]> git.proxmox.com Git - proxmox-backup.git/blob - src/api2/access/acl.rs
projects / proxmox-backup.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
improve code docs in api2
[proxmox-backup.git] / src / api2 / access / acl.rs
1 //! Manage Access Control Lists
2
3 use anyhow::{bail, Error};
4
5 use proxmox::api::{api, Router, RpcEnvironment, Permission};
6 use proxmox::tools::fs::open_file_locked;
7
8 use crate::api2::types::*;
9 use crate::config::acl;
10 use crate::config::acl::{Role, PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
11 use crate::config::cached_user_info::CachedUserInfo;
12
13 fn extract_acl_node_data(
14 node: &acl::AclTreeNode,
15 path: &str,
16 list: &mut Vec<AclListItem>,
17 exact: bool,
18 token_user: &Option<Authid>,
19 ) {
20 // tokens can't have tokens, so we can early return
21 if let Some(token_user) = token_user {
22 if token_user.is_token() {
23 return;
24 }
25 }
26
27 for (user, roles) in &node.users {
28 if let Some(token_user) = token_user {
29 if !user.is_token()
30 || user.user() != token_user.user() {
31 continue;
32 }
33 }
34
35 for (role, propagate) in roles {
36 list.push(AclListItem {
37 path: if path.is_empty() { String::from("/") } else { path.to_string() },
38 propagate: *propagate,
39 ugid_type: String::from("user"),
40 ugid: user.to_string(),
41 roleid: role.to_string(),
42 });
43 }
44 }
45 for (group, roles) in &node.groups {
46 if token_user.is_some() {
47 continue;
48 }
49
50 for (role, propagate) in roles {
51 list.push(AclListItem {
52 path: if path.is_empty() { String::from("/") } else { path.to_string() },
53 propagate: *propagate,
54 ugid_type: String::from("group"),
55 ugid: group.to_string(),
56 roleid: role.to_string(),
57 });
58 }
59 }
60 if exact {
61 return;
62 }
63 for (comp, child) in &node.children {
64 let new_path = format!("{}/{}", path, comp);
65 extract_acl_node_data(child, &new_path, list, exact, token_user);
66 }
67 }
68
69 #[api(
70 input: {
71 properties: {
72 path: {
73 schema: ACL_PATH_SCHEMA,
74 optional: true,
75 },
76 exact: {
77 description: "If set, returns only ACL for the exact path.",
78 type: bool,
79 optional: true,
80 default: false,
81 },
82 },
83 },
84 returns: {
85 description: "ACL entry list.",
86 type: Array,
87 items: {
88 type: AclListItem,
89 }
90 },
91 access: {
92 permission: &Permission::Anybody,
93 description: "Returns all ACLs if user has Sys.Audit on '/access/acl', or just the ACLs containing the user's API tokens.",
94 },
95 )]
96 /// Read Access Control List (ACLs).
97 pub fn read_acl(
98 path: Option<String>,
99 exact: bool,
100 mut rpcenv: &mut dyn RpcEnvironment,
101 ) -> Result<Vec<AclListItem>, Error> {
102 let auth_id = rpcenv.get_auth_id().unwrap().parse()?;
103
104 let user_info = CachedUserInfo::new()?;
105
106 let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "acl"]);
107 let auth_id_filter = if (top_level_privs & PRIV_SYS_AUDIT) == 0 {
108 Some(auth_id)
109 } else {
110 None
111 };
112
113 let (mut tree, digest) = acl::config()?;
114
115 let mut list: Vec<AclListItem> = Vec::new();
116 if let Some(path) = &path {
117 if let Some(node) = &tree.find_node(path) {
118 extract_acl_node_data(&node, path, &mut list, exact, &auth_id_filter);
119 }
120 } else {
121 extract_acl_node_data(&tree.root, "", &mut list, exact, &auth_id_filter);
122 }
123
124 rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
125
126 Ok(list)
127 }
128
129 #[api(
130 protected: true,
131 input: {
132 properties: {
133 path: {
134 schema: ACL_PATH_SCHEMA,
135 },
136 role: {
137 type: Role,
138 },
139 propagate: {
140 optional: true,
141 schema: ACL_PROPAGATE_SCHEMA,
142 },
143 "auth-id": {
144 optional: true,
145 type: Authid,
146 },
147 group: {
148 optional: true,
149 schema: PROXMOX_GROUP_ID_SCHEMA,
150 },
151 delete: {
152 optional: true,
153 description: "Remove permissions (instead of adding it).",
154 type: bool,
155 },
156 digest: {
157 optional: true,
158 schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
159 },
160 },
161 },
162 access: {
163 permission: &Permission::Anybody,
164 description: "Requires Permissions.Modify on '/access/acl', limited to updating ACLs of the user's API tokens otherwise."
165 },
166 )]
167 /// Update Access Control List (ACLs).
168 pub fn update_acl(
169 path: String,
170 role: String,
171 propagate: Option<bool>,
172 auth_id: Option<Authid>,
173 group: Option<String>,
174 delete: Option<bool>,
175 digest: Option<String>,
176 rpcenv: &mut dyn RpcEnvironment,
177 ) -> Result<(), Error> {
178 let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
179
180 let user_info = CachedUserInfo::new()?;
181
182 let top_level_privs = user_info.lookup_privs(&current_auth_id, &["access", "acl"]);
183 if top_level_privs & PRIV_PERMISSIONS_MODIFY == 0 {
184 if group.is_some() {
185 bail!("Unprivileged users are not allowed to create group ACL item.");
186 }
187
188 match &auth_id {
189 Some(auth_id) => {
190 if current_auth_id.is_token() {
191 bail!("Unprivileged API tokens can't set ACL items.");
192 } else if !auth_id.is_token() {
193 bail!("Unprivileged users can only set ACL items for API tokens.");
194 } else if auth_id.user() != current_auth_id.user() {
195 bail!("Unprivileged users can only set ACL items for their own API tokens.");
196 }
197 },
198 None => { bail!("Unprivileged user needs to provide auth_id to update ACL item."); },
199 };
200 }
201
202 let _lock = open_file_locked(acl::ACL_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
203
204 let (mut tree, expected_digest) = acl::config()?;
205
206 if let Some(ref digest) = digest {
207 let digest = proxmox::tools::hex_to_digest(digest)?;
208 crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
209 }
210
211 let propagate = propagate.unwrap_or(true);
212
213 let delete = delete.unwrap_or(false);
214
215 if let Some(ref _group) = group {
216 bail!("parameter 'group' - groups are currently not supported.");
217 } else if let Some(ref auth_id) = auth_id {
218 if !delete { // Note: we allow to delete non-existent users
219 let user_cfg = crate::config::user::cached_config()?;
220 if user_cfg.sections.get(&auth_id.to_string()).is_none() {
221 bail!(format!("no such {}.",
222 if auth_id.is_token() { "API token" } else { "user" }));
223 }
224 }
225 } else {
226 bail!("missing 'userid' or 'group' parameter.");
227 }
228
229 if !delete { // Note: we allow to delete entries with invalid path
230 acl::check_acl_path(&path)?;
231 }
232
233 if let Some(auth_id) = auth_id {
234 if delete {
235 tree.delete_user_role(&path, &auth_id, &role);
236 } else {
237 tree.insert_user_role(&path, &auth_id, &role, propagate);
238 }
239 } else if let Some(group) = group {
240 if delete {
241 tree.delete_group_role(&path, &group, &role);
242 } else {
243 tree.insert_group_role(&path, &group, &role, propagate);
244 }
245 }
246
247 acl::save_config(&tree)?;
248
249 Ok(())
250 }
251
252 pub const ROUTER: Router = Router::new()
253 .get(&API_METHOD_READ_ACL)
254 .put(&API_METHOD_UPDATE_ACL);
Proxmox Backup Server and Client