X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FRPCEnvironment.pm;h=52c5f64ce0cf577b1785ba390afef9a97a179e43;hp=f65a776134b271a8d6b0c8e3fd5c1e8280997280;hb=fe2defd9d52b236b2c69498b2bf7d3be501a8462;hpb=be6ea72391199dda073615881ddda229bc94ff92 diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm index f65a776..52c5f64 100644 --- a/PVE/RPCEnvironment.pm +++ b/PVE/RPCEnvironment.pm @@ -7,13 +7,13 @@ use IO::Handle; use IO::File; use IO::Select; use Fcntl qw(:flock); +use PVE::Exception qw(raise raise_perm_exc); use PVE::SafeSyslog; use PVE::Tools; use PVE::INotify; use PVE::Cluster; use PVE::ProcFSTools; use PVE::AccessControl; -use CGI; # we use this singleton class to pass RPC related environment values @@ -89,87 +89,381 @@ my $register_worker = sub { # ACL cache -my $compile_acl = sub { - my ($self, $user) = @_; +my $compile_acl_path = sub { + my ($self, $user, $path) = @_; - my $res = {}; my $cfg = $self->{user_cfg}; return undef if !$cfg->{roles}; - if ($user eq 'root@pam') { # root can do anything - return {'/' => $cfg->{roles}->{'Administrator'}}; - } + die "internal error" if $user eq 'root@pam'; + + my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; + my $data = $cache->{$user}; + + if (!$data->{poolroles}) { + $data->{poolroles} = {}; + + foreach my $pool (keys %{$cfg->{pools}}) { + my $d = $cfg->{pools}->{$pool}; + my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles + next if !scalar(@ra); + foreach my $vmid (keys %{$d->{vms}}) { + for my $role (@ra) { + $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1; + } + } + foreach my $storeid (keys %{$d->{storage}}) { + for my $role (@ra) { + $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1; + } + } + } + } - foreach my $path (sort keys %{$cfg->{acl}}) { - my @ra = PVE::AccessControl::roles($cfg, $user, $path); + my @ra = PVE::AccessControl::roles($cfg, $user, $path); - my $privs = {}; - foreach my $role (@ra) { - if (my $privset = $cfg->{roles}->{$role}) { - foreach my $p (keys %$privset) { - $privs->{$p} = 1; + # apply roles inherited from pools + # Note: assume we do not want to propagate those privs + if ($data->{poolroles}->{$path}) { + if (!($ra[0] && $ra[0] eq 'NoAccess')) { + if ($data->{poolroles}->{$path}->{NoAccess}) { + @ra = ('NoAccess'); + } else { + foreach my $role (keys %{$data->{poolroles}->{$path}}) { + push @ra, $role; } } } + } - $res->{$path} = $privs; + $data->{roles}->{$path} = [ @ra ]; + + my $privs = {}; + foreach my $role (@ra) { + if (my $privset = $cfg->{roles}->{$role}) { + foreach my $p (keys %$privset) { + $privs->{$p} = 1; + } + } } + $data->{privs}->{$path} = $privs; - return $res; + return $privs; }; +sub roles { + my ($self, $user, $path) = @_; + + if ($user eq 'root@pam') { # root can do anything + return ('Administrator'); + } + + $user = PVE::AccessControl::verify_username($user, 1); + return () if !$user; + + my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; + + my $acl = $cache->{$user}; + + my $roles = $acl->{roles}->{$path}; + return @$roles if $roles; + + &$compile_acl_path($self, $user, $path); + $roles = $acl->{roles}->{$path} || []; + return @$roles; +} + sub permissions { my ($self, $user, $path) = @_; + if ($user eq 'root@pam') { # root can do anything + my $cfg = $self->{user_cfg}; + return $cfg->{roles}->{'Administrator'}; + } + $user = PVE::AccessControl::verify_username($user, 1); return {} if !$user; my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; my $acl = $cache->{$user}; - if (!$acl) { - if (!($acl = &$compile_acl($self, $user))) { - return {}; - } - $cache->{$user} = $acl; - } + my $perm = $acl->{privs}->{$path}; + return $perm if $perm; - my $perm; + return &$compile_acl_path($self, $user, $path); +} - if (!($perm = $acl->{$path})) { - $perm = {}; - foreach my $p (sort keys %$acl) { - my $final = ($path eq $p); - - next if !(($p eq '/') || $final || ($path =~ m|^$p/|)); +sub check { + my ($self, $user, $path, $privs, $noerr) = @_; + + my $perm = $self->permissions($user, $path); - $perm = $acl->{$p}; + foreach my $priv (@$privs) { + PVE::AccessControl::verify_privname($priv); + if (!$perm->{$priv}) { + return undef if $noerr; + raise_perm_exc("$path, $priv"); } - $acl->{$path} = $perm; - } + }; - return $perm; -} + return 1; +}; -sub check { - my ($self, $user, $path, $privs) = @_; +sub check_any { + my ($self, $user, $path, $privs, $noerr) = @_; my $perm = $self->permissions($user, $path); + my $found = 0; foreach my $priv (@$privs) { - return undef if !$perm->{$priv}; + PVE::AccessControl::verify_privname($priv); + if ($perm->{$priv}) { + $found = 1; + last; + } }; - return 1; + return 1 if $found; + + return undef if $noerr; + + raise_perm_exc("$path, " . join("|", @$privs)); }; -sub user_enabled { - my ($self, $user) = @_; +sub check_full { + my ($self, $username, $path, $privs, $any, $noerr) = @_; + if ($any) { + return $self->check_any($username, $path, $privs, $noerr); + } else { + return $self->check($username, $path, $privs, $noerr); + } +} + +sub check_user_enabled { + my ($self, $user, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr); +} + +sub check_user_exist { + my ($self, $user, $noerr) = @_; my $cfg = $self->{user_cfg}; - return PVE::AccessControl::user_enabled($cfg, $user); + return PVE::AccessControl::check_user_exist($cfg, $user, $noerr); +} + +sub check_pool_exist { + my ($self, $pool, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + + return 1 if $cfg->{pools}->{$pool}; + + return undef if $noerr; + + raise_perm_exc("pool '$pool' does not exist"); +} + +sub check_vm_perm { + my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + + if ($pool) { + return if $self->check_full($user, "/pool/$pool", $privs, $any, 1); + } + return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr); +}; + +sub check_volume_access { + my ($self, $user, $storecfg, $vmid, $volid) = @_; + + # test if we have read access to volid + + my ($sid, $volname) = PVE::Storage::parse_volume_id($volid, 1); + if ($sid) { + my ($vtype, undef, $ownervm) = PVE::Storage::parse_volname($storecfg, $volid); + if ($vtype eq 'iso' || $vtype eq 'vztmpl') { + # we simply allow access + } elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) { + # we are owner - allow access + } elsif ($vtype eq 'backup' && $ownervm) { + $self->check($user, "/storage/$sid", ['Datastore.AllocateSpace']); + $self->check($user, "/vms/$ownervm", ['VM.Backup']); + } else { + # allow if we are Datastore administrator + $self->check($user, "/storage/$sid", ['Datastore.Allocate']); + } + } else { + die "Only root can pass arbitrary filesystem paths." + if $user ne 'root@pam'; + } + + return undef; +} + +sub is_group_member { + my ($self, $group, $user) = @_; + + my $cfg = $self->{user_cfg}; + + return 0 if !$cfg->{groups}->{$group}; + + return defined($cfg->{groups}->{$group}->{users}->{$user}); +} + +sub filter_groups { + my ($self, $user, $privs, $any) = @_; + + my $cfg = $self->{user_cfg}; + + my $groups = {}; + foreach my $group (keys %{$cfg->{groups}}) { + my $path = "/access/groups/$group"; + if ($self->check_full($user, $path, $privs, $any, 1)) { + $groups->{$group} = $cfg->{groups}->{$group}; + } + } + + return $groups; +} + +sub group_member_join { + my ($self, $grouplist) = @_; + + my $users = {}; + + my $cfg = $self->{user_cfg}; + foreach my $group (@$grouplist) { + my $data = $cfg->{groups}->{$group}; + next if !$data; + foreach my $user (keys %{$data->{users}}) { + $users->{$user} = 1; + } + } + + return $users; +} + +sub check_perm_modify { + my ($self, $username, $path, $noerr) = @_; + + return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path; + + my $testperms = [ 'Permissions.Modify' ]; + if ($path =~ m|^/storage/.+$|) { + push @$testperms, 'Datastore.Allocate'; + } elsif ($path =~ m|^/vms/.+$|) { + push @$testperms, 'VM.Allocate'; + } elsif ($path =~ m|^/pool/.+$|) { + push @$testperms, 'Pool.Allocate'; + } + + return $self->check_any($username, $path, $testperms, $noerr); +} + +sub exec_api2_perm_check { + my ($self, $check, $username, $param, $noerr) = @_; + + # syslog("info", "CHECK " . join(', ', @$check)); + + my $ind = 0; + my $test = $check->[$ind++]; + die "no permission test specified" if !$test; + + if ($test eq 'and') { + while (my $subcheck = $check->[$ind++]) { + $self->exec_api2_perm_check($subcheck, $username, $param); + } + return 1; + } elsif ($test eq 'or') { + while (my $subcheck = $check->[$ind++]) { + return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1); + } + return 0 if $noerr; + raise_perm_exc(); + } elsif ($test eq 'perm') { + my ($t, $tmplpath, $privs, %options) = @$check; + my $any = $options{any}; + die "missing parameters" if !($tmplpath && $privs); + my $require_param = $options{require_param}; + if ($require_param && !defined($param->{$require_param})) { + return 0 if $noerr; + raise_perm_exc(); + } + my $path = PVE::Tools::template_replace($tmplpath, $param); + $path = PVE::AccessControl::normalize_path($path); + return $self->check_full($username, $path, $privs, $any, $noerr); + } elsif ($test eq 'userid-group') { + my $userid = $param->{userid}; + my ($t, $privs, %options) = @$check; + return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr); + if (!$self->check_any($username, "/access/groups", $privs, 1)) { + my $groups = $self->filter_groups($username, $privs, 1); + if ($options{groups_param}) { + my @group_param = PVE::Tools::split_list($param->{groups}); + raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param); + foreach my $pg (@group_param) { + raise_perm_exc("/access/groups/$pg, " . join("|", @$privs)) + if !$groups->{$pg}; + } + } else { + my $allowed_users = $self->group_member_join([keys %$groups]); + if (!$allowed_users->{$userid}) { + return 0 if $noerr; + raise_perm_exc(); + } + } + } + return 1; + } elsif ($test eq 'userid-param') { + my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid}); + my ($t, $subtest) = @$check; + die "missing parameters" if !$subtest; + if ($subtest eq 'self') { + return 0 if !$self->check_user_exist($userid, $noerr); + return 1 if $username eq $userid; + return 0 if $noerr; + raise_perm_exc(); + } elsif ($subtest eq 'Realm.AllocateUser') { + my $path = "/access/realm/$realm"; + return $self->check($username, $path, ['Realm.AllocateUser'], $noerr); + } else { + die "unknown userid-param test"; + } + } elsif ($test eq 'perm-modify') { + my ($t, $tmplpath) = @$check; + my $path = PVE::Tools::template_replace($tmplpath, $param); + $path = PVE::AccessControl::normalize_path($path); + return $self->check_perm_modify($username, $path, $noerr); + } else { + die "unknown permission test"; + } +}; + +sub check_api2_permissions { + my ($self, $perm, $username, $param) = @_; + + return 1 if !$username && $perm->{user} eq 'world'; + + raise_perm_exc("user != null") if !$username; + + return 1 if $username eq 'root@pam'; + + raise_perm_exc('user != root@pam') if !$perm; + + return 1 if $perm->{user} && $perm->{user} eq 'all'; + + return $self->exec_api2_perm_check($perm->{check}, $username, $param) + if $perm->{check}; + + raise_perm_exc(); } # initialize environment - must be called once at program startup @@ -226,51 +520,6 @@ sub get { return $pve_env; } -sub parse_params { - my ($self, $enable_upload) = @_; - - if ($self->{request_rec}) { - my $cgi; - if ($enable_upload) { - $cgi = CGI->new($self->{request_rec}); - } else { - # disable upload using empty upload_hook - $cgi = CGI->new($self->{request_rec}, sub {}, undef, 0); - } - $self->{cgi} = $cgi; - my $params = $cgi->Vars(); - return $params; - } elsif ($self->{params}) { - return $self->{params}; - } else { - die "no parameters registered"; - } -} - -sub get_upload_info { - my ($self, $param) = @_; - - my $cgi = $self->{cgi}; - die "CGI not initialized" if !$cgi; - - my $pd = $cgi->param($param); - die "unable to get cgi parameter info\n" if !$pd; - my $info = $cgi->uploadInfo($pd); - die "unable to get cgi upload info\n" if !$info; - - my $res = { %$info }; - - my $tmpfilename = $cgi->tmpFileName($pd); - die "unable to get cgi upload file name\n" if !$tmpfilename; - $res->{tmpfilename} = $tmpfilename; - - #my $hndl = $cgi->upload($param); - #die "unable to get cgi upload handle\n" if !$hndl; - #$res->{handle} = $hndl->handle; - - return $res; -} - # init_request - must be called before each RPC request sub init_request { my ($self, %params) = @_; @@ -283,11 +532,6 @@ sub init_request { foreach my $p (keys %params) { if ($p eq 'userconfig') { $userconfig = $params{$p}; - } elsif ($p eq 'request_rec') { - # pass Apache2::RequestRec - $self->{request_rec} = $params{$p}; - } elsif ($p eq 'params') { - $self->{params} = $params{$p}; } else { die "unknown parameter '$p'"; } @@ -299,6 +543,7 @@ sub init_request { my $ucdata = PVE::Tools::file_get_contents($userconfig); my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata); $self->{user_cfg} = $cfg; + #print Dumper($cfg); } else { my $ucvers = PVE::Cluster::cfs_file_version('user.cfg'); if (!$self->{aclcache} || !defined($self->{aclversion}) || @@ -525,14 +770,14 @@ sub check_worker { # STDOUT,STDERR are redirected to the filename returned by upid_decode # NOTE: we simulate running in foreground if ($self->{type} eq 'cli') sub fork_worker { - my ($self, $dtype, $id, $user, $function) = @_; + my ($self, $dtype, $id, $user, $function, $background) = @_; $dtype = 'unknown' if !defined ($dtype); $id = '' if !defined ($id); $user = 'root@pve' if !defined ($user); - my $sync = $self->{type} eq 'cli' ? 1 : 0; + my $sync = ($self->{type} eq 'cli' && !$background) ? 1 : 0; local $SIG{INT} = local $SIG{QUIT} =