From: "Daniel P. Berrange" <berrange@redhat.com> The VIR_ACCESS_PERM_CONNECT_DETECT_STORAGE_POOLS enum constant had its string format be 'detect_storage_pool', note the missing trailing 's'. This prevent the ACL check from ever succeeding. Fix this and add a simple test script to validate this problem of matching names. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/Makefile.am | 8 ++++- src/access/viraccessperm.c | 2 +- src/check-aclperms.pl | 75 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 2 deletions(-) create mode 100755 src/check-aclperms.pl diff --git a/src/Makefile.am b/src/Makefile.am index 711da32..9f9dcd9 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -528,10 +528,16 @@ check-aclrules: $(REMOTE_PROTOCOL) \ $(addprefix $(srcdir)/,$(filter-out /%,$(STATEFUL_DRIVER_SOURCE_FILES))) +check-aclperms: + $(AM_V_GEN)$(PERL) $(srcdir)/check-aclperms.pl \ + $(srcdir)/access/viraccessperm.h \ + $(srcdir)/access/viraccessperm.c + EXTRA_DIST += check-driverimpls.pl check-aclrules.pl check-local: check-protocol check-symfile check-symsorting \ - check-drivername check-driverimpls check-aclrules + check-drivername check-driverimpls check-aclrules \ + check-aclperms .PHONY: check-protocol $(PROTOCOL_STRUCTS:structs=struct) # Mock driver, covering domains, storage, networks, etc diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c index 9c720f9..d517c66 100644 --- a/src/access/viraccessperm.c +++ b/src/access/viraccessperm.c @@ -30,7 +30,7 @@ VIR_ENUM_IMPL(virAccessPermConnect, "search_storage_pools", "search_node_devices", "search_interfaces", "search_secrets", "search_nwfilters", - "detect_storage_pool", "pm_control", + "detect_storage_pools", "pm_control", "interface_transaction"); VIR_ENUM_IMPL(virAccessPermDomain, diff --git a/src/check-aclperms.pl b/src/check-aclperms.pl new file mode 100755 index 0000000..b7fadcd --- /dev/null +++ b/src/check-aclperms.pl @@ -0,0 +1,75 @@ +#!/usr/bin/perl +# +# Copyright (C) 2013 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# <http://www.gnu.org/licenses/>. +# +# This script just validates that the stringified version of +# a virAccessPerm enum matches the enum constant name. We do +# alot of auto-generation of code, so when these don't match +# problems occur, preventing auth from succeeding at all. + +my $hdr = shift; +my $impl = shift; + +my %perms; + +my @perms; + +open HDR, $hdr or die "cannot read $hdr: $!"; + +while (<HDR>) { + if (/^\s+VIR_ACCESS_PERM_([_A-Z]+)(,?|\s|$)/) { + my $perm = $1; + + $perms{$perm} = 1 unless ($perm =~ /_LAST$/); + } +} + +close HDR; + + +open IMPL, $impl or die "cannot read $impl: $!"; + +my $group; +my $warned = 0; + +while (defined (my $line = <IMPL>)) { + if ($line =~ /VIR_ACCESS_PERM_([_A-Z]+)_LAST/) { + $group = $1; + } elsif ($line =~ /"[_a-z]+"/) { + my @bits = split /,/, $line; + foreach my $bit (@bits) { + if ($bit =~ /"([_a-z]+)"/) { + #print $1, "\n"; + + my $perm = uc($group . "_" . $1); + if (!exists $perms{$perm}) { + print STDERR "Unknown perm string $1 for group $group\n"; + $warned = 1; + } + delete $perms{$perm}; + } + } + } +} +close IMPL; + +foreach my $perm (keys %perms) { + print STDERR "Perm $perm had not string form\n"; + $warned = 1; +} + +exit $warned; -- 1.8.3.1