Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fix: xml: Correctly observe ACLs when creating filtered copies of xml…

… documents
  • Loading branch information...
commit 9ec934600a901398c3febb2f50554238f099ba7d 1 parent 6527e11
@beekhof authored
Showing with 172 additions and 19 deletions.
  1. +22 −10 lib/common/xml.c
  2. +136 −9 tools/regression.acls.exp
  3. +14 −0 tools/regression.sh
View
32 lib/common/xml.c
@@ -621,21 +621,34 @@ __xml_purge_attributes(xmlNode *xml)
xml_private_t *p = xml->_private;
if(__xml_acl_mode_test(p->flags, xpf_acl_read)) {
+ crm_trace("%s is readable", crm_element_name(xml), ID(xml));
return TRUE;
}
- for (xIter = crm_first_attr(xml); xIter != NULL; xIter = xIter->next) {
+ xIter = crm_first_attr(xml);
+ while(xIter != NULL) {
+ xmlAttr *tmp = xIter;
const char *prop_name = (const char *)xIter->name;
+ xIter = xIter->next;
if (strcmp(prop_name, XML_ATTR_ID) == 0) {
continue;
}
+
+ xmlUnsetProp(xml, tmp->name);
}
- for (child = __xml_first_child(xml); child != NULL; child = __xml_next(child)) {
- readable_children |= __xml_purge_attributes(child);
+ child = __xml_first_child(xml);
+ while ( child != NULL ) {
+ xmlNode *tmp = child;
+
+ child = __xml_next(child);
+ readable_children |= __xml_purge_attributes(tmp);
}
+ if(readable_children == FALSE) {
+ free_xml(xml); /* Nothing readable under here, purge completely */
+ }
return readable_children;
}
@@ -652,9 +665,10 @@ xml_acl_filtered_copy(const char *user, xmlNode *xml, xmlNode ** result)
return FALSE;
}
- crm_trace("filtered copy of %p for '%s'", xml, user);
+ crm_trace("filtering copy of %p for '%s'", xml, user);
target = copy_xml(xml);
__xml_acl_unpack(target, user);
+ __xml_acl_apply(target);
doc = target->doc->_private;
for(aIter = doc->acls; aIter != NULL && target; aIter = aIter->next) {
@@ -672,12 +686,10 @@ xml_acl_filtered_copy(const char *user, xmlNode *xml, xmlNode ** result)
for(lpc = 0; lpc < max; lpc++) {
xmlNode *match = getXpathResult(xpathObj, lpc);
- if(__xml_purge_attributes(match) == FALSE) {
- free_xml(match); /* Nothing readable under here, purge completely */
- if(match == target) {
- crm_trace("No access to the entire document");
- return TRUE;
- }
+ crm_trace("Purging attributes from %s", acl->xpath);
+ if(__xml_purge_attributes(match) == FALSE && match == target) {
+ crm_trace("No access to the entire document for %s", user);
+ return TRUE;
}
}
crm_trace("Enforced ACL %s (%d matches)", acl->xpath, max);
View
145 tools/regression.acls.exp
@@ -589,10 +589,10 @@ Call failed: Permission denied
=#=#=#= End test: root: Create a resource - OK (0) =#=#=#=
* Passed: cibadmin - root: Create a resource
=#=#=#= Begin test: l33t-haxor: Create a resource meta attribute =#=#=#=
- error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
- error: crm_abort: update_validation: Triggered assert at xml.c:5118 : *xml_blob != NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5525 : data != NULL
+ error: crm_abort: update_validation: Triggered assert at xml.c:5132 : *xml_blob != NULL
error: crm_element_value: Couldn't find validate-with in NULL
- error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5525 : data != NULL
Your current configuration could only be upgraded to <null>... the minimum requirement is pacemaker-1.0.
Error performing operation: Required key not available
<cib epoch="6" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
@@ -627,10 +627,10 @@ Error performing operation: Required key not available
=#=#=#= End test: l33t-haxor: Create a resource meta attribute - Required key not available (126) =#=#=#=
* Passed: crm_resource - l33t-haxor: Create a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Query a resource meta attribute =#=#=#=
- error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
- error: crm_abort: update_validation: Triggered assert at xml.c:5118 : *xml_blob != NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5525 : data != NULL
+ error: crm_abort: update_validation: Triggered assert at xml.c:5132 : *xml_blob != NULL
error: crm_element_value: Couldn't find validate-with in NULL
- error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5525 : data != NULL
Your current configuration could only be upgraded to <null>... the minimum requirement is pacemaker-1.0.
Error performing operation: Required key not available
<cib epoch="6" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
@@ -665,10 +665,10 @@ Error performing operation: Required key not available
=#=#=#= End test: l33t-haxor: Query a resource meta attribute - Required key not available (126) =#=#=#=
* Passed: crm_resource - l33t-haxor: Query a resource meta attribute
=#=#=#= Begin test: l33t-haxor: Remove a resource meta attribute =#=#=#=
- error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
- error: crm_abort: update_validation: Triggered assert at xml.c:5118 : *xml_blob != NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5525 : data != NULL
+ error: crm_abort: update_validation: Triggered assert at xml.c:5132 : *xml_blob != NULL
error: crm_element_value: Couldn't find validate-with in NULL
- error: crm_abort: crm_element_value: Triggered assert at xml.c:5511 : data != NULL
+ error: crm_abort: crm_element_value: Triggered assert at xml.c:5525 : data != NULL
Your current configuration could only be upgraded to <null>... the minimum requirement is pacemaker-1.0.
Error performing operation: Required key not available
<cib epoch="6" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
@@ -810,3 +810,130 @@ Deleted dummy option: id=dummy-meta_attributes-target-role name=target-role
</cib>
=#=#=#= End test: niceguy: Remove a resource meta attribute - OK (0) =#=#=#=
* Passed: crm_resource - niceguy: Remove a resource meta attribute
+=#=#=#= Begin test: niceguy: Create a resource meta attribute =#=#=#=
+<cib epoch="9" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: niceguy: Create a resource meta attribute - OK (0) =#=#=#=
+* Passed: crm_resource - niceguy: Create a resource meta attribute
+=#=#=#= Begin test: New ACL =#=#=#=
+<cib epoch="10" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <deny id="badidea-nothing" xpath="/cib"/>
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: New ACL - OK (0) =#=#=#=
+* Passed: cibadmin - New ACL
+=#=#=#= Begin test: badidea: Query configuration =#=#=#=
+<cib>
+ <configuration>
+ <resources>
+ <primitive id="dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ </configuration>
+</cib>
+<cib epoch="10" num_updates="0" admin_epoch="0" validate-with="pacemaker-1.2">
+ <configuration>
+ <crm_config>
+ <cluster_property_set id="cib-bootstrap-options">
+ <nvpair id="cib-bootstrap-options-enable-acl" name="enable-acl" value="true"/>
+ <nvpair id="cib-bootstrap-options-no-quorum-policy" name="no-quorum-policy" value="ignore"/>
+ <nvpair id="cib-bootstrap-options-stonith-enabled" name="stonith-enabled" value="true"/>
+ </cluster_property_set>
+ </crm_config>
+ <nodes/>
+ <resources>
+ <primitive id="dummy" class="ocf" provider="pacemaker" type="Dummy">
+ <meta_attributes id="dummy-meta_attributes">
+ <nvpair id="dummy-meta_attributes-target-role" name="target-role" value="Started"/>
+ </meta_attributes>
+ </primitive>
+ </resources>
+ <constraints/>
+ <acls>
+ <acl_user id="l33t-haxor">
+ <deny id="crook-nothing" xpath="/cib"/>
+ </acl_user>
+ <acl_user id="niceguy">
+ <role_ref id="observer"/>
+ </acl_user>
+ <acl_role id="observer">
+ <write id="observer-write-1" xpath="//nvpair[@name=&apos;stonith-enabled&apos;]"/>
+ <write id="observer-write-2" xpath="//nvpair[@name=&apos;target-role&apos;]"/>
+ </acl_role>
+ <acl_user id="badidea">
+ <deny id="badidea-nothing" xpath="/cib"/>
+ <read id="badidea-resources" xpath="//meta_attributes"/>
+ </acl_user>
+ </acls>
+ </configuration>
+ <status/>
+</cib>
+=#=#=#= End test: badidea: Query configuration - OK (0) =#=#=#=
+* Passed: cibadmin - badidea: Query configuration
View
14 tools/regression.sh
@@ -459,6 +459,20 @@ EOF
desc="$CIB_user: Remove a resource meta attribute"
cmd="crm_resource -r dummy --meta -d target-role"
test_assert 0
+
+ desc="$CIB_user: Create a resource meta attribute"
+ cmd="crm_resource -r dummy --meta -p target-role -v Started"
+ test_assert 0
+
+ export CIB_user=root
+ desc="New ACL"
+ cmd="cibadmin -C -o acls --xml-text '<acl_user id=\"badidea\"><deny id=\"badidea-nothing\" xpath=\"/cib\"/><read id=\"badidea-resources\" xpath=\"//meta_attributes\"/></acl_user>'"
+ test_assert 0
+
+ export CIB_user=badidea
+ desc="$CIB_user: Query configuration"
+ cmd="cibadmin -Q"
+ test_assert 0
}
for t in $tests; do
Please sign in to comment.
Something went wrong with that request. Please try again.