From c796a251db813fcb96953a6c355b21d15a829c1a Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Fri, 25 Jul 2008 20:24:40 +0000
Subject: Modified tinydns to add in role-based permissions.
git-svn-id: svn://svn.alpinelinux.org/acf/tinydns/trunk@1321 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 tinydns-model.lua | 76 +++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 66 insertions(+), 10 deletions(-)
(limited to 'tinydns-model.lua')
diff --git a/tinydns-model.lua b/tinydns-model.lua
index 148dec6..0546e43 100644
--- a/tinydns-model.lua
+++ b/tinydns-model.lua
@@ -7,6 +7,7 @@ require("fs")
 require("format")
 require("validator")
 require("authenticator")
+require("roles")
 
 -- Set variables
 local configfiles = {}
@@ -97,8 +98,15 @@ local function getallowedlist(self, userid)
 local allowedlist = {}
 local entry = authenticator.read_userentry(self, "tinydns", userid) or ""
 for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
- -- FIXME also check to see if there are allowed files for this user's roles
--- local roles = authenticator.get_userinfo_roles(self, userid)
+
+ -- also check to see if there are allowed files for this user's roles
+ local rols = authenticator.get_userinfo_roles(self, userid)
+ -- add in the ALL role
+ rols.value[#rols.value + 1] = "ALL"
+ for i,role in ipairs(rols.value) do
+ local entry = authenticator.read_roleentry(self, "tinydns", role) or ""
+ for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
+ end
 return allowedlist
 end
 
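Review bot: `rols.value[#rols.value + 1] = "ALL"` appends to the table that authenticator.get_userinfo_roles handed back, so if that table is shared or cached (not visible from the hunk) every call to getallowedlist adds one more "ALL" entry and re-reads the same role entries, growing the allowed list each time; copy the names into a local first, `local rolenames = {}` / `for i,r in ipairs(rols.value) do rolenames[i] = r end` / `rolenames[#rolenames + 1] = "ALL"`, and iterate that instead. Nothing guards against `rols` or `rols.value` being nil, which would raise an error here rather than fall back to the user-only list. Since "ALL" is a pseudo-role whose entry is granted to every user, a comment stating that, `-- "ALL" is a pseudo-role: its entry applies to every user`, would make this grant path easier to audit. getallowedlist's signature line is outside the hunk.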
@@ -295,9 +303,9 @@ function createconfigfile(self, configfile, userid)
 configfile.errtxt = nil
 
 -- We have to add this file to the allowed list, if there is one
- -- FIXME - what do we do here when there is role support?
- local perm = getuserpermissions(self, userid)
- if #perm.value.allowed.value > 0 then
+ local allowed = getallowedlist(self, userid)
+ if #allowed > 0 then
+ local perm = getuserpermissions(self, userid)
 perm.value.allowed.value[#perm.value.allowed.value + 1] = path
 setuserpermissions(self, perm)
 end
@@ -328,16 +336,25 @@ end
 
 function getpermissionslist(self)
 local users = authenticator.list_users(self)
- local output = {}
+ local userlist = {}
 for i,user in ipairs(users) do
 local allowedlist = {}
 local entry = authenticator.read_userentry(self, "tinydns", user) or ""
 for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
- output[#output + 1] = {id=user, allowed=allowedlist}
+ userlist[#userlist + 1] = {id=user, allowed=allowedlist}
 end
- table.sort(output, function(a,b) return a.id < b.id end)
- -- FIXME - need to check for roles as well as users
- return cfe({ type="structure", value=output, label="TinyDNS Permissions" })
+ -- Need to check for roles as well as users
+ local rolelist = {}
+ local rols = roles.list_all_roles()
+ for i,role in ipairs(rols) do
+ local allowedlist = {}
+ local entry = authenticator.read_roleentry(self, "tinydns", role) or ""
+ for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
+ rolelist[#rolelist + 1] = {id=role, allowed=allowedlist}
+ end
+ table.sort(userlist, function(a,b) return a.id < b.id end)
+ table.sort(rolelist, function(a,b) return a.id < b.id end)
+ return cfe({ type="structure", value={user=userlist, role=rolelist}, label="TinyDNS Permissions" })
 end
 
 local function validateuserpermissions(self, userpermissions)
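Review bot: The result of `setuserpermissions(self, perm)` is discarded, so if the write is rejected by validation the creator silently ends up without access to the file just created; setuserpermissions appears to report failure through `errtxt` on the structure it returns (its body is outside this hunk), so propagate it: `local result = setuserpermissions(self, perm)` / `if result.errtxt then configfile.errtxt = result.errtxt end`. Note also that `#allowed > 0` now counts role-derived entries, so a user restricted only through a role gets a user-level entry created here for the first time; if that is intended, say so, e.g. `-- allowed includes role entries, so a creator restricted only via roles also gets a user-level entry`. createconfigfile's signature and return are outside the hunk.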
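Review bot: The entry parser `for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end` is now repeated for users and for roles here, and again in getallowedlist and the get*permissions functions; since this is the reader of the permission store, one file-local helper such as `local function parselist(entry)` returning the list would keep every reader of the format identical and make a later format change a single edit. The return value also changes shape from a flat array to `{user=userlist, role=rolelist}`, which any existing consumer of this cfe must follow; the page is limited to tinydns-model.lua, so I cannot see whether such consumers were updated in the same commit. The unused loop index `i` in both loops could be `_`.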
@@ -355,6 +372,21 @@ local function validateuserpermissions(self, userpermissions)
 return success, userpermissions
 end
 
+local function validaterolepermissions(self, rolepermissions)
+ local success = false
+ rolepermissions.value.role.errtxt = "Invalid role"
+ local rols = roles.list_all_roles()
+ for i,role in ipairs(rols) do
+ if rolepermissions.value.role.value == role then
+ rolepermissions.value.role.errtxt = nil
+ success = true
+ break
+ end
+ end
+ success = success and modelfunctions.validatemulti(rolepermissions.value.allowed)
+ return success, rolepermissions
+end
+
 function getuserpermissions(self, userid)
 local allowedlist = {}
 local entry = authenticator.read_userentry(self, "tinydns", userid) or ""
@@ -378,3 +410,27 @@ function setuserpermissions(self, userpermissions)
 end
 return userpermissions
 end
+
+function getrolepermissions(self, role)
+ local allowedlist = {}
+ local entry = authenticator.read_roleentry(self, "tinydns", role) or ""
+ for x in string.gmatch(entry, "([^,]+),?") do allowedlist[#allowedlist + 1] = x end
+ local cnffile = {}
+ recursedir(configdir, cnffile)
+ local allowed = cfe({ type="multi", value=allowedlist, label="TinyDNS Permissions", option=cnffile, descr="If no permissions are defined, then all are allowed" })
+ local rol = cfe({ value=role, label="Role" })
+ local output = cfe({ type="group", value={role=rol, allowed=allowed}, label="TinyDNS Permissions" })
+ validaterolepermissions(self, output)
+ return output
+end
+
+function setrolepermissions(self, rolepermissions)
+ local success, rolepermissions = validaterolepermissions(self, rolepermissions)
+
+ if success then
+ authenticator.write_roleentry(self, "tinydns", rolepermissions.value.role.value, table.concat(rolepermissions.value.allowed.value, ","))
+ else
+ rolepermissions.errtxt = "Failed to set role permissions"
+ end
+ return rolepermissions
+end
-- cgit v1.2.3
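Review bot: validaterolepermissions accepts a role only if `roles.list_all_roles()` returns it, yet getallowedlist (earlier in this commit) also honours an entry stored under the pseudo-role "ALL"; unless list_all_roles includes "ALL" (not visible here), that entry is read on every permission check but can never be viewed or set through getrolepermissions/setrolepermissions, which will mark it "Invalid role". If "ALL" is meant to be manageable, accept it before the loop, `if rolepermissions.value.role.value == "ALL" then rolepermissions.value.role.errtxt = nil; success = true end`; otherwise a comment here recording the asymmetry is the minimum. The short-circuit in `success = success and modelfunctions.validatemulti(rolepermissions.value.allowed)` means an invalid role leaves the allowed field unvalidated and without its own errtxt, which seems to mirror validateuserpermissions as far as its visible tail shows.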
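Review bot: setrolepermissions stores the list with `table.concat(rolepermissions.value.allowed.value, ",")` while every reader in this file splits it with `([^,]+)`, so an allowed path that itself contains a comma is written whole and read back as two fragments that may match other files; validatemulti presumably restricts values to the `option` list, but unless it also rejects commas a guard before the write, `for _,v in ipairs(rolepermissions.value.allowed.value) do if v:find(",", 1, true) then success = false end end`, keeps the stored entry parseable. The `descr` text says an empty list means everything is allowed, so clearing a role's list through this function widens access rather than revoking it; a comment beside the write, `-- an empty list is stored as "" and is read as "no restriction"`, would warn a later reader. `local success, rolepermissions = ...` shadows the parameter, which luacheck will flag; a distinct local name reads more clearly.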