Commit 5a017617 authored by Francesc Guasch's avatar Francesc Guasch

feat(grants): enable or disable grant types

This also sets the permissions that have been
implemented so far. Those must be enabled at
the sub _enable_grants at Ravada.pm

@joelalju, when all the grants are implemented
they should be added there.

issue #698
parent d5117808
...@@ -132,8 +132,8 @@ sub BUILD { ...@@ -132,8 +132,8 @@ sub BUILD {
$self->_create_tables(); $self->_create_tables();
$self->_upgrade_tables(); $self->_upgrade_tables();
$self->_init_user_daemon();
$self->_update_data(); $self->_update_data();
$self->_init_user_daemon();
} }
sub _init_user_daemon { sub _init_user_daemon {
...@@ -651,10 +651,59 @@ sub _update_data { ...@@ -651,10 +651,59 @@ sub _update_data {
$self->_remove_old_isos(); $self->_remove_old_isos();
$self->_update_isos(); $self->_update_isos();
$self->_update_grants();
$self->_enable_grants();
$self->_update_user_grants(); $self->_update_user_grants();
$self->_update_domain_drivers_types(); $self->_update_domain_drivers_types();
$self->_update_domain_drivers_options(); $self->_update_domain_drivers_options();
$self->_update_old_qemus(); $self->_update_old_qemus();
}
sub _update_grants($self) {
my $sth = $CONNECTOR->dbh->prepare(
"UPDATE grant_types"
." SET name='create_machine' "
." WHERE name = 'create_domain'"
);
$sth->execute();
}
sub _enable_grants($self) {
return;
my $sth = $CONNECTOR->dbh->prepare(
"UPDATE grant_types set enabled=0"
);
my @grants = (
'change_settings','clone', 'create_base', 'create_machine'
,'grant'
,'hibernate_clone'
,'remove_clone', 'remove_clone_all'
,'screenshot', 'shutdown_clone'
);
$sth = $CONNECTOR->dbh->prepare("SELECT id,name FROM grant_types");
$sth->execute;
my %grant_exists;
while (my ($id, $name) = $sth->fetchrow ) {
$grant_exists{$name} = $id;
}
$sth = $CONNECTOR->dbh->prepare(
"UPDATE grant_types set enabled=1 WHERE name=?"
);
my %done;
for my $name ( @grants ) {
die "Duplicate grant $name " if $done{$name};
die "Permission $name doesn't exist at table grant_types"
."\n".Dumper(\%grant_exists)
if !$grant_exists{$name};
$sth->execute($name);
}
} }
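Review bot: The bare `return;` on the first line of `_enable_grants` makes everything after it dead code, so no grant type is ever switched off and every row keeps the `enabled` default of 1, including the grant types the commit message says are not implemented yet; if the early exit is a deliberate stop-gap it needs a comment saying so, otherwise it should go. Even with it removed the sub does not do what its name says: the `UPDATE grant_types set enabled=0` handle is prepared but never executed before `$sth` is reassigned to the SELECT, so only the enable step would ever run, and `%done` is read in the duplicate check but never written, so `die "Duplicate grant ..."` cannot fire. The three one-line fixes are to drop the `return;`, add `$sth->execute();` directly after the first prepare, and make the check `die "Duplicate grant $name " if $done{$name}++;`. The sub also calls `Dumper`, which needs `Data::Dumper` imported at the top of this file — that is outside the hunk, so please confirm it is there.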
sub _update_old_qemus($self) { sub _update_old_qemus($self) {
...@@ -831,6 +880,8 @@ sub _upgrade_tables { ...@@ -831,6 +880,8 @@ sub _upgrade_tables {
$self->_upgrade_table('domains_network','allowed','int not null default 1'); $self->_upgrade_table('domains_network','allowed','int not null default 1');
$self->_upgrade_table('grant_types','enabled','int not null default 1');
} }
......
...@@ -554,18 +554,22 @@ sub can_do($self, $grant) { ...@@ -554,18 +554,22 @@ sub can_do($self, $grant) {
} }
sub _load_grants($self) { sub _load_grants($self) {
my $sth = $$CON->dbh->prepare( my $sth;
"SELECT gt.name, gu.allowed" eval { $sth= $$CON->dbh->prepare(
"SELECT gt.name, gu.allowed, gt.enabled"
." FROM grant_types gt LEFT JOIN grants_user gu " ." FROM grant_types gt LEFT JOIN grants_user gu "
." ON gt.id = gu.id_grant " ." ON gt.id = gu.id_grant "
." AND gu.id_user=?" ." AND gu.id_user=?"
); );
$sth->execute($self->id); $sth->execute($self->id);
my ($name, $allowed); };
$sth->bind_columns(\($name, $allowed)); confess $@ if $@;
my ($name, $allowed, $enabled);
$sth->bind_columns(\($name, $allowed, $enabled));
while ($sth->fetch) { while ($sth->fetch) {
$self->{_grant}->{$name} = $allowed;# or undef); $self->{_grant}->{$name} = $allowed if $enabled;
$self->{_grant_disabled}->{$name} = !$enabled;
} }
$sth->finish; $sth->finish;
} }
...@@ -654,6 +658,10 @@ Grant an user a specific permission, or revoke it ...@@ -654,6 +658,10 @@ Grant an user a specific permission, or revoke it
=cut =cut
sub grant($self,$user,$permission,$value=1) { sub grant($self,$user,$permission,$value=1) {
confess "ERROR: permission '$permission' disabled "
if $self->{_grant_disabled}->{$permission};
if ( !$self->can_grant() && $self->name ne $Ravada::USER_DAEMON_NAME ) { if ( !$self->can_grant() && $self->name ne $Ravada::USER_DAEMON_NAME ) {
my @perms = $self->list_permissions(); my @perms = $self->list_permissions();
confess "ERROR: ".$self->name." can't grant permissions for ".$user->name."\n" confess "ERROR: ".$self->name." can't grant permissions for ".$user->name."\n"
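Review bot: The new guard at the top of `grant()` reads `$self->{_grant_disabled}`, which is only populated by `_load_grants`, so on a user object whose grants have not been loaded yet the check passes silently; unless `can_grant()` on the following line is guaranteed to trigger `_load_grants` first, load explicitly, e.g. `$self->_load_grants() if !$self->{_grant_disabled};` before the `confess`. In `_load_grants`, `$self->{_grant}->{$name} = $allowed if $enabled;` leaves any value loaded earlier for a grant that has since been disabled in place, because the hash is never cleared at the top of the sub; if the sub can run more than once on the same object, pair it with `delete $self->{_grant}->{$name} unless $enabled;`. The guard also rejects revocation (`$value` of 0) of a disabled permission, which seems worth allowing so stale `grants_user` rows can still be cleaned up — if blocking it is intended, a short comment on the `confess` line would spare the next reader the question.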
......
...@@ -2,6 +2,7 @@ CREATE TABLE `grant_types` ( ...@@ -2,6 +2,7 @@ CREATE TABLE `grant_types` (
`id` int(11) NOT NULL AUTO_INCREMENT, `id` int(11) NOT NULL AUTO_INCREMENT,
`name` char(32) NOT NULL, `name` char(32) NOT NULL,
`description` varchar(255) NOT NULL, `description` varchar(255) NOT NULL,
`enabled` int not null default 1,
UNIQUE(`name`), UNIQUE(`name`),
UNIQUE(`description`), UNIQUE(`description`),
PRIMARY KEY (`id`) PRIMARY KEY (`id`)
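Review bot: The new `enabled` column defaults to 1 here and in the sqlite schema in the next section, so every grant type — including ones that have no implementation yet — is active unless application code explicitly sets it to 0; the commit message says `_enable_grants` is meant to do that, but as committed that sub returns immediately, so the default is what users actually get. A default of 0 with the application enabling the implemented grants would fail closed instead; if 1 is kept on purpose (existing installs receive the column through `_upgrade_table` and must not lose their grants), a one-line comment in the schema would record that decision. On style, the new line mixes lowercase `int not null default 1` with the uppercase `NOT NULL` of the surrounding rows; `` `enabled` int NOT NULL DEFAULT 1, `` matches them.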
......
CREATE TABLE `grant_types` ( CREATE TABLE `grant_types` (
`id` integer NOT NULL primary key AUTOINCREMENT, `id` integer NOT NULL PRIMARY KEY AUTOINCREMENT
`name` char(32) NOT NULL, , `name` char(32) NOT NULL
`description` varchar(255) NOT NULL, , `description` varchar(255) NOT NULL
UNIQUE (`name`), , `enabled` integer not null default 1
UNIQUE (`description`) , UNIQUE(`name`)
, UNIQUE(`description`)
); );
...@@ -129,7 +129,6 @@ sub rvd_back { ...@@ -129,7 +129,6 @@ sub rvd_back {
, config => ( $CONFIG or $DEFAULT_CONFIG) , config => ( $CONFIG or $DEFAULT_CONFIG)
, warn_error => 0 , warn_error => 0
); );
$rvd->_update_isos();
$USER_ADMIN = create_user('admin','admin',1) if !$USER_ADMIN; $USER_ADMIN = create_user('admin','admin',1) if !$USER_ADMIN;
$ARG_CREATE_DOM{KVM} = [ id_iso => search_id_iso('Alpine') ]; $ARG_CREATE_DOM{KVM} = [ id_iso => search_id_iso('Alpine') ];
...@@ -155,7 +154,6 @@ sub init { ...@@ -155,7 +154,6 @@ sub init {
$Ravada::CONNECTOR = $CONNECTOR if !$Ravada::CONNECTOR; $Ravada::CONNECTOR = $CONNECTOR if !$Ravada::CONNECTOR;
Ravada::Auth::SQL::_init_connector($CONNECTOR); Ravada::Auth::SQL::_init_connector($CONNECTOR);
$USER_ADMIN = create_user('admin','admin',1) if $create_user;
$Ravada::Domain::MIN_FREE_MEMORY = 512*1024; $Ravada::Domain::MIN_FREE_MEMORY = 512*1024;
......
...@@ -173,7 +173,8 @@ sub test_view_clones { ...@@ -173,7 +173,8 @@ sub test_view_clones {
my $clones; my $clones;
eval{ $clones = rvd_front->list_clones() }; eval{ $clones = rvd_front->list_clones() };
is(scalar @$clones,0) or return; is($@,'');
is(scalar @$clones,0, Dumper($clones)) or return;
my $clone = $domain->clone(user => $usera,name => new_domain_name()); my $clone = $domain->clone(user => $usera,name => new_domain_name());
eval{ $clones = rvd_front->list_clones() }; eval{ $clones = rvd_front->list_clones() };
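Review bot: The new `is($@,'')` after the first `list_clones()` call reports a failure but does not stop the test, so when the eval died `$clones` is still undef and `scalar @$clones` on the next line dies under `strict refs`, hiding the real error behind an "undefined value as an ARRAY reference" message; write it as `is($@,'') or return;`, matching the line that follows it. `Dumper($clones)` also needs `Data::Dumper` imported in this test file — outside the hunk, so please confirm.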
...@@ -635,6 +636,9 @@ sub test_change_settings($vm_name) { ...@@ -635,6 +636,9 @@ sub test_change_settings($vm_name) {
is($user->can_change_settings($clone->id), 1); is($user->can_change_settings($clone->id), 1);
is($usera->can_change_settings($clone->id), 1); is($usera->can_change_settings($clone->id), 1);
$clone->remove(user_admin);
$domain->remove(user_admin);
$user->remove(); $user->remove();
$usera->remove(); $usera->remove();
......