[PATCH pmg-api/pmg-docs/pmg-gui v3 0/5] tracking-center: make input-base configurable

[PATCH pmg-api/pmg-docs/pmg-gui v3 0/5] tracking-center: make input-base configurable

[Stoiko Ivanov]

v2->v3:
* pmg-api patch 2: change the validation from a regex to a validation sub
  to sanitize the path and prevent curdir and parentdir as well as
  consecutive slashes

Thanks big-time to Max for checking the series so quickly and for the
valuable feedback and insight into SectionConfig! I decided to not
implement some of the suggestions (as talked off-list):
* root-only vs. root_only - as this is not a user-facing/api parameter,
  left it in snake_case to not have to quote it.
* I left the maximal directory depth at 6, as we can very easily extend it
  if someone requests it, while restricting after having this public would
      be backwards incompatible
* pmg currently does not have a concept of api-permissions and not
  showing/modifying elements where an user has no permissions -
  implementing this would expand the scope of this small patch series too
  much (PVE has this in access-control [0]).
* the docs for pmg.conf get generated automatically based on the property
  descriptions - see [1].


[0] https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/RPCEnvironment.pm;h=7591aa9ed414f4e70b66bc6c40cb054bd2e8231c;hb=5ccd07d9302562b73374d331b63d25b04b86766c#l178
[1] https://git.proxmox.com/?p=pmg-docs.git;a=blob;f=pmg-doc-generator.mk.in;h=e9253c4a84b0d545021259b68c2051b6697a11f5;hb=b3a0fb7f942001a26d2386e5d1ee47be2b9eaf0b#l51
v2:
https://lore.proxmox.com/pmg-devel/DJ5IDD9OR8HE.ENMUIGWPW37U@proxmox.com/T/#t


pmg-api:

Stoiko Ivanov (3):
  config: add root_only paramter option.
  config: add log-tracker-base key
  fix #3657: api: tracking center: explicitly set input base from config

 src/PMG/API2/Config.pm      | 10 +++++++++-
 src/PMG/API2/MailTracker.pm |  5 +++++
 src/PMG/Config.pm           | 20 ++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)


pmg-gui:

Stoiko Ivanov (1):
  fix #3657: system options: add log-tracker-base textrow

 js/SystemOptions.js | 6 ++++++
 1 file changed, 6 insertions(+)


pmg-docs:

Stoiko Ivanov (1):
  pmg-log-tracker: mention that input-base can be configured via GUI

 pmg-log-tracker.adoc | 3 +++
 1 file changed, 3 insertions(+)


Summary over all repositories:
  5 files changed, 43 insertions(+), 1 deletions(-)

-- 
Generated by murpp 0.12.0

[PATCH pmg-api v3 1/5] config: add root_only paramter option.

[Stoiko Ivanov]

this introduces a way to have some options in our pmg.conf
SectionConfig restricted to 'root@pam' only.

I skimmed the (quite improved) documentation in PVE::SectionConfig,
and did not see any blockers to extending adding other options instead
of 'optional' and 'fixed' there.

This is needed to have unified way to check if a particular option
should be restricted to 'root@pam' only.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/API2/Config.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/PMG/API2/Config.pm b/src/PMG/API2/Config.pm
index 9cce95dd..6edde9b4 100644
--- a/src/PMG/API2/Config.pm
+++ b/src/PMG/API2/Config.pm
@@ -10,6 +10,7 @@ use HTTP::Status qw(:constants);
 use Storable qw(dclone);
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::RESTHandler;
+use PVE::Exception qw(raise_perm_exc);
 use Time::HiRes qw();
 
 use PMG::Config;
@@ -194,14 +195,21 @@ my $api_update_config_section = sub {
         die "no options specified\n"
             if !$delete_str && !scalar(keys %$param);
 
+        my $plugin = PMG::Config::Base->lookup($section);
+        my $rpcenv = PMG::RESTEnvironment->get();
+        my $authuser = $rpcenv->get_user();
+
         foreach my $opt (PVE::Tools::split_list($delete_str)) {
+            my $is_root_only = $plugin->options()->{$opt}->{root_only};
+            raise_perm_exc() if ( $is_root_only && $authuser ne 'root@pam') ;
             delete $ids->{$section}->{$opt};
         }
 
-        my $plugin = PMG::Config::Base->lookup($section);
         my $config = $plugin->check_config($section, $param, 0, 1);
 
         foreach my $p (keys %$config) {
+            my $is_root_only = $plugin->options()->{$p}->{root_only};
+            raise_perm_exc() if ( $is_root_only && $authuser ne 'root@pam') ;
             $ids->{$section}->{$p} = $config->{$p};
         }
 
-- 
2.47.3

[PATCH pmg-api v3 2/5] config: add log-tracker-base key

[Stoiko Ivanov]

makes it possible to override the input-base parameter for
pmg-log-tracker - functionality there was added in:
9816d19 ("fix #3657: allow scanning a configurable rotated log series")

the option is restricted to root@pam, as suggested by Thomas, since
enabling other admin users to open arbitrary files on the system might
leak information, in case the parser in pmg-log-tracker matches
something unexpected. To err on the side of caution - restrict it to
root@pam, as we can always make it more liberal in the future, while
restricting it later could break some users workflows.

the pattern allows for a input-base with a maximal depth of 6
directories, which should cover all needs, and can be extended if
there are deployments that need that (restricting to fewer directories
would break backwards compat, hence the rather small limit).

the default in the config is /var/log/syslog and will be explicitly
provided to pmg-log-tracker if nothing is set in pmg.conf

exposing the option in pmg.conf enables users to use a different
log location for the daily work.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/Config.pm | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm
index 943ae1ea..8973c92d 100644
--- a/src/PMG/Config.pm
+++ b/src/PMG/Config.pm
@@ -56,6 +56,19 @@ use warnings;
 
 use base qw(PMG::Config::Base);
 
+PVE::JSONSchema::register_format('pmg-log-tracker-base', \&parse_log_tracker_base);
+
+sub parse_log_tracker_base {
+    my ($path, $noerr) = @_;
+
+    if ($path !~ m!^/([^/\0]+/){0,6}[^/\0]+$! || $path =~ m!(?://|/\.{1,2}(?:/|$))!) {
+        return undef if $noerr;
+        die "log-tracker-base '$path' contains illegal characters\n";
+    }
+
+    return $path;
+}
+
 sub type {
     return 'admin';
 }
@@ -161,6 +174,12 @@ EODESC
             maxLength => 64 * 1024,
             default => '',
         },
+        'log-tracker-base' => {
+            description => "Location of rotated mail logs, input-base argument for pmg-log-tracker",
+            type => 'string',
+            format => 'pmg-log-tracker-base',
+            default => '/var/log/syslog',
+        },
     };
 }
 
@@ -182,6 +201,7 @@ sub options {
         'dkim-use-domain' => { optional => 1 },
         'admin-mail-from' => { optional => 1 },
         'consent-text' => { optional => 1 },
+        'log-tracker-base' => { optional => 1, root_only => 1 },
     };
 }
 
-- 
2.47.3

[PATCH pmg-api v3 3/5] fix #3657: api: tracking center: explicitly set input base from config

[Stoiko Ivanov]

makes it possible to override the location of logs which are scanned
by pmg-log-tracker.
This should enable admins, to either point the log-tracker to another
location on disk where e.g. a rsyslog daemon combines the logs of
multiple instances, or to only log the mail-facility somewhere and
drop /var/log/syslog logging in favor of journalling.

pmg-log-tracker still uses syslog-files over the journal, as this was
far more performant when we last compared log-file reading to reading
from the journal.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/API2/MailTracker.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/PMG/API2/MailTracker.pm b/src/PMG/API2/MailTracker.pm
index 1cc93ef2..5c175300 100644
--- a/src/PMG/API2/MailTracker.pm
+++ b/src/PMG/API2/MailTracker.pm
@@ -41,6 +41,11 @@ my $statmap = {
 my $run_pmg_log_tracker = sub {
     my ($args, $includelog) = @_;
 
+    my $pmg_cfg = PMG::Config->new();
+    my $input_base = $pmg_cfg->get('admin', 'log-tracker-base');
+
+    push @$args, '--input-base', $input_base;
+
     my $logids = {};
 
     if (defined(my $id = $includelog)) {
-- 
2.47.3

[PATCH pmg-gui v3 4/5] fix #3657: system options: add log-tracker-base textrow

[Stoiko Ivanov]

the system options panel seems like the best place to set the location
of the logs.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 js/SystemOptions.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/js/SystemOptions.js b/js/SystemOptions.js
index 92dc5d0..b7d20fd 100644
--- a/js/SystemOptions.js
+++ b/js/SystemOptions.js
@@ -91,6 +91,12 @@ Ext.define('PMG.SystemOptions', {
             renderer: Ext.htmlEncode,
         });
 
+        me.add_text_row('log-tracker-base', gettext("Maillog base name"), {
+            deleteEmpty: true,
+            defaultValue: '/var/log/syslog',
+            renderer: Ext.htmlEncode,
+        });
+
         me.add_proxy_row('http_proxy', gettext('HTTP proxy'));
 
         me.add_textareafield_row('consent-text', gettext('Consent Text'), {
-- 
2.47.3

[PATCH pmg-docs v3 5/5] pmg-log-tracker: mention that input-base can be configured via GUI

[Stoiko Ivanov]

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 pmg-log-tracker.adoc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pmg-log-tracker.adoc b/pmg-log-tracker.adoc
index 60cc6b9..ba182ed 100644
--- a/pmg-log-tracker.adoc
+++ b/pmg-log-tracker.adoc
@@ -22,6 +22,9 @@ Prefer this over `-i` when the system logs mail events to a dedicated file and
 you want to cover rotated logs as well. Compression is detected per file, so
 custom logrotate compression settings are handled.
 
+You can set the `--input-base` parameter used for the Tracking Center at
+__Configuration -> Options -> Maillog base name__.
+
 Start time `-s` and end time `-e` are optional. By default the end time will be
 the current time and the start time will be 0:00 of the current day.
 
-- 
2.47.3