use base qw(PVE::RESTEnvironment);
-# FIXME: remove dependency to PVE::Storage;
-
# ACL cache
my $compile_acl_path = sub {
$cache->{$user} = {} if !$cache->{$user};
my $data = $cache->{$user};
+ my ($username, undef) = PVE::AccessControl::split_tokenid($user, 1);
+ die "internal error" if $username && $username ne 'root@pam' && !defined($cache->{$username});
+
if (!$data->{poolroles}) {
$data->{poolroles} = {};
foreach my $pool (keys %{$cfg->{pools}}) {
my $d = $cfg->{pools}->{$pool};
- my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
- next if !scalar(@ra);
+ my $pool_roles = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
+ next if !scalar(keys %$pool_roles);
foreach my $vmid (keys %{$d->{vms}}) {
- for my $role (@ra) {
+ for my $role (keys %$pool_roles) {
$data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
}
}
foreach my $storeid (keys %{$d->{storage}}) {
- for my $role (@ra) {
+ for my $role (keys %$pool_roles) {
$data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
}
}
}
}
- my @ra = PVE::AccessControl::roles($cfg, $user, $path);
+ my $roles = PVE::AccessControl::roles($cfg, $user, $path);
# apply roles inherited from pools
# Note: assume we do not want to propagate those privs
if ($data->{poolroles}->{$path}) {
- if (!($ra[0] && $ra[0] eq 'NoAccess')) {
+ if (!defined($roles->{NoAccess})) {
if ($data->{poolroles}->{$path}->{NoAccess}) {
- @ra = ('NoAccess');
+ $roles = { 'NoAccess' => 0 };
} else {
foreach my $role (keys %{$data->{poolroles}->{$path}}) {
- push @ra, $role;
+ $roles->{$role} = 0 if !defined($roles->{$role});
}
}
}
}
- $data->{roles}->{$path} = [ @ra ];
+ $data->{roles}->{$path} = $roles;
my $privs = {};
- foreach my $role (@ra) {
+ foreach my $role (keys %$roles) {
if (my $privset = $cfg->{roles}->{$role}) {
foreach my $p (keys %$privset) {
- $privs->{$p} = 1;
+ $privs->{$p} = $roles->{$role};
}
}
}
+
+ if ($username && $username ne 'root@pam') {
+ # intersect user and token permissions
+ my $user_privs = $cache->{$username}->{privs}->{$path};
+ $privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } keys %$privs };
+ }
+
$data->{privs}->{$path} = $privs;
return $privs;
};
-sub roles {
- my ($self, $user, $path) = @_;
-
- if ($user eq 'root@pam') { # root can do anything
- return ('Administrator');
- }
-
- $user = PVE::AccessControl::verify_username($user, 1);
- return () if !$user;
-
- my $cache = $self->{aclcache};
- $cache->{$user} = {} if !$cache->{$user};
-
- my $acl = $cache->{$user};
-
- my $roles = $acl->{roles}->{$path};
- return @$roles if $roles;
-
- &$compile_acl_path($self, $user, $path);
- $roles = $acl->{roles}->{$path} || [];
- return @$roles;
-}
-
sub permissions {
my ($self, $user, $path) = @_;
if ($user eq 'root@pam') { # root can do anything
my $cfg = $self->{user_cfg};
- return $cfg->{roles}->{'Administrator'};
+ return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
}
- $user = PVE::AccessControl::verify_username($user, 1);
- return {} if !$user;
+ if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
+ my ($username, $token) = PVE::AccessControl::split_tokenid($user);
+ my $cfg = $self->{user_cfg};
+ my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
+
+ return {} if !$token_info;
+
+ # ensure cache for user is populated
+ my $user_perms = $self->permissions($username, $path);
+
+ # return user privs for non-privsep tokens
+ return $user_perms if !$token_info->{privsep};
+ } else {
+ $user = PVE::AccessControl::verify_username($user, 1);
+ return {} if !$user;
+ }
my $cache = $self->{aclcache};
$cache->{$user} = {} if !$cache->{$user};
return &$compile_acl_path($self, $user, $path);
}
+sub get_effective_permissions {
+ my ($self, $user) = @_;
+
+ # default / top level paths
+ my $paths = {
+ '/' => 1,
+ '/access' => 1,
+ '/access/groups' => 1,
+ '/nodes' => 1,
+ '/pools' => 1,
+ '/storage' => 1,
+ '/vms' => 1,
+ };
+
+ my $cfg = $self->{user_cfg};
+
+ # paths explicitly listed in ACLs
+ foreach my $acl_path (keys %{$cfg->{acl}}) {
+ $paths->{$acl_path} = 1;
+ }
+
+ # paths referenced by pool definitions
+ foreach my $pool (keys %{$cfg->{pools}}) {
+ my $d = $cfg->{pools}->{$pool};
+ foreach my $vmid (keys %{$d->{vms}}) {
+ $paths->{"/vms/$vmid"} = 1;
+ }
+ foreach my $storeid (keys %{$d->{storage}}) {
+ $paths->{"/storage/$storeid"} = 1;
+ }
+ }
+
+ my $perms = {};
+ foreach my $path (keys %$paths) {
+ my $path_perms = $self->permissions($user, $path);
+ # filter paths where user has NO permissions
+ $perms->{$path} = $path_perms if %$path_perms;
+ }
+ return $perms;
+}
+
sub check {
my ($self, $user, $path, $privs, $noerr) = @_;
foreach my $priv (@$privs) {
PVE::AccessControl::verify_privname($priv);
- if (!$perm->{$priv}) {
+ if (!defined($perm->{$priv})) {
return undef if $noerr;
raise_perm_exc("$path, $priv");
}
my $found = 0;
foreach my $priv (@$privs) {
PVE::AccessControl::verify_privname($priv);
- if ($perm->{$priv}) {
+ if (defined($perm->{$priv})) {
$found = 1;
last;
}
return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
};
-sub check_volume_access {
- my ($self, $user, $storecfg, $vmid, $volid) = @_;
-
- # test if we have read access to volid
-
- my ($sid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
- if ($sid) {
- my ($vtype, undef, $ownervm) = PVE::Storage::parse_volname($storecfg, $volid);
- if ($vtype eq 'iso' || $vtype eq 'vztmpl') {
- # we simply allow access
- } elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) {
- # we are owner - allow access
- } elsif ($vtype eq 'backup' && $ownervm) {
- $self->check($user, "/storage/$sid", ['Datastore.AllocateSpace']);
- $self->check($user, "/vms/$ownervm", ['VM.Backup']);
- } else {
- # allow if we are Datastore administrator
- $self->check($user, "/storage/$sid", ['Datastore.Allocate']);
- }
- } else {
- die "Only root can pass arbitrary filesystem paths."
- if $user ne 'root@pam';
- }
-
- return undef;
-}
-
sub is_group_member {
my ($self, $group, $user) = @_;
sub check_api2_permissions {
my ($self, $perm, $username, $param) = @_;
- return 1 if !$username && $perm->{user} eq 'world';
+ return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';
raise_perm_exc("user != null") if !$username;
projects / pve-access-control.git / blobdiff