From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 823611FF165 for ; Thu, 23 Oct 2025 11:23:49 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E6997488F; Thu, 23 Oct 2025 11:24:16 +0200 (CEST) Message-ID: Date: Thu, 23 Oct 2025 11:24:13 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox Datacenter Manager development discussion , Shannon Sterz References: <20251022131126.358790-1-s.sterz@proxmox.com> <20251022131126.358790-2-s.sterz@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: <20251022131126.358790-2-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1761211445841 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.028 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH proxmox v2 1/4] access-control: add acl feature to only expose types and the AclTree X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" one tiny nit inline otherwise looks good to me Reviewed-by: Dominik Csapak On 10/22/25 3:11 PM, Shannon Sterz wrote: > this is useful, when an application wants to only handle an acl tree > without depending on more complex features provided by the rest of the > `impl` feature or its bigger dependencies (e.g. openssl). > > Signed-off-by: Shannon Sterz > --- > proxmox-access-control/Cargo.toml | 6 +++++- > proxmox-access-control/src/acl.rs | 19 ++++++++++++++++++- > proxmox-access-control/src/init.rs | 13 ++++++++++++- > proxmox-access-control/src/lib.rs | 4 ++-- > 4 files changed, 37 insertions(+), 5 deletions(-) > > diff --git a/proxmox-access-control/Cargo.toml b/proxmox-access-control/Cargo.toml > index d23d272d..0eaf9fdf 100644 > --- a/proxmox-access-control/Cargo.toml > +++ b/proxmox-access-control/Cargo.toml > @@ -35,18 +35,22 @@ proxmox-uuid = { workspace = true } > > [features] > default = [] > +acl = [ > + "dep:proxmox-section-config", > +] > api = [ > "impl", > "dep:hex", > ] > impl = [ > + "acl", > "dep:nix", > "dep:openssl", > "dep:proxmox-config-digest", > "dep:proxmox-product-config", > "dep:proxmox-router", > - "dep:proxmox-section-config", > "dep:proxmox-shared-memory", > "dep:proxmox-sys", > "dep:serde_json", > ] > + > diff --git a/proxmox-access-control/src/acl.rs b/proxmox-access-control/src/acl.rs > index 270292ac..877b003c 100644 > --- a/proxmox-access-control/src/acl.rs > +++ b/proxmox-access-control/src/acl.rs > @@ -1,15 +1,25 @@ > -use std::collections::{BTreeMap, BTreeSet, HashMap}; > +#[cfg(feature = "impl")] > +use std::collections::BTreeSet; > +use std::collections::{BTreeMap, HashMap}; > +#[cfg(feature = "impl")] > use std::io::Write; > +#[cfg(feature = "impl")] > use std::path::Path; > +#[cfg(feature = "impl")] > use std::sync::{Arc, OnceLock, RwLock}; > > use anyhow::{bail, Error}; > > use proxmox_auth_api::types::{Authid, Userid}; > +#[cfg(feature = "impl")] > use proxmox_config_digest::ConfigDigest; > +#[cfg(feature = "impl")] > use proxmox_product_config::{open_api_lockfile, replace_privileged_config, ApiLockGuard}; > > use crate::init::{access_conf, acl_config, acl_config_lock}; > +use crate::init::access_conf; this now imports 'access_conf' twice, probably that line would belong to the next patch? > +#[cfg(feature = "impl")] > +use crate::init::{acl_config, acl_config_lock}; > > pub fn split_acl_path(path: &str) -> Vec<&str> { > let items = path.split('/'); > @@ -302,6 +312,7 @@ impl AclTree { > node.insert_user_role(auth_id.to_owned(), role.to_string(), propagate); > } > > + #[cfg(feature = "impl")] > fn write_node_config(node: &AclTreeNode, path: &str, w: &mut dyn Write) -> Result<(), Error> { > let mut role_ug_map0: HashMap<_, BTreeSet<_>> = HashMap::new(); > let mut role_ug_map1: HashMap<_, BTreeSet<_>> = HashMap::new(); > @@ -402,6 +413,7 @@ impl AclTree { > Ok(()) > } > > + #[cfg(feature = "impl")] > fn write_config(&self, w: &mut dyn Write) -> Result<(), Error> { > Self::write_node_config(&self.root, "", w) > } > @@ -449,6 +461,7 @@ impl AclTree { > Ok(()) > } > > + #[cfg(feature = "impl")] > fn load(filename: &Path) -> Result<(Self, ConfigDigest), Error> { > let mut tree = Self::new(); > > @@ -553,11 +566,13 @@ impl AclTree { > } > > /// Get exclusive lock > +#[cfg(feature = "impl")] > pub fn lock_config() -> Result { > open_api_lockfile(acl_config_lock(), None, true) > } > > /// Reads the [`AclTree`] from `acl.cfg` in the configuration directory. > +#[cfg(feature = "impl")] > pub fn config() -> Result<(AclTree, ConfigDigest), Error> { > let path = acl_config(); > AclTree::load(&path) > @@ -568,6 +583,7 @@ pub fn config() -> Result<(AclTree, ConfigDigest), Error> { > /// > /// Since the AclTree is used for every API request's permission check, this caching mechanism > /// allows to skip reading and parsing the file again if it is unchanged. > +#[cfg(feature = "impl")] > pub fn cached_config() -> Result, Error> { > struct ConfigCache { > data: Option>, > @@ -621,6 +637,7 @@ pub fn cached_config() -> Result, Error> { > > /// Saves an [`AclTree`] to `acl.cfg` in the configuration directory, ensuring proper ownership and > /// file permissions. > +#[cfg(feature = "impl")] > pub fn save_config(acl: &AclTree) -> Result<(), Error> { > let mut raw: Vec = Vec::new(); > acl.write_config(&mut raw)?; > diff --git a/proxmox-access-control/src/init.rs b/proxmox-access-control/src/init.rs > index 39a12352..cf5f795d 100644 > --- a/proxmox-access-control/src/init.rs > +++ b/proxmox-access-control/src/init.rs > @@ -1,4 +1,5 @@ > use std::collections::HashMap; > +#[cfg(feature = "impl")] > use std::path::{Path, PathBuf}; > use std::sync::OnceLock; > > @@ -8,6 +9,7 @@ use proxmox_auth_api::types::{Authid, Userid}; > use proxmox_section_config::SectionConfigData; > > static ACCESS_CONF: OnceLock<&'static dyn AccessControlConfig> = OnceLock::new(); > +#[cfg(feature = "impl")] > static ACCESS_CONF_DIR: OnceLock = OnceLock::new(); > > /// This trait specifies the functions a product needs to implement to get ACL tree based access > @@ -105,6 +107,7 @@ pub trait AccessControlConfig: Send + Sync { > } > } > > +#[cfg(feature = "impl")] > pub fn init>( > acm_config: &'static dyn AccessControlConfig, > config_dir: P, > @@ -113,13 +116,14 @@ pub fn init>( > init_access_config_dir(config_dir) > } > > +#[cfg(feature = "impl")] > pub(crate) fn init_access_config_dir>(config_dir: P) -> Result<(), Error> { > ACCESS_CONF_DIR > .set(config_dir.as_ref().to_owned()) > .map_err(|_e| format_err!("cannot initialize acl tree config twice!")) > } > > -pub(crate) fn init_access_config(config: &'static dyn AccessControlConfig) -> Result<(), Error> { > +pub fn init_access_config(config: &'static dyn AccessControlConfig) -> Result<(), Error> { > ACCESS_CONF > .set(config) > .map_err(|_e| format_err!("cannot initialize acl tree config twice!")) > @@ -131,32 +135,39 @@ pub(crate) fn access_conf() -> &'static dyn AccessControlConfig { > .expect("please initialize the acm config before using it!") > } > > +#[cfg(feature = "impl")] > fn conf_dir() -> &'static PathBuf { > ACCESS_CONF_DIR > .get() > .expect("please initialize acm config dir before using it!") > } > > +#[cfg(feature = "impl")] > pub(crate) fn acl_config() -> PathBuf { > conf_dir().join("acl.cfg") > } > > +#[cfg(feature = "impl")] > pub(crate) fn acl_config_lock() -> PathBuf { > conf_dir().join(".acl.lck") > } > > +#[cfg(feature = "impl")] > pub(crate) fn user_config() -> PathBuf { > conf_dir().join("user.cfg") > } > > +#[cfg(feature = "impl")] > pub(crate) fn user_config_lock() -> PathBuf { > conf_dir().join(".user.lck") > } > > +#[cfg(feature = "impl")] > pub(crate) fn token_shadow() -> PathBuf { > conf_dir().join("token.shadow") > } > > +#[cfg(feature = "impl")] > pub(crate) fn token_shadow_lock() -> PathBuf { > conf_dir().join("token.shadow.lock") > } > diff --git a/proxmox-access-control/src/lib.rs b/proxmox-access-control/src/lib.rs > index 62683924..9195c999 100644 > --- a/proxmox-access-control/src/lib.rs > +++ b/proxmox-access-control/src/lib.rs > @@ -2,13 +2,13 @@ > > pub mod types; > > -#[cfg(feature = "impl")] > +#[cfg(feature = "acl")] > pub mod acl; > > #[cfg(feature = "api")] > pub mod api; > > -#[cfg(feature = "impl")] > +#[cfg(feature = "acl")] > pub mod init; > > #[cfg(feature = "impl")] _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel