X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/1e922a353a14f5f231040595a93af3054ea41664..6d821072f645e107e02e661ee937745642dc3588:/code/validation.py?ds=inline diff --git a/code/validation.py b/code/validation.py index 9b7a0b0..d288a69 100755 --- a/code/validation.py +++ b/code/validation.py @@ -5,6 +5,7 @@ import getafsgroups import re import string import dns.resolver +from invirt import authz from invirt.database import Machine, NIC, Type, Disk, CDROM, Autoinstall, Owner from invirt.config import structs as config from invirt.common import InvalidInput, CodeError @@ -24,7 +25,7 @@ class Validate: if strict: if name is None: raise InvalidInput('name', name, "You must provide a machine name.") - if description is None: + if description is None or description.strip() == '': raise InvalidInput('description', description, "You must provide a description.") if memory is None: raise InvalidInput('memory', memory, "You must provide a memory size.") @@ -129,7 +130,7 @@ def haveAccess(user, state, machine): def owns(user, machine): """Return whether a user owns a machine""" - return user in expandLocker(machine.owner) + return user in authz.expandOwner(machine.owner) def validMachineName(name): """Check that name is valid for a machine name""" @@ -208,8 +209,7 @@ def testMachineId(user, state, machine_id, exists=True): def testAdmin(user, admin, machine): """Determine whether a user can set the admin of a machine to this value. - Return the value to set the admin field to (possibly 'system:' + - admin). XXX is modifying this a good idea? + Return the value to set the admin field to (possibly 'system:' + admin). """ if admin is None: return None @@ -217,20 +217,17 @@ def testAdmin(user, admin, machine): return admin if admin == user: return admin + # we do not require that the user be in the admin group; + # just that it is a non-empty set + if authz.expandAdmin(admin): + return admin if ':' not in admin: - if cache_acls.isUser(admin): - return admin - admin = 'system:' + admin - try: - if user in getafsgroups.getAfsGroupMembers(admin, config.authz.afs.cells[0].cell): - return admin - except getafsgroups.AfsProcessError, e: - errmsg = str(e) - if errmsg.startswith("pts: User or group doesn't exist"): - errmsg = 'The group "%s" does not exist.' % admin - raise InvalidInput('administrator', admin, errmsg) - #XXX Should we require that user is in the admin group? - return admin + if authz.expandAdmin('system:' + admin): + return 'system:' + admin + errmsg = 'No user "%s" or non-empty group "system:%s" found.' % (admin, admin) + else: + errmsg = 'No non-empty group "%s" found.' % (admin,) + raise InvalidInput('administrator', admin, errmsg) def testOwner(user, owner, machine=None): """Determine whether a user can set the owner of a machine to this value. @@ -244,7 +241,7 @@ def testOwner(user, owner, machine=None): if '@' in owner: raise InvalidInput('owner', owner, "No cross-realm Hesiod lockers allowed") try: - if user not in cache_acls.expandLocker(owner): + if user not in authz.expandOwner(owner): raise InvalidInput('owner', owner, 'You do not have access to the ' + owner + ' locker') except getafsgroups.AfsProcessError, e: