src/test/perm-test1.pl

   1 #!/usr/bin/perl -w
   2
   3 use strict;
   4 use warnings;
   5
   6 use Getopt::Long;
   7
   8 use PVE::Tools;
   9
  10 use PVE::AccessControl;
  11 use PVE::RPCEnvironment;
  12
  13 my $rpcenv = PVE::RPCEnvironment->init('cli');
  14
  15 my $cfgfn = "test1.cfg";
  16 $rpcenv->init_request(userconfig => $cfgfn);
  17
  18 sub check_roles {
  19     my ($user, $path, $expected_result) = @_;
  20
  21     my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
  22     my $res = join(',', sort keys %$roles);
  23
  24     die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
  25         if $res ne $expected_result;
  26
  27     print "ROLES:$path:$user:$res\n";
  28 }
  29
  30 sub check_permission {
  31     my ($user, $path, $expected_result) = @_;
  32
  33     my $perm = $rpcenv->permissions($user, $path);
  34     my $res = join(',', sort keys %$perm);
  35
  36     die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
  37         if $res ne $expected_result;
  38
  39     $perm = $rpcenv->permissions($user, $path);
  40     $res = join(',', sort keys %$perm);
  41     die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
  42         if $res ne $expected_result;
  43
  44     print "PERM:$path:$user:$res\n";
  45 }
  46
  47 check_roles('max@pve', '/', '');
  48 check_roles('max@pve', '/vms', 'vm_admin');
  49
  50 #user permissions overrides group permissions
  51 check_roles('max@pve', '/vms/100', 'customer');
  52 check_roles('max@pve', '/vms/101', 'vm_admin');
  53
  54 check_permission('max@pve', '/', '');
  55 check_permission('max@pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
  56 check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
  57
  58 check_permission('alex@pve', '/vms', '');
  59 check_permission('alex@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
  60
  61 # PVEVMAdmin -> no Permissions.Modify!
  62 check_permission(
  63     'alex@pve',
  64     '/vms/300',
  65     '' # sorted, comma-separated expected privilege string
  66     . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
  67     . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
  68     . 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback'
  69 );
  70 # Administrator -> Permissions.Modify!
  71 check_permission(
  72     'alex@pve',
  73     '/vms/400',
  74     '' # sorted, comma-separated expected privilege string, loosely grouped by prefix
  75     . 'Datastore.Allocate,Datastore.AllocateSpace,Datastore.AllocateTemplate,Datastore.Audit,'
  76     . 'Group.Allocate,'
  77     . 'Mapping.Audit,Mapping.Modify,Mapping.Use,'
  78     . 'Permissions.Modify,'
  79     . 'Pool.Allocate,Pool.Audit,'
  80     . 'Realm.Allocate,Realm.AllocateUser,'
  81     . 'SDN.Allocate,SDN.Audit,SDN.Use,'
  82     . 'Sys.AccessNetwork,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
  83     . 'User.Modify,'
  84     . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
  85     . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
  86     . 'VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback',
  87 );
  88
  89 check_roles('max@pve', '/vms/200', 'storage_manager');
  90 check_roles('joe@pve', '/vms/200', 'vm_admin');
  91 check_roles('sue@pve', '/vms/200', 'NoAccess');
  92
  93 print "all tests passed\n";
  94
  95 exit (0);