From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id B4F9E664C4 for ; Fri, 6 Nov 2020 11:23:20 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AADD01FF26 for ; Fri, 6 Nov 2020 11:23:20 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 2ACE61FF1C for ; Fri, 6 Nov 2020 11:23:20 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id EB19E45FCD for ; Fri, 6 Nov 2020 11:23:19 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Fri, 6 Nov 2020 11:23:08 +0100 Message-Id: <20201106102309.1458959-3-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20201106102309.1458959-1-f.gruenbichler@proxmox.com> References: <20201106102309.1458959-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.024 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [job.store, verify.rs] Subject: [pbs-devel] [PATCH proxmox-backup 2/3] verify: allow unprivileged access to admin API X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Nov 2020 10:23:20 -0000 which is the one used by the GUI. Signed-off-by: Fabian Grünbichler --- src/api2/admin/verify.rs | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/src/api2/admin/verify.rs b/src/api2/admin/verify.rs index 02c1eef4..6c345cd8 100644 --- a/src/api2/admin/verify.rs +++ b/src/api2/admin/verify.rs @@ -2,11 +2,16 @@ use anyhow::{format_err, Error}; use proxmox::api::router::SubdirMap; use proxmox::{list_subdirs_api_method, sortable}; -use proxmox::api::{api, ApiMethod, Router, RpcEnvironment}; +use proxmox::api::{api, ApiMethod, Permission, Router, RpcEnvironment}; use crate::api2::types::*; use crate::server::do_verification_job; use crate::server::jobstate::{Job, JobState}; +use crate::config::acl::{ + PRIV_DATASTORE_AUDIT, + PRIV_DATASTORE_VERIFY, +}; +use crate::config::cached_user_info::CachedUserInfo; use crate::config::verify; use crate::config::verify::{VerificationJobConfig, VerificationJobStatus}; use serde_json::Value; @@ -23,10 +28,14 @@ use crate::server::UPID; }, }, returns: { - description: "List configured jobs and their status.", + description: "List configured jobs and their status (filtered by access)", type: Array, items: { type: verify::VerificationJobStatus }, }, + access: { + permission: &Permission::Anybody, + description: "Requires Datastore.Audit or Datastore.Verify on datastore.", + }, )] /// List all verification jobs pub fn list_verification_jobs( @@ -34,6 +43,10 @@ pub fn list_verification_jobs( _param: Value, mut rpcenv: &mut dyn RpcEnvironment, ) -> Result, Error> { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + + let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_VERIFY; let (config, digest) = verify::config()?; @@ -41,6 +54,11 @@ pub fn list_verification_jobs( .convert_to_typed_array("verification")? .into_iter() .filter(|job: &VerificationJobStatus| { + let privs = user_info.lookup_privs(&auth_id, &["datastore", &job.store]); + if privs & required_privs == 0 { + return false; + } + if let Some(store) = &store { &job.store == store } else { @@ -90,7 +108,11 @@ pub fn list_verification_jobs( schema: JOB_ID_SCHEMA, } } - } + }, + access: { + permission: &Permission::Anybody, + description: "Requires Datastore.Verify on job's datastore.", + }, )] /// Runs a verification job manually. fn run_verification_job( @@ -98,10 +120,13 @@ fn run_verification_job( _info: &ApiMethod, rpcenv: &mut dyn RpcEnvironment, ) -> Result { + let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + let (config, _digest) = verify::config()?; let verification_job: VerificationJobConfig = config.lookup("verification", &id)?; - let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; + user_info.check_privs(&auth_id, &["datastore", &verification_job.store], PRIV_DATASTORE_VERIFY, true)?; let job = Job::new("verificationjob", &id)?; -- 2.20.1