EH: CS-2031: Implement default-deny evaluation logic

ernst-bablick · ernst-bablick · commit 3848d038ee90 · 2026-05-06T20:02:54.000+02:00
diff --git a/source/libs/sgeobj/ocs_Role.cc b/source/libs/sgeobj/ocs_Role.cc
@@ -508,3 +508,42 @@ ocs::Role::collect_perm_rules(const char *role_name, const lList *role_list, Per
    collect_recursive(role_name, role_list, rules, visited);
    DRETURN_VOID;
 }
+
+bool
+ocs::Role::is_authorized(const lList *role_list, const lList *userset_list, const MatchContext &ctx) {
+   DENTER(TOP_LAYER);
+   for_each_ep_lv(role_ep, role_list) {
+      // skip disabled roles
+      if (!lGetBool(role_ep, RL_enabled)) {
+         continue;
+      }
+      // check whether the requesting user is a member of this role's user_list
+      bool user_in_role = false;
+      for_each_ep_lv(acl_ep, lGetList(role_ep, RL_user_list)) {
+         const char *userset_name = lGetString(acl_ep, US_name);
+         const lListElem *userset_ep = lGetElemStr(userset_list, US_name, userset_name);
+         if (userset_ep == nullptr) {
+            continue;
+         }
+         if (sge_contained_in_access_list(ctx.request_user.c_str(),
+                                          ctx.request_group.c_str(),
+                                          ctx.request_grp_list,
+                                          userset_ep) == 1) {
+            user_in_role = true;
+            break;
+         }
+      }
+      if (!user_in_role) {
+         continue;
+      }
+      // user is in this role — collect effective rules and evaluate
+      PermRuleList rules;
+      collect_perm_rules(lGetString(role_ep, RL_name), role_list, rules);
+      for (const auto &rule : rules) {
+         if (match_rule(rule, ctx)) {
+            DRETURN(true);
+         }
+      }
+   }
+   DRETURN(false);
+}
diff --git a/source/libs/sgeobj/ocs_Role.h b/source/libs/sgeobj/ocs_Role.h
@@ -49,6 +49,8 @@ namespace ocs {
          std::string object_key;                              ///< specific object name or ID
          std::string object_owner;                            ///< owner of the target object
          std::string request_user;                            ///< authenticated requesting user
+         std::string request_group;                           ///< primary UNIX group of the requesting user
+         const lList *request_grp_list{nullptr};              ///< supplementary UNIX groups (ST_Type list)
          std::vector<std::string> source_hostgroups;          ///< @groups the source host belongs to
          std::vector<std::string> required_value_constraints; ///< elevated permissions required by the request
       };
@@ -130,5 +132,18 @@ namespace ocs {
        * @param rules       Receives the collected rules (appended, not replaced).
        */
       static void collect_perm_rules(const char *role_name, const lList *role_list, PermRuleList &rules);
+
+      /**
+       * Evaluate whether a request is authorized under the current role configuration.
+       * Iterates all enabled roles; for each role the requesting user belongs to,
+       * collects the effective rule set (own + inherited) and evaluates each rule.
+       * Returns true on the first matching rule. Returns false if no rule matches
+       * across all applicable roles (default-deny).
+       * @param role_list     The master role list.
+       * @param userset_list  The master userset list (for membership checks).
+       * @param ctx           The request context.
+       * @return              True if the request is authorized.
+       */
+      static bool is_authorized(const lList *role_list, const lList *userset_list, const MatchContext &ctx);
    };
 }
