
[Qemu-devel] [PATCH] monitor: Refactor acl commnds


From: Jan Kiszka
Subject: [Qemu-devel] [PATCH] monitor: Refactor acl commnds
Date: Thu, 25 Jun 2009 08:22:08 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666

Refactor the ACL monitor interface to make full use of the monitor
command dispatcher. This also gives proper help formatting and command
completion. Note that 'acl allow' and 'acl deny' were combined into
'acl_add aclname match allow|deny [index]' for consistency reasons.

Signed-off-by: Jan Kiszka <address@hidden>
---

 monitor.c       |   96 +++++++++++++++++++++++++++++++++----------------------
 qemu-monitor.hx |   76 ++++++++++++++++++++++----------------------
 2 files changed, 96 insertions(+), 76 deletions(-)

diff --git a/monitor.c b/monitor.c
index e0faf1c..29e24f5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1579,60 +1579,79 @@ static void do_info_balloon(Monitor *mon)
         monitor_printf(mon, "balloon: actual=%d\n", (int)(actual >> 20));
 }
 
-static void do_acl(Monitor *mon,
-                   const char *command,
-                   const char *aclname,
-                   const char *match,
-                   int has_index,
-                   int index)
+static qemu_acl *find_acl(Monitor *mon, const char *name)
 {
-    qemu_acl *acl;
+    qemu_acl *acl = qemu_acl_find(name);
 
-    acl = qemu_acl_find(aclname);
     if (!acl) {
-        monitor_printf(mon, "acl: unknown list '%s'\n", aclname);
-        return;
+        monitor_printf(mon, "acl: unknown list '%s'\n", name);
     }
+    return acl;
+}
+
+static void do_acl_show(Monitor *mon, const char *aclname)
+{
+    qemu_acl *acl = find_acl(mon, aclname);
+    qemu_acl_entry *entry;
+    int i = 0;
 
-    if (strcmp(command, "show") == 0) {
-        int i = 0;
-        qemu_acl_entry *entry;
+    if (acl) {
         monitor_printf(mon, "policy: %s\n",
                        acl->defaultDeny ? "deny" : "allow");
         TAILQ_FOREACH(entry, &acl->entries, next) {
             i++;
             monitor_printf(mon, "%d: %s %s\n", i,
-                           entry->deny ? "deny" : "allow",
-                           entry->match);
+                           entry->deny ? "deny" : "allow", entry->match);
         }
-    } else if (strcmp(command, "reset") == 0) {
+    }
+}
+
+static void do_acl_reset(Monitor *mon, const char *aclname)
+{
+    qemu_acl *acl = find_acl(mon, aclname);
+
+    if (acl) {
         qemu_acl_reset(acl);
         monitor_printf(mon, "acl: removed all rules\n");
-    } else if (strcmp(command, "policy") == 0) {
-        if (!match) {
-            monitor_printf(mon, "acl: missing policy parameter\n");
-            return;
-        }
+    }
+}
+
+static void do_acl_policy(Monitor *mon, const char *aclname,
+                          const char *policy)
+{
+    qemu_acl *acl = find_acl(mon, aclname);
 
-        if (strcmp(match, "allow") == 0) {
+    if (acl) {
+        if (strcmp(policy, "allow") == 0) {
             acl->defaultDeny = 0;
             monitor_printf(mon, "acl: policy set to 'allow'\n");
-        } else if (strcmp(match, "deny") == 0) {
+        } else if (strcmp(policy, "deny") == 0) {
             acl->defaultDeny = 1;
             monitor_printf(mon, "acl: policy set to 'deny'\n");
         } else {
-            monitor_printf(mon, "acl: unknown policy '%s', expected 'deny' or 
'allow'\n", match);
+            monitor_printf(mon, "acl: unknown policy '%s', "
+                           "expected 'deny' or 'allow'\n", policy);
         }
-    } else if ((strcmp(command, "allow") == 0) ||
-               (strcmp(command, "deny") == 0)) {
-        int deny = strcmp(command, "deny") == 0 ? 1 : 0;
-        int ret;
+    }
+}
 
-        if (!match) {
-            monitor_printf(mon, "acl: missing match parameter\n");
+static void do_acl_add(Monitor *mon, const char *aclname,
+                       const char *match, const char *policy,
+                       int has_index, int index)
+{
+    qemu_acl *acl = find_acl(mon, aclname);
+    int deny, ret;
+
+    if (acl) {
+        if (strcmp(policy, "allow") == 0) {
+            deny = 0;
+        } else if (strcmp(policy, "deny") == 0) {
+            deny = 1;
+        } else {
+            monitor_printf(mon, "acl: unknown policy '%s', "
+                           "expected 'deny' or 'allow'\n", policy);
             return;
         }
-
         if (has_index)
             ret = qemu_acl_insert(acl, deny, match, index);
         else
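Review bot: The allow/deny parsing in do_acl_policy and do_acl_add is two copies of the same strcmp chain and error message, so a later change to what counts as a valid policy can land in one copy and not the other, in code that decides access. A small shared helper keeps one definition, and do_acl_policy can then assign `acl->defaultDeny = deny;` and print the policy name it was given. find_acl also deserves a one-line comment saying that it reports the unknown list on the monitor and returns NULL, since every caller relies on that. do_acl_add's body continues in the next hunk.

```c
/* Map "allow"/"deny" to 0/1 in *deny; report anything else and return -1. */
static int parse_acl_policy(Monitor *mon, const char *policy, int *deny)
{
    if (strcmp(policy, "allow") == 0) {
        *deny = 0;
    } else if (strcmp(policy, "deny") == 0) {
        *deny = 1;
    } else {
        monitor_printf(mon, "acl: unknown policy '%s', "
                       "expected 'deny' or 'allow'\n", policy);
        return -1;
    }
    return 0;
}

    /* in do_acl_policy, with a local `int deny;` */
    if (acl && parse_acl_policy(mon, policy, &deny) == 0) {
        acl->defaultDeny = deny;
        monitor_printf(mon, "acl: policy set to '%s'\n", policy);
    }

    /* in do_acl_add */
    if (acl) {
        if (parse_acl_policy(mon, policy, &deny) < 0) {
            return;
        }
        /* … unchanged: qemu_acl_insert / append and the result message … */
```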
@@ -1641,21 +1660,20 @@ static void do_acl(Monitor *mon,
             monitor_printf(mon, "acl: unable to add acl entry\n");
         else
             monitor_printf(mon, "acl: added rule at position %d\n", ret);
-    } else if (strcmp(command, "remove") == 0) {
-        int ret;
+    }
+}
 
-        if (!match) {
-            monitor_printf(mon, "acl: missing match parameter\n");
-            return;
-        }
+static void do_acl_remove(Monitor *mon, const char *aclname, const char *match)
+{
+    qemu_acl *acl = find_acl(mon, aclname);
+    int ret;
 
+    if (acl) {
         ret = qemu_acl_remove(acl, match);
         if (ret < 0)
             monitor_printf(mon, "acl: no matching acl entry\n");
         else
             monitor_printf(mon, "acl: removed rule at position %d\n", ret);
-    } else {
-        monitor_printf(mon, "acl: unknown command '%s'\n", command);
     }
 }
 
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index fa48527..d7c7078 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -567,48 +567,50 @@ STEXI
 Change watchdog action.
 ETEXI
 
-    { "acl", "sss?i?", do_acl, "<command> <aclname> [<match> [<index>]]\n",
-                               "acl show vnc.username\n"
-                               "acl policy vnc.username deny\n"
-                               "acl allow vnc.username fred\n"
-                               "acl deny vnc.username bob\n"
-                               "acl reset vnc.username\n" },
+    { "acl_show", "s", do_acl_show, "aclname",
+      "list rules in the access control list" },
 STEXI
address@hidden acl @var{subcommand} @var{aclname} @var{match} @var{index}
-
-Manage access control lists for network services. There are currently
-two named access control lists, @var{vnc.x509dname} and @var{vnc.username}
-matching on the x509 client certificate distinguished name, and SASL
-username respectively.
address@hidden acl_show @var{aclname}
+List all the matching rules in the access control list, and the default
+policy. There are currently two named access control lists,
address@hidden and @var{vnc.username} matching on the x509 client
+certificate distinguished name, and SASL username respectively.
+ETEXI
 
address@hidden @option
address@hidden acl show <aclname>
-list all the match rules in the access control list, and the default
-policy
address@hidden acl policy <aclname> @code{allow|deny}
-set the default access control list policy, used in the event that
+    { "acl_policy", "ss", do_acl_policy, "aclname allow|deny",
+      "set default access control list policy" },
+STEXI
address@hidden acl_policy @var{aclname] @code{allow|deny}
+Set the default access control list policy, used in the event that
 none of the explicit rules match. The default policy at startup is
-always @code{deny}
address@hidden acl allow <aclname> <match> [<index>]
-add a match to the access control list, allowing access. The match will
-normally be an exact username or x509 distinguished name, but can
-optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow
-all users in the @code{EXAMPLE.COM} kerberos realm. The match will
-normally be appended to the end of the ACL, but can be inserted
-earlier in the list if the optional @code{index} parameter is supplied.
address@hidden acl deny <aclname> <match> [<index>]
-add a match to the access control list, denying access. The match will
-normally be an exact username or x509 distinguished name, but can
-optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to allow
-all users in the @code{EXAMPLE.COM} kerberos realm. The match will
+always @code{deny}.
+ETEXI
+
+    { "acl_add", "sssi?", do_acl_add, "aclname match allow|deny [index]",
+      "add a match rule to the access control list" },
+STEXI
address@hidden acl_allow @var{aclname} @var{match} @code{allow|deny} 
address@hidden
+Add a match rule to the access control list, allowing or denying access.
+The match will normally be an exact username or x509 distinguished name,
+but can optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to
+allow all users in the @code{EXAMPLE.COM} kerberos realm. The match will
 normally be appended to the end of the ACL, but can be inserted
-earlier in the list if the optional @code{index} parameter is supplied.
address@hidden acl remove <aclname> <match>
-remove the specified match rule from the access control list.
address@hidden acl reset <aclname>
-remove all matches from the access control list, and set the default
+earlier in the list if the optional @var{index} parameter is supplied.
+ETEXI
+
+    { "acl_remove", "ss", do_acl_remove, "aclname match",
+      "remove a match rule from the access control list" },
+STEXI
address@hidden acl_remove @var{aclname} @var{match}
+Remove the specified match rule from the access control list.
+ETEXI
+
+    { "acl_reset", "s", do_acl_reset, "aclname",
+      "reset the access control list" },
+STEXI
address@hidden acl_remove @var{aclname} @var{match}
+Remove all matches from the access control list, and set the default
 policy back to @code{deny}.
address@hidden table
 ETEXI
 
 STEXI
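Review bot: Three of the new Texinfo headings do not match the commands they document: the `acl_add` entry is headed `acl_allow`, the `acl_reset` entry repeats `acl_remove @var{aclname} @var{match}`, and `@var{aclname]` in the `acl_policy` entry closes with a bracket instead of a brace. They should read `acl_add …`, `acl_reset @var{aclname}` and `@var{aclname}`. The old `acl` table entry is also removed without an alias, so existing management scripts that still send `acl allow …` or `acl deny …` will presumably be rejected and leave the list without those rules; because these lists gate VNC logins, the documentation should call out the rename and the new argument order.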

Attachment: signature.asc
Description: OpenPGP digital signature

