From 86533bf43d071048d654691dc18a3004b6142081 Mon Sep 17 00:00:00 2001
From: Jon Robertson <jonrober@stanford.edu>
Date: Mon, 8 Jun 2015 11:15:37 -0700
Subject: Added nested acl verifier

This verifier will allow embedding one ACL in another for more flexible
ACL handling.  As part of thise we've also added the ability for each
verifier to do a syntax check to see if a given name is valid for that
verifier.  For the moment this returns true for everything but Nested.
Nested will check to make sure the given name is an existing group.

Change-Id: Iacdf146d46ed882d57b7534058d34db6e6ec1de4
---
 perl/lib/Wallet/ACL.pm | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

(limited to 'perl/lib/Wallet/ACL.pm')

diff --git a/perl/lib/Wallet/ACL.pm b/perl/lib/Wallet/ACL.pm
index 260ff22..6d8005d 100644
--- a/perl/lib/Wallet/ACL.pm
+++ b/perl/lib/Wallet/ACL.pm
@@ -198,6 +198,19 @@ sub rename {
         $acls->ac_name ($name);
         $acls->update;
         $self->log_acl ('rename', undef, undef, $user, $host, $time);
+
+        # Find any references to this being used as a nested verifier and
+        # update the name.  This really breaks out of the normal flow, but
+        # it's hard to do otherwise.
+        %search = (ae_scheme     => 'nested',
+                   ae_identifier => $self->{name},
+                  );
+        my @entries = $self->{schema}->resultset('AclEntry')->search(\%search);
+        for my $entry (@entries) {
+            $entry->ae_identifier ($name);
+            $entry->update;
+        }
+
         $guard->commit;
     };
     if ($@) {
@@ -267,6 +280,17 @@ sub destroy {
             $entry->delete;
         }
 
+        # Find any references to this being used as a nested verifier and
+        # remove them.  This really breaks out of the normal flow, but it's
+        # hard to do otherwise.
+        %search = (ae_scheme     => 'nested',
+                   ae_identifier => $self->{name},
+                  );
+        @entries = $self->{schema}->resultset('AclEntry')->search(\%search);
+        for my $entry (@entries) {
+            $entry->delete;
+        }
+
         # There should definitely be an ACL record to delete.
         %search = (ac_id => $self->{id});
         my $entry = $self->{schema}->resultset('Acl')->find(\%search);
@@ -302,6 +326,18 @@ sub add {
         $self->error ("unknown ACL scheme $scheme");
         return;
     }
+
+    # Check to make sure that this entry has a valid name for the scheme.
+    my $class = $self->scheme_mapping ($scheme);
+    my $object = eval {
+        $class->new ($identifier, $self->{schema});
+    };
+    unless ($object && $object->syntax_check ($identifier)) {
+        $self->error ("invalid ACL identifier $identifier for $scheme");
+        return;
+    };
+
+    # Actually create the scheme.
     eval {
         my $guard = $self->{schema}->txn_scope_guard;
         my %record = (ae_id         => $self->{id},
@@ -446,7 +482,7 @@ sub history {
                 push (@{ $self->{check_errors} }, "unknown scheme $scheme");
                 return;
             }
-            $verifier{$scheme} = $class->new;
+            $verifier{$scheme} = $class->new ($identifier, $self->{schema});
             unless (defined $verifier{$scheme}) {
                 push (@{ $self->{check_errors} }, "cannot verify $scheme");
                 return;
-- 
cgit v1.2.3