From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 5F05E1FF137 for ; Tue, 17 Feb 2026 12:12:01 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 91C3934050; Tue, 17 Feb 2026 12:12:50 +0100 (CET) From: Samuel Rufinatscha To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox v5 1/4] proxmox-access-control: split AccessControlConfig and add token.shadow gen Date: Tue, 17 Feb 2026 12:12:22 +0100 Message-ID: <20260217111229.78661-6-s.rufinatscha@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260217111229.78661-1-s.rufinatscha@proxmox.com> References: <20260217111229.78661-1-s.rufinatscha@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1771326748281 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.252 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: U3ODSGGNYAETRD6ARA4D7PPEO2MN33XU X-Message-ID-Hash: U3ODSGGNYAETRD6ARA4D7PPEO2MN33XU X-MailFrom: s.rufinatscha@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Splits AccessControlConfig into permissions and config traits and adds token.shadow generation support. The trait split separates permission from cache/invalidation concerns while keeping existing call sites working via default delegation. Signed-off-by: Samuel Rufinatscha --- Changes from v4 to v5: * Rebased proxmox-access-control/src/acl.rs | 10 ++- proxmox-access-control/src/init.rs | 113 +++++++++++++++++++++++------ 2 files changed, 99 insertions(+), 24 deletions(-) diff --git a/proxmox-access-control/src/acl.rs b/proxmox-access-control/src/acl.rs index 38cb7edf..4b4eac09 100644 --- a/proxmox-access-control/src/acl.rs +++ b/proxmox-access-control/src/acl.rs @@ -763,7 +763,7 @@ fn privs_to_priv_names(privs: u64) -> Vec<&'static str> { mod test { use std::{collections::HashMap, sync::OnceLock}; - use crate::init::{init_access_config, AccessControlConfig}; + use crate::init::{init_access_config, AccessControlConfig, AccessControlPermissions}; use super::AclTree; use anyhow::Error; @@ -775,7 +775,7 @@ mod test { roles: HashMap<&'a str, (u64, &'a str)>, } - impl AccessControlConfig for TestAcmConfig<'_> { + impl AccessControlPermissions for TestAcmConfig<'_> { fn roles(&self) -> &HashMap<&str, (u64, &str)> { &self.roles } @@ -793,6 +793,12 @@ mod test { } } + impl AccessControlConfig for TestAcmConfig<'_> { + fn permissions(&self) -> &dyn AccessControlPermissions { + self + } + } + fn setup_acl_tree_config() { static ACL_CONFIG: OnceLock = OnceLock::new(); let config = ACL_CONFIG.get_or_init(|| { diff --git a/proxmox-access-control/src/init.rs b/proxmox-access-control/src/init.rs index e64398e8..dfd7784b 100644 --- a/proxmox-access-control/src/init.rs +++ b/proxmox-access-control/src/init.rs @@ -8,9 +8,8 @@ use proxmox_section_config::SectionConfigData; static ACCESS_CONF: OnceLock<&'static dyn AccessControlConfig> = OnceLock::new(); -/// This trait specifies the functions a product needs to implement to get ACL tree based access -/// control management from this plugin. -pub trait AccessControlConfig: Send + Sync { +/// Provides permission metadata used by access control. +pub trait AccessControlPermissions: Send + Sync { /// Returns a mapping of all recognized privileges and their corresponding `u64` value. fn privileges(&self) -> &HashMap<&str, u64>; @@ -32,25 +31,6 @@ pub trait AccessControlConfig: Send + Sync { false } - /// Returns the current cache generation of the user and acl configs. If the generation was - /// incremented since the last time the cache was queried, the configs are loaded again from - /// disk. - /// - /// Returning `None` will always reload the cache. - /// - /// Default: Always returns `None`. - fn cache_generation(&self) -> Option { - None - } - - /// Increment the cache generation of user and acl configs. This indicates that they were - /// changed on disk. - /// - /// Default: Does nothing. - fn increment_cache_generation(&self) -> Result<(), Error> { - Ok(()) - } - /// Optionally returns a role that has no access to any resource. /// /// Default: Returns `None`. @@ -103,6 +83,95 @@ pub trait AccessControlConfig: Send + Sync { } } +/// This trait specifies the functions a product needs to implement to get ACL tree based access +/// control management from this plugin. +pub trait AccessControlConfig: Send + Sync { + /// Return the permissions provider. + fn permissions(&self) -> &dyn AccessControlPermissions; + + fn privileges(&self) -> &HashMap<&str, u64> { + self.permissions().privileges() + } + + fn roles(&self) -> &HashMap<&str, (u64, &str)> { + self.permissions().roles() + } + + fn is_superuser(&self, auth_id: &Authid) -> bool { + self.permissions().is_superuser(auth_id) + } + + fn is_group_member(&self, user_id: &Userid, group: &str) -> bool { + self.permissions().is_group_member(user_id, group) + } + + fn role_no_access(&self) -> Option<&str> { + self.permissions().role_no_access() + } + + fn role_admin(&self) -> Option<&str> { + self.permissions().role_admin() + } + + fn init_user_config(&self, config: &mut SectionConfigData) -> Result<(), Error> { + self.permissions().init_user_config(config) + } + + fn acl_audit_privileges(&self) -> u64 { + self.permissions().acl_audit_privileges() + } + + fn acl_modify_privileges(&self) -> u64 { + self.permissions().acl_modify_privileges() + } + + fn check_acl_path(&self, path: &str) -> Result<(), Error> { + self.permissions().check_acl_path(path) + } + + fn allow_partial_permission_match(&self) -> bool { + self.permissions().allow_partial_permission_match() + } + + // Cache hooks + + /// Returns the current cache generation of the user and acl configs. If the generation was + /// incremented since the last time the cache was queried, the configs are loaded again from + /// disk. + /// + /// Returning `None` will always reload the cache. + /// + /// Default: Always returns `None`. + fn cache_generation(&self) -> Option { + None + } + + /// Increment the cache generation of user and acl configs. This indicates that they were + /// changed on disk. + /// + /// Default: Does nothing. + fn increment_cache_generation(&self) -> Result<(), Error> { + Ok(()) + } + + /// Returns the current cache generation of the token shadow cache. If the generation was + /// incremented since the last time the cache was queried, the token shadow cache is reloaded + /// from disk. + /// + /// Default: Always returns `None`. + fn token_shadow_cache_generation(&self) -> Option { + None + } + + /// Increment the cache generation of the token shadow cache. This indicates that it was + /// changed on disk. + /// + /// Default: Returns an error as token shadow generation is not supported. + fn increment_token_shadow_cache_generation(&self) -> Result { + anyhow::bail!("token shadow generation not supported"); + } +} + pub fn init_access_config(config: &'static dyn AccessControlConfig) -> Result<(), Error> { ACCESS_CONF .set(config) -- 2.47.3