PVE/RPCEnvironment.pm

   1 package PVE::RPCEnvironment;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::RESTEnvironment;
   7
   8 use PVE::Exception qw(raise raise_perm_exc);
   9 use PVE::SafeSyslog;
  10 use PVE::Tools;
  11 use PVE::INotify;
  12 use PVE::Cluster;
  13 use PVE::ProcFSTools;
  14 use PVE::AccessControl;
  15
  16 use base qw(PVE::RESTEnvironment);
  17
  18 # ACL cache
  19
  20 my $compile_acl_path = sub {
  21     my ($self, $user, $path) = @_;
  22
  23     my $cfg = $self->{user_cfg};
  24
  25     return undef if !$cfg->{roles};
  26
  27     die "internal error" if $user eq 'root@pam';
  28
  29     my $cache = $self->{aclcache};
  30     $cache->{$user} = {} if !$cache->{$user};
  31     my $data = $cache->{$user};
  32
  33     my ($username, undef) = PVE::AccessControl::split_tokenid($user, 1);
  34     die "internal error" if $username && $username ne 'root@pam' && !defined($cache->{$username});
  35
  36     if (!$data->{poolroles}) {
  37         $data->{poolroles} = {};
  38
  39         foreach my $pool (keys %{$cfg->{pools}}) {
  40             my $d = $cfg->{pools}->{$pool};
  41             my $pool_roles = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
  42             next if !scalar(keys %$pool_roles);
  43             foreach my $vmid (keys %{$d->{vms}}) {
  44                 for my $role (keys %$pool_roles) {
  45                     $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
  46                 }
  47             }
  48             foreach my $storeid (keys %{$d->{storage}}) {
  49                 for my $role (keys %$pool_roles) {
  50                     $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
  51                 }
  52             }
  53         }
  54     }
  55
  56     my $roles = PVE::AccessControl::roles($cfg, $user, $path);
  57
  58     # apply roles inherited from pools
  59     # Note: assume we do not want to propagate those privs
  60     if ($data->{poolroles}->{$path}) {
  61         if (!defined($roles->{NoAccess})) {
  62             if ($data->{poolroles}->{$path}->{NoAccess}) {
  63                 $roles = { 'NoAccess' => 0 };
  64             } else {
  65                 foreach my $role (keys %{$data->{poolroles}->{$path}}) {
  66                     $roles->{$role} = 0 if !defined($roles->{$role});
  67                 }
  68             }
  69         }
  70     }
  71
  72     $data->{roles}->{$path} = $roles;
  73
  74     my $privs = {};
  75     foreach my $role (keys %$roles) {
  76         if (my $privset = $cfg->{roles}->{$role}) {
  77             foreach my $p (keys %$privset) {
  78                 $privs->{$p} = $roles->{$role};
  79             }
  80         }
  81     }
  82
  83     if ($username && $username ne 'root@pam') {
  84         # intersect user and token permissions
  85         my $user_privs = $cache->{$username}->{privs}->{$path};
  86         $privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } keys %$privs };
  87     }
  88
  89     $data->{privs}->{$path} = $privs;
  90
  91     return $privs;
  92 };
  93
  94 sub permissions {
  95     my ($self, $user, $path) = @_;
  96
  97     if ($user eq 'root@pam') { # root can do anything
  98         my $cfg = $self->{user_cfg};
  99         return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
 100     }
 101
 102     if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
 103         my ($username, $token) = PVE::AccessControl::split_tokenid($user);
 104         my $cfg = $self->{user_cfg};
 105         my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
 106
 107         return {} if !$token_info;
 108
 109         # ensure cache for user is populated
 110         my $user_perms = $self->permissions($username, $path);
 111
 112         # return user privs for non-privsep tokens
 113         return $user_perms if !$token_info->{privsep};
 114     } else {
 115         $user = PVE::AccessControl::verify_username($user, 1);
 116         return {} if !$user;
 117     }
 118
 119     my $cache = $self->{aclcache};
 120     $cache->{$user} = {} if !$cache->{$user};
 121
 122     my $acl = $cache->{$user};
 123
 124     my $perm = $acl->{privs}->{$path};
 125     return $perm if $perm;
 126
 127     return &$compile_acl_path($self, $user, $path);
 128 }
 129
 130 sub check {
 131     my ($self, $user, $path, $privs, $noerr) = @_;
 132
 133     my $perm = $self->permissions($user, $path);
 134
 135     foreach my $priv (@$privs) {
 136         PVE::AccessControl::verify_privname($priv);
 137         if (!defined($perm->{$priv})) {
 138             return undef if $noerr;
 139             raise_perm_exc("$path, $priv");
 140         }
 141     };
 142
 143     return 1;
 144 };
 145
 146 sub check_any {
 147     my ($self, $user, $path, $privs, $noerr) = @_;
 148
 149     my $perm = $self->permissions($user, $path);
 150
 151     my $found = 0;
 152     foreach my $priv (@$privs) {
 153         PVE::AccessControl::verify_privname($priv);
 154         if (defined($perm->{$priv})) {
 155             $found = 1;
 156             last;
 157         }
 158     };
 159
 160     return 1 if $found;
 161
 162     return undef if $noerr;
 163
 164     raise_perm_exc("$path, " . join("|", @$privs));
 165 };
 166
 167 sub check_full {
 168     my ($self, $username, $path, $privs, $any, $noerr) = @_;
 169     if ($any) {
 170         return $self->check_any($username, $path, $privs, $noerr);
 171     } else {
 172         return $self->check($username, $path, $privs, $noerr);
 173     }
 174 }
 175
 176 sub check_user_enabled {
 177     my ($self, $user, $noerr) = @_;
 178
 179     my $cfg = $self->{user_cfg};
 180     return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr);
 181 }
 182
 183 sub check_user_exist {
 184     my ($self, $user, $noerr) = @_;
 185
 186     my $cfg = $self->{user_cfg};
 187     return PVE::AccessControl::check_user_exist($cfg, $user, $noerr);
 188 }
 189
 190 sub check_pool_exist {
 191     my ($self, $pool, $noerr) = @_;
 192
 193     my $cfg = $self->{user_cfg};
 194
 195     return 1 if $cfg->{pools}->{$pool};
 196
 197     return undef if $noerr;
 198
 199     raise_perm_exc("pool '$pool' does not exist");
 200 }
 201
 202 sub check_vm_perm {
 203     my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_;
 204
 205     my $cfg = $self->{user_cfg};
 206
 207     if ($pool) {
 208         return if $self->check_full($user, "/pool/$pool", $privs, $any, 1);
 209     }
 210     return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
 211 };
 212
 213 sub is_group_member {
 214     my ($self, $group, $user) = @_;
 215
 216     my $cfg = $self->{user_cfg};
 217
 218     return 0 if !$cfg->{groups}->{$group};
 219
 220     return defined($cfg->{groups}->{$group}->{users}->{$user});
 221 }
 222
 223 sub filter_groups {
 224     my ($self, $user, $privs, $any) = @_;
 225
 226     my $cfg = $self->{user_cfg};
 227
 228     my $groups = {};
 229     foreach my $group (keys %{$cfg->{groups}}) {
 230         my $path = "/access/groups/$group";
 231         if ($self->check_full($user, $path, $privs, $any, 1)) {
 232             $groups->{$group} = $cfg->{groups}->{$group};
 233         }
 234     }
 235
 236     return $groups;
 237 }
 238
 239 sub group_member_join {
 240     my ($self, $grouplist) = @_;
 241
 242     my $users = {};
 243
 244     my $cfg = $self->{user_cfg};
 245     foreach my $group (@$grouplist) {
 246         my $data = $cfg->{groups}->{$group};
 247         next if !$data;
 248         foreach my $user (keys %{$data->{users}}) {
 249             $users->{$user} = 1;
 250         }
 251     }
 252
 253     return $users;
 254 }
 255
 256 sub check_perm_modify {
 257     my ($self, $username, $path, $noerr) = @_;
 258
 259     return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
 260
 261     my $testperms = [ 'Permissions.Modify' ];
 262     if ($path =~ m|^/storage/.+$|) {
 263         push @$testperms, 'Datastore.Allocate';
 264     } elsif ($path =~ m|^/vms/.+$|) {
 265         push @$testperms, 'VM.Allocate';
 266     } elsif ($path =~ m|^/pool/.+$|) {
 267         push @$testperms, 'Pool.Allocate';
 268     }
 269
 270     return $self->check_any($username, $path, $testperms, $noerr);
 271 }
 272
 273 sub exec_api2_perm_check {
 274     my ($self, $check, $username, $param, $noerr) = @_;
 275
 276     # syslog("info", "CHECK " . join(', ', @$check));
 277
 278     my $ind = 0;
 279     my $test = $check->[$ind++];
 280     die "no permission test specified" if !$test;
 281
 282     if ($test eq 'and') {
 283         while (my $subcheck = $check->[$ind++]) {
 284             $self->exec_api2_perm_check($subcheck, $username, $param);
 285         }
 286         return 1;
 287     } elsif ($test eq 'or') {
 288         while (my $subcheck = $check->[$ind++]) {
 289             return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1);
 290         }
 291         return 0 if $noerr;
 292         raise_perm_exc();
 293     } elsif ($test eq 'perm') {
 294         my ($t, $tmplpath, $privs, %options) = @$check;
 295         my $any = $options{any};
 296         die "missing parameters" if !($tmplpath && $privs);
 297         my $require_param = $options{require_param};
 298         if ($require_param && !defined($param->{$require_param})) {
 299             return 0 if $noerr;
 300             raise_perm_exc();
 301         }
 302         my $path = PVE::Tools::template_replace($tmplpath, $param);
 303         $path = PVE::AccessControl::normalize_path($path);
 304         return $self->check_full($username, $path, $privs, $any, $noerr);
 305     } elsif ($test eq 'userid-group') {
 306         my $userid = $param->{userid};
 307         my ($t, $privs, %options) = @$check;
 308         return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
 309         if (!$self->check_any($username, "/access/groups", $privs, 1)) {
 310             my $groups = $self->filter_groups($username, $privs, 1);
 311             if ($options{groups_param}) {
 312                 my @group_param = PVE::Tools::split_list($param->{groups});
 313                 raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param);
 314                 foreach my $pg (@group_param) {
 315                     raise_perm_exc("/access/groups/$pg, " . join("|", @$privs))
 316                         if !$groups->{$pg};
 317                 }
 318             } else {
 319                 my $allowed_users = $self->group_member_join([keys %$groups]);
 320                 if (!$allowed_users->{$userid}) {
 321                     return 0 if $noerr;
 322                     raise_perm_exc();
 323                 }
 324             }
 325         }
 326         return 1;
 327     } elsif ($test eq 'userid-param') {
 328         my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
 329         my ($t, $subtest) = @$check;
 330         die "missing parameters" if !$subtest;
 331         if ($subtest eq 'self') {
 332             return 0 if !$self->check_user_exist($userid, $noerr);
 333             return 1 if $username eq $userid;
 334             return 0 if $noerr;
 335             raise_perm_exc();
 336         } elsif ($subtest eq 'Realm.AllocateUser') {
 337             my $path =  "/access/realm/$realm";
 338             return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
 339         } else {
 340             die "unknown userid-param test";
 341         }
 342      } elsif ($test eq 'perm-modify') {
 343         my ($t, $tmplpath) = @$check;
 344         my $path = PVE::Tools::template_replace($tmplpath, $param);
 345         $path = PVE::AccessControl::normalize_path($path);
 346         return $self->check_perm_modify($username, $path, $noerr);
 347    } else {
 348         die "unknown permission test";
 349     }
 350 };
 351
 352 sub check_api2_permissions {
 353     my ($self, $perm, $username, $param) = @_;
 354
 355     return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';
 356
 357     raise_perm_exc("user != null") if !$username;
 358
 359     return 1 if $username eq 'root@pam';
 360
 361     raise_perm_exc('user != root@pam') if !$perm;
 362
 363     return 1 if $perm->{user} && $perm->{user} eq 'all';
 364
 365     return $self->exec_api2_perm_check($perm->{check}, $username, $param)
 366         if $perm->{check};
 367
 368     raise_perm_exc();
 369 }
 370
 371 sub log_cluster_msg {
 372     my ($self, $pri, $user, $msg) = @_;
 373
 374     PVE::Cluster::log_msg($pri, $user, $msg);
 375 }
 376
 377 sub broadcast_tasklist {
 378     my ($self, $tlist) = @_;
 379
 380     PVE::Cluster::broadcast_tasklist($tlist);
 381 }
 382
 383 # initialize environment - must be called once at program startup
 384 sub init {
 385     my ($class, $type, %params) = @_;
 386
 387     $class = ref($class) || $class;
 388
 389     my $self = $class->SUPER::init($type, %params);
 390
 391     $self->{user_cfg} = {};
 392     $self->{aclcache} = {};
 393     $self->{aclversion} = undef;
 394
 395     return $self;
 396 };
 397
 398
 399 # init_request - must be called before each RPC request
 400 sub init_request {
 401     my ($self, %params) = @_;
 402
 403     PVE::Cluster::cfs_update();
 404
 405     $self->{result_attributes} = {};
 406
 407     my $userconfig; # we use this for regression tests
 408     foreach my $p (keys %params) {
 409         if ($p eq 'userconfig') {
 410             $userconfig = $params{$p};
 411         } else {
 412             die "unknown parameter '$p'";
 413         }
 414     }
 415
 416     eval {
 417         $self->{aclcache} = {};
 418         if ($userconfig) {
 419             my $ucdata = PVE::Tools::file_get_contents($userconfig);
 420             my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
 421             $self->{user_cfg} = $cfg;
 422         } else {
 423             my $ucvers = PVE::Cluster::cfs_file_version('user.cfg');
 424             if (!$self->{aclcache} || !defined($self->{aclversion}) ||
 425                 !defined($ucvers) ||  ($ucvers ne $self->{aclversion})) {
 426                 $self->{aclversion} = $ucvers;
 427                 my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
 428                 $self->{user_cfg} = $cfg;
 429             }
 430         }
 431     };
 432     if (my $err = $@) {
 433         $self->{user_cfg} = {};
 434         die "Unable to load access control list: $err";
 435     }
 436 }
 437
 438 # hacks: to provide better backwards compatibiliy
 439
 440 # old code uses PVE::RPCEnvironment::get();
 441 # new code should use PVE::RPCEnvironment->get();
 442 sub get {
 443     return PVE::RESTEnvironment->get();
 444 }
 445
 446 # old code uses PVE::RPCEnvironment::is_worker();
 447 # new code should use PVE::RPCEnvironment->is_worker();
 448 sub is_worker {
 449     return PVE::RESTEnvironment->is_worker();
 450 }
 451
 452 1;