
Date:22:40, 11 January 2011
Author:laner
Status:deferred
Tags:
Comment:
* Localize special pages
* Move special pages into a 'nova' heading
* Add security to all nova special pages
Modified paths:
  • /trunk/extensions/OpenStackManager/OpenStackManager.i18n.php (modified) (history)
  • /trunk/extensions/OpenStackManager/OpenStackManager.php (modified) (history)
  • /trunk/extensions/OpenStackManager/OpenStackNovaProject.php (modified) (history)
  • /trunk/extensions/OpenStackManager/OpenStackNovaUser.php (modified) (history)
  • /trunk/extensions/OpenStackManager/special/SpecialNova.php (modified) (history)
  • /trunk/extensions/OpenStackManager/special/SpecialNovaAddress.php (modified) (history)
  • /trunk/extensions/OpenStackManager/special/SpecialNovaDomain.php (modified) (history)
  • /trunk/extensions/OpenStackManager/special/SpecialNovaInstance.php (modified) (history)
  • /trunk/extensions/OpenStackManager/special/SpecialNovaKey.php (modified) (history)
  • /trunk/extensions/OpenStackManager/special/SpecialNovaProject.php (modified) (history)


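--- a/trunk/extensions/OpenStackManager/OpenStackNovaUser.php
+++ b/trunk/extensions/OpenStackManager/OpenStackNovaUser.php
@@ -140,9 +140,60 @@
 }
 }
 
-function inRole( $role, $project = '' ) {
-# Currently unsupported
-return true;
+function inRole( $role, $projectname = '' ) {
+global $wgAuth;
+global $wgOpenStackManagerLDAPGlobalRoles;
+
+if ( ! array_key_exists( $wgOpenStackManagerLDAPGlobalRoles, $role ) ) {
+return false;
+}
+
+if ( $wgOpenStackManagerLDAPGlobalRoles["$role"] ) {
+# Check global role
+$roledn = $wgOpenStackManagerLDAPGlobalRoles["$role"];
+$filter = "(member=$this->userDN)";
+wfSuppressWarnings();
+$result = ldap_search( $wgAuth->ldapconn, $roledn, $filter );
+wfRestoreWarnings();
+if ( $result ) {
+wfSuppressWarnings();
+$entries = ldap_get_entries( $wgAuth->ldapconn, $result );
+wfRestoreWarnings();
+if ( (int)$entries['count'] > 0 ) {
+return true;
+}
+}
+}
+
+if ( $projectname ) {
+# Check project specific role
+$project = OpenStackNovaProject::getProjectByName( $projectname );
+if ( ! $project ) {
+return false;
+}
+$filter = "(&(cn=$role)(member=$this->userDN))";
+wfSuppressWarnings();
+$result = ldap_search( $wgAuth->ldapconn, $project->projectDN, $filter );
+wfRestoreWarnings();
+if ( $result ) {
+wfSuppressWarnings();
+$entries = ldap_get_entries( $wgAuth->ldapconn, $result );
+wfRestoreWarnings();
+if ( $entries ) {
+if ( $entries['count'] == "0" ) {
+$wgAuth->printDebug( "Couldn't find the user in role: $role", NONSENSITIVE );
+return false;
+} else {
+return true;
+}
+} else {
+return false;
+}
+} else {
+return false;
+}
+}
+return false;
 }
 
 function connect() {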
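Review bot: `array_key_exists( $wgOpenStackManagerLDAPGlobalRoles, $role )` has its arguments reversed — the signature is `array_key_exists( $key, $array )` — so on the PHP of this era the call emits a warning and returns null, the `!` turns that into true, and inRole returns false for every role before either LDAP lookup runs; the line should read `if ( ! array_key_exists( $role, $wgOpenStackManagerLDAPGlobalRoles ) ) {`. Both filters interpolate `$role` and `$this->userDN` straight into the LDAP filter string; the callers in this commit pass literal role names, but the values should still be escaped per RFC 4515 (parentheses, `*`, `\`, NUL) before interpolation so a future caller cannot change the filter's meaning. The two branches also test the result differently (`(int)$entries['count'] > 0` versus `$entries['count'] == "0"`); use the integer comparison in both and emit the debug line from both for consistency. The method belongs to a class whose header lies outside the hunk.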
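--- a/trunk/extensions/OpenStackManager/special/SpecialNovaInstance.php
+++ b/trunk/extensions/OpenStackManager/special/SpecialNovaInstance.php
@@ -66,6 +66,11 @@
 $this->setHeaders();
 $wgOut->setPagetitle( wfMsg( 'openstackmanager-createinstance' ) );
 
+$project = $wgRequest->getText( 'project' );
+if ( ! $this->userLDAP->inRole( 'sysadmin', $project ) ) {
+$this->notInRole( 'sysadmin' );
+return false;
+}
 $instanceInfo = Array();
 $instanceInfo['instancename'] = array(
 'type' => 'text',
@@ -145,7 +150,7 @@
 
 $instanceInfo['project'] = array(
 'type' => 'hidden',
-'default' => $wgRequest->getText( 'project' ),
+'default' => $project,
 );
 
 if ( $wgOpenStackManagerPuppetOptions['enabled'] ) {
@@ -193,8 +198,12 @@
 $this->setHeaders();
 $wgOut->setPagetitle( wfMsg( 'openstackmanager-configureinstance' ) );
 
+$project = $wgRequest->getText( 'project' );
+if ( ! $this->userLDAP->inRole( 'sysadmin', $project ) ) {
+$this->notInRole( 'sysadmin' );
+return false;
+}
 $instanceid = $wgRequest->getText( 'instanceid' );
-
 $instanceInfo = Array();
 $instanceInfo['instanceid'] = array(
 'type' => 'hidden',
@@ -202,7 +211,7 @@
 );
 $instanceInfo['project'] = array(
 'type' => 'hidden',
-'default' => $wgRequest->getText( 'project' ),
+'default' => $project,
 );
 
 if ( $wgOpenStackManagerPuppetOptions['enabled'] ) {
@@ -267,8 +276,12 @@
 $this->setHeaders();
 $wgOut->setPagetitle( wfMsg( 'openstackmanager-deletedomain' ) );
 
+$project = $wgRequest->getText( 'project' );
+if ( ! $this->userLDAP->inRole( 'sysadmin', $project ) ) {
+$this->notInRole( 'sysadmin' );
+return false;
+}
 $instanceid = $wgRequest->getText( 'instanceid' );
-$project = $wgRequest->getText( 'project' );
 if ( ! $wgRequest->wasPosted() ) {
 $out = Html::element( 'p', array(), wfMsgExt( 'openstackmanager-deleteinstancequestion', array(), $instanceid ) );
 $wgOut->addHTML( $out );
@@ -296,10 +309,6 @@
 return true;
 }
 
-function modifyInstance() {
-return true;
-}
-
 function listInstances() {
 global $wgOut, $wgUser;
 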
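Review bot: The sysadmin check in configureInstance and deleteInstance keys on the request-supplied `project`, while `$instanceid = $wgRequest->getText( 'instanceid' )` on the very next line is taken from the request independently; nothing in these hunks ties the instance to that project, so whether the later code (outside the hunk) scopes the instance lookup to `$project` is worth confirming before relying on this check. The same four-line guard is pasted into createInstance, configureInstance and deleteInstance here and four more times in SpecialNovaAddress.php; a small helper on SpecialNova that calls inRole, falls through to notInRole and returns the boolean would keep the copies from drifting. As a side note, the pre-existing context line `wfMsg( 'openstackmanager-deletedomain' )` in deleteInstance looks like a copy-paste slip for the instance page title. The enclosing functions begin outside the hunks.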
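--- a/trunk/extensions/OpenStackManager/special/SpecialNovaAddress.php
+++ b/trunk/extensions/OpenStackManager/special/SpecialNovaAddress.php
@@ -46,6 +46,10 @@
 $wgOut->setPagetitle( wfMsg( 'openstackmanager-allocateaddress' ) );
 
 $project = $wgRequest->getText( 'project' );
+if ( ! $this->userLDAP->inRole( 'netadmin', $project ) ) {
+$this->notInRole( 'netadmin' );
+return false;
+}
 $userCredentials = $this->userLDAP->getCredentials( $project );
 $this->userNova = new OpenStackNovaController( $userCredentials );
 if ( ! $wgRequest->wasPosted() ) {
@@ -78,6 +82,10 @@
 $wgOut->setPagetitle( wfMsg( 'openstackmanager-releaseaddress' ) );
 
 $project = $wgRequest->getText( 'project' );
+if ( ! $this->userLDAP->inRole( 'netadmin', $project ) ) {
+$this->notInRole( 'netadmin' );
+return false;
+}
 $userCredentials = $this->userLDAP->getCredentials( $project );
 $this->userNova = new OpenStackNovaController( $userCredentials );
 $ip = $wgRequest->getText( 'ip' );
@@ -116,6 +124,10 @@
 
 $ip = $wgRequest->getText( 'ip' );
 $project = $wgRequest->getText( 'project' );
+if ( ! $this->userLDAP->inRole( 'netadmin', $project ) ) {
+$this->notInRole( 'netadmin' );
+return false;
+}
 $userCredentials = $this->userLDAP->getCredentials( $project );
 $this->userNova = new OpenStackNovaController( $userCredentials );
 $instances = $this->userNova->getInstances();
@@ -160,6 +172,10 @@
 $wgOut->setPagetitle( wfMsg( 'openstackmanager-disassociateaddress' ) );
 
 $project = $wgRequest->getText( 'project' );
+if ( ! $this->userLDAP->inRole( 'netadmin', $project ) ) {
+$this->notInRole( 'netadmin' );
+return false;
+}
 $userCredentials = $this->userLDAP->getCredentials( $project );
 $this->userNova = new OpenStackNovaController( $userCredentials );
 $ip = $wgRequest->getText( 'ip' );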
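--- a/trunk/extensions/OpenStackManager/special/SpecialNovaProject.php
+++ b/trunk/extensions/OpenStackManager/special/SpecialNovaProject.php
@@ -4,7 +4,7 @@
 var $userNova, $adminNova;
 
 function __construct() {
-parent::__construct( 'NovaProject' );
+parent::__construct( 'NovaProject', 'manageproject' );
 
 global $wgOpenStackManagerNovaAdminKeys;
 
@@ -13,26 +13,14 @@
 $this->adminNova = new OpenStackNovaController( $adminCredentials );
 }
 
-public function isRestricted() {
-return true;
-}
-
-# public function userCanExecute( $user ) {
-# global $wgRequest;
-#
-# #$project = $wgRequest->getVal('project');
-# #if ( $project && ! $this->userLDAP->inProject( $project ) ) {
-# # return false;
-# #}
-# return true;
-# }
-
 function execute( $par ) {
 global $wgRequest, $wgUser;
 
-# if ( ! $wgUser->isAllowed( 'manageproject' ) ) {
-# return false;
-# }
+if ( !$this->userCanExecute( $wgUser ) ) {
+$this->displayRestrictionError();
+return false;
+}
+
 if ( ! $wgUser->isLoggedIn() ) {
 $this->notLoggedIn();
 return false;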
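Review bot: `userCanExecute( $wgUser )` now runs before the `isLoggedIn()` check, so an anonymous visitor gets the generic permission-required page instead of the extension's notLoggedIn message; if the login hint is the intended experience, move the new block below the login check. The `manageproject` right is granted only to `sysop` in OpenStackManager.php and nothing here says so; a one-line comment above the constructor call, `# Restricted to the 'manageproject' right (granted to sysop by default in OpenStackManager.php)`, would spare the next reader the search. Whether `displayRestrictionError()` returns or throws depends on the MediaWiki core version in use, so the `return false` after it is correct either way. The constructor and execute continue outside the hunks.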
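--- a/trunk/extensions/OpenStackManager/special/SpecialNovaDomain.php
+++ b/trunk/extensions/OpenStackManager/special/SpecialNovaDomain.php
@@ -12,10 +12,6 @@
 $this->adminNova = new OpenStackNovaController( $wgOpenStackManagerNovaAdminKeys );
 }
 
-public function isRestricted() {
-return true;
-}
-
 function execute( $par ) {
 global $wgRequest, $wgUser;
 
@@ -26,6 +22,12 @@
 $this->notLoggedIn();
 return false;
 }
+$project = $wgRequest->getText( 'project' );
+# Must be in the global role
+if ( ! $this->userLDAP->inRole( 'netadmin' ) ) {
+$this->notInRole( 'netadmin' );
+return false;
+}
 
 $action = $wgRequest->getVal( 'action' );
 if ( $action == "create" ) {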
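Review bot: `$project = $wgRequest->getText( 'project' )` is assigned but the `inRole( 'netadmin' )` call directly below deliberately omits it, so within this hunk the variable is unused; if the remainder of execute (outside the hunk) does not read `$project`, drop the assignment. Either way the comment should say why the project-level role is not accepted here, e.g. `# Only the global netadmin role is accepted for domain management; a project-level netadmin role is not sufficient`, since the address pages accept the project-level role and a reader will otherwise assume the missing argument is an oversight.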
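--- a/trunk/extensions/OpenStackManager/special/SpecialNovaKey.php
+++ b/trunk/extensions/OpenStackManager/special/SpecialNovaKey.php
@@ -7,10 +7,6 @@
 parent::__construct( 'NovaKey' );
 }
 
-public function isRestricted() {
-return true;
-}
-
 function execute( $par ) {
 global $wgRequest, $wgUser;
 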
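--- a/trunk/extensions/OpenStackManager/special/SpecialNova.php
+++ b/trunk/extensions/OpenStackManager/special/SpecialNova.php
@@ -24,4 +24,17 @@
 $wgOut->setPagetitle( wfMsg( 'openstackmanager-noaccount' ) );
 $wgOut->addHTML( wfMsg( 'openstackmanager-noaccount2' ) );
 }
+
+function notInRole( $role ) {
+global $wgOut;
+
+$this->setHeaders();
+if ( $role == 'sysadmin' ) {
+$wgOut->setPagetitle( wfMsg( 'openstackmanager-needsysadminrole' ) );
+$wgOut->addHTML( wfMsg( 'openstackmanager-needsysadminrole2' ) );
+} else if ( $role == 'netadmin' ) {
+$wgOut->setPagetitle( wfMsg( 'openstackmanager-neednetadminrole' ) );
+$wgOut->addHTML( wfMsg( 'openstackmanager-neednetadminrole2' ) );
+}
+}
 }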
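Review bot: notInRole emits nothing for a role other than `sysadmin` or `netadmin` — `cloudadmin`, which this commit adds to `$wgOpenStackManagerLDAPGlobalRoles`, would yield a page with headers and an empty body, and the caller still returns false so the user gets no explanation. Add a final `else` branch that sets a generic title and explanation (a new i18n key would be needed), or derive the key from the role name, `wfMsg( "openstackmanager-need{$role}role" )`, with a fallback when the message does not exist. `else if` is written `elseif` under the MediaWiki coding conventions, and `===` avoids the loose string comparison. The class header lies outside the hunk.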
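--- a/trunk/extensions/OpenStackManager/OpenStackManager.i18n.php
+++ b/trunk/extensions/OpenStackManager/OpenStackManager.i18n.php
@@ -22,6 +22,13 @@
 'openstackmanager-instance' => 'Manage Instance',
 'openstackmanager-title' => 'OpenStackManager',
 
+'specialpages-group-nova' => 'OpenStack Nova',
+'novaaddress' => 'Manage public IP addresses',
+'novadomain' => 'Manage DNS domains',
+'novainstance' => 'Manage Instances',
+'novakey' => 'Manage your public SSH keys',
+'novaproject' => 'Manage OpenStack projects',
+
 'openstackmanager-novadomain' => 'Nova Domain',
 'openstackmanager-novainstance' => 'Nova Instance',
 'openstackmanager-novakey' => 'Nova Key',
@@ -147,6 +154,11 @@
 'openstackmanager-disassociateaddress-confirm' => 'Are you sure you would like to disassociate $1?',
 'openstackmanager-releaseaddress-confirm' => 'Are you sure you would like to release $1?',
 
+'openstackmanager-needsysadminrole' => 'Sysadmin Role Required',
+'openstackmanager-needsysadminrole2' => 'You must be a member of the sysadmin role to perform this action.',
+'openstackmanager-neednetadminrole' => 'Netadmin Role Required',
+'openstackmanager-neednetadminrole2' => 'You must be a member of the netadmin role to perform this action.',
+
 );
 
 /** Message documentation (Message documentation)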
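--- a/trunk/extensions/OpenStackManager/OpenStackManager.php
+++ b/trunk/extensions/OpenStackManager/OpenStackManager.php
@@ -30,6 +30,9 @@
 $wgExtraNamespaces[NS_VM] = 'VM';
 $wgExtraNamespaces[NS_VM_TALK] = 'VM_talk';
 
+$wgGroupPermissions['sysop']['manageproject'] = true;
+$wgAvailableRights[] = 'manageproject';
+
 $wgOpenStackManagerNovaDisableSSL = true;
 $wgOpenStackManagerNovaServerName = 'localhost';
 $wgOpenStackManagerNovaPort = 8773;
@@ -40,6 +43,11 @@
 $wgOpenStackManagerLDAPUser = '';
 $wgOpenStackManagerLDAPUserPassword = '';
 $wgOpenStackManagerLDAPProjectBaseDN = '';
+$wgOpenStackManagerLDAPGlobalRoles = array(
+'sysadmin' => '',
+'netadmin' => '',
+'cloudadmin' => '',
+);
 $wgOpenStackManagerLDAPInstanceBaseDN = '';
 $wgOpenStackManagerLDAPDefaultGid = '500';
 $wgOpenStackManagerDNSServers = array( 'primary' => 'localhost', 'secondary' => 'localhost' );
@@ -72,15 +80,15 @@
 $wgAutoloadClasses['OpenStackNovaHostJob'] = $dir . 'OpenStackNovaHostJob.php';
 $wgAutoloadClasses['AmazonEC2'] = $dir . 'aws-sdk/sdk.class.php';
 $wgSpecialPages['NovaInstance'] = 'SpecialNovaInstance';
-$wgSpecialPageGroups['NovaInstance'] = 'other';
+$wgSpecialPageGroups['NovaInstance'] = 'nova';
 $wgSpecialPages['NovaKey'] = 'SpecialNovaKey';
-$wgSpecialPageGroups['NovaKey'] = 'other';
+$wgSpecialPageGroups['NovaKey'] = 'nova';
 $wgSpecialPages['NovaProject'] = 'SpecialNovaProject';
-$wgSpecialPageGroups['NovaProject'] = 'other';
+$wgSpecialPageGroups['NovaProject'] = 'nova';
 $wgSpecialPages['NovaDomain'] = 'SpecialNovaDomain';
-$wgSpecialPageGroups['NovaDomain'] = 'other';
+$wgSpecialPageGroups['NovaDomain'] = 'nova';
 $wgSpecialPages['NovaAddress'] = 'SpecialNovaAddress';
-$wgSpecialPageGroups['NovaAddress'] = 'other';
+$wgSpecialPageGroups['NovaAddress'] = 'nova';
 $wgJobClasses['addDNSHostToLDAP'] = 'OpenStackNovaHostJob';
 
 $wgHooks['LDAPSetCreationValues'][] = 'OpenStackNovaUser::LDAPSetCreationValues';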
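Review bot: The new `$wgOpenStackManagerLDAPGlobalRoles` array carries no comment saying what its values are or what an empty value means; from OpenStackNovaUser::inRole in this same commit each value is used as the base DN of an `ldap_search` on `member`, and an empty string causes the global check for that role to be skipped. Suggest a comment above the array: `# DN of the LDAP group for each global role; leave empty to disable the global check for that role (project-level roles are still consulted)`. A similar one-liner above `$wgGroupPermissions['sysop']['manageproject'] = true;` noting that the right gates Special:NovaProject would document the new permission for site administrators. The remaining group renames are cosmetic.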
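--- a/trunk/extensions/OpenStackManager/OpenStackNovaProject.php
+++ b/trunk/extensions/OpenStackManager/OpenStackNovaProject.php
@@ -117,6 +117,15 @@
 }
 }
 
+static function getProjectByName( $projectname ) {
+$project = new OpenStackNovaProject( $projectname );
+if ( $project->projectInfo ) {
+return $project;
+} else {
+return null;
+}
+}
+
 static function getAllProjects() {
 global $wgAuth;
 global $wgOpenStackManagerLDAPUser, $wgOpenStackManagerLDAPUserPassword;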
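Review bot: getProjectByName hands the caller-supplied name straight to the OpenStackNovaProject constructor, and inRole in this commit passes it a value read from the request; whether the constructor escapes the name before using it in its LDAP lookup is outside this hunk and worth confirming. The body can be a single expression, `return $project->projectInfo ? $project : null;`, and a docblock with `@return OpenStackNovaProject|null` would document the null-on-miss contract that inRole relies on. The class continues outside the hunk.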
