[pbs-devel] [PATCH v3 proxmox-backup 20/33] api: sync: add permission checks for push sync jobs

[Christian Ebner <c.ebner@proxmox.com>]

For sync jobs in push direction, also permissions to modify and prune
the snapshots on the remote datastore are required, in contrast to
the pull sync job.

Add additional permissions to be checked on the local instance before
attempting operating on the remote.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
changes since version 2:
- not present in previous version

 src/api2/admin/sync.rs  | 18 +++++++++++++++---
 src/api2/config/sync.rs | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/src/api2/admin/sync.rs b/src/api2/admin/sync.rs
index bdbc06a8e..0fad10d0c 100644
--- a/src/api2/admin/sync.rs
+++ b/src/api2/admin/sync.rs
@@ -18,7 +18,10 @@ use pbs_config::sync;
 use pbs_config::CachedUserInfo;
 
 use crate::{
-    api2::config::sync::{check_sync_job_modify_access, check_sync_job_read_access},
+    api2::config::sync::{
+        check_sync_job_modify_access, check_sync_job_read_access,
+        check_sync_job_remote_datastore_backup_access,
+    },
     server::jobstate::{compute_schedule_status, Job, JobState},
     server::sync::do_sync_job,
 };
@@ -121,8 +124,17 @@ pub fn run_sync_job(
     let sync_direction = sync_direction.unwrap_or_default();
     let sync_job: SyncJobConfig = config.lookup(sync_direction.as_config_type_str(), &id)?;
 
-    if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job) {
-        bail!("permission check failed");
+    match sync_direction {
+        SyncDirection::Pull => {
+            if !check_sync_job_modify_access(&user_info, &auth_id, &sync_job) {
+                bail!("permission check failed, '{auth_id}' is missing access on datastore");
+            }
+        }
+        SyncDirection::Push => {
+            if !check_sync_job_remote_datastore_backup_access(&user_info, &auth_id, &sync_job) {
+                bail!("permission check failed, '{auth_id}' is missing access on remote");
+            }
+        }
     }
 
     let job = Job::new("syncjob", &id)?;
diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index a21e0bd6f..5035df8c9 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -10,7 +10,8 @@ use proxmox_schema::{api, param_bail};
 use pbs_api_types::{
     Authid, SyncJobConfig, SyncJobConfigUpdater, JOB_ID_SCHEMA, PRIV_DATASTORE_AUDIT,
     PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_PRUNE, PRIV_REMOTE_AUDIT,
-    PRIV_REMOTE_READ, PROXMOX_CONFIG_DIGEST_SCHEMA, SYNC_DIRECTION_SCHEMA,
+    PRIV_REMOTE_DATASTORE_BACKUP, PRIV_REMOTE_DATASTORE_PRUNE, PRIV_REMOTE_READ,
+    PROXMOX_CONFIG_DIGEST_SCHEMA, SYNC_DIRECTION_SCHEMA,
 };
 use pbs_config::sync;
 
@@ -76,6 +77,36 @@ pub fn check_sync_job_modify_access(
     true
 }
 
+/// Check user privileges required to push contents to a remote datastore.
+pub fn check_sync_job_remote_datastore_backup_access(
+    user_info: &CachedUserInfo,
+    auth_id: &Authid,
+    job: &SyncJobConfig,
+) -> bool {
+    if let Some(remote) = &job.remote {
+        let mut acl_path = vec!["remote", remote, &job.remote_store];
+
+        if let Some(namespace) = job.remote_ns.as_ref() {
+            if namespace.is_root() {
+                let ns_components: Vec<&str> = namespace.components().collect();
+                acl_path.extend(ns_components);
+            }
+        }
+
+        let remote_privs = user_info.lookup_privs(auth_id, &acl_path);
+
+        if let Some(true) = job.remove_vanished {
+            if remote_privs & PRIV_REMOTE_DATASTORE_PRUNE == 0 {
+                return false;
+            }
+        }
+
+        return remote_privs & PRIV_REMOTE_DATASTORE_BACKUP != 0;
+    }
+
+    false
+}
+
 #[api(
     input: {
         properties: {
-- 
2.39.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel