Commit cfa73fa1 authored by Francesc Guasch's avatar Francesc Guasch

feature(auth): deny by LDAP attribute

issue #922
parent e2183630
......@@ -1025,7 +1025,7 @@ LDAP external authentication
sub ldap_entry($self) {
confess "Error: User ".$self->name." is not in LDAP external auth"
if $self->external_auth ne 'ldap';
if !$self->external_auth || $self->external_auth ne 'ldap';
return $self->{_ldap_entry} if $self->{_ldap_entry};
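Review bot: The two-clause guard on the new line of `ldap_entry` can be written as one defined-or expression, `if ($self->external_auth // '') ne 'ldap';`, which reads as a single condition and avoids calling the accessor twice. The same check is repeated in `_load_allowed` in the next hunk; a small `_is_ldap_user` helper would keep the two in step if the rule ever changes. The rest of `ldap_entry` is outside the hunk.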
......@@ -316,17 +316,35 @@ sub allowed_access($self,$id_domain) {
return 0;
}
sub _list_domains_access($self) {
my @domains;
my $sth = $$CONNECTOR->dbh->prepare(
"SELECT distinct(id_domain) FROM access_ldap_attribute"
);
$sth->execute();
while (my ($id_domain) = $sth->fetchrow) {
push @domains, ($id_domain);
}
$sth->finish;
return @domains;
}
sub _load_allowed {
my $self = shift;
my $refresh = shift;
return if !$refresh && $self->{_load_allowed}++;
return if !$self->external_auth || $self->external_auth ne 'ldap';
my $ldap_entry;
$ldap_entry = $self->ldap_entry if $self->external_auth && $self->external_auth eq 'ldap';
my @domains = $self->_list_domains_access();
for my $id_domain ( @domains ) {
my $sth = $$CONNECTOR->dbh->prepare(
"SELECT attribute, value, allowed, last "
"SELECT attribute, value, allowed "
." FROM access_ldap_attribute"
." WHERE id_domain=?"
." ORDER BY n_order "
......@@ -334,20 +352,17 @@ sub _load_allowed {
$sth->execute($id_domain);
my ($n_allowed, $n_denied) = ( 0,0 );
while ( my ($attribute, $value, $allowed, $last) = $sth->fetchrow) {
while ( my ($attribute, $value, $allowed) = $sth->fetchrow) {
$n_allowed++ if $allowed;
$n_denied++ if !$allowed;
if ( $value eq '*' ) {
$self->{_allowed}->{$id_domain} = $allowed
if !exists $self->{_allowed}->{$id_domain};
last;
} elsif ( $ldap_entry && defined $ldap_entry->get_value($attribute)
&& $ldap_entry->get_value($attribute) eq $value ) {
if ( $value eq '*'
|| ( $ldap_entry && defined $ldap_entry->get_value($attribute)
&& $ldap_entry->get_value($attribute) eq $value )) {
$self->{_allowed}->{$id_domain} = $allowed;
last if !$allowed || $last;
last if !$allowed;
}
}
$sth->finish;
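Review bot: The rewritten match condition compares `$ldap_entry->get_value($attribute)` in scalar context, which (if `$ldap_entry` is a Net::LDAP::Entry, as the name suggests) yields only the first value of a multi-valued attribute, so a deny rule on an attribute such as a group membership would be bypassed whenever the matching value is not listed first. Matching against all values, `|| ( $ldap_entry && grep { $_ eq $value } $ldap_entry->get_value($attribute) )`, closes that gap and also drops the double accessor call. Because `last if !$allowed;` stops the loop on the first matching deny rule, `$n_allowed` and `$n_denied` only count rows read so far; the default computed from them in the next hunk should be read with that in mind. The enclosing function starts in the previous hunk and ends in the next.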
......@@ -359,10 +374,9 @@ sub _load_allowed {
if ($n_allowed && !$n_denied) {
$self->{_allowed}->{$id_domain} = 0;
} else {
$self->{_allowed}->{$id_domain} = 0;
$self->{_allowed}->{$id_domain} = 1;
}
}
$sth->finish;
}
1;
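Review bot: The changed `else` branch now sets `$self->{_allowed}->{$id_domain} = 1` for a user who matched no rule whenever the domain has at least one deny rule, because `$n_allowed && !$n_denied` is false as soon as `$n_denied` is non-zero; a domain configured with an allow-list plus a single deny rule therefore stops behaving as an allow-list. If the intent is "default deny whenever any allow rule is configured, default allow when only deny rules exist", the condition should be `if ($n_allowed) {`. Whatever is decided, the policy deserves a comment next to the branch, e.g. `# no rule matched: allow-only lists deny by default, deny-only lists allow by default`. The `if` that guards this default begins outside the hunk, so I cannot see whether it is skipped when a rule already set the value.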
......@@ -3022,7 +3022,7 @@ Example:
=cut
sub allow_ldap_access($self, $attribute, $value, $allowed=1, $last=0 ) {
sub allow_ldap_attribute($self, $attribute, $value, $allowed=1 ) {
my $sth = $$CONNECTOR->dbh->prepare(
"SELECT max(n_order) from access_ldap_attribute"
." WHERE id_domain = ? "
......@@ -3033,36 +3033,12 @@ sub allow_ldap_access($self, $attribute, $value, $allowed=1, $last=0 ) {
$sth = $$CONNECTOR->dbh->prepare(
"INSERT INTO access_ldap_attribute "
."(id_domain, attribute, value, allowed, n_order, last) "
."VALUES(?,?,?,?,?,?)");
$sth->execute($self->id, $attribute, $value, $allowed, $n_order+1, $last);
}
#TODO: check something has been deleted
sub delete_ldap_access($self, $id_access) {
my $sth = $$CONNECTOR->dbh->prepare(
"DELETE FROM access_ldap_attribute "
."WHERE id_domain=? AND id=? ");
$sth->execute($self->id, $id_access);
}
sub list_ldap_access($self) {
my $sth = $$CONNECTOR->dbh->prepare(
"SELECT * from access_ldap_attribute"
." WHERE id_domain = ? "
." ORDER BY n_order"
);
$sth->execute($self->id);
my @list;
while (my $row = $sth->fetchrow_hashref) {
$row->{last} = 1 if !$row->{allowed} && !$row->{last};
push @list,($row) if keys %$row;
}
return @list;
."(id_domain, attribute, value, allowed) "
."VALUES(?,?,?,?)");
$sth->execute($self->id, $attribute, $value, $allowed);
}
=head2 deny_ldap_access
=head2 deny_ldap_attribute
If specified, only the LDAP users with that attribute value can clone these
virtual machines.
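Review bot: The POD heading was renamed to `=head2 deny_ldap_attribute`, but the unchanged description beneath it still reads "only the LDAP users with that attribute value can clone these virtual machines", which describes the allow function; for a deny rule it should say something like "LDAP users whose attribute has this value are denied cloning these virtual machines." The POD block continues into the next hunk, where the `Example:` text may need the same update. Separately, the new `INSERT` no longer writes the `last` column while the `SELECT max(n_order)` a few lines above still orders rules; if the column is still in the schema it will now always take its default, which is worth a note in the migration or schema file.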
......@@ -3075,62 +3051,8 @@ Example:
=cut
sub deny_ldap_access($self, $attribute, $value) {
$self->allow_ldap_access($attribute, $value, 0);
}
sub _set_access_order($self, $id_access, $n_order) {
my $sth = $$CONNECTOR->dbh->prepare("UPDATE access_ldap_attribute "
." SET n_order=? WHERE id=? AND id_domain=?");
$sth->execute($n_order, $id_access, $self->id);
}
sub move_ldap_access($self, $id_access, $position) {
confess "Error: You can only move position +1 or -1"
if ($position != -1 && $position != 1);
my @list = $self->list_ldap_access();
my $index;
for my $n (0 .. $#list) {
if (defined $list[$n] && $list[$n]->{id} == $id_access ) {
$index = $n;
last;
}
}
confess "Error: access id: $id_access not found for domain ".$self->id
."\n".Dumper(\@list)
if !defined $index;
my ($n_order) = $list[$index]->{n_order};
die "Error: position $index has no n_order for domain ".$self->id
."\n".Dumper(\@list)
if !defined $n_order;
my $index2 = $index + $position;
die "Error: position $index2 has no id for domain ".$self->id
."\n".Dumper(\@list)
if !defined $list[$index2] || !defined$list[$index2]->{id};
my ($id_access2, $n_order2) = ($list[$index2]->{id}, $list[$index2]->{n_order});
die "Error: position ".$index2." not found for domain ".$self->id
."\n".Dumper(\@list)
if !defined $id_access2;
die "Error: n_orders are the same for index $index and ".($index+$position)
."in \n".Dumper(\@list)
if $n_order == $n_order2;
$self->_set_access_order($id_access, $n_order2);
$self->_set_access_order($id_access2, $n_order);
}
sub set_ldap_access($self, $id_access, $allowed, $last) {
my $sth = $$CONNECTOR->dbh->prepare("UPDATE access_ldap_attribute "
." SET allowed=?, last=?"
." WHERE id=?");
$sth->execute($allowed, $last, $id_access);
sub deny_ldap_attribute($self, $attribute, $value) {
$self->allow_ldap_attribute($attribute, $value, 0);
}
1;
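Review bot: This hunk removes `list_ldap_access`, `move_ldap_access`, `_set_access_order` and `set_ldap_access` (with `delete_ldap_access` going in the previous hunk) without a replacement, so, as far as this page shows, rules inserted by `allow_ldap_attribute` can no longer be listed, reordered or removed through the domain object; any remaining caller of those names would now die with an undefined-subroutine error, though I cannot see the callers from here. If listing and deletion are meant to return later, a `# TODO:` marker near `deny_ldap_attribute` would record that. Minor: `deny_ldap_attribute` implicitly returns whatever `allow_ldap_attribute` returns; an explicit `return;` makes the "no useful value" contract clear.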