[pve-access-control.git] / src / PVE / RPCEnvironment.pm

package PVE::RPCEnvironment;

use strict;
use warnings;

use PVE::AccessControl;
use PVE::Cluster;
use PVE::Exception qw(raise raise_perm_exc);
use PVE::INotify;
use PVE::ProcFSTools;
use PVE::RESTEnvironment;
use PVE::SafeSyslog;
use PVE::Tools;

use base qw(PVE::RESTEnvironment);

# ACL cache

my $compile_acl_path = sub {
    my ($self, $user, $path) = @_;

    my $cfg = $self->{user_cfg};

    return undef if !$cfg->{roles};

    # permissions() has an early return for this case
    die "internal error" if $user eq 'root@pam';

    my $cache = $self->{aclcache};
    $cache->{$user} = {} if !$cache->{$user};
    my $data = $cache->{$user};

    # permissions() will always prime the cache for the owning user
    my ($username, undef) = PVE::AccessControl::split_tokenid($user, 1);
    die "internal error" if $username && $username ne 'root@pam' && !defined($cache->{$username});

    # resolve and cache roles of the current user/token for all pool ACL paths
    if (!$data->{poolroles}) {
	$data->{poolroles} = {};

	foreach my $pool (keys %{$cfg->{pools}}) {
	    my $d = $cfg->{pools}->{$pool};
	    my $pool_roles = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
	    next if !scalar(keys %$pool_roles);
	    foreach my $vmid (keys %{$d->{vms}}) {
		for my $role (keys %$pool_roles) {
		    $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
		}
	    }
	    foreach my $storeid (keys %{$d->{storage}}) {
		for my $role (keys %$pool_roles) {
		    $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
		}
	    }
	}
    }

    # get roles of current user/token on checked path - this already handles
    # propagation and NoAccess along the path
    #
    # hash mapping role name to propagation flag value, a key being defined
    # means the role is set
    my $roles = PVE::AccessControl::roles($cfg, $user, $path);

    # apply roles inherited from pools
    if ($data->{poolroles}->{$path}) {
	# NoAccess must not be trumped by pool ACLs
	if (!defined($roles->{NoAccess})) {
	    if ($data->{poolroles}->{$path}->{NoAccess}) {
		# but pool ACL NoAccess trumps regular ACL
		$roles = { 'NoAccess' => 0 };
	    } else {
		foreach my $role (keys %{$data->{poolroles}->{$path}}) {
		    # only use role from pool ACL if regular ACL didn't already
		    # set it, and never set propagation for pool-derived ACLs
		    $roles->{$role} = 0 if !defined($roles->{$role});
		}
	    }
	}
    }

    # cache roles
    $data->{roles}->{$path} = $roles;

    # derive privs from set roles - hash mapping privilege name to propagation
    # flag value, a key being defined means the priv is set
    my $privs = {};
    foreach my $role (keys %$roles) {
	if (my $privset = $cfg->{roles}->{$role}) {
	    foreach my $p (keys %$privset) {
		# set priv '$p' to propagated iff any of the set roles
		# containing it have the propagated flag set
		$privs->{$p} ||= $roles->{$role};
	    }
	}
    }

    # intersect user and token permissions
    if ($username && $username ne 'root@pam') {
	# map of set privs to their propagation flag value, for the owning user
	my $user_privs = $cache->{$username}->{privs}->{$path};
	# list of privs set both for token and owning user
	my $filtered_privs = [ grep { defined($user_privs->{$_}) } keys %$privs ];
	# intersection of privs using filtered list, combining both propagation
	# flags
	$privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } @$filtered_privs };
    }

    foreach my $priv (keys %$privs) {
	# safeguard, this should never happen anyway
	delete $privs->{$priv} if !defined($privs->{$priv});
    }

    # cache privs
    $data->{privs}->{$path} = $privs;

    return $privs;
};

# this is the method used by permission check helpers below
#
# returned value is a hash mapping all set privileges on $path to their
# respective propagation flag. the propagation flag is informational only -
# actual propagation is handled in PVE::AccessControl::roles(). to determine
# whether a privilege is set, check for definedness in the returned hash.
#
# compiled ACLs are cached, so repeated checks for the same path and user are
# almost free.
#
# if $user is a tokenid, permissions are calculated depending on the
# privilege-separation flag value:
# - non-priv-separated: permissions for owning user are returned
# - priv-separated: permissions for owning user are calculated and intersected
#   with those of token
sub permissions {
    my ($self, $user, $path) = @_;

    if ($user eq 'root@pam') { # root can do anything
	my $cfg = $self->{user_cfg};
	return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
    }

    if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
	my ($username, $token) = PVE::AccessControl::split_tokenid($user);
	my $cfg = $self->{user_cfg};
	my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};

	return {} if !$token_info;

	# ensure cache for user is populated
	my $user_perms = $self->permissions($username, $path);

	# return user privs for non-privsep tokens
	return $user_perms if !$token_info->{privsep};
    } else {
	$user = PVE::AccessControl::verify_username($user, 1);
	return {} if !$user;
    }

    my $cache = $self->{aclcache};
    $cache->{$user} = {} if !$cache->{$user};

    my $acl = $cache->{$user};

    my $perm = $acl->{privs}->{$path};
    return $perm if $perm;

    return &$compile_acl_path($self, $user, $path);
}

sub compute_api_permission {
    my ($self, $authuser) = @_;

    my $usercfg = $self->{user_cfg};

    my $res = {};
    my $priv_re_map = {
	vms => qr/VM\.|Permissions\.Modify/,
	access => qr/(User|Group)\.|Permissions\.Modify/,
	storage => qr/Datastore\.|Permissions\.Modify/,
	nodes => qr/Sys\.|Permissions\.Modify/,
	sdn => qr/SDN\.|Permissions\.Modify/,
	dc => qr/Sys\.Audit|SDN\./,
    };
    map { $res->{$_} = {} } keys %$priv_re_map;

    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn'];

    my $checked_paths = {};
    foreach my $path (@$required_paths, keys %{$usercfg->{acl}}) {
	next if $checked_paths->{$path};
	$checked_paths->{$path} = 1;

	my $path_perm = $self->permissions($authuser, $path);

	my $toplevel = ($path =~ /^\/(\w+)/) ? $1 : 'dc';
	if ($toplevel eq 'pool') {
	    foreach my $priv (keys %$path_perm) {
		next if !defined($path_perm->{$priv});

		if ($priv =~ m/^VM\./) {
		    $res->{vms}->{$priv} = 1;
		} elsif ($priv =~ m/^Datastore\./) {
		    $res->{storage}->{$priv} = 1;
		} elsif ($priv eq 'Permissions.Modify') {
		    $res->{storage}->{$priv} = 1;
		    $res->{vms}->{$priv} = 1;
		}
	    }
	} else {
	    my $priv_regex = $priv_re_map->{$toplevel} // next;
	    foreach my $priv (keys %$path_perm) {
		next if !defined($path_perm->{$priv});

		next if $priv !~ m/^($priv_regex)/;
		$res->{$toplevel}->{$priv} = 1;
	    }
	}
    }

    return $res;
}

sub get_effective_permissions {
    my ($self, $user) = @_;

    # default / top level paths
    my $paths = {
	'/' => 1,
	'/access' => 1,
	'/access/groups' => 1,
	'/nodes' => 1,
	'/pools' => 1,
	'/sdn' => 1,
	'/storage' => 1,
	'/vms' => 1,
    };

    my $cfg = $self->{user_cfg};

    # paths explicitly listed in ACLs
    foreach my $acl_path (keys %{$cfg->{acl}}) {
	$paths->{$acl_path} = 1;
    }

    # paths referenced by pool definitions
    foreach my $pool (keys %{$cfg->{pools}}) {
	my $d = $cfg->{pools}->{$pool};
	foreach my $vmid (keys %{$d->{vms}}) {
	    $paths->{"/vms/$vmid"} = 1;
	}
	foreach my $storeid (keys %{$d->{storage}}) {
	    $paths->{"/storage/$storeid"} = 1;
	}
    }

    my $perms = {};
    foreach my $path (keys %$paths) {
	my $path_perms = $self->permissions($user, $path);
	foreach my $priv (keys %$path_perms) {
	    delete $path_perms->{$priv} if !defined($path_perms->{$priv});
	}
	# filter paths where user has NO permissions
	$perms->{$path} = $path_perms if %$path_perms;
    }
    return $perms;
}

sub check {
    my ($self, $user, $path, $privs, $noerr) = @_;

    my $perm = $self->permissions($user, $path);

    foreach my $priv (@$privs) {
	PVE::AccessControl::verify_privname($priv);
	if (!defined($perm->{$priv})) {
	    return undef if $noerr;
	    raise_perm_exc("$path, $priv");
	}
    };

    return 1;
};

sub check_any {
    my ($self, $user, $path, $privs, $noerr) = @_;

    my $perm = $self->permissions($user, $path);

    my $found = 0;
    foreach my $priv (@$privs) {
	PVE::AccessControl::verify_privname($priv);
	if (defined($perm->{$priv})) {
	    $found = 1;
	    last;
	}
    };

    return 1 if $found;

    return undef if $noerr;

    raise_perm_exc("$path, " . join("|", @$privs));
};

sub check_full {
    my ($self, $username, $path, $privs, $any, $noerr) = @_;
    if ($any) {
	return $self->check_any($username, $path, $privs, $noerr);
    } else {
	return $self->check($username, $path, $privs, $noerr);
    }
}

sub check_user_enabled {
    my ($self, $user, $noerr) = @_;

    my $cfg = $self->{user_cfg};
    return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
}

sub check_user_exist {
    my ($self, $user, $noerr) = @_;

    my $cfg = $self->{user_cfg};
    return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
}

sub check_pool_exist {
    my ($self, $pool, $noerr) = @_;

    my $cfg = $self->{user_cfg};

    return 1 if $cfg->{pools}->{$pool};

    return undef if $noerr;

    raise_perm_exc("pool '$pool' does not exist");
}

sub check_vm_perm {
    my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;

    my $cfg = $self->{user_cfg};

    if ($pool) {
	return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
    }
    return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
};

sub is_group_member {
    my ($self, $group, $user) = @_;

    my $cfg = $self->{user_cfg};

    return 0 if !$cfg->{groups}->{$group};

    return defined($cfg->{groups}->{$group}->{users}->{$user});
}

sub filter_groups {
    my ($self, $user, $privs, $any) = @_;

    my $cfg = $self->{user_cfg};

    my $groups = {};
    foreach my $group (keys %{$cfg->{groups}}) {
	my $path = "/access/groups/$group";
	if ($self->check_full($user, $path, $privs, $any, 1)) {
	    $groups->{$group} = $cfg->{groups}->{$group};
	}
    }

    return $groups;
}

sub group_member_join {
    my ($self, $grouplist) = @_;

    my $users = {};

    my $cfg = $self->{user_cfg};
    foreach my $group (@$grouplist) {
	my $data = $cfg->{groups}->{$group};
	next if !$data;
	foreach my $user (keys %{$data->{users}}) {
	    $users->{$user} = 1;
	}
    }

    return $users;
}

sub check_perm_modify {
    my ($self, $username, $path, $noerr) = @_;

    return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;

    my $testperms = [ 'Permissions.Modify' ];
    if ($path =~ m|^/storage/.+$|) {
	push @$testperms, 'Datastore.Allocate';
    } elsif ($path =~ m|^/vms/.+$|) {
	push @$testperms, 'VM.Allocate';
    } elsif ($path =~ m|^/pool/.+$|) {
	push @$testperms, 'Pool.Allocate';
    }

    return $self->check_any($username, $path, $testperms, $noerr);
}

sub exec_api2_perm_check {
    my ($self, $check, $username, $param, $noerr) = @_;

    # syslog("info", "CHECK " . join(', ', @$check));

    my $ind = 0;
    my $test = $check->[$ind++];
    die "no permission test specified" if !$test;

    if ($test eq 'and') {
	while (my $subcheck = $check->[$ind++]) {
	    $self->exec_api2_perm_check($subcheck, $username, $param);
	}
	return 1;
    } elsif ($test eq 'or') {
	while (my $subcheck = $check->[$ind++]) {
	    return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
	}
	return 0 if $noerr;
	raise_perm_exc();
    } elsif ($test eq 'perm') {
	my ($t, $tmplpath, $privs, %options) = @$check;
	my $any = $options{any};
	die "missing parameters" if !($tmplpath && $privs);
	my $require_param = $options{require_param};
	if ($require_param && !defined($param->{$require_param})) {
	    return 0 if $noerr;
	    raise_perm_exc();
	}
	my $path = PVE::Tools::template_replace($tmplpath, $param);
	$path = PVE::AccessControl::normalize_path($path);
	return $self->check_full($username, $path, $privs, $any, $noerr);
    } elsif ($test eq 'userid-group') {
	my $userid = $param->{userid};
	my ($t, $privs, %options) = @$check;

	my $check_existing_user = !$options{groups_param} || $options{groups_param} ne 'create';
	return 0 if $check_existing_user && !$self->check_user_exist($userid, $noerr);

	# check permission for ALL groups (and thus ALL users)
	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
	    # list of groups $username has any of $privs on
	    my $groups = $self->filter_groups($username, $privs, 1);
	    if ($options{groups_param}) {
		# does $username have any of $privs on all new/updated/.. groups?
		my @group_param = PVE::Tools::split_list($param->{groups});
		raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param);
		foreach my $pg (@group_param) {
		    raise_perm_exc("/access/groups/$pg, " . join("|", @$privs))
			if !$groups->{$pg};
		}
	    }
	    if ($check_existing_user) {
		# does $username have any of $privs on any existing group of $userid
		my $allowed_users = $self->group_member_join([keys %$groups]);
		if (!$allowed_users->{$userid}) {
		    return 0 if $noerr;
		    raise_perm_exc();
		}
	    }
	}
	return 1;
    } elsif ($test eq 'userid-param') {
	my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
	my ($t, $subtest) = @$check;
	die "missing parameters" if !$subtest;
	if ($subtest eq 'self') {
	    return 0 if !$self->check_user_exist($userid, $noerr);
	    return 1 if $username eq $userid;
	    return 0 if $noerr;
	    raise_perm_exc();
	} elsif ($subtest eq 'Realm.AllocateUser') {
	    my $path =  "/access/realm/$realm";
	    return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
	} else {
	    die "unknown userid-param test";
	}
    } elsif ($test eq 'perm-modify') {
	my ($t, $tmplpath) = @$check;
	my $path = PVE::Tools::template_replace($tmplpath, $param);
	$path = PVE::AccessControl::normalize_path($path);
	return $self->check_perm_modify($username, $path, $noerr);
    } else {
	die "unknown permission test";
    }
};

sub check_api2_permissions {
    my ($self, $perm, $username, $param) = @_;

    return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';

    raise_perm_exc("user != null") if !$username;

    return 1 if $username eq 'root@pam';

    raise_perm_exc('user != root@pam') if !$perm;

    return 1 if $perm->{user} && $perm->{user} eq 'all';

    return $self->exec_api2_perm_check($perm->{check}, $username, $param)
	if $perm->{check};

    raise_perm_exc();
}

sub log_cluster_msg {
    my ($self, $pri, $user, $msg) = @_;

    PVE::Cluster::log_msg($pri, $user, $msg);
}

sub broadcast_tasklist {
    my ($self, $tlist) = @_;

    PVE::Cluster::broadcast_tasklist($tlist);
}

# initialize environment - must be called once at program startup
sub init {
    my ($class, $type, %params) = @_;

    $class = ref($class) || $class;

    my $self = $class->SUPER::init($type, %params);

    $self->{user_cfg} = {};
    $self->{aclcache} = {};
    $self->{aclversion} = undef;

    return $self;
};


# init_request - must be called before each RPC request
sub init_request {
    my ($self, %params) = @_;

    PVE::Cluster::cfs_update();

    $self->{result_attributes} = {};

    my $userconfig; # we use this for regression tests
    foreach my $p (keys %params) {
	if ($p eq 'userconfig') {
	    $userconfig = $params{$p};
	} else {
	    die "unknown parameter '$p'";
	}
    }

    eval {
	$self->{aclcache} = {};
	if ($userconfig) {
	    my $ucdata = PVE::Tools::file_get_contents($userconfig);
	    my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
	    $self->{user_cfg} = $cfg;
	} else {
	    my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
	    if (!$self->{aclcache} || !defined($self->{aclversion}) ||
		!defined($ucvers) ||  ($ucvers ne $self->{aclversion})) {
		$self->{aclversion} = $ucvers;
		my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
		$self->{user_cfg} = $cfg;
	    }
	}
    };
    if (my $err = $@) {
	$self->{user_cfg} = {};
	die "Unable to load access control list: $err";
    }
}

# hacks: to provide better backwards compatibility

# old code uses PVE::RPCEnvironment::get();
# new code should use PVE::RPCEnvironment->get();
sub get {
    return PVE::RESTEnvironment->get();
}

# old code uses PVE::RPCEnvironment::is_worker();
# new code should use PVE::RPCEnvironment->is_worker();
sub is_worker {
    return PVE::RESTEnvironment->is_worker();
}

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::RPCEnvironment;
	2
	3	use strict;
	4	use warnings;
c104e4ab	5
5e868938 TL	6	use PVE::AccessControl;
5e868938 TL	7	use PVE::Cluster;
37d45deb	8	use PVE::Exception qw(raise raise_perm_exc);
2c3a6c0a	9	use PVE::INotify;
2c3a6c0a	10	use PVE::ProcFSTools;
5e868938 TL	11	use PVE::RESTEnvironment;
	12	use PVE::SafeSyslog;
	13	use PVE::Tools;
2c3a6c0a	14
c104e4ab	15	use base qw(PVE::RESTEnvironment);
2c3a6c0a	16
2c3a6c0a DM	17	# ACL cache
2c3a6c0a DM	18
4bc17477 DM	19	my $compile_acl_path = sub {
4bc17477 DM	20	my ($self, $user, $path) = @_;
2c3a6c0a	21
2c3a6c0a DM	22	my $cfg = $self->{user_cfg};
	23
	24	return undef if !$cfg->{roles};
	25
b8c4218b	26	# permissions() has an early return for this case
4bc17477	27	die "internal error" if $user eq 'root@pam';
2c3a6c0a	28
4bc17477 DM	29	my $cache = $self->{aclcache};
	30	$cache->{$user} = {} if !$cache->{$user};
	31	my $data = $cache->{$user};
2c3a6c0a	32
b8c4218b	33	# permissions() will always prime the cache for the owning user
e915e9e4 FG	34	my ($username, undef) = PVE::AccessControl::split_tokenid($user, 1);
	35	die "internal error" if $username && $username ne 'root@pam' && !defined($cache->{$username});
	36
b8c4218b	37	# resolve and cache roles of the current user/token for all pool ACL paths
4bc17477	38	if (!$data->{poolroles}) {
c104e4ab DM	39	$data->{poolroles} = {};
c104e4ab DM	40
39c85db8 DM	41	foreach my $pool (keys %{$cfg->{pools}}) {
39c85db8 DM	42	my $d = $cfg->{pools}->{$pool};
7e8bcaa7 FG	43	my $pool_roles = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
7e8bcaa7 FG	44	next if !scalar(keys %$pool_roles);
4bc17477	45	foreach my $vmid (keys %{$d->{vms}}) {
7e8bcaa7	46	for my $role (keys %$pool_roles) {
4bc17477	47	$data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
2c3a6c0a DM	48	}
2c3a6c0a DM	49	}
4bc17477	50	foreach my $storeid (keys %{$d->{storage}}) {
7e8bcaa7	51	for my $role (keys %$pool_roles) {
4bc17477 DM	52	$data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
	53	}
	54	}
	55	}
	56	}
	57
b8c4218b FG	58	# get roles of current user/token on checked path - this already handles
	59	# propagation and NoAccess along the path
	60	#
	61	# hash mapping role name to propagation flag value, a key being defined
	62	# means the role is set
7e8bcaa7	63	my $roles = PVE::AccessControl::roles($cfg, $user, $path);
4bc17477 DM	64
4bc17477 DM	65	# apply roles inherited from pools
4bc17477	66	if ($data->{poolroles}->{$path}) {
b8c4218b	67	# NoAccess must not be trumped by pool ACLs
7e8bcaa7	68	if (!defined($roles->{NoAccess})) {
8ade28e6	69	if ($data->{poolroles}->{$path}->{NoAccess}) {
b8c4218b	70	# but pool ACL NoAccess trumps regular ACL
7e8bcaa7	71	$roles = { 'NoAccess' => 0 };
8ade28e6 DM	72	} else {
8ade28e6 DM	73	foreach my $role (keys %{$data->{poolroles}->{$path}}) {
b8c4218b FG	74	# only use role from pool ACL if regular ACL didn't already
b8c4218b FG	75	# set it, and never set propagation for pool-derived ACLs
7e8bcaa7	76	$roles->{$role} = 0 if !defined($roles->{$role});
8ade28e6	77	}
4bc17477	78	}
2c3a6c0a	79	}
4bc17477	80	}
2c3a6c0a	81
b8c4218b	82	# cache roles
7e8bcaa7	83	$data->{roles}->{$path} = $roles;
c104e4ab	84
b8c4218b FG	85	# derive privs from set roles - hash mapping privilege name to propagation
b8c4218b FG	86	# flag value, a key being defined means the priv is set
4bc17477	87	my $privs = {};
7e8bcaa7	88	foreach my $role (keys %$roles) {
4bc17477 DM	89	if (my $privset = $cfg->{roles}->{$role}) {
4bc17477 DM	90	foreach my $p (keys %$privset) {
b8c4218b FG	91	# set priv '$p' to propagated iff any of the set roles
b8c4218b FG	92	# containing it have the propagated flag set
b55e33f4	93	$privs->{$p} \|\|= $roles->{$role};
4bc17477 DM	94	}
4bc17477 DM	95	}
2c3a6c0a	96	}
e915e9e4	97
b8c4218b	98	# intersect user and token permissions
e915e9e4	99	if ($username && $username ne 'root@pam') {
b8c4218b	100	# map of set privs to their propagation flag value, for the owning user
e915e9e4	101	my $user_privs = $cache->{$username}->{privs}->{$path};
b8c4218b	102	# list of privs set both for token and owning user
0716a56b	103	my $filtered_privs = [ grep { defined($user_privs->{$_}) } keys %$privs ];
b8c4218b FG	104	# intersection of privs using filtered list, combining both propagation
b8c4218b FG	105	# flags
e8a0cee4	106	$privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } @$filtered_privs };
e915e9e4 FG	107	}
e915e9e4 FG	108
9aa49a8d FG	109	foreach my $priv (keys %$privs) {
	110	# safeguard, this should never happen anyway
	111	delete $privs->{$priv} if !defined($privs->{$priv});
	112	}
	113
b8c4218b	114	# cache privs
4bc17477	115	$data->{privs}->{$path} = $privs;
2c3a6c0a	116
4bc17477	117	return $privs;
2c3a6c0a DM	118	};
2c3a6c0a DM	119
b8c4218b FG	120	# this is the method used by permission check helpers below
	121	#
	122	# returned value is a hash mapping all set privileges on $path to their
	123	# respective propagation flag. the propagation flag is informational only -
	124	# actual propagation is handled in PVE::AccessControl::roles(). to determine
	125	# whether a privilege is set, check for definedness in the returned hash.
	126	#
	127	# compiled ACLs are cached, so repeated checks for the same path and user are
	128	# almost free.
	129	#
	130	# if $user is a tokenid, permissions are calculated depending on the
	131	# privilege-separation flag value:
	132	# - non-priv-separated: permissions for owning user are returned
	133	# - priv-separated: permissions for owning user are calculated and intersected
	134	# with those of token
2c3a6c0a DM	135	sub permissions {
	136	my ($self, $user, $path) = @_;
	137
4bc17477 DM	138	if ($user eq 'root@pam') { # root can do anything
4bc17477 DM	139	my $cfg = $self->{user_cfg};
7e8bcaa7	140	return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
c104e4ab	141	}
4bc17477	142
e915e9e4 FG	143	if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
	144	my ($username, $token) = PVE::AccessControl::split_tokenid($user);
	145	my $cfg = $self->{user_cfg};
	146	my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
7e8bcaa7	147
e915e9e4 FG	148	return {} if !$token_info;
	149
	150	# ensure cache for user is populated
	151	my $user_perms = $self->permissions($username, $path);
	152
	153	# return user privs for non-privsep tokens
	154	return $user_perms if !$token_info->{privsep};
	155	} else {
	156	$user = PVE::AccessControl::verify_username($user, 1);
	157	return {} if !$user;
	158	}
2c3a6c0a DM	159
2c3a6c0a DM	160	my $cache = $self->{aclcache};
4bc17477	161	$cache->{$user} = {} if !$cache->{$user};
2c3a6c0a DM	162
	163	my $acl = $cache->{$user};
	164
4bc17477 DM	165	my $perm = $acl->{privs}->{$path};
4bc17477 DM	166	return $perm if $perm;
2c3a6c0a	167
4bc17477	168	return &$compile_acl_path($self, $user, $path);
2c3a6c0a DM	169	}
2c3a6c0a DM	170
ac344d7d DM	171	sub compute_api_permission {
	172	my ($self, $authuser) = @_;
	173
	174	my $usercfg = $self->{user_cfg};
	175
	176	my $res = {};
	177	my $priv_re_map = {
	178	vms => qr/VM\.\|Permissions\.Modify/,
	179	access => qr/(User\|Group)\.\|Permissions\.Modify/,
	180	storage => qr/Datastore\.\|Permissions\.Modify/,
	181	nodes => qr/Sys\.\|Permissions\.Modify/,
	182	sdn => qr/SDN\.\|Permissions\.Modify/,
	183	dc => qr/Sys\.Audit\|SDN\./,
	184	};
	185	map { $res->{$_} = {} } keys %$priv_re_map;
	186
	187	my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn'];
	188
	189	my $checked_paths = {};
	190	foreach my $path (@$required_paths, keys %{$usercfg->{acl}}) {
	191	next if $checked_paths->{$path};
	192	$checked_paths->{$path} = 1;
	193
	194	my $path_perm = $self->permissions($authuser, $path);
	195
	196	my $toplevel = ($path =~ /^\/(\w+)/) ? $1 : 'dc';
	197	if ($toplevel eq 'pool') {
	198	foreach my $priv (keys %$path_perm) {
0786c1e5 FG	199	next if !defined($path_perm->{$priv});
0786c1e5 FG	200
ac344d7d DM	201	if ($priv =~ m/^VM\./) {
	202	$res->{vms}->{$priv} = 1;
	203	} elsif ($priv =~ m/^Datastore\./) {
	204	$res->{storage}->{$priv} = 1;
	205	} elsif ($priv eq 'Permissions.Modify') {
	206	$res->{storage}->{$priv} = 1;
	207	$res->{vms}->{$priv} = 1;
	208	}
	209	}
	210	} else {
	211	my $priv_regex = $priv_re_map->{$toplevel} // next;
	212	foreach my $priv (keys %$path_perm) {
0786c1e5 FG	213	next if !defined($path_perm->{$priv});
0786c1e5 FG	214
ac344d7d DM	215	next if $priv !~ m/^($priv_regex)/;
	216	$res->{$toplevel}->{$priv} = 1;
	217	}
	218	}
	219	}
	220
	221	return $res;
	222	}
	223
c3fa8a36 FG	224	sub get_effective_permissions {
	225	my ($self, $user) = @_;
	226
	227	# default / top level paths
	228	my $paths = {
	229	'/' => 1,
	230	'/access' => 1,
	231	'/access/groups' => 1,
	232	'/nodes' => 1,
	233	'/pools' => 1,
92f571d9	234	'/sdn' => 1,
c3fa8a36 FG	235	'/storage' => 1,
	236	'/vms' => 1,
	237	};
	238
	239	my $cfg = $self->{user_cfg};
	240
	241	# paths explicitly listed in ACLs
	242	foreach my $acl_path (keys %{$cfg->{acl}}) {
	243	$paths->{$acl_path} = 1;
	244	}
	245
	246	# paths referenced by pool definitions
	247	foreach my $pool (keys %{$cfg->{pools}}) {
	248	my $d = $cfg->{pools}->{$pool};
	249	foreach my $vmid (keys %{$d->{vms}}) {
	250	$paths->{"/vms/$vmid"} = 1;
	251	}
	252	foreach my $storeid (keys %{$d->{storage}}) {
	253	$paths->{"/storage/$storeid"} = 1;
	254	}
	255	}
	256
	257	my $perms = {};
	258	foreach my $path (keys %$paths) {
	259	my $path_perms = $self->permissions($user, $path);
0786c1e5 FG	260	foreach my $priv (keys %$path_perms) {
	261	delete $path_perms->{$priv} if !defined($path_perms->{$priv});
	262	}
c3fa8a36 FG	263	# filter paths where user has NO permissions
	264	$perms->{$path} = $path_perms if %$path_perms;
	265	}
	266	return $perms;
	267	}
	268
2c3a6c0a	269	sub check {
37d45deb	270	my ($self, $user, $path, $privs, $noerr) = @_;
2c3a6c0a DM	271
	272	my $perm = $self->permissions($user, $path);
	273
	274	foreach my $priv (@$privs) {
37d45deb	275	PVE::AccessControl::verify_privname($priv);
7e8bcaa7	276	if (!defined($perm->{$priv})) {
37d45deb	277	return undef if $noerr;
c104e4ab	278	raise_perm_exc("$path, $priv");
37d45deb	279	}
2c3a6c0a DM	280	};
	281
	282	return 1;
	283	};
	284
37d45deb DM	285	sub check_any {
	286	my ($self, $user, $path, $privs, $noerr) = @_;
	287
	288	my $perm = $self->permissions($user, $path);
efce1d57	289
37d45deb DM	290	my $found = 0;
	291	foreach my $priv (@$privs) {
	292	PVE::AccessControl::verify_privname($priv);
7e8bcaa7	293	if (defined($perm->{$priv})) {
37d45deb DM	294	$found = 1;
	295	last;
	296	}
	297	};
	298
	299	return 1 if $found;
	300
	301	return undef if $noerr;
	302
c104e4ab	303	raise_perm_exc("$path, " . join("\|", @$privs));
37d45deb DM	304	};
37d45deb DM	305
c4a776a6 DM	306	sub check_full {
	307	my ($self, $username, $path, $privs, $any, $noerr) = @_;
	308	if ($any) {
	309	return $self->check_any($username, $path, $privs, $noerr);
	310	} else {
	311	return $self->check($username, $path, $privs, $noerr);
	312	}
	313	}
	314
7070c1ae DM	315	sub check_user_enabled {
7070c1ae DM	316	my ($self, $user, $noerr) = @_;
c104e4ab	317
2c3a6c0a	318	my $cfg = $self->{user_cfg};
7070c1ae	319	return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
2c3a6c0a DM	320	}
2c3a6c0a DM	321
37d45deb DM	322	sub check_user_exist {
37d45deb DM	323	my ($self, $user, $noerr) = @_;
c104e4ab	324
37d45deb DM	325	my $cfg = $self->{user_cfg};
	326	return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
	327	}
	328
a23cec1f DM	329	sub check_pool_exist {
	330	my ($self, $pool, $noerr) = @_;
	331
	332	my $cfg = $self->{user_cfg};
	333
	334	return 1 if $cfg->{pools}->{$pool};
	335
	336	return undef if $noerr;
	337
c104e4ab	338	raise_perm_exc("pool '$pool' does not exist");
a23cec1f DM	339	}
	340
	341	sub check_vm_perm {
	342	my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;
	343
	344	my $cfg = $self->{user_cfg};
c104e4ab	345
a23cec1f DM	346	if ($pool) {
	347	return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
	348	}
	349	return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
	350	};
	351
37d45deb DM	352	sub is_group_member {
	353	my ($self, $group, $user) = @_;
	354
	355	my $cfg = $self->{user_cfg};
	356
	357	return 0 if !$cfg->{groups}->{$group};
	358
	359	return defined($cfg->{groups}->{$group}->{users}->{$user});
	360	}
	361
	362	sub filter_groups {
b9180ed2	363	my ($self, $user, $privs, $any) = @_;
37d45deb DM	364
	365	my $cfg = $self->{user_cfg};
	366
	367	my $groups = {};
	368	foreach my $group (keys %{$cfg->{groups}}) {
b9180ed2	369	my $path = "/access/groups/$group";
c4a776a6 DM	370	if ($self->check_full($user, $path, $privs, $any, 1)) {
c4a776a6 DM	371	$groups->{$group} = $cfg->{groups}->{$group};
37d45deb DM	372	}
	373	}
	374
	375	return $groups;
	376	}
	377
	378	sub group_member_join {
	379	my ($self, $grouplist) = @_;
	380
	381	my $users = {};
	382
	383	my $cfg = $self->{user_cfg};
	384	foreach my $group (@$grouplist) {
	385	my $data = $cfg->{groups}->{$group};
	386	next if !$data;
	387	foreach my $user (keys %{$data->{users}}) {
	388	$users->{$user} = 1;
	389	}
	390	}
	391
	392	return $users;
	393	}
	394
e3a3a0d7 DM	395	sub check_perm_modify {
	396	my ($self, $username, $path, $noerr) = @_;
	397
	398	return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
	399
	400	my $testperms = [ 'Permissions.Modify' ];
	401	if ($path =~ m\|^/storage/.+$\|) {
	402	push @$testperms, 'Datastore.Allocate';
	403	} elsif ($path =~ m\|^/vms/.+$\|) {
	404	push @$testperms, 'VM.Allocate';
7a7a517a DM	405	} elsif ($path =~ m\|^/pool/.+$\|) {
7a7a517a DM	406	push @$testperms, 'Pool.Allocate';
e3a3a0d7 DM	407	}
	408
	409	return $self->check_any($username, $path, $testperms, $noerr);
	410	}
	411
f8cc5a5f DM	412	sub exec_api2_perm_check {
	413	my ($self, $check, $username, $param, $noerr) = @_;
	414
	415	# syslog("info", "CHECK " . join(', ', @$check));
	416
	417	my $ind = 0;
	418	my $test = $check->[$ind++];
	419	die "no permission test specified" if !$test;
c104e4ab	420
f8cc5a5f DM	421	if ($test eq 'and') {
f8cc5a5f DM	422	while (my $subcheck = $check->[$ind++]) {
c104e4ab	423	$self->exec_api2_perm_check($subcheck, $username, $param);
f8cc5a5f DM	424	}
	425	return 1;
	426	} elsif ($test eq 'or') {
	427	while (my $subcheck = $check->[$ind++]) {
c104e4ab	428	return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
f8cc5a5f DM	429	}
	430	return 0 if $noerr;
	431	raise_perm_exc();
	432	} elsif ($test eq 'perm') {
	433	my ($t, $tmplpath, $privs, %options) = @$check;
	434	my $any = $options{any};
	435	die "missing parameters" if !($tmplpath && $privs);
c4a776a6 DM	436	my $require_param = $options{require_param};
	437	if ($require_param && !defined($param->{$require_param})) {
	438	return 0 if $noerr;
	439	raise_perm_exc();
	440	}
f8cc5a5f	441	my $path = PVE::Tools::template_replace($tmplpath, $param);
e3a3a0d7	442	$path = PVE::AccessControl::normalize_path($path);
c4a776a6	443	return $self->check_full($username, $path, $privs, $any, $noerr);
f8cc5a5f DM	444	} elsif ($test eq 'userid-group') {
	445	my $userid = $param->{userid};
	446	my ($t, $privs, %options) = @$check;
aee071ad FG	447
	448	my $check_existing_user = !$options{groups_param} \|\| $options{groups_param} ne 'create';
	449	return 0 if $check_existing_user && !$self->check_user_exist($userid, $noerr);
	450
	451	# check permission for ALL groups (and thus ALL users)
82b63965	452	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
aee071ad	453	# list of groups $username has any of $privs on
f8cc5a5f DM	454	my $groups = $self->filter_groups($username, $privs, 1);
f8cc5a5f DM	455	if ($options{groups_param}) {
aee071ad	456	# does $username have any of $privs on all new/updated/.. groups?
f8cc5a5f	457	my @group_param = PVE::Tools::split_list($param->{groups});
82b63965	458	raise_perm_exc("/access/groups, " . join("\|", @$privs)) if !scalar(@group_param);
f8cc5a5f DM	459	foreach my $pg (@group_param) {
	460	raise_perm_exc("/access/groups/$pg, " . join("\|", @$privs))
	461	if !$groups->{$pg};
	462	}
aee071ad FG	463	}
	464	if ($check_existing_user) {
	465	# does $username have any of $privs on any existing group of $userid
f8cc5a5f DM	466	my $allowed_users = $self->group_member_join([keys %$groups]);
	467	if (!$allowed_users->{$userid}) {
	468	return 0 if $noerr;
	469	raise_perm_exc();
	470	}
	471	}
	472	}
	473	return 1;
	474	} elsif ($test eq 'userid-param') {
09d27058	475	my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
f8cc5a5f DM	476	my ($t, $subtest) = @$check;
	477	die "missing parameters" if !$subtest;
	478	if ($subtest eq 'self') {
a69bbe2e	479	return 0 if !$self->check_user_exist($userid, $noerr);
1cf154b7	480	return 1 if $username eq $userid;
f8cc5a5f DM	481	return 0 if $noerr;
f8cc5a5f DM	482	raise_perm_exc();
82b63965 DM	483	} elsif ($subtest eq 'Realm.AllocateUser') {
	484	my $path = "/access/realm/$realm";
	485	return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
f8cc5a5f DM	486	} else {
	487	die "unknown userid-param test";
	488	}
c870b202	489	} elsif ($test eq 'perm-modify') {
e3a3a0d7 DM	490	my ($t, $tmplpath) = @$check;
	491	my $path = PVE::Tools::template_replace($tmplpath, $param);
	492	$path = PVE::AccessControl::normalize_path($path);
	493	return $self->check_perm_modify($username, $path, $noerr);
c870b202	494	} else {
f8cc5a5f DM	495	die "unknown permission test";
	496	}
	497	};
	498
	499	sub check_api2_permissions {
	500	my ($self, $perm, $username, $param) = @_;
	501
d146e520	502	return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';
f8cc5a5f DM	503
	504	raise_perm_exc("user != null") if !$username;
	505
	506	return 1 if $username eq 'root@pam';
	507
	508	raise_perm_exc('user != root@pam') if !$perm;
	509
	510	return 1 if $perm->{user} && $perm->{user} eq 'all';
	511
c104e4ab	512	return $self->exec_api2_perm_check($perm->{check}, $username, $param)
f8cc5a5f DM	513	if $perm->{check};
	514
	515	raise_perm_exc();
	516	}
	517
c104e4ab DM	518	sub log_cluster_msg {
c104e4ab DM	519	my ($self, $pri, $user, $msg) = @_;
2c3a6c0a	520
c104e4ab DM	521	PVE::Cluster::log_msg($pri, $user, $msg);
c104e4ab DM	522	}
2c3a6c0a	523
c104e4ab DM	524	sub broadcast_tasklist {
c104e4ab DM	525	my ($self, $tlist) = @_;
2c3a6c0a	526
c104e4ab DM	527	PVE::Cluster::broadcast_tasklist($tlist);
c104e4ab DM	528	}
2c3a6c0a	529
c104e4ab DM	530	# initialize environment - must be called once at program startup
	531	sub init {
	532	my ($class, $type, %params) = @_;
86c4f1e6 DM	533
86c4f1e6 DM	534	$class = ref($class) \|\| $class;
5ae5900d	535
c104e4ab	536	my $self = $class->SUPER::init($type, %params);
5ae5900d	537
c104e4ab DM	538	$self->{user_cfg} = {};
	539	$self->{aclcache} = {};
	540	$self->{aclversion} = undef;
2c3a6c0a	541
c104e4ab DM	542	return $self;
c104e4ab DM	543	};
2c3a6c0a	544
2c3a6c0a DM	545
	546	# init_request - must be called before each RPC request
	547	sub init_request {
	548	my ($self, %params) = @_;
	549
	550	PVE::Cluster::cfs_update();
	551
be6ea723	552	$self->{result_attributes} = {};
272fe9ff	553
2c3a6c0a DM	554	my $userconfig; # we use this for regression tests
	555	foreach my $p (keys %params) {
	556	if ($p eq 'userconfig') {
	557	$userconfig = $params{$p};
	558	} else {
	559	die "unknown parameter '$p'";
	560	}
	561	}
	562
	563	eval {
	564	$self->{aclcache} = {};
	565	if ($userconfig) {
	566	my $ucdata = PVE::Tools::file_get_contents($userconfig);
	567	my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
	568	$self->{user_cfg} = $cfg;
	569	} else {
c104e4ab DM	570	my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
c104e4ab DM	571	if (!$self->{aclcache} \|\| !defined($self->{aclversion}) \|\|
2c3a6c0a DM	572	!defined($ucvers) \|\| ($ucvers ne $self->{aclversion})) {
	573	$self->{aclversion} = $ucvers;
	574	my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
	575	$self->{user_cfg} = $cfg;
	576	}
	577	}
	578	};
	579	if (my $err = $@) {
	580	$self->{user_cfg} = {};
	581	die "Unable to load access control list: $err";
	582	}
	583	}
	584
7d23b7ca	585	# hacks: to provide better backwards compatibility
2c3a6c0a	586
c104e4ab DM	587	# old code uses PVE::RPCEnvironment::get();
	588	# new code should use PVE::RPCEnvironment->get();
	589	sub get {
	590	return PVE::RESTEnvironment->get();
2c3a6c0a DM	591	}
2c3a6c0a DM	592
c104e4ab DM	593	# old code uses PVE::RPCEnvironment::is_worker();
c104e4ab DM	594	# new code should use PVE::RPCEnvironment->is_worker();
7b6dfe82	595	sub is_worker {
c104e4ab	596	return PVE::RESTEnvironment->is_worker();
2c3a6c0a DM	597	}
	598
	599	1;