From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Dominik Csapak" <d.csapak@proxmox.com>,
"Proxmox Datacenter Manager development discussion"
<pdm-devel@lists.proxmox.com>,
"Dietmar Maurer" <dietmar@proxmox.com>
Subject: Re: [pdm-devel] [PATCH proxmox 2/4] access-control: add acl api feature
Date: Fri, 11 Apr 2025 13:40:21 +0200 [thread overview]
Message-ID: <D93S4RWONVOT.35K5MQPHT6OR0@proxmox.com> (raw)
In-Reply-To: <ad8c93a3-11f3-4a55-86f8-ba20e9a50c1c@proxmox.com>
On Fri Apr 11, 2025 at 12:53 PM CEST, Dominik Csapak wrote:
> On 4/11/25 12:29, Shannon Sterz wrote:
>> On Wed Apr 9, 2025 at 2:58 PM CEST, Shannon Sterz wrote:
>>> On Wed Apr 9, 2025 at 1:39 PM CEST, Dominik Csapak wrote:
>>>> On 4/9/25 13:01, Dietmar Maurer wrote:
>>>> maybe something like this for the update case (untested, please verify before using this!):
>>>> (the diff is for pbs, where the code was copied from)
>>>>
>>>> this also includes a reformatted check for the token,non-token, same user checks
>>>> that are IMHO more readable than what we currently have
>>>> with the match, i think it's much more obvious that all cases are handled
>>>>
>>>> ---
>>>> let user_info = CachedUserInfo::new()?;
>>>>
>>>> - let top_level_privs = user_info.lookup_privs(¤t_auth_id, &["access", "acl"]);
>>>> - if top_level_privs & PRIV_PERMISSIONS_MODIFY == 0 {
>>>> + let has_modify_permission = user_info
>>>> + .check_privs(
>>>> + ¤t_auth_id,
>>>> + &["access", "acl"],
>>>> + PRIV_PERMISSIONS_MODIFY,
>>>> + false,
>>>> + )
>>>> + .is_ok();
>>>> +
>>>> + if !has_modify_permission {
>>>> if group.is_some() {
>>>> bail!("Unprivileged users are not allowed to create group ACL item.");
>>>> }
>>>>
>>>> match &auth_id {
>>>> Some(auth_id) => {
>>>> - if current_auth_id.is_token() {
>>>> - bail!("Unprivileged API tokens can't set ACL items.");
>>>> - } else if !auth_id.is_token() {
>>>> - bail!("Unprivileged users can only set ACL items for API tokens.");
>>>> - } else if auth_id.user() != current_auth_id.user() {
>>>> - bail!("Unprivileged users can only set ACL items for their own API tokens.");
>>>> + let same_user = auth_id.user() == current_auth_id.user();
>>>> + match (current_auth_id.is_token(), auth_id.is_token(), same_user) {
>>>> + (true, _, _) => bail!("Unprivileged API tokens can't set ACL items."),
>>>> + (false, false, _) => {
>>>> + bail!("Unprivileged users can only set ACL items for API tokens.")
>>>> + }
>>>> + (false, true, true) => {
>>>> + // users are always allowed to modify ACLs for their own tokens
>>>> + }
>>>> + (false, true, false) => {
>>>> + bail!("Unprivileged users can only set ACL items for their own API tokens.")
>>>> + }
>>>> }
>>>> }
>>>> None => {
>>>> ---
>>
>> had another think about this, i'd tend towards something like the below.
>> the match statement is a nice idea, but it couples together things that
>> aren't really related. for example, why pull in the
>> `current_auth_id.is_token()` check, but not the `group.is_some()` check?
>> having match statements with tuples like this is making the code more
>> complex. imo, this is simpler:
>>
>> ```rs
>> let unprivileged_user = CachedUserInfo::new()?
>> .check_privs(
>> ¤t_auth_id,
>> &["access", "acl"],
>> access_conf.acl_modify_privileges(),
>> access_conf.allow_partial_permission_match(),
>> )
>> .is_err();
>>
>> if unprivileged_user {
>> if group.is_some() {
>> bail!("Unprivileged users are not allowed to create group ACL item.");
>> }
>>
>> let auth_id = auth_id.as_ref().ok_or_else(|| {
>> format_err!("Unprivileged user needs to provide auth_id to update ACL item.")
>> })?;
>>
>> if current_auth_id.is_token() {
>> bail!("Unprivileged API tokens can't set ACL items.");
>> }
>>
>> if !auth_id.is_token() {
>> bail!("Unprivileged users can only set ACL items for API tokens.");
>> }
>>
>> if current_auth_id != *auth_id {
>> bail!("Unprivileged users can only set ACL items for their own API tokens.");
>> }
>> }
>> ```
>>
>> what do you think?
>
> I see what you mean, and yes i think it's more readable, but what I really wanted to convey with my
> approach was to clarify which condition is ok
>
> we currently try to filter out all invalid states, and it is not really obvious what
> condition makes the code continue at first glance
>
> Maybe we have to approach it completely different, for example check only the valid cases first
> and let that pass through, and then fail with the specific errors and have a fallback error
> for all other cases. that way we can't come into a situation where we forget/overlook some edge
> case.
oh, i mean we could just add a comment to the first if statement there
something like:
```rs
// check that if a user with insufficient permissions is changing acl
// entries, that they only modify their own api tokens' entries.
// unprivileged api tokens are not allowed to modify anything.
if unprivileged_user {
...
```
alternatively, we could do this which is closer to your suggestion in
the last comment
```rs
if unprivileged_user {
if group.is_none()
&& !current_auth_id.is_token()
// check that an entry for an auth_id is being edited and
// that it is a token for the user that is making the edit
&& auth_id
.as_ref()
.map(|id| id.is_token() && current_auth_id.user() == id.user())
.unwrap_or_default()
{
// a user is directly editing the privileges of their own token, this is always
// allowed
} else {
if group.is_some() {
bail!("Unprivileged users are not allowed to create group ACL item.");
}
let auth_id = auth_id.as_ref().ok_or_else(|| {
format_err!("Unprivileged user needs to provide auth_id to update ACL item.")
})?;
if current_auth_id.is_token() {
bail!("Unprivileged API tokens can't set ACL items.");
}
if !auth_id.is_token() {
bail!("Unprivileged users can only set ACL items for API tokens.");
}
if current_auth_id.user() != auth_id.user() {
bail!("Unprivileged users can only set ACL items for their own API tokens.");
}
// this should not be reachable, but just in case, bail here
bail!("Unprivileged user is trying to set an invalid ACL item.")
}
}
```
i think that respects your initial intend and also has a fail-safe just
in case something got overlooked or is changed later on.
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-04-11 11:40 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-03 14:17 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp 0/9] ACL edit api and ui components Shannon Sterz
2025-04-03 14:17 ` [pdm-devel] [PATCH proxmox 1/4] access-control: add more types to prepare for api feature Shannon Sterz
2025-04-03 14:17 ` [pdm-devel] [PATCH proxmox 2/4] access-control: add acl " Shannon Sterz
2025-04-09 11:01 ` Dietmar Maurer
2025-04-09 11:39 ` Dominik Csapak
2025-04-09 12:58 ` Shannon Sterz
2025-04-10 6:28 ` Dominik Csapak
2025-04-10 8:17 ` Shannon Sterz
2025-04-10 10:09 ` Dominik Csapak
2025-04-11 10:29 ` Shannon Sterz
2025-04-11 10:53 ` Dominik Csapak
2025-04-11 11:40 ` Shannon Sterz [this message]
2025-04-03 14:18 ` [pdm-devel] [PATCH proxmox 3/4] access-control: add comments to roles function of AccessControlConfig Shannon Sterz
2025-04-03 14:18 ` [pdm-devel] [PATCH proxmox 4/4] access-control: add generic roles endpoint to `api` feature Shannon Sterz
2025-04-03 14:18 ` [pdm-devel] [PATCH yew-comp 1/3] api-types/role_selector: depend on common `RoleInfo` type Shannon Sterz
2025-04-03 14:18 ` [pdm-devel] [PATCH yew-comp 2/3] acl: add a view and semi-generic `EditWindow` for acl entries Shannon Sterz
2025-04-03 14:18 ` [pdm-devel] [PATCH yew-comp 3/3] role_selector/acl_edit: make api endpoint and default role configurable Shannon Sterz
2025-04-03 14:18 ` [pdm-devel] [PATCH datacenter-manager 1/2] server: use proxmox-access-control api implementations Shannon Sterz
2025-04-03 14:18 ` [pdm-devel] [PATCH datacenter-manager 2/2] ui: configuration: add panel for viewing and editing acl entries Shannon Sterz
2025-04-11 13:45 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp 0/9] ACL edit api and ui components Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D93S4RWONVOT.35K5MQPHT6OR0@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=dietmar@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal