Re: [pve-devel] [PATCH guest-common v10 1/1] GuestHelpers: add 'assert_tag_permissions'

Tue, 15 Nov 2022 07:35:37 -0800 

On November 15, 2022 2:02 pm, Dominik Csapak wrote:
> helper to check permissions for tag setting/updating/deleting
> for both container and qemu-server
> 
> gets the list of allowed tags from the DataCenterConfig and the current
> user permissions, and checks for each tag that is added/removed if
> the user has permissions to modify it
> 
> 'normal' tags require 'VM.Config.Options' on '/vms/<vmid>', but not
> allowed tags (either limited with 'user-tag-access' or
> 'privileged-tags' in the datacenter.cfg) requrie 'Sys.Modify' on '/'
> 
> Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
> ---
> new in v10, but the code is mostly the same as the previous qemu-server
> container one, with a few changes:
> * adapt to new get_allowed_tags signature
> * change 'map {foo} bar' into 'foo for bar'
> * save all tags into $all_tags so that we only have to loop once
> * use raise_perm_exc instead of die for permission errors (sets the
>   correct http status code)
>  debian/control          |  3 ++-
>  src/PVE/GuestHelpers.pm | 54 ++++++++++++++++++++++++++++++++++++++++-
>  2 files changed, 55 insertions(+), 2 deletions(-)
> 
> diff --git a/debian/control b/debian/control
> index 83bade3..ffff22b 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -12,7 +12,8 @@ Homepage: https://www.proxmox.com
>  
>  Package: libpve-guest-common-perl
>  Architecture: all
> -Depends: libpve-cluster-perl,
> +Depends: libpve-access-control,
> +         libpve-cluster-perl,
>           libpve-common-perl (>= 7.2-6),
>           libpve-storage-perl (>= 7.0-14),
>           pve-cluster,
> diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm
> index 0fe3fd6..2742501 100644
> --- a/src/PVE/GuestHelpers.pm
> +++ b/src/PVE/GuestHelpers.pm
> @@ -3,6 +3,7 @@ package PVE::GuestHelpers;
>  use strict;
>  use warnings;
>  
> +use PVE::Exception qw(raise_perm_exc);
>  use PVE::Tools;
>  use PVE::Storage;
>  
> @@ -11,7 +12,7 @@ use Scalar::Util qw(weaken);
>  
>  use base qw(Exporter);
>  
> -our @EXPORT_OK = qw(safe_string_ne safe_boolean_ne safe_num_ne typesafe_ne);
> +our @EXPORT_OK = qw(safe_string_ne safe_boolean_ne safe_num_ne typesafe_ne 
> assert_tag_permissions);
>  
>  # We use a separate lock to block migration while a replication job
>  # is running.
> @@ -246,4 +247,55 @@ sub config_with_pending_array {
>      return $res;
>  }
>  
> +# checks the permissions for setting/updating/removing tags for guests
> +# tagopt_old and tagopt_new expect the tags as they are in the config
> +#
> +# either returns gracefully or raises a permission exception
> +sub assert_tag_permissions {
> +    my ($vmid, $tagopt_old, $tagopt_new, $rpcenv, $authuser) = @_;
> +
> +    my $allowed_tags;
> +    my $privileged_tags;
> +    my $freeform;
> +    my $privileged_user = $rpcenv->check($authuser, '/', ['Sys.Modify'], 1);
> +    my $has_config_options =
> +     $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'], 
> 0, 1);
> +
> +    my $check_single_tag = sub {
> +     my ($tag) = @_;
> +     return if $privileged_user;
> +
> +     $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'])
> +         if !$has_config_options;
> +

nit: this confused me - but it's basically to only check once and fail if a tag 
has
changed? would be more readable by just recording whether it was checked already
and skipping based on that bool IMHO, instead of skipping based on the result of
a noerr redundant check..

> +     if (!defined($allowed_tags) && !defined($privileged_tags) && 
> !defined($freeform)) {
> +         ($allowed_tags, $privileged_tags, $freeform) = 
> PVE::DataCenterConfig::get_allowed_tags(
> +             $privileged_user,
> +             sub {
> +                 my ($vmid_to_check) = @_;
> +                 return $rpcenv->check_vm_perm($authuser, $vmid_to_check, 
> undef, ['VM.Audit'], 0, 1);
> +             },
> +         );

see response to "get_allowed_tags" patch ;)

> +     }
> +
> +     if ((!$allowed_tags->{$tag} && !$freeform) || $privileged_tags->{$tag}) 
> {
> +         raise_perm_exc("/, Sys.Modify for modifying tag '$tag'");
> +     }
> +
> +     return;
> +    };
> +
> +    my $old_tags = {};
> +    my $new_tags = {};
> +    my $all_tags = {};
> +
> +    $all_tags->{$_} = $old_tags->{$_} += 1 for 
> PVE::Tools::split_list($tagopt_old // '');
> +    $all_tags->{$_} = $new_tags->{$_} += 1 for 
> PVE::Tools::split_list($tagopt_new // '');
> +
> +    for my $tag (keys $all_tags->%*) {
> +     next if ($new_tags->{$tag} // 0) == ($old_tags->{$tag} // 0);
> +     $check_single_tag->($tag);
> +    }
> +}
> +
>  1;
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to