bug-gnats

submitter-id-regexp patch


From: Ben Elliston
Subject: submitter-id-regexp patch
Date: 11 Jul 2003 23:31:28 +1000
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

I am re-sending this in case it was missed.  If this is the wrong
address for patches, where should I be sending them?

Cheers, Ben

Subject: Topics

Topics:
   submitter-id-regexp patch

--- Begin Message ---
Subject: submitter-id-regexp patch
Date: Fri, 27 Jun 2003 16:15:18 +1000

The following patch implements host and/or user access restrictions on
the submitter ID of PRs searched by gnatsd.  The documentation patches
below explain the changes in more detail.  It looks like this idea has
been considered before (it was mentioned in the comments), so I have
gone ahead and implemented it.

The only controversial aspect of the change is that I chose to reuse
the defunct "database" field as gnatsd clearly doesn't use it.  I
trust this will be okay, though, especially for an upcoming GNATS 4.0
release?

Okay to commit?

[gnats/ChangeLog]
2003-06-27  Ben Elliston  <bje@wasabisystems.com>
 
        * adm.h (HostListFields [HostListUnused]): Remove.
        (HostListFields [HostListSubmitterRegexp]): New enumerator.
        * cmds.c (submitter_constraint_regexp): Declare extern.
        (set_confidential_access): Apply a more restrictive query to match
        specific submitter-ids if submitter_constraint_regexp has a value.
        * gnatsd.c (submitter_constraint_regexp): Define.
        (validateHost): If a host is matched, store the value of the
        HostListSubmitterRegexp adm field in submitter_constraint_regexp.
        (findUserAccessLevel): Likewise, if a user is matched, store the
        value of admFields[3] in submitter_constraint_regexp.
        * gnatsd.host_access: Update comments.
        * gnatsd.user_access: Likewise.

[doc/ChangeLog]
2003-06-27  Ben Elliston  <bje@wasabisystems.com>

        * gnats.texi (gnatsd.user_access): Document submitter-id-regexp.
        * gnats.texi (gnatsd.host_access): Likewise.

Index: doc/gnats.texi
===================================================================
RCS file: /cvsroot/gnats/doc/gnats.texi,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 gnats.texi
--- doc/gnats.texi      1 Dec 2002 03:14:57 -0000       1.1.1.1
+++ doc/gnats.texi      27 Jun 2003 05:35:20 -0000
@@ -1629,7 +1629,7 @@
 apply across all databases on the server.  Entries in this file are in
 the following format:
 
-@var{host:access-level:whatever}
+@var{host:access-level:submitter-id-regexp}
 
 @noindent @var{host} is the hostname or IP address of the host contacting
 gnatsd.  Wildcard characters are supported: @samp{*} matches anything;
@@ -1640,9 +1640,11 @@
 @code{deny}.  If the user's hostname isn't in the file or its access
 level is set to @code{deny}, the connection is closed immediately.
 
-@sc{gnats} currently doesn't make use of the third field. Remember to
-still include the second @samp{:} on the line if you choose to leave the third
-field empty.
+The third field is an optional regular expression that constrains the
+submitter-id field of PRs matched by @sc{gnats}.  This can be useful
+for limiting access to PRs submitted by a certain site. Remember to
+still include the second @samp{:} on the line if you choose to leave
+the third field empty.
 
 Whenever a @code{CHDB} command is processed (or defaulted), the user's
 access level is set to the level for their host, as determined by the
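Review bot: The new paragraph calls the third field a regular expression but does not say how it is matched. The cmds.c change in this patch builds the constraint with the `=` operator, while the existing Confidential test next to it uses `~`, so the text should state whether the expression must match the whole submitter-id or any part of it, and show one example entry such as a host line with a non-empty third field.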
@@ -1689,7 +1691,7 @@
 The overall @file{gnatsd.user_access} user access file adds a fourth
 @var{databases} field:
 
-@var{userid:password:access-level:databases}
+@var{userid:password:access-level:submitter-id-regexp}
 
 @noindent @var{password} should either be in plain text, DES
 @code{crypt()}@footnote{DES crypt is the standard password encryption
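Review bot: The unchanged sentence directly above the format line still reads "adds a fourth @var{databases} field", while the format line now names the fourth field submitter-id-regexp. Reword that sentence in this hunk so the lead-in and the format agree.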
@@ -1761,11 +1763,11 @@
 might be surprised if they suddenly found themselves logged in, but with
 a lower access level than they usually have.
 
-The @var{databases} field contains a comma-separated list of database
-names, as defined in the @file{databases} file (@pxref{databases
-file,,The @code{databases} file}.  Wildcard characters are
-supported. The databases listed in this field are the ones to which
-the other settings on the same line will be applied.
+The fourth field, formerly the @var{databases} field, is reused as the
+@var{submitter-id-regexp} field.  This field may contain a regular
+expression that constrains the submitter-id field of PRs matched by
+@sc{gnats}.  This can be useful for limiting user access to PRs
+submitted by a certain site.
 
 @node Privileged gnatsd commands
 @section Privileged @code{gnatsd} commands
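Review bot: An upgrade note is missing where the @var{databases} paragraph is replaced. The gnatsd.c change copies admFields[3] straight into the submitter constraint, so an existing gnatsd.user_access line that still carries a database list in the fourth field will silently be treated as a submitter-id regular expression. The new text should tell administrators to clear or rewrite that field, and say what, if anything, now scopes an entry in the overall file to a particular database.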
Index: gnats/adm.h
===================================================================
RCS file: /cvsroot/gnats/gnats/adm.h,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 adm.h
--- gnats/adm.h 20 May 2000 03:50:20 -0000      1.1.1.1
+++ gnats/adm.h 27 Jun 2003 05:35:20 -0000
@@ -89,7 +89,7 @@
 enum HostListFields {
   HostListKey = 0,
   HostListAccessLevel = 1,
-  HostListUnused = 2
+  HostListSubmitterRegexp = 2
 };
 
 /* Return the adm record matching KEY from field FIELD; if one is
Index: gnats/cmds.c
===================================================================
RCS file: /cvsroot/gnats/gnats/cmds.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 cmds.c
--- gnats/cmds.c        22 Oct 2002 10:40:57 -0000      1.1.1.1
+++ gnats/cmds.c        27 Jun 2003 05:35:24 -0000
@@ -33,6 +33,7 @@
 #endif
 
 extern int require_db;
+extern char submitter_constraint_regexp[];
 static QueryExpr query = NULL;
 
 #ifdef HAVE_KERBEROS
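Review bot: The extern declaration of submitter_constraint_regexp is written in cmds.c itself with an unsized array type, so nothing ties it to the char[512] definition in gnatsd.c. Declare it once in a header that both files include, next to a named size constant, so a later change to the definition cannot drift from this declaration.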
@@ -368,6 +369,16 @@
                                "builtinfield:Confidential ~ \"no\"",
                                NULL);
       *search = booleanQuery (QueryAnd, *search, newQ);
+    }
+
+  if (submitter_constraint_regexp[0])
+    {
+      QueryExpr restrictQ;
+      char restrict_expr[600];
+
+      sprintf (restrict_expr, "builtinfield:submitter-id = \"%s\"", 
submitter_constraint_regexp);
+      restrictQ = parseQueryExpression (currentDatabase, restrict_expr, NULL);
+      *search = booleanQuery (QueryAnd, *search, restrictQ);
     }
 }
 
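Review bot: The sprintf into restrict_expr[600] is unbounded and places the configured value inside a quoted query string without any escaping. 600 bytes is enough only while submitter_constraint_regexp is NUL-terminated, which the strncpy calls in gnatsd.c do not guarantee, and a `"` in the configured expression ends the quoted operand early and changes the query that gets parsed. Use a bounded formatter with sizeof (restrict_expr), reject or escape `"` in the value, and check restrictQ for a parse failure before passing it to booleanQuery, since a constraint that fails to parse should deny the search rather than be skipped. The sprintf line is also wrapped across two lines in this mail, so the hunk may not apply as posted.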
Index: gnats/gnatsd.c
===================================================================
RCS file: /cvsroot/gnats/gnats/gnatsd.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 gnatsd.c
--- gnats/gnatsd.c      22 Oct 2002 10:40:57 -0000      1.1.1.1
+++ gnats/gnatsd.c      27 Jun 2003 05:35:26 -0000
@@ -52,6 +52,9 @@
 /* Maximum available access level.  */
 static Access_Level max_access_level = ACCESS_ADMIN;
 
+/* Regular expression to contrain queries by submitter-ID.  */
+char submitter_constraint_regexp[512];
+
 struct option long_options[] =
 {
   {"database", 1, NULL, 'd'},
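Review bot: The size 512 here and the 600 used for restrict_expr in cmds.c are unrelated magic numbers. Define one named constant for the maximum expression length and derive the query buffer size from it. The comment on the new global also has a typo, "contrain" for "constrain".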
@@ -389,11 +392,10 @@
   int found = 0;
 
   /* The format of the file is:
-        sitename:access:
+        sitename:access:submitter-id-regexp
      where `sitename' is the hostname allowed; `access' is the access
-     level, and the third field is undefined for now, but may be the
-     field to control what PRs, categories, or submitter-id PRs are
-     allowed, or whatever. */
+     level, and the third field is a regular expression that
+     limits the submitter-id of PRs that may be matched.  */
 
   while (hostList != NULL)
     {
@@ -403,6 +405,9 @@
              && match (ipaddr, hostList->admFields[HostListKey], FALSE)))
        {
          found = 1;
+         strncpy (submitter_constraint_regexp,
+                  hostList->admFields[HostListSubmitterRegexp],
+                  sizeof (submitter_constraint_regexp));
          *access = access_level (hostList->admFields[HostListAccessLevel]);
          break;
        }
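Review bot: The strncpy with sizeof (submitter_constraint_regexp) as the length leaves the buffer without a terminating NUL when the third field is 512 bytes or longer, and cmds.c later reads it with "%s". Copy at most sizeof - 1 bytes and terminate explicitly, or reject an over-long field when the file is read. The field is also read as hostList->admFields[HostListSubmitterRegexp] without checking that the entry has a third field, whereas the user path tests ent->fieldcount == 4 first; the same guard is needed here for lines that omit the second colon.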
@@ -420,6 +425,7 @@
 
   return found;
 }
+
 /* Returns a non-zero value if an entry was found for the user; the access
    level will be contained in ACCESS.  */
 static int
@@ -472,33 +478,18 @@
                }
              else
                {
+                 found = 1;
                  if (ent->fieldcount == 4)
                    {
-                     /* Compare all given names against the name of the
-                        requested database. */
-                     const char *l2 = ent->admFields[3];
-                     
-                     if (! strlen(l2))
-                       found = 1;
-                     
-                     while (l2 != NULL && ! found)
-                       {
-                         char *token = get_next_field (&l2, ',');
-                         if (match (dName, token, TRUE))
-                           {
-                             found = 1;
-                           }
-                         free (token);
-                       }
+                     /* Re-define the meaning of field[3] to be a
+                        GNATS regexp to constrain submitter-id.  */
+                     strncpy (submitter_constraint_regexp, ent->admFields[3],
+                              sizeof (submitter_constraint_regexp));
                    }
                  else
-                   {
-                     found = 1;
-                   }
-                 if (found)
-                   {
-                     *access = access_level (ent->admFields[2]);
-                   }
+                   submitter_constraint_regexp[0] = '\0';
+
+                 *access = access_level (ent->admFields[2]);
                }
            }
        }
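Review bot: Setting found = 1 unconditionally at the top of this branch removes the database check, so every entry that previously applied only to the databases listed in its fourth field now matches for any database, and its old database list is copied into the submitter constraint as if it were a regular expression. This needs a migration story or a new fifth field rather than reuse of field 3. The else branch also does `submitter_constraint_regexp[0] = '\0';`, which discards a restriction that validateHost stored for the connecting host, so a user entry with fewer than four fields lifts the host restriction; decide whether host and user constraints should combine or which one wins, and document it. The strncpy here has the same missing-terminator problem as the one in validateHost.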
Index: gnats/gnatsd.host_access
===================================================================
RCS file: /cvsroot/gnats/gnats/gnatsd.host_access,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 gnatsd.host_access
--- gnats/gnatsd.host_access    9 Nov 2002 03:52:10 -0000       1.1.1.1
+++ gnats/gnatsd.host_access    27 Jun 2003 05:35:26 -0000
@@ -6,7 +6,7 @@
 #
 # Each entry has the format:
 # 
-#      host:access-level:whatever
+#      host:access-level:submitter-id-regexp
 #
 #       * host: the hostname or IP address of the user contacting gnatsd.
 #         Wildcard characters are supported: 
@@ -25,9 +25,9 @@
 #         this will get overridden (increased) with the USER command. See the
 #         gnatsd.user_access file.
 #
-#       We currently don't make use of the third field.  Ideas include
-#       listing the categories, the PRs matching a given submitter-id, and
-#       the PRs of a certain category to a particular site.
+#      The third field allows a regular expression to be specified
+#       that will restrict the selection of PRs by submitter-id.  This is
+#      useful for limiting the scope of searches for particular hosts.
 #
 #192.168.*:view:
 #software.free.com:edit:
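Review bot: The sample entries at the end of the file still leave the third field empty, so the new comment has no example to point at. Add one commented entry with a submitter-id expression, and align the added comment lines, which mix two indentation widths ("#      The" against "#       that").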
Index: gnats/gnatsd.user_access
===================================================================
RCS file: /cvsroot/gnats/gnats/gnatsd.user_access,v
retrieving revision 1.2
diff -u -r1.2 gnatsd.user_access
--- gnats/gnatsd.user_access    23 Jun 2003 06:10:19 -0000      1.2
+++ gnats/gnatsd.user_access    27 Jun 2003 05:35:26 -0000
@@ -6,7 +6,7 @@
 #
 # Each entry has the format:
 # 
-#      userid:password:access-level:database-alias
+#      userid:password:access-level:submitter-id-regexp
 #
 #       Wildcard characters are supported for userid, password and database.
 #            "*" matches anything; "?" matches any single character
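Review bot: The unchanged comment below the format line still says "Wildcard characters are supported for userid, password and database", but the fourth field is no longer a database list. Update that line in this hunk and state that the fourth field takes a regular expression rather than the `*` and `?` wildcards described here.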
@@ -33,8 +33,8 @@
 #                          deleting PRs)
 #         This overrides (increases but never lowers) the access level given
 #         as the default for the user's host in the gnatsd.host_access file.
-#       * database-alias: a comma-separated list of database names.
-#         It's ignored in gnatsd-adm/gnatsd.user_access since this file is
-#         already database specific.
+#      * submitter-id-regexp: a regular expression that can restrict
+#        the selection of PRs by submitter-id.  This is useful for
+#        limiting the scope of searches for particular users.
 #
 #*::view:










--- End Message ---
