From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pdm-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id C79621FF15C
	for <inbox@lore.proxmox.com>; Fri, 17 Oct 2025 09:44:10 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 088AF21072;
	Fri, 17 Oct 2025 09:44:32 +0200 (CEST)
Mime-Version: 1.0
Date: Fri, 17 Oct 2025 09:44:28 +0200
Message-Id: <DDKFH53O7BFQ.3OI7U3O0YKDOA@proxmox.com>
To: "Proxmox Datacenter Manager development discussion"
 <pdm-devel@lists.proxmox.com>
Cc: "pdm-devel" <pdm-devel-bounces@lists.proxmox.com>
From: "Lukas Wagner" <l.wagner@proxmox.com>
X-Mailer: aerc 0.20.1-0-g2ecb8770224a
References: <20251015124711.312943-1-l.wagner@proxmox.com>
 <20251015124711.312943-5-l.wagner@proxmox.com>
In-Reply-To: <20251015124711.312943-5-l.wagner@proxmox.com>
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1760687065421
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.123 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 POISEN_SPAM_PILL          0.1 Meta: its spam
 POISEN_SPAM_PILL_1        0.1 random spam to be learned in bayes
 POISEN_SPAM_PILL_3        0.1 random spam to be learned in bayes
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pdm-devel] [PATCH proxmox-datacenter-manager 04/12] api: add
 API for retrieving/refreshing the remote update summary
X-BeenThere: pdm-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Datacenter Manager development discussion
 <pdm-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pdm-devel>, 
 <mailto:pdm-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pdm-devel/>
List-Post: <mailto:pdm-devel@lists.proxmox.com>
List-Help: <mailto:pdm-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel>, 
 <mailto:pdm-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Datacenter Manager development discussion
 <pdm-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pdm-devel-bounces@lists.proxmox.com
Sender: "pdm-devel" <pdm-devel-bounces@lists.proxmox.com>

On Wed Oct 15, 2025 at 2:47 PM CEST, Lukas Wagner wrote:
> +#[api(
> +    access: {
> +        permission: &Permission::Anybody,
> +        description: "Resource.Modify privileges are needed on /resource/{remote}",
> +    },
> +)]
> +/// Return available update summary for managed remote nodes.
> +pub fn update_summary(rpcenv: &mut dyn RpcEnvironment) -> Result<UpdateSummary, Error> {
> +    let auth_id = rpcenv.get_auth_id().unwrap().parse()?;
> +    let user_info = CachedUserInfo::new()?;
> +
> +    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_MODIFY)? {
> +        http_bail!(UNAUTHORIZED, "user has no access to resources");

Just read the discussion regarding the usage of FORBIDDEN vs
UNAUTHORIZED - will change this to FORBIDDEN in a v2 (after any other
review feedback, just so to avoid noise on the list)

> +    }
> +
> +    let mut update_summary = remote_updates::get_available_updates_summary()?;
> +
> +    update_summary.remotes.retain(|remote_name, _| {
> +        user_info
> +            .check_privs(
> +                &auth_id,
> +                &["resource", remote_name],
> +                PRIV_RESOURCE_MODIFY,
> +                false,
> +            )
> +            .is_ok()
> +    });
> +
> +    Ok(update_summary)
> +}
> +
> +#[api(
> +    access: {
> +        permission: &Permission::Anybody,
> +        description: "Resource.Modify privileges are needed on /resource/{remote}",
> +    },
> +)]
> +/// Refresh the update summary of all remotes.
> +pub fn refresh_remote_update_summaries(rpcenv: &mut dyn RpcEnvironment) -> Result<UPID, Error> {
> +    let (config, _digest) = pdm_config::remotes::config()?;
> +
> +    let auth_id = rpcenv.get_auth_id().unwrap().parse()?;
> +    let user_info = CachedUserInfo::new()?;
> +
> +    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_MODIFY)? {
> +        http_bail!(UNAUTHORIZED, "user has no access to resources");

Same here.

> +    }
> +
> +    let remotes: Vec<Remote> = config
> +        .into_iter()
> +        .filter_map(|(remote_name, remote)| {
> +            user_info
> +                .check_privs(
> +                    &auth_id,
> +                    &["resource", &remote_name],
> +                    PRIV_RESOURCE_MODIFY,
> +                    false,
> +                )
> +                .is_ok()
> +                .then_some(remote)
> +        })
> +        .collect();
> +
> +    let upid_str = WorkerTask::spawn(
> +        "refresh-remote-updates",
> +        None,
> +        auth_id.to_string(),
> +        true,
> +        |_worker| async {
> +            // TODO: Add more verbose logging per remote/node, so we can actually see something
> +            // interesting in the task log.
> +            remote_updates::refresh_update_summary_cache(remotes).await?;
> +            Ok(())
> +        },
> +    )?;
> +
> +    upid_str.parse()
> +}



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel