Re: [Qemu-devel] [PATCH v3 06/10] acl: delete existing ACL implementation

2016-03-22 Thread Eric Blake 
On 03/10/2016 11:59 AM, Daniel P. Berrange wrote:
> The 'qemu_acl' type was a previous non-QOM based attempt to
> provide an authorization facility in QEMU. Because it is
> non-QOM based it cannot be created via the command line and
> requires special monitor commands to manipulate it.
> 
> The new QAuthZ and QAuthZSimple QOM classes provide a superset
> of the functionality in qemu_acl, so the latter can now be
> deleted. The HMP 'acl_*' monitor commands are converted to
> use the new QAuthZSimple data type instead in order to provide
> backwards compatibility, but their use is discouraged.
> 
> Signed-off-by: Daniel P. Berrange 
> ---

Reviewed-by: Eric Blake 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

[Qemu-devel] [PATCH v3 06/10] acl: delete existing ACL implementation

2016-03-10 Thread Daniel P. Berrange 
The 'qemu_acl' type was a previous non-QOM based attempt to
provide an authorization facility in QEMU. Because it is
non-QOM based it cannot be created via the command line and
requires special monitor commands to manipulate it.

The new QAuthZ and QAuthZSimple QOM classes provide a superset
of the functionality in qemu_acl, so the latter can now be
deleted. The HMP 'acl_*' monitor commands are converted to
use the new QAuthZSimple data type instead in order to provide
backwards compatibility, but their use is discouraged.

Signed-off-by: Daniel P. Berrange 
---
 Makefile   |   6 +-
 crypto/tlssession.c|  28 --
 include/qemu/acl.h |  74 
 monitor.c  | 161 ++-
 tests/Makefile |   2 +-
 tests/test-crypto-tlssession.c |  13 +--
 tests/test-io-channel-tls.c|  14 +--
 ui/vnc-auth-sasl.c |   2 +-
 ui/vnc-auth-sasl.h |   4 +-
 ui/vnc.c   |  11 ++-
 util/Makefile.objs |   1 -
 util/acl.c | 188 -
 12 files changed, 156 insertions(+), 348 deletions(-)
 delete mode 100644 include/qemu/acl.h
 delete mode 100644 util/acl.c

diff --git a/Makefile b/Makefile
index 60ad13e..8f7ffd3 100644
--- a/Makefile
+++ b/Makefile
@@ -235,9 +235,9 @@ util/module.o-cflags = 
-D'CONFIG_BLOCK_MODULES=$(block-modules)'
 
 qemu-img.o: qemu-img-cmds.h
 
-qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
$(qom-obj-y) libqemuutil.a libqemustub.a
-qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
$(qom-obj-y) libqemuutil.a libqemustub.a
-qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
$(qom-obj-y) libqemuutil.a libqemustub.a
+qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
$(qom-obj-y) $(util-qom-obj-y) libqemuutil.a libqemustub.a
+qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
$(qom-obj-y) $(util-qom-obj-y) libqemuutil.a libqemustub.a
+qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) 
$(qom-obj-y) $(util-qom-obj-y) libqemuutil.a libqemustub.a
 
 qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o
 
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index e0d9658..26e8097 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -22,7 +22,7 @@
 #include "crypto/tlssession.h"
 #include "crypto/tlscredsanon.h"
 #include "crypto/tlscredsx509.h"
-#include "qemu/acl.h"
+#include "qemu/authz.h"
 #include "trace.h"
 
 #ifdef CONFIG_GNUTLS
@@ -207,6 +207,7 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession 
*session,
 unsigned int nCerts, i;
 time_t now;
 gnutls_x509_crt_t cert = NULL;
+Error *err = NULL;
 
 now = time(NULL);
 if (now == ((time_t)-1)) {
@@ -295,16 +296,33 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession 
*session,
 goto error;
 }
 if (session->aclname) {
-qemu_acl *acl = qemu_acl_find(session->aclname);
-int allow;
-if (!acl) {
+QAuthZ *acl;
+Object *obj;
+Object *container;
+bool allow;
+
+container = object_get_objects_root();
+obj = object_resolve_path_component(container,
+session->aclname);
+if (!obj) {
 error_setg(errp, "Cannot find ACL %s",
session->aclname);
 goto error;
 }
 
-allow = qemu_acl_party_is_allowed(acl, session->peername);
+if (!object_dynamic_cast(obj, TYPE_QAUTHZ)) {
+error_setg(errp, "Object '%s' is not a QAuthZ subclass",
+   session->aclname);
+goto error;
+}
 
+acl = QAUTHZ(obj);
+
+allow = qauthz_is_allowed(acl, session->peername, );
+if (err) {
+error_propagate(errp, err);
+goto error;
+}
 if (!allow) {
 error_setg(errp, "TLS x509 ACL check for %s is denied",
session->peername);
diff --git a/include/qemu/acl.h b/include/qemu/acl.h
deleted file mode 100644
index 116487e..000
--- a/include/qemu/acl.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * QEMU access control list management
- *
- * Copyright (C) 2009 Red Hat, Inc
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to 
deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or