Oved Ourfali has uploaded a new change for review. Change subject: aaa: Changing search logic at internal authz ......................................................................
aaa: Changing search logic at internal authz
If the user that is searched is not substring (asteriks are taken into consideration) of the admin user name, the internal authz will not return a user
Topic: AAA
Change-Id: I2ae66d23862ad5d4da2f2e2e6a903119e859fd39
Bug-Url: https:/bugzilla.redhat.com/1100321
Signed-off-by: Yair Zaslavsky <[email protected]>
(cherry picked from commit 057da72b9215ca99d14773240081543f95e43070)
---
M backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
1 file changed, 35 insertions(+), 7 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/04/33704/1
diff --git a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
index f36cf14..0cec7c2 100644
--- a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
+++ b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalAuthz.java
@@ -1,9 +1,11 @@
 package org.ovirt.engine.extensions.aaa.builtin.internal;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Properties;
 import org.ovirt.engine.api.extensions.Base;
+import org.ovirt.engine.api.extensions.ExtKey;
 import org.ovirt.engine.api.extensions.ExtMap;
 import org.ovirt.engine.api.extensions.ExtUUID;
 import org.ovirt.engine.api.extensions.Extension;
@@ -21,14 +23,16 @@
 private ExtMap adminUser;
+ private String userName;
+
 private static class Opaque {
 private boolean firstCall;
- private boolean isUser;
+ private boolean found;
- public Opaque(boolean isUser) {
+ public Opaque(boolean found) {
 firstCall = true;
- this.isUser = isUser;
+ this.found = found;
 }
 }
@@ -44,8 +48,7 @@
 } else if (command.equals(Authz.InvokeCommands.QUERY_CLOSE)) {
 // Do nothing
 } else if (command.equals(Authz.InvokeCommands.QUERY_OPEN)) {
- output.put(Authz.InvokeKeys.QUERY_OPAQUE, new Opaque(input.<ExtUUID> get(Authz.InvokeKeys.QUERY_ENTITY)
- .equals(Authz.QueryEntity.PRINCIPAL)));
+ doQueryOpen(input, output);
 } else if (command.equals(Authz.InvokeCommands.QUERY_EXECUTE)) {
 doQueryExecute(input, output);
 } else {
@@ -67,10 +70,35 @@
 }
 }
+ private void doQueryOpen(ExtMap input, ExtMap output) {
+ if (input.get(Authz.InvokeKeys.QUERY_ENTITY).equals(Authz.QueryEntity.PRINCIPAL)) {
+ output.put(Authz.InvokeKeys.QUERY_OPAQUE, new Opaque(doQueryOpenImpl(input.<ExtMap> get(Authz.InvokeKeys.QUERY_FILTER))));
+ } else {
+ output.put(Authz.InvokeKeys.QUERY_OPAQUE, new Opaque(false));
+ }
+ }
+
+ private boolean doQueryOpenImpl(ExtMap filter) {
+ boolean found = false;
+ if (filter.<Integer> get(Authz.QueryFilterRecord.OPERATOR) == Authz.QueryFilterOperator.EQ) {
+ if (filter.<ExtKey> get(Authz.QueryFilterRecord.KEY).equals(Authz.PrincipalRecord.NAME)) {
+ String name = filter.<String> get(Authz.PrincipalRecord.NAME);
+ found = userName.matches(name.replace("*", ".*"));
+ } else {
+ found = false;
+ }
+ } else {
+ for (ExtMap currentFilter : filter.<Collection<ExtMap>> get(Authz.QueryFilterRecord.FILTER)) {
+ found = found || doQueryOpenImpl(currentFilter);
+ }
+ }
+ return found;
+ }
+
 private void doQueryExecute(ExtMap input, ExtMap output) {
 Opaque opaque = input.<Opaque> get(Authz.InvokeKeys.QUERY_OPAQUE);
 output.put(Authz.InvokeKeys.QUERY_RESULT,
- opaque.firstCall && opaque.isUser ? Arrays.asList(adminUser)
+ opaque.firstCall && opaque.found ? Arrays.asList(adminUser)
 : null);
 opaque.firstCall = false;
 }
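Review bot: `found = userName.matches(name.replace("*", ".*"))` in doQueryOpenImpl turns the caller-supplied filter value into a regular expression with only `*` translated, so every other regex metacharacter in the name is interpreted as well: a `.` matches any character, and an unbalanced `(` or `[` makes `matches` throw PatternSyntaxException out of the query. Quote the literal parts and translate only the wildcard, e.g. `found = userName.matches(Pattern.quote(name).replace("*", "\\E.*\\Q"));` with `java.util.regex.Pattern` imported. The same line dereferences `name` without a null check, and the `else { found = false; }` branch under it is redundant because `found` is already false. The `==` test against `Authz.QueryFilterOperator.EQ` only works as a value comparison if that constant is a primitive so the `Integer` unboxes; if it is a boxed `Integer` this is an identity comparison, which is worth confirming.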
@@ -113,7 +141,7 @@
 Authz.ContextKeys.AVAILABLE_NAMESPACES, Arrays.asList(NAMESPACE)
 );
- String userName = configuration.getProperty("config.authz.user.name");
+ userName = configuration.getProperty("config.authz.user.name");
 adminUser = new ExtMap().mput(
 Authz.PrincipalRecord.NAMESPACE, NAMESPACE
--
To view, visit http://gerrit.ovirt.org/33704
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2ae66d23862ad5d4da2f2e2e6a903119e859fd39
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Oved Ourfali <[email protected]>
Gerrit-Reviewer: Yair Zaslavsky <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
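Review bot: `userName = configuration.getProperty("config.authz.user.name")` leaves the field null when the property is missing, and doQueryOpenImpl in this same change calls `userName.matches(...)` on it, so unless the configuration is validated elsewhere a misconfigured extension fails with a NullPointerException on the first name search rather than at load time. A check right after the assignment, `if (userName == null) { throw new IllegalStateException("config.authz.user.name is not set"); }`, would report the problem where it originates. The enclosing method starts and ends outside the hunk.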
