },
},
},
@@ -71,8 +71,6 @@
my $role = $param->{roleid};
- PVE::AccessControl::verify_rolename($role);
-
die "role '$role' already exists\n"
if $usercfg->{roles}->{$role};
@@ -99,8 +97,8 @@
parameters => {
additionalProperties => 0,
properties => {
- roleid => { type => 'string' },
- privs => { type => 'string' },
+ roleid => { type => 'string', format => 'pve-roleid' },
+ privs => { type => 'string' , format => 'pve-priv-list' },
append => {
type => 'boolean',
optional => 1,
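Review bot: `format => 'pve-priv-list'` names a format that this commit does not register: AccessControl.pm registers only `pve-userid`, `pve-groupid`, `pve-roleid` and `pve-priv`, and the same gap applies to `pve-groupid-list` in the two User.pm schemas. Whether PVE::JSONSchema derives a `-list` format from the base checker is not visible here; if it ignores unknown format names instead, `privs` reaches the handler with no validation at all. Please confirm how the validator treats an unregistered format and, if it does not handle the suffix, either register the list formats explicitly or check each `split_list` element with `verify_privname` in the handler. A test that submits one valid and one invalid privilege in the same list would settle it.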
@@ -117,8 +115,6 @@
my $role = $param->{roleid};
- PVE::AccessControl::verify_rolename($role);
-
my $usercfg = read_file("usercfg");
die "role '$role' does not exist\n"
@@ -147,7 +143,7 @@
parameters => {
additionalProperties => 0,
properties => {
- roleid => { type => 'string' },
+ roleid => { type => 'string' , format => 'pve-roleid' },
},
},
returns => {},
@@ -158,8 +154,6 @@
my $role = $param->{roleid};
- PVE::AccessControl::verify_rolename($role);
-
my $data = $usercfg->{roles}->{$role};
die "role '$role' does not exist\n" if !$data;
@@ -177,7 +171,7 @@
parameters => {
additionalProperties => 0,
properties => {
- roleid => { type => 'string' },
+ roleid => { type => 'string', format => 'pve-roleid' },
}
},
returns => { type => 'null' },
@@ -189,8 +183,6 @@
my $role = $param->{roleid};
- PVE::AccessControl::verify_rolename($role);
-
my $usercfg = read_file("usercfg");
die "role '$role' does not exist\n"
Modified: pve-access-control/trunk/User.pm
===================================================================
--- pve-access-control/trunk/User.pm 2010-08-13 08:46:04 UTC (rev 4997)
+++ pve-access-control/trunk/User.pm 2010-08-13 09:05:45 UTC (rev 4998)
@@ -3,6 +3,7 @@
use strict;
use warnings;
use PVE::INotify qw (read_file write_file);
+use PVE::Tools qw(split_list);
use PVE::AccessControl;
use PVE::SafeSyslog;
@@ -57,7 +58,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string' },
+ userid => { type => 'string' , format => 'pve-userid'},
password => { type => 'string' },
}
},
@@ -80,9 +81,9 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string' },
+ userid => { type => 'string', format => 'pve-userid' },
password => { type => 'string', optional => 1 },
- groups => { type => 'string', optional => 1 },
+ groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
},
},
returns => { type => 'null' },
@@ -111,7 +112,7 @@
PVE::AccessControl::enable_user($username, $usercfg);
if ($param->{groups}) {
- foreach my $group (PVE::AccessControl::split_list($param->{groups})) {
+ foreach my $group (split_list($param->{groups})) {
if ($usercfg->{groups}->{$group}) {
PVE::AccessControl::add_user_group($username, $usercfg, $group);
} else {
@@ -138,7 +139,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string' },
+ userid => { type => 'string', format => 'pve-userid' },
},
},
returns => {},
@@ -166,9 +167,9 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string' },
+ userid => { type => 'string', format => 'pve-userid' },
password => { type => 'string', optional => 1 },
- groups => { type => 'string', optional => 1 },
+ groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
append => {
type => 'boolean',
optional => 1,
@@ -214,7 +215,7 @@
if (!$param->{append} && $param->{groups});
if ($param->{groups}) {
- foreach my $group (PVE::AccessControl::split_list($param->{groups})) {
+ foreach my $group (split_list($param->{groups})) {
if ($usercfg->{groups}->{$group}) {
PVE::AccessControl::add_user_group($username, $usercfg, $group);
} else {
@@ -246,7 +247,7 @@
parameters => {
additionalProperties => 0,
properties => {
- userid => { type => 'string' },
+ userid => { type => 'string', format => 'pve-userid' },
}
},
returns => { type => 'null' },