API: add 'permissions' API endpoint

and related helper, to dump permissions + propagate info for
- a specific, given path
- generic top-level + user.cfg-referenced paths, including pools

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index c6499be87a307d0dab8e347daeafbf6166716aec..5b63d2bcc55e323b8836358b100d64bca07b59f8 100644 (file)
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -661,4 +661,60 @@ __PACKAGE__->register_method({
        }
     }});
 
+__PACKAGE__->register_method({
+    name => 'permissions',
+    path => 'permissions',
+    method => 'GET',
+    description => 'Retrieve effective permissions of given user/token.',
+    permissions => {
+       description => "Each user/token is allowed to dump their own permissions. A user can dump the permissions of another user if they have 'Sys.Audit' permission on /access.",
+       user => 'all',
+    },
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           userid => {
+               type => 'string',
+               description => "User ID or full API token ID",
+               pattern => $PVE::AccessControl::userid_or_token_regex,
+               optional => 1,
+           },
+           path => get_standard_option('acl-path', {
+               description => "Only dump this specific path, not the whole tree.",
+               optional => 1,
+           }),
+       },
+    },
+    returns => {
+       type => 'object',
+       description => 'Map of "path" => (Map of "privilege" => "propagate boolean").',
+    },
+    code => sub {
+       my ($param) = @_;
+
+       my $rpcenv = PVE::RPCEnvironment::get();
+
+       my $userid = $param->{userid};
+       if (defined($userid)) {
+           $rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
+       } else {
+           $userid = $rpcenv->get_user();
+       }
+
+       my $res;
+
+       if (my $path = $param->{path}) {
+           my $perms = $rpcenv->permissions($userid, $path);
+           if ($perms) {
+               $res = { $path => $perms };
+           } else {
+               $res = {};
+           }
+       } else {
+           $res = $rpcenv->get_effective_permissions($userid);
+       }
+
+       return $res;
+    }});
+
 1;

diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm
index 8384376f99e0207212129058f72e34e78a607690..e66107be7c1567cdc045c303ae0fd89980144a87 100644 (file)
--- a/PVE/RPCEnvironment.pm
+++ b/PVE/RPCEnvironment.pm
@@ -127,6 +127,47 @@ sub permissions {
     return &$compile_acl_path($self, $user, $path);
 }
 
+sub get_effective_permissions {
+    my ($self, $user) = @_;
+
+    # default / top level paths
+    my $paths = {
+       '/' => 1,
+       '/access' => 1,
+       '/access/groups' => 1,
+       '/nodes' => 1,
+       '/pools' => 1,
+       '/storage' => 1,
+       '/vms' => 1,
+    };
+
+    my $cfg = $self->{user_cfg};
+
+    # paths explicitly listed in ACLs
+    foreach my $acl_path (keys %{$cfg->{acl}}) {
+       $paths->{$acl_path} = 1;
+    }
+
+    # paths referenced by pool definitions
+    foreach my $pool (keys %{$cfg->{pools}}) {
+       my $d = $cfg->{pools}->{$pool};
+       foreach my $vmid (keys %{$d->{vms}}) {
+           $paths->{"/vms/$vmid"} = 1;
+       }
+       foreach my $storeid (keys %{$d->{storage}}) {
+           $paths->{"/storage/$storeid"} = 1;
+       }
+    }
+
+    my $perms = {};
+    foreach my $path (keys %$paths) {
+       my $path_perms = $self->permissions($user, $path);
+       # filter paths where user has NO permissions
+       $perms->{$path} = $path_perms if %$path_perms;
+    }
+    return $perms;
+}
+
 sub check {
     my ($self, $user, $path, $privs, $noerr) = @_;