Commit 82772191 authored by Dan Williams's avatar Dan Williams

libnm-util: simplify permissions somewhat; remove groups

Groups may come later, but they are also quite a bit more complicated
because getting the groups a user is in may require network access
if that user is backed by LDAP.  And it gets worse because you have
no idea that the glibc calls like getgrouplist(3) are backed by
the network and may take an arbitrary amount of time to complete.
Punt that.
parent 8b41f70d
......@@ -113,6 +113,8 @@ global:
nm_setting_connection_get_autoconnect;
nm_setting_connection_get_timestamp;
nm_setting_connection_get_read_only;
nm_setting_connection_get_num_permissions;
nm_setting_connection_get_permission;
nm_setting_duplicate;
nm_setting_enumerate_values;
nm_setting_error_get_type;
......
......@@ -19,7 +19,7 @@
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA.
*
* (C) Copyright 2007 - 2008 Red Hat, Inc.
* (C) Copyright 2007 - 2010 Red Hat, Inc.
* (C) Copyright 2007 - 2008 Novell, Inc.
*/
......@@ -30,6 +30,8 @@
#include "nm-param-spec-specialized.h"
#include "nm-setting-connection.h"
#define NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER "user:"
/**
* SECTION:nm-setting-connection
* @short_description: Describes general connection properties
......@@ -186,7 +188,7 @@ nm_setting_connection_get_num_permissions (NMSettingConnection *setting)
}
/**
* nm_setting_connection_get_permission_entry:
* nm_setting_connection_get_permission:
* @setting: the #NMSettingConnection
* @index: the zero-based index of the permissions entry
*
......@@ -196,11 +198,17 @@ nm_setting_connection_get_num_permissions (NMSettingConnection *setting)
* Returns: the entry at the specified index
*/
const char *
nm_setting_connection_get_permission_entry (NMSettingConnection *setting, guint32 i)
nm_setting_connection_get_permission (NMSettingConnection *setting, guint32 i)
{
NMSettingConnectionPrivate *priv;
g_return_val_if_fail (NM_IS_SETTING_CONNECTION (setting), NULL);
return (const char *) g_slist_nth_data (NM_SETTING_CONNECTION_GET_PRIVATE (setting)->permissions, i);
priv = NM_SETTING_CONNECTION_GET_PRIVATE (setting);
g_return_val_if_fail (i < g_slist_length (priv->permissions), NULL);
return (const char *) g_slist_nth_data (priv->permissions, i);
}
/**
......@@ -282,38 +290,23 @@ static gboolean
validate_permissions (GSList *permissions, GError **error)
{
GSList *iter;
for (iter = permissions; iter; iter = iter->next) {
char *entry = (char *) iter->data;
char *usr_start = NULL;
char *ext_start = NULL;
int prefix_len;
if (g_str_has_prefix (entry, NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER)) {
prefix_len = strlen (NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER);
} else if (g_str_has_prefix (entry, NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_GROUP)) {
prefix_len = strlen (NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_GROUP);
} else {
g_set_error (error,
NM_SETTING_CONNECTION_ERROR,
NM_SETTING_CONNECTION_ERROR_INVALID_PROPERTY,
"permissions: entry '%s': invalid prefix", entry);
return FALSE;
}
const char *entry = iter->data;
const char *usr_start = NULL;
usr_start = entry + prefix_len;
if (!g_str_has_prefix (entry, NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER))
continue;
ext_start = strchr(usr_start, ':');
if (!ext_start) {
usr_start = entry + strlen (NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER);
if (!strchr (usr_start, ':')) {
g_set_error (error,
NM_SETTING_CONNECTION_ERROR,
NM_SETTING_CONNECTION_ERROR_INVALID_PROPERTY,
"permissions: entry '%s': two few ':'s", entry);
"permissions: entry '%s': two few ':' characters", entry);
return FALSE;
}
ext_start++;
/* We don't (yet) care about what comes afterwards. */
}
return TRUE;
......@@ -376,11 +369,8 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
}
if (priv->permissions) {
GError *perm_error = NULL;
if (!validate_permissions (priv->permissions, &perm_error)) {
g_propagate_error (error, perm_error);
if (!validate_permissions (priv->permissions, error))
return FALSE;
}
}
return TRUE;
......@@ -569,12 +559,16 @@ nm_setting_connection_class_init (NMSettingConnectionClass *setting_class)
*
* An array of strings defining what access a given user has to this
* connection. If this is NULL or empty, all users are allowed to access
* this connection. Otherwise, each entry in this array specifies a user or
* unix group, and a user is allowed to access this connection if and only
* if they are in this list or if they are included in at least one of any
* listed unix groups . Each entry is of the form "user:<user-name>:<junk>
* or "group:<group-name>:<junk>. Any <junk> present must be ignored; it is
* reserved for future versions of NM.
* this connection. Otherwise a user is allowed to access this connection
* if and only if they are in this list. Each entry is of the form
* "[type]:[id]:[reserved]", for example:
*
* user:dcbw:blah
*
* At this time only the 'user' [type] is allowed. Any other values are
* ignored and reserved for future use. [id] is the username that this
* permission refers to. Any [reserved] information present must be
* ignored and is reserved for future use.
*/
g_object_class_install_property
(object_class, PROP_PERMISSIONS,
......@@ -583,15 +577,16 @@ nm_setting_connection_class_init (NMSettingConnectionClass *setting_class)
"An array of strings defining what access a given "
"user has to this connection. If this is NULL or "
"empty, all users are allowed to access this "
"connection. Otherwise, each entry in this array "
"specifies a user or unix group, and a user is "
"allowed to access this connection if and only if "
"they are in this list or if they are included in at "
"least one of any listed unix groups. Each entry is "
"of the form \"user:<user-name>:<junk>\" or "
"\"group:<group-name>:<junk>\". Any <junk> present "
"must be ignored; it is reserved for future versions "
"of NM.",
"connection. Otherwise a user is allowed to access "
"this connection if and only if they are in this "
"array. Each entry is of the form "
"\"[type]:[id]:[reserved]\", for example: "
"\"user:dcbw:blah\" At this time only the 'user' "
"[type] is allowed. Any other values are ignored and "
"reserved for future use. [id] is the username that "
"this permission refers to. Any [reserved] "
"information (if present) must be ignored and is "
"reserved for future use.",
DBUS_TYPE_G_LIST_OF_STRING,
G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));
......
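Review bot: The error string kept on the new side of validate_permissions still has a typo, "two few" for "too few"; the line should read `"permissions: entry '%s': too few ':' characters", entry);`. The same hunk also accepts an entry whose [id] is empty (for example a constructed "user::x"), because the only check after the prefix is that some ':' follows, so a guard such as `if (*usr_start == ':' || !strchr (usr_start, ':'))` would reject both the empty username and the missing separator with the same error. Entries whose [type] is not "user" are skipped by the `continue`, so whatever later matches a caller against this list must treat unknown types as non-matching; the property blurb in this section says both that only 'user' is "allowed" and that other values are "ignored", and it would help to make the wording match what the matcher actually does. The verify() hunk further down shows only part of that function.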
......@@ -19,7 +19,7 @@
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA.
*
* (C) Copyright 2007 - 2008 Red Hat, Inc.
* (C) Copyright 2007 - 2010 Red Hat, Inc.
* (C) Copyright 2007 - 2008 Novell, Inc.
*/
......@@ -76,9 +76,6 @@ GQuark nm_setting_connection_error_quark (void);
#define NM_SETTING_CONNECTION_READ_ONLY "read-only"
#define NM_SETTING_CONNECTION_PERMISSIONS "permissions"
#define NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER "user:"
#define NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_GROUP "group:"
/**
* NMSettingConnection:
*
......@@ -109,7 +106,9 @@ gboolean nm_setting_connection_get_autoconnect (NMSettingConnection *set
guint64 nm_setting_connection_get_timestamp (NMSettingConnection *setting);
gboolean nm_setting_connection_get_read_only (NMSettingConnection *setting);
guint32 nm_setting_connection_get_num_permissions (NMSettingConnection *setting);
const char *nm_setting_connection_get_permission_entry (NMSettingConnection *setting, guint32 index);
const char *nm_setting_connection_get_permission (NMSettingConnection *setting, guint32 index);
/* FIXME: need add/remove calls for permissions */
G_END_DECLS
......