Unverified Commit 82b6c778 authored by Francesc Guasch's avatar Francesc Guasch Committed by GitHub

Merge pull request #699 from UPC/698_grants

feat(grants): enable or disable grant types
parents d5117808 2376fcd7
......@@ -132,8 +132,8 @@ sub BUILD {
$self->_create_tables();
$self->_upgrade_tables();
$self->_init_user_daemon();
$self->_update_data();
$self->_init_user_daemon();
}
sub _init_user_daemon {
......@@ -651,10 +651,75 @@ sub _update_data {
$self->_remove_old_isos();
$self->_update_isos();
$self->_update_grants();
$self->_enable_grants();
$self->_update_user_grants();
$self->_update_domain_drivers_types();
$self->_update_domain_drivers_options();
$self->_update_old_qemus();
}
sub _update_grants($self) {
my $sth = $CONNECTOR->dbh->prepare(
"UPDATE grant_types"
." SET name='create_machine' "
." WHERE name = 'create_domain'"
);
$sth->execute();
}
sub _null_grants($self) {
my $sth = $CONNECTOR->dbh->prepare("SELECT count(*) FROM grant_types "
." WHERE enabled = NULL "
);
$sth->execute;
my ($count) = $sth->fetchrow;
exit if !$count && $self->{_null}++;
return $count;
}
sub _enable_grants($self) {
return if $self->_null_grants();
my $sth = $CONNECTOR->dbh->prepare(
"UPDATE grant_types set enabled=0"
);
$sth->execute;
my @grants = (
'change_settings', 'change_settings_all', 'change_settings_clones'
,'clone', 'clone_all', 'create_base', 'create_machine'
,'grant'
,'manage_users'
,'remove', 'remove_all', 'remove_clone', 'remove_clone_all'
,'shutdown_all', 'shutdown_clone'
);
$sth = $CONNECTOR->dbh->prepare("SELECT id,name FROM grant_types");
$sth->execute;
my %grant_exists;
while (my ($id, $name) = $sth->fetchrow ) {
$grant_exists{$name} = $id;
}
$sth = $CONNECTOR->dbh->prepare(
"UPDATE grant_types set enabled=1 WHERE name=?"
);
my %done;
for my $name ( sort @grants ) {
die "Duplicate grant $name " if $done{$name};
die "Permission $name doesn't exist at table grant_types"
."\n".Dumper(\%grant_exists)
if !$grant_exists{$name};
$sth->execute($name);
}
}
sub _update_old_qemus($self) {
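Review bot: `WHERE enabled = NULL` in `_null_grants` never matches a row — a comparison with NULL is never true in MySQL or SQLite — so `count(*)` is always 0, the early return in `_enable_grants` never fires, and the unconditional `UPDATE grant_types set enabled=0` plus the hard-coded list runs on every `_update_data`; the test wanted is `." WHERE enabled IS NULL "`. As written, any change an administrator makes to `enabled` in the table is reverted at the next daemon start, so if the flag is meant to be configurable the reset must be a one-time migration rather than part of startup. `exit if !$count && $self->{_null}++;` terminates the whole process from a library method on the second call, with no message; `confess` with a reason would at least explain the failure. Note that once the comparison is fixed a fresh database, whose schema defaults `enabled` to NULL, would take the early return and never apply the list, while an upgraded one (`not null default 1`) would, so confirm which branch is meant to run before changing it.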
......@@ -831,6 +896,8 @@ sub _upgrade_tables {
$self->_upgrade_table('domains_network','allowed','int not null default 1');
$self->_upgrade_table('grant_types','enabled','int not null default 1');
}
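Review bot: `_upgrade_table('grant_types','enabled','int not null default 1')` marks every existing grant type enabled on an upgraded database, while the new schema files declare the column as `enabled int default NULL` (the MySQL and SQLite hunks below), so a fresh database stores NULL — read as disabled by `_load_grants`, `grant_admin_permissions` and `list_all_permissions` — for every row whose INSERT omits the column. The same table thus has two different defaults depending on install path, and only the rewrite in `_enable_grants` hides the difference. For a permission flag the conservative choice is deny unless explicitly enabled: `int not null default 0` here and `NOT NULL DEFAULT 0` in both schema files. `_upgrade_tables` starts before this hunk.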
......@@ -345,9 +345,9 @@ sub is_operator {
my $self = shift;
return $self->is_admin()
|| $self->can_shutdown_clone()
|| $self->can_hibernate_clone()
# || $self->can_hibernate_clone()
|| $self->can_change_settings_clones()
|| $self->can_remove_clone()
# || $self->can_remove_clone()
|| $self->can_remove_clone_all()
|| $self->can_create_base()
|| $self->can_create_machine();
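Review bot: `can_remove_clone` is dropped from the operator test while `remove_clone` stays in the enabled list in `_enable_grants`, so a user whose only management grant is remove_clone is no longer an operator by this method — confirm that is intended and not carried along with the hibernate removal. The removed alternatives are kept as comments here, in `grant_user_permissions` (`# $self->grant($user, 'screenshot');`) and in `test_defaults`; delete them instead, version control keeps the history. `is_operator` starts before this hunk.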
......@@ -554,18 +554,22 @@ sub can_do($self, $grant) {
}
sub _load_grants($self) {
my $sth = $$CON->dbh->prepare(
"SELECT gt.name, gu.allowed"
my $sth;
eval { $sth= $$CON->dbh->prepare(
"SELECT gt.name, gu.allowed, gt.enabled"
." FROM grant_types gt LEFT JOIN grants_user gu "
." ON gt.id = gu.id_grant "
." AND gu.id_user=?"
);
$sth->execute($self->id);
my ($name, $allowed);
$sth->bind_columns(\($name, $allowed));
};
confess $@ if $@;
my ($name, $allowed, $enabled);
$sth->bind_columns(\($name, $allowed, $enabled));
while ($sth->fetch) {
$self->{_grant}->{$name} = $allowed;# or undef);
$self->{_grant}->{$name} = $allowed if $enabled;
$self->{_grant_disabled}->{$name} = !$enabled;
}
$sth->finish;
}
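Review bot: `$self->{_grant}->{$name} = $allowed if $enabled;` assigns only for enabled rows, so if `_load_grants` is ever re-run on an object that already holds grants (not visible in this hunk) a value cached for a grant that has since been disabled survives; assign explicitly, `$self->{_grant}->{$name} = ($enabled ? $allowed : undef);`, so the disabled state always wins. With that, a disabled grant loads as undef and fails any truthiness check, which is the safe default. `$sth->bind_columns(...)` sits outside the eval; if `prepare` fails the `confess` above catches it, so that is fine as long as the `confess $@ if $@;` stays immediately after the block.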
......@@ -580,7 +584,7 @@ sub grant_user_permissions($self,$user) {
$self->grant($user, 'clone');
$self->grant($user, 'change_settings');
$self->grant($user, 'remove');
$self->grant($user, 'screenshot');
# $self->grant($user, 'screenshot');
}
=head2 grant_operator_permissions
......@@ -614,6 +618,7 @@ Grant an user all the permissions
sub grant_admin_permissions($self,$user) {
my $sth = $$CON->dbh->prepare(
"SELECT name FROM grant_types "
." WHERE enabled=1"
);
$sth->execute();
while ( my ($name) = $sth->fetchrow) {
......@@ -654,6 +659,10 @@ Grant an user a specific permission, or revoke it
=cut
sub grant($self,$user,$permission,$value=1) {
confess "ERROR: permission '$permission' disabled "
if $self->{_grant_disabled}->{$permission};
if ( !$self->can_grant() && $self->name ne $Ravada::USER_DAEMON_NAME ) {
my @perms = $self->list_permissions();
confess "ERROR: ".$self->name." can't grant permissions for ".$user->name."\n"
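Review bot: The new disabled check in `grant` consults the granting user's in-memory `$self->{_grant_disabled}`, which is populated only when `_load_grants` has run on `$self`; for the `$Ravada::USER_DAEMON_NAME` path, which bypasses `can_grant()`, nothing in this hunk guarantees that, so with an unloaded object a disabled permission could still be granted. Checking the table directly, `SELECT enabled FROM grant_types WHERE name=?`, makes the guard independent of object state. `grant`'s body continues past the hunk.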
......@@ -713,7 +722,9 @@ sub list_all_permissions($self) {
return if !$self->is_admin;
my $sth = $$CON->dbh->prepare(
"SELECT * FROM grant_types ORDER BY name"
"SELECT * FROM grant_types"
." WHERE enabled=1 "
." ORDER BY name "
);
$sth->execute;
my @list;
......@@ -438,7 +438,7 @@ get '/machine/pause/(:id).(:type)' => sub {
get '/machine/hybernate/(:id).(:type)' => sub {
my $c = shift;
return access_denied($c) if !$USER ->can_hibernate_all();
return access_denied($c) if !$USER ->is_admin();
return hybernate_machine($c);
};
/* any user should be allowed these */
INSERT INTO grant_types(name,description) VALUES('clone',"can clone public virtual machines.");
INSERT INTO grant_types(name,description) VALUES('change_settings',"can change the settings of owned virtual machines.");
INSERT INTO grant_types(name,description) VALUES('remove',"can remove any virtual machines owned by the user.");
INSERT INTO grant_types(name,description,enabled) VALUES('clone',"can clone public virtual machines.",1);
INSERT INTO grant_types(name,description,enabled) VALUES('change_settings',"can change the settings of owned virtual machines.",1);
INSERT INTO grant_types(name,description,enabled) VALUES('remove',"can remove any virtual machine owned by the user.",1);
INSERT INTO grant_types(name,description) VALUES('screenshot',"can take a screenshot of any virtual machine owned by the user.");
/* managers should be allowed these */
......@@ -10,13 +10,13 @@ INSERT INTO grant_types(name,description) VALUES('create_machine',"can create vi
INSERT INTO grant_types(name,description) VALUES('create_base',"can create bases.");
/* managers should be allowed these */
INSERT INTO grant_types(name,description) VALUES('change_settings_clones',"can change the settings of any virtual machines cloned from one base owned by the user.");
INSERT INTO grant_types(name,description) VALUES('change_settings_clones',"can change the settings of any virtual machine cloned from one base owned by the user.");
INSERT INTO grant_types(name,description) VALUES('remove_clone',"can remove clones from virtual machines owned by the user.");
INSERT INTO grant_types(name,description) VALUES('shutdown_clone',"can shutdown clones from virtual machines owned by the user.");
INSERT INTO grant_types(name,description) VALUES('hibernate_clone',"can hibernate clones from virtual machines owned by the user.");
/* operators should be allowed these */
INSERT INTO grant_types(name,description) VALUES('change_settings_all',"can change the settings of any virtual machines.");
INSERT INTO grant_types(name,description) VALUES('change_settings_all',"can change the settings of any virtual machine.");
INSERT INTO grant_types(name,description) VALUES('remove_clone_all',"can remove any clone.");
INSERT INTO grant_types(name,description) VALUES('hibernate_clone_all',"can hibernate any clone.");
......@@ -27,5 +27,5 @@ INSERT INTO grant_types(name,description) VALUES('shutdown_all',"can shutdown an
INSERT INTO grant_types(name,description) VALUES('hibernate_all',"can hibernate any virtual machine.");
INSERT INTO grant_types(name,description) VALUES('screenshot_all',"can take a screenshot of any virtual machine.");
INSERT INTO grant_types(name,description) VALUES('grant','can grant permissions to other users');
INSERT INTO grant_types(name,description, enabled) VALUES('grant','can grant permissions to other users', 1);
INSERT INTO grant_types(name,description) VALUES('manage_users','can manage users.');
......@@ -2,6 +2,7 @@ CREATE TABLE `grant_types` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` char(32) NOT NULL,
`description` varchar(255) NOT NULL,
`enabled` int default NULL,
UNIQUE(`name`),
UNIQUE(`description`),
PRIMARY KEY (`id`)
CREATE TABLE `grant_types` (
`id` integer NOT NULL primary key AUTOINCREMENT,
`name` char(32) NOT NULL,
`description` varchar(255) NOT NULL,
UNIQUE (`name`),
UNIQUE (`description`)
`id` integer NOT NULL PRIMARY KEY AUTOINCREMENT
, `name` char(32) NOT NULL
, `description` varchar(255) NOT NULL
, `enabled` integer default NULL
, UNIQUE(`name`)
, UNIQUE(`description`)
);
......@@ -18,6 +18,9 @@ my $test = Test::SQL::Data->new(config => 't/etc/sql.conf');
my $CONFIG_FILE = 't/etc/ravada_ldap_1.conf';
init($test->connector, $CONFIG_FILE);
rvd_back();
my $RVD_FRONT;
my $USER_DATA;
......@@ -129,7 +129,6 @@ sub rvd_back {
, config => ( $CONFIG or $DEFAULT_CONFIG)
, warn_error => 0
);
$rvd->_update_isos();
$USER_ADMIN = create_user('admin','admin',1) if !$USER_ADMIN;
$ARG_CREATE_DOM{KVM} = [ id_iso => search_id_iso('Alpine') ];
......@@ -155,7 +154,6 @@ sub init {
$Ravada::CONNECTOR = $CONNECTOR if !$Ravada::CONNECTOR;
Ravada::Auth::SQL::_init_connector($CONNECTOR);
$USER_ADMIN = create_user('admin','admin',1) if $create_user;
$Ravada::Domain::MIN_FREE_MEMORY = 512*1024;
......@@ -29,31 +29,31 @@ sub test_defaults {
ok($user->can_clone);
ok($user->can_change_settings);
ok($user->can_screenshot);
# ok($user->can_screenshot);
ok($user->can_remove);
ok(!$user->can_remove_clone);
ok(!$user->can_clone_all);
# ok(!$user->can_clone_all);
ok(!$user->can_change_settings_all);
ok(!$user->can_change_settings_clones);
ok(!$user->can_screenshot_all);
# ok(!$user->can_screenshot_all);
ok(!$user->can_grant);
ok(!$user->can_create_base);
ok(!$user->can_create_machine);
ok(!$user->can_remove_all);
# ok(!$user->can_remove_all);
ok(!$user->can_remove_clone_all);
ok(!$user->can_shutdown_clone);
# ok(!$user->can_shutdown_clone);
ok(!$user->can_shutdown_all);
ok(!$user->can_hibernate_clone);
ok(!$user->can_hibernate_all);
ok(!$user->can_hibernate_clone_all);
# ok(!$user->can_hibernate_clone);
# ok(!$user->can_hibernate_all);
# ok(!$user->can_hibernate_clone_all);
ok(!$user->can_manage_users);
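Review bot: The negative assertions are commented out rather than kept, although a grant that is disabled or simply not granted by default should still read as false — `ok(!$user->can_clone_all);`, `ok(!$user->can_hibernate_all);` and the others are exactly the regression test that disabling works, assuming the `can_*` accessors read `$self->{_grant}`. Only `ok($user->can_screenshot)` needs to change, and it should become `ok(!$user->can_screenshot);` now that `grant_user_permissions` no longer grants it, rather than disappear. `test_defaults` starts before this hunk.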
......@@ -134,6 +134,7 @@ sub test_remove_clone {
ok($clone2, "Expecting ".$clone->name." not removed");
$usera->grant($user,'remove_clone');
is($user->can_remove_clone, 1);
eval { $clone->remove($user); };
is($@,'');
......@@ -173,7 +174,8 @@ sub test_view_clones {
my $clones;
eval{ $clones = rvd_front->list_clones() };
is(scalar @$clones,0) or return;
is($@,'');
is(scalar @$clones,0, Dumper($clones)) or return;
my $clone = $domain->clone(user => $usera,name => new_domain_name());
eval{ $clones = rvd_front->list_clones() };
......@@ -212,6 +214,7 @@ sub test_shutdown_clone {
is($clone->is_active,1) or return;
$usera->grant($user,'shutdown_clone');
is($user->can_shutdown_clone,1);
eval { $clone->shutdown_now($user); };
is($@,'');
......@@ -635,11 +638,18 @@ sub test_change_settings($vm_name) {
is($user->can_change_settings($clone->id), 1);
is($usera->can_change_settings($clone->id), 1);
$clone->remove(user_admin);
$domain->remove(user_admin);
$user->remove();
$usera->remove();
}
sub test_clone_all {
diag("TODO test clone all");
}
##########################################################
test_defaults();
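Review bot: `test_clone_all` takes no parameter and ignores the `$vm_name` the caller in the next hunk passes, and `diag("TODO test clone all")` is plain console output, so the missing coverage never appears in the test summary; use Test::More's `local $TODO = 'test clone all';` around a placeholder assertion, or a `SKIP:` block, so it is tracked. At that call site the neighbouring tests pass the literal `'Void'` while this one passes `$vm_name`, which is not declared anywhere visible — under `use strict` that is a compile error unless a file-scope variable exists outside this diff — so pass `'Void'` explicitly to match.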
......@@ -667,4 +677,6 @@ test_create_domain('Void');
test_create_domain2('Void');
test_view_clones('Void');
test_clone_all($vm_name);
done_testing();
......@@ -245,7 +245,7 @@
<i class="fa fa-play"></i>
</a>
% }
% if ($_user-> can_hibernate_all){
% if ($_user->is_admin){
<a type="button" class="btn btn-warning btn-sm"
ng-click="action('machine','hybernate',machine.id)"
ng-disabled="!machine.is_active"
......@@ -97,7 +97,7 @@
% }
% if ( $machine->{id_clone}) {
% if ($user->can_change_settings){
% if ($user->can_change_settings || $user->can_change_settings_all){
<a align="right" href="/machine/settings/<%= $machine->{id_clone} %>.html"><i class="fa fa-fw fa-cog" title="<%=l 'Settings' %>"></a></i>
% }
<div ng-show="host_restore == <%= $machine->{id_clone} %>">
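Review bot: The settings link is now rendered for anyone holding the plain `change_settings` grant, regardless of whether they own `$machine->{id_clone}`; that is only a UI hint, so the `/machine/settings` handler must perform the owner-or-`can_change_settings_all` check itself — it is not part of this diff, so confirm it does. If the link should appear only where the action will succeed, mirror the server check by passing the id, `$user->can_change_settings($machine->{id_clone})`, which is the form the tests call.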
......@@ -17,7 +17,7 @@
% if ($domain->drivers && $USER->can_change_settings) {
<li class="nav"><a href="#graphics" data-toggle="tab"><%=l 'Graphics' %></a></li>
% }
% if ($USER->can_clone_all){
% if ($USER->is_admin){
<li class="nav"><a href="#copy" data-toggle="tab"><%=l 'Copy' %></a></li>
% }
% if ( $USER->can_remove || $USER->can_remove_clone_all ) {