[pve-access-control.git] / src / test / perm-test1.pl

#!/usr/bin/perl -w

use strict;
use warnings;

use Getopt::Long;

use PVE::Tools;

use PVE::AccessControl;
use PVE::RPCEnvironment;

my $rpcenv = PVE::RPCEnvironment->init('cli');

my $cfgfn = "test1.cfg";
$rpcenv->init_request(userconfig => $cfgfn);

sub check_roles {
    my ($user, $path, $expected_result) = @_;

    my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
    my $res = join(',', sort keys %$roles);

    die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
	if $res ne $expected_result;

    print "ROLES:$path:$user:$res\n";
}

sub check_permission {
    my ($user, $path, $expected_result) = @_;

    my $perm = $rpcenv->permissions($user, $path);
    my $res = join(',', sort keys %$perm);

    die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
	if $res ne $expected_result;

    $perm = $rpcenv->permissions($user, $path);
    $res = join(',', sort keys %$perm);
    die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
	if $res ne $expected_result;

    print "PERM:$path:$user:$res\n";
}

check_roles('max@pve', '/', '');
check_roles('max@pve', '/vms', 'vm_admin');

#user permissions overrides group permissions
check_roles('max@pve', '/vms/100', 'customer');
check_roles('max@pve', '/vms/101', 'vm_admin');

check_permission('max@pve', '/', '');
check_permission('max@pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');

check_permission('alex@pve', '/vms', '');
check_permission('alex@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');

# PVEVMAdmin -> no Permissions.Modify!
check_permission(
    'alex@pve',
    '/vms/300',
    '' # sorted, comma-separated expected privilege string
    . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
    . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
    . 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback'
);
# Administrator -> Permissions.Modify!
check_permission(
    'alex@pve',
    '/vms/400',
    '' # sorted, comma-separated expected privilege string, loosely grouped by prefix
    . 'Datastore.Allocate,Datastore.AllocateSpace,Datastore.AllocateTemplate,Datastore.Audit,'
    . 'Group.Allocate,'
    . 'Mapping.Audit,Mapping.Modify,Mapping.Use,'
    . 'Permissions.Modify,'
    . 'Pool.Allocate,Pool.Audit,'
    . 'Realm.Allocate,Realm.AllocateUser,'
    . 'SDN.Allocate,SDN.Audit,SDN.Use,'
    . 'Sys.AccessNetwork,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
    . 'User.Modify,'
    . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
    . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
    . 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback',
);

check_roles('max@pve', '/vms/200', 'storage_manager');
check_roles('joe@pve', '/vms/200', 'vm_admin');
check_roles('sue@pve', '/vms/200', 'NoAccess');

print "all tests passed\n";

exit (0);
Commit	Line	Data
2c3a6c0a DM	1	#!/usr/bin/perl -w
	2
	3	use strict;
95fb22e6 TL	4	use warnings;
	5
	6	use Getopt::Long;
	7
2c3a6c0a	8	use PVE::Tools;
95fb22e6	9
2c3a6c0a DM	10	use PVE::AccessControl;
2c3a6c0a DM	11	use PVE::RPCEnvironment;
2c3a6c0a DM	12
	13	my $rpcenv = PVE::RPCEnvironment->init('cli');
	14
9449fe21	15	my $cfgfn = "test1.cfg";
2c3a6c0a DM	16	$rpcenv->init_request(userconfig => $cfgfn);
	17
	18	sub check_roles {
	19	my ($user, $path, $expected_result) = @_;
	20
7e8bcaa7 FG	21	my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
7e8bcaa7 FG	22	my $res = join(',', sort keys %$roles);
2c3a6c0a DM	23
	24	die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
	25	if $res ne $expected_result;
	26
	27	print "ROLES:$path:$user:$res\n";
	28	}
	29
	30	sub check_permission {
	31	my ($user, $path, $expected_result) = @_;
	32
9efcb561	33	my $perm = $rpcenv->permissions($user, $path);
2c3a6c0a DM	34	my $res = join(',', sort keys %$perm);
	35
	36	die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
	37	if $res ne $expected_result;
	38
	39	$perm = $rpcenv->permissions($user, $path);
	40	$res = join(',', sort keys %$perm);
	41	die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
	42	if $res ne $expected_result;
	43
	44	print "PERM:$path:$user:$res\n";
2c3a6c0a DM	45	}
	46
	47	check_roles('max@pve', '/', '');
	48	check_roles('max@pve', '/vms', 'vm_admin');
	49
	50	#user permissions overrides group permissions
	51	check_roles('max@pve', '/vms/100', 'customer');
	52	check_roles('max@pve', '/vms/101', 'vm_admin');
	53
	54	check_permission('max@pve', '/', '');
	55	check_permission('max@pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
	56	check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
	57
	58	check_permission('alex@pve', '/vms', '');
	59	check_permission('alex@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
	60
df619a8d	61	# PVEVMAdmin -> no Permissions.Modify!
742a7b6c TL	62	check_permission(
	63	'alex@pve',
	64	'/vms/300',
	65	'' # sorted, comma-separated expected privilege string
	66	. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
	67	. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
	68	. 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback'
	69	);
df619a8d	70	# Administrator -> Permissions.Modify!
742a7b6c TL	71	check_permission(
	72	'alex@pve',
	73	'/vms/400',
	74	'' # sorted, comma-separated expected privilege string, loosely grouped by prefix
	75	. 'Datastore.Allocate,Datastore.AllocateSpace,Datastore.AllocateTemplate,Datastore.Audit,'
	76	. 'Group.Allocate,'
	77	. 'Mapping.Audit,Mapping.Modify,Mapping.Use,'
	78	. 'Permissions.Modify,'
	79	. 'Pool.Allocate,Pool.Audit,'
	80	. 'Realm.Allocate,Realm.AllocateUser,'
	81	. 'SDN.Allocate,SDN.Audit,SDN.Use,'
36c18144	82	. 'Sys.AccessNetwork,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
742a7b6c TL	83	. 'User.Modify,'
	84	. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
	85	. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
	86	. 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback',
	87	);
2c3a6c0a DM	88
	89	check_roles('max@pve', '/vms/200', 'storage_manager');
	90	check_roles('joe@pve', '/vms/200', 'vm_admin');
4bc17477	91	check_roles('sue@pve', '/vms/200', 'NoAccess');
2c3a6c0a DM	92
	93	print "all tests passed\n";
	94
	95	exit (0);