X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FRPCEnvironment.pm;h=06360f23ddc01fe01496a67e6eac0a52df06e671;hp=16b8ba8ad59079603f3cc147b40e2d4438198f87;hb=c4a776a657f4d66bbd3eb9c310907731e5133a5b;hpb=37d45debb1e61873fb50836fc0864b5df5f8372e

diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index 16b8ba8..06360f2 100644
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -90,68 +90,113 @@ my $register_worker = sub {
 
 # ACL cache
 
-my $compile_acl = sub {
-    my ($self, $user) = @_;
+my $compile_acl_path = sub {
+    my ($self, $user, $path) = @_;
 
-    my $res = {};
     my $cfg = $self->{user_cfg};
 
     return undef if !$cfg->{roles};
 
-    if ($user eq 'root@pam') { # root can do anything
-	return {'/' => $cfg->{roles}->{'Administrator'}};
-    } 
+    die "internal error" if $user eq 'root@pam';
 
-    foreach my $path (sort keys %{$cfg->{acl}}) {
-	my @ra = PVE::AccessControl::roles($cfg, $user, $path);
+    my $cache = $self->{aclcache};
+    $cache->{$user} = {} if !$cache->{$user};
+    my $data = $cache->{$user};
+
+    if (!$data->{poolroles}) {
+	$data->{poolroles} = {}; 
+ 
+	foreach my $pool (keys %{$cfg->{pools}}) {
+	    my $d = $cfg->{pools}->{$pool};
+	    my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
+	    next if !scalar(@ra);
+	    foreach my $vmid (keys %{$d->{vms}}) {
+		for my $role (@ra) {
+		    $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
+		}
+	    }
+	    foreach my $storeid (keys %{$d->{storage}}) {
+		for my $role (@ra) {
+		    $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
+		}
+	    }
+	}
+    }
+
+    my @ra = PVE::AccessControl::roles($cfg, $user, $path);
 
-	my $privs = {};
-	foreach my $role (@ra) {
-	    if (my $privset = $cfg->{roles}->{$role}) {
-		foreach my $p (keys %$privset) {
-		    $privs->{$p} = 1;
+    # apply roles inherited from pools
+    # Note: assume we do not want to propagate those privs
+    if ($data->{poolroles}->{$path}) {
+	if (!($ra[0] && $ra[0] eq 'NoAccess')) {
+	    if ($data->{poolroles}->{$path}->{NoAccess}) {
+		@ra = ('NoAccess');
+	    } else {
+		foreach my $role (keys %{$data->{poolroles}->{$path}}) {
+		    push @ra, $role;
 		}
 	    }
 	}
+    }
 
-	$res->{$path} = $privs;
+    $data->{roles}->{$path} = [ @ra ];
+ 
+    my $privs = {};
+    foreach my $role (@ra) {
+	if (my $privset = $cfg->{roles}->{$role}) {
+	    foreach my $p (keys %$privset) {
+		$privs->{$p} = 1;
+	    }
+	}
     }
+    $data->{privs}->{$path} = $privs;
 
-    return $res;
+    return $privs;
 };
 
+sub roles {
+   my ($self, $user, $path) = @_;
+
+   if ($user eq 'root@pam') { # root can do anything
+       return ('Administrator');
+   } 
+
+   $user = PVE::AccessControl::verify_username($user, 1);
+   return () if !$user;
+
+   my $cache = $self->{aclcache};
+   $cache->{$user} = {} if !$cache->{$user};
+
+   my $acl = $cache->{$user};
+
+   my $roles = $acl->{roles}->{$path};
+   return @$roles if $roles;
+
+   &$compile_acl_path($self, $user, $path);
+   $roles = $acl->{roles}->{$path} || [];
+   return @$roles;
+}
+
 sub permissions {
     my ($self, $user, $path) = @_;
 
+    if ($user eq 'root@pam') { # root can do anything
+	my $cfg = $self->{user_cfg};
+	return $cfg->{roles}->{'Administrator'};
+    } 
+
     $user = PVE::AccessControl::verify_username($user, 1);
     return {} if !$user;
 
     my $cache = $self->{aclcache};
+    $cache->{$user} = {} if !$cache->{$user};
 
     my $acl = $cache->{$user};
 
-    if (!$acl) {
-	if (!($acl = &$compile_acl($self, $user))) {
-	    return {};
-	}
-	$cache->{$user} = $acl;
-    }
-
-    my $perm;
-
-    if (!($perm = $acl->{$path})) {
-	$perm = {};
-	foreach my $p (sort keys %$acl) {
-	    my $final = ($path eq $p);
-	    
-	    next if !(($p eq '/') || $final || ($path =~ m|^$p/|));
+    my $perm = $acl->{privs}->{$path};
+    return $perm if $perm;
 
-	    $perm = $acl->{$p};
-	}
-	$acl->{$path} = $perm;
-    }
-
-    return $perm;
+    return &$compile_acl_path($self, $user, $path);
 }
 
 sub check {
@@ -191,6 +236,15 @@ sub check_any {
     raise_perm_exc("$path, " . join("|", @$privs)); 
 };
 
+sub check_full {
+    my ($self, $username, $path, $privs, $any, $noerr) = @_;
+    if ($any) {
+	return $self->check_any($username, $path, $privs, $noerr);
+    } else {
+	return $self->check($username, $path, $privs, $noerr);
+    }
+}
+
 sub check_user_enabled {
     my ($self, $user, $noerr) = @_;
     
@@ -216,20 +270,15 @@ sub is_group_member {
 }
 
 sub filter_groups {
-    my ($self, $user, $getPath, $privs, $any) = @_;
+    my ($self, $user, $privs, $any) = @_;
 
     my $cfg = $self->{user_cfg};
 
     my $groups = {};
     foreach my $group (keys %{$cfg->{groups}}) {
-	if ($any) {
-	    if ($self->check_any($user, &$getPath($group), $privs, 1)) {
-		$groups->{$group} = $cfg->{groups}->{$group};
-	    }
-	} else {
-	    if ($self->check($user, &$getPath($group), $privs, 1)) {
-		$groups->{$group} = $cfg->{groups}->{$group};
-	    }
+	my $path = "/access/groups/$group";
+	if ($self->check_full($user, $path, $privs, $any, 1)) {
+	    $groups->{$group} = $cfg->{groups}->{$group};
 	}
     }
 
@@ -253,6 +302,121 @@ sub group_member_join {
     return $users;
 }
 
+sub check_perm_modify {
+    my ($self, $username, $path, $noerr) = @_;
+
+    return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path;
+
+    my $testperms = [ 'Permissions.Modify' ];
+    if ($path =~ m|^/storage/.+$|) {
+	push @$testperms, 'Datastore.Allocate';
+    } elsif ($path =~ m|^/vms/.+$|) {
+	push @$testperms, 'VM.Allocate';
+    } elsif ($path =~ m|^/pool/.+$|) {
+	push @$testperms, 'Pool.Allocate';
+    }
+
+    return $self->check_any($username, $path, $testperms, $noerr);
+}
+
+sub exec_api2_perm_check {
+    my ($self, $check, $username, $param, $noerr) = @_;
+
+    # syslog("info", "CHECK " . join(', ', @$check));
+
+    my $ind = 0;
+    my $test = $check->[$ind++];
+    die "no permission test specified" if !$test;
+ 
+    if ($test eq 'and') {
+	while (my $subcheck = $check->[$ind++]) {
+	    $self->exec_api2_perm_check($subcheck, $username, $param); 
+	}
+	return 1;
+    } elsif ($test eq 'or') {
+	while (my $subcheck = $check->[$ind++]) {
+	    return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1); 
+	}
+	return 0 if $noerr;
+	raise_perm_exc();
+    } elsif ($test eq 'perm') {
+	my ($t, $tmplpath, $privs, %options) = @$check;
+	my $any = $options{any};
+	die "missing parameters" if !($tmplpath && $privs);
+	my $require_param = $options{require_param};
+	if ($require_param && !defined($param->{$require_param})) {
+	    return 0 if $noerr;
+	    raise_perm_exc();
+	}
+	my $path = PVE::Tools::template_replace($tmplpath, $param);
+	$path = PVE::AccessControl::normalize_path($path);
+	return $self->check_full($username, $path, $privs, $any, $noerr);
+    } elsif ($test eq 'userid-group') {
+	my $userid = $param->{userid};
+	my ($t, $privs, %options) = @$check;
+	return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr);
+	if (!$self->check_any($username, "/access/groups", $privs, 1)) {
+	    my $groups = $self->filter_groups($username, $privs, 1);
+	    if ($options{groups_param}) {
+		my @group_param = PVE::Tools::split_list($param->{groups});
+		raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param);
+		foreach my $pg (@group_param) {
+		    raise_perm_exc("/access/groups/$pg, " . join("|", @$privs))
+			if !$groups->{$pg};
+		}
+	    } else {
+		my $allowed_users = $self->group_member_join([keys %$groups]);
+		if (!$allowed_users->{$userid}) {
+		    return 0 if $noerr;
+		    raise_perm_exc();
+		}
+	    }
+	}
+	return 1;
+    } elsif ($test eq 'userid-param') {
+	my ($userid, undef, $realm) = verify_username($param->{userid});
+	return if !$self->check_user_exist($userid, $noerr);
+	my ($t, $subtest) = @$check;
+	die "missing parameters" if !$subtest;
+	if ($subtest eq 'self') {
+	    return 1 if $username eq 'userid';
+	    return 0 if $noerr;
+	    raise_perm_exc();
+	} elsif ($subtest eq 'Realm.AllocateUser') {
+	    my $path =  "/access/realm/$realm";
+	    return $self->check($username, $path, ['Realm.AllocateUser'], $noerr);
+	} else {
+	    die "unknown userid-param test";
+	}
+     } elsif ($test eq 'perm-modify') {
+	my ($t, $tmplpath) = @$check;
+	my $path = PVE::Tools::template_replace($tmplpath, $param);
+	$path = PVE::AccessControl::normalize_path($path);
+	return $self->check_perm_modify($username, $path, $noerr);
+   } else {
+	die "unknown permission test";
+    }
+};
+
+sub check_api2_permissions {
+    my ($self, $perm, $username, $param) = @_;
+
+    return 1 if !$username && $perm->{user} eq 'world';
+
+    raise_perm_exc("user != null") if !$username;
+
+    return 1 if $username eq 'root@pam';
+
+    raise_perm_exc('user != root@pam') if !$perm;
+
+    return 1 if $perm->{user} && $perm->{user} eq 'all';
+
+    return $self->exec_api2_perm_check($perm->{check}, $username, $param) 
+	if $perm->{check};
+
+    raise_perm_exc();
+}
+
 # initialize environment - must be called once at program startup
 sub init {
     my ($class, $type, %params) = @_;
@@ -380,6 +544,7 @@ sub init_request {
 	    my $ucdata = PVE::Tools::file_get_contents($userconfig);
 	    my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata);
 	    $self->{user_cfg} = $cfg;
+	    #print Dumper($cfg);
 	} else {
 	    my $ucvers = PVE::Cluster::cfs_file_version('user.cfg'); 
 	    if (!$self->{aclcache} || !defined($self->{aclversion}) ||