PVE/RPCEnvironment.pm

   1 package PVE::RPCEnvironment;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::RESTEnvironment;
   7
   8 use PVE::Exception qw(raise raise_perm_exc);
   9 use PVE::SafeSyslog;
  10 use PVE::Tools;
  11 use PVE::INotify;
  12 use PVE::Cluster;
  13 use PVE::ProcFSTools;
  14 use PVE::AccessControl;
  15
  16 use base qw(PVE::RESTEnvironment);
  17
  18 # ACL cache
  19
  20 my $compile_acl_path = sub {
  21     my ($self, $user, $path) = @_;
  22
  23     my $cfg = $self->{user_cfg};
  24
  25     return undef if !$cfg->{roles};
  26
  27     die "internal error" if $user eq 'root@pam';
  28
  29     my $cache = $self->{aclcache};
  30     $cache->{$user} = {} if !$cache->{$user};
  31     my $data = $cache->{$user};
  32
  33     if (!$data->{poolroles}) {
  34         $data->{poolroles} = {};
  35
  36         foreach my $pool (keys %{$cfg->{pools}}) {
  37             my $d = $cfg->{pools}->{$pool};
  38             my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
  39             next if !scalar(@ra);
  40             foreach my $vmid (keys %{$d->{vms}}) {
  41                 for my $role (@ra) {
  42                     $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
  43                 }
  44             }
  45             foreach my $storeid (keys %{$d->{storage}}) {
  46                 for my $role (@ra) {
  47                     $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
  48                 }
  49             }
  50         }
  51     }
  52
  53     my @ra = PVE::AccessControl::roles($cfg, $user, $path);
  54
  55     # apply roles inherited from pools
  56     # Note: assume we do not want to propagate those privs
  57     if ($data->{poolroles}->{$path}) {
  58         if (!($ra[0] && $ra[0] eq 'NoAccess')) {
  59             if ($data->{poolroles}->{$path}->{NoAccess}) {
  60                 @ra = ('NoAccess');
  61             } else {
  62                 foreach my $role (keys %{$data->{poolroles}->{$path}}) {
  63                     push @ra, $role;
  64                 }
  65             }
  66         }
  67     }
  68
  69     $data->{roles}->{$path} = [ @ra ];
  70
  71     my $privs = {};
  72     foreach my $role (@ra) {
  73         if (my $privset = $cfg->{roles}->{$role}) {
  74             foreach my $p (keys %$privset) {
  75                 $privs->{$p} = 1;
  76             }
  77         }
  78     }
  79     $data->{privs}->{$path} = $privs;
  80
  81     return $privs;
  82 };
  83
  84 sub permissions {
  85     my ($self, $user, $path) = @_;
  86
  87     if ($user eq 'root@pam') { # root can do anything
  88         my $cfg = $self->{user_cfg};
  89         return $cfg->{roles}->{'Administrator'};
  90     }
  91
  92     $user = PVE::AccessControl::verify_username($user, 1);
  93     return {} if !$user;
  94
  95     my $cache = $self->{aclcache};
  96     $cache->{$user} = {} if !$cache->{$user};
  97
  98     my $acl = $cache->{$user};
  99
 100     my $perm = $acl->{privs}->{$path};
 101     return $perm if $perm;
 102
 103     return &$compile_acl_path($self, $user, $path);
 104 }
 105
 106 sub check {
 107     my ($self, $user, $path, $privs, $noerr) = @_;
 108
 109     my $perm = $self->permissions($user, $path);
 110
 111     foreach my $priv (@$privs) {
 112         PVE::AccessControl::verify_privname($priv);
 113         if (!$perm->{$priv}) {
 114             return undef if $noerr;
 115             raise_perm_exc("$path, $priv");
 116         }
 117     };
 118
 119     return 1;
 120 };
 121
 122 sub check_any {
 123     my ($self, $user, $path, $privs, $noerr) = @_;
 124
 125     my $perm = $self->permissions($user, $path);
 126
 127     my $found = 0;
 128     foreach my $priv (@$privs) {
 129         PVE::AccessControl::verify_privname($priv);
 130         if ($perm->{$priv}) {
 131             $found = 1;
 132             last;
 133         }
 134     };
 135
 136     return 1 if $found;
 137
 138     return undef if $noerr;
 139
 140     raise_perm_exc("$path, " . join("|", @$privs));
 141 };
 142
 143 sub check_full {
 144     my ($self, $username, $path, $privs, $any, $noerr) = @_;
 145     if ($any) {
 146         return $self->check_any($username, $path, $privs, $noerr);
 147     } else {
 148         return $self->check($username, $path, $privs, $noerr);
 149     }
 150 }
 151
 152 sub check_user_enabled {
 153     my ($self, $user, $noerr) = @_;
 154
 155     my $cfg = $self->{user_cfg};
 156     return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
 157 }
 158
 159 sub check_user_exist {
 160     my ($self, $user, $noerr) = @_;
 161
 162     my $cfg = $self->{user_cfg};
 163     return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
 164 }
 165
 166 sub check_pool_exist {
 167     my ($self, $pool, $noerr) = @_;
 168
 169     my $cfg = $self->{user_cfg};
 170
 171     return 1 if $cfg->{pools}->{$pool};
 172
 173     return undef if $noerr;
 174
 175     raise_perm_exc("pool '$pool' does not exist");
 176 }
 177
 178 sub check_vm_perm {
 179     my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;
 180
 181     my $cfg = $self->{user_cfg};
 182
 183     if ($pool) {
 184         return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
 185     }
 186     return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
 187 };
 188
 189 sub is_group_member {
 190     my ($self, $group, $user) = @_;
 191
 192     my $cfg = $self->{user_cfg};
 193
 194     return 0 if !$cfg->{groups}->{$group};
 195
 196     return defined($cfg->{groups}->{$group}->{users}->{$user});
 197 }
 198
 199 sub filter_groups {
 200     my ($self, $user, $privs, $any) = @_;
 201
 202     my $cfg = $self->{user_cfg};
 203
 204     my $groups = {};
 205     foreach my $group (keys %{$cfg->{groups}}) {
 206         my $path = "/access/groups/$group";
 207         if ($self->check_full($user, $path, $privs, $any, 1)) {
 208             $groups->{$group} = $cfg->{groups}->{$group};
 209         }
 210     }
 211
 212     return $groups;
 213 }
 214
 215 sub group_member_join {
 216     my ($self, $grouplist) = @_;
 217
 218     my $users = {};
 219
 220     my $cfg = $self->{user_cfg};
 221     foreach my $group (@$grouplist) {
 222         my $data = $cfg->{groups}->{$group};
 223         next if !$data;
 224         foreach my $user (keys %{$data->{users}}) {
 225             $users->{$user} = 1;
 226         }
 227     }
 228
 229     return $users;
 230 }
 231
 232 sub check_perm_modify {
 233     my ($self, $username, $path, $noerr) = @_;
 234
 235     return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
 236
 237     my $testperms = [ 'Permissions.Modify' ];
 238     if ($path =~ m|^/storage/.+$|) {
 239         push @$testperms, 'Datastore.Allocate';
 240     } elsif ($path =~ m|^/vms/.+$|) {
 241         push @$testperms, 'VM.Allocate';
 242     } elsif ($path =~ m|^/pool/.+$|) {
 243         push @$testperms, 'Pool.Allocate';
 244     }
 245
 246     return $self->check_any($username, $path, $testperms, $noerr);
 247 }
 248
 249 sub exec_api2_perm_check {
 250     my ($self, $check, $username, $param, $noerr) = @_;
 251
 252     # syslog("info", "CHECK " . join(', ', @$check));
 253
 254     my $ind = 0;
 255     my $test = $check->[$ind++];
 256     die "no permission test specified" if !$test;
 257
 258     if ($test eq 'and') {
 259         while (my $subcheck = $check->[$ind++]) {
 260             $self->exec_api2_perm_check($subcheck, $username, $param);
 261         }
 262         return 1;
 263     } elsif ($test eq 'or') {
 264         while (my $subcheck = $check->[$ind++]) {
 265             return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
 266         }
 267         return 0 if $noerr;
 268         raise_perm_exc();
 269     } elsif ($test eq 'perm') {
 270         my ($t, $tmplpath, $privs, %options) = @$check;
 271         my $any = $options{any};
 272         die "missing parameters" if !($tmplpath && $privs);
 273         my $require_param = $options{require_param};
 274         if ($require_param && !defined($param->{$require_param})) {
 275             return 0 if $noerr;
 276             raise_perm_exc();
 277         }
 278         my $path = PVE::Tools::template_replace($tmplpath, $param);
 279         $path = PVE::AccessControl::normalize_path($path);
 280         return $self->check_full($username, $path, $privs, $any, $noerr);
 281     } elsif ($test eq 'userid-group') {
 282         my $userid = $param->{userid};
 283         my ($t, $privs, %options) = @$check;
 284         return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
 285         if (!$self->check_any($username, "/access/groups", $privs, 1)) {
 286             my $groups = $self->filter_groups($username, $privs, 1);
 287             if ($options{groups_param}) {
 288                 my @group_param = PVE::Tools::split_list($param->{groups});
 289                 raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param);
 290                 foreach my $pg (@group_param) {
 291                     raise_perm_exc("/access/groups/$pg, " . join("|", @$privs))
 292                         if !$groups->{$pg};
 293                 }
 294             } else {
 295                 my $allowed_users = $self->group_member_join([keys %$groups]);
 296                 if (!$allowed_users->{$userid}) {
 297                     return 0 if $noerr;
 298                     raise_perm_exc();
 299                 }
 300             }
 301         }
 302         return 1;
 303     } elsif ($test eq 'userid-param') {
 304         my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
 305         my ($t, $subtest) = @$check;
 306         die "missing parameters" if !$subtest;
 307         if ($subtest eq 'self') {
 308             return 0 if !$self->check_user_exist($userid, $noerr);
 309             return 1 if $username eq $userid;
 310             return 0 if $noerr;
 311             raise_perm_exc();
 312         } elsif ($subtest eq 'Realm.AllocateUser') {
 313             my $path =  "/access/realm/$realm";
 314             return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
 315         } else {
 316             die "unknown userid-param test";
 317         }
 318      } elsif ($test eq 'perm-modify') {
 319         my ($t, $tmplpath) = @$check;
 320         my $path = PVE::Tools::template_replace($tmplpath, $param);
 321         $path = PVE::AccessControl::normalize_path($path);
 322         return $self->check_perm_modify($username, $path, $noerr);
 323    } else {
 324         die "unknown permission test";
 325     }
 326 };
 327
 328 sub check_api2_permissions {
 329     my ($self, $perm, $username, $param) = @_;
 330
 331     return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';
 332
 333     raise_perm_exc("user != null") if !$username;
 334
 335     return 1 if $username eq 'root@pam';
 336
 337     raise_perm_exc('user != root@pam') if !$perm;
 338
 339     return 1 if $perm->{user} && $perm->{user} eq 'all';
 340
 341     return $self->exec_api2_perm_check($perm->{check}, $username, $param)
 342         if $perm->{check};
 343
 344     raise_perm_exc();
 345 }
 346
 347 sub log_cluster_msg {
 348     my ($self, $pri, $user, $msg) = @_;
 349
 350     PVE::Cluster::log_msg($pri, $user, $msg);
 351 }
 352
 353 sub broadcast_tasklist {
 354     my ($self, $tlist) = @_;
 355
 356     PVE::Cluster::broadcast_tasklist($tlist);
 357 }
 358
 359 # initialize environment - must be called once at program startup
 360 sub init {
 361     my ($class, $type, %params) = @_;
 362
 363     $class = ref($class) || $class;
 364
 365     my $self = $class->SUPER::init($type, %params);
 366
 367     $self->{user_cfg} = {};
 368     $self->{aclcache} = {};
 369     $self->{aclversion} = undef;
 370
 371     return $self;
 372 };
 373
 374
 375 # init_request - must be called before each RPC request
 376 sub init_request {
 377     my ($self, %params) = @_;
 378
 379     PVE::Cluster::cfs_update();
 380
 381     $self->{result_attributes} = {};
 382
 383     my $userconfig; # we use this for regression tests
 384     foreach my $p (keys %params) {
 385         if ($p eq 'userconfig') {
 386             $userconfig = $params{$p};
 387         } else {
 388             die "unknown parameter '$p'";
 389         }
 390     }
 391
 392     eval {
 393         $self->{aclcache} = {};
 394         if ($userconfig) {
 395             my $ucdata = PVE::Tools::file_get_contents($userconfig);
 396             my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
 397             $self->{user_cfg} = $cfg;
 398         } else {
 399             my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
 400             if (!$self->{aclcache} || !defined($self->{aclversion}) ||
 401                 !defined($ucvers) ||  ($ucvers ne $self->{aclversion})) {
 402                 $self->{aclversion} = $ucvers;
 403                 my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
 404                 $self->{user_cfg} = $cfg;
 405             }
 406         }
 407     };
 408     if (my $err = $@) {
 409         $self->{user_cfg} = {};
 410         die "Unable to load access control list: $err";
 411     }
 412 }
 413
 414 # hacks: to provide better backwards compatibiliy
 415
 416 # old code uses PVE::RPCEnvironment::get();
 417 # new code should use PVE::RPCEnvironment->get();
 418 sub get {
 419     return PVE::RESTEnvironment->get();
 420 }
 421
 422 # old code uses PVE::RPCEnvironment::is_worker();
 423 # new code should use PVE::RPCEnvironment->is_worker();
 424 sub is_worker {
 425     return PVE::RESTEnvironment->is_worker();
 426 }
 427
 428 1;