From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 928A191B9E for ; Thu, 9 Feb 2023 14:31:35 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 70C1E24859 for ; Thu, 9 Feb 2023 14:31:35 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 9 Feb 2023 14:31:34 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 6C76246543 for ; Thu, 9 Feb 2023 14:31:34 +0100 (CET) From: Lukas Wagner To: pbs-devel@lists.proxmox.com Date: Thu, 9 Feb 2023 14:31:13 +0100 Message-Id: <20230209133128.695211-4-l.wagner@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230209133128.695211-1-l.wagner@proxmox.com> References: <20230209133128.695211-1-l.wagner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.233 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [acl.rs] Subject: [pbs-devel] [PATCH v3 proxmox-backup 03/18] pbs-config: add delete_authid to ACL-tree X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Feb 2023 13:31:35 -0000 From: Hannes Laimer ... allows the deletion of an authid from the whole tree. Needed for removing deleted users/tokens. Signed-off-by: Hannes Laimer --- pbs-config/src/acl.rs | 71 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/pbs-config/src/acl.rs b/pbs-config/src/acl.rs index 89a54dfc..01a75c00 100644 --- a/pbs-config/src/acl.rs +++ b/pbs-config/src/acl.rs @@ -280,6 +280,13 @@ impl AclTreeNode { roles.remove(role); } + fn delete_authid(&mut self, auth_id: &Authid) { + for node in self.children.values_mut() { + node.delete_authid(auth_id); + } + self.users.remove(auth_id); + } + fn insert_group_role(&mut self, group: String, role: String, propagate: bool) { let map = self.groups.entry(group).or_default(); if role == ROLE_NAME_NO_ACCESS { @@ -411,6 +418,14 @@ impl AclTree { } } + /// Deletes a user or token from the ACL-tree + /// + /// Traverses the tree in-order and removes the given user/token by their Authid + /// from every node in the tree. + pub fn delete_authid(&mut self, auth_id: &Authid) { + self.root.delete_authid(auth_id); + } + /// Inserts the specified `role` into the `group` ACL on `path`. /// /// The [`AclTreeNode`] representing `path` will be created and inserted into the tree if @@ -1010,4 +1025,60 @@ acl:1:/storage/store1:user1@pbs:DatastoreBackup Ok(()) } + + #[test] + fn test_delete_authid() -> Result<(), Error> { + let mut tree = AclTree::new(); + + let user1: Authid = "user1@pbs".parse()?; + let user2: Authid = "user2@pbs".parse()?; + + let user1_paths = vec![ + "/", + "/storage", + "/storage/a", + "/storage/a/b", + "/storage/b", + "/storage/b/a", + "/storage/b/b", + "/storage/a/a", + ]; + let user2_paths = vec!["/", "/storage", "/storage/a/b", "/storage/a/a"]; + + for path in &user1_paths { + tree.insert_user_role(path, &user1, "NoAccess", true); + } + for path in &user2_paths { + tree.insert_user_role(path, &user2, "NoAccess", true); + } + + tree.delete_authid(&user1); + + for path in &user1_paths { + let node = tree.find_node(path); + assert!(node.is_some()); + if let Some(node) = node { + assert!(node.users.get(&user1).is_none()); + } + } + for path in &user2_paths { + let node = tree.find_node(path); + assert!(node.is_some()); + if let Some(node) = node { + assert!(node.users.get(&user2).is_some()); + } + } + + tree.delete_authid(&user2); + + for path in &user2_paths { + let node = tree.find_node(path); + assert!(node.is_some()); + if let Some(node) = node { + assert!(node.users.get(&user2).is_none()); + } + } + + Ok(()) + } } -- 2.30.2