dird: config: console: prohibit PAM usage with user ACL and Profiles in consoles

[alaaeddineelamri]

Thank you for contributing to the Bareos Project!

Description

This PR makes Bareos consider malformed, consoles whose configuration having simultaneously use PAM authentication and ACL commands, or a Profile having ACL.

Please check

• Short description and the purpose of this PR is present above this paragraph
• Your name is present in the AUTHORS file (optional)

If you have any questions or problems, please give a comment in the PR.

Helpful documentation and best practices

• Git Workflow
• Automatic Sourcecode Formatting
• Check your commit messages

Checklist for the reviewer of the PR (will be processed by the Bareos team)

General

• PR name is meaningful
• Purpose of the PR is understood
• Commit descriptions are understandable and well formatted
• Check backport line
• Is the PR title usable as CHANGELOG entry?
• Separate commit for CHANGELOG.md ("update CHANGELOG.md"). The PR number is correct.

Source code quality

• Source code changes are understandable
• Variable and function names are meaningful
• Code comments are correct (logically and spelling)
• Required documentation changes are present and part of the PR
• bareos-check-sources --since-merge does not report any problems

Tests

• Decision taken that a test is required (if not, then remove this paragraph)
• The choice of the type of test (unit test or systemtest) is reasonable
• Testname matches exactly what is being tested
• On a fail, output of the test leads quickly to the origin of the fault

[arogge]

We should really improve LockRes()/UnlockRes() as it is too easy to misuse.
I'm not sure if your check for the ACL is correct/complete, but overall it looks good.

[arogge]

if we had GSL, you could set this up using finally() or if ConfigurationParser would satisfy BasicLockable one could just use a lock_guard lock{my_config}. This would remove the need for the explicit UnlockRes(my_config)

[alaaeddineelamri]

another issue we have with this, is that in certain functions around the code base, there are instances where there are multiple locks and unlocks

void afunction() {
  lockres(...)
  do_something
  unlockres(...)

  do_something_else

  lockres(..) //again
  doxxxxx
  unlockres(..)
}

unless we go around everywhere refactoring to make those functions use a single lock (there are 64 matches for lockres) and make sure the logic stays the same, I don't think there will be a quick fix for this.

I remember we did something similar before with the database locking by creating a DbLocker class that would do locking on construction and unlocking on destruction. But we were lucky in that instance because the locking and unlocking would occur only once for every function involved.

[arogge]

We can probably keep the old behaviour, but allow newer and refactored code to utilize RAII here.

Besides that, you can always do it like this:

void afunction() {
  {
     std::lock_guard lock(my_config);
     do_something
  }
  do_something_else
  {
     std::lock_guard lock(my_config);
     doxxx
  }
}

which isn't nice, but still a lot better than requiring manual unlock (which is btw. one of the main reasons a lot of our code is not exception-safe)

[arogge]

With emplace_back() you can just pass your arguments into the constructor of the contained type (and save a copy operation):

Suggested change

	consoles_with_auth_problems.push_back(
	std::string(console->resource_name_));
	consoles_with_auth_problems.emplace_back(console->resource_name_);

[arogge]

that describes a situation, but does not name the problem.

[arogge]

if I understood it correctly, then ACL_lists[0] is only checking for Job_ACL, but not for the others like Catalog_ACL or Command_ACL.

[arogge]

Great work!
Besides the Changelog, I'm happy with it.