From 79615330836ae08cf6ed3773e2eaab7c3fa0cd31 Mon Sep 17 00:00:00 2001

Message-Id: <79615330836ae08cf6ed3773e2eaab7c3fa0cd31.1379193140.git.jdenemar@redhat.com>

From: "Daniel P. Berrange" <berrange@redhat.com>

Date: Thu, 12 Sep 2013 17:34:46 +0100

Subject: [PATCH] Fix naming of permission for detecting storage pools

https://bugzilla.redhat.com/show_bug.cgi?id=700443

The VIR_ACCESS_PERM_CONNECT_DETECT_STORAGE_POOLS enum

constant had its string format be 'detect_storage_pool',

note the missing trailing 's'. This prevent the ACL

check from ever succeeding. Fix this and add a simple

test script to validate this problem of matching names.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit 935e7d02cfd6f5cca04f548d91a04f5f08fa4bcf)

---

 src/Makefile.am            |  8 ++++-

 src/access/viraccessperm.c |  2 +-

 src/check-aclperms.pl      | 73 ++++++++++++++++++++++++++++++++++++++++++++++

 3 files changed, 81 insertions(+), 2 deletions(-)

 create mode 100755 src/check-aclperms.pl

diff --git a/src/Makefile.am b/src/Makefile.am

index 1b734e0..66bb6b9 100644

--- a/src/Makefile.am

+++ b/src/Makefile.am

@@ -508,10 +508,16 @@ check-aclrules:

 		$(REMOTE_PROTOCOL) \

 		$(addprefix $(srcdir)/,$(filter-out /%,$(STATEFUL_DRIVER_SOURCE_FILES)))

+check-aclperms:

+	$(AM_V_GEN)$(PERL) $(srcdir)/check-aclperms.pl \

+		$(srcdir)/access/viraccessperm.h \

+		$(srcdir)/access/viraccessperm.c

+

 EXTRA_DIST += check-driverimpls.pl check-aclrules.pl

 check-local: check-protocol check-symfile check-symsorting \

-	check-drivername check-driverimpls check-aclrules

+	check-drivername check-driverimpls check-aclrules \

+	check-aclperms

 .PHONY: check-protocol $(PROTOCOL_STRUCTS:structs=struct)

 # Mock driver, covering domains, storage, networks, etc

diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c

index 9c720f9..d517c66 100644

--- a/src/access/viraccessperm.c

+++ b/src/access/viraccessperm.c

@@ -30,7 +30,7 @@ VIR_ENUM_IMPL(virAccessPermConnect,

               "search_storage_pools", "search_node_devices",

               "search_interfaces", "search_secrets",

               "search_nwfilters",

-              "detect_storage_pool", "pm_control",

+              "detect_storage_pools", "pm_control",

               "interface_transaction");

 VIR_ENUM_IMPL(virAccessPermDomain,

diff --git a/src/check-aclperms.pl b/src/check-aclperms.pl

new file mode 100755

index 0000000..5b1b4db

--- /dev/null

+++ b/src/check-aclperms.pl

@@ -0,0 +1,73 @@

+#!/usr/bin/perl

+#

+# Copyright (C) 2013 Red Hat, Inc.

+#

+# This library is free software; you can redistribute it and/or

+# modify it under the terms of the GNU Lesser General Public

+# License as published by the Free Software Foundation; either

+# version 2.1 of the License, or (at your option) any later version.

+#

+# This library is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

+# Lesser General Public License for more details.

+#

+# You should have received a copy of the GNU Lesser General Public

+# License along with this library.  If not, see

+# <http://www.gnu.org/licenses/>.

+#

+# This script just validates that the stringified version of

+# a virAccessPerm enum matches the enum constant name. We do

+# a lot of auto-generation of code, so when these don't match

+# problems occur, preventing auth from succeeding at all.

+

+my $hdr = shift;

+my $impl = shift;

+

+my %perms;

+

+my @perms;

+

+open HDR, $hdr or die "cannot read $hdr: $!";

+

+while (<HDR>) {

+    if (/^\s+VIR_ACCESS_PERM_([_A-Z]+)(,?|\s|$)/) {

+        my $perm = $1;

+

+        $perms{$perm} = 1 unless ($perm =~ /_LAST$/);

+    }

+}

+

+close HDR;

+

+

+open IMPL, $impl or die "cannot read $impl: $!";

+

+my $group;

+my $warned = 0;

+

+while (defined (my $line = <IMPL>)) {

+    if ($line =~ /VIR_ACCESS_PERM_([_A-Z]+)_LAST/) {

+        $group = $1;

+    } elsif ($line =~ /"[_a-z]+"/) {

+        my @bits = split /,/, $line;

+        foreach my $bit (@bits) {

+            if ($bit =~ /"([_a-z]+)"/) {

+                my $perm = uc($group . "_" . $1);

+                if (!exists $perms{$perm}) {

+                    print STDERR "Unknown perm string $1 for group $group\n";

+                    $warned = 1;

+                }

+                delete $perms{$perm};

+            }

+        }

+    }

+}

+close IMPL;

+

+foreach my $perm (keys %perms) {

+    print STDERR "Perm $perm had not string form\n";

+    $warned = 1;

+}

+

+exit $warned;

-- 

1.8.3.2