From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox v2 2/4] access-control: move functions querying privileges to the AclTree
Date: Fri, 24 Oct 2025 16:51:18 +0200	[thread overview]
Message-ID: <20251024145126.384611-3-s.sterz@proxmox.com> (raw)
In-Reply-To: <20251024145126.384611-1-s.sterz@proxmox.com>
instead of keeping them in the CachedUserInfo. there is nothing that's
specific to the CachedUserInfo in these functions and having them in
the AclTree makes it possible to use them with the `acl` feature only
too.
to keep backward compatability, we keep the original functions in
CachedUserInfo but make them call the functions on the AclTree.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-access-control/src/acl.rs             | 108 ++++++++++++++++++
 .../src/cached_user_info.rs                   |  91 +--------------
 2 files changed, 114 insertions(+), 85 deletions(-)
diff --git a/proxmox-access-control/src/acl.rs b/proxmox-access-control/src/acl.rs
index 6f0a8251..9fb97f55 100644
--- a/proxmox-access-control/src/acl.rs
+++ b/proxmox-access-control/src/acl.rs
@@ -562,6 +562,102 @@ impl AclTree {
 
         Ok(res)
     }
+
+    pub fn check_privs(
+        &self,
+        auth_id: &Authid,
+        path: &[&str],
+        required_privs: u64,
+        partial: bool,
+    ) -> Result<(), Error> {
+        let privs = self.lookup_privs(auth_id, path);
+        let allowed = if partial {
+            (privs & required_privs) != 0
+        } else {
+            (privs & required_privs) == required_privs
+        };
+        if !allowed {
+            // printing the path doesn't leak any information as long as we
+            // always check privilege before resource existence
+            let priv_names = privs_to_priv_names(required_privs);
+            let priv_names = if partial {
+                priv_names.join("|")
+            } else {
+                priv_names.join("&")
+            };
+            bail!(
+                "missing permissions '{priv_names}' on '/{}'",
+                path.join("/")
+            );
+        }
+        Ok(())
+    }
+
+    pub fn lookup_privs(&self, auth_id: &Authid, path: &[&str]) -> u64 {
+        let (privs, _) = self.lookup_privs_details(auth_id, path);
+        privs
+    }
+
+    pub fn lookup_privs_details(&self, auth_id: &Authid, path: &[&str]) -> (u64, u64) {
+        if access_conf().is_superuser(auth_id) {
+            let acm_config = access_conf();
+            if let Some(admin) = acm_config.role_admin() {
+                if let Some((admin, _)) = acm_config.roles().get(admin) {
+                    return (*admin, *admin);
+                }
+            }
+        }
+
+        let roles = self.roles(auth_id, path);
+        let mut privs: u64 = 0;
+        let mut propagated_privs: u64 = 0;
+        for (role, propagate) in roles {
+            if let Some((role_privs, _)) = access_conf().roles().get(role.as_str()) {
+                if propagate {
+                    propagated_privs |= role_privs;
+                }
+                privs |= role_privs;
+            }
+        }
+
+        if auth_id.is_token() {
+            // limit privs to that of owning user
+            let user_auth_id = Authid::from(auth_id.user().clone());
+            let (owner_privs, owner_propagated_privs) =
+                self.lookup_privs_details(&user_auth_id, path);
+            privs &= owner_privs;
+            propagated_privs &= owner_propagated_privs;
+        }
+
+        (privs, propagated_privs)
+    }
+
+    /// Checks whether the `auth_id` has any of the privileges `privs` on any object below `path`.
+    pub fn any_privs_below(
+        &self,
+        auth_id: &Authid,
+        path: &[&str],
+        privs: u64,
+    ) -> Result<bool, Error> {
+        // if the anchor path itself has matching propagated privs, we skip checking children
+        let (_privs, propagated_privs) = self.lookup_privs_details(auth_id, path);
+        if propagated_privs & privs != 0 {
+            return Ok(true);
+        }
+
+        // get all sub-paths with roles defined for `auth_id`
+        let paths = self.get_child_paths(auth_id, path)?;
+
+        for path in paths.iter() {
+            // early return if any sub-path has any of the privs we are looking for
+            if privs & self.lookup_privs(auth_id, &[path.as_str()]) != 0 {
+                return Ok(true);
+            }
+        }
+
+        // no paths or no matching paths
+        Ok(false)
+    }
 }
 
 /// Get exclusive lock
@@ -650,6 +746,18 @@ pub fn save_config(acl: &AclTree) -> Result<(), Error> {
     Ok(())
 }
 
+fn privs_to_priv_names(privs: u64) -> Vec<&'static str> {
+    access_conf()
+        .privileges()
+        .iter()
+        .fold(Vec::new(), |mut priv_names, (name, value)| {
+            if value & privs != 0 {
+                priv_names.push(name);
+            }
+            priv_names
+        })
+}
+
 #[cfg(test)]
 mod test {
     use std::{collections::HashMap, sync::OnceLock};
diff --git a/proxmox-access-control/src/cached_user_info.rs b/proxmox-access-control/src/cached_user_info.rs
index f5ed2858..8db37727 100644
--- a/proxmox-access-control/src/cached_user_info.rs
+++ b/proxmox-access-control/src/cached_user_info.rs
@@ -2,7 +2,7 @@
 
 use std::sync::{Arc, OnceLock, RwLock};
 
-use anyhow::{bail, Error};
+use anyhow::Error;
 
 use proxmox_auth_api::types::{Authid, Userid};
 use proxmox_router::UserInformation;
@@ -118,66 +118,16 @@ impl CachedUserInfo {
         required_privs: u64,
         partial: bool,
     ) -> Result<(), Error> {
-        let privs = self.lookup_privs(auth_id, path);
-        let allowed = if partial {
-            (privs & required_privs) != 0
-        } else {
-            (privs & required_privs) == required_privs
-        };
-        if !allowed {
-            // printing the path doesn't leak any information as long as we
-            // always check privilege before resource existence
-            let priv_names = privs_to_priv_names(required_privs);
-            let priv_names = if partial {
-                priv_names.join("|")
-            } else {
-                priv_names.join("&")
-            };
-            bail!(
-                "missing permissions '{priv_names}' on '/{}'",
-                path.join("/")
-            );
-        }
-        Ok(())
+        self.acl_tree
+            .check_privs(auth_id, path, required_privs, partial)
     }
 
     pub fn lookup_privs(&self, auth_id: &Authid, path: &[&str]) -> u64 {
-        let (privs, _) = self.lookup_privs_details(auth_id, path);
-        privs
+        self.acl_tree.lookup_privs(auth_id, path)
     }
 
     pub fn lookup_privs_details(&self, auth_id: &Authid, path: &[&str]) -> (u64, u64) {
-        if self.is_superuser(auth_id) {
-            let acm_config = access_conf();
-            if let Some(admin) = acm_config.role_admin() {
-                if let Some((admin, _)) = acm_config.roles().get(admin) {
-                    return (*admin, *admin);
-                }
-            }
-        }
-
-        let roles = self.acl_tree.roles(auth_id, path);
-        let mut privs: u64 = 0;
-        let mut propagated_privs: u64 = 0;
-        for (role, propagate) in roles {
-            if let Some((role_privs, _)) = access_conf().roles().get(role.as_str()) {
-                if propagate {
-                    propagated_privs |= role_privs;
-                }
-                privs |= role_privs;
-            }
-        }
-
-        if auth_id.is_token() {
-            // limit privs to that of owning user
-            let user_auth_id = Authid::from(auth_id.user().clone());
-            let (owner_privs, owner_propagated_privs) =
-                self.lookup_privs_details(&user_auth_id, path);
-            privs &= owner_privs;
-            propagated_privs &= owner_propagated_privs;
-        }
-
-        (privs, propagated_privs)
+        self.acl_tree.lookup_privs_details(auth_id, path)
     }
 
     /// Checks whether the `auth_id` has any of the privileges `privs` on any object below `path`.
@@ -187,24 +137,7 @@ impl CachedUserInfo {
         path: &[&str],
         privs: u64,
     ) -> Result<bool, Error> {
-        // if the anchor path itself has matching propagated privs, we skip checking children
-        let (_privs, propagated_privs) = self.lookup_privs_details(auth_id, path);
-        if propagated_privs & privs != 0 {
-            return Ok(true);
-        }
-
-        // get all sub-paths with roles defined for `auth_id`
-        let paths = self.acl_tree.get_child_paths(auth_id, path)?;
-
-        for path in paths.iter() {
-            // early return if any sub-path has any of the privs we are looking for
-            if privs & self.lookup_privs(auth_id, &[path.as_str()]) != 0 {
-                return Ok(true);
-            }
-        }
-
-        // no paths or no matching paths
-        Ok(false)
+        self.acl_tree.any_privs_below(auth_id, path, privs)
     }
 }
 
@@ -232,15 +165,3 @@ impl UserInformation for CachedUserInfo {
         }
     }
 }
-
-pub fn privs_to_priv_names(privs: u64) -> Vec<&'static str> {
-    access_conf()
-        .privileges()
-        .iter()
-        .fold(Vec::new(), |mut priv_names, (name, value)| {
-            if value & privs != 0 {
-                priv_names.push(name);
-            }
-            priv_names
-        })
-}
-- 
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply	other threads:[~2025-10-24 14:51 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-24 14:51 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v2 00/10] add support for checking acl permissions in (yew) front-ends Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH proxmox v2 1/4] access-control: add acl feature to only expose types and the AclTree Shannon Sterz
2025-10-24 14:51 ` Shannon Sterz [this message]
2025-10-24 14:51 ` [pdm-devel] [PATCH proxmox v2 3/4] access-control: derive Debug and PartialEq on AclTree and AclTreeNode Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH proxmox v2 4/4] access-control: allow reading all acls of the current authid Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH yew-comp v2 1/2] acl_context: add AclContext and AclContextProvider Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH yew-comp v2 2/2] http_helpers: reload LocalAclTree when logging in or refreshing a ticket Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH datacenter-manager v2 1/4] server/api-types: move AccessControlConfig to shared api types Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH datacenter-manager v2 2/4] ui: add an AclContext via the AclContextProvider to the main app ui Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH datacenter-manager v2 3/4] ui: main menu: use the AclContext to hide the Notes if appropriate Shannon Sterz
2025-10-24 14:51 ` [pdm-devel] [PATCH datacenter-manager v2 4/4] ui: permission path selector: remove duplicate path entry Shannon Sterz
  -- strict thread matches above, loose matches on Subject: below --
2025-10-22 13:11 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v2 00/10] add support for checking acl permissions in (yew) front-ends Shannon Sterz
2025-10-22 13:11 ` [pdm-devel] [PATCH proxmox v2 2/4] access-control: move functions querying privileges to the AclTree Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox
  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):
  git send-email \
    --in-reply-to=20251024145126.384611-3-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY
  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
  Be sure your reply has a Subject: header at the top and a blank line
  before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox