From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <pdm-devel-bounces@lists.proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 1B78D1FF16B for <inbox@lore.proxmox.com>; Thu, 3 Apr 2025 16:18:58 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 20BC73DD0; Thu, 3 Apr 2025 16:18:47 +0200 (CEST) From: Shannon Sterz <s.sterz@proxmox.com> To: pdm-devel@lists.proxmox.com Date: Thu, 3 Apr 2025 16:17:58 +0200 Message-Id: <20250403141806.402974-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250403141806.402974-1-s.sterz@proxmox.com> References: <20250403141806.402974-1-s.sterz@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.018 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pdm-devel] [PATCH proxmox 1/4] access-control: add more types to prepare for api feature X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion <pdm-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pdm-devel>, <mailto:pdm-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pdm-devel/> List-Post: <mailto:pdm-devel@lists.proxmox.com> List-Help: <mailto:pdm-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel>, <mailto:pdm-devel-request@lists.proxmox.com?subject=subscribe> Reply-To: Proxmox Datacenter Manager development discussion <pdm-devel@lists.proxmox.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" <pdm-devel-bounces@lists.proxmox.com> this includes: - `ACL_PATH_SCHEMA`: describes the format of valid acl paths - `ACL_PROPAGATE_SCHEMA`: describes whether an acl entry propagates to its child paths - `AclUgidType`: which type an acl entry refers to, either a user or a group - `AclListItem`: describes an entry of the ACL Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-access-control/Cargo.toml | 3 ++
 proxmox-access-control/src/types.rs | 59 ++++++++++++++++++++++++++++-
 2 files changed, 60 insertions(+), 2 deletions(-)
diff --git a/proxmox-access-control/Cargo.toml b/proxmox-access-control/Cargo.toml
index 9c355344..23be7fcb 100644
--- a/proxmox-access-control/Cargo.toml
+++ b/proxmox-access-control/Cargo.toml
@@ -13,10 +13,13 @@ rust-version.workspace = true
 
 [dependencies]
 anyhow.workspace = true
+const_format.workspace = true
 nix = { workspace = true, optional = true }
 openssl = { workspace = true, optional = true }
+regex.workspace = true
 serde.workspace = true
 serde_json = { workspace = true, optional = true }
+serde_plain.workspace = true
 
 proxmox-auth-api = { workspace = true, features = [ "api-types" ] }
 proxmox-config-digest = { workspace = true, optional = true, features = [ "openssl" ] }
diff --git a/proxmox-access-control/src/types.rs b/proxmox-access-control/src/types.rs
index ae6de7cf..01d078de 100644
--- a/proxmox-access-control/src/types.rs
+++ b/proxmox-access-control/src/types.rs
@@ -1,10 +1,12 @@
 use serde::{Deserialize, Serialize};
 
+use const_format::concatcp;
+
 use proxmox_auth_api::types::{Authid, Userid, PROXMOX_TOKEN_ID_SCHEMA};
 use proxmox_schema::{
     api,
-    api_types::{COMMENT_SCHEMA, SINGLE_LINE_COMMENT_FORMAT},
-    BooleanSchema, IntegerSchema, Schema, StringSchema, Updater,
+    api_types::{COMMENT_SCHEMA, SAFE_ID_REGEX_STR, SINGLE_LINE_COMMENT_FORMAT},
+    const_regex, ApiStringFormat, BooleanSchema, IntegerSchema, Schema, StringSchema, Updater,
 };
 
 pub const ENABLE_USER_SCHEMA: Schema = BooleanSchema::new(
@@ -38,6 +40,23 @@ pub const EMAIL_SCHEMA: Schema = StringSchema::new("E-Mail Address.")
     .max_length(64)
     .schema();
 
+const_regex! {
+    pub ACL_PATH_REGEX = concatcp!(r"^(?:/|", r"(?:/", SAFE_ID_REGEX_STR, ")+", r")$");
+}
+
+pub const ACL_PATH_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&ACL_PATH_REGEX);
+pub const ACL_PATH_SCHEMA: Schema = StringSchema::new("Access control path.")
+    .format(&ACL_PATH_FORMAT)
+    .min_length(1)
+    .max_length(128)
+    .schema();
+
+pub const ACL_PROPAGATE_SCHEMA: Schema =
+    BooleanSchema::new("Allow to propagate (inherit) permissions.")
+        .default(true)
+        .schema();
+
 #[api(
     properties: {
         user: {
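Review bot: `ACL_PATH_REGEX` in the second types.rs hunk is the only definition of what an ACL path may look like, yet it carries no doc comment; the anchored alternation `^(?:/|(?:/<safe-id>)+)$` accepts exactly the root path `/` or one or more `/<segment>` components, so a trailing `/` and an empty segment are rejected, assuming `SAFE_ID_REGEX_STR` itself cannot match the empty string. I would add `/// Matches the root path "/" or one or more "/<safe-id>" segments; a trailing "/" or an empty segment is rejected.` above the `const_regex!` block so callers and the schema description agree on that contract. `.min_length(1)` on `ACL_PATH_SCHEMA` is already implied by the pattern (the shortest match is `/`), so it is documentation only; the `max_length(128)` bound is the real limit and is worth naming in the schema description, e.g. `StringSchema::new("Access control path (up to 128 characters).")`.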
@@ -192,3 +211,39 @@ impl User {
         true
     }
 }
+
+#[api] /// Type of the 'ugid' property in the ACL entry list.
+#[derive(Clone, Copy, Debug, Eq, PartialEq, Deserialize, Serialize, Hash)]
+#[serde(rename_all = "lowercase")]
+pub enum AclUgidType {
+    /// An entry for a user (or token).
+    User,
+    /// An entry for a group.
+    Group,
+}
+
+serde_plain::derive_display_from_serialize!(AclUgidType);
+serde_plain::derive_fromstr_from_deserialize!(AclUgidType);
+
+#[api(
+    properties: {
+        propagate: { schema: ACL_PROPAGATE_SCHEMA, },
+        path: { schema: ACL_PATH_SCHEMA, },
+        ugid_type: { type: AclUgidType },
+        ugid: {
+            type: String,
+            description: "User or Group ID.",
+        },
+    }
+)]
+#[derive(Serialize, Deserialize, PartialEq, Clone, Hash)]
+/// Access control list entry.
+pub struct AclListItem {
+    pub path: String,
+    pub ugid: String,
+    pub ugid_type: AclUgidType,
+    pub propagate: bool,
+    /// A role represented as a string.
+    pub roleid: String,
+}
-- 
2.39.5
_______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
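Review bot: `AclListItem` derives `Serialize, Deserialize, PartialEq, Clone, Hash` but not `Debug`, while `AclUgidType` a few lines above derives `Debug` and `Eq`; a public API type without `Debug` cannot be logged or compared with `assert_eq!`, and since every field is `String`, `bool` or `AclUgidType`, `Eq` holds too, so the derive line should read `#[derive(Clone, Debug, Eq, PartialEq, Hash, Deserialize, Serialize)]`. Separately, `ugid` is declared as a bare `String` with only a description, so nothing in the schema ties it to the `Userid`/`Authid` formats this file already imports; if this struct is ever accepted as input rather than only returned from a listing endpoint, the ID needs to be validated according to `ugid_type` before it is used as a lookup key, and the struct doc comment should say which of the two it is, e.g. `/// Access control list entry as returned by the ACL listing; `ugid` is not validated here.`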