[PATCH 8/8] Extend the ACL test case to validate filter rule checks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

The 'check-aclrules' test case validates that there are ACL
checks in each method. This extends it so that it can also
validate that methods which return info about lists of objects,
will filter their returned info throw an ACL check.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/Makefile.am       |  1 +
 src/check-aclrules.pl | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)

diff --git a/src/Makefile.am b/src/Makefile.am
index e6b1927..5057277 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -500,6 +500,7 @@ check-driverimpls:
 
 check-aclrules:
 	$(AM_V_GEN)$(PERL) $(srcdir)/check-aclrules.pl \
+		$(addprefix $(srcdir)/,$(filter-out /%,$(REMOTE_PROTOCOL))) \
 		$(addprefix $(srcdir)/,$(filter-out /%,$(STATEFUL_DRIVER_SOURCE_FILES)))
 
 EXTRA_DIST += check-driverimpls.pl check-aclrules.pl
diff --git a/src/check-aclrules.pl b/src/check-aclrules.pl
index 336b2fe..057517e 100644
--- a/src/check-aclrules.pl
+++ b/src/check-aclrules.pl
@@ -42,6 +42,7 @@ my $intable = 0;
 my $table;
 
 my %acls;
+my %aclfilters;
 
 my %whitelist = (
     "connectClose" => 1,
@@ -73,9 +74,80 @@ my %implwhitelist = (
     "xenUnifiedDomainIsUpdated" => 1,
     "xenUnifiedDomainOpenConsole" => 1,
     );
+my %filterimplwhitelist = (
+    "xenUnifiedConnectListDomains" => 1,
+    "xenUnifiedConnectNumOfDomains" => 1,
+    "xenUnifiedConnectListDefinedDomains" => 1,
+    "xenUnifiedConnectNumOfDefinedDomains" => 1,
+    );
 
 my $lastfile;
 
+sub fixup_name {
+    my $name = shift;
+
+    $name =~ s/Nwfilter/NWFilter/;
+    $name =~ s/Xml$/XML/;
+    $name =~ s/Uri$/URI/;
+    $name =~ s/Uuid$/UUID/;
+    $name =~ s/Id$/ID/;
+    $name =~ s/Mac$/MAC/;
+    $name =~ s/Cpu$/CPU/;
+    $name =~ s/Os$/OS/;
+    $name =~ s/Nmi$/NMI/;
+    $name =~ s/Pm/PM/;
+    $name =~ s/Fstrim$/FSTrim/;
+    $name =~ s/Scsi/SCSI/;
+    $name =~ s/Wwn$/WWN/;
+
+    return $name;
+}
+
+sub name_to_ProcName {
+    my $name = shift;
+
+    my @elems;
+    if ($name =~ /_/ || (lc $name) eq "open" || (lc $name) eq "close") {
+        @elems = split /_/, $name;
+        @elems = map lc, @elems;
+        @elems = map ucfirst, @elems;
+    } else {
+        @elems = $name;
+    }
+    @elems = map { fixup_name($_) } @elems;
+    my $procname = join "", @elems;
+
+    $procname =~ s/^([A-Z])/lc $1/e;
+
+    return $procname;
+}
+
+
+my $proto = shift @ARGV;
+
+open PROTO, "<$proto" or die "cannot read $proto";
+
+my %filtered;
+my $incomment = 0;
+my $filtered = 0;
+while (<PROTO>) {
+    if (m,/\*\*,) {
+        $incomment = 1;
+        $filtered = 0;
+    } elsif ($incomment) {
+        if (m,\*\s\@aclfilter,) {
+            $filtered = 1;
+        } elsif ($filtered &&
+                 m,REMOTE_PROC_(.*)\s+=\s*\d+,) {
+            my $api = name_to_ProcName($1);
+            $filtered{$api} = 1;
+            $incomment = 0;
+        }
+    }
+}
+
+close PROTO;
+
 while (<>) {
     if (!defined $lastfile ||
         $lastfile ne $ARGV) {
@@ -107,6 +179,21 @@ while (<>) {
                 }
             }
             $acls{$maybefunc} = 1;
+        } elsif (m,(\w+)CheckACL,) {
+            # Record the fact that maybefunc contains an
+            # ACL filter call, and make sure it is the right call!
+            my $func = $1;
+            $func =~ s/^vir//;
+            if (!defined $maybefunc) {
+                print "$ARGV:$. Unexpected check '$func' outside function\n";
+                $status = 1;
+            } else {
+                unless ($maybefunc =~ /$func$/i) {
+                    print "$ARGV:$. Mismatch check 'vir${func}CheckACL' for function '$maybefunc'\n";
+                    $status = 1;
+                }
+            }
+            $aclfilters{$maybefunc} = 1;
         } elsif (m,\b(\w+)\(,) {
             # Handles case where we replaced an API with a new
             # one which  adds new parameters, and we're left with
@@ -115,6 +202,9 @@ while (<>) {
             if (exists $acls{$callfunc}) {
                 $acls{$maybefunc} = 1;
             }
+            if (exists $aclfilters{$callfunc}) {
+                $aclfilters{$maybefunc} = 1;
+            }
         }
     }
 
@@ -138,6 +228,13 @@ while (<>) {
                 print "$ARGV:$. Missing ACL check in function '$impl' for '$api'\n";
                 $status = 1;
             }
+
+            if (exists $filtered{$api} &&
+                !exists $aclfilters{$impl} &&
+                !exists $filterimplwhitelist{$impl}) {
+                print "$ARGV:$. Missing ACL filter in function '$impl' for '$api'\n";
+                $status = 1;
+            }
         }
     } elsif (/^(?:static\s+)?(vir(?:\w+)?Driver)\s+/) {
         if ($1 ne "virNWFilterCallbackDriver" &&
-- 
1.8.1.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]