diff --git a/src/gmp.c b/src/gmp.c
index df1e1e254..5c7d7a2fc 100644
--- a/src/gmp.c
+++ b/src/gmp.c
@@ -99,6 +99,7 @@
 #include "manage_filters.h"
 #include "manage_groups.h"
 #include "manage_oci_image_targets.h"
+#include "manage_permissions.h"
 #include "manage_port_lists.h"
 #include "manage_report_configs.h"
 #include "manage_report_formats.h"
diff --git a/src/manage.h b/src/manage.h
index 2f344f1a7..477f7f943 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -2894,9 +2894,6 @@ create_permission (const char *, const char *, const char *, const char *,
 int
 copy_permission (const char*, const char *, permission_t *);
-char*
-permission_uuid (permission_t);
-
 int
 permission_in_use (permission_t);
diff --git a/src/manage_permissions.h b/src/manage_permissions.h
index 62db451ad..e0d0ac34c 100644
--- a/src/manage_permissions.h
+++ b/src/manage_permissions.h
@@ -6,7 +6,12 @@
 #ifndef _GVMD_MANAGE_PERMISSIONS_H
 #define _GVMD_MANAGE_PERMISSIONS_H
+#include "manage_resources.h"
+
 int
 permission_is_admin (const char *);
+char *
+permission_uuid (permission_t);
+
 #endif /* not _GVMD_MANAGE_PERMISSIONS_H */
diff --git a/src/manage_sql.c b/src/manage_sql.c
index 24cae8abc..1f3de9b30 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -211,15 +211,6 @@ task_owner_uuid (task_t);
 static int
 user_ensure_in_db (const gchar *, const gchar *);
-static resource_t
-permission_resource (permission_t);
-
-static resource_t
-permission_subject (permission_t);
-
-static char *
-permission_subject_type (permission_t);
-
 static int
 report_counts_id_full (report_t, int *, int *, int *, int *, int *, int *,
 double *, const get_data_t*, const char* ,
@@ -243,9 +234,6 @@ find_trash_report_with_permission (const char *, report_t *, const char *);
 static int
 cleanup_schedule_times ();
-static char *
-permission_name (permission_t);
-
 static void
 cache_permissions_for_resource (const char *, resource_t, GArray*);
@@ -33092,67 +33080,6 @@ modify_schedule (const char *schedule_id, const char *name, const char *comment, /* Permissions. */ -/** - * @brief Set permissions to orphan. - * - * @param[in] type Type. - * @param[in] resource Resource ID. - * @param[in] location Location: table or trash. - */ -void -permissions_set_orphans (const char *type, resource_t resource, int location) -{ - sql ("UPDATE permissions SET resource = -1" - " WHERE resource_type = '%s' AND resource = %llu" - " AND resource_location = %i;", - type, - resource, - location); - sql ("UPDATE permissions_trash SET resource = -1" - " WHERE resource_type = '%s' AND resource = %llu" - " AND resource_location = %i;", - type, - resource, - location); -} - -/** - * @brief Adjust subject in permissions. - * - * @param[in] type Subject type. - * @param[in] old Resource ID in old table. - * @param[in] new Resource ID in new table. - * @param[in] to Destination, trash or table. - */ -void -permissions_set_subjects (const char *type, resource_t old, resource_t new, - int to) -{ - assert (type && (strcmp (type, "group") == 0 || strcmp (type, "role") == 0)); - - sql ("UPDATE permissions" - " SET subject_location = %i, subject = %llu" - " WHERE subject_location = %i" - " AND subject_type = '%s'" - " AND subject = %llu;", - to, - new, - to == LOCATION_TRASH ? LOCATION_TABLE : LOCATION_TRASH, - type, - old); - - sql ("UPDATE permissions_trash" - " SET subject_location = %i, subject = %llu" - " WHERE subject_location = %i" - " AND subject_type = '%s'" - " AND subject = %llu;", - to, - new, - to == LOCATION_TRASH ? LOCATION_TABLE : LOCATION_TRASH, - type, - old); -} - /** * @brief Find a permission given a UUID. * 
@@ -33762,151 +33689,6 @@ copy_permission (const char* comment, const char *permission_id, } -/** - * @brief Return the UUID of a permission. - * - * @param[in] permission Permission. - * - * @return Newly allocated UUID if available, else NULL. - */ -char* -permission_uuid (permission_t permission) -{ - return sql_string ("SELECT uuid FROM permissions WHERE id = %llu;", - permission); -} - -/** - * @brief Return the resource of a permission. - * - * @param[in] permission Permission. - * - * @return Resource if there is one, else 0. - */ -static resource_t -permission_resource (permission_t permission) -{ - resource_t resource; - sql_int64 (&resource, - "SELECT resource FROM permissions WHERE id = %llu;", - permission); - return resource; -} - -/** - * @brief Return the name of a permission. - * - * @param[in] permission Permission. - * - * @return Newly allocated name if available, else NULL. - */ -static char * -permission_name (permission_t permission) -{ - return sql_string ("SELECT name FROM permissions WHERE id = %llu;", - permission); -} - -/** - * @brief Return the subject type of a permission. - * - * @param[in] permission Permission. - * - * @return Newly allocated subject type if available, else NULL. - */ -static char * -permission_subject_type (permission_t permission) -{ - return sql_string ("SELECT subject_type FROM permissions WHERE id = %llu;", - permission); -} - -/** - * @brief Return the subject of a permission. - * - * @param[in] permission Permission. - * - * @return Subject if there is one, else 0. - */ -static resource_t -permission_subject (permission_t permission) -{ - resource_t subject; - sql_int64 (&subject, - "SELECT subject FROM permissions WHERE id = %llu;", - permission); - return subject; -} - -/** - * @brief Return the UUID of the subject of a permission. - * - * @param[in] permission Permission. - * - * @return Newly allocated subject ID if available, else NULL. 
- */ -static char * -permission_subject_id (permission_t permission) -{ - return sql_string ("SELECT subject_id FROM permissions WHERE id = %llu;", - permission); -} - -/** - * @brief Return the resource type of a permission. - * - * @param[in] permission Permission. - * - * @return Newly allocated resource type if available, else NULL. - */ -static char * -permission_resource_type (permission_t permission) -{ - return sql_string ("SELECT resource_type FROM permissions WHERE id = %llu;", - permission); -} - -/** - * @brief Return the UUID of the resource of a permission. - * - * @param[in] permission Permission. - * - * @return Newly allocated resource ID if available, else NULL. - */ -static char * -permission_resource_id (permission_t permission) -{ - return sql_string ("SELECT resource_id FROM permissions WHERE id = %llu;", - permission); -} - -/** - * @brief Return whether a permission is predefined. - * - * @param[in] permission Permission. - * - * @return 1 if predefined, else 0. - */ -static int -permission_is_predefined (permission_t permission) -{ - return !!sql_int ("SELECT COUNT (*) FROM permissions" - " WHERE id = %llu" - " AND (uuid = '" PERMISSION_UUID_ADMIN_EVERYTHING "'" - " OR (subject_type = 'role'" - " AND resource = 0" - " AND subject" - " IN (SELECT id FROM roles" - " WHERE uuid = '" ROLE_UUID_ADMIN "'" - " OR uuid = '" ROLE_UUID_GUEST "'" - " OR uuid = '" ROLE_UUID_INFO "'" - " OR uuid = '" ROLE_UUID_MONITOR "'" - " OR uuid = '" ROLE_UUID_USER "'" - " OR uuid = '" ROLE_UUID_SUPER_ADMIN "'" - " OR uuid = '" ROLE_UUID_OBSERVER "')))", - permission); -} - /** * @brief Return whether a permission is in use. * @@ -34526,6 +34308,11 @@ delete_permission (const char *permission_id, int ultimate) return 0; } +// TODO temporarily, until modify_permission moved out +char * +permission_resource_id (permission_t); +char * +permission_subject_id (permission_t); /** * @brief Modify a permission. * 
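Review bot: The prototypes for `permission_resource_id` and `permission_subject_id` added ahead of modify_permission belong in src/manage_sql_permissions.h beside the other getters this commit exports there (the header hunk at the end of the diff declares permission_resource, permission_is_predefined, permission_resource_type, permission_subject, permission_subject_type and permission_name but not these two), so manage_sql.c now carries a private copy of two external declarations that can silently drift from the definitions in manage_sql_permissions.c. Declaring them in the header lets the whole `// TODO temporarily, until modify_permission moved out` block go now instead of at the later move. The added block also appears to run straight into the `/**` doc comment of modify_permission without a separating blank line, though the collapsed layout makes that hard to confirm. modify_permission's body lies outside the hunk.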
@@ -34817,268 +34604,6 @@ modify_permission (const char *permission_id, const char *name_arg, return 0; } -/** - * @brief Add role permissions to feed objects according to the - * 'Feed Import Roles' setting. - * - * @param[in] type The object type, e.g. report_format. - * @param[in] type_cap Capitalized type, e.g. "Report Format" - * @param[out] permission_count Number of permissions added. - * @param[out] object_count Number of data objects affected. - */ -static void -add_feed_role_permissions (const char *type, - const char *type_cap, - int *permission_count, - int *object_count) -{ - char *roles_str; - gchar **roles; - iterator_t resources; - - roles_str = NULL; - setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &roles_str); - - if (roles_str == NULL || strlen (roles_str) == 0) - { - g_message ("%s: No feed import roles defined", __func__); - g_free (roles_str); - return; - } - - roles = g_strsplit (roles_str, ",", 0); - free (roles_str); - - init_iterator (&resources, - "SELECT id, uuid, name, owner FROM %ss" - " WHERE predefined = 1", - type); - while (next (&resources)) - { - gboolean added_permission = FALSE; - resource_t permission_resource = iterator_int64 (&resources, 0); - const char *permission_resource_id = iterator_string (&resources, 1); - const char *permission_resource_name = iterator_string (&resources, 2); - user_t owner = iterator_int64 (&resources, 3); - gchar **role = roles; - - while (*role) - { - char *role_name = NULL; - resource_name ("role", *role, LOCATION_TABLE, &role_name); - - if (sql_int ("SELECT count(*) FROM permissions" - " WHERE name = 'get_%ss'" - " AND subject_type = 'role'" - " AND subject" - " = (SELECT id FROM roles WHERE uuid='%s')" - " AND resource = %llu", - type, - *role, - permission_resource)) - { - g_debug ("Role %s (%s) already has read permission" - " for %s %s (%s).", - role_name, - *role, - type_cap, - permission_resource_name, - permission_resource_id); - } - else - { - gchar *permission_name; - - g_info 
("Creating read permission for role %s (%s)" - " on %s %s (%s).", - role_name, - *role, - type_cap, - permission_resource_name, - permission_resource_id); - - added_permission = TRUE; - if (permission_count) - *permission_count = *permission_count + 1; - - permission_name = g_strdup_printf ("get_%ss", type); - - current_credentials.uuid = user_uuid (owner); - switch (create_permission_internal - (0, - permission_name, - "Automatically created by" - " --optimize", - type, - permission_resource_id, - "role", - *role, - NULL)) - { - case 0: - // success - break; - case 2: - g_warning ("%s: failed to find role %s for permission", - __func__, *role); - break; - case 3: - g_warning ("%s: failed to find %s %s for permission", - __func__, type_cap, permission_resource_id); - break; - case 5: - g_warning ("%s: error in resource when creating permission" - " for %s %s", - __func__, type_cap, permission_resource_id); - break; - case 6: - g_warning ("%s: error in subject (Role %s)", - __func__, *role); - break; - case 7: - g_warning ("%s: error in name %s", - __func__, permission_name); - break; - case 8: - g_warning ("%s: permission on permission", __func__); - break; - case 9: - g_warning ("%s: permission %s does not accept resource", - __func__, permission_name); - break; - case 99: - g_warning ("%s: permission denied to create %s permission" - " for role %s on %s %s", - __func__, permission_name, *role, type_cap, - permission_resource_id); - break; - default: - g_warning ("%s: internal error creating %s permission" - " for role %s on %s %s", - __func__, permission_name, *role, type_cap, - permission_resource_id); - break; - } - - free (current_credentials.uuid); - current_credentials.uuid = NULL; - } - - free (role_name); - role ++; - } - if (object_count && added_permission) - *object_count = *object_count + 1; - } - - cleanup_iterator (&resources); - g_strfreev (roles); - - return; -} - - -/** - * @brief Delete permissions to feed objects for roles that are not set - * 
in the 'Feed Import Roles' setting. - * - * @param[in] type The object type, e.g. report_format. - * @param[in] type_cap Capitalized type, e.g. "Report Format" - * @param[out] permission_count Number of permissions added. - * @param[out] object_count Number of data objects affected. - */ -static void -clean_feed_role_permissions (const char *type, - const char *type_cap, - int *permission_count, - int *object_count) -{ - char *roles_str; - gchar **roles, **role; - GString *sql_roles; - iterator_t resources; - - roles_str = NULL; - setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &roles_str); - - if (roles_str == NULL || strlen (roles_str) == 0) - { - g_message ("%s: No feed import roles defined", __func__); - g_free (roles_str); - return; - } - - sql_roles = g_string_new ("("); - - roles = g_strsplit (roles_str, ",", 0); - role = roles; - while (*role) - { - gchar *quoted_role = sql_insert (*role); - g_string_append (sql_roles, quoted_role); - - role ++; - if (*role) - g_string_append (sql_roles, ", "); - } - - g_string_append (sql_roles, ")"); - g_debug ("%s: Keeping permissions for roles %s\n", __func__, sql_roles->str); - - init_iterator (&resources, - "SELECT id, uuid, name FROM %ss" - " WHERE predefined = 1", - type); - - while (next (&resources)) - { - gboolean removed_permission = FALSE; - resource_t permission_resource = iterator_int64 (&resources, 0); - const char *permission_resource_id = iterator_string (&resources, 1); - const char *permission_resource_name = iterator_string (&resources, 2); - iterator_t permissions; - roles = NULL; - - init_iterator (&permissions, - "DELETE FROM permissions" - " WHERE name = 'get_%ss'" - " AND resource = %llu" - " AND subject_type = 'role'" - " AND subject NOT IN" - " (SELECT id FROM roles WHERE uuid IN %s)" - " RETURNING" - " (SELECT uuid FROM roles WHERE id = subject)," - " (SELECT name FROM roles WHERE id = subject)", - type, - permission_resource, - sql_roles->str); - - while (next (&permissions)) - { - const char 
*role_id = iterator_string (&permissions, 0); - const char *role_name = iterator_string (&permissions, 1); - g_info ("Removed permission on %s %s (%s) for role %s (%s)", - type_cap, - permission_resource_name, - permission_resource_id, - role_name, - role_id); - - if (permission_count) - *permission_count = *permission_count + 1; - removed_permission = TRUE; - } - - if (object_count && removed_permission) - *object_count = *object_count + 1; - } - - cleanup_iterator (&resources); - g_strfreev (roles); - - return; -} - /* Schema. */ diff --git a/src/manage_sql.h b/src/manage_sql.h index 666e096c7..dfd5836f1 100644 --- a/src/manage_sql.h +++ b/src/manage_sql.h @@ -462,12 +462,6 @@ tags_remove_resource (const char *, resource_t, int); void tags_set_locations (const char *, resource_t, resource_t, int); -void -permissions_set_orphans (const char *, resource_t, int); - -void -permissions_set_subjects (const char *, resource_t, resource_t, int); - void cache_all_permissions_for_users (GArray *); diff --git a/src/manage_sql_assets.c b/src/manage_sql_assets.c index ef86f61c4..8b8816bb1 100644 --- a/src/manage_sql_assets.c +++ b/src/manage_sql_assets.c @@ -13,6 +13,7 @@ #if ENABLE_CONTAINER_SCANNING #include "manage_sql_oci_image_targets.h" #endif +#include "manage_sql_permissions.h" #include "manage_sql_tls_certificates.h" #include "sql.h" diff --git a/src/manage_sql_permissions.c b/src/manage_sql_permissions.c index b5c7783b6..adc4c0913 100644 --- a/src/manage_sql_permissions.c +++ b/src/manage_sql_permissions.c @@ -5,6 +5,7 @@ #include "manage_sql_permissions.h" #include "manage_acl.h" +#include "manage_sql_users.h" #include "sql.h" /** 
@@ -14,6 +15,151 @@ * The Permissions SQL for the GVM management layer. */ +/** + * @brief Return the UUID of a permission. + * + * @param[in] permission Permission. + * + * @return Newly allocated UUID if available, else NULL. + */ +char* +permission_uuid (permission_t permission) +{ + return sql_string ("SELECT uuid FROM permissions WHERE id = %llu;", + permission); +} + +/** + * @brief Return the resource of a permission. + * + * @param[in] permission Permission. + * + * @return Resource if there is one, else 0. + */ +resource_t +permission_resource (permission_t permission) +{ + resource_t resource; + sql_int64 (&resource, + "SELECT resource FROM permissions WHERE id = %llu;", + permission); + return resource; +} + +/** + * @brief Return the name of a permission. + * + * @param[in] permission Permission. + * + * @return Newly allocated name if available, else NULL. + */ +char * +permission_name (permission_t permission) +{ + return sql_string ("SELECT name FROM permissions WHERE id = %llu;", + permission); +} + +/** + * @brief Return the subject type of a permission. + * + * @param[in] permission Permission. + * + * @return Newly allocated subject type if available, else NULL. + */ +char * +permission_subject_type (permission_t permission) +{ + return sql_string ("SELECT subject_type FROM permissions WHERE id = %llu;", + permission); +} + +/** + * @brief Return the subject of a permission. + * + * @param[in] permission Permission. + * + * @return Subject if there is one, else 0. + */ +resource_t +permission_subject (permission_t permission) +{ + resource_t subject; + sql_int64 (&subject, + "SELECT subject FROM permissions WHERE id = %llu;", + permission); + return subject; +} + +/** + * @brief Return the UUID of the subject of a permission. + * + * @param[in] permission Permission. + * + * @return Newly allocated subject ID if available, else NULL. 
+ */ +char * +permission_subject_id (permission_t permission) +{ + return sql_string ("SELECT subject_id FROM permissions WHERE id = %llu;", + permission); +} + +/** + * @brief Return the resource type of a permission. + * + * @param[in] permission Permission. + * + * @return Newly allocated resource type if available, else NULL. + */ +char * +permission_resource_type (permission_t permission) +{ + return sql_string ("SELECT resource_type FROM permissions WHERE id = %llu;", + permission); +} + +/** + * @brief Return the UUID of the resource of a permission. + * + * @param[in] permission Permission. + * + * @return Newly allocated resource ID if available, else NULL. + */ +char * +permission_resource_id (permission_t permission) +{ + return sql_string ("SELECT resource_id FROM permissions WHERE id = %llu;", + permission); +} + +/** + * @brief Return whether a permission is predefined. + * + * @param[in] permission Permission. + * + * @return 1 if predefined, else 0. + */ +int +permission_is_predefined (permission_t permission) +{ + return !!sql_int ("SELECT COUNT (*) FROM permissions" + " WHERE id = %llu" + " AND (uuid = '" PERMISSION_UUID_ADMIN_EVERYTHING "'" + " OR (subject_type = 'role'" + " AND resource = 0" + " AND subject" + " IN (SELECT id FROM roles" + " WHERE uuid = '" ROLE_UUID_ADMIN "'" + " OR uuid = '" ROLE_UUID_GUEST "'" + " OR uuid = '" ROLE_UUID_INFO "'" + " OR uuid = '" ROLE_UUID_MONITOR "'" + " OR uuid = '" ROLE_UUID_USER "'" + " OR uuid = '" ROLE_UUID_SUPER_ADMIN "'" + " OR uuid = '" ROLE_UUID_OBSERVER "')))", + permission); +} + /** * @brief Adjust location of resource in permissions. * 
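Review bot: permission_resource and permission_subject return `resource` and `subject` without initialising them, so the documented "else 0" only holds if sql_int64 writes the out-parameter even when no row matches, which the diff does not show; `resource_t resource = 0;` and `resource_t subject = 0;` make the contract true regardless. This matters more now than it did in manage_sql.c: the functions have external linkage and are declared in manage_sql_permissions.h, so callers in other units can rely only on the Doxygen contract. The other getters in the hunk are verbatim moves from manage_sql.c and raise nothing new.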
@@ -43,3 +189,325 @@ permissions_set_locations (const char *type, resource_t old, resource_t new, old, to == LOCATION_TABLE ? LOCATION_TRASH : LOCATION_TABLE); } + +/** + * @brief Set permissions to orphan. + * + * @param[in] type Type. + * @param[in] resource Resource ID. + * @param[in] location Location: table or trash. + */ +void +permissions_set_orphans (const char *type, resource_t resource, int location) +{ + sql ("UPDATE permissions SET resource = -1" + " WHERE resource_type = '%s' AND resource = %llu" + " AND resource_location = %i;", + type, + resource, + location); + sql ("UPDATE permissions_trash SET resource = -1" + " WHERE resource_type = '%s' AND resource = %llu" + " AND resource_location = %i;", + type, + resource, + location); +} + +/** + * @brief Adjust subject in permissions. + * + * @param[in] type Subject type. + * @param[in] old Resource ID in old table. + * @param[in] new Resource ID in new table. + * @param[in] to Destination, trash or table. + */ +void +permissions_set_subjects (const char *type, resource_t old, resource_t new, + int to) +{ + assert (type && (strcmp (type, "group") == 0 || strcmp (type, "role") == 0)); + + sql ("UPDATE permissions" + " SET subject_location = %i, subject = %llu" + " WHERE subject_location = %i" + " AND subject_type = '%s'" + " AND subject = %llu;", + to, + new, + to == LOCATION_TRASH ? LOCATION_TABLE : LOCATION_TRASH, + type, + old); + + sql ("UPDATE permissions_trash" + " SET subject_location = %i, subject = %llu" + " WHERE subject_location = %i" + " AND subject_type = '%s'" + " AND subject = %llu;", + to, + new, + to == LOCATION_TRASH ? LOCATION_TABLE : LOCATION_TRASH, + type, + old); +} + +/** + * @brief Add role permissions to feed objects according to the + * 'Feed Import Roles' setting. + * + * @param[in] type The object type, e.g. report_format. + * @param[in] type_cap Capitalized type, e.g. "Report Format" + * @param[out] permission_count Number of permissions added. 
+ * @param[out] object_count Number of data objects affected. + */ +void +add_feed_role_permissions (const char *type, + const char *type_cap, + int *permission_count, + int *object_count) +{ + char *roles_str; + gchar **roles; + iterator_t resources; + + roles_str = NULL; + setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &roles_str); + + if (roles_str == NULL || strlen (roles_str) == 0) + { + g_message ("%s: No feed import roles defined", __func__); + g_free (roles_str); + return; + } + + roles = g_strsplit (roles_str, ",", 0); + free (roles_str); + + init_iterator (&resources, + "SELECT id, uuid, name, owner FROM %ss" + " WHERE predefined = 1", + type); + while (next (&resources)) + { + gboolean added_permission = FALSE; + resource_t permission_resource = iterator_int64 (&resources, 0); + const char *permission_resource_id = iterator_string (&resources, 1); + const char *permission_resource_name = iterator_string (&resources, 2); + user_t owner = iterator_int64 (&resources, 3); + gchar **role = roles; + + while (*role) + { + char *role_name = NULL; + manage_resource_name ("role", *role, &role_name); + + if (sql_int ("SELECT count(*) FROM permissions" + " WHERE name = 'get_%ss'" + " AND subject_type = 'role'" + " AND subject" + " = (SELECT id FROM roles WHERE uuid='%s')" + " AND resource = %llu", + type, + *role, + permission_resource)) + { + g_debug ("Role %s (%s) already has read permission" + " for %s %s (%s).", + role_name, + *role, + type_cap, + permission_resource_name, + permission_resource_id); + } + else + { + gchar *permission_name; + + g_info ("Creating read permission for role %s (%s)" + " on %s %s (%s).", + role_name, + *role, + type_cap, + permission_resource_name, + permission_resource_id); + + added_permission = TRUE; + if (permission_count) + *permission_count = *permission_count + 1; + + permission_name = g_strdup_printf ("get_%ss", type); + + current_credentials.uuid = user_uuid (owner); + switch (create_permission_internal + (0, + 
permission_name, + "Automatically created by" + " --optimize", + type, + permission_resource_id, + "role", + *role, + NULL)) + { + case 0: + // success + break; + case 2: + g_warning ("%s: failed to find role %s for permission", + __func__, *role); + break; + case 3: + g_warning ("%s: failed to find %s %s for permission", + __func__, type_cap, permission_resource_id); + break; + case 5: + g_warning ("%s: error in resource when creating permission" + " for %s %s", + __func__, type_cap, permission_resource_id); + break; + case 6: + g_warning ("%s: error in subject (Role %s)", + __func__, *role); + break; + case 7: + g_warning ("%s: error in name %s", + __func__, permission_name); + break; + case 8: + g_warning ("%s: permission on permission", __func__); + break; + case 9: + g_warning ("%s: permission %s does not accept resource", + __func__, permission_name); + break; + case 99: + g_warning ("%s: permission denied to create %s permission" + " for role %s on %s %s", + __func__, permission_name, *role, type_cap, + permission_resource_id); + break; + default: + g_warning ("%s: internal error creating %s permission" + " for role %s on %s %s", + __func__, permission_name, *role, type_cap, + permission_resource_id); + break; + } + + free (current_credentials.uuid); + current_credentials.uuid = NULL; + } + + free (role_name); + role ++; + } + if (object_count && added_permission) + *object_count = *object_count + 1; + } + + cleanup_iterator (&resources); + g_strfreev (roles); + + return; +} + +/** + * @brief Delete permissions to feed objects for roles that are not set + * in the 'Feed Import Roles' setting. + * + * @param[in] type The object type, e.g. report_format. + * @param[in] type_cap Capitalized type, e.g. "Report Format" + * @param[out] permission_count Number of permissions added. + * @param[out] object_count Number of data objects affected. 
+ */ +void +clean_feed_role_permissions (const char *type, + const char *type_cap, + int *permission_count, + int *object_count) +{ + char *roles_str; + gchar **roles, **role; + GString *sql_roles; + iterator_t resources; + + roles_str = NULL; + setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &roles_str); + + if (roles_str == NULL || strlen (roles_str) == 0) + { + g_message ("%s: No feed import roles defined", __func__); + g_free (roles_str); + return; + } + + sql_roles = g_string_new ("("); + + roles = g_strsplit (roles_str, ",", 0); + role = roles; + while (*role) + { + gchar *quoted_role = sql_insert (*role); + g_string_append (sql_roles, quoted_role); + + role ++; + if (*role) + g_string_append (sql_roles, ", "); + } + + g_string_append (sql_roles, ")"); + g_debug ("%s: Keeping permissions for roles %s\n", __func__, sql_roles->str); + + init_iterator (&resources, + "SELECT id, uuid, name FROM %ss" + " WHERE predefined = 1", + type); + + while (next (&resources)) + { + gboolean removed_permission = FALSE; + resource_t permission_resource = iterator_int64 (&resources, 0); + const char *permission_resource_id = iterator_string (&resources, 1); + const char *permission_resource_name = iterator_string (&resources, 2); + iterator_t permissions; + roles = NULL; + + init_iterator (&permissions, + "DELETE FROM permissions" + " WHERE name = 'get_%ss'" + " AND resource = %llu" + " AND subject_type = 'role'" + " AND subject NOT IN" + " (SELECT id FROM roles WHERE uuid IN %s)" + " RETURNING" + " (SELECT uuid FROM roles WHERE id = subject)," + " (SELECT name FROM roles WHERE id = subject)", + type, + permission_resource, + sql_roles->str); + + while (next (&permissions)) + { + const char *role_id = iterator_string (&permissions, 0); + const char *role_name = iterator_string (&permissions, 1); + g_info ("Removed permission on %s %s (%s) for role %s (%s)", + type_cap, + permission_resource_name, + permission_resource_id, + role_name, + role_id); + + if (permission_count) + 
*permission_count = *permission_count + 1; + removed_permission = TRUE; + } + + if (object_count && removed_permission) + *object_count = *object_count + 1; + } + + cleanup_iterator (&resources); + g_strfreev (roles); + + return; +} diff --git a/src/manage_sql_permissions.h b/src/manage_sql_permissions.h index 8186b1b77..af242a400 100644 --- a/src/manage_sql_permissions.h +++ b/src/manage_sql_permissions.h @@ -19,7 +19,37 @@ */ #define PERMISSION_UUID_SUPER_ADMIN_EVERYTHING "a9801074-6fe2-11e4-9d81-406186ea4fc5" +resource_t +permission_resource (permission_t); + +int +permission_is_predefined (permission_t); + +char * +permission_resource_type (permission_t); + +resource_t +permission_subject (permission_t); + +char * +permission_subject_type (permission_t); + +char * +permission_name (permission_t); + void permissions_set_locations (const char *, resource_t, resource_t, int); +void +permissions_set_orphans (const char *, resource_t, int); + +void +permissions_set_subjects (const char *, resource_t, resource_t, int); + +void +add_feed_role_permissions (const char *, const char *, int *, int *); + +void +clean_feed_role_permissions (const char *, const char *, int *, int *); + #endif //_GVMD_MANAGE_SQL_PERMISSIONS_H
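Review bot: clean_feed_role_permissions never calls `cleanup_iterator (&permissions);` after the inner `while (next (&permissions))` loop, and the `roles = NULL;` inside the resources loop means the final `g_strfreev (roles);` frees NULL, so the g_strsplit array leaks whenever at least one predefined object exists; `sql_roles` likewise needs `g_string_free (sql_roles, TRUE);`, `roles_str` is not freed on the success path, and each `sql_insert` result is appended but never released (assuming sql_insert allocates, as its gchar * return suggests). In add_feed_role_permissions the role UUID taken from the setting is interpolated raw into `WHERE uuid='%s'` while clean_feed_role_permissions passes the same values through `sql_insert`; quoting it the same way in both keeps the two functions consistent and removes the dependence on the setting's content being well-formed, and the `permission_name` string from g_strdup_printf should be g_free'd after the switch. Now that permission_resource and permission_name are exported functions in this same file, the locals `resource_t permission_resource` and `gchar *permission_name` in add_feed_role_permissions shadow them, which -Wshadow will flag; renaming the locals avoids it. The Doxygen for clean_feed_role_permissions still reads `@param[out] permission_count Number of permissions added.` where the function counts deletions, so `Number of permissions removed.` is the accurate wording.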