sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = $rpcenv->roles($user, $path);
+ my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
my $res = join(',', sort @ra);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
print "ROLES:$path:$user:$res\n";
}
+sub check_permissions {
+ my ($user, $path, $expected_result) = @_;
+
+ my $perm = $rpcenv->permissions($user, $path);
+ my $res = join(',', sort keys %$perm);
+
+ die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
+ if $res ne $expected_result;
+
+ $perm = $rpcenv->permissions($user, $path);
+ $res = join(',', sort keys %$perm);
+ die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
+ if $res ne $expected_result;
+
+ print "PERM:$path:$user:$res\n";
+}
+
check_roles('User1@pve', '', '');
check_roles('User2@pve', '', '');
check_roles('User3@pve', '', '');
check_roles('User3@pve', '/vms/300', 'NoAccess');
check_roles('User4@pve', '/vms/300', 'Role1');
-check_roles('User1@pve', '/vms/500', 'RoleDEVEL,RoleTEST1');
-check_roles('User2@pve', '/vms/500', 'RoleDEVEL,RoleTEST1');
+check_permissions('User1@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
+check_permissions('User2@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
+# without pool
check_roles('User3@pve', '/vms/500', 'NoAccess');
+# with pool
+check_permissions('User3@pve', '/vms/500', '');
+# without pool
check_roles('User4@pve', '/vms/500', '');
+# with pool
+check_permissions('User4@pve', '/vms/500', '');
+
-check_roles('User1@pve', '/vms/600', 'RoleMARKETING,RoleTEST1');
-check_roles('User2@pve', '/vms/600', 'RoleTEST1');
-check_roles('User3@pve', '/vms/600', 'NoAccess');
-check_roles('User4@pve', '/vms/600', 'RoleMARKETING');
+check_permissions('User1@pve', '/vms/600', 'VM.Console');
+check_permissions('User2@pve', '/vms/600', 'VM.Console');
+check_permissions('User3@pve', '/vms/600', '');
+check_permissions('User4@pve', '/vms/600', 'VM.Console');
-check_roles('User1@pve', '/storage/store1', 'RoleDEVEL,RoleMARKETING');
-check_roles('User2@pve', '/storage/store1', 'RoleDEVEL');
-check_roles('User3@pve', '/storage/store1', 'RoleDEVEL');
-check_roles('User4@pve', '/storage/store1', 'RoleMARKETING');
+check_permissions('User1@pve', '/storage/store1', 'VM.Console,VM.PowerMgmt');
+check_permissions('User2@pve', '/storage/store1', 'VM.PowerMgmt');
+check_permissions('User3@pve', '/storage/store1', 'VM.PowerMgmt');
+check_permissions('User4@pve', '/storage/store1', 'VM.Console');
-check_roles('User1@pve', '/storage/store2', 'RoleDEVEL');
-check_roles('User2@pve', '/storage/store2', 'RoleDEVEL');
-check_roles('User3@pve', '/storage/store2', 'RoleDEVEL');
-check_roles('User4@pve', '/storage/store2', '');
+check_permissions('User1@pve', '/storage/store2', 'VM.PowerMgmt');
+check_permissions('User2@pve', '/storage/store2', 'VM.PowerMgmt');
+check_permissions('User3@pve', '/storage/store2', 'VM.PowerMgmt');
+check_permissions('User4@pve', '/storage/store2', '');
print "all tests passed\n";