Date: Mon, 12 Jun 2023 16:36:40 +0200
From: Fabian Grünbichler
To: Proxmox VE development discussion
References: <20230608012444.1390571-1-aderumier@odiso.com>
In-Reply-To: <20230608012444.1390571-1-aderumier@odiso.com>
Message-Id: <1686580529.kfidru01ul.astroid@yuna.none>
Subject: [pve-devel] applied: [PATCH pve-network] fix permissions && use new /sdn/zones// path

one more thing I realized while testing that might be worthy of a follow up - if you configure SDN, but for some reason, your /etc/network/interfaces is missing the "source .." line, the error handling behaviour is very strange:

- vnets are displayed in the resource tree next to zones
- no proper indication about the root cause

both shouldn't be too hard to fix I guess..

On June 8, 2023 3:24 am, Alexandre Derumier wrote:
> - use new /sdn/zones/zone/ path for vnet && subnets permissions >=20 > - fix some permissions on /sdn/zones && /sdn >=20 > Signed-off-by: Alexandre Derumier > --- > PVE/API2/Network/SDN.pm | 2 +- > PVE/API2/Network/SDN/Subnets.pm | 67 ++++++++++++++++++++++++--------- > PVE/API2/Network/SDN/Vnets.pm | 45 +++++++++++++++++----- > PVE/API2/Network/SDN/Zones.pm | 4 +- > 4 files changed, 88 insertions(+), 30 deletions(-) >=20 > diff --git a/PVE/API2/Network/SDN.pm b/PVE/API2/Network/SDN.pm > index 33ecfb7..d216e48 100644 > --- a/PVE/API2/Network/SDN.pm > +++ b/PVE/API2/Network/SDN.pm > @@ -51,7 +51,7 @@ __PACKAGE__->register_method({ > method =3D> 'GET', > description =3D> "Directory index.", > permissions =3D> { > - check =3D> ['perm', '/', [ 'SDN.Audit' ]], > + check =3D> ['perm', '/sdn', [ 'SDN.Audit' ]], > }, > parameters =3D> { > additionalProperties =3D> 0, 
> diff --git a/PVE/API2/Network/SDN/Subnets.pm b/PVE/API2/Network/SDN/Subne= ts.pm > index 377a568..eb6b41b 100644 > --- a/PVE/API2/Network/SDN/Subnets.pm > +++ b/PVE/API2/Network/SDN/Subnets.pm > @@ -33,13 +33,34 @@ my $api_sdn_subnets_config =3D sub { > return $scfg; > }; > =20 > +my $api_sdn_vnets_config =3D sub { > + my ($cfg, $id) =3D @_; > + > + my $scfg =3D dclone(PVE::Network::SDN::Vnets::sdn_vnets_config($cfg,= $id)); > + $scfg->{vnet} =3D $id; > + $scfg->{digest} =3D $cfg->{digest}; > + > + return $scfg; > +}; > + > +my $check_vnet_access =3D sub { > + my ($vnet, $privs) =3D @_; > + > + my $cfg =3D PVE::Network::SDN::Vnets::config(); > + my $rpcenv =3D PVE::RPCEnvironment::get(); > + my $authuser =3D $rpcenv->get_user(); > + my $scfg =3D &$api_sdn_vnets_config($cfg, $vnet); > + my $zoneid =3D $scfg->{zone}; > + $rpcenv->check_any($authuser, "/sdn/zones/$zoneid/$vnet", $privs); > +}; > + > __PACKAGE__->register_method ({ > name =3D> 'index', > path =3D> '', > method =3D> 'GET', > description =3D> "SDN subnets index.", > permissions =3D> { > - description =3D> "Only list entries where you have 'SDN.Audit' or 'SDN.= Allocate' permissions on '/sdn/subnets/'", > + description =3D> "Only list entries where you have 'SDN.Audit' or 'SDN.= Allocate' permissions on '/sdn/zones//'", > user =3D> 'all', > }, > parameters =3D> { > @@ -69,10 +90,9 @@ __PACKAGE__->register_method ({ > code =3D> sub { > my ($param) =3D @_; > =20 > - my $rpcenv =3D PVE::RPCEnvironment::get(); > - my $authuser =3D $rpcenv->get_user(); > - > - my $vnetid =3D $param->{vnet}; > + my $vnetid =3D $param->{vnet}; > + my $privs =3D [ 'SDN.Audit', 'SDN.Allocate' ]; > + &$check_vnet_access($vnetid, $privs); > =20 > my $cfg =3D {}; > if($param->{pending}) { 
> @@ -89,9 +109,6 @@ __PACKAGE__->register_method ({ > my @sids =3D PVE::Network::SDN::Subnets::sdn_subnets_ids($cfg); > my $res =3D []; > foreach my $id (@sids) { > - my $privs =3D [ 'SDN.Audit', 'SDN.Allocate' ]; > - next if !$rpcenv->check_any($authuser, "/sdn/vnets/$vnetid/subnets/= $id", $privs, 1); > - > my $scfg =3D &$api_sdn_subnets_config($cfg, $id); > next if !$scfg->{vnet} || $scfg->{vnet} ne $vnetid; > push @$res, $scfg; > @@ -106,9 +123,9 @@ __PACKAGE__->register_method ({ > method =3D> 'GET', > description =3D> "Read sdn subnet configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets/{vnet}/subnets/{subnet}', ['SDN.Allocat= e']], > - }, > - > + description =3D> "Require 'SDN.Audit' or 'SDN.Allocate' permissions on = '/sdn/zones//'", > + user =3D> 'all', > + }, > parameters =3D> { > additionalProperties =3D> 0, > properties =3D> { > @@ -132,6 +149,10 @@ __PACKAGE__->register_method ({ > code =3D> sub { > my ($param) =3D @_; > =20 > + my $vnet =3D extract_param($param, 'vnet'); > + my $privs =3D [ 'SDN.Audit', 'SDN.Allocate' ]; > + &$check_vnet_access($vnet, $privs); > + > my $cfg =3D {}; > if($param->{pending}) { > my $running_cfg =3D PVE::Network::SDN::running_config(); > @@ -146,7 +167,7 @@ __PACKAGE__->register_method ({ > =20 > my $scfg =3D &$api_sdn_subnets_config($cfg, $param->{subnet}); > =20 > - raise_param_exc({ vnet =3D> "wrong vnet"}) if $param->{vnet} ne $scfg->= {vnet}; > + raise_param_exc({ vnet =3D> "wrong vnet"}) if $vnet ne $scfg->{vnet}; > =20 > return $scfg; > }}); > @@ -158,7 +179,8 @@ __PACKAGE__->register_method ({ > method =3D> 'POST', > description =3D> "Create a new sdn subnet object.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets/{vnet}/subnets', ['SDN.Allocate']], > + description =3D> "Require 'SDN.Allocate' permission on '/sdn/zones//'", > + user =3D> 'all', > }, > parameters =3D> PVE::Network::SDN::SubnetPlugin->createSchema(), > returns =3D> { type =3D> 'null' }, 
> @@ -168,6 +190,10 @@ __PACKAGE__->register_method ({ > my $type =3D extract_param($param, 'type'); > my $cidr =3D extract_param($param, 'subnet'); > =20 > + my $vnet =3D $param->{vnet}; > + my $privs =3D [ 'SDN.Allocate' ]; > + &$check_vnet_access($vnet, $privs); > + > # create /etc/pve/sdn directory > PVE::Cluster::check_cfs_quorum(); > mkdir("/etc/pve/sdn") if ! -d '/etc/pve/sdn'; > @@ -210,7 +236,8 @@ __PACKAGE__->register_method ({ > method =3D> 'PUT', > description =3D> "Update sdn subnet object configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets/{vnet}/subnets', ['SDN.Allocate']], > + description =3D> "Require 'SDN.Allocate' permission on '/sdn/zones//'", > + user =3D> 'all', > }, > parameters =3D> PVE::Network::SDN::SubnetPlugin->updateSchema(), > returns =3D> { type =3D> 'null' }, > @@ -219,6 +246,10 @@ __PACKAGE__->register_method ({ > =20 > my $id =3D extract_param($param, 'subnet'); > my $digest =3D extract_param($param, 'digest'); > + my $vnet =3D $param->{vnet}; > + > + my $privs =3D [ 'SDN.Allocate' ]; > + &$check_vnet_access($vnet, $privs); > =20 > PVE::Network::SDN::lock_sdn_config( > sub { > @@ -226,7 +257,6 @@ __PACKAGE__->register_method ({ > my $cfg =3D PVE::Network::SDN::Subnets::config(); > my $zone_cfg =3D PVE::Network::SDN::Zones::config(); > my $vnet_cfg =3D PVE::Network::SDN::Vnets::config(); > - my $vnet =3D $param->{vnet}; > my $zoneid =3D $vnet_cfg->{ids}->{$vnet}->{zone}; > my $zone =3D $zone_cfg->{ids}->{$zoneid}; > =20 > @@ -256,7 +286,8 @@ __PACKAGE__->register_method ({ > method =3D> 'DELETE', > description =3D> "Delete sdn subnet object configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets/{vnet}/subnets', ['SDN.Allocate']], > + description =3D> "Require 'SDN.Allocate' permission on '/sdn/zones//'", > + user =3D> 'all', > }, > parameters =3D> { > additionalProperties =3D> 0, 
> @@ -272,6 +303,9 @@ __PACKAGE__->register_method ({ > my ($param) =3D @_; > =20 > my $id =3D extract_param($param, 'subnet'); > + my $vnet =3D extract_param($param, 'vnet'); > + my $privs =3D [ 'SDN.Allocate' ]; > + &$check_vnet_access($vnet, $privs); > =20 > PVE::Network::SDN::lock_sdn_config( > sub { > @@ -284,7 +318,6 @@ __PACKAGE__->register_method ({ > PVE::Network::SDN::SubnetPlugin->on_delete_hook($id, $cfg, $vnets_cfg)= ; > =20 > my $zone_cfg =3D PVE::Network::SDN::Zones::config(); > - my $vnet =3D $param->{vnet}; > my $zoneid =3D $vnets_cfg->{ids}->{$vnet}->{zone}; > my $zone =3D $zone_cfg->{ids}->{$zoneid}; > =20 > diff --git a/PVE/API2/Network/SDN/Vnets.pm b/PVE/API2/Network/SDN/Vnets.p= m > index 811a2e8..864dc4a 100644 > --- a/PVE/API2/Network/SDN/Vnets.pm > +++ b/PVE/API2/Network/SDN/Vnets.pm > @@ -50,6 +50,17 @@ my $api_sdn_vnets_deleted_config =3D sub { > } > }; > =20 > +my $check_vnet_access =3D sub { > + my ($vnet, $privs) =3D @_; > + > + my $cfg =3D PVE::Network::SDN::Vnets::config(); > + my $rpcenv =3D PVE::RPCEnvironment::get(); > + my $authuser =3D $rpcenv->get_user(); > + my $scfg =3D &$api_sdn_vnets_config($cfg, $vnet); > + my $zoneid =3D $scfg->{zone}; > + $rpcenv->check_any($authuser, "/sdn/zones/$zoneid/$vnet", $privs); > +}; > + > __PACKAGE__->register_method ({ > name =3D> 'index', > path =3D> '', > @@ -57,7 +68,7 @@ __PACKAGE__->register_method ({ > description =3D> "SDN vnets index.", > permissions =3D> { > description =3D> "Only list entries where you have 'SDN.Audit' or 'SDN.= Allocate'" > - ." permissions on '/sdn/vnets/'", > + ." permissions on '/sdn/zones//'", > user =3D> 'all', > }, > parameters =3D> { 
> @@ -105,9 +116,10 @@ __PACKAGE__->register_method ({ > my $res =3D []; > foreach my $id (@sids) { > my $privs =3D [ 'SDN.Audit', 'SDN.Allocate' ]; > - next if !$rpcenv->check_any($authuser, "/sdn/vnets/$id", $privs, 1)= ; > - > my $scfg =3D &$api_sdn_vnets_config($cfg, $id); > + my $zoneid =3D $scfg->{zone}; > + next if !$rpcenv->check_any($authuser, "/sdn/zones/$zoneid/$id", $p= rivs, 1); > + > push @$res, $scfg; > } > =20 > @@ -120,8 +132,9 @@ __PACKAGE__->register_method ({ > method =3D> 'GET', > description =3D> "Read sdn vnet configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets/{vnet}', ['SDN.Allocate']], > - }, > + description =3D> "Require 'SDN.Audit' or 'SDN.Allocate' permissions on = '/sdn/zones//'", > + user =3D> 'all', > + }, > parameters =3D> { > additionalProperties =3D> 0, > properties =3D> { > @@ -144,6 +157,11 @@ __PACKAGE__->register_method ({ > code =3D> sub { > my ($param) =3D @_; > =20 > + my $id =3D extract_param($param, 'vnet'); > + > + my $privs =3D [ 'SDN.Audit', 'SDN.Allocate' ]; > + &$check_vnet_access($id, $privs); > + > my $cfg =3D {}; > if($param->{pending}) { > my $running_cfg =3D PVE::Network::SDN::running_config(); > @@ -156,7 +174,7 @@ __PACKAGE__->register_method ({ > $cfg =3D PVE::Network::SDN::Vnets::config(); > } > =20 > - return $api_sdn_vnets_config->($cfg, $param->{vnet}); > + return $api_sdn_vnets_config->($cfg, $id); > }}); > =20 > __PACKAGE__->register_method ({ > @@ -166,7 +184,7 @@ __PACKAGE__->register_method ({ > method =3D> 'POST', > description =3D> "Create a new sdn vnet object.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets', ['SDN.Allocate']], > + check =3D> ['perm', '/sdn/zones/{zone}', ['SDN.Allocate']], > }, > parameters =3D> PVE::Network::SDN::VnetPlugin->createSchema(), > returns =3D> { type =3D> 'null' }, 
> @@ -210,7 +228,8 @@ __PACKAGE__->register_method ({ > method =3D> 'PUT', > description =3D> "Update sdn vnet object configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets', ['SDN.Allocate']], > + description =3D> "Require 'SDN.Allocate' permission on '/sdn/zones//'", > + user =3D> 'all', > }, > parameters =3D> PVE::Network::SDN::VnetPlugin->updateSchema(), > returns =3D> { type =3D> 'null' }, > @@ -220,12 +239,14 @@ __PACKAGE__->register_method ({ > my $id =3D extract_param($param, 'vnet'); > my $digest =3D extract_param($param, 'digest'); > =20 > + my $privs =3D [ 'SDN.Allocate' ]; > + &$check_vnet_access($id, $privs); > + > PVE::Network::SDN::lock_sdn_config(sub { > my $cfg =3D PVE::Network::SDN::Vnets::config(); > =20 > PVE::SectionConfig::assert_if_modified($cfg, $digest); > =20 > - > my $opts =3D PVE::Network::SDN::VnetPlugin->check_config($id, $para= m, 0, 1); > raise_param_exc({ zone =3D> "missing zone"}) if !$opts->{zone}; > my $subnets =3D PVE::Network::SDN::Vnets::get_subnets($id); > @@ -256,7 +277,8 @@ __PACKAGE__->register_method ({ > method =3D> 'DELETE', > description =3D> "Delete sdn vnet object configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/vnets', ['SDN.Allocate']], > + description =3D> "Require 'SDN.Allocate' permission on '/sdn/zones//'", > + user =3D> 'all', > }, > parameters =3D> { > additionalProperties =3D> 0, > @@ -272,6 +294,9 @@ __PACKAGE__->register_method ({ > =20 > my $id =3D extract_param($param, 'vnet'); > =20 > + my $privs =3D [ 'SDN.Allocate' ]; > + &$check_vnet_access($id, $privs); > + > PVE::Network::SDN::lock_sdn_config(sub { > my $cfg =3D PVE::Network::SDN::Vnets::config(); > my $scfg =3D PVE::Network::SDN::Vnets::sdn_vnets_config($cfg, $id);= # check if exists > diff --git a/PVE/API2/Network/SDN/Zones.pm b/PVE/API2/Network/SDN/Zones.p= m > index 6e53240..4c8b7e1 100644 > --- a/PVE/API2/Network/SDN/Zones.pm > +++ b/PVE/API2/Network/SDN/Zones.pm 
> @@ -251,7 +251,7 @@ __PACKAGE__->register_method ({ > method =3D> 'PUT', > description =3D> "Update sdn zone object configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/zones', ['SDN.Allocate']], > + check =3D> ['perm', '/sdn/zones/{zone}', ['SDN.Allocate']], > }, > parameters =3D> PVE::Network::SDN::Zones::Plugin->updateSchema(), > returns =3D> { type =3D> 'null' }, > @@ -315,7 +315,7 @@ __PACKAGE__->register_method ({ > method =3D> 'DELETE', > description =3D> "Delete sdn zone object configuration.", > permissions =3D> { > - check =3D> ['perm', '/sdn/zones', ['SDN.Allocate']], > + check =3D> ['perm', '/sdn/zones/{zone}', ['SDN.Allocate']], > }, > parameters =3D> { > additionalProperties =3D> 0, > --=20 > 2.30.2 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20
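Review bot: the new $check_vnet_access closure (Subnets.pm hunk @@ -33,13 +33,34 and Vnets.pm hunk @@ -50,6 +50,17), together with a second copy of $api_sdn_vnets_config in Subnets.pm, is duplicated verbatim across the two API modules. The zone lookup plus check_any on "/sdn/zones/$zoneid/$vnet" is the single place where the new permission model is encoded, so two private copies will drift the next time that path changes; a single exported helper next to PVE::Network::SDN::Vnets::sdn_vnets_config, called from both modules, would be preferable. Note also that the helper always resolves the zone from PVE::Network::SDN::Vnets::config(), while the handlers a few lines later honour the pending parameter and may serve data from running_config(); if deciding the ACL on the committed config is intended, a one-line comment in the helper saying so would save the next reader the question.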
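Review bot: the subnet index handler changes from filtering to failing (Subnets.pm hunks @@ -69,10 +90,9 and @@ -89,9 +109,6): the removed per-subnet check_any(..., $privs, 1) passed noerr and simply skipped entries, whereas the new &$check_vnet_access($vnetid, $privs) calls check_any without noerr and dies when the caller lacks the privilege on the vnet. That is a defensible model now that subnet permissions are inherited from the vnet, but the permissions description in the same hunk still reads "Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions ...", which no longer describes the behaviour. Either reword it to "Require 'SDN.Audit' or 'SDN.Allocate' permissions on ...", matching the read handler below, or pass noerr and return an empty list.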
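Review bot: in the subnet update and delete handlers (Subnets.pm hunks @@ -219,6 +246,10 / @@ -226,7 +257,6 and @@ -272,6 +303,9 / @@ -284,7 +318,6) the ACL decision is taken from a vnet config read outside PVE::Network::SDN::lock_sdn_config, while the body re-reads the zone under the lock via $vnet_cfg->{ids}->{$vnet}->{zone} (resp. $vnets_cfg->{ids}->{$vnet}->{zone}). A concurrent vnet update that moves the vnet into another zone between those two reads lets the write proceed against a zone the check never examined. Calling &$check_vnet_access from inside the locked callback, or letting the helper take the already-loaded vnet config as an argument, closes that window at no extra cost.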
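Review bot: the vnet update handler (Vnets.pm hunk @@ -220,12 +239,14) only checks "/sdn/zones/<current zone>/$id" through &$check_vnet_access($id, $privs), yet the body still goes on to require $opts->{zone} from check_config($id, $param, 0, 1), so the request may carry a different zone than the one stored. As written, SDN.Allocate on the vnet's current zone is sufficient to re-parent the vnet into any other zone, including one the caller holds no privileges on. The create handler in hunk @@ -166,7 +184,7 already gates on '/sdn/zones/{zone}' for the target; the update path should additionally check_any($authuser, "/sdn/zones/$opts->{zone}", ['SDN.Allocate']) whenever $opts->{zone} differs from the stored zone, before assert_if_modified and the write.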