X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/e37dd15bbf8683bab8454ea0eec8e9968ce982b2..230d47ec0096ba45aeb3a690fa2c4551f4fcbb16:/code/validation.py diff --git a/code/validation.py b/code/validation.py index fd2b979..a2e19fe 100644 --- a/code/validation.py +++ b/code/validation.py @@ -1,9 +1,10 @@ #!/usr/bin/python +import cache_acls import getafsgroups import re import string -from sipb_xen_database import Machine, NIC +from sipb_xen_database import Machine, NIC, Type from webcommon import InvalidInput, g MAX_MEMORY_TOTAL = 512 @@ -71,18 +72,11 @@ def validAddVm(user): def haveAccess(user, machine): """Return whether a user has administrative access to a machine""" - if user in (machine.administrator, machine.owner): - return True - if getafsgroups.checkAfsGroup(user, machine.administrator, - 'athena.mit.edu'): #XXX Cell? - return True - if not getafsgroups.notLockerOwner(user, machine.owner): - return True - return owns(user, machine) + return user in cache_acls.accessList(machine) def owns(user, machine): """Return whether a user owns a machine""" - return not getafsgroups.notLockerOwner(user, machine.owner) + return user in expandLocker(machine.owner) def validMachineName(name): """Check that name is valid for a machine name""" @@ -129,7 +123,15 @@ def validDisk(user, disk, machine=None): raise InvalidInput('disk', disk, "Minimum %s GiB" % MIN_DISK_SINGLE) return disk - + +def validVmType(vm_type): + if vm_type == 'hvm': + return Type.get('linux-hvm') + elif vm_type == 'paravm': + return Type.get('linux') + else: + raise CodeError("Invalid vm type '%s'" % vm_type) + def testMachineId(user, machine_id, exists=True): """Parse, validate and check authorization for a given user and machine. @@ -151,26 +153,46 @@ def testMachineId(user, machine_id, exists=True): return machine def testAdmin(user, admin, machine): + """Determine whether a user can set the admin of a machine to this value. + + Return the value to set the admin field to (possibly 'system:' + + admin). XXX is modifying this a good idea? + """ if admin in (None, machine.administrator): return None if admin == user: return admin - if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'): - return admin - if getafsgroups.checkAfsGroup(user, 'system:'+admin, - 'athena.mit.edu'): - return 'system:'+admin + if ':' not in admin: + if cache_acls.isUser(admin): + return admin + admin = 'system:' + admin + try: + if user in getafsgroups.getAfsGroupMembers(admin, 'athena.mit.edu'): + return admin + except getafsgroups.AfsProcessError, e: + errmsg = str(e) + if errmsg.startswith("pts: User or group doesn't exist"): + errmsg = 'The group "%s" does not exist.' % admin + raise InvalidInput('administrator', admin, errmsg) + #XXX Should we require that user is in the admin group? return admin def testOwner(user, owner, machine=None): + """Determine whether a user can set the owner of a machine to this value. + + If machine is None, this is the owner of a new machine. + """ if owner == user or machine is not None and owner == machine.owner: return owner if owner is None: raise InvalidInput('owner', owner, "Owner must be specified") - value = getafsgroups.notLockerOwner(user, owner) - if not value: - return owner - raise InvalidInput('owner', owner, value) + try: + if user not in cache_acls.expandLocker(owner): + raise InvalidInput('owner', owner, 'You do not have access to the ' + + owner + ' locker') + except getafsgroups.AfsProcessError, e: + raise InvalidInput('owner', owner, str(e)) + return owner def testContact(user, contact, machine=None): if contact in (None, machine.contact):