From: Ian Jackson Date: Sun, 30 May 2021 12:29:47 +0000 (+0100) Subject: cmdlistener: Pass AccountsGuard into authorise_scope_* X-Git-Tag: otter-0.7.0~215 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=2352fb0e319d98e7c89809343ff8d723142595f3;p=otter.git cmdlistener: Pass AccountsGuard into authorise_scope_* ssh key check is going to need it. Signed-off-by: Ian Jackson
---
diff --git a/daemon/cmdlistener.rs b/daemon/cmdlistener.rs
index f2ca5baf..377dda94 100644
--- a/daemon/cmdlistener.rs
+++ b/daemon/cmdlistener.rs
@@ -146,7 +146,8 @@ fn execute_and_respond(cs: &mut CommandStreamData, cmd: MgmtCommand,
 if !enable {
 cs.authstate = AuthState::None { euid: preserve_euid };
 } else {
- let auth = authorise_scope_direct(cs, &AccountScope::Server)?;
+ let ag = AccountsGuard::lock();
+ let auth = authorise_scope_direct(cs, &ag, &AccountScope::Server)?;
 let auth = auth.therefore_ok();
 cs.authstate = AuthState::Superuser { euid: preserve_euid, auth };
 }
@@ -202,7 +203,8 @@ fn execute_and_respond(cs: &mut CommandStreamData, cmd: MgmtCommand,
 }
 MC::SelectAccount(wanted_account) => {
- let auth = authorise_scope_direct(cs, &wanted_account.scope)?;
+ let ag = AccountsGuard::lock();
+ let auth = authorise_scope_direct(cs, &ag, &wanted_account.scope)?;
 cs.account = Some(AccountSpecified {
 cooked: wanted_account.to_string(),
 notional_account: wanted_account,
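Review bot: In the `MC::SelectAccount` arm the new `let ag = AccountsGuard::lock();` binding lives until the end of the arm, which continues past the end of this hunk, so the accounts lock is presumably held across everything that follows the authorisation check. If later code in that arm, or a helper it calls, takes the accounts lock again, that could self-deadlock, depending on how `AccountsGuard::lock()` is implemented, which is not visible here. Consider scoping the guard to the check, e.g. `let auth = { let ag = AccountsGuard::lock(); authorise_scope_direct(cs, &ag, &wanted_account.scope)? };`, or add a comment saying the lock is deliberately held for the rest of the arm. The first hunk is not affected in the same way, because there the guard is dropped at the closing `}` of the `else` block shown.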
@@ -1716,16 +1718,18 @@ fn authorise_by_account(cs: &CommandStreamData, ag: &AccountsGuard,
 }
 #[throws(MgmtError)]
-fn authorise_scope_direct(cs: &CommandStreamData, wanted: &AccountScope)
+fn authorise_scope_direct(cs: &CommandStreamData, ag: &AccountsGuard,
+ wanted: &AccountScope)
 -> Authorisation {
 // Usually, use authorise_by_account
- do_authorise_scope(cs, wanted)
+ do_authorise_scope(cs, ag, wanted)
 .map_err(|e| cs.map_auth_err(e))?
 }
 #[throws(AuthorisationError)]
-fn do_authorise_scope(cs: &CommandStreamData, wanted: &AccountScope)
- -> Authorisation {
+fn do_authorise_scope(cs: &CommandStreamData, _ag: &AccountsGuard,
+ wanted: &AccountScope)
+ -> Authorisation {
 if let Some(y) = cs.is_superuser() { return y }
 match &wanted {
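Review bot: `do_authorise_scope` now takes `_ag: &AccountsGuard` but, as far as this hunk shows, never uses it; the leading underscore only silences the unused-variable warning, so nothing tells a reader why an authorisation function requires the accounts lock. I would add a comment above both signatures such as `// ag: caller holds the accounts lock; authorisation decisions that consult account data (e.g. ssh keys) must be made under it`, and rename `_ag` to `ag` once the key check lands. It is also worth recording in that comment that `if let Some(y) = cs.is_superuser() { return y }` returns before any per-scope check, so a future key check placed in the `match` would not apply to superuser connections (presumably intended). The body of `do_authorise_scope` continues outside the hunk.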