my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
return () if !$token_info;
- my @user_roles = roles($cfg, $username, $path);
+ my $user_roles = roles($cfg, $username, $path);
# return full user privileges
- return @user_roles if !$token_info->{privsep};
+ return $user_roles if !$token_info->{privsep};
}
- my $perm = {};
+ my $roles = {};
foreach my $p (sort keys %{$cfg->{acl}}) {
my $final = ($path eq $p);
if ($final || $propagate) {
#print "APPLY ROLE $p $user $role\n";
$new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
}
}
if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
next;
}
}
if ($final || $propagate) {
#print "APPLY ROLE $p $user $role\n";
$new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
}
}
if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
next; # user privs always override group privs
}
}
if ($final || $propagate) {
#print "APPLY ROLE $p \@$g $role\n";
$new = {} if !$new;
- $new->{$role} = 1;
+ $new->{$role} = $propagate;
}
}
}
}
if ($new) {
- $perm = $new; # overwrite previous settings
+ $roles = $new; # overwrite previous settings
next;
}
}
- return ('NoAccess') if defined ($perm->{NoAccess});
- #return () if defined ($perm->{NoAccess});
+ return { 'NoAccess' => $roles->{NoAccess} } if defined ($roles->{NoAccess});
+ #return () if defined ($roles->{NoAccess});
- #print "permission $user $path = " . Dumper ($perm);
-
- my @ra = keys %$perm;
+ #print "permission $user $path = " . Dumper ($roles);
#print "roles $user $path = " . join (',', @ra) . "\n";
- return @ra;
+ return $roles;
}
sub remove_vm_access {
foreach my $pool (keys %{$cfg->{pools}}) {
my $d = $cfg->{pools}->{$pool};
- my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
- next if !scalar(@ra);
+ my $pool_roles = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles
+ next if !scalar(keys %$pool_roles);
foreach my $vmid (keys %{$d->{vms}}) {
- for my $role (@ra) {
+ for my $role (keys %$pool_roles) {
$data->{poolroles}->{"/vms/$vmid"}->{$role} = 1;
}
}
foreach my $storeid (keys %{$d->{storage}}) {
- for my $role (@ra) {
+ for my $role (keys %$pool_roles) {
$data->{poolroles}->{"/storage/$storeid"}->{$role} = 1;
}
}
}
}
- my @ra = PVE::AccessControl::roles($cfg, $user, $path);
+ my $roles = PVE::AccessControl::roles($cfg, $user, $path);
# apply roles inherited from pools
# Note: assume we do not want to propagate those privs
if ($data->{poolroles}->{$path}) {
- if (!($ra[0] && $ra[0] eq 'NoAccess')) {
+ if (!defined($roles->{NoAccess})) {
if ($data->{poolroles}->{$path}->{NoAccess}) {
- @ra = ('NoAccess');
+ $roles = { 'NoAccess' => 0 };
} else {
foreach my $role (keys %{$data->{poolroles}->{$path}}) {
- push @ra, $role;
+ $roles->{$role} = 0 if !defined($roles->{$role});
}
}
}
}
- $data->{roles}->{$path} = [ @ra ];
+ $data->{roles}->{$path} = $roles;
my $privs = {};
- foreach my $role (@ra) {
+ foreach my $role (keys %$roles) {
if (my $privset = $cfg->{roles}->{$role}) {
foreach my $p (keys %$privset) {
- $privs->{$p} = 1;
+ $privs->{$p} = $roles->{$role};
}
}
}
if ($username && $username ne 'root@pam') {
# intersect user and token permissions
my $user_privs = $cache->{$username}->{privs}->{$path};
- $privs = { map { $_ => 1 } grep { $user_privs->{$_} } keys %$privs };
+ $privs = { map { $_ => $user_privs->{$_} && $privs->{$_} } keys %$privs };
}
$data->{privs}->{$path} = $privs;
if ($user eq 'root@pam') { # root can do anything
my $cfg = $self->{user_cfg};
- return $cfg->{roles}->{'Administrator'};
+ return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
}
if (PVE::AccessControl::pve_verify_tokenid($user, 1)) {
my ($username, $token) = PVE::AccessControl::split_tokenid($user);
my $cfg = $self->{user_cfg};
my $token_info = $cfg->{users}->{$username}->{tokens}->{$token};
+
return {} if !$token_info;
# ensure cache for user is populated
foreach my $priv (@$privs) {
PVE::AccessControl::verify_privname($priv);
- if (!$perm->{$priv}) {
+ if (!defined($perm->{$priv})) {
return undef if $noerr;
raise_perm_exc("$path, $priv");
}
my $found = 0;
foreach my $priv (@$privs) {
PVE::AccessControl::verify_privname($priv);
- if ($perm->{$priv}) {
+ if (defined($perm->{$priv})) {
$found = 1;
last;
}
sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
- my $res = join(',', sort @ra);
+ my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+ my $res = join(',', sort keys %$roles);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
if $res ne $expected_result;
print "PERM:$path:$user:$res\n";
-
}
check_roles('max@pve', '/', '');
sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
- my $res = join(',', sort @ra);
+ my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+ my $res = join(',', sort keys %$roles);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
- my $res = join(',', sort @ra);
+ my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+ my $res = join(',', sort keys %$roles);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
- my $res = join(',', sort @ra);
+ my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+ my $res = join(',', sort keys %$roles);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
- my $res = join(',', sort @ra);
+ my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+ my $res = join(',', sort keys %$roles);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
- my $res = join(',', sort @ra);
+ my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+ my $res = join(',', sort keys %$roles);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;
sub check_roles {
my ($user, $path, $expected_result) = @_;
- my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
- my $res = join(',', sort @ra);
+ my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+ my $res = join(',', sort keys %$roles);
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
if $res ne $expected_result;