[pve-devel] [RFC 08/23] refactor acl transformation code

Thu, 17 Oct 2019 06:15:12 -0700 

pull it into helper sub, since we need this one more time for token ACL
members.

Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 PVE/AccessControl.pm | 61 +++++++++++++++++++-------------------------
 1 file changed, 26 insertions(+), 35 deletions(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index a84173e..48c9930 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1092,47 +1092,38 @@ sub write_user_config {
 
     $data .= "\n";
 
+    my $collect_ra = sub {
+       my ($acl_members, $ra, $prefix, $exclude) = @_;
+
+       foreach my $member (keys %$acl_members) {
+           next if $exclude && $member eq $exclude;
+
+           my $l0 = '';
+           my $l1 = '';
+           foreach my $role (sort keys %{$acl_members->{$member}}) {
+               my $propagate = $acl_members->{$member}->{$role};
+               if ($propagate) {
+                   $l1 .= ',' if $l1;
+                   $l1 .= $role;
+               } else {
+                   $l0 .= ',' if $l0;
+                   $l0 .= $role;
+               }
+           }
+           $ra->{0}->{$l0}->{"${prefix}${member}"} = 1 if $l0;
+           $ra->{1}->{$l1}->{"${prefix}${member}"} = 1 if $l1;
+       }
+    };
+
     foreach my $path (sort keys %{$cfg->{acl}}) {
        my $d = $cfg->{acl}->{$path};
 
        my $ra = {};
 
-       foreach my $group (keys %{$d->{groups}}) {
-           my $l0 = '';
-           my $l1 = '';
-           foreach my $role (sort keys %{$d->{groups}->{$group}}) {
-               my $propagate = $d->{groups}->{$group}->{$role};
-               if ($propagate) {
-                   $l1 .= ',' if $l1;
-                   $l1 .= $role;
-               } else {
-                   $l0 .= ',' if $l0;
-                   $l0 .= $role;
-               }
-           }
-           $ra->{0}->{$l0}->{"\@$group"} = 1 if $l0;
-           $ra->{1}->{$l1}->{"\@$group"} = 1 if $l1;
-       }
+       $collect_ra->($d->{'groups'}, $ra, '@');
 
-       foreach my $user (keys %{$d->{users}}) {
-           # no need to save, because root is always 'Administrator'
-           next if $user eq 'root@pam';
-
-           my $l0 = '';
-           my $l1 = '';
-           foreach my $role (sort keys %{$d->{users}->{$user}}) {
-               my $propagate = $d->{users}->{$user}->{$role};
-               if ($propagate) {
-                   $l1 .= ',' if $l1;
-                   $l1 .= $role;
-               } else {
-                   $l0 .= ',' if $l0;
-                   $l0 .= $role;
-               }
-           }
-           $ra->{0}->{$l0}->{$user} = 1 if $l0;
-           $ra->{1}->{$l1}->{$user} = 1 if $l1;
-       }
+       # no need to save 'root@pam', it is always 'Administrator'
+       $collect_ra->($d->{'users'}, $ra, '', 'root@pam');
 
        foreach my $rolelist (sort keys %{$ra->{0}}) {
            my $uglist = join (',', sort keys %{$ra->{0}->{$rolelist}});
-- 
2.20.1


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to