diff options
Diffstat (limited to 'rt/lib/RT/Principal_Overlay.pm')
-rw-r--r-- | rt/lib/RT/Principal_Overlay.pm | 367 |
1 files changed, 178 insertions, 189 deletions
diff --git a/rt/lib/RT/Principal_Overlay.pm b/rt/lib/RT/Principal_Overlay.pm index 3e2edaac6..4783c5ca6 100644 --- a/rt/lib/RT/Principal_Overlay.pm +++ b/rt/lib/RT/Principal_Overlay.pm @@ -1,8 +1,8 @@ -# {{{ BEGIN BPS TAGGED BLOCK +# BEGIN BPS TAGGED BLOCK {{{ # # COPYRIGHT: # -# This software is Copyright (c) 1996-2004 Best Practical Solutions, LLC +# This software is Copyright (c) 1996-2005 Best Practical Solutions, LLC # <jesse@bestpractical.com> # # (Except where explicitly superseded by other copyright notices) @@ -42,15 +42,27 @@ # works based on those contributions, and sublicense and distribute # those contributions and any derivatives thereof. # -# }}} END BPS TAGGED BLOCK +# END BPS TAGGED BLOCK }}} +# + +package RT::Principal; + use strict; +use warnings; no warnings qw(redefine); -use vars qw(%_ACL_KEY_CACHE); + +use Cache::Simple::TimedExpiry; + + use RT::Group; use RT::User; +# Set up the ACL cache on startup +our $_ACL_CACHE; +InvalidateACLCache(); + # {{{ IsGroup =head2 IsGroup @@ -131,6 +143,11 @@ sub Object { A helper function which calls RT::ACE->Create + + + Returns a tuple of (STATUS, MESSAGE); If the call succeeded, STATUS is true. Otherwise it's + false. + =cut sub GrantRight { @@ -140,11 +157,6 @@ sub GrantRight { @_); - #if we haven't specified any sort of right, we're talking about a global right - if (!defined $args{'Object'} && !defined $args{'ObjectId'} && !defined $args{'ObjectType'}) { - $args{'Object'} = $RT::System; - } - unless ($args{'Right'}) { return(0, $self->loc("Invalid Right")); } @@ -172,6 +184,11 @@ sub GrantRight { Delete a right that a user has + + Returns a tuple of (STATUS, MESSAGE); If the call succeeded, STATUS is true. Otherwise it's + false. + + =cut sub RevokeRight { @@ -206,7 +223,40 @@ sub RevokeRight { # }}} +# {{{ sub _CleanupInvalidDelegations + +=head2 sub _CleanupInvalidDelegations { InsideTransaction => undef } + +Revokes all ACE entries delegated by this principal which are +inconsistent with this principal's current delegation rights. Does +not perform permission checks, but takes no action and returns success +if this principal still retains DelegateRights. Should only ever be +called from inside the RT library. + +If this principal is a group, recursively calls this method on each +cached user member of itself. + +If called from inside a transaction, specify a true value for the +InsideTransaction parameter. +Returns a true value if the deletion succeeded; returns a false value +and logs an internal error if the deletion fails (should not happen). + +=cut + +# This is currently just a stub for the methods of the same name in +# RT::User and RT::Group. + +sub _CleanupInvalidDelegations { + my $self = shift; + unless ( $self->Id ) { + $RT::Logger->warning("Principal not loaded."); + return (undef); + } + return ($self->Object->_CleanupInvalidDelegations(@_)); +} + +# }}} # {{{ sub HasRight @@ -241,28 +291,31 @@ Returns undef if no ACE was found. sub HasRight { my $self = shift; - my %args = ( Right => undef, - Object => undef, - EquivObjects => undef, - @_ ); + my %args = ( + Right => undef, + Object => undef, + EquivObjects => undef, + @_ + ); if ( $self->Disabled ) { - $RT::Logger->err( "Disabled User: " . $self->id . " failed access check for " . $args{'Right'} ); + $RT::Logger->err( "Disabled User: " + . $self->id + . " failed access check for " + . $args{'Right'} ); return (undef); } if ( !defined $args{'Right'} ) { - require Carp; - $RT::Logger->debug( Carp::cluck("HasRight called without a right") ); + $RT::Logger->crit("HasRight called without a right"); return (undef); } - if ( defined( $args{'Object'} )) { - return (undef) unless (UNIVERSAL::can( $args{'Object'}, 'id' ) ); - push(@{$args{'EquivObjects'}}, $args{Object}); - } - elsif ( $args{'ObjectId'} && $args{'ObjectType'} ) { - $RT::Logger->crit(Carp::cluck("API not supprted")); + if ( defined( $args{'Object'} ) + && UNIVERSAL::can( $args{'Object'}, 'id' ) + && $args{'Object'}->id ) + { + push( @{ $args{'EquivObjects'} }, $args{Object} ); } else { $RT::Logger->crit("$self HasRight called with no valid object"); @@ -270,88 +323,50 @@ sub HasRight { } # If this object is a ticket, we care about ticket roles and queue roles - if ( (ref($args{'Object'}) eq 'RT::Ticket') && $args{'Object'}->Id) { - # this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object - # and ask all the rest of our questions about the queue. - push (@{$args{'EquivObjects'}}, $args{'Object'}->QueueObj); + if ( ( ref( $args{'Object'} ) eq 'RT::Ticket' ) && $args{'Object'}->Id ) { - } +# this is a little bit hacky, but basically, now that we've done the ticket roles magic, we load the queue object +# and ask all the rest of our questions about the queue. + push( @{ $args{'EquivObjects'} }, $args{'Object'}->QueueObj ); + } # {{{ If we've cached a win or loss for this lookup say so # {{{ Construct a hashkey to cache decisions in my $hashkey = do { - no warnings 'uninitialized'; - - # We don't worry about the hash ordering, as this is only - # temporarily used; also if the key changes it would be - # invalidated anyway. - join ( - ";:;", $self->Id, map { - $_, # the key of each arguments - ($_ eq 'EquivObjects') # for object arrayref... - ? map(_ReferenceId($_), @{$args{$_}}) # calculate each - : _ReferenceId( $args{$_} ) # otherwise just the value - } keys %args + no warnings 'uninitialized'; + + # We don't worry about the hash ordering, as this is only + # temporarily used; also if the key changes it would be + # invalidated anyway. + join( + ";:;", + $self->Id, + map { + $_, # the key of each arguments + ( $_ eq 'EquivObjects' ) # for object arrayref... + ? map( _ReferenceId($_), @{ $args{$_} } ) # calculate each + : _ReferenceId( $args{$_} ) # otherwise just the value + } keys %args ); }; - # }}} - #Anything older than 60 seconds needs to be rechecked - my $cache_timeout = ( time - 60 ); - - # {{{ if we've cached a positive result for this query, return 1 - if ( ( defined $self->_ACLCache->{"$hashkey"} ) - && ( $self->_ACLCache->{"$hashkey"}{'val'} == 1 ) - && ( defined $self->_ACLCache->{"$hashkey"}{'set'} ) - && ( $self->_ACLCache->{"$hashkey"}{'set'} > $cache_timeout ) ) { - - #$RT::Logger->debug("Cached ACL win for ". $args{'Right'}.$args{'Scope'}. $args{'AppliesTo'}."\n"); - return ( 1); - } # }}} - # {{{ if we've cached a negative result for this query return undef - elsif ( ( defined $self->_ACLCache->{"$hashkey"} ) - && ( $self->_ACLCache->{"$hashkey"}{'val'} == -1 ) - && ( defined $self->_ACLCache->{"$hashkey"}{'set'} ) - && ( $self->_ACLCache->{"$hashkey"}{'set'} > $cache_timeout ) ) { + # {{{ if we've cached a positive result for this query, return 1 - #$RT::Logger->debug("Cached ACL loss decision for ". $args{'Right'}.$args{'Scope'}. $args{'AppliesTo'}."\n"); + my $cached_answer = $_ACL_CACHE->fetch($hashkey); - return (undef); + # Returns undef on cache miss + if ( defined $cached_answer ) { + if ( $cached_answer == 1 ) { + return (1); + } + elsif ( $cached_answer == -1 ) { + return (0); + } } - # }}} - - # }}} - - - - # {{{ Out of date docs - - # We want to grant the right if: - - - # # The user has the right as a member of a system-internal or - # # user-defined group - # - # Find all records from the ACL where they're granted to a group - # of type "UserDefined" or "System" - # for the object "System or the object "Queue N" and the group we're looking - # at has the recursive member $self->Id - # - # # The user has the right based on a role - # - # Find all the records from ACL where they're granted to the role "foo" - # for the object "System" or the object "Queue N" and the group we're looking - # at is of domain ("RT::Queue-Role" and applies to the right queue) - # or ("RT::Ticket-Role" and applies to the right ticket) - # and the type is the same as the type of the ACL and the group has - # the recursive member $self->Id - # - - # }}} my ( $or_look_at_object_rights, $or_check_roles ); my $right = $args{'Right'}; @@ -359,119 +374,108 @@ sub HasRight { # {{{ Construct Right Match # If an object is defined, we want to look at rights for that object - - my @look_at_objects; - push (@look_at_objects, "ACL.ObjectType = 'RT::System'") - unless $self->can('_IsOverrideGlobalACL') and $self->_IsOverrideGlobalACL($args{Object}); - - - - foreach my $obj (@{$args{'EquivObjects'}}) { - next unless (UNIVERSAL::can($obj, 'id')); - my $type = ref($obj); - my $id = $obj->id; - unless ($id) { - use Carp; - Carp::cluck("Trying to check $type rights for an unspecified $type"); - $RT::Logger->crit("Trying to check $type rights for an unspecified $type"); - } - push @look_at_objects, "(ACL.ObjectType = '$type' AND ACL.ObjectId = '$id')"; - } + my @look_at_objects; + push( @look_at_objects, "ACL.ObjectType = 'RT::System'" ) + unless $self->can('_IsOverrideGlobalACL') + and $self->_IsOverrideGlobalACL( $args{Object} ); + + foreach my $obj ( @{ $args{'EquivObjects'} } ) { + next unless ( UNIVERSAL::can( $obj, 'id' ) ); + my $type = ref($obj); + my $id = $obj->id; + + unless ($id) { + use Carp; + Carp::cluck( + "Trying to check $type rights for an unspecified $type"); + $RT::Logger->crit( + "Trying to check $type rights for an unspecified $type"); + } + push @look_at_objects, + "(ACL.ObjectType = '$type' AND ACL.ObjectId = '$id')"; + } - # }}} # {{{ Build that honkin-big SQL query - + my $query_base = + "SELECT ACL.id from ACL, Groups, Principals, CachedGroupMembers WHERE " . - my $query_base = "SELECT ACL.id from ACL, Groups, Principals, CachedGroupMembers WHERE ". - # Only find superuser or rights with the name $right - "(ACL.RightName = 'SuperUser' OR ACL.RightName = '$right') ". - # Never find disabled groups. - "AND Principals.Disabled = 0 " . - "AND CachedGroupMembers.Disabled = 0 ". - "AND Principals.id = Groups.id " . # We always grant rights to Groups + # Only find superuser or rights with the name $right + "(ACL.RightName = 'SuperUser' OR ACL.RightName = '$right') " . - # See if the principal is a member of the group recursively or _is the rightholder_ - # never find recursively disabled group members - # also, check to see if the right is being granted _directly_ to this principal, - # as is the case when we want to look up group rights - "AND Principals.id = CachedGroupMembers.GroupId AND CachedGroupMembers.MemberId = '" . $self->Id . "' ". + # Never find disabled groups. + "AND Principals.Disabled = 0 " + . "AND CachedGroupMembers.Disabled = 0 " + . "AND Principals.id = Groups.id " + . # We always grant rights to Groups - # Make sure the rights apply to the entire system or to the object in question - "AND ( ".join(' OR ', @look_at_objects).") "; +# See if the principal is a member of the group recursively or _is the rightholder_ +# never find recursively disabled group members +# also, check to see if the right is being granted _directly_ to this principal, +# as is the case when we want to look up group rights +"AND Principals.id = CachedGroupMembers.GroupId AND CachedGroupMembers.MemberId = '" + . $self->Id . "' " + . + # Make sure the rights apply to the entire system or to the object in question + "AND ( " . join( ' OR ', @look_at_objects ) . ") "; +# The groups query does the query based on group membership and individual user rights - # The groups query does the query based on group membership and individual user rights + my $groups_query = $query_base . - my $groups_query = $query_base . +# limit the result set to groups of types ACLEquivalence (user) UserDefined, SystemInternal and Personal +"AND ( ( ACL.PrincipalId = Principals.id AND ACL.PrincipalType = 'Group' AND " + . "(Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence' OR Groups.Domain = 'Personal'))" + . - # limit the result set to groups of types ACLEquivalence (user) UserDefined, SystemInternal and Personal - "AND ( ( ACL.PrincipalId = Principals.id AND ACL.PrincipalType = 'Group' AND ". - "(Groups.Domain = 'SystemInternal' OR Groups.Domain = 'UserDefined' OR Groups.Domain = 'ACLEquivalence' OR Groups.Domain = 'Personal'))". + " ) "; + $self->_Handle->ApplyLimits( \$groups_query, 1 ); #only return one result - " ) "; - $self->_Handle->ApplyLimits(\$groups_query, 1); #only return one result - my @roles; - foreach my $object (@{$args{'EquivObjects'}}) { - push (@roles, $self->_RolesForObject(ref($object), $object->id)); + foreach my $object ( @{ $args{'EquivObjects'} } ) { + push( @roles, $self->_RolesForObject( ref($object), $object->id ) ); } # The roles query does the query based on roles my $roles_query; if (@roles) { - $roles_query = $query_base . "AND ". - " ( (".join (' OR ', @roles)." ) ". - " AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.id AND Principals.PrincipalType = 'Group') "; - $self->_Handle->ApplyLimits(\$roles_query, 1); #only return one result - - } - + $roles_query = + $query_base . "AND " . " ( (" + . join( ' OR ', @roles ) . " ) " + . " AND Groups.Type = ACL.PrincipalType AND Groups.Id = Principals.id AND Principals.PrincipalType = 'Group') "; + $self->_Handle->ApplyLimits( \$roles_query, 1 ); #only return one result + } # }}} # {{{ Actually check the ACL by performing an SQL query - # $RT::Logger->debug("Now Trying $groups_query"); + # $RT::Logger->debug("Now Trying $groups_query"); my $hitcount = $self->_Handle->FetchResult($groups_query); # }}} - - # {{{ if there's a match, the right is granted - if ($hitcount) { - # Cache a positive hit. - $self->_ACLCache->{"$hashkey"}{'set'} = time; - $self->_ACLCache->{"$hashkey"}{'val'} = 1; + # {{{ if there's a match, the right is granted + if ($hitcount) { + $_ACL_CACHE->set( $hashkey => 1 ); return (1); } - # }}} - # {{{ If there's no match on groups, try it on roles - else { - - $hitcount = $self->_Handle->FetchResult($roles_query); - if ($hitcount) { + # Now check the roles query + $hitcount = $self->_Handle->FetchResult($roles_query); - # Cache a positive hit. - $self->_ACLCache->{"$hashkey"}{'set'} = time; - $self->_ACLCache->{"$hashkey"}{'val'} = 1; - return (1); - } - - else { - # cache a negative hit - $self->_ACLCache->{"$hashkey"}{'set'} = time; - $self->_ACLCache->{"$hashkey"}{'val'} = -1; - - return (undef); - } + if ($hitcount) { + $_ACL_CACHE->set( $hashkey => 1 ); + return (1); } - # }}} + + # We failed to find an acl hit + $_ACL_CACHE->set( $hashkey => -1 ); + return (undef); } # }}} @@ -513,34 +517,19 @@ sub _RolesForObject { # {{{ ACL caching -# {{{ _ACLCache - -=head2 _ACLCache - -# Function: _ACLCache -# Type : private instance -# Args : none -# Lvalue : hash: ACLCache -# Desc : Returns a reference to the Key cache hash - -=cut - -sub _ACLCache { - return(\%_ACL_KEY_CACHE); -} -# }}} +# {{{ InvalidateACLCache -# {{{ _InvalidateACLCache +=head2 InvalidateACLCache -=head2 _InvalidateACLCache - -Cleans out and reinitializes the user rights key cache +Cleans out and reinitializes the user rights cache =cut -sub _InvalidateACLCache { - %_ACL_KEY_CACHE = (); +sub InvalidateACLCache { + $_ACL_CACHE = Cache::Simple::TimedExpiry->new(); + $_ACL_CACHE->expire_after($RT::ACLCacheLifetime||60); + } # }}} |