From 21f523a5c1e5c7687ff9bf3f4781a994672a596f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 21 Jan 2020 13:54:18 +0100
Subject: [PATCH] user.cfg: skip inexisting roles when parsing ACLs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

we do the same for missing users, groups and tokens, and just like groups, roles with an empty privilege set are explicitly allowed so pre-generating placeholders is possible.

Signed-off-by: Fabian Grünbichler
---
 PVE/AccessControl.pm | 5 +++++
 test/parser_writer.pl | 6 +++++-
 test/perm-test6.pl | 4 ++--
 test/test6.cfg | 2 +-
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index a3990de..5e1185f 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1079,6 +1079,11 @@ sub parse_user_config {
 next;
 }
 
+ if (!$cfg->{roles}->{$role}) {
+ warn "user config - ignore invalid acl role '$role'\n";
+ next;
+ }
+
 foreach my $ug (split_list($uglist)) {
 my ($group) = $ug =~ m/^@(\S+)$/;
 
diff --git a/test/parser_writer.pl b/test/parser_writer.pl
index 6bf6d72..0aa01b7 100755
--- a/test/parser_writer.pl
+++ b/test/parser_writer.pl
@@ -821,13 +821,17 @@ my $tests = [
 config => {
 users => default_users_with([$default_cfg->{test_pam}]),
 roles => default_roles(),
- acl => default_acls_with([$default_cfg->{acl_missing_role}, $default_cfg->{acl_simple_user}]),
+ acl => default_acls_with([$default_cfg->{acl_simple_user}]),
 },
 raw => "".
 $default_raw->{users}->{'root@pam'}."\n".
 $default_raw->{users}->{'test_pam'}."\n\n\n\n\n".
 $default_raw->{acl}->{'acl_simple_user'}."\n".
 $default_raw->{acl}->{'acl_missing_role'}."\n",
+ expected_raw => "".
+ $default_raw->{users}->{'root@pam'}."\n".
+ $default_raw->{users}->{'test_pam'}."\n\n\n\n\n".
+ $default_raw->{acl}->{'acl_simple_user'}."\n",
 },
 {
 name => "acl_complex_mixed",
diff --git a/test/perm-test6.pl b/test/perm-test6.pl
index 87d9bf7..dd433dd 100755
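Review bot: The new guard in parse_user_config tests `$cfg->{roles}->{$role}` for truthiness rather than presence, so whether a placeholder role with an empty privilege set passes depends on how `$cfg->{roles}` stores such a role; if an empty role can ever be stored as a false value, `if (!exists $cfg->{roles}->{$role}) {` expresses the intent stated in the commit message directly. The skipped ACL line is dropped from `$cfg` with only a warning, so the next write-back removes it from user.cfg permanently (the parser_writer test's `expected_raw` shows exactly that); a short comment at the check, e.g. `# unknown role: drop the whole ACL entry, it is not preserved on write-back`, would keep the next reader from assuming the line survives. If role definitions are consumed in the same pass as acl lines, an acl entry placed before its role definition in a hand-edited file would be dropped for the same reason — worth confirming the parser resolves roles first, or documenting the ordering requirement next to the check. parse_user_config's body starts and ends outside the hunk.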
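Review bot: The updated test case asserts via `expected_raw` that the `acl_missing_role` line disappears on round-trip, but nothing in the hunk checks that the "ignore invalid acl role" warning was emitted, so a silently dropped ACL and an explicitly warned one pass identically; if the harness does not already capture warnings, collecting them with a `local $SIG{__WARN__}` handler and asserting on the collected message would pin the intended behaviour. The users prefix of `raw` and `expected_raw` is duplicated line for line; building it once and reusing it in both strings would keep the two from drifting apart as fixtures change. The enclosing `$tests` array starts and ends outside the hunk.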
--- a/test/perm-test6.pl
+++ b/test/perm-test6.pl
@@ -55,10 +55,10 @@ check_roles('User2@pve', '/vms/100', 'RoleTEST1');
 check_roles('User3@pve', '/vms/100', 'NoAccess');
 check_roles('User4@pve', '/vms/100', '');
 
-check_roles('User1@pve', '/vms/300', 'Role1');
+check_roles('User1@pve', '/vms/300', 'RoleTEST1');
 check_roles('User2@pve', '/vms/300', 'RoleTEST1');
 check_roles('User3@pve', '/vms/300', 'NoAccess');
-check_roles('User4@pve', '/vms/300', 'Role1');
+check_roles('User4@pve', '/vms/300', 'RoleTEST1');
 
 check_permissions('User1@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
 check_permissions('User2@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
diff --git a/test/test6.cfg b/test/test6.cfg
index 7af1895..4986910 100644
--- a/test/test6.cfg
+++ b/test/test6.cfg
@@ -15,7 +15,7 @@ acl:1:/pool/marketing:@MARKETING:RoleMARKETING:
 
 acl:1:/vms:@DEVEL:RoleTEST1:
 acl:1:/vms:User3@pve:NoAccess:
-acl:1:/vms/300:@MARKETING:Role1:
+acl:1:/vms/300:@MARKETING:RoleTEST1:
 
 pool:devel:MITS development:500,501,502:store1 store2:
 pool:marketing:MITS marketing:600:store1:
-- 
2.39.2
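Review bot: With test6.cfg switched to RoleTEST1, this permission test no longer exercises an ACL that names an undefined role at all, so the new skip in parse_user_config has no coverage on the effective-permission side — only parser_writer checks that the line is dropped on write-back. If no other perm test keeps such an entry, retaining one ACL on a separate path that names a nonexistent role, paired with a `check_roles(...)` expecting `''` for the affected user (the same pattern the hunk already uses for `/vms/100`), would pin that an unknown-role ACL grants nothing rather than something unexpected. The same observation applies to the test6.cfg hunk, which is where the undefined-role entry was removed. The rest of the test script lies outside the hunk.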