motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-09 02:24:58 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

authz: delete existing ACL implementation

Browse source 
The 'qemu_acl' type was a previous non-QOM based attempt to provide an
authorization facility in QEMU. Because it is non-QOM based it cannot be
created via the command line and requires special monitor commands to
manipulate it.

The new QAuthZ subclasses provide a superset of the functionality in
qemu_acl, so the latter can now be deleted. The HMP 'acl_*' monitor
commands are converted to use the new QAuthZSimple data type instead
in order to provide temporary backwards compatibility.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2016-02-18 18:40:24 +00:00 committed by Daniel P. Berrangé
parent 8953caf3cd
commit b76806d4ec
16 changed files with 207 additions and 376 deletions
Download patch file Download diff file Expand all files Collapse all files

35
crypto/tlssession.c
View file

@ -24,7 +24,7 @@
#include "crypto/tlscredspsk.h"
#include "crypto/tlscredsx509.h"
#include "qapi/error.h"
#include "qemu/acl.h"
#include "authz/base.h"
#include "trace.h"
#ifdef CONFIG_GNUTLS
@ -37,7 +37,7 @@ struct QCryptoTLSSession {
QCryptoTLSCreds *creds;
gnutls_session_t handle;
char *hostname;
char *aclname;
char *authzid;
bool handshakeComplete;
QCryptoTLSSessionWriteFunc writeFunc;
QCryptoTLSSessionReadFunc readFunc;
@ -56,7 +56,7 @@ qcrypto_tls_session_free(QCryptoTLSSession *session)
gnutls_deinit(session->handle);
g_free(session->hostname);
g_free(session->peername);
g_free(session->aclname);
g_free(session->authzid);
object_unref(OBJECT(session->creds));
g_free(session);
}
@ -95,7 +95,7 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
QCryptoTLSSession *
qcrypto_tls_session_new(QCryptoTLSCreds *creds,
const char *hostname,
const char *aclname,
const char *authzid,
QCryptoTLSCredsEndpoint endpoint,
Error **errp)
{
@ -105,13 +105,13 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
session = g_new0(QCryptoTLSSession, 1);
trace_qcrypto_tls_session_new(
session, creds, hostname ? hostname : "<none>",
aclname ? aclname : "<none>", endpoint);
authzid ? authzid : "<none>", endpoint);
if (hostname) {
session->hostname = g_strdup(hostname);
}
if (aclname) {
session->aclname = g_strdup(aclname);
if (authzid) {
session->authzid = g_strdup(authzid);
}
session->creds = creds;
object_ref(OBJECT(creds));
@ -262,6 +262,7 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
unsigned int nCerts, i;
time_t now;
gnutls_x509_crt_t cert = NULL;
Error *err = NULL;
now = time(NULL);
if (now == ((time_t)-1)) {
@ -349,19 +350,17 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
gnutls_strerror(ret));
goto error;
}
if (session->aclname) {
qemu_acl *acl = qemu_acl_find(session->aclname);
int allow;
if (!acl) {
error_setg(errp, "Cannot find ACL %s",
session->aclname);
if (session->authzid) {
bool allow;
allow = qauthz_is_allowed_by_id(session->authzid,
session->peername, &err);
if (err) {
error_propagate(errp, err);
goto error;
}
allow = qemu_acl_party_is_allowed(acl, session->peername);
if (!allow) {
error_setg(errp, "TLS x509 ACL check for %s is denied",
error_setg(errp, "TLS x509 authz check for %s is denied",
session->peername);
goto error;
}
@ -555,7 +554,7 @@ qcrypto_tls_session_get_peer_name(QCryptoTLSSession *session)
QCryptoTLSSession *
qcrypto_tls_session_new(QCryptoTLSCreds *creds G_GNUC_UNUSED,
const char *hostname G_GNUC_UNUSED,
const char *aclname G_GNUC_UNUSED,
const char *authzid G_GNUC_UNUSED,
QCryptoTLSCredsEndpoint endpoint G_GNUC_UNUSED,
Error **errp)
{