From: Fabian Grünbichler
Date: Thu, 21 Nov 2019 14:43:25 +0000 (+0100)
Subject: refactor acl transformation code
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=9a12a08ce94d3b13fb4328a874b7cb4766d379ff

refactor acl transformation code

pull it into helper sub, since we need this one more time for token ACL members.

Signed-off-by: Fabian Grünbichler
---

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index e0cb75d..2517ca7 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1104,16 +1104,16 @@ sub write_user_config {
 
 $data .= "\n";
 
- foreach my $path (sort keys %{$cfg->{acl}}) {
- my $d = $cfg->{acl}->{$path};
+ my $collect_rolelist_members = sub {
+ my ($acl_members, $result, $prefix, $exclude) = @_;
 
- my $ra = {};
+ foreach my $member (keys %$acl_members) {
+ next if $exclude && $member eq $exclude;
 
- foreach my $group (keys %{$d->{groups}}) {
 my $l0 = '';
 my $l1 = '';
- foreach my $role (sort keys %{$d->{groups}->{$group}}) {
- my $propagate = $d->{groups}->{$group}->{$role};
+ foreach my $role (sort keys %{$acl_members->{$member}}) {
+ my $propagate = $acl_members->{$member}->{$role};
 if ($propagate) {
 $l1 .= ',' if $l1;
 $l1 .= $role;
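Review bot: The new `$collect_rolelist_members` closure takes four positional arguments and fills `$result` in place, but nothing at its definition says so. A short comment above it would help, for example `# adds "$prefix$member" to $result->{$propagate}->{$rolelist} for each member of $acl_members, skipping $exclude`. The skip test `next if $exclude && $member eq $exclude;` also depends on `$exclude` being truthy, so `defined($exclude) && $member eq $exclude` would state the intent more precisely. The closure body continues past the end of this hunk, where the assignments into `$result` are made.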
@@ -1122,37 +1122,27 @@ sub write_user_config {
 $l0 .= $role;
 }
 }
- $ra->{0}->{$l0}->{"\@$group"} = 1 if $l0;
- $ra->{1}->{$l1}->{"\@$group"} = 1 if $l1;
+ $result->{0}->{$l0}->{"${prefix}${member}"} = 1 if $l0;
+ $result->{1}->{$l1}->{"${prefix}${member}"} = 1 if $l1;
 }
+ };
 
- foreach my $user (keys %{$d->{users}}) {
- # no need to save, because root is always 'Administrator'
- next if $user eq 'root@pam';
+ foreach my $path (sort keys %{$cfg->{acl}}) {
+ my $d = $cfg->{acl}->{$path};
 
- my $l0 = '';
- my $l1 = '';
- foreach my $role (sort keys %{$d->{users}->{$user}}) {
- my $propagate = $d->{users}->{$user}->{$role};
- if ($propagate) {
- $l1 .= ',' if $l1;
- $l1 .= $role;
- } else {
- $l0 .= ',' if $l0;
- $l0 .= $role;
- }
- }
- $ra->{0}->{$l0}->{$user} = 1 if $l0;
- $ra->{1}->{$l1}->{$user} = 1 if $l1;
- }
+ my $rolelist_members = {};
 
- foreach my $rolelist (sort keys %{$ra->{0}}) {
- my $uglist = join (',', sort keys %{$ra->{0}->{$rolelist}});
- $data .= "acl:0:$path:$uglist:$rolelist:\n";
- }
- foreach my $rolelist (sort keys %{$ra->{1}}) {
- my $uglist = join (',', sort keys %{$ra->{1}->{$rolelist}});
- $data .= "acl:1:$path:$uglist:$rolelist:\n";
+ $collect_rolelist_members->($d->{'groups'}, $rolelist_members, '@');
+
+ # no need to save 'root@pam', it is always 'Administrator'
+ $collect_rolelist_members->($d->{'users'}, $rolelist_members, '', 'root@pam');
+
+ foreach my $propagate (0,1) {
+ my $filtered = $rolelist_members->{$propagate};
+ foreach my $rolelist (sort keys %$filtered) {
+ my $uglist = join (',', sort keys %{$filtered->{$rolelist}});
+ $data .= "acl:$propagate:$path:$uglist:$rolelist:\n";
+ }
 }
 }
 
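Review bot: The key built as `"${prefix}${member}"` is written verbatim into `acl:$propagate:$path:$uglist:$rolelist:`, and nothing in these lines checks that a member name, role or path is free of `:`, `,` or a newline; the `@` prefix is also the only thing that tells a group from a user in that line. That validation presumably happens before the config reaches this writer, but the commit message says the helper will be reused for token ACL members, so the assumption is worth recording next to the helper, e.g. `# names are written verbatim; they must already be validated (no ':', ',' or newline)`. Separately, `keys %$filtered` appears to rely on Perl autovivifying an undefined `$filtered` when a path has no entries for one propagate value; `my $filtered = $rolelist_members->{$propagate} // {};` would make that explicit.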