Add info about access control checks into API reference

So that app developers / admins know what access control checks are performed for each API, this patch extends the API docs generator to include details of the ACLs for each. The gendispatch.pl script is extended so that it generates a simple XML describing ACL rules, eg. <aclinfo> ... <api name='virConnectNumOfDomains'> <check object='connect' perm='search_domains'/> <filter object='domain' perm='getattr'/> </api> <api name='virDomainAttachDeviceFlags'> <check object='domain' perm='write'/> <check object='domain' perm='save' flags='!VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE'/> <check object='domain' perm='save' flags='VIR_DOMAIN_AFFECT_CONFIG'/> </api> ... </aclinfo> The newapi.xsl template loads the XML files containing the ACL rules and generates a short block of HTML for each API describing the parameter checks and return value filters (if any). Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2025-02-25 18:55:26 -06:00 · 2013-08-07 13:03:50 +01:00
parent 31d41d9268
commit 664ab2801d
5 changed files with 160 additions and 6 deletions
--- a/docs/newapi.xsl
+++ b/docs/newapi.xsl
@@ -29,6 +29,69 @@
  <xsl:variable name="htmldir">html</xsl:variable>
  <xsl:variable name="href_base">../</xsl:variable>

+  <xsl:variable name="acls">
+    <xsl:copy-of select="document('../src/libvirt_access.xml')/aclinfo/api"/>
+  </xsl:variable>
+  <xsl:variable name="qemuacls">
+    <xsl:copy-of select="document('../src/libvirt_access_qemu.xml')/aclinfo/api"/>
+  </xsl:variable>
+  <xsl:variable name="lxcacls">
+    <xsl:copy-of select="document('../src/libvirt_access_lxc.xml')/aclinfo/api"/>
+  </xsl:variable>
+
+  <xsl:template name="aclinfo">
+    <xsl:param name="api"/>
+
+    <xsl:if test="count(exsl:node-set($acls)/api[@name=$api]/check) > 0">
+      <h5>Access control parameter checks</h5>
+      <table class="acl">
+        <thead>
+          <tr>
+            <th>Object</th>
+            <th>Permission</th>
+            <th>Condition</th>
+          </tr>
+        </thead>
+        <xsl:apply-templates select="exsl:node-set($acls)/api[@name=$api]/check" mode="acl"/>
+      </table>
+    </xsl:if>
+    <xsl:if test="count(exsl:node-set($acls)/api[@name=$api]/filter) > 0">
+      <h5>Access control return value filters</h5>
+      <table class="acl">
+        <thead>
+          <tr>
+            <th>Object</th>
+            <th>Permission</th>
+          </tr>
+        </thead>
+        <xsl:apply-templates select="exsl:node-set($acls)/api[@name=$api]/filter" mode="acl"/>
+      </table>
+    </xsl:if>
+  </xsl:template>
+
+  <xsl:template match="check" mode="acl">
+    <tr>
+      <td><xsl:value-of select="@object"/></td>
+      <td><xsl:value-of select="@perm"/></td>
+      <xsl:choose>
+        <xsl:when test="@flags">
+          <td><xsl:value-of select="@flags"/></td>
+        </xsl:when>
+        <xsl:otherwise>
+          <td>-</td>
+        </xsl:otherwise>
+      </xsl:choose>
+    </tr>
+  </xsl:template>
+
+  <xsl:template match="filter" mode="acl">
+    <tr>
+      <td><xsl:value-of select="@object"/></td>
+      <td><xsl:value-of select="@perm"/></td>
+    </tr>
+  </xsl:template>
+
+
  <xsl:template name="navbar">
    <xsl:variable name="previous" select="preceding-sibling::file[1]"/>
    <xsl:variable name="next" select="following-sibling::file[1]"/>
@@ -553,6 +616,11 @@
        </xsl:if>
      </dl>
    </xsl:if>
+    <div class="acl">
+      <xsl:call-template name="aclinfo">
+        <xsl:with-param name="api" select="$name"/>
+      </xsl:call-template>
+    </div>
  </xsl:template>

  <xsl:template match="exports" mode="toc">