X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;ds=sidebyside;f=PVE%2FRPCEnvironment.pm;h=7532e9eca0245dd76f11d75dcd3c9c85081c840f;hb=5bb4e06a6440c8b67e67e14de9e42ba17a966b23;hp=0df71dca594099544d2cdc5961c31831927947ff;hpb=8ade28e6850c260322ffb36e97dc31f12ef8f1e1;p=pve-access-control.git

diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index 0df71dc..7532e9e 100644
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -14,6 +14,7 @@ use PVE::INotify;
 use PVE::Cluster;
 use PVE::ProcFSTools;
 use PVE::AccessControl;
+use Cwd 'abs_path';
 use CGI;
 
 # we use this singleton class to pass RPC related environment values
@@ -106,9 +107,9 @@ my $compile_acl_path = sub {
     if (!$data->{poolroles}) {
 	$data->{poolroles} = {}; 
  
-	foreach my $poolpath (keys %{$cfg->{pools}}) {
-	    my $d = $cfg->{pools}->{$poolpath};
-	    my @ra = PVE::AccessControl::roles($cfg, $user, "/pool$poolpath"); # pool roles
+	foreach my $pool (keys %{$cfg->{pools}}) {
+	    my $d = $cfg->{pools}->{$pool};
+	    my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
 	    next if !scalar(@ra);
 	    foreach my $vmid (keys %{$d->{vms}}) {
 		for my $role (@ra) {
@@ -236,6 +237,15 @@ sub check_any {
     raise_perm_exc("$path, " . join("|", @$privs)); 
 };
 
+sub check_full {
+    my ($self, $username, $path, $privs, $any, $noerr) = @_;
+    if ($any) {
+	return $self->check_any($username, $path, $privs, $noerr);
+    } else {
+	return $self->check($username, $path, $privs, $noerr);
+    }
+}
+
 sub check_user_enabled {
     my ($self, $user, $noerr) = @_;
     
@@ -250,6 +260,54 @@ sub check_user_exist {
     return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
 }
 
+sub check_pool_exist {
+    my ($self, $pool, $noerr) = @_;
+
+    my $cfg = $self->{user_cfg};
+
+    return 1 if $cfg->{pools}->{$pool};
+
+    return undef if $noerr;
+
+    raise_perm_exc("pool '$pool' does not exist"); 
+}
+
+sub check_vm_perm {
+    my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;
+
+    my $cfg = $self->{user_cfg};
+   
+    if ($pool) {
+	return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
+    }
+    return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
+};
+
+sub check_volume_access {
+    my ($self, $user, $storecfg, $vmid, $volid) = @_;
+
+    # test if we have read access to volid
+
+    my $path;
+    my ($sid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
+    if ($sid) {
+	my ($ownervm, $vtype);
+	($path, $ownervm, $vtype) = PVE::Storage::path($storecfg, $volid);
+	if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
+	    # we simply allow access 
+	} elsif (!$ownervm || ($ownervm != $vmid)) {
+	    # allow if we are Datastore administrator
+	    $self->check($user, "/storage/$sid", ['Datastore.Allocate']);
+	}
+    } else {
+	die "Only root can pass arbitrary filesystem paths."
+	    if $user ne 'root@pam';
+
+	$path = abs_path($volid);
+    }
+    return $path;
+}
+
 sub is_group_member {
     my ($self, $group, $user) = @_;
 
@@ -268,14 +326,8 @@ sub filter_groups {
     my $groups = {};
     foreach my $group (keys %{$cfg->{groups}}) {
 	my $path = "/access/groups/$group";
-	if ($any) {
-	    if ($self->check_any($user, $path, $privs, 1)) {
-		$groups->{$group} = $cfg->{groups}->{$group};
-	    }
-	} else {
-	    if ($self->check($user, $path, $privs, 1)) {
-		$groups->{$group} = $cfg->{groups}->{$group};
-	    }
+	if ($self->check_full($user, $path, $privs, $any, 1)) {
+	    $groups->{$group} = $cfg->{groups}->{$group};
 	}
     }
 
@@ -299,6 +351,23 @@ sub group_member_join {
     return $users;
 }
 
+sub check_perm_modify {
+    my ($self, $username, $path, $noerr) = @_;
+
+    return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
+
+    my $testperms = [ 'Permissions.Modify' ];
+    if ($path =~ m|^/storage/.+$|) {
+	push @$testperms, 'Datastore.Allocate';
+    } elsif ($path =~ m|^/vms/.+$|) {
+	push @$testperms, 'VM.Allocate';
+    } elsif ($path =~ m|^/pool/.+$|) {
+	push @$testperms, 'Pool.Allocate';
+    }
+
+    return $self->check_any($username, $path, $testperms, $noerr);
+}
+
 sub exec_api2_perm_check {
     my ($self, $check, $username, $param, $noerr) = @_;
 
@@ -323,21 +392,23 @@ sub exec_api2_perm_check {
 	my ($t, $tmplpath, $privs, %options) = @$check;
 	my $any = $options{any};
 	die "missing parameters" if !($tmplpath && $privs);
-	my $path = PVE::Tools::template_replace($tmplpath, $param);
-	if ($any) {
-	    return $self->check_any($username, $path, $privs, $noerr);
-	} else {
-	    return $self->check($username, $path, $privs, $noerr);
+	my $require_param = $options{require_param};
+	if ($require_param && !defined($param->{$require_param})) {
+	    return 0 if $noerr;
+	    raise_perm_exc();
 	}
+	my $path = PVE::Tools::template_replace($tmplpath, $param);
+	$path = PVE::AccessControl::normalize_path($path);
+	return $self->check_full($username, $path, $privs, $any, $noerr);
     } elsif ($test eq 'userid-group') {
 	my $userid = $param->{userid};
 	my ($t, $privs, %options) = @$check;
-	return if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
-	if (!$self->check_any($username, "/access", $privs, 1)) {
+	return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
+	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
 	    my $groups = $self->filter_groups($username, $privs, 1);
 	    if ($options{groups_param}) {
 		my @group_param = PVE::Tools::split_list($param->{groups});
-		raise_perm_exc("/access, " . join("|", @$privs)) if !scalar(@group_param);
+		raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param);
 		foreach my $pg (@group_param) {
 		    raise_perm_exc("/access/groups/$pg, " . join("|", @$privs))
 			if !$groups->{$pg};
@@ -352,18 +423,26 @@ sub exec_api2_perm_check {
 	}
 	return 1;
     } elsif ($test eq 'userid-param') {
-	my $userid = $param->{userid};
-	return if !$self->check_user_exist($userid, $noerr);
+	my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
 	my ($t, $subtest) = @$check;
 	die "missing parameters" if !$subtest;
 	if ($subtest eq 'self') {
-	    return 1 if $username eq 'userid';
+	    return 0 if !$self->check_user_exist($userid, $noerr);
+	    return 1 if $username eq $userid;
 	    return 0 if $noerr;
 	    raise_perm_exc();
+	} elsif ($subtest eq 'Realm.AllocateUser') {
+	    my $path =  "/access/realm/$realm";
+	    return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
 	} else {
 	    die "unknown userid-param test";
 	}
-    } else {
+     } elsif ($test eq 'perm-modify') {
+	my ($t, $tmplpath) = @$check;
+	my $path = PVE::Tools::template_replace($tmplpath, $param);
+	$path = PVE::AccessControl::normalize_path($path);
+	return $self->check_perm_modify($username, $path, $noerr);
+   } else {
 	die "unknown permission test";
     }
 };
@@ -741,14 +820,14 @@ sub check_worker {
 # STDOUT,STDERR are redirected to the filename returned by upid_decode
 # NOTE: we simulate running in foreground if ($self->{type} eq 'cli')
 sub fork_worker {
-    my ($self, $dtype, $id, $user, $function) = @_;
+    my ($self, $dtype, $id, $user, $function, $background) = @_;
 
     $dtype = 'unknown' if !defined ($dtype);
     $id = '' if !defined ($id);
 
     $user = 'root@pve' if !defined ($user);
 
-    my $sync = $self->{type} eq 'cli' ? 1 : 0;
+    my $sync = ($self->{type} eq 'cli' && !$background) ? 1 : 0;
 
     local $SIG{INT} = 
 	local $SIG{QUIT} =