From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 62C9467A38
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:08:19 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 5A2BA1F9EF
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:08:19 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 3C48B1F9D1
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:08:18 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 0285746054
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:08:18 +0100 (CET)
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Tue, 10 Nov 2020 12:08:13 +0100
Message-Id: <20201110110813.2060005-1-f.gruenbichler@proxmox.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.024 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [datastore.rs, verify.rs]
Subject: [pbs-devel] [PATCH proxmox-backup] fix #3060:: improve get_owner
 error handling
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2020 11:08:19 -0000

log invalid owners to system log, and continue with next group just as
if permission checks fail for the following operations:
- verify store with limited permissions
- list store groups
- list store snapshots

all other call sites either handle it correctly already (sync/pull), or
operate on a single group/snapshot and can bubble up the error.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/api2/admin/datastore.rs | 16 ++++++++++++++--
 src/backup/verify.rs        |  7 ++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/api2/admin/datastore.rs b/src/api2/admin/datastore.rs
index b051e8dd..8256f02f 100644
--- a/src/api2/admin/datastore.rs
+++ b/src/api2/admin/datastore.rs
@@ -187,7 +187,13 @@ fn list_groups(
         let group = info.backup_dir.group();
 
         let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
-        let owner = datastore.get_owner(group)?;
+        let owner = match datastore.get_owner(group) {
+            Ok(auth_id) => auth_id,
+            Err(err) => {
+                println!("Failed to get owner of group '{}' - {}", group, err);
+                continue;
+            },
+        };
         if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
             continue;
         }
@@ -369,7 +375,13 @@ pub fn list_snapshots (
         }
 
         let list_all = (user_privs & PRIV_DATASTORE_AUDIT) != 0;
-        let owner = datastore.get_owner(group)?;
+        let owner = match datastore.get_owner(group) {
+            Ok(auth_id) => auth_id,
+            Err(err) => {
+                println!("Failed to get owner of group '{}' - {}", group, err);
+                continue;
+            },
+        };
 
         if !list_all && check_backup_owner(&owner, &auth_id).is_err() {
             continue;
diff --git a/src/backup/verify.rs b/src/backup/verify.rs
index e0e28ee9..b5bb85fc 100644
--- a/src/backup/verify.rs
+++ b/src/backup/verify.rs
@@ -516,7 +516,12 @@ pub fn verify_all_backups(
                             && !owner.is_token()
                             && group_owner.user() == owner.user())
                 },
-                Err(_) => false,
+                Err(err) => {
+                    // intentionally not in task log
+                    // the task user might not be allowed to see this group!
+                    println!("Failed to get owner of group '{}' - {}", group, err);
+                    false
+                },
             }
         } else {
             true
-- 
2.20.1