From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id C7306857D for ; Tue, 15 Nov 2022 16:35:30 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AE5EE5952 for ; Tue, 15 Nov 2022 16:35:00 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 15 Nov 2022 16:34:58 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 91FE944C96 for ; Tue, 15 Nov 2022 16:34:58 +0100 (CET) Date: Tue, 15 Nov 2022 16:34:50 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20221115130248.1007325-1-d.csapak@proxmox.com> <20221115130248.1007325-7-d.csapak@proxmox.com> In-Reply-To: <20221115130248.1007325-7-d.csapak@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1668525982.bezonomjlo.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: =?UTF-8?Q?0=0A=09?=AWL 0.140 Adjusted score from AWL reputation of From: =?UTF-8?Q?address=0A=09?=BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict =?UTF-8?Q?Alignment=0A=09?=SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF =?UTF-8?Q?Record=0A=09?=SPF_PASS -0.001 SPF: sender matches SPF =?UTF-8?Q?record=0A=09?=URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, guesthelpers.pm] Subject: Re: [pve-devel] [PATCH guest-common v10 1/1] GuestHelpers: add 'assert_tag_permissions' X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Nov 2022 15:35:30 -0000 On November 15, 2022 2:02 pm, Dominik Csapak wrote: > helper to check permissions for tag setting/updating/deleting > for both container and qemu-server >=20 > gets the list of allowed tags from the DataCenterConfig and the current > user permissions, and checks for each tag that is added/removed if > the user has permissions to modify it >=20 > 'normal' tags require 'VM.Config.Options' on '/vms/', but not > allowed tags (either limited with 'user-tag-access' or > 'privileged-tags' in the datacenter.cfg) requrie 'Sys.Modify' on '/' >=20 > Signed-off-by: Dominik Csapak > --- > new in v10, but the code is mostly the same as the previous qemu-server > container one, with a few changes: > * adapt to new get_allowed_tags signature > * change 'map {foo} bar' into 'foo for bar' > * save all tags into $all_tags so that we only have to loop once > * use raise_perm_exc instead of die for permission errors (sets the > correct http status code) > debian/control | 3 ++- > src/PVE/GuestHelpers.pm | 54 ++++++++++++++++++++++++++++++++++++++++- > 2 files changed, 55 insertions(+), 2 deletions(-) >=20 > diff --git a/debian/control b/debian/control > index 83bade3..ffff22b 100644 > --- a/debian/control > +++ b/debian/control > @@ -12,7 +12,8 @@ Homepage: https://www.proxmox.com > =20 > Package: libpve-guest-common-perl > Architecture: all > -Depends: libpve-cluster-perl, > +Depends: libpve-access-control, > + libpve-cluster-perl, > libpve-common-perl (>=3D 7.2-6), > libpve-storage-perl (>=3D 7.0-14), > pve-cluster, > diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm > index 0fe3fd6..2742501 100644 > --- a/src/PVE/GuestHelpers.pm > +++ b/src/PVE/GuestHelpers.pm > @@ -3,6 +3,7 @@ package PVE::GuestHelpers; > use strict; > use warnings; > =20 > +use PVE::Exception qw(raise_perm_exc); > use PVE::Tools; > use PVE::Storage; > =20 > @@ -11,7 +12,7 @@ use Scalar::Util qw(weaken); > =20 > use base qw(Exporter); > =20 > -our @EXPORT_OK =3D qw(safe_string_ne safe_boolean_ne safe_num_ne typesaf= e_ne); > +our @EXPORT_OK =3D qw(safe_string_ne safe_boolean_ne safe_num_ne typesaf= e_ne assert_tag_permissions); > =20 > # We use a separate lock to block migration while a replication job > # is running. > @@ -246,4 +247,55 @@ sub config_with_pending_array { > return $res; > } > =20 > +# checks the permissions for setting/updating/removing tags for guests > +# tagopt_old and tagopt_new expect the tags as they are in the config > +# > +# either returns gracefully or raises a permission exception > +sub assert_tag_permissions { > + my ($vmid, $tagopt_old, $tagopt_new, $rpcenv, $authuser) =3D @_; > + > + my $allowed_tags; > + my $privileged_tags; > + my $freeform; > + my $privileged_user =3D $rpcenv->check($authuser, '/', ['Sys.Modify'= ], 1); > + my $has_config_options =3D > + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'], = 0, 1); > + > + my $check_single_tag =3D sub { > + my ($tag) =3D @_; > + return if $privileged_user; > + > + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options']) > + if !$has_config_options; > + nit: this confused me - but it's basically to only check once and fail if a= tag has changed? would be more readable by just recording whether it was checked al= ready and skipping based on that bool IMHO, instead of skipping based on the resu= lt of a noerr redundant check.. > + if (!defined($allowed_tags) && !defined($privileged_tags) && !defined($= freeform)) { > + ($allowed_tags, $privileged_tags, $freeform) =3D PVE::DataCenterCon= fig::get_allowed_tags( > + $privileged_user, > + sub { > + my ($vmid_to_check) =3D @_; > + return $rpcenv->check_vm_perm($authuser, $vmid_to_check, undef, ['= VM.Audit'], 0, 1); > + }, > + ); see response to "get_allowed_tags" patch ;) > + } > + > + if ((!$allowed_tags->{$tag} && !$freeform) || $privileged_tags->{$tag})= { > + raise_perm_exc("/, Sys.Modify for modifying tag '$tag'"); > + } > + > + return; > + }; > + > + my $old_tags =3D {}; > + my $new_tags =3D {}; > + my $all_tags =3D {}; > + > + $all_tags->{$_} =3D $old_tags->{$_} +=3D 1 for PVE::Tools::split_lis= t($tagopt_old // ''); > + $all_tags->{$_} =3D $new_tags->{$_} +=3D 1 for PVE::Tools::split_lis= t($tagopt_new // ''); > + > + for my $tag (keys $all_tags->%*) { > + next if ($new_tags->{$tag} // 0) =3D=3D ($old_tags->{$tag} // 0); > + $check_single_tag->($tag); > + } > +} > + > 1; > --=20 > 2.30.2 >=20 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20