[pve-access-control.git] / src / PVE / RPCEnvironment.pm

package PVE::RPCEnvironment;

use strict;
use warnings;

use PVE::AccessControl;
use PVE::Cluster;
use PVE::Exception qw(raise raise_perm_exc);
use PVE::INotify;
use PVE::ProcFSTools;
use PVE::RESTEnvironment;
use PVE::SafeSyslog;
use PVE::Tools;

use base qw(PVE::RESTEnvironment);

# ACL cache

my $compile_acl_path = sub {
    my ($self, $user, $path) = @_;

    my $cfg = $self->{user_cfg};

    return undef if !$cfg->{roles};

    die "internal error" if $user eq 'root@pam';

    my $cache = $self->{aclcache};
    $cache->{$user} = {} if !$cache->{$user};
    my $data = $cache->{$user};

    my ($username, undef) = PVE::AccessControl::split_tokenid($user, 1);
    die "internal error" if $username && $username ne 'root@pam' && !defined($cache->{$username});

    if (!$data->{poolroles}) {
	$data->{poolroles} = {};

	foreach my $pool (keys %{$cfg->{pools}}) {
	    my $d = $cfg->{pools}->{$pool};
	    my $pool_roles = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
	    next if !scalar(keys %$pool_roles);
	    foreach my $vmid (keys %{$d->{vms}}) {
		for my $role (keys %$pool_roles) {
		    $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
		}
	    }
	    foreach my $storeid (keys %{$d->{storage}}) {
		for my $role (keys %$pool_roles) {
		    $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
		}
	    }
	}
    }

    my $roles = PVE::AccessControl::roles($cfg, $user, $path);

    # apply roles inherited from pools
    # Note: assume we do not want to propagate those privs
    if ($data->{poolroles}->{$path}) {
	if (!defined($roles->{NoAccess})) {
	    if ($data->{poolroles}->{$path}->{NoAccess}) {
		$roles = { 'NoAccess' => 0 };
	    } else {
		foreach my $role (keys %{$data->{poolroles}->{$path}}) {
		    $roles->{$role} = 0 if !defined($roles->{$role});
		}
	    }
	}
    }

    $data->{roles}->{$path} = $roles;

    my $privs = {};
    foreach my $role (keys %$roles) {
	if (my $privset = $cfg->{roles}->{$role}) {
	    foreach my $p (keys %$privset) {
		$privs->{$p} = $roles->{$role};
	    }
	}
    }

    if ($username && $username ne 'root@pam') {
	# intersect user and token permissions
	my $user_privs = $cache->{$username}->{privs}->{$path};
	$privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } keys %$privs };
    }

    $data->{privs}->{$path} = $privs;

    return $privs;
};

sub permissions {
    my ($self, $user, $path) = @_;

    if ($user eq 'root@pam') { # root can do anything
	my $cfg = $self->{user_cfg};
	return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
    }

    if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
	my ($username, $token) = PVE::AccessControl::split_tokenid($user);
	my $cfg = $self->{user_cfg};
	my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};

	return {} if !$token_info;

	# ensure cache for user is populated
	my $user_perms = $self->permissions($username, $path);

	# return user privs for non-privsep tokens
	return $user_perms if !$token_info->{privsep};
    } else {
	$user = PVE::AccessControl::verify_username($user, 1);
	return {} if !$user;
    }

    my $cache = $self->{aclcache};
    $cache->{$user} = {} if !$cache->{$user};

    my $acl = $cache->{$user};

    my $perm = $acl->{privs}->{$path};
    return $perm if $perm;

    return &$compile_acl_path($self, $user, $path);
}

sub get_effective_permissions {
    my ($self, $user) = @_;

    # default / top level paths
    my $paths = {
	'/' => 1,
	'/access' => 1,
	'/access/groups' => 1,
	'/nodes' => 1,
	'/pools' => 1,
	'/storage' => 1,
	'/vms' => 1,
    };

    my $cfg = $self->{user_cfg};

    # paths explicitly listed in ACLs
    foreach my $acl_path (keys %{$cfg->{acl}}) {
	$paths->{$acl_path} = 1;
    }

    # paths referenced by pool definitions
    foreach my $pool (keys %{$cfg->{pools}}) {
	my $d = $cfg->{pools}->{$pool};
	foreach my $vmid (keys %{$d->{vms}}) {
	    $paths->{"/vms/$vmid"} = 1;
	}
	foreach my $storeid (keys %{$d->{storage}}) {
	    $paths->{"/storage/$storeid"} = 1;
	}
    }

    my $perms = {};
    foreach my $path (keys %$paths) {
	my $path_perms = $self->permissions($user, $path);
	# filter paths where user has NO permissions
	$perms->{$path} = $path_perms if %$path_perms;
    }
    return $perms;
}

sub check {
    my ($self, $user, $path, $privs, $noerr) = @_;

    my $perm = $self->permissions($user, $path);

    foreach my $priv (@$privs) {
	PVE::AccessControl::verify_privname($priv);
	if (!defined($perm->{$priv})) {
	    return undef if $noerr;
	    raise_perm_exc("$path, $priv");
	}
    };

    return 1;
};

sub check_any {
    my ($self, $user, $path, $privs, $noerr) = @_;

    my $perm = $self->permissions($user, $path);

    my $found = 0;
    foreach my $priv (@$privs) {
	PVE::AccessControl::verify_privname($priv);
	if (defined($perm->{$priv})) {
	    $found = 1;
	    last;
	}
    };

    return 1 if $found;

    return undef if $noerr;

    raise_perm_exc("$path, " . join("|", @$privs));
};

sub check_full {
    my ($self, $username, $path, $privs, $any, $noerr) = @_;
    if ($any) {
	return $self->check_any($username, $path, $privs, $noerr);
    } else {
	return $self->check($username, $path, $privs, $noerr);
    }
}

sub check_user_enabled {
    my ($self, $user, $noerr) = @_;

    my $cfg = $self->{user_cfg};
    return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
}

sub check_user_exist {
    my ($self, $user, $noerr) = @_;

    my $cfg = $self->{user_cfg};
    return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
}

sub check_pool_exist {
    my ($self, $pool, $noerr) = @_;

    my $cfg = $self->{user_cfg};

    return 1 if $cfg->{pools}->{$pool};

    return undef if $noerr;

    raise_perm_exc("pool '$pool' does not exist");
}

sub check_vm_perm {
    my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;

    my $cfg = $self->{user_cfg};

    if ($pool) {
	return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
    }
    return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
};

sub is_group_member {
    my ($self, $group, $user) = @_;

    my $cfg = $self->{user_cfg};

    return 0 if !$cfg->{groups}->{$group};

    return defined($cfg->{groups}->{$group}->{users}->{$user});
}

sub filter_groups {
    my ($self, $user, $privs, $any) = @_;

    my $cfg = $self->{user_cfg};

    my $groups = {};
    foreach my $group (keys %{$cfg->{groups}}) {
	my $path = "/access/groups/$group";
	if ($self->check_full($user, $path, $privs, $any, 1)) {
	    $groups->{$group} = $cfg->{groups}->{$group};
	}
    }

    return $groups;
}

sub group_member_join {
    my ($self, $grouplist) = @_;

    my $users = {};

    my $cfg = $self->{user_cfg};
    foreach my $group (@$grouplist) {
	my $data = $cfg->{groups}->{$group};
	next if !$data;
	foreach my $user (keys %{$data->{users}}) {
	    $users->{$user} = 1;
	}
    }

    return $users;
}

sub check_perm_modify {
    my ($self, $username, $path, $noerr) = @_;

    return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;

    my $testperms = [ 'Permissions.Modify' ];
    if ($path =~ m|^/storage/.+$|) {
	push @$testperms, 'Datastore.Allocate';
    } elsif ($path =~ m|^/vms/.+$|) {
	push @$testperms, 'VM.Allocate';
    } elsif ($path =~ m|^/pool/.+$|) {
	push @$testperms, 'Pool.Allocate';
    }

    return $self->check_any($username, $path, $testperms, $noerr);
}

sub exec_api2_perm_check {
    my ($self, $check, $username, $param, $noerr) = @_;

    # syslog("info", "CHECK " . join(', ', @$check));

    my $ind = 0;
    my $test = $check->[$ind++];
    die "no permission test specified" if !$test;

    if ($test eq 'and') {
	while (my $subcheck = $check->[$ind++]) {
	    $self->exec_api2_perm_check($subcheck, $username, $param);
	}
	return 1;
    } elsif ($test eq 'or') {
	while (my $subcheck = $check->[$ind++]) {
	    return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
	}
	return 0 if $noerr;
	raise_perm_exc();
    } elsif ($test eq 'perm') {
	my ($t, $tmplpath, $privs, %options) = @$check;
	my $any = $options{any};
	die "missing parameters" if !($tmplpath && $privs);
	my $require_param = $options{require_param};
	if ($require_param && !defined($param->{$require_param})) {
	    return 0 if $noerr;
	    raise_perm_exc();
	}
	my $path = PVE::Tools::template_replace($tmplpath, $param);
	$path = PVE::AccessControl::normalize_path($path);
	return $self->check_full($username, $path, $privs, $any, $noerr);
    } elsif ($test eq 'userid-group') {
	my $userid = $param->{userid};
	my ($t, $privs, %options) = @$check;
	return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
	    my $groups = $self->filter_groups($username, $privs, 1);
	    if ($options{groups_param}) {
		my @group_param = PVE::Tools::split_list($param->{groups});
		raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param);
		foreach my $pg (@group_param) {
		    raise_perm_exc("/access/groups/$pg, " . join("|", @$privs))
			if !$groups->{$pg};
		}
	    } else {
		my $allowed_users = $self->group_member_join([keys %$groups]);
		if (!$allowed_users->{$userid}) {
		    return 0 if $noerr;
		    raise_perm_exc();
		}
	    }
	}
	return 1;
    } elsif ($test eq 'userid-param') {
	my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
	my ($t, $subtest) = @$check;
	die "missing parameters" if !$subtest;
	if ($subtest eq 'self') {
	    return 0 if !$self->check_user_exist($userid, $noerr);
	    return 1 if $username eq $userid;
	    return 0 if $noerr;
	    raise_perm_exc();
	} elsif ($subtest eq 'Realm.AllocateUser') {
	    my $path =  "/access/realm/$realm";
	    return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
	} else {
	    die "unknown userid-param test";
	}
     } elsif ($test eq 'perm-modify') {
	my ($t, $tmplpath) = @$check;
	my $path = PVE::Tools::template_replace($tmplpath, $param);
	$path = PVE::AccessControl::normalize_path($path);
	return $self->check_perm_modify($username, $path, $noerr);
   } else {
	die "unknown permission test";
    }
};

sub check_api2_permissions {
    my ($self, $perm, $username, $param) = @_;

    return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';

    raise_perm_exc("user != null") if !$username;

    return 1 if $username eq 'root@pam';

    raise_perm_exc('user != root@pam') if !$perm;

    return 1 if $perm->{user} && $perm->{user} eq 'all';

    return $self->exec_api2_perm_check($perm->{check}, $username, $param)
	if $perm->{check};

    raise_perm_exc();
}

sub log_cluster_msg {
    my ($self, $pri, $user, $msg) = @_;

    PVE::Cluster::log_msg($pri, $user, $msg);
}

sub broadcast_tasklist {
    my ($self, $tlist) = @_;

    PVE::Cluster::broadcast_tasklist($tlist);
}

# initialize environment - must be called once at program startup
sub init {
    my ($class, $type, %params) = @_;

    $class = ref($class) || $class;

    my $self = $class->SUPER::init($type, %params);

    $self->{user_cfg} = {};
    $self->{aclcache} = {};
    $self->{aclversion} = undef;

    return $self;
};


# init_request - must be called before each RPC request
sub init_request {
    my ($self, %params) = @_;

    PVE::Cluster::cfs_update();

    $self->{result_attributes} = {};

    my $userconfig; # we use this for regression tests
    foreach my $p (keys %params) {
	if ($p eq 'userconfig') {
	    $userconfig = $params{$p};
	} else {
	    die "unknown parameter '$p'";
	}
    }

    eval {
	$self->{aclcache} = {};
	if ($userconfig) {
	    my $ucdata = PVE::Tools::file_get_contents($userconfig);
	    my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
	    $self->{user_cfg} = $cfg;
	} else {
	    my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
	    if (!$self->{aclcache} || !defined($self->{aclversion}) ||
		!defined($ucvers) ||  ($ucvers ne $self->{aclversion})) {
		$self->{aclversion} = $ucvers;
		my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
		$self->{user_cfg} = $cfg;
	    }
	}
    };
    if (my $err = $@) {
	$self->{user_cfg} = {};
	die "Unable to load access control list: $err";
    }
}

# hacks: to provide better backwards compatibiliy

# old code uses PVE::RPCEnvironment::get();
# new code should use PVE::RPCEnvironment->get();
sub get {
    return PVE::RESTEnvironment->get();
}

# old code uses PVE::RPCEnvironment::is_worker();
# new code should use PVE::RPCEnvironment->is_worker();
sub is_worker {
    return PVE::RESTEnvironment->is_worker();
}

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::RPCEnvironment;
	2
	3	use strict;
	4	use warnings;
c104e4ab	5
5e868938 TL	6	use PVE::AccessControl;
5e868938 TL	7	use PVE::Cluster;
37d45deb	8	use PVE::Exception qw(raise raise_perm_exc);
2c3a6c0a	9	use PVE::INotify;
2c3a6c0a	10	use PVE::ProcFSTools;
5e868938 TL	11	use PVE::RESTEnvironment;
	12	use PVE::SafeSyslog;
	13	use PVE::Tools;
2c3a6c0a	14
c104e4ab	15	use base qw(PVE::RESTEnvironment);
2c3a6c0a	16
2c3a6c0a DM	17	# ACL cache
2c3a6c0a DM	18
4bc17477 DM	19	my $compile_acl_path = sub {
4bc17477 DM	20	my ($self, $user, $path) = @_;
2c3a6c0a	21
2c3a6c0a DM	22	my $cfg = $self->{user_cfg};
	23
	24	return undef if !$cfg->{roles};
	25
4bc17477	26	die "internal error" if $user eq 'root@pam';
2c3a6c0a	27
4bc17477 DM	28	my $cache = $self->{aclcache};
	29	$cache->{$user} = {} if !$cache->{$user};
	30	my $data = $cache->{$user};
2c3a6c0a	31
e915e9e4 FG	32	my ($username, undef) = PVE::AccessControl::split_tokenid($user, 1);
	33	die "internal error" if $username && $username ne 'root@pam' && !defined($cache->{$username});
	34
4bc17477	35	if (!$data->{poolroles}) {
c104e4ab DM	36	$data->{poolroles} = {};
c104e4ab DM	37
39c85db8 DM	38	foreach my $pool (keys %{$cfg->{pools}}) {
39c85db8 DM	39	my $d = $cfg->{pools}->{$pool};
7e8bcaa7 FG	40	my $pool_roles = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
7e8bcaa7 FG	41	next if !scalar(keys %$pool_roles);
4bc17477	42	foreach my $vmid (keys %{$d->{vms}}) {
7e8bcaa7	43	for my $role (keys %$pool_roles) {
4bc17477	44	$data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
2c3a6c0a DM	45	}
2c3a6c0a DM	46	}
4bc17477	47	foreach my $storeid (keys %{$d->{storage}}) {
7e8bcaa7	48	for my $role (keys %$pool_roles) {
4bc17477 DM	49	$data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
	50	}
	51	}
	52	}
	53	}
	54
7e8bcaa7	55	my $roles = PVE::AccessControl::roles($cfg, $user, $path);
4bc17477 DM	56
	57	# apply roles inherited from pools
	58	# Note: assume we do not want to propagate those privs
	59	if ($data->{poolroles}->{$path}) {
7e8bcaa7	60	if (!defined($roles->{NoAccess})) {
8ade28e6	61	if ($data->{poolroles}->{$path}->{NoAccess}) {
7e8bcaa7	62	$roles = { 'NoAccess' => 0 };
8ade28e6 DM	63	} else {
8ade28e6 DM	64	foreach my $role (keys %{$data->{poolroles}->{$path}}) {
7e8bcaa7	65	$roles->{$role} = 0 if !defined($roles->{$role});
8ade28e6	66	}
4bc17477	67	}
2c3a6c0a	68	}
4bc17477	69	}
2c3a6c0a	70
7e8bcaa7	71	$data->{roles}->{$path} = $roles;
c104e4ab	72
4bc17477	73	my $privs = {};
7e8bcaa7	74	foreach my $role (keys %$roles) {
4bc17477 DM	75	if (my $privset = $cfg->{roles}->{$role}) {
4bc17477 DM	76	foreach my $p (keys %$privset) {
7e8bcaa7	77	$privs->{$p} = $roles->{$role};
4bc17477 DM	78	}
4bc17477 DM	79	}
2c3a6c0a	80	}
e915e9e4 FG	81
	82	if ($username && $username ne 'root@pam') {
	83	# intersect user and token permissions
	84	my $user_privs = $cache->{$username}->{privs}->{$path};
7e8bcaa7	85	$privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } keys %$privs };
e915e9e4 FG	86	}
e915e9e4 FG	87
4bc17477	88	$data->{privs}->{$path} = $privs;
2c3a6c0a	89
4bc17477	90	return $privs;
2c3a6c0a DM	91	};
	92
	93	sub permissions {
	94	my ($self, $user, $path) = @_;
	95
4bc17477 DM	96	if ($user eq 'root@pam') { # root can do anything
4bc17477 DM	97	my $cfg = $self->{user_cfg};
7e8bcaa7	98	return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
c104e4ab	99	}
4bc17477	100
e915e9e4 FG	101	if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
	102	my ($username, $token) = PVE::AccessControl::split_tokenid($user);
	103	my $cfg = $self->{user_cfg};
	104	my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
7e8bcaa7	105
e915e9e4 FG	106	return {} if !$token_info;
	107
	108	# ensure cache for user is populated
	109	my $user_perms = $self->permissions($username, $path);
	110
	111	# return user privs for non-privsep tokens
	112	return $user_perms if !$token_info->{privsep};
	113	} else {
	114	$user = PVE::AccessControl::verify_username($user, 1);
	115	return {} if !$user;
	116	}
2c3a6c0a DM	117
2c3a6c0a DM	118	my $cache = $self->{aclcache};
4bc17477	119	$cache->{$user} = {} if !$cache->{$user};
2c3a6c0a DM	120
	121	my $acl = $cache->{$user};
	122
4bc17477 DM	123	my $perm = $acl->{privs}->{$path};
4bc17477 DM	124	return $perm if $perm;
2c3a6c0a	125
4bc17477	126	return &$compile_acl_path($self, $user, $path);
2c3a6c0a DM	127	}
2c3a6c0a DM	128
c3fa8a36 FG	129	sub get_effective_permissions {
	130	my ($self, $user) = @_;
	131
	132	# default / top level paths
	133	my $paths = {
	134	'/' => 1,
	135	'/access' => 1,
	136	'/access/groups' => 1,
	137	'/nodes' => 1,
	138	'/pools' => 1,
	139	'/storage' => 1,
	140	'/vms' => 1,
	141	};
	142
	143	my $cfg = $self->{user_cfg};
	144
	145	# paths explicitly listed in ACLs
	146	foreach my $acl_path (keys %{$cfg->{acl}}) {
	147	$paths->{$acl_path} = 1;
	148	}
	149
	150	# paths referenced by pool definitions
	151	foreach my $pool (keys %{$cfg->{pools}}) {
	152	my $d = $cfg->{pools}->{$pool};
	153	foreach my $vmid (keys %{$d->{vms}}) {
	154	$paths->{"/vms/$vmid"} = 1;
	155	}
	156	foreach my $storeid (keys %{$d->{storage}}) {
	157	$paths->{"/storage/$storeid"} = 1;
	158	}
	159	}
	160
	161	my $perms = {};
	162	foreach my $path (keys %$paths) {
	163	my $path_perms = $self->permissions($user, $path);
	164	# filter paths where user has NO permissions
	165	$perms->{$path} = $path_perms if %$path_perms;
	166	}
	167	return $perms;
	168	}
	169
2c3a6c0a	170	sub check {
37d45deb	171	my ($self, $user, $path, $privs, $noerr) = @_;
2c3a6c0a DM	172
	173	my $perm = $self->permissions($user, $path);
	174
	175	foreach my $priv (@$privs) {
37d45deb	176	PVE::AccessControl::verify_privname($priv);
7e8bcaa7	177	if (!defined($perm->{$priv})) {
37d45deb	178	return undef if $noerr;
c104e4ab	179	raise_perm_exc("$path, $priv");
37d45deb	180	}
2c3a6c0a DM	181	};
	182
	183	return 1;
	184	};
	185
37d45deb DM	186	sub check_any {
	187	my ($self, $user, $path, $privs, $noerr) = @_;
	188
	189	my $perm = $self->permissions($user, $path);
efce1d57	190
37d45deb DM	191	my $found = 0;
	192	foreach my $priv (@$privs) {
	193	PVE::AccessControl::verify_privname($priv);
7e8bcaa7	194	if (defined($perm->{$priv})) {
37d45deb DM	195	$found = 1;
	196	last;
	197	}
	198	};
	199
	200	return 1 if $found;
	201
	202	return undef if $noerr;
	203
c104e4ab	204	raise_perm_exc("$path, " . join("\|", @$privs));
37d45deb DM	205	};
37d45deb DM	206
c4a776a6 DM	207	sub check_full {
	208	my ($self, $username, $path, $privs, $any, $noerr) = @_;
	209	if ($any) {
	210	return $self->check_any($username, $path, $privs, $noerr);
	211	} else {
	212	return $self->check($username, $path, $privs, $noerr);
	213	}
	214	}
	215
7070c1ae DM	216	sub check_user_enabled {
7070c1ae DM	217	my ($self, $user, $noerr) = @_;
c104e4ab	218
2c3a6c0a	219	my $cfg = $self->{user_cfg};
7070c1ae	220	return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
2c3a6c0a DM	221	}
2c3a6c0a DM	222
37d45deb DM	223	sub check_user_exist {
37d45deb DM	224	my ($self, $user, $noerr) = @_;
c104e4ab	225
37d45deb DM	226	my $cfg = $self->{user_cfg};
	227	return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
	228	}
	229
a23cec1f DM	230	sub check_pool_exist {
	231	my ($self, $pool, $noerr) = @_;
	232
	233	my $cfg = $self->{user_cfg};
	234
	235	return 1 if $cfg->{pools}->{$pool};
	236
	237	return undef if $noerr;
	238
c104e4ab	239	raise_perm_exc("pool '$pool' does not exist");
a23cec1f DM	240	}
	241
	242	sub check_vm_perm {
	243	my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;
	244
	245	my $cfg = $self->{user_cfg};
c104e4ab	246
a23cec1f DM	247	if ($pool) {
	248	return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
	249	}
	250	return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
	251	};
	252
37d45deb DM	253	sub is_group_member {
	254	my ($self, $group, $user) = @_;
	255
	256	my $cfg = $self->{user_cfg};
	257
	258	return 0 if !$cfg->{groups}->{$group};
	259
	260	return defined($cfg->{groups}->{$group}->{users}->{$user});
	261	}
	262
	263	sub filter_groups {
b9180ed2	264	my ($self, $user, $privs, $any) = @_;
37d45deb DM	265
	266	my $cfg = $self->{user_cfg};
	267
	268	my $groups = {};
	269	foreach my $group (keys %{$cfg->{groups}}) {
b9180ed2	270	my $path = "/access/groups/$group";
c4a776a6 DM	271	if ($self->check_full($user, $path, $privs, $any, 1)) {
c4a776a6 DM	272	$groups->{$group} = $cfg->{groups}->{$group};
37d45deb DM	273	}
	274	}
	275
	276	return $groups;
	277	}
	278
	279	sub group_member_join {
	280	my ($self, $grouplist) = @_;
	281
	282	my $users = {};
	283
	284	my $cfg = $self->{user_cfg};
	285	foreach my $group (@$grouplist) {
	286	my $data = $cfg->{groups}->{$group};
	287	next if !$data;
	288	foreach my $user (keys %{$data->{users}}) {
	289	$users->{$user} = 1;
	290	}
	291	}
	292
	293	return $users;
	294	}
	295
e3a3a0d7 DM	296	sub check_perm_modify {
	297	my ($self, $username, $path, $noerr) = @_;
	298
	299	return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
	300
	301	my $testperms = [ 'Permissions.Modify' ];
	302	if ($path =~ m\|^/storage/.+$\|) {
	303	push @$testperms, 'Datastore.Allocate';
	304	} elsif ($path =~ m\|^/vms/.+$\|) {
	305	push @$testperms, 'VM.Allocate';
7a7a517a DM	306	} elsif ($path =~ m\|^/pool/.+$\|) {
7a7a517a DM	307	push @$testperms, 'Pool.Allocate';
e3a3a0d7 DM	308	}
	309
	310	return $self->check_any($username, $path, $testperms, $noerr);
	311	}
	312
f8cc5a5f DM	313	sub exec_api2_perm_check {
	314	my ($self, $check, $username, $param, $noerr) = @_;
	315
	316	# syslog("info", "CHECK " . join(', ', @$check));
	317
	318	my $ind = 0;
	319	my $test = $check->[$ind++];
	320	die "no permission test specified" if !$test;
c104e4ab	321
f8cc5a5f DM	322	if ($test eq 'and') {
f8cc5a5f DM	323	while (my $subcheck = $check->[$ind++]) {
c104e4ab	324	$self->exec_api2_perm_check($subcheck, $username, $param);
f8cc5a5f DM	325	}
	326	return 1;
	327	} elsif ($test eq 'or') {
	328	while (my $subcheck = $check->[$ind++]) {
c104e4ab	329	return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
f8cc5a5f DM	330	}
	331	return 0 if $noerr;
	332	raise_perm_exc();
	333	} elsif ($test eq 'perm') {
	334	my ($t, $tmplpath, $privs, %options) = @$check;
	335	my $any = $options{any};
	336	die "missing parameters" if !($tmplpath && $privs);
c4a776a6 DM	337	my $require_param = $options{require_param};
	338	if ($require_param && !defined($param->{$require_param})) {
	339	return 0 if $noerr;
	340	raise_perm_exc();
	341	}
f8cc5a5f	342	my $path = PVE::Tools::template_replace($tmplpath, $param);
e3a3a0d7	343	$path = PVE::AccessControl::normalize_path($path);
c4a776a6	344	return $self->check_full($username, $path, $privs, $any, $noerr);
f8cc5a5f DM	345	} elsif ($test eq 'userid-group') {
	346	my $userid = $param->{userid};
	347	my ($t, $privs, %options) = @$check;
82b63965 DM	348	return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
82b63965 DM	349	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
f8cc5a5f DM	350	my $groups = $self->filter_groups($username, $privs, 1);
	351	if ($options{groups_param}) {
	352	my @group_param = PVE::Tools::split_list($param->{groups});
82b63965	353	raise_perm_exc("/access/groups, " . join("\|", @$privs)) if !scalar(@group_param);
f8cc5a5f DM	354	foreach my $pg (@group_param) {
	355	raise_perm_exc("/access/groups/$pg, " . join("\|", @$privs))
	356	if !$groups->{$pg};
	357	}
	358	} else {
	359	my $allowed_users = $self->group_member_join([keys %$groups]);
	360	if (!$allowed_users->{$userid}) {
	361	return 0 if $noerr;
	362	raise_perm_exc();
	363	}
	364	}
	365	}
	366	return 1;
	367	} elsif ($test eq 'userid-param') {
09d27058	368	my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
f8cc5a5f DM	369	my ($t, $subtest) = @$check;
	370	die "missing parameters" if !$subtest;
	371	if ($subtest eq 'self') {
a69bbe2e	372	return 0 if !$self->check_user_exist($userid, $noerr);
1cf154b7	373	return 1 if $username eq $userid;
f8cc5a5f DM	374	return 0 if $noerr;
f8cc5a5f DM	375	raise_perm_exc();
82b63965 DM	376	} elsif ($subtest eq 'Realm.AllocateUser') {
	377	my $path = "/access/realm/$realm";
	378	return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
f8cc5a5f DM	379	} else {
	380	die "unknown userid-param test";
	381	}
82b63965	382	} elsif ($test eq 'perm-modify') {
e3a3a0d7 DM	383	my ($t, $tmplpath) = @$check;
	384	my $path = PVE::Tools::template_replace($tmplpath, $param);
	385	$path = PVE::AccessControl::normalize_path($path);
	386	return $self->check_perm_modify($username, $path, $noerr);
	387	} else {
f8cc5a5f DM	388	die "unknown permission test";
	389	}
	390	};
	391
	392	sub check_api2_permissions {
	393	my ($self, $perm, $username, $param) = @_;
	394
d146e520	395	return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';
f8cc5a5f DM	396
	397	raise_perm_exc("user != null") if !$username;
	398
	399	return 1 if $username eq 'root@pam';
	400
	401	raise_perm_exc('user != root@pam') if !$perm;
	402
	403	return 1 if $perm->{user} && $perm->{user} eq 'all';
	404
c104e4ab	405	return $self->exec_api2_perm_check($perm->{check}, $username, $param)
f8cc5a5f DM	406	if $perm->{check};
	407
	408	raise_perm_exc();
	409	}
	410
c104e4ab DM	411	sub log_cluster_msg {
c104e4ab DM	412	my ($self, $pri, $user, $msg) = @_;
2c3a6c0a	413
c104e4ab DM	414	PVE::Cluster::log_msg($pri, $user, $msg);
c104e4ab DM	415	}
2c3a6c0a	416
c104e4ab DM	417	sub broadcast_tasklist {
c104e4ab DM	418	my ($self, $tlist) = @_;
2c3a6c0a	419
c104e4ab DM	420	PVE::Cluster::broadcast_tasklist($tlist);
c104e4ab DM	421	}
2c3a6c0a	422
c104e4ab DM	423	# initialize environment - must be called once at program startup
	424	sub init {
	425	my ($class, $type, %params) = @_;
86c4f1e6 DM	426
86c4f1e6 DM	427	$class = ref($class) \|\| $class;
5ae5900d	428
c104e4ab	429	my $self = $class->SUPER::init($type, %params);
5ae5900d	430
c104e4ab DM	431	$self->{user_cfg} = {};
	432	$self->{aclcache} = {};
	433	$self->{aclversion} = undef;
2c3a6c0a	434
c104e4ab DM	435	return $self;
c104e4ab DM	436	};
2c3a6c0a	437
2c3a6c0a DM	438
	439	# init_request - must be called before each RPC request
	440	sub init_request {
	441	my ($self, %params) = @_;
	442
	443	PVE::Cluster::cfs_update();
	444
be6ea723	445	$self->{result_attributes} = {};
272fe9ff	446
2c3a6c0a DM	447	my $userconfig; # we use this for regression tests
	448	foreach my $p (keys %params) {
	449	if ($p eq 'userconfig') {
	450	$userconfig = $params{$p};
	451	} else {
	452	die "unknown parameter '$p'";
	453	}
	454	}
	455
	456	eval {
	457	$self->{aclcache} = {};
	458	if ($userconfig) {
	459	my $ucdata = PVE::Tools::file_get_contents($userconfig);
	460	my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
	461	$self->{user_cfg} = $cfg;
	462	} else {
c104e4ab DM	463	my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
c104e4ab DM	464	if (!$self->{aclcache} \|\| !defined($self->{aclversion}) \|\|
2c3a6c0a DM	465	!defined($ucvers) \|\| ($ucvers ne $self->{aclversion})) {
	466	$self->{aclversion} = $ucvers;
	467	my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
	468	$self->{user_cfg} = $cfg;
	469	}
	470	}
	471	};
	472	if (my $err = $@) {
	473	$self->{user_cfg} = {};
	474	die "Unable to load access control list: $err";
	475	}
	476	}
	477
c104e4ab	478	# hacks: to provide better backwards compatibiliy
2c3a6c0a	479
c104e4ab DM	480	# old code uses PVE::RPCEnvironment::get();
	481	# new code should use PVE::RPCEnvironment->get();
	482	sub get {
	483	return PVE::RESTEnvironment->get();
2c3a6c0a DM	484	}
2c3a6c0a DM	485
c104e4ab DM	486	# old code uses PVE::RPCEnvironment::is_worker();
c104e4ab DM	487	# new code should use PVE::RPCEnvironment->is_worker();
7b6dfe82	488	sub is_worker {
c104e4ab	489	return PVE::RESTEnvironment->is_worker();
2c3a6c0a DM	490	}
	491
	492	1;