X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/82e135b9c84782a1a0aa9aafd0b084b23450ae35..eabe84bd3f3ea514893ec700d598a06c2418f37e:/code/validation.py diff --git a/code/validation.py b/code/validation.py old mode 100644 new mode 100755 index 05e4c27..18666be --- a/code/validation.py +++ b/code/validation.py @@ -5,16 +5,13 @@ import getafsgroups import re import string import dns.resolver +from invirt import authz from invirt.database import Machine, NIC, Type, Disk, CDROM, Autoinstall, Owner from invirt.config import structs as config from invirt.common import InvalidInput, CodeError MIN_MEMORY_SINGLE = 16 -MAX_DISK_TOTAL = 50 -MAX_DISK_SINGLE = 50 MIN_DISK_SINGLE = 0.1 -MAX_VMS_TOTAL = 10 -MAX_VMS_ACTIVE = 4 class Validate: def __init__(self, username, state, machine_id=None, name=None, description=None, owner=None, @@ -28,7 +25,7 @@ class Validate: if strict: if name is None: raise InvalidInput('name', name, "You must provide a machine name.") - if description is None: + if description is None or description.strip() == '': raise InvalidInput('description', description, "You must provide a description.") if memory is None: raise InvalidInput('memory', memory, "You must provide a memory size.") @@ -60,13 +57,13 @@ class Validate: if vmtype is not None: self.vmtype = validVmType(vmtype) if cdrom is not None: - if not CDROM.query().get(cdrom): + if not CDROM.query.get(cdrom): raise CodeError("Invalid cdrom type '%s'" % cdrom) self.cdrom = cdrom if autoinstall is not None: #raise InvalidInput('autoinstall', 'install', # "The autoinstaller has been temporarily disabled") - self.autoinstall = Autoinstall.query().get(autoinstall) + self.autoinstall = Autoinstall.query.get(autoinstall) def getMachinesByOwner(owner, machine=None): @@ -77,7 +74,7 @@ def getMachinesByOwner(owner, machine=None): """ if machine: owner = machine.owner - return Machine.query().filter_by(owner=owner) + return Machine.query.filter_by(owner=owner) def maxMemory(owner, g, machine=None, on=True): """Return the maximum memory for a machine or a user. @@ -89,7 +86,7 @@ def maxMemory(owner, g, machine=None, on=True): memory for the machine to change to, if it is left off, is returned. """ - (quota_total, quota_single) = Owner.getQuotas(machine.owner if machine else owner) + (quota_total, quota_single) = Owner.getMemoryQuotas(machine.owner if machine else owner) if not on: return quota_single @@ -104,21 +101,24 @@ def maxDisk(owner, machine=None): If machine is None, the maximum disk for a new machine. Otherwise, return the maximum that a given machine can be changed to. """ + (quota_total, quota_single) = Owner.getDiskQuotas(machine.owner if machine else owner) + if machine is not None: machine_id = machine.machine_id else: machine_id = None - disk_usage = Disk.query().filter(Disk.c.machine_id != machine_id).\ + disk_usage = Disk.query.filter(Disk.c.machine_id != machine_id).\ join('machine').\ filter_by(owner=owner).sum(Disk.c.size) or 0 - return min(MAX_DISK_SINGLE, MAX_DISK_TOTAL-disk_usage/1024.) + return min(quota_single, quota_total-disk_usage/1024.) def cantAddVm(owner, g): machines = getMachinesByOwner(owner) active_machines = [m for m in machines if m.name in g.xmlist_raw] - if machines.count() >= MAX_VMS_TOTAL: + (quota_total, quota_active) = Owner.getVMQuotas(owner) + if machines.count() >= quota_total: return 'You have too many VMs to create a new one.' - if len(active_machines) >= MAX_VMS_ACTIVE: + if len(active_machines) >= quota_active: return ('You already have the maximum number of VMs turned on. ' 'To create more, turn one off.') return False @@ -130,7 +130,7 @@ def haveAccess(user, state, machine): def owns(user, machine): """Return whether a user owns a machine""" - return user in expandLocker(machine.owner) + return user in authz.expandOwner(machine.owner) def validMachineName(name): """Check that name is valid for a machine name""" @@ -181,7 +181,7 @@ def validDisk(owner, g, disk, machine=None): def validVmType(vm_type): if vm_type is None: return None - t = Type.query().get(vm_type) + t = Type.query.get(vm_type) if t is None: raise CodeError("Invalid vm type '%s'" % vm_type) return t @@ -198,7 +198,7 @@ def testMachineId(user, state, machine_id, exists=True): machine_id = int(machine_id) except ValueError: raise InvalidInput('machine_id', machine_id, "Must be an integer.") - machine = Machine.query().get(machine_id) + machine = Machine.query.get(machine_id) if exists and machine is None: raise InvalidInput('machine_id', machine_id, "Does not exist.") if machine is not None and not haveAccess(user, state, machine): @@ -209,8 +209,7 @@ def testMachineId(user, state, machine_id, exists=True): def testAdmin(user, admin, machine): """Determine whether a user can set the admin of a machine to this value. - Return the value to set the admin field to (possibly 'system:' + - admin). XXX is modifying this a good idea? + Return the value to set the admin field to (possibly 'system:' + admin). """ if admin is None: return None @@ -218,20 +217,17 @@ def testAdmin(user, admin, machine): return admin if admin == user: return admin + # we do not require that the user be in the admin group; + # just that it is a non-empty set + if authz.expandAdmin(admin): + return admin if ':' not in admin: - if cache_acls.isUser(admin): - return admin - admin = 'system:' + admin - try: - if user in getafsgroups.getAfsGroupMembers(admin, config.authz[0].cell): - return admin - except getafsgroups.AfsProcessError, e: - errmsg = str(e) - if errmsg.startswith("pts: User or group doesn't exist"): - errmsg = 'The group "%s" does not exist.' % admin - raise InvalidInput('administrator', admin, errmsg) - #XXX Should we require that user is in the admin group? - return admin + if authz.expandAdmin('system:' + admin): + return 'system:' + admin + errmsg = 'No user "%s" or non-empty group "system:%s" found.' % (admin, admin) + else: + errmsg = 'No non-empty group "%s" found.' % (admin,) + raise InvalidInput('administrator', admin, errmsg) def testOwner(user, owner, machine=None): """Determine whether a user can set the owner of a machine to this value. @@ -242,8 +238,10 @@ def testOwner(user, owner, machine=None): return machine.owner if owner is None: raise InvalidInput('owner', owner, "Owner must be specified") + if '@' in owner: + raise InvalidInput('owner', owner, "No cross-realm Hesiod lockers allowed") try: - if user not in cache_acls.expandLocker(owner): + if user not in authz.expandOwner(owner): raise InvalidInput('owner', owner, 'You do not have access to the ' + owner + ' locker') except getafsgroups.AfsProcessError, e: @@ -257,9 +255,6 @@ def testContact(user, contact, machine=None): raise InvalidInput('contact', contact, "Not a valid email.") return contact -def testDisk(user, disksize, machine=None): - return disksize - def testName(user, name, machine=None): if name is None: return None