From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 10/16] tasks: allow unpriv users to read their tokens' tasks
Date: Wed, 28 Oct 2020 12:37:11 +0100 [thread overview]
Message-ID: <20201028113717.827644-1-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20201028113632.814586-1-f.gruenbichler@proxmox.com>
and tighten down the return schema while we're at it.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/api2/node/tasks.rs | 37 +++++++++++++++++++++++++------------
src/api2/types/mod.rs | 6 +++---
2 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/src/api2/node/tasks.rs b/src/api2/node/tasks.rs
index 66af6d11..555f59cd 100644
--- a/src/api2/node/tasks.rs
+++ b/src/api2/node/tasks.rs
@@ -14,6 +14,16 @@ use crate::server::{self, UPID, TaskState, TaskListInfoIterator};
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
use crate::config::cached_user_info::CachedUserInfo;
+fn check_task_access(auth_id: &Authid, upid: &UPID) -> Result<(), Error> {
+ let task_auth_id = &upid.auth_id;
+ if auth_id == task_auth_id
+ || (task_auth_id.is_token() && &Authid::from(task_auth_id.user().clone()) == auth_id) {
+ Ok(())
+ } else {
+ let user_info = CachedUserInfo::new()?;
+ user_info.check_privs(auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)
+ }
+}
#[api(
input: {
@@ -57,9 +67,13 @@ use crate::config::cached_user_info::CachedUserInfo;
description: "Worker ID (arbitrary ASCII string)",
},
user: {
- type: String,
+ type: Userid,
description: "The user who started the task.",
},
+ tokenid: {
+ schema: PROXMOX_TOKEN_NAME_SCHEMA,
+ optional: true,
+ },
status: {
type: String,
description: "'running' or 'stopped'",
@@ -85,11 +99,7 @@ async fn get_task_status(
let upid = extract_upid(¶m)?;
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
-
- if auth_id != upid.auth_id {
- let user_info = CachedUserInfo::new()?;
- user_info.check_privs(&auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
- }
+ check_task_access(&auth_id, &upid)?;
let mut result = json!({
"upid": param["upid"],
@@ -99,9 +109,13 @@ async fn get_task_status(
"starttime": upid.starttime,
"type": upid.worker_type,
"id": upid.worker_id,
- "user": upid.auth_id,
+ "user": upid.auth_id.user(),
});
+ if upid.auth_id.is_token() {
+ result["tokenid"] = Value::from(upid.auth_id.tokenname().unwrap().as_str());
+ }
+
if crate::server::worker_is_active(&upid).await? {
result["status"] = Value::from("running");
} else {
@@ -163,10 +177,7 @@ async fn read_task_log(
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
- if auth_id != upid.auth_id {
- let user_info = CachedUserInfo::new()?;
- user_info.check_privs(&auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
- }
+ check_task_access(&auth_id, &upid)?;
let test_status = param["test-status"].as_bool().unwrap_or(false);
@@ -326,7 +337,9 @@ pub fn list_tasks(
Err(_) => return None,
};
- if !list_all && info.upid.auth_id != auth_id { return None; }
+ if !list_all && check_task_access(&auth_id, &info.upid).is_err() {
+ return None;
+ }
if let Some(needle) = &userfilter {
if !info.upid.auth_id.to_string().contains(needle) { return None; }
diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs
index 4084112d..acb5d6d0 100644
--- a/src/api2/types/mod.rs
+++ b/src/api2/types/mod.rs
@@ -627,7 +627,7 @@ pub struct StorageStatus {
#[api(
properties: {
upid: { schema: UPID_SCHEMA },
- userid: { type: Authid },
+ user: { type: Authid },
},
)]
#[derive(Serialize, Deserialize)]
@@ -647,7 +647,7 @@ pub struct TaskListItem {
/// Worker ID (arbitrary ASCII string)
pub worker_id: Option<String>,
/// The authenticated entity who started the task
- pub userid: Authid,
+ pub user: Authid,
/// The task end time (Epoch)
#[serde(skip_serializing_if="Option::is_none")]
pub endtime: Option<i64>,
@@ -670,7 +670,7 @@ impl From<crate::server::TaskListInfo> for TaskListItem {
starttime: info.upid.starttime,
worker_type: info.upid.worker_type,
worker_id: info.upid.worker_id,
- userid: info.upid.auth_id,
+ user: info.upid.auth_id,
endtime,
status,
}
--
2.20.1
next prev parent reply other threads:[~2020-10-28 11:37 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-28 11:36 [pbs-devel] [PATCH proxmox-backup 00/16] API tokens Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-widget-toolkit] add PermissionView Fabian Grünbichler
2020-10-28 16:18 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 01/16] api: add Authid as wrapper around Userid Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox] rpcenv: rename user to auth_id Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 02/16] config: add token.shadow file Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 03/16] replace Userid with Authid Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 04/16] REST: extract and handle API tokens Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 05/16] api: add API token endpoints Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 06/16] api: allow listing users + tokens Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 07/16] api: add permissions endpoint Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 08/16] client/remote: allow using ApiToken + secret Fabian Grünbichler
2020-10-28 11:36 ` [pbs-devel] [PATCH proxmox-backup 09/16] owner checks: handle backups owned by API tokens Fabian Grünbichler
2020-10-28 11:37 ` Fabian Grünbichler [this message]
2020-10-28 11:37 ` [pbs-devel] [PATCH proxmox-backup 11/16] manager: add token commands Fabian Grünbichler
2020-10-28 11:37 ` [pbs-devel] [PATCH proxmox-backup 12/16] manager: add user permissions command Fabian Grünbichler
2020-10-28 11:37 ` [pbs-devel] [PATCH proxmox-backup 13/16] gui: add permissions button to user view Fabian Grünbichler
2020-10-28 11:37 ` [pbs-devel] [PATCH proxmox-backup 14/16] gui: add API token UI Fabian Grünbichler
2020-10-28 11:37 ` [pbs-devel] [PATCH proxmox-backup 15/16] acls: allow viewing/editing user's token ACLs Fabian Grünbichler
2020-10-28 11:37 ` [pbs-devel] [PATCH proxmox-backup 16/16] gui: add API " Fabian Grünbichler
2020-10-29 14:23 ` [pbs-devel] applied: [PATCH proxmox-backup 00/16] API tokens Wolfgang Bumiller
2020-10-29 19:50 ` [pbs-devel] " Thomas Lamprecht
2020-10-30 8:03 ` Fabian Grünbichler
2020-10-30 8:48 ` Thomas Lamprecht
2020-10-30 9:55 ` Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201028113717.827644-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox