author | Dan Williams <dcbw@redhat.com> | 2010-10-12 17:55:08 -0500 |
committer | Dan Williams <dcbw@redhat.com> | 2010-10-12 17:55:08 -0500 |
commit | 82772191a993fc9836ffeec5d23589abbe53a9d2 (patch) | |
tree | cbcc40099e7c11dee35e89cbc2977d2f61550fca /libnm-util/nm-setting-connection.c | |
parent | 8b41f70dd54b0621bf4c096dcd9687531566b5dd (diff) | |
download | NetworkManager-82772191a993fc9836ffeec5d23589abbe53a9d2.tar.gz |
libnm-util: simplify permissions somewhat; remove groups
Groups may come later, but they are also quite a bit more complicated
because getting the groups a user is in may require network access
if that user is backed by LDAP. And it gets worse because you have
no idea that the glibc calls like getgrouplist(3) are backed by
the network and may take an arbitrary amount of time to complete.
Punt that.
Diffstat (limited to 'libnm-util/nm-setting-connection.c')
-rw-r--r-- | libnm-util/nm-setting-connection.c | 87 |
1 files changed, 41 insertions, 46 deletions
diff --git a/libnm-util/nm-setting-connection.c b/libnm-util/nm-setting-connection.c
index 40c9ac14ce..644ed59ca8 100644
--- a/libnm-util/nm-setting-connection.c
+++ b/libnm-util/nm-setting-connection.c
@@ -19,7 +19,7 @@
  * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
  * Boston, MA 02110-1301 USA.
  *
- * (C) Copyright 2007 - 2008 Red Hat, Inc.
+ * (C) Copyright 2007 - 2010 Red Hat, Inc.
  * (C) Copyright 2007 - 2008 Novell, Inc.
  */
 
@@ -30,6 +30,8 @@
 #include "nm-param-spec-specialized.h"
 #include "nm-setting-connection.h"
 
+#define NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER "user:"
+
 /**
  * SECTION:nm-setting-connection
  * @short_description: Describes general connection properties
@@ -186,7 +188,7 @@ nm_setting_connection_get_num_permissions (NMSettingConnection *setting)
 }
 
 /**
- * nm_setting_connection_get_permission_entry:
+ * nm_setting_connection_get_permission:
  * @setting: the #NMSettingConnection
  * @index: the zero-based index of the permissions entry
  *
@@ -196,11 +198,17 @@ nm_setting_connection_get_num_permissions (NMSettingConnection *setting)
  * Returns: the entry at the specified index
  */
 const char *
-nm_setting_connection_get_permission_entry (NMSettingConnection *setting, guint32 i)
+nm_setting_connection_get_permission (NMSettingConnection *setting, guint32 i)
 {
+	NMSettingConnectionPrivate *priv;
+
 	g_return_val_if_fail (NM_IS_SETTING_CONNECTION (setting), NULL);
 
-	return (const char *) g_slist_nth_data (NM_SETTING_CONNECTION_GET_PRIVATE (setting)->permissions, i);
+	priv = NM_SETTING_CONNECTION_GET_PRIVATE (setting);
+
+	g_return_val_if_fail (i < g_slist_length (priv->permissions), NULL);
+
+	return (const char *) g_slist_nth_data (priv->permissions, i);
 }
 
 /**
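Review bot: The gtk-doc block above the renamed `nm_setting_connection_get_permission` still documents the index parameter as `@index` while the signature names it `i`, so the hunk leaves a parameter/doc mismatch that gtk-doc will warn about; either rename the parameter to `index` or change the line to ` * @i: the zero-based index of the permissions entry`. The new `g_return_val_if_fail` also changes the contract — an out-of-range index now yields NULL after a critical warning — which the `Returns:` line should state, e.g. ` * Returns: the entry at the specified index, or %NULL if @i is out of range`. `g_slist_length()` followed by `g_slist_nth_data()` walks the list twice per call, harmless for short permission lists but worth a one-line comment since callers will typically loop up to `nm_setting_connection_get_num_permissions()`. The rename is a public libnm-util API change; the matching header edit is presumably in nm-setting-connection.h, which this page does not show.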
@@ -282,38 +290,23 @@ static gboolean
 validate_permissions (GSList *permissions, GError **error)
 {
 	GSList *iter;
+
 	for (iter = permissions; iter; iter = iter->next) {
-		char *entry = (char *) iter->data;
-		char *usr_start = NULL;
-		char *ext_start = NULL;
-		int prefix_len;
-
-		if (g_str_has_prefix (entry, NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER)) {
-			prefix_len = strlen (NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER);
-		} else if (g_str_has_prefix (entry, NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_GROUP)) {
-			prefix_len = strlen (NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_GROUP);
-		} else {
-			g_set_error (error,
-			             NM_SETTING_CONNECTION_ERROR,
-			             NM_SETTING_CONNECTION_ERROR_INVALID_PROPERTY,
-			             "permissions: entry '%s': invalid prefix", entry);
-			return FALSE;
-		}
+		const char *entry = iter->data;
+		const char *usr_start = NULL;
 
-		usr_start = entry + prefix_len;
+		if (!g_str_has_prefix (entry, NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER))
+			continue;
 
-		ext_start = strchr(usr_start, ':');
-		if (!ext_start) {
+		usr_start = entry + strlen (NM_SETTINGS_CONNECTION_PERMISSION_PREFIX_USER);
+		if (!strchr (usr_start, ':')) {
 			g_set_error (error,
 			             NM_SETTING_CONNECTION_ERROR,
 			             NM_SETTING_CONNECTION_ERROR_INVALID_PROPERTY,
-			             "permissions: entry '%s': two few ':'s", entry);
+			             "permissions: entry '%s': two few ':' characters", entry);
 			return FALSE;
 		}
 
-		ext_start++;
-		/* We don't (yet) care about what comes afterwards. */
-
 	}
 
 	return TRUE;
@@ -376,11 +369,8 @@ verify (NMSetting *setting, GSList *all_settings, GError **error)
 	}
 
 	if (priv->permissions) {
-		GError *perm_error = NULL;
-		if (!validate_permissions (priv->permissions, &perm_error)) {
-			g_propagate_error (error, perm_error);
+		if (!validate_permissions (priv->permissions, error))
 			return FALSE;
-		}
 	}
 
 	return TRUE;
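Review bot: The new check in `validate_permissions` accepts an entry with an empty user name such as `user::x`, because `strchr (usr_start, ':')` succeeds immediately when the first character after the prefix is already the separator; the [id] field should be required to be non-empty, e.g. `sep = strchr (usr_start, ':'); if (!sep || sep == usr_start) {` with `const char *sep` declared next to `usr_start`, so a malformed entry is rejected by verify() instead of being stored and silently never matching any user. The rewritten error message still carries the typo `two few`; it should read `"permissions: entry '%s': too few ':' characters"`. `usr_start` is initialized to NULL and then unconditionally assigned before its only use, so the initializer can be dropped or the variable declared at the assignment. Entries with an unknown [type] now pass validation by design (`continue`), which matches the rewritten property documentation.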
@@ -569,12 +559,16 @@ nm_setting_connection_class_init (NMSettingConnectionClass *setting_class)
 	 *
 	 * An array of strings defining what access a given user has to this
 	 * connection. If this is NULL or empty, all users are allowed to access
-	 * this connection. Otherwise, each entry in this array specifies a user or
-	 * unix group, and a user is allowed to access this connection if and only
-	 * if they are in this list or if they are included in at least one of any
-	 * listed unix groups . Each entry is of the form "user:<user-name>:<junk>
-	 * or "group:<group-name>:<junk>. Any <junk> present must be ignored; it is
-	 * reserved for future versions of NM.
+	 * this connection. Otherwise a user is allowed to access this connection
+	 * if and only if they are in this list. Each entry is of the form
+	 * "[type]:[id]:[reserved]", for example:
+	 *
+	 * user:dcbw:blah
+	 *
+	 * At this time only the 'user' [type] is allowed. Any other values are
+	 * ignored and reserved for future use. [id] is the username that this
+	 * permission refers to. Any [reserved] information present must be
+	 * ignored and is reserved for future use.
 	 */
 	g_object_class_install_property
 		(object_class, PROP_PERMISSIONS,
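Review bot: The rewritten property documentation describes each entry as `"[type]:[id]:[reserved]"` but does not say that the second `:` is mandatory even when [reserved] is empty, although `validate_permissions` in the hunk above rejects a `user:` entry that lacks it; the shortest valid entry is therefore `user:dcbw:`, not `user:dcbw`. Suggest adding a line such as ` * The second ':' is required even when no [reserved] data follows it.` after the example, and the same sentence in the property blurb string changed in the hunk at -583,15 below, which otherwise repeats this text and the same omission. The enclosing `nm_setting_connection_class_init` starts and ends outside both hunks.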
@@ -583,15 +577,16 @@ nm_setting_connection_class_init (NMSettingConnectionClass *setting_class)
 						      "An array of strings defining what access a given "
 						      "user has to this connection. If this is NULL or "
 						      "empty, all users are allowed to access this "
-						      "connection. Otherwise, each entry in this array "
-						      "specifies a user or unix group, and a user is "
-						      "allowed to access this connection if and only if "
-						      "they are in this list or if they are included in at "
-						      "least one of any listed unix groups. Each entry is "
-						      "of the form \"user:<user-name>:<junk>\" or "
-						      "\"group:<group-name>:<junk>\". Any <junk> present "
-						      "must be ignored; it is reserved for future versions "
-						      "of NM.",
+						      "connection. Otherwise a user is allowed to access "
+						      "this connection if and only if they are in this "
+						      "array. Each entry is of the form "
+						      "\"[type]:[id]:[reserved]\", for example: "
+						      "\"user:dcbw:blah\" At this time only the 'user' "
+						      "[type] is allowed. Any other values are ignored and "
+						      "reserved for future use. [id] is the username that "
+						      "this permission refers to. Any [reserved] "
+						      "information (if present) must be ignored and is "
+						      "reserved for future use.",
 						      DBUS_TYPE_G_LIST_OF_STRING,
 						      G_PARAM_READWRITE | NM_SETTING_PARAM_SERIALIZE));