From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id F09491FF15E for ; Wed, 21 Jan 2026 16:14:07 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 1A6A424F1; Wed, 21 Jan 2026 16:14:23 +0100 (CET) From: Samuel Rufinatscha To: pbs-devel@lists.proxmox.com Date: Wed, 21 Jan 2026 16:14:01 +0100 Message-ID: <20260121151408.731516-6-s.rufinatscha@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260121151408.731516-1-s.rufinatscha@proxmox.com> References: <20260121151408.731516-1-s.rufinatscha@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1769008397049 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.257 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox v4 1/4] proxmox-access-control: split AccessControlConfig and add token.shadow gen X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Splits AccessControlConfig trait into AccessControlPermissions and AccessControlConfig traits and adds token.shadow generation support to AccessControlConfig (provides default impl). Signed-off-by: Samuel Rufinatscha --- Changes from v3 to 4: * Split AccessControlConfig: introduced AccessControlPermissions to provide permissions for AccessControlConfig * Adjusted commit message proxmox-access-control/src/acl.rs | 10 ++- proxmox-access-control/src/init.rs | 113 +++++++++++++++++++++++------ 2 files changed, 99 insertions(+), 24 deletions(-) diff --git a/proxmox-access-control/src/acl.rs b/proxmox-access-control/src/acl.rs index 38cb7edf..4b4eac09 100644 --- a/proxmox-access-control/src/acl.rs +++ b/proxmox-access-control/src/acl.rs @@ -763,7 +763,7 @@ fn privs_to_priv_names(privs: u64) -> Vec<&'static str> { mod test { use std::{collections::HashMap, sync::OnceLock}; - use crate::init::{init_access_config, AccessControlConfig}; + use crate::init::{init_access_config, AccessControlConfig, AccessControlPermissions}; use super::AclTree; use anyhow::Error; @@ -775,7 +775,7 @@ mod test { roles: HashMap<&'a str, (u64, &'a str)>, } - impl AccessControlConfig for TestAcmConfig<'_> { + impl AccessControlPermissions for TestAcmConfig<'_> { fn roles(&self) -> &HashMap<&str, (u64, &str)> { &self.roles } @@ -793,6 +793,12 @@ mod test { } } + impl AccessControlConfig for TestAcmConfig<'_> { + fn permissions(&self) -> &dyn AccessControlPermissions { + self + } + } + fn setup_acl_tree_config() { static ACL_CONFIG: OnceLock = OnceLock::new(); let config = ACL_CONFIG.get_or_init(|| { diff --git a/proxmox-access-control/src/init.rs b/proxmox-access-control/src/init.rs index e64398e8..dfd7784b 100644 --- a/proxmox-access-control/src/init.rs +++ b/proxmox-access-control/src/init.rs @@ -8,9 +8,8 @@ use proxmox_section_config::SectionConfigData; static ACCESS_CONF: OnceLock<&'static dyn AccessControlConfig> = OnceLock::new(); -/// This trait specifies the functions a product needs to implement to get ACL tree based access -/// control management from this plugin. -pub trait AccessControlConfig: Send + Sync { +/// Provides permission metadata used by access control. +pub trait AccessControlPermissions: Send + Sync { /// Returns a mapping of all recognized privileges and their corresponding `u64` value. fn privileges(&self) -> &HashMap<&str, u64>; @@ -32,25 +31,6 @@ pub trait AccessControlConfig: Send + Sync { false } - /// Returns the current cache generation of the user and acl configs. If the generation was - /// incremented since the last time the cache was queried, the configs are loaded again from - /// disk. - /// - /// Returning `None` will always reload the cache. - /// - /// Default: Always returns `None`. - fn cache_generation(&self) -> Option { - None - } - - /// Increment the cache generation of user and acl configs. This indicates that they were - /// changed on disk. - /// - /// Default: Does nothing. - fn increment_cache_generation(&self) -> Result<(), Error> { - Ok(()) - } - /// Optionally returns a role that has no access to any resource. /// /// Default: Returns `None`. @@ -103,6 +83,95 @@ pub trait AccessControlConfig: Send + Sync { } } +/// This trait specifies the functions a product needs to implement to get ACL tree based access +/// control management from this plugin. +pub trait AccessControlConfig: Send + Sync { + /// Return the permissions provider. + fn permissions(&self) -> &dyn AccessControlPermissions; + + fn privileges(&self) -> &HashMap<&str, u64> { + self.permissions().privileges() + } + + fn roles(&self) -> &HashMap<&str, (u64, &str)> { + self.permissions().roles() + } + + fn is_superuser(&self, auth_id: &Authid) -> bool { + self.permissions().is_superuser(auth_id) + } + + fn is_group_member(&self, user_id: &Userid, group: &str) -> bool { + self.permissions().is_group_member(user_id, group) + } + + fn role_no_access(&self) -> Option<&str> { + self.permissions().role_no_access() + } + + fn role_admin(&self) -> Option<&str> { + self.permissions().role_admin() + } + + fn init_user_config(&self, config: &mut SectionConfigData) -> Result<(), Error> { + self.permissions().init_user_config(config) + } + + fn acl_audit_privileges(&self) -> u64 { + self.permissions().acl_audit_privileges() + } + + fn acl_modify_privileges(&self) -> u64 { + self.permissions().acl_modify_privileges() + } + + fn check_acl_path(&self, path: &str) -> Result<(), Error> { + self.permissions().check_acl_path(path) + } + + fn allow_partial_permission_match(&self) -> bool { + self.permissions().allow_partial_permission_match() + } + + // Cache hooks + + /// Returns the current cache generation of the user and acl configs. If the generation was + /// incremented since the last time the cache was queried, the configs are loaded again from + /// disk. + /// + /// Returning `None` will always reload the cache. + /// + /// Default: Always returns `None`. + fn cache_generation(&self) -> Option { + None + } + + /// Increment the cache generation of user and acl configs. This indicates that they were + /// changed on disk. + /// + /// Default: Does nothing. + fn increment_cache_generation(&self) -> Result<(), Error> { + Ok(()) + } + + /// Returns the current cache generation of the token shadow cache. If the generation was + /// incremented since the last time the cache was queried, the token shadow cache is reloaded + /// from disk. + /// + /// Default: Always returns `None`. + fn token_shadow_cache_generation(&self) -> Option { + None + } + + /// Increment the cache generation of the token shadow cache. This indicates that it was + /// changed on disk. + /// + /// Default: Returns an error as token shadow generation is not supported. + fn increment_token_shadow_cache_generation(&self) -> Result { + anyhow::bail!("token shadow generation not supported"); + } +} + pub fn init_access_config(config: &'static dyn AccessControlConfig) -> Result<(), Error> { ACCESS_CONF .set(config) -- 2.47.3 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel