]>
Commit | Line | Data |
---|---|---|
5c6cdf98 | 1 | use std::io::Write; |
a83eab3c | 2 | use std::collections::{HashMap, HashSet, BTreeMap, BTreeSet}; |
5c6cdf98 | 3 | use std::path::{PathBuf, Path}; |
5354511f | 4 | use std::sync::{Arc, RwLock}; |
5c6cdf98 | 5 | |
f7d4e4b5 | 6 | use anyhow::{bail, Error}; |
5c6cdf98 DM |
7 | |
8 | use lazy_static::lazy_static; | |
9 | ||
10 | use proxmox::tools::{fs::replace_file, fs::CreateOptions}; | |
11 | ||
12 | // define Privilege bitfield | |
13 | ||
9765092e DM |
14 | pub const PRIV_SYS_AUDIT: u64 = 1 << 0; |
15 | pub const PRIV_SYS_MODIFY: u64 = 1 << 1; | |
16 | pub const PRIV_SYS_POWER_MANAGEMENT: u64 = 1 << 2; | |
5c6cdf98 | 17 | |
9765092e | 18 | pub const PRIV_DATASTORE_AUDIT: u64 = 1 << 3; |
d00e1a21 | 19 | pub const PRIV_DATASTORE_MODIFY: u64 = 1 << 4; |
54552dda DM |
20 | pub const PRIV_DATASTORE_READ: u64 = 1 << 5; |
21 | ||
22 | /// Datastore.Backup also requires backup ownership | |
23 | pub const PRIV_DATASTORE_BACKUP: u64 = 1 << 6; | |
24 | /// Datastore.Prune also requires backup ownership | |
d00e1a21 | 25 | pub const PRIV_DATASTORE_PRUNE: u64 = 1 << 7; |
5c6cdf98 | 26 | |
d00e1a21 | 27 | pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 8; |
4f66423f | 28 | |
0815ec7e DM |
29 | pub const ROLE_ADMIN: u64 = std::u64::MAX; |
30 | pub const ROLE_NO_ACCESS: u64 = 0; | |
31 | ||
5c6cdf98 DM |
32 | pub const ROLE_AUDIT: u64 = |
33 | PRIV_SYS_AUDIT | | |
9765092e | 34 | PRIV_DATASTORE_AUDIT; |
5c6cdf98 | 35 | |
9765092e DM |
36 | pub const ROLE_DATASTORE_ADMIN: u64 = |
37 | PRIV_DATASTORE_AUDIT | | |
9c7fe29d | 38 | PRIV_DATASTORE_MODIFY | |
d00e1a21 | 39 | PRIV_DATASTORE_READ | |
54552dda | 40 | PRIV_DATASTORE_BACKUP | |
d00e1a21 | 41 | PRIV_DATASTORE_PRUNE; |
5c6cdf98 | 42 | |
9765092e | 43 | pub const ROLE_DATASTORE_USER: u64 = |
54552dda | 44 | PRIV_DATASTORE_BACKUP; |
d00e1a21 DM |
45 | |
46 | pub const ROLE_DATASTORE_AUDIT: u64 = | |
47 | PRIV_DATASTORE_AUDIT; | |
9765092e | 48 | |
8d048af2 | 49 | pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess"; |
5c6cdf98 DM |
50 | |
51 | lazy_static! { | |
3fff55b2 | 52 | pub static ref ROLE_NAMES: HashMap<&'static str, (u64, &'static str)> = { |
5c6cdf98 DM |
53 | let mut map = HashMap::new(); |
54 | ||
3fff55b2 DM |
55 | map.insert("Admin", ( |
56 | ROLE_ADMIN, | |
57 | "Administrator", | |
58 | )); | |
59 | map.insert("Audit", ( | |
60 | ROLE_AUDIT, | |
61 | "Auditor", | |
62 | )); | |
63 | map.insert(ROLE_NAME_NO_ACCESS, ( | |
64 | ROLE_NO_ACCESS, | |
65 | "Disable access", | |
66 | )); | |
67 | ||
68 | map.insert("Datastore.Admin", ( | |
69 | ROLE_DATASTORE_ADMIN, | |
70 | "Datastore Administrator", | |
71 | )); | |
72 | map.insert("Datastore.User", ( | |
73 | ROLE_DATASTORE_USER, | |
74 | "Datastore User", | |
75 | )); | |
76 | map.insert("Datastore.Audit", ( | |
77 | ROLE_DATASTORE_AUDIT, | |
78 | "Datastore Auditor", | |
79 | )); | |
5c6cdf98 DM |
80 | |
81 | map | |
82 | }; | |
83 | } | |
84 | ||
9f4e47dd | 85 | pub fn split_acl_path(path: &str) -> Vec<&str> { |
5c6cdf98 DM |
86 | |
87 | let items = path.split('/'); | |
88 | ||
89 | let mut components = vec![]; | |
90 | ||
91 | for name in items { | |
92 | if name.is_empty() { continue; } | |
93 | components.push(name); | |
94 | } | |
95 | ||
96 | components | |
97 | } | |
98 | ||
99 | pub struct AclTree { | |
ed3e60ae | 100 | pub root: AclTreeNode, |
5c6cdf98 DM |
101 | } |
102 | ||
ed3e60ae DM |
103 | pub struct AclTreeNode { |
104 | pub users: HashMap<String, HashMap<String, bool>>, | |
105 | pub groups: HashMap<String, HashMap<String, bool>>, | |
106 | pub children: BTreeMap<String, AclTreeNode>, | |
5c6cdf98 DM |
107 | } |
108 | ||
109 | impl AclTreeNode { | |
110 | ||
111 | pub fn new() -> Self { | |
112 | Self { | |
113 | users: HashMap::new(), | |
114 | groups: HashMap::new(), | |
a83eab3c | 115 | children: BTreeMap::new(), |
5c6cdf98 DM |
116 | } |
117 | } | |
118 | ||
0815ec7e DM |
119 | pub fn extract_roles(&self, user: &str, all: bool) -> HashSet<String> { |
120 | let user_roles = self.extract_user_roles(user, all); | |
121 | if !user_roles.is_empty() { | |
122 | // user privs always override group privs | |
123 | return user_roles | |
124 | }; | |
125 | ||
126 | self.extract_group_roles(user, all) | |
127 | } | |
128 | ||
129 | pub fn extract_user_roles(&self, user: &str, all: bool) -> HashSet<String> { | |
130 | ||
131 | let mut set = HashSet::new(); | |
132 | ||
133 | let roles = match self.users.get(user) { | |
134 | Some(m) => m, | |
135 | None => return set, | |
136 | }; | |
137 | ||
138 | for (role, propagate) in roles { | |
139 | if *propagate || all { | |
8d048af2 | 140 | if role == ROLE_NAME_NO_ACCESS { |
0815ec7e DM |
141 | // return a set with a single role 'NoAccess' |
142 | let mut set = HashSet::new(); | |
143 | set.insert(role.to_string()); | |
144 | return set; | |
145 | } | |
146 | set.insert(role.to_string()); | |
147 | } | |
148 | } | |
149 | ||
150 | set | |
151 | } | |
152 | ||
153 | pub fn extract_group_roles(&self, _user: &str, all: bool) -> HashSet<String> { | |
154 | ||
155 | let mut set = HashSet::new(); | |
156 | ||
157 | for (_group, roles) in &self.groups { | |
158 | let is_member = false; // fixme: check if user is member of the group | |
159 | if !is_member { continue; } | |
160 | ||
161 | for (role, propagate) in roles { | |
162 | if *propagate || all { | |
8d048af2 | 163 | if role == ROLE_NAME_NO_ACCESS { |
0815ec7e DM |
164 | // return a set with a single role 'NoAccess' |
165 | let mut set = HashSet::new(); | |
166 | set.insert(role.to_string()); | |
167 | return set; | |
168 | } | |
169 | set.insert(role.to_string()); | |
170 | } | |
171 | } | |
172 | } | |
173 | ||
174 | set | |
175 | } | |
176 | ||
9765092e DM |
177 | pub fn delete_group_role(&mut self, group: &str, role: &str) { |
178 | let roles = match self.groups.get_mut(group) { | |
179 | Some(r) => r, | |
180 | None => return, | |
181 | }; | |
182 | roles.remove(role); | |
183 | } | |
184 | ||
185 | pub fn delete_user_role(&mut self, userid: &str, role: &str) { | |
186 | let roles = match self.users.get_mut(userid) { | |
187 | Some(r) => r, | |
188 | None => return, | |
189 | }; | |
190 | roles.remove(role); | |
191 | } | |
192 | ||
5c6cdf98 | 193 | pub fn insert_group_role(&mut self, group: String, role: String, propagate: bool) { |
8d048af2 DM |
194 | let map = self.groups.entry(group).or_insert_with(|| HashMap::new()); |
195 | if role == ROLE_NAME_NO_ACCESS { | |
196 | map.clear(); | |
197 | map.insert(role, propagate); | |
198 | } else { | |
199 | map.remove(ROLE_NAME_NO_ACCESS); | |
200 | map.insert(role, propagate); | |
201 | } | |
5c6cdf98 DM |
202 | } |
203 | ||
204 | pub fn insert_user_role(&mut self, user: String, role: String, propagate: bool) { | |
8d048af2 DM |
205 | let map = self.users.entry(user).or_insert_with(|| HashMap::new()); |
206 | if role == ROLE_NAME_NO_ACCESS { | |
207 | map.clear(); | |
208 | map.insert(role, propagate); | |
209 | } else { | |
210 | map.remove(ROLE_NAME_NO_ACCESS); | |
211 | map.insert(role, propagate); | |
212 | } | |
5c6cdf98 DM |
213 | } |
214 | } | |
215 | ||
216 | impl AclTree { | |
217 | ||
218 | pub fn new() -> Self { | |
219 | Self { root: AclTreeNode::new() } | |
220 | } | |
221 | ||
9765092e DM |
222 | fn get_node(&mut self, path: &[&str]) -> Option<&mut AclTreeNode> { |
223 | let mut node = &mut self.root; | |
224 | for comp in path { | |
225 | node = match node.children.get_mut(*comp) { | |
226 | Some(n) => n, | |
227 | None => return None, | |
228 | }; | |
229 | } | |
230 | Some(node) | |
231 | } | |
232 | ||
5c6cdf98 DM |
233 | fn get_or_insert_node(&mut self, path: &[&str]) -> &mut AclTreeNode { |
234 | let mut node = &mut self.root; | |
235 | for comp in path { | |
236 | node = node.children.entry(String::from(*comp)) | |
237 | .or_insert_with(|| AclTreeNode::new()); | |
238 | } | |
239 | node | |
240 | } | |
241 | ||
9765092e DM |
242 | pub fn delete_group_role(&mut self, path: &str, group: &str, role: &str) { |
243 | let path = split_acl_path(path); | |
244 | let node = match self.get_node(&path) { | |
245 | Some(n) => n, | |
246 | None => return, | |
247 | }; | |
248 | node.delete_group_role(group, role); | |
249 | } | |
250 | ||
251 | pub fn delete_user_role(&mut self, path: &str, userid: &str, role: &str) { | |
252 | let path = split_acl_path(path); | |
253 | let node = match self.get_node(&path) { | |
254 | Some(n) => n, | |
255 | None => return, | |
256 | }; | |
257 | node.delete_user_role(userid, role); | |
258 | } | |
259 | ||
5c6cdf98 DM |
260 | pub fn insert_group_role(&mut self, path: &str, group: &str, role: &str, propagate: bool) { |
261 | let path = split_acl_path(path); | |
262 | let node = self.get_or_insert_node(&path); | |
263 | node.insert_group_role(group.to_string(), role.to_string(), propagate); | |
264 | } | |
265 | ||
266 | pub fn insert_user_role(&mut self, path: &str, user: &str, role: &str, propagate: bool) { | |
267 | let path = split_acl_path(path); | |
268 | let node = self.get_or_insert_node(&path); | |
269 | node.insert_user_role(user.to_string(), role.to_string(), propagate); | |
270 | } | |
271 | ||
272 | fn write_node_config( | |
273 | node: &AclTreeNode, | |
274 | path: &str, | |
275 | w: &mut dyn Write, | |
276 | ) -> Result<(), Error> { | |
277 | ||
278 | let mut role_ug_map0 = HashMap::new(); | |
279 | let mut role_ug_map1 = HashMap::new(); | |
280 | ||
281 | for (user, roles) in &node.users { | |
282 | // no need to save, because root is always 'Administrator' | |
283 | if user == "root@pam" { continue; } | |
284 | for (role, propagate) in roles { | |
285 | let role = role.as_str(); | |
286 | let user = user.to_string(); | |
287 | if *propagate { | |
a83eab3c | 288 | role_ug_map1.entry(role).or_insert_with(|| BTreeSet::new()) |
5c6cdf98 DM |
289 | .insert(user); |
290 | } else { | |
a83eab3c | 291 | role_ug_map0.entry(role).or_insert_with(|| BTreeSet::new()) |
5c6cdf98 DM |
292 | .insert(user); |
293 | } | |
294 | } | |
295 | } | |
296 | ||
297 | for (group, roles) in &node.groups { | |
298 | for (role, propagate) in roles { | |
299 | let group = format!("@{}", group); | |
300 | if *propagate { | |
a83eab3c | 301 | role_ug_map1.entry(role).or_insert_with(|| BTreeSet::new()) |
5c6cdf98 DM |
302 | .insert(group); |
303 | } else { | |
a83eab3c | 304 | role_ug_map0.entry(role).or_insert_with(|| BTreeSet::new()) |
5c6cdf98 DM |
305 | .insert(group); |
306 | } | |
307 | } | |
308 | } | |
309 | ||
310 | fn group_by_property_list( | |
a83eab3c DM |
311 | item_property_map: &HashMap<&str, BTreeSet<String>>, |
312 | ) -> BTreeMap<String, BTreeSet<String>> { | |
313 | let mut result_map = BTreeMap::new(); | |
5c6cdf98 | 314 | for (item, property_map) in item_property_map { |
a83eab3c DM |
315 | let item_list = property_map.iter().fold(String::new(), |mut acc, v| { |
316 | if !acc.is_empty() { acc.push(','); } | |
317 | acc.push_str(v); | |
318 | acc | |
319 | }); | |
320 | result_map.entry(item_list).or_insert_with(|| BTreeSet::new()) | |
5c6cdf98 DM |
321 | .insert(item.to_string()); |
322 | } | |
323 | result_map | |
324 | } | |
325 | ||
a83eab3c DM |
326 | let uglist_role_map0 = group_by_property_list(&role_ug_map0); |
327 | let uglist_role_map1 = group_by_property_list(&role_ug_map1); | |
5c6cdf98 | 328 | |
8d048af2 DM |
329 | fn role_list(roles: &BTreeSet<String>) -> String { |
330 | if roles.contains(ROLE_NAME_NO_ACCESS) { return String::from(ROLE_NAME_NO_ACCESS); } | |
331 | roles.iter().fold(String::new(), |mut acc, v| { | |
a83eab3c DM |
332 | if !acc.is_empty() { acc.push(','); } |
333 | acc.push_str(v); | |
334 | acc | |
8d048af2 | 335 | }) |
5c6cdf98 DM |
336 | } |
337 | ||
8d048af2 DM |
338 | for (uglist, roles) in &uglist_role_map0 { |
339 | let role_list = role_list(roles); | |
340 | writeln!(w, "acl:0:{}:{}:{}", if path.is_empty() { "/" } else { path }, uglist, role_list)?; | |
341 | } | |
342 | ||
343 | for (uglist, roles) in &uglist_role_map1 { | |
344 | let role_list = role_list(roles); | |
345 | writeln!(w, "acl:1:{}:{}:{}", if path.is_empty() { "/" } else { path }, uglist, role_list)?; | |
5c6cdf98 DM |
346 | } |
347 | ||
a83eab3c | 348 | for (name, child) in node.children.iter() { |
5c6cdf98 DM |
349 | let child_path = format!("{}/{}", path, name); |
350 | Self::write_node_config(child, &child_path, w)?; | |
351 | } | |
352 | ||
353 | Ok(()) | |
354 | } | |
355 | ||
356 | pub fn write_config(&self, w: &mut dyn Write) -> Result<(), Error> { | |
357 | Self::write_node_config(&self.root, "", w) | |
358 | } | |
359 | ||
360 | fn parse_acl_line(&mut self, line: &str) -> Result<(), Error> { | |
361 | ||
362 | let items: Vec<&str> = line.split(':').collect(); | |
363 | ||
364 | if items.len() != 5 { | |
365 | bail!("wrong number of items."); | |
366 | } | |
367 | ||
368 | if items[0] != "acl" { | |
369 | bail!("line does not start with 'acl'."); | |
370 | } | |
371 | ||
372 | let propagate = if items[1] == "0" { | |
373 | false | |
374 | } else if items[1] == "1" { | |
375 | true | |
376 | } else { | |
377 | bail!("expected '0' or '1' for propagate flag."); | |
378 | }; | |
379 | ||
380 | let path = split_acl_path(items[2]); | |
381 | let node = self.get_or_insert_node(&path); | |
382 | ||
383 | let uglist: Vec<&str> = items[3].split(',').map(|v| v.trim()).collect(); | |
384 | ||
385 | let rolelist: Vec<&str> = items[4].split(',').map(|v| v.trim()).collect(); | |
386 | ||
387 | for user_or_group in &uglist { | |
388 | for role in &rolelist { | |
389 | if !ROLE_NAMES.contains_key(role) { | |
390 | bail!("unknown role '{}'", role); | |
391 | } | |
392 | if user_or_group.starts_with('@') { | |
393 | let group = &user_or_group[1..]; | |
394 | node.insert_group_role(group.to_string(), role.to_string(), propagate); | |
395 | } else { | |
396 | node.insert_user_role(user_or_group.to_string(), role.to_string(), propagate); | |
397 | } | |
398 | } | |
399 | } | |
400 | ||
401 | Ok(()) | |
402 | } | |
403 | ||
404 | pub fn load(filename: &Path) -> Result<(Self, [u8;32]), Error> { | |
405 | let mut tree = Self::new(); | |
406 | ||
407 | let raw = match std::fs::read_to_string(filename) { | |
408 | Ok(v) => v, | |
409 | Err(err) => { | |
410 | if err.kind() == std::io::ErrorKind::NotFound { | |
411 | String::new() | |
412 | } else { | |
413 | bail!("unable to read acl config {:?} - {}", filename, err); | |
414 | } | |
415 | } | |
416 | }; | |
417 | ||
418 | let digest = openssl::sha::sha256(raw.as_bytes()); | |
419 | ||
420 | for (linenr, line) in raw.lines().enumerate() { | |
0815ec7e DM |
421 | let line = line.trim(); |
422 | if line.is_empty() { continue; } | |
5c6cdf98 | 423 | if let Err(err) = tree.parse_acl_line(line) { |
0815ec7e DM |
424 | bail!("unable to parse acl config {:?}, line {} - {}", |
425 | filename, linenr+1, err); | |
5c6cdf98 DM |
426 | } |
427 | } | |
428 | ||
429 | Ok((tree, digest)) | |
430 | } | |
0815ec7e DM |
431 | |
432 | pub fn from_raw(raw: &str) -> Result<Self, Error> { | |
433 | let mut tree = Self::new(); | |
434 | for (linenr, line) in raw.lines().enumerate() { | |
435 | let line = line.trim(); | |
436 | if line.is_empty() { continue; } | |
437 | if let Err(err) = tree.parse_acl_line(line) { | |
438 | bail!("unable to parse acl config data, line {} - {}", linenr+1, err); | |
439 | } | |
440 | } | |
441 | Ok(tree) | |
442 | } | |
443 | ||
444 | pub fn roles(&self, userid: &str, path: &[&str]) -> HashSet<String> { | |
445 | ||
446 | let mut node = &self.root; | |
447 | let mut role_set = node.extract_roles(userid, path.is_empty()); | |
448 | ||
449 | for (pos, comp) in path.iter().enumerate() { | |
450 | let last_comp = (pos + 1) == path.len(); | |
451 | node = match node.children.get(*comp) { | |
452 | Some(n) => n, | |
453 | None => return role_set, // path not found | |
454 | }; | |
455 | let new_set = node.extract_roles(userid, last_comp); | |
456 | if !new_set.is_empty() { | |
457 | // overwrite previous settings | |
458 | role_set = new_set; | |
459 | } | |
460 | } | |
461 | ||
462 | role_set | |
463 | } | |
5c6cdf98 DM |
464 | } |
465 | ||
466 | pub const ACL_CFG_FILENAME: &str = "/etc/proxmox-backup/acl.cfg"; | |
467 | pub const ACL_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.acl.lck"; | |
468 | ||
469 | pub fn config() -> Result<(AclTree, [u8; 32]), Error> { | |
470 | let path = PathBuf::from(ACL_CFG_FILENAME); | |
471 | AclTree::load(&path) | |
472 | } | |
473 | ||
5354511f DM |
474 | pub fn cached_config() -> Result<Arc<AclTree>, Error> { |
475 | ||
476 | struct ConfigCache { | |
477 | data: Option<Arc<AclTree>>, | |
478 | last_mtime: i64, | |
479 | last_mtime_nsec: i64, | |
480 | } | |
481 | ||
482 | lazy_static! { | |
483 | static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new( | |
484 | ConfigCache { data: None, last_mtime: 0, last_mtime_nsec: 0 }); | |
485 | } | |
486 | ||
487 | let stat = nix::sys::stat::stat(ACL_CFG_FILENAME)?; | |
488 | ||
489 | { // limit scope | |
490 | let cache = CACHED_CONFIG.read().unwrap(); | |
491 | if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec { | |
492 | if let Some(ref config) = cache.data { | |
493 | return Ok(config.clone()); | |
494 | } | |
495 | } | |
496 | } | |
497 | ||
498 | let (config, _digest) = config()?; | |
499 | let config = Arc::new(config); | |
500 | ||
501 | let mut cache = CACHED_CONFIG.write().unwrap(); | |
502 | cache.last_mtime = stat.st_mtime; | |
503 | cache.last_mtime_nsec = stat.st_mtime_nsec; | |
504 | cache.data = Some(config.clone()); | |
505 | ||
506 | Ok(config) | |
507 | } | |
508 | ||
9765092e | 509 | pub fn save_config(acl: &AclTree) -> Result<(), Error> { |
5c6cdf98 DM |
510 | let mut raw: Vec<u8> = Vec::new(); |
511 | ||
512 | acl.write_config(&mut raw)?; | |
513 | ||
514 | let backup_user = crate::backup::backup_user()?; | |
515 | let mode = nix::sys::stat::Mode::from_bits_truncate(0o0640); | |
516 | // set the correct owner/group/permissions while saving file | |
517 | // owner(rw) = root, group(r)= backup | |
518 | let options = CreateOptions::new() | |
519 | .perm(mode) | |
520 | .owner(nix::unistd::ROOT) | |
521 | .group(backup_user.gid); | |
522 | ||
9765092e | 523 | replace_file(ACL_CFG_FILENAME, &raw, options)?; |
5c6cdf98 DM |
524 | |
525 | Ok(()) | |
526 | } | |
0815ec7e | 527 | |
0815ec7e DM |
528 | #[cfg(test)] |
529 | mod test { | |
530 | ||
f7d4e4b5 | 531 | use anyhow::{Error}; |
0815ec7e DM |
532 | use super::AclTree; |
533 | ||
534 | fn check_roles( | |
535 | tree: &AclTree, | |
536 | user: &str, | |
537 | path: &str, | |
538 | expected_roles: &str, | |
539 | ) { | |
540 | ||
541 | let path_vec = super::split_acl_path(path); | |
542 | let mut roles = tree.roles(user, &path_vec) | |
543 | .iter().map(|v| v.clone()).collect::<Vec<String>>(); | |
544 | roles.sort(); | |
545 | let roles = roles.join(","); | |
546 | ||
547 | assert_eq!(roles, expected_roles, "\nat check_roles for '{}' on '{}'", user, path); | |
548 | } | |
549 | ||
550 | #[test] | |
551 | fn test_acl_line_compression() -> Result<(), Error> { | |
552 | ||
553 | let tree = AclTree::from_raw(r###" | |
554 | acl:0:/store/store2:user1:Admin | |
555 | acl:0:/store/store2:user2:Admin | |
9765092e DM |
556 | acl:0:/store/store2:user1:Datastore.User |
557 | acl:0:/store/store2:user2:Datastore.User | |
0815ec7e DM |
558 | "###)?; |
559 | ||
560 | let mut raw: Vec<u8> = Vec::new(); | |
561 | tree.write_config(&mut raw)?; | |
562 | let raw = std::str::from_utf8(&raw)?; | |
563 | ||
9765092e | 564 | assert_eq!(raw, "acl:0:/store/store2:user1,user2:Admin,Datastore.User\n"); |
0815ec7e DM |
565 | |
566 | Ok(()) | |
567 | } | |
568 | ||
569 | #[test] | |
570 | fn test_roles_1() -> Result<(), Error> { | |
571 | ||
572 | let tree = AclTree::from_raw(r###" | |
573 | acl:1:/storage:user1@pbs:Admin | |
9765092e DM |
574 | acl:1:/storage/store1:user1@pbs:Datastore.User |
575 | acl:1:/storage/store2:user2@pbs:Datastore.User | |
0815ec7e DM |
576 | "###)?; |
577 | check_roles(&tree, "user1@pbs", "/", ""); | |
578 | check_roles(&tree, "user1@pbs", "/storage", "Admin"); | |
9765092e | 579 | check_roles(&tree, "user1@pbs", "/storage/store1", "Datastore.User"); |
0815ec7e DM |
580 | check_roles(&tree, "user1@pbs", "/storage/store2", "Admin"); |
581 | ||
582 | check_roles(&tree, "user2@pbs", "/", ""); | |
583 | check_roles(&tree, "user2@pbs", "/storage", ""); | |
584 | check_roles(&tree, "user2@pbs", "/storage/store1", ""); | |
9765092e | 585 | check_roles(&tree, "user2@pbs", "/storage/store2", "Datastore.User"); |
0815ec7e DM |
586 | |
587 | Ok(()) | |
588 | } | |
589 | ||
590 | #[test] | |
591 | fn test_role_no_access() -> Result<(), Error> { | |
592 | ||
593 | let tree = AclTree::from_raw(r###" | |
594 | acl:1:/:user1@pbs:Admin | |
595 | acl:1:/storage:user1@pbs:NoAccess | |
9765092e | 596 | acl:1:/storage/store1:user1@pbs:Datastore.User |
0815ec7e DM |
597 | "###)?; |
598 | check_roles(&tree, "user1@pbs", "/", "Admin"); | |
599 | check_roles(&tree, "user1@pbs", "/storage", "NoAccess"); | |
9765092e | 600 | check_roles(&tree, "user1@pbs", "/storage/store1", "Datastore.User"); |
0815ec7e DM |
601 | check_roles(&tree, "user1@pbs", "/storage/store2", "NoAccess"); |
602 | check_roles(&tree, "user1@pbs", "/system", "Admin"); | |
603 | ||
604 | let tree = AclTree::from_raw(r###" | |
605 | acl:1:/:user1@pbs:Admin | |
606 | acl:0:/storage:user1@pbs:NoAccess | |
9765092e | 607 | acl:1:/storage/store1:user1@pbs:Datastore.User |
0815ec7e DM |
608 | "###)?; |
609 | check_roles(&tree, "user1@pbs", "/", "Admin"); | |
610 | check_roles(&tree, "user1@pbs", "/storage", "NoAccess"); | |
9765092e | 611 | check_roles(&tree, "user1@pbs", "/storage/store1", "Datastore.User"); |
0815ec7e DM |
612 | check_roles(&tree, "user1@pbs", "/storage/store2", "Admin"); |
613 | check_roles(&tree, "user1@pbs", "/system", "Admin"); | |
614 | ||
615 | Ok(()) | |
616 | } | |
8d048af2 DM |
617 | |
618 | #[test] | |
619 | fn test_role_add_delete() -> Result<(), Error> { | |
620 | ||
621 | let mut tree = AclTree::new(); | |
622 | ||
623 | tree.insert_user_role("/", "user1@pbs", "Admin", true); | |
624 | tree.insert_user_role("/", "user1@pbs", "Audit", true); | |
625 | ||
626 | check_roles(&tree, "user1@pbs", "/", "Admin,Audit"); | |
627 | ||
628 | tree.insert_user_role("/", "user1@pbs", "NoAccess", true); | |
629 | check_roles(&tree, "user1@pbs", "/", "NoAccess"); | |
630 | ||
631 | let mut raw: Vec<u8> = Vec::new(); | |
632 | tree.write_config(&mut raw)?; | |
633 | let raw = std::str::from_utf8(&raw)?; | |
634 | ||
635 | assert_eq!(raw, "acl:1:/:user1@pbs:NoAccess\n"); | |
636 | ||
637 | Ok(()) | |
638 | } | |
639 | ||
640 | #[test] | |
641 | fn test_no_access_overwrite() -> Result<(), Error> { | |
642 | ||
643 | let mut tree = AclTree::new(); | |
644 | ||
645 | tree.insert_user_role("/storage", "user1@pbs", "NoAccess", true); | |
646 | ||
647 | check_roles(&tree, "user1@pbs", "/storage", "NoAccess"); | |
648 | ||
649 | tree.insert_user_role("/storage", "user1@pbs", "Admin", true); | |
650 | tree.insert_user_role("/storage", "user1@pbs", "Audit", true); | |
651 | ||
652 | check_roles(&tree, "user1@pbs", "/storage", "Admin,Audit"); | |
653 | ||
654 | tree.insert_user_role("/storage", "user1@pbs", "NoAccess", true); | |
655 | ||
656 | check_roles(&tree, "user1@pbs", "/storage", "NoAccess"); | |
657 | ||
658 | Ok(()) | |
659 | } | |
660 | ||
0815ec7e | 661 | } |