CA-352073: Ensure all serialized calls can pass rbac checks #4829
It's quite hard to see what is exactly going on in gen_server.ml, but this looks right to me. Thanks for splitting it up in logical commits, otherwise I'd be totally lost. The changes make the code generator clearer and safer, and server.ml more efficient.
```ocaml
| Some default ->
    Printf.sprintf
      "(if (List.mem_assoc \"%s\" __structure) then (my_assoc \"%s\" \
```
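Review bot: the generated expression on this line tests `List.mem_assoc "%s" __structure` and then looks the same key up a second time with `my_assoc`, so each defaulted parameter costs two traversals of the association list; a single `List.assoc_opt` with a `Some`/`None` match does the lookup once and makes the default branch explicit in the generated code.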
This now doesn't call my_assoc anymore, but that is just List.assoc with a different exception raised. The exception won't be raised here, so that is fine.
```ocaml
in
let rbac_check_end = if has_session_arg then [] else [] in
```
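Review bot: both branches of `let rbac_check_end = if has_session_arg then [] else [] in` evaluate to `[]`, so the conditional on `has_session_arg` is dead; either bind `rbac_check_end = []` directly (or drop the binding where it is only appended), or, if the two cases were meant to differ, the branch for the no-session case still needs its intended value.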
Brilliant.
Would it be possible to use records rather than lists? Or a map? I assume we don't want to have duplicate keys either.
Which usage do you mean? For arguments it makes sense to use a map. I don't think it makes sense to use records, because each call will have different arguments and the code to process them won't be easily generalizable.
I was thinking about the list matching and extracting parameters by position. The alternative is to have matches of different lengths and capturing each argument by a named pattern variable.
In the end it comes down to serialization of xmlrpc calls: if the arguments are modelled as a list in the xml, the deserialization to a record will still need to extract the default one by position. So this step is unavoidable, whether it is done before this match or within it.
Since changing how the calls are modelled in xml means changing the API, it will mean we will have to accept both, which needs serious time and effort, in part because we're not too familiar with this part of xapi.
Yes. I think you solved the problem nicely. I also like to use the monadic let* for cases like this - you fail when the structure is unexpected, but the regular path is straight. Anyway, fine as is.
Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>

These can be replaced by functions in the standard library.

Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>

In this form it is more difficult to allow a variable number of elements than using `.. :: .. :: ..`, so it's easier to spot possible issues around them. When a call has default arguments it's not possible to change the form, as these are optional arguments and make the list variable in length.

Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>

This will allow this code to generate a binding not only for the value with the unmarshalled value, but for the rpc value as well. This is needed to be able to explicitly define the parameter list with the default values embedded into the rbac check.

Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>

Explicitly define a list of tuples with names and values so the rbac checks can never fail at runtime on differing lengths for these. Instead, now the check will fail at build time. Calls with defaults allowed the values list to be shorter as they never bothered to contain the default values. Now the default values are collected to match all the names of the parameters.

Signed-off-by: Pau Ruiz Safont <pau.safont@citrix.com>
Explicitly define a list of tuples with names and values so the rbac checks can never fail at runtime on differing lengths for these. Instead, now the check happens at build time, by list construction.
Calls with defaults allowed the values list to be shorter as they never bothered to contain the default values. Now the default values are collected to match all the names of the parameters.
To help with this, I've replaced some custom functions with default ones, and changed how lists are generated to stop using cons, as it doesn't lend itself to determining a particular number of elements in a list.
To give an idea on how these changes impact the code generated here are a couple of examples:
Call without defaults before:
after:
Call with defaults before:
after:
This not only gets rid of the rbac_audit spurious warnings, but the RBAC code spends a copious amount of time ensuring that `~args` contains 2 lists of the same length; this is because this doesn't happen just once, but pervasively in the code. This is an identified bottleneck when there are many calls happening at the same time. While this PR doesn't fix this bottleneck, I've experimented with removing all these checks and will open a PR once the code is cleaned up: master...psafont:xen-api:private/paus/rbacuum
contains 2 lists of the same length, this is because this doesn't happen just once, but pervasively in the code. This is an identified bottleneck when there are many calls happening at the same. While this PR doesn't fix this bottleneck, I've experimented with removing all these check and will open a PR once the code is cleaned up: master...psafont:xen-api:private/paus/rbacuum