[pve-access-control.git] / PVE / RPCEnvironment.pm

package PVE::RPCEnvironment;

use strict;
use warnings;

use PVE::RESTEnvironment;

use PVE::Exception qw(raise raise_perm_exc);
use PVE::SafeSyslog;
use PVE::Tools;
use PVE::INotify;
use PVE::Cluster;
use PVE::ProcFSTools;
use PVE::AccessControl;

use base qw(PVE::RESTEnvironment);

# ACL cache

my $compile_acl_path = sub {
    my ($self, $user, $path) = @_;

    my $cfg = $self->{user_cfg};

    return undef if !$cfg->{roles};

    die "internal error" if $user eq 'root@pam';

    my $cache = $self->{aclcache};
    $cache->{$user} = {} if !$cache->{$user};
    my $data = $cache->{$user};

    if (!$data->{poolroles}) {
	$data->{poolroles} = {};

	foreach my $pool (keys %{$cfg->{pools}}) {
	    my $d = $cfg->{pools}->{$pool};
	    my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
	    next if !scalar(@ra);
	    foreach my $vmid (keys %{$d->{vms}}) {
		for my $role (@ra) {
		    $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
		}
	    }
	    foreach my $storeid (keys %{$d->{storage}}) {
		for my $role (@ra) {
		    $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
		}
	    }
	}
    }

    my @ra = PVE::AccessControl::roles($cfg, $user, $path);

    # apply roles inherited from pools
    # Note: assume we do not want to propagate those privs
    if ($data->{poolroles}->{$path}) {
	if (!($ra[0] && $ra[0] eq 'NoAccess')) {
	    if ($data->{poolroles}->{$path}->{NoAccess}) {
		@ra = ('NoAccess');
	    } else {
		foreach my $role (keys %{$data->{poolroles}->{$path}}) {
		    push @ra, $role;
		}
	    }
	}
    }

    $data->{roles}->{$path} = [ @ra ];

    my $privs = {};
    foreach my $role (@ra) {
	if (my $privset = $cfg->{roles}->{$role}) {
	    foreach my $p (keys %$privset) {
		$privs->{$p} = 1;
	    }
	}
    }
    $data->{privs}->{$path} = $privs;

    return $privs;
};

sub roles {
   my ($self, $user, $path) = @_;

   if ($user eq 'root@pam') { # root can do anything
       return ('Administrator');
   }

   $user = PVE::AccessControl::verify_username($user, 1);
   return () if !$user;

   my $cache = $self->{aclcache};
   $cache->{$user} = {} if !$cache->{$user};

   my $acl = $cache->{$user};

   my $roles = $acl->{roles}->{$path};
   return @$roles if $roles;

   &$compile_acl_path($self, $user, $path);
   $roles = $acl->{roles}->{$path} || [];
   return @$roles;
}

sub permissions {
    my ($self, $user, $path) = @_;

    if ($user eq 'root@pam') { # root can do anything
	my $cfg = $self->{user_cfg};
	return $cfg->{roles}->{'Administrator'};
    }

    $user = PVE::AccessControl::verify_username($user, 1);
    return {} if !$user;

    my $cache = $self->{aclcache};
    $cache->{$user} = {} if !$cache->{$user};

    my $acl = $cache->{$user};

    my $perm = $acl->{privs}->{$path};
    return $perm if $perm;

    return &$compile_acl_path($self, $user, $path);
}

sub check {
    my ($self, $user, $path, $privs, $noerr) = @_;

    my $perm = $self->permissions($user, $path);

    foreach my $priv (@$privs) {
	PVE::AccessControl::verify_privname($priv);
	if (!$perm->{$priv}) {
	    return undef if $noerr;
	    raise_perm_exc("$path, $priv");
	}
    };

    return 1;
};

sub check_any {
    my ($self, $user, $path, $privs, $noerr) = @_;

    my $perm = $self->permissions($user, $path);

    my $found = 0;
    foreach my $priv (@$privs) {
	PVE::AccessControl::verify_privname($priv);
	if ($perm->{$priv}) {
	    $found = 1;
	    last;
	}
    };

    return 1 if $found;

    return undef if $noerr;

    raise_perm_exc("$path, " . join("|", @$privs));
};

sub check_full {
    my ($self, $username, $path, $privs, $any, $noerr) = @_;
    if ($any) {
	return $self->check_any($username, $path, $privs, $noerr);
    } else {
	return $self->check($username, $path, $privs, $noerr);
    }
}

sub check_user_enabled {
    my ($self, $user, $noerr) = @_;

    my $cfg = $self->{user_cfg};
    return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
}

sub check_user_exist {
    my ($self, $user, $noerr) = @_;

    my $cfg = $self->{user_cfg};
    return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
}

sub check_pool_exist {
    my ($self, $pool, $noerr) = @_;

    my $cfg = $self->{user_cfg};

    return 1 if $cfg->{pools}->{$pool};

    return undef if $noerr;

    raise_perm_exc("pool '$pool' does not exist");
}

sub check_vm_perm {
    my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;

    my $cfg = $self->{user_cfg};

    if ($pool) {
	return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
    }
    return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
};

sub is_group_member {
    my ($self, $group, $user) = @_;

    my $cfg = $self->{user_cfg};

    return 0 if !$cfg->{groups}->{$group};

    return defined($cfg->{groups}->{$group}->{users}->{$user});
}

sub filter_groups {
    my ($self, $user, $privs, $any) = @_;

    my $cfg = $self->{user_cfg};

    my $groups = {};
    foreach my $group (keys %{$cfg->{groups}}) {
	my $path = "/access/groups/$group";
	if ($self->check_full($user, $path, $privs, $any, 1)) {
	    $groups->{$group} = $cfg->{groups}->{$group};
	}
    }

    return $groups;
}

sub group_member_join {
    my ($self, $grouplist) = @_;

    my $users = {};

    my $cfg = $self->{user_cfg};
    foreach my $group (@$grouplist) {
	my $data = $cfg->{groups}->{$group};
	next if !$data;
	foreach my $user (keys %{$data->{users}}) {
	    $users->{$user} = 1;
	}
    }

    return $users;
}

sub check_perm_modify {
    my ($self, $username, $path, $noerr) = @_;

    return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;

    my $testperms = [ 'Permissions.Modify' ];
    if ($path =~ m|^/storage/.+$|) {
	push @$testperms, 'Datastore.Allocate';
    } elsif ($path =~ m|^/vms/.+$|) {
	push @$testperms, 'VM.Allocate';
    } elsif ($path =~ m|^/pool/.+$|) {
	push @$testperms, 'Pool.Allocate';
    }

    return $self->check_any($username, $path, $testperms, $noerr);
}

sub exec_api2_perm_check {
    my ($self, $check, $username, $param, $noerr) = @_;

    # syslog("info", "CHECK " . join(', ', @$check));

    my $ind = 0;
    my $test = $check->[$ind++];
    die "no permission test specified" if !$test;

    if ($test eq 'and') {
	while (my $subcheck = $check->[$ind++]) {
	    $self->exec_api2_perm_check($subcheck, $username, $param);
	}
	return 1;
    } elsif ($test eq 'or') {
	while (my $subcheck = $check->[$ind++]) {
	    return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
	}
	return 0 if $noerr;
	raise_perm_exc();
    } elsif ($test eq 'perm') {
	my ($t, $tmplpath, $privs, %options) = @$check;
	my $any = $options{any};
	die "missing parameters" if !($tmplpath && $privs);
	my $require_param = $options{require_param};
	if ($require_param && !defined($param->{$require_param})) {
	    return 0 if $noerr;
	    raise_perm_exc();
	}
	my $path = PVE::Tools::template_replace($tmplpath, $param);
	$path = PVE::AccessControl::normalize_path($path);
	return $self->check_full($username, $path, $privs, $any, $noerr);
    } elsif ($test eq 'userid-group') {
	my $userid = $param->{userid};
	my ($t, $privs, %options) = @$check;
	return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
	    my $groups = $self->filter_groups($username, $privs, 1);
	    if ($options{groups_param}) {
		my @group_param = PVE::Tools::split_list($param->{groups});
		raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param);
		foreach my $pg (@group_param) {
		    raise_perm_exc("/access/groups/$pg, " . join("|", @$privs))
			if !$groups->{$pg};
		}
	    } else {
		my $allowed_users = $self->group_member_join([keys %$groups]);
		if (!$allowed_users->{$userid}) {
		    return 0 if $noerr;
		    raise_perm_exc();
		}
	    }
	}
	return 1;
    } elsif ($test eq 'userid-param') {
	my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
	my ($t, $subtest) = @$check;
	die "missing parameters" if !$subtest;
	if ($subtest eq 'self') {
	    return 0 if !$self->check_user_exist($userid, $noerr);
	    return 1 if $username eq $userid;
	    return 0 if $noerr;
	    raise_perm_exc();
	} elsif ($subtest eq 'Realm.AllocateUser') {
	    my $path =  "/access/realm/$realm";
	    return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
	} else {
	    die "unknown userid-param test";
	}
     } elsif ($test eq 'perm-modify') {
	my ($t, $tmplpath) = @$check;
	my $path = PVE::Tools::template_replace($tmplpath, $param);
	$path = PVE::AccessControl::normalize_path($path);
	return $self->check_perm_modify($username, $path, $noerr);
   } else {
	die "unknown permission test";
    }
};

sub check_api2_permissions {
    my ($self, $perm, $username, $param) = @_;

    return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';

    raise_perm_exc("user != null") if !$username;

    return 1 if $username eq 'root@pam';

    raise_perm_exc('user != root@pam') if !$perm;

    return 1 if $perm->{user} && $perm->{user} eq 'all';

    return $self->exec_api2_perm_check($perm->{check}, $username, $param)
	if $perm->{check};

    raise_perm_exc();
}

sub log_cluster_msg {
    my ($self, $pri, $user, $msg) = @_;

    PVE::Cluster::log_msg($pri, $user, $msg);
}

sub broadcast_tasklist {
    my ($self, $tlist) = @_;

    PVE::Cluster::broadcast_tasklist($tlist);
}

# initialize environment - must be called once at program startup
sub init {
    my ($class, $type, %params) = @_;

    $class = ref($class) || $class;

    my $self = $class->SUPER::init($type, %params);

    $self->{user_cfg} = {};
    $self->{aclcache} = {};
    $self->{aclversion} = undef;

    return $self;
};


# init_request - must be called before each RPC request
sub init_request {
    my ($self, %params) = @_;

    PVE::Cluster::cfs_update();

    $self->{result_attributes} = {};

    my $userconfig; # we use this for regression tests
    foreach my $p (keys %params) {
	if ($p eq 'userconfig') {
	    $userconfig = $params{$p};
	} else {
	    die "unknown parameter '$p'";
	}
    }

    eval {
	$self->{aclcache} = {};
	if ($userconfig) {
	    my $ucdata = PVE::Tools::file_get_contents($userconfig);
	    my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
	    $self->{user_cfg} = $cfg;
	} else {
	    my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
	    if (!$self->{aclcache} || !defined($self->{aclversion}) ||
		!defined($ucvers) ||  ($ucvers ne $self->{aclversion})) {
		$self->{aclversion} = $ucvers;
		my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
		$self->{user_cfg} = $cfg;
	    }
	}
    };
    if (my $err = $@) {
	$self->{user_cfg} = {};
	die "Unable to load access control list: $err";
    }
}

# hacks: to provide better backwards compatibiliy

# old code uses PVE::RPCEnvironment::get();
# new code should use PVE::RPCEnvironment->get();
sub get {
    return PVE::RESTEnvironment->get();
}

# old code uses PVE::RPCEnvironment::is_worker();
# new code should use PVE::RPCEnvironment->is_worker();
sub is_worker {
    return PVE::RESTEnvironment->is_worker();
}

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::RPCEnvironment;
	2
	3	use strict;
	4	use warnings;
c104e4ab DM	5
	6	use PVE::RESTEnvironment;
	7
37d45deb	8	use PVE::Exception qw(raise raise_perm_exc);
2c3a6c0a DM	9	use PVE::SafeSyslog;
	10	use PVE::Tools;
	11	use PVE::INotify;
	12	use PVE::Cluster;
	13	use PVE::ProcFSTools;
	14	use PVE::AccessControl;
	15
c104e4ab	16	use base qw(PVE::RESTEnvironment);
2c3a6c0a	17
2c3a6c0a DM	18	# ACL cache
2c3a6c0a DM	19
4bc17477 DM	20	my $compile_acl_path = sub {
4bc17477 DM	21	my ($self, $user, $path) = @_;
2c3a6c0a	22
2c3a6c0a DM	23	my $cfg = $self->{user_cfg};
	24
	25	return undef if !$cfg->{roles};
	26
4bc17477	27	die "internal error" if $user eq 'root@pam';
2c3a6c0a	28
4bc17477 DM	29	my $cache = $self->{aclcache};
	30	$cache->{$user} = {} if !$cache->{$user};
	31	my $data = $cache->{$user};
2c3a6c0a	32
4bc17477	33	if (!$data->{poolroles}) {
c104e4ab DM	34	$data->{poolroles} = {};
c104e4ab DM	35
39c85db8 DM	36	foreach my $pool (keys %{$cfg->{pools}}) {
	37	my $d = $cfg->{pools}->{$pool};
	38	my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
4bc17477 DM	39	next if !scalar(@ra);
	40	foreach my $vmid (keys %{$d->{vms}}) {
	41	for my $role (@ra) {
	42	$data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
2c3a6c0a DM	43	}
2c3a6c0a DM	44	}
4bc17477 DM	45	foreach my $storeid (keys %{$d->{storage}}) {
	46	for my $role (@ra) {
	47	$data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
	48	}
	49	}
	50	}
	51	}
	52
	53	my @ra = PVE::AccessControl::roles($cfg, $user, $path);
	54
	55	# apply roles inherited from pools
	56	# Note: assume we do not want to propagate those privs
	57	if ($data->{poolroles}->{$path}) {
	58	if (!($ra[0] && $ra[0] eq 'NoAccess')) {
8ade28e6 DM	59	if ($data->{poolroles}->{$path}->{NoAccess}) {
	60	@ra = ('NoAccess');
	61	} else {
	62	foreach my $role (keys %{$data->{poolroles}->{$path}}) {
	63	push @ra, $role;
	64	}
4bc17477	65	}
2c3a6c0a	66	}
4bc17477	67	}
2c3a6c0a	68
4bc17477	69	$data->{roles}->{$path} = [ @ra ];
c104e4ab	70
4bc17477 DM	71	my $privs = {};
	72	foreach my $role (@ra) {
	73	if (my $privset = $cfg->{roles}->{$role}) {
	74	foreach my $p (keys %$privset) {
	75	$privs->{$p} = 1;
	76	}
	77	}
2c3a6c0a	78	}
4bc17477	79	$data->{privs}->{$path} = $privs;
2c3a6c0a	80
4bc17477	81	return $privs;
2c3a6c0a DM	82	};
2c3a6c0a DM	83
4bc17477 DM	84	sub roles {
	85	my ($self, $user, $path) = @_;
	86
	87	if ($user eq 'root@pam') { # root can do anything
	88	return ('Administrator');
c104e4ab	89	}
4bc17477 DM	90
	91	$user = PVE::AccessControl::verify_username($user, 1);
	92	return () if !$user;
	93
	94	my $cache = $self->{aclcache};
	95	$cache->{$user} = {} if !$cache->{$user};
	96
	97	my $acl = $cache->{$user};
	98
	99	my $roles = $acl->{roles}->{$path};
	100	return @$roles if $roles;
	101
	102	&$compile_acl_path($self, $user, $path);
	103	$roles = $acl->{roles}->{$path} \|\| [];
	104	return @$roles;
	105	}
	106
2c3a6c0a DM	107	sub permissions {
	108	my ($self, $user, $path) = @_;
	109
4bc17477 DM	110	if ($user eq 'root@pam') { # root can do anything
	111	my $cfg = $self->{user_cfg};
	112	return $cfg->{roles}->{'Administrator'};
c104e4ab	113	}
4bc17477	114
2c3a6c0a DM	115	$user = PVE::AccessControl::verify_username($user, 1);
	116	return {} if !$user;
	117
	118	my $cache = $self->{aclcache};
4bc17477	119	$cache->{$user} = {} if !$cache->{$user};
2c3a6c0a DM	120
	121	my $acl = $cache->{$user};
	122
4bc17477 DM	123	my $perm = $acl->{privs}->{$path};
4bc17477 DM	124	return $perm if $perm;
2c3a6c0a	125
4bc17477	126	return &$compile_acl_path($self, $user, $path);
2c3a6c0a DM	127	}
	128
	129	sub check {
37d45deb	130	my ($self, $user, $path, $privs, $noerr) = @_;
2c3a6c0a DM	131
	132	my $perm = $self->permissions($user, $path);
	133
	134	foreach my $priv (@$privs) {
37d45deb DM	135	PVE::AccessControl::verify_privname($priv);
	136	if (!$perm->{$priv}) {
	137	return undef if $noerr;
c104e4ab	138	raise_perm_exc("$path, $priv");
37d45deb	139	}
2c3a6c0a DM	140	};
	141
	142	return 1;
	143	};
	144
37d45deb DM	145	sub check_any {
	146	my ($self, $user, $path, $privs, $noerr) = @_;
	147
	148	my $perm = $self->permissions($user, $path);
efce1d57	149
37d45deb DM	150	my $found = 0;
	151	foreach my $priv (@$privs) {
	152	PVE::AccessControl::verify_privname($priv);
	153	if ($perm->{$priv}) {
	154	$found = 1;
	155	last;
	156	}
	157	};
	158
	159	return 1 if $found;
	160
	161	return undef if $noerr;
	162
c104e4ab	163	raise_perm_exc("$path, " . join("\|", @$privs));
37d45deb DM	164	};
37d45deb DM	165
c4a776a6 DM	166	sub check_full {
	167	my ($self, $username, $path, $privs, $any, $noerr) = @_;
	168	if ($any) {
	169	return $self->check_any($username, $path, $privs, $noerr);
	170	} else {
	171	return $self->check($username, $path, $privs, $noerr);
	172	}
	173	}
	174
7070c1ae DM	175	sub check_user_enabled {
7070c1ae DM	176	my ($self, $user, $noerr) = @_;
c104e4ab	177
2c3a6c0a	178	my $cfg = $self->{user_cfg};
7070c1ae	179	return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
2c3a6c0a DM	180	}
2c3a6c0a DM	181
37d45deb DM	182	sub check_user_exist {
37d45deb DM	183	my ($self, $user, $noerr) = @_;
c104e4ab	184
37d45deb DM	185	my $cfg = $self->{user_cfg};
	186	return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
	187	}
	188
a23cec1f DM	189	sub check_pool_exist {
	190	my ($self, $pool, $noerr) = @_;
	191
	192	my $cfg = $self->{user_cfg};
	193
	194	return 1 if $cfg->{pools}->{$pool};
	195
	196	return undef if $noerr;
	197
c104e4ab	198	raise_perm_exc("pool '$pool' does not exist");
a23cec1f DM	199	}
	200
	201	sub check_vm_perm {
	202	my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;
	203
	204	my $cfg = $self->{user_cfg};
c104e4ab	205
a23cec1f DM	206	if ($pool) {
	207	return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
	208	}
	209	return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
	210	};
	211
37d45deb DM	212	sub is_group_member {
	213	my ($self, $group, $user) = @_;
	214
	215	my $cfg = $self->{user_cfg};
	216
	217	return 0 if !$cfg->{groups}->{$group};
	218
	219	return defined($cfg->{groups}->{$group}->{users}->{$user});
	220	}
	221
	222	sub filter_groups {
b9180ed2	223	my ($self, $user, $privs, $any) = @_;
37d45deb DM	224
	225	my $cfg = $self->{user_cfg};
	226
	227	my $groups = {};
	228	foreach my $group (keys %{$cfg->{groups}}) {
b9180ed2	229	my $path = "/access/groups/$group";
c4a776a6 DM	230	if ($self->check_full($user, $path, $privs, $any, 1)) {
c4a776a6 DM	231	$groups->{$group} = $cfg->{groups}->{$group};
37d45deb DM	232	}
	233	}
	234
	235	return $groups;
	236	}
	237
	238	sub group_member_join {
	239	my ($self, $grouplist) = @_;
	240
	241	my $users = {};
	242
	243	my $cfg = $self->{user_cfg};
	244	foreach my $group (@$grouplist) {
	245	my $data = $cfg->{groups}->{$group};
	246	next if !$data;
	247	foreach my $user (keys %{$data->{users}}) {
	248	$users->{$user} = 1;
	249	}
	250	}
	251
	252	return $users;
	253	}
	254
e3a3a0d7 DM	255	sub check_perm_modify {
	256	my ($self, $username, $path, $noerr) = @_;
	257
	258	return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
	259
	260	my $testperms = [ 'Permissions.Modify' ];
	261	if ($path =~ m\|^/storage/.+$\|) {
	262	push @$testperms, 'Datastore.Allocate';
	263	} elsif ($path =~ m\|^/vms/.+$\|) {
	264	push @$testperms, 'VM.Allocate';
7a7a517a DM	265	} elsif ($path =~ m\|^/pool/.+$\|) {
7a7a517a DM	266	push @$testperms, 'Pool.Allocate';
e3a3a0d7 DM	267	}
	268
	269	return $self->check_any($username, $path, $testperms, $noerr);
	270	}
	271
f8cc5a5f DM	272	sub exec_api2_perm_check {
	273	my ($self, $check, $username, $param, $noerr) = @_;
	274
	275	# syslog("info", "CHECK " . join(', ', @$check));
	276
	277	my $ind = 0;
	278	my $test = $check->[$ind++];
	279	die "no permission test specified" if !$test;
c104e4ab	280
f8cc5a5f DM	281	if ($test eq 'and') {
f8cc5a5f DM	282	while (my $subcheck = $check->[$ind++]) {
c104e4ab	283	$self->exec_api2_perm_check($subcheck, $username, $param);
f8cc5a5f DM	284	}
	285	return 1;
	286	} elsif ($test eq 'or') {
	287	while (my $subcheck = $check->[$ind++]) {
c104e4ab	288	return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
f8cc5a5f DM	289	}
	290	return 0 if $noerr;
	291	raise_perm_exc();
	292	} elsif ($test eq 'perm') {
	293	my ($t, $tmplpath, $privs, %options) = @$check;
	294	my $any = $options{any};
	295	die "missing parameters" if !($tmplpath && $privs);
c4a776a6 DM	296	my $require_param = $options{require_param};
	297	if ($require_param && !defined($param->{$require_param})) {
	298	return 0 if $noerr;
	299	raise_perm_exc();
	300	}
f8cc5a5f	301	my $path = PVE::Tools::template_replace($tmplpath, $param);
e3a3a0d7	302	$path = PVE::AccessControl::normalize_path($path);
c4a776a6	303	return $self->check_full($username, $path, $privs, $any, $noerr);
f8cc5a5f DM	304	} elsif ($test eq 'userid-group') {
	305	my $userid = $param->{userid};
	306	my ($t, $privs, %options) = @$check;
82b63965 DM	307	return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
82b63965 DM	308	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
f8cc5a5f DM	309	my $groups = $self->filter_groups($username, $privs, 1);
	310	if ($options{groups_param}) {
	311	my @group_param = PVE::Tools::split_list($param->{groups});
82b63965	312	raise_perm_exc("/access/groups, " . join("\|", @$privs)) if !scalar(@group_param);
f8cc5a5f DM	313	foreach my $pg (@group_param) {
	314	raise_perm_exc("/access/groups/$pg, " . join("\|", @$privs))
	315	if !$groups->{$pg};
	316	}
	317	} else {
	318	my $allowed_users = $self->group_member_join([keys %$groups]);
	319	if (!$allowed_users->{$userid}) {
	320	return 0 if $noerr;
	321	raise_perm_exc();
	322	}
	323	}
	324	}
	325	return 1;
	326	} elsif ($test eq 'userid-param') {
09d27058	327	my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
f8cc5a5f DM	328	my ($t, $subtest) = @$check;
	329	die "missing parameters" if !$subtest;
	330	if ($subtest eq 'self') {
a69bbe2e	331	return 0 if !$self->check_user_exist($userid, $noerr);
1cf154b7	332	return 1 if $username eq $userid;
f8cc5a5f DM	333	return 0 if $noerr;
f8cc5a5f DM	334	raise_perm_exc();
82b63965 DM	335	} elsif ($subtest eq 'Realm.AllocateUser') {
	336	my $path = "/access/realm/$realm";
	337	return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
f8cc5a5f DM	338	} else {
	339	die "unknown userid-param test";
	340	}
82b63965	341	} elsif ($test eq 'perm-modify') {
e3a3a0d7 DM	342	my ($t, $tmplpath) = @$check;
	343	my $path = PVE::Tools::template_replace($tmplpath, $param);
	344	$path = PVE::AccessControl::normalize_path($path);
	345	return $self->check_perm_modify($username, $path, $noerr);
	346	} else {
f8cc5a5f DM	347	die "unknown permission test";
	348	}
	349	};
	350
	351	sub check_api2_permissions {
	352	my ($self, $perm, $username, $param) = @_;
	353
d146e520	354	return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';
f8cc5a5f DM	355
	356	raise_perm_exc("user != null") if !$username;
	357
	358	return 1 if $username eq 'root@pam';
	359
	360	raise_perm_exc('user != root@pam') if !$perm;
	361
	362	return 1 if $perm->{user} && $perm->{user} eq 'all';
	363
c104e4ab	364	return $self->exec_api2_perm_check($perm->{check}, $username, $param)
f8cc5a5f DM	365	if $perm->{check};
	366
	367	raise_perm_exc();
	368	}
	369
c104e4ab DM	370	sub log_cluster_msg {
c104e4ab DM	371	my ($self, $pri, $user, $msg) = @_;
2c3a6c0a	372
c104e4ab DM	373	PVE::Cluster::log_msg($pri, $user, $msg);
c104e4ab DM	374	}
2c3a6c0a	375
c104e4ab DM	376	sub broadcast_tasklist {
c104e4ab DM	377	my ($self, $tlist) = @_;
2c3a6c0a	378
c104e4ab DM	379	PVE::Cluster::broadcast_tasklist($tlist);
c104e4ab DM	380	}
2c3a6c0a	381
c104e4ab DM	382	# initialize environment - must be called once at program startup
	383	sub init {
	384	my ($class, $type, %params) = @_;
86c4f1e6 DM	385
86c4f1e6 DM	386	$class = ref($class) \|\| $class;
5ae5900d	387
c104e4ab	388	my $self = $class->SUPER::init($type, %params);
5ae5900d	389
c104e4ab DM	390	$self->{user_cfg} = {};
	391	$self->{aclcache} = {};
	392	$self->{aclversion} = undef;
2c3a6c0a	393
c104e4ab DM	394	return $self;
c104e4ab DM	395	};
2c3a6c0a	396
2c3a6c0a DM	397
	398	# init_request - must be called before each RPC request
	399	sub init_request {
	400	my ($self, %params) = @_;
	401
	402	PVE::Cluster::cfs_update();
	403
be6ea723	404	$self->{result_attributes} = {};
272fe9ff	405
2c3a6c0a DM	406	my $userconfig; # we use this for regression tests
	407	foreach my $p (keys %params) {
	408	if ($p eq 'userconfig') {
	409	$userconfig = $params{$p};
	410	} else {
	411	die "unknown parameter '$p'";
	412	}
	413	}
	414
	415	eval {
	416	$self->{aclcache} = {};
	417	if ($userconfig) {
	418	my $ucdata = PVE::Tools::file_get_contents($userconfig);
	419	my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
	420	$self->{user_cfg} = $cfg;
	421	} else {
c104e4ab DM	422	my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
c104e4ab DM	423	if (!$self->{aclcache} \|\| !defined($self->{aclversion}) \|\|
2c3a6c0a DM	424	!defined($ucvers) \|\| ($ucvers ne $self->{aclversion})) {
	425	$self->{aclversion} = $ucvers;
	426	my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
	427	$self->{user_cfg} = $cfg;
	428	}
	429	}
	430	};
	431	if (my $err = $@) {
	432	$self->{user_cfg} = {};
	433	die "Unable to load access control list: $err";
	434	}
	435	}
	436
c104e4ab	437	# hacks: to provide better backwards compatibiliy
2c3a6c0a	438
c104e4ab DM	439	# old code uses PVE::RPCEnvironment::get();
	440	# new code should use PVE::RPCEnvironment->get();
	441	sub get {
	442	return PVE::RESTEnvironment->get();
2c3a6c0a DM	443	}
2c3a6c0a DM	444
c104e4ab DM	445	# old code uses PVE::RPCEnvironment::is_worker();
c104e4ab DM	446	# new code should use PVE::RPCEnvironment->is_worker();
7b6dfe82	447	sub is_worker {
c104e4ab	448	return PVE::RESTEnvironment->is_worker();
2c3a6c0a DM	449	}
	450
	451	1;