References: <1457635927-23045-1-git-send-email-berrange@redhat.com>
 <1457636396-24983-1-git-send-email-berrange@redhat.com>
 <1457636396-24983-10-git-send-email-berrange@redhat.com>
From: Eric Blake
Message-ID: <56F1BB46.3090407@redhat.com>
Date: Tue, 22 Mar 2016 15:38:14 -0600
In-Reply-To: <1457636396-24983-10-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3 10/10] vnc: allow specifying a custom ACL object name
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Paolo Bonzini, qemu-block@nongnu.org, Markus Armbruster, Andreas Färber, Max Reitz

On 03/10/2016 11:59 AM, Daniel P. Berrange wrote:
> The VNC server has historically had support for ACLs to check
> both the SASL username and the TLS x509 distinguished name.
> The VNC server was responsible for creating the initial ACL,
> and the client app was then responsible for populating it with
> rules using the HMP 'acl_add' command.
>
> This is not satisfactory for a variety of reasons. There is
> no way to populate the ACLs from the command line; users are
> forced to use the HMP. With multiple network services all
> supporting TLS and ACLs now, it is desirable to be able to
> define a single ACL that is referenced by all services.
>
> To address these limitations, two new options are added to the
> VNC server CLI. The 'tls-acl' option takes the ID of a QAuthZ
> object to use for checking TLS x509 distinguished names, and
> the 'sasl-acl' option takes the ID of another object to use for
> checking SASL usernames.
>
> In this example, we set up two ACLs. The first allows any client
> with a certificate issued by the 'RedHat' organization in the
> 'London' locality.
> The second ACL allows clients with either
> the 'joe@REDHAT.COM' or 'fred@REDHAT.COM' kerberos usernames.
> Both ACLs must pass for the user to be allowed.
>
>   $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
>                 endpoint=server,verify-peer=yes \
>         -object authz-simple,id=acl0,policy=deny,\
>                 rules.0.match=O=RedHat,,L=London,rules.0.policy=allow \
>         -object authz-simple,id=acl0,policy=deny,\

Umm, you can't reuse 'acl0' as the id.

>                 rules.0.match=fred@REDHAT.COM,rules.0.policy=allow \
>                 rules.0.match=joe@REDHAT.COM,rules.0.policy=allow \
>         -vnc 0.0.0.0:1,tls-creds=tls0,tls-acl=tlsacl0,
>              sasl,sasl-acl=saslacl0 \

And this fails because the ids don't exist.  I think you meant
authz-simple,id=tlsacl0 in the first instance, and
authz-simple,id=saslacl0 in the second instance.

>         ...other QEMU args...
>
> Signed-off-by: Daniel P. Berrange
> ---
>  ui/vnc.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++------------
>  1 file changed, 60 insertions(+), 13 deletions(-)
>
> @@ -3670,6 +3680,21 @@ void vnc_display_open(const char *id, Error **errp)
>          }
>      }
>      acl = qemu_opt_get_bool(opts, "acl", false);
> +    tlsacl = qemu_opt_get(opts, "tls-acl");
> +    if (acl && tlsacl) {
> +        error_setg(errp, "'acl' option is mutually exclusive with the "
> +                   "'tls-acl' options");
> +        goto fail;
> +    }
> +
> +#ifdef CONFIG_VNC_SASL
> +    saslacl = qemu_opt_get(opts, "sasl-acl");
> +    if (acl && saslacl) {
> +        error_setg(errp, "'acl' option is mutually exclusive with the "
> +                   "'sasl-acl' options");
> +        goto fail;
> +    }
> +#endif

Do we explicitly fail if sasl-acl was provided but CONFIG_VNC_SASL is
not defined?  It looks here like you silently ignore it, which would not
be good.
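Review bot: `saslacl = qemu_opt_get(opts, "sasl-acl");` and the conflict check that follows it are the only places in this hunk that look at 'sasl-acl', and both sit under `#ifdef CONFIG_VNC_SASL`, so in a build without SASL the value is never read and nothing in this hunk rejects a `sasl-acl=` the administrator supplied; hoist the `qemu_opt_get` above the `#ifdef` and add an `#else` branch that does `error_setg(errp, ...)` and `goto fail` when `saslacl` is non-NULL, so an ACL that cannot be enforced fails closed instead of being dropped. Also, each error string names one option, so "the 'tls-acl' options" and "the 'sasl-acl' options" should read "the 'tls-acl' option" and "the 'sasl-acl' option".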
> @@ -3710,19 +3737,39 @@ void vnc_display_open(const char *id, Error **errp)
>                                            &error_abort);
>      }
>  #ifdef CONFIG_VNC_SASL
> -    if (acl && sasl) {
> -        char *aclname;
> +    if (sasl) {
> +        if (saslacl) {
> +            Object *container, *acl;
> +            container = object_get_objects_root();
> +            acl = object_resolve_path_component(container, saslacl);
> +            if (!acl) {
> +                error_setg(errp, "Cannot find ACL %s", saslacl);
> +                goto fail;
> +            }
>  
> -        if (strcmp(vs->id, "default") == 0) {
> -            aclname = g_strdup("vnc.username");
> -        } else {
> -            aclname = g_strdup_printf("vnc.%s.username", vs->id);
> -        }
> -        vs->sasl.acl =
> -            QAUTHZ(qauthz_simple_new(aclname,
> -                                     QAUTHZ_SIMPLE_POLICY_DENY,
> -                                     &error_abort));
> -        g_free(aclname);
> +            if (!object_dynamic_cast(acl, TYPE_QAUTHZ)) {
> +                error_setg(errp, "Object '%s' is not a QAuthZ subclass",
> +                           saslacl);
> +                goto fail;
> +            }
> +            vs->sasl.acl = QAUTHZ(acl);
> +        } else if (acl) {
> +            char *aclname;
> +
> +            if (strcmp(vs->id, "default") == 0) {
> +                aclname = g_strdup("vnc.username");
> +            } else {
> +                aclname = g_strdup_printf("vnc.%s.username", vs->id);
> +            }
> +            vs->sasl.acl =
> +                QAUTHZ(qauthz_simple_new(aclname,
> +                                         QAUTHZ_SIMPLE_POLICY_DENY,
> +                                         &error_abort));
> +            g_free(aclname);
> +        }
> +    } else if (saslacl) {
> +        error_setg(errp, "SASL ACL provided when SASL is disabled");
> +        goto fail;
>      }
>  #endif
>  

Again, the saslacl check is only mentioned inside the #if; what happens
when the #if is not compiled?
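Review bot: `Object *container, *acl;` inside `if (saslacl) {` shadows the boolean `acl` that was set by `acl = qemu_opt_get_bool(opts, "acl", false);` and that the sibling `} else if (acl) {` branch still relies on; rename the local (for example `Object *aclobj`) so the two meanings of `acl` cannot be confused and -Wshadow stays quiet. Two further points on this hunk: the `} else if (saslacl) { error_setg(errp, "SASL ACL provided when SASL is disabled"); goto fail; }` rejection is itself inside `#ifdef CONFIG_VNC_SASL`, so it never fires in the one build where the option can never be honoured; and the `saslacl` branch stores `vs->sasl.acl = QAUTHZ(acl)` for an object that lives under the objects root and that the VNC server does not own, whereas the `acl` branch stores an object the server created with `qauthz_simple_new`. Whatever the old code did to release its self-created object must not be applied to the user-supplied one, so either take a reference (`object_ref`) on the resolved object or record which case applies and tear down accordingly.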
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
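Added example, written for this page and not taken from the message above or from QEMU's ui/vnc.c: a stand-alone C model of the option validation the two hunks perform, with a boolean `have_sasl` standing in for `#ifdef CONFIG_VNC_SASL` so that the "built without SASL" case Eric asks about can be run next to a fail-closed variant. `VncOpts`, `VncStatus` and both `validate_acl_opts_*` functions are hypothetical stand-ins, not QEMU APIs; the option values are constructed from the commit message's `sasl,sasl-acl=saslacl0` example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the values a "-vnc ...,acl,sasl,tls-acl=X,sasl-acl=Y"
 * option group carries after parsing.  Not QEMU's QemuOpts. */
typedef struct {
    bool acl;             /* legacy boolean 'acl' option */
    bool sasl;            /* 'sasl' enabled on this display */
    const char *tls_acl;  /* 'tls-acl=' object id, or NULL */
    const char *sasl_acl; /* 'sasl-acl=' object id, or NULL */
} VncOpts;

typedef enum {
    VNC_OK = 0,
    VNC_ERR_CONFLICT,      /* 'acl' combined with 'tls-acl' or 'sasl-acl' */
    VNC_ERR_SASL_DISABLED, /* 'sasl-acl' given without 'sasl' */
    VNC_ERR_NO_SASL        /* 'sasl-acl' given to a build without SASL support */
} VncStatus;

/* Shape of the patch as posted: everything that touches 'sasl-acl' is under
 * #ifdef CONFIG_VNC_SASL.  `have_sasl` plays the role of that #ifdef so both
 * build flavours can be exercised from one binary. */
static VncStatus validate_acl_opts_as_posted(const VncOpts *o, bool have_sasl,
                                             const char **sasl_acl_out)
{
    *sasl_acl_out = NULL;
    if (o->acl && o->tls_acl) {
        return VNC_ERR_CONFLICT;
    }
    if (have_sasl) {
        if (o->acl && o->sasl_acl) {
            return VNC_ERR_CONFLICT;
        }
        if (o->sasl) {
            *sasl_acl_out = o->sasl_acl;
        } else if (o->sasl_acl) {
            return VNC_ERR_SASL_DISABLED;
        }
    }
    /* have_sasl == false: o->sasl_acl was never read, so the ACL the
     * administrator asked for is silently dropped and the display opens. */
    return VNC_OK;
}

/* Fail-closed variant: read and validate 'sasl-acl' unconditionally and
 * refuse it outright when SASL support is not compiled in. */
static VncStatus validate_acl_opts_fixed(const VncOpts *o, bool have_sasl,
                                         const char **sasl_acl_out)
{
    *sasl_acl_out = NULL;
    if (o->acl && (o->tls_acl || o->sasl_acl)) {
        return VNC_ERR_CONFLICT;
    }
    if (o->sasl_acl) {
        if (!have_sasl) {
            return VNC_ERR_NO_SASL;
        }
        if (!o->sasl) {
            return VNC_ERR_SASL_DISABLED;
        }
        *sasl_acl_out = o->sasl_acl;
    }
    return VNC_OK;
}

int main(void)
{
    /* Constructed input mirroring "tls-acl=tlsacl0,sasl,sasl-acl=saslacl0". */
    VncOpts o = { .acl = false, .sasl = true,
                  .tls_acl = "tlsacl0", .sasl_acl = "saslacl0" };
    const char *chosen;
    VncStatus st;

    st = validate_acl_opts_as_posted(&o, false, &chosen);
    printf("as posted, build without SASL: status=%d sasl acl=%s\n",
           st, chosen ? chosen : "(none)");

    st = validate_acl_opts_fixed(&o, false, &chosen);
    printf("fixed,     build without SASL: status=%d sasl acl=%s\n",
           st, chosen ? chosen : "(none)");
    return 0;
}
```

Build with `cc -std=c11 -Wall -Wshadow` and run: the as-posted variant reports success with no SASL ACL selected, which is exactly the silent-ignore outcome, while the fixed variant refuses the configuration. The same `have_sasl` switch also exposes that the as-posted code misses the `acl` versus `sasl-acl` conflict in a no-SASL build.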