Merge pull request #4722 from BOINC/dpa_remote_perm

Remote job submission: clean up permissions checking
Vitalii Koshura 2022-04-22 12:17:31 +02:00 committed by GitHub
commit afd08ef3d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 44 additions and 27 deletions


@ -54,7 +54,25 @@ function job_file_name($md5) {
return "jf_$md5"; return "jf_$md5";
} }
function authenticate_user($r, $app) { // does user have submit permissions?
//
function submit_permissions($user) {
return BoincUserSubmit::lookup_userid($user->id);
}
// does user have submit permissions for given app?
//
function submit_permissions_app($user, $app) {
return BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id");
}
// check whether user has permissions for a remote job submission
// or job file request.
// $r is a request message that includes an 'authenticator' field
// $app is the app being submitted to (or null if file op)
// returns [user, UserSubmit], or give XML error
//
function check_remote_submit_permissions($r, $app) {
$auth = (string)$r->authenticator; $auth = (string)$r->authenticator;
if (!$auth) { if (!$auth) {
log_write("no authenticator"); log_write("no authenticator");
@ -66,13 +84,13 @@ function authenticate_user($r, $app) {
log_write("bad authenticator"); log_write("bad authenticator");
xml_error(-1, "bad authenticator"); xml_error(-1, "bad authenticator");
} }
$user_submit = BoincUserSubmit::lookup_userid($user->id); $user_submit = submit_permissions($user);
if (!$user_submit) { if (!$user_submit) {
log_write("no submit access"); log_write("no submit access");
xml_error(-1, "no submit access"); xml_error(-1, "no submit access");
} }
if ($app && !$user_submit->submit_all) { if ($app && !$user_submit->submit_all) {
$usa = BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id"); $usa = submit_permissions_app($user, $app);
if (!$usa) { if (!$usa) {
log_write("no app submit access"); log_write("no app submit access");
xml_error(-1, "no app submit access"); xml_error(-1, "no app submit access");
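Review bot: The new helper `submit_permissions_app()` builds its WHERE clause by interpolating `$user->id` and `$app->id` directly, and as a shared helper it can now be called from any page. Both values are presumably integer ids taken from database rows (the lookups that produce them are not on this page), but casting inside the helper makes that an invariant of the helper rather than of each caller: `$uid = (int)$user->id; $aid = (int)$app->id;` followed by `lookup("user_id=$uid and app_id=$aid")`. Separately, the header comment on `check_remote_submit_permissions()` could state that every denial branch relies on `xml_error()` not returning, since otherwise execution would fall through to the `$user_submit->submit_all` read. The function body continues past the end of the second hunk.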


@ -16,7 +16,7 @@
// You should have received a copy of the GNU Lesser General Public License // You should have received a copy of the GNU Lesser General Public License
// along with BOINC. If not, see <http://www.gnu.org/licenses/>. // along with BOINC. If not, see <http://www.gnu.org/licenses/>.
// Web RPCs for managing job input files on the server. // Web RPCs for managing input files for remote job submission
// //
// Issues: // Issues:
// //
@ -99,7 +99,7 @@ function upload_error_description($errno) {
function query_files($r) { function query_files($r) {
xml_start_tag("query_files"); xml_start_tag("query_files");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$absent_files = array(); $absent_files = array();
$now = time(); $now = time();
$delete_time = (int)$r->delete_time; $delete_time = (int)$r->delete_time;
@ -175,7 +175,7 @@ function delete_uploaded_files() {
function upload_files($r) { function upload_files($r) {
xml_start_tag("upload_files"); xml_start_tag("upload_files");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$fanout = parse_config(get_config(), "<uldl_dir_fanout>"); $fanout = parse_config(get_config(), "<uldl_dir_fanout>");
$delete_time = (int)$r->delete_time; $delete_time = (int)$r->delete_time;
$batch_id = (int)$r->batch_id; $batch_id = (int)$r->batch_id;


@ -37,16 +37,17 @@ ini_set('display_startup_errors', true);
require_once("../inc/sandbox.inc"); require_once("../inc/sandbox.inc");
require_once("../inc/submit_db.inc"); require_once("../inc/submit_db.inc");
require_once("../inc/submit_util.inc");
function list_files($user, $err_msg) { function list_files($user, $err_msg) {
$dir = sandbox_dir($user); $dir = sandbox_dir($user);
$d = opendir($dir); $d = opendir($dir);
if (!$d) error_page("Can't open sandbox directory"); if (!$d) error_page("Can't open sandbox directory");
page_head("File sandbox for $user->name"); page_head("File sandbox");
echo " echo "
<form action=sandbox.php method=post ENCTYPE=\"multipart/form-data\"> <form action=sandbox.php method=post ENCTYPE=\"multipart/form-data\">
<input type=hidden name=action value=upload_file> <input type=hidden name=action value=upload_file>
Upload a file to your sandbox: Upload files to your sandbox:
<p><input size=80 type=file name=\"new_file[]\" multiple=\"multiple\"> <p><input size=80 type=file name=\"new_file[]\" multiple=\"multiple\">
<p> <input class=\"btn btn-default\" type=submit value=Upload> <p> <input class=\"btn btn-default\" type=submit value=Upload>
</form> </form>
@ -131,7 +132,7 @@ function upload_file($user) {
$dir = sandbox_dir($user); $dir = sandbox_dir($user);
$link_path = "$dir/$name"; $link_path = "$dir/$name";
sandbox_write_link_file($link_path, $size, $md5); sandbox_write_link_file($link_path, $size, $md5);
$notice .= "Successfully uploaded file <strong>$name</strong>!<br/>"; $notice .= "Uploaded file <strong>$name</strong><br/>";
} }
} }
list_files($user, $notice); list_files($user, $notice);
@ -186,9 +187,7 @@ function view_file($user) {
} }
$user = get_logged_in_user(); $user = get_logged_in_user();
//print_r($user); if (!submit_permissions($user)) error_page("no job submission access");
$user_submit = BoincUserSubmit::lookup_userid($user->id);
if (!$user_submit) error_page("no job submission access");
$action = get_str('action', true); $action = get_str('action', true);
if (!$action) $action = post_str('action', true); if (!$action) $action = post_str('action', true);
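Review bot: The reworded upload notice in `upload_file()` still places `$name` into HTML unescaped (`$notice .= "Uploaded file <strong>$name</strong><br/>";`). Where `$name` is assigned is outside the hunk; if it comes from the client-supplied upload filename, it should be encoded at output, e.g. `$notice .= "Uploaded file <strong>".htmlspecialchars($name, ENT_QUOTES)."</strong><br/>";`. The same value feeds `$link_path = "$dir/$name"` two lines earlier, so it is worth confirming that the part of the function above the hunk rejects path separators and `..` before the link file is written. The last hunk's `if (!submit_permissions($user)) error_page(...)` gate likewise depends on `error_page()` terminating the request, which a short comment there could record.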


@ -206,7 +206,7 @@ function handle_main($user) {
if (isset($submit_urls)) { if (isset($submit_urls)) {
// show links to per-app job submission pages // show links to per-app job submission pages
// //
echo "<h2>Submit jobs</h2> echo "<h3>Submit jobs</h3>
<ul> <ul>
"; ";
foreach ($submit_urls as $appname=>$submit_url) { foreach ($submit_urls as $appname=>$submit_url) {
@ -232,7 +232,7 @@ function handle_main($user) {
} }
} }
if ($user_submit->manage_all || $app_admin) { if ($user_submit->manage_all || $app_admin) {
echo "<h2>Administrative functions</h2><ul>\n"; echo "<h3>Administrative functions</h3><ul>\n";
if ($user_submit->manage_all) { if ($user_submit->manage_all) {
echo "<li>All applications<br> echo "<li>All applications<br>
<a href=submit.php?action=admin&app_id=0>Batches</a> <a href=submit.php?action=admin&app_id=0>Batches</a>


@ -128,7 +128,7 @@ function check_max_jobs_in_progress($r, $user_submit) {
function estimate_batch($r) { function estimate_batch($r) {
xml_start_tag("estimate_batch"); xml_start_tag("estimate_batch");
$app = get_submit_app((string)($r->batch->app_name)); $app = get_submit_app((string)($r->batch->app_name));
list($user, $user_submit) = authenticate_user($r, $app); list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$template = read_input_template($app, $r); $template = read_input_template($app, $r);
$e = est_elapsed_time($r, $template); $e = est_elapsed_time($r, $template);
@ -444,7 +444,7 @@ function logical_end_time($r, $jobs, $user, $app) {
function submit_batch($r) { function submit_batch($r) {
xml_start_tag("submit_batch"); xml_start_tag("submit_batch");
$app = get_submit_app((string)($r->batch->app_name)); $app = get_submit_app((string)($r->batch->app_name));
list($user, $user_submit) = authenticate_user($r, $app); list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$jobs = xml_get_jobs($r); $jobs = xml_get_jobs($r);
$template = read_input_template($app, $r); $template = read_input_template($app, $r);
if ($template) { if ($template) {
@ -546,7 +546,7 @@ function submit_batch($r) {
function create_batch($r) { function create_batch($r) {
xml_start_tag("create_batch"); xml_start_tag("create_batch");
$app = get_submit_app((string)($r->app_name)); $app = get_submit_app((string)($r->app_name));
list($user, $user_submit) = authenticate_user($r, $app); list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$now = time(); $now = time();
$batch_name = (string)($r->batch_name); $batch_name = (string)($r->batch_name);
$batch_name = BoincDb::escape_string($batch_name); $batch_name = BoincDb::escape_string($batch_name);
@ -589,7 +589,7 @@ function print_batch_params($batch, $get_cpu_time) {
function query_batches($r) { function query_batches($r) {
xml_start_tag("query_batches"); xml_start_tag("query_batches");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batches = BoincBatch::enum("user_id = $user->id"); $batches = BoincBatch::enum("user_id = $user->id");
$get_cpu_time = (int)($r->get_cpu_time); $get_cpu_time = (int)($r->get_cpu_time);
foreach ($batches as $batch) { foreach ($batches as $batch) {
@ -691,7 +691,7 @@ function get_batch($r) {
function query_batch($r) { function query_batch($r) {
xml_start_tag("query_batch"); xml_start_tag("query_batch");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r); $batch = get_batch($r);
if ($batch->user_id != $user->id) { if ($batch->user_id != $user->id) {
log_write("not owner of batch"); log_write("not owner of batch");
@ -733,7 +733,7 @@ function results_sent($wu) {
// //
function query_batch2($r) { function query_batch2($r) {
xml_start_tag("query_batch2"); xml_start_tag("query_batch2");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch_names = $r->batch_name; $batch_names = $r->batch_name;
$batches = array(); $batches = array();
foreach ($batch_names as $b) { foreach ($batch_names as $b) {
@ -792,7 +792,7 @@ function query_batch2($r) {
function query_job($r) { function query_job($r) {
xml_start_tag("query_job"); xml_start_tag("query_job");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$job_id = (int)($r->job_id); $job_id = (int)($r->job_id);
$wu = BoincWorkunit::lookup_id($job_id); $wu = BoincWorkunit::lookup_id($job_id);
if (!$wu) { if (!$wu) {
@ -835,7 +835,7 @@ function query_job($r) {
// //
function query_completed_job($r) { function query_completed_job($r) {
xml_start_tag("query_completed_job"); xml_start_tag("query_completed_job");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$job_name = (string)($r->job_name); $job_name = (string)($r->job_name);
$job_name = BoincDb::escape_string($job_name); $job_name = BoincDb::escape_string($job_name);
$wu = BoincWorkunit::lookup("name='$job_name'"); $wu = BoincWorkunit::lookup("name='$job_name'");
@ -884,7 +884,7 @@ function query_completed_job($r) {
function handle_abort_batch($r) { function handle_abort_batch($r) {
xml_start_tag("abort_batch"); xml_start_tag("abort_batch");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r); $batch = get_batch($r);
if ($batch->user_id != $user->id) { if ($batch->user_id != $user->id) {
log_write("not owner"); log_write("not owner");
@ -900,7 +900,7 @@ function handle_abort_batch($r) {
// //
function handle_abort_jobs($r) { function handle_abort_jobs($r) {
xml_start_tag("abort_jobs"); xml_start_tag("abort_jobs");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = null; $batch = null;
foreach ($r->job_name as $job_name) { foreach ($r->job_name as $job_name) {
$job_name = BoincDb::escape_string($job_name); $job_name = BoincDb::escape_string($job_name);
@ -930,7 +930,7 @@ function handle_abort_jobs($r) {
function handle_retire_batch($r) { function handle_retire_batch($r) {
xml_start_tag("retire_batch"); xml_start_tag("retire_batch");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r); $batch = get_batch($r);
if ($batch->user_id != $user->id) { if ($batch->user_id != $user->id) {
log_write("not owner of batch"); log_write("not owner of batch");
@ -944,7 +944,7 @@ function handle_retire_batch($r) {
function handle_set_expire_time($r) { function handle_set_expire_time($r) {
xml_start_tag("set_expire_time"); xml_start_tag("set_expire_time");
list($user, $user_submit) = authenticate_user($r, null); list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r); $batch = get_batch($r);
if ($batch->user_id != $user->id) { if ($batch->user_id != $user->id) {
log_write("not owner of batch"); log_write("not owner of batch");
@ -971,7 +971,7 @@ function get_templates($r) {
$app = BoincApp::lookup_id($wu->appid); $app = BoincApp::lookup_id($wu->appid);
} }
list($user, $user_submit) = authenticate_user($r, $app); list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$in = file_get_contents(project_dir() . "/templates/".$app->name."_in"); $in = file_get_contents(project_dir() . "/templates/".$app->name."_in");
$out = file_get_contents(project_dir() . "/templates/".$app->name."_out"); $out = file_get_contents(project_dir() . "/templates/".$app->name."_out");
if ($in === false || $out === false) { if ($in === false || $out === false) {