X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FAccessControl.pm;h=5f859197446655436e58501ca282683ddc8c2534;hp=24699d215822658e51d672829545a7e87da4553d;hb=fe2defd9d52b236b2c69498b2bf7d3be501a8462;hpb=adf8d771d04a48f12386ac485437232620d65494 diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm index 24699d2..5f85919 100644 --- a/PVE/API2/AccessControl.pm +++ b/PVE/API2/AccessControl.pm @@ -3,6 +3,7 @@ package PVE::API2::AccessControl; use strict; use warnings; +use PVE::Exception qw(raise raise_perm_exc); use PVE::SafeSyslog; use PVE::RPCEnvironment; use PVE::Cluster qw(cfs_read_file); @@ -47,6 +48,9 @@ __PACKAGE__->register_method ({ path => '', method => 'GET', description => "Directory index.", + permissions => { + user => 'all', + }, parameters => { additionalProperties => 0, properties => {}, @@ -77,6 +81,7 @@ __PACKAGE__->register_method ({ } push @$res, { subdir => 'ticket' }; + push @$res, { subdir => 'password' }; return $res; }}); @@ -126,11 +131,89 @@ my $create_ticket = sub { }; }; +my $compute_api_permission = sub { + my ($rpcenv, $authuser) = @_; + + my $usercfg = $rpcenv->{user_cfg}; + + my $nodelist = PVE::Cluster::get_nodelist(); + my $vmlist = PVE::Cluster::get_vmlist() || {}; + my $idlist = $vmlist->{ids} || {}; + + my $cfg = PVE::Storage::config(); + my @sids = PVE::Storage::storage_ids ($cfg); + + my $res = { + vms => {}, + storage => {}, + access => {}, + nodes => {}, + dc => {}, + }; + + my $extract_vm_caps = sub { + my ($path) = @_; + + my $perm = $rpcenv->permissions($authuser, $path); + foreach my $priv (keys %$perm) { + next if !($priv eq 'Permissions.Modify' || $priv =~ m/^VM\./); + $res->{vms}->{$priv} = 1; + } + }; + + foreach my $pool (keys %{$usercfg->{pools}}) { + &$extract_vm_caps("/pool/$pool"); + } + + foreach my $vmid (keys %$idlist, '__phantom__') { + &$extract_vm_caps("/vms/$vmid"); + } + + foreach my $storeid (@sids, '__phantom__') { + my $perm = $rpcenv->permissions($authuser, "/storage/$storeid"); + foreach my $priv (keys %$perm) { + next if !($priv eq 'Permissions.Modify' || $priv =~ m/^Datastore\./); + $res->{storage}->{$priv} = 1; + } + } + + foreach my $path (('/access/groups')) { + my $perm = $rpcenv->permissions($authuser, $path); + foreach my $priv (keys %$perm) { + next if $priv !~ m/^(User|Group)\./; + $res->{access}->{$priv} = 1; + } + } + + foreach my $group (keys %{$usercfg->{users}->{$authuser}->{groups}}, '__phantom__') { + my $perm = $rpcenv->permissions($authuser, "/access/groups/$group"); + if ($perm->{'User.Modify'}) { + $res->{access}->{'User.Modify'} = 1; + } + } + + foreach my $node (@$nodelist) { + my $perm = $rpcenv->permissions($authuser, "/nodes/$node"); + foreach my $priv (keys %$perm) { + next if $priv !~ m/^Sys\./; + $res->{nodes}->{$priv} = 1; + } + } + + my $perm = $rpcenv->permissions($authuser, "/"); + $res->{dc}->{'Sys.Audit'} = 1 if $perm->{'Sys.Audit'}; + + return $res; +}; + __PACKAGE__->register_method ({ name => 'create_ticket', path => 'ticket', method => 'POST', - permissions => { user => 'world' }, + permissions => { + description => "You need to pass valid credientials.", + user => 'world' + }, protected => 1, # else we can't access shadow files description => "Create or verify authentication ticket.", parameters => { @@ -181,7 +264,6 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my $res; - eval { # test if user exists and is enabled $rpcenv->check_user_enabled($username); @@ -196,12 +278,75 @@ __PACKAGE__->register_method ({ if (my $err = $@) { my $clientip = $rpcenv->get_client_ip() || ''; syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err"); - die $err; + # do not return any info to prevent user enumeration attacks + die PVE::Exception->new("authentication failure\n", code => 401); } + $res->{cap} = &$compute_api_permission($rpcenv, $username); + PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'"); return $res; }}); +__PACKAGE__->register_method ({ + name => 'change_passsword', + path => 'password', + method => 'PUT', + permissions => { + description => "Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user ) and 'User.Modify' permission on /access/groups/ on a group where user is member of.", + check => [ 'or', + ['userid-param', 'self'], + [ 'and', + [ 'userid-param', 'Realm.AllocateUser'], + [ 'userid-group', ['User.Modify']] + ] + ], + }, + protected => 1, # else we can't access shadow files + description => "Change user password.", + parameters => { + additionalProperties => 0, + properties => { + userid => get_standard_option('userid'), + password => { + description => "The new password.", + type => 'string', + minLength => 5, + maxLength => 64, + }, + } + }, + returns => { type => "null" }, + code => sub { + my ($param) = @_; + + my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + + my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); + + $rpcenv->check_user_exist($userid); + + if ($authuser eq 'root@pam') { + # OK - root can change anything + } else { + if ($authuser eq $userid) { + $rpcenv->check_user_enabled($userid); + # OK - each user can change its own password + } else { + # only root may change root password + raise_perm_exc() if $userid eq 'root@pam'; + # do not allow to change system user passwords + raise_perm_exc() if $realm eq 'pam'; + } + } + + PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password}); + + PVE::Cluster::log_msg('info', 'root@pam', "changed password for user '$userid'"); + + return undef; + }}); + 1;