From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6C00769E68 for ; Wed, 20 Jan 2021 17:25:05 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 69A24AC78 for ; Wed, 20 Jan 2021 17:24:35 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id DD1B5AC6E for ; Wed, 20 Jan 2021 17:24:34 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A870A46091 for ; Wed, 20 Jan 2021 17:24:34 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Wed, 20 Jan 2021 17:23:51 +0100 Message-Id: <20210120162355.2750802-5-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210120162355.2750802-1-f.gruenbichler@proxmox.com> References: <20210120162355.2750802-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.027 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [access.rs, tasks.rs] Subject: [pbs-devel] [PATCH proxmox-backup 4/8] clippy: rewrite ifs with identical return values X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jan 2021 16:25:05 -0000 Signed-off-by: Fabian Grünbichler --- src/api2/access.rs | 32 +++++++++++++------------------- src/api2/node/tasks.rs | 16 ++++++---------- 2 files changed, 19 insertions(+), 29 deletions(-) diff --git a/src/api2/access.rs b/src/api2/access.rs index 61d0f74e..b4d78395 100644 --- a/src/api2/access.rs +++ b/src/api2/access.rs @@ -25,6 +25,7 @@ pub mod role; pub mod tfa; pub mod user; +#[allow(clippy::large_enum_variant)] enum AuthResult { /// Successful authentication which does not require a new ticket. Success, @@ -329,27 +330,20 @@ pub fn list_permissions( let user_info = CachedUserInfo::new()?; let user_privs = user_info.lookup_privs(¤t_auth_id, &["access"]); - let auth_id = if user_privs & PRIV_SYS_AUDIT == 0 { - match auth_id { - Some(auth_id) => { - if auth_id == current_auth_id { - auth_id - } else if auth_id.is_token() + let auth_id = match auth_id { + Some(auth_id) if auth_id == current_auth_id => current_auth_id, + Some(auth_id) => { + if user_privs & PRIV_SYS_AUDIT != 0 + || (auth_id.is_token() && !current_auth_id.is_token() - && auth_id.user() == current_auth_id.user() - { - auth_id - } else { - bail!("not allowed to list permissions of {}", auth_id); - } + && auth_id.user() == current_auth_id.user()) + { + auth_id + } else { + bail!("not allowed to list permissions of {}", auth_id); } - None => current_auth_id, - } - } else { - match auth_id { - Some(auth_id) => auth_id, - None => current_auth_id, - } + }, + None => current_auth_id, }; fn populate_acl_paths( diff --git a/src/api2/node/tasks.rs b/src/api2/node/tasks.rs index 8de35ca9..99470531 100644 --- a/src/api2/node/tasks.rs +++ b/src/api2/node/tasks.rs @@ -110,16 +110,12 @@ fn check_task_access(auth_id: &Authid, upid: &UPID) -> Result<(), Error> { } else { let user_info = CachedUserInfo::new()?; - let task_privs = user_info.lookup_privs(auth_id, &["system", "tasks"]); - if task_privs & PRIV_SYS_AUDIT != 0 { - // allowed to read all tasks in general - Ok(()) - } else if check_job_privs(&auth_id, &user_info, upid).is_ok() { - // job which the user/token could have configured/manually executed - Ok(()) - } else { - bail!("task access not allowed"); - } + // access to all tasks + // or task == job which the user/token could have configured/manually executed + + user_info.check_privs(auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false) + .or_else(|_| check_job_privs(&auth_id, &user_info, upid)) + .or_else(|_| bail!("task access not allowed")) } } -- 2.20.1