From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id CE366837F for ; Tue, 15 Nov 2022 14:03:21 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0ED742ED4 for ; Tue, 15 Nov 2022 14:03:00 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 15 Nov 2022 14:02:52 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id BFCEC44C99 for ; Tue, 15 Nov 2022 14:02:50 +0100 (CET) From: Dominik Csapak To: pve-devel@lists.proxmox.com Date: Tue, 15 Nov 2022 14:02:31 +0100 Message-Id: <20221115130248.1007325-7-d.csapak@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221115130248.1007325-1-d.csapak@proxmox.com> References: <20221115130248.1007325-1-d.csapak@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: =?UTF-8?Q?0=0A=09?=AWL 0.065 Adjusted score from AWL reputation of From: =?UTF-8?Q?address=0A=09?=BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict =?UTF-8?Q?Alignment=0A=09?=SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF =?UTF-8?Q?Record=0A=09?=SPF_PASS -0.001 SPF: sender matches SPF =?UTF-8?Q?record=0A=09?=URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, guesthelpers.pm] Subject: [pve-devel] [PATCH guest-common v10 1/1] GuestHelpers: add 'assert_tag_permissions' X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Nov 2022 13:03:21 -0000 helper to check permissions for tag setting/updating/deleting for both container and qemu-server gets the list of allowed tags from the DataCenterConfig and the current user permissions, and checks for each tag that is added/removed if the user has permissions to modify it 'normal' tags require 'VM.Config.Options' on '/vms/', but not allowed tags (either limited with 'user-tag-access' or 'privileged-tags' in the datacenter.cfg) requrie 'Sys.Modify' on '/' Signed-off-by: Dominik Csapak --- new in v10, but the code is mostly the same as the previous qemu-server container one, with a few changes: * adapt to new get_allowed_tags signature * change 'map {foo} bar' into 'foo for bar' * save all tags into $all_tags so that we only have to loop once * use raise_perm_exc instead of die for permission errors (sets the correct http status code) debian/control | 3 ++- src/PVE/GuestHelpers.pm | 54 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 83bade3..ffff22b 100644 --- a/debian/control +++ b/debian/control @@ -12,7 +12,8 @@ Homepage: https://www.proxmox.com Package: libpve-guest-common-perl Architecture: all -Depends: libpve-cluster-perl, +Depends: libpve-access-control, + libpve-cluster-perl, libpve-common-perl (>= 7.2-6), libpve-storage-perl (>= 7.0-14), pve-cluster, diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm index 0fe3fd6..2742501 100644 --- a/src/PVE/GuestHelpers.pm +++ b/src/PVE/GuestHelpers.pm @@ -3,6 +3,7 @@ package PVE::GuestHelpers; use strict; use warnings; +use PVE::Exception qw(raise_perm_exc); use PVE::Tools; use PVE::Storage; @@ -11,7 +12,7 @@ use Scalar::Util qw(weaken); use base qw(Exporter); -our @EXPORT_OK = qw(safe_string_ne safe_boolean_ne safe_num_ne typesafe_ne); +our @EXPORT_OK = qw(safe_string_ne safe_boolean_ne safe_num_ne typesafe_ne assert_tag_permissions); # We use a separate lock to block migration while a replication job # is running. @@ -246,4 +247,55 @@ sub config_with_pending_array { return $res; } +# checks the permissions for setting/updating/removing tags for guests +# tagopt_old and tagopt_new expect the tags as they are in the config +# +# either returns gracefully or raises a permission exception +sub assert_tag_permissions { + my ($vmid, $tagopt_old, $tagopt_new, $rpcenv, $authuser) = @_; + + my $allowed_tags; + my $privileged_tags; + my $freeform; + my $privileged_user = $rpcenv->check($authuser, '/', ['Sys.Modify'], 1); + my $has_config_options = + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'], 0, 1); + + my $check_single_tag = sub { + my ($tag) = @_; + return if $privileged_user; + + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options']) + if !$has_config_options; + + if (!defined($allowed_tags) && !defined($privileged_tags) && !defined($freeform)) { + ($allowed_tags, $privileged_tags, $freeform) = PVE::DataCenterConfig::get_allowed_tags( + $privileged_user, + sub { + my ($vmid_to_check) = @_; + return $rpcenv->check_vm_perm($authuser, $vmid_to_check, undef, ['VM.Audit'], 0, 1); + }, + ); + } + + if ((!$allowed_tags->{$tag} && !$freeform) || $privileged_tags->{$tag}) { + raise_perm_exc("/, Sys.Modify for modifying tag '$tag'"); + } + + return; + }; + + my $old_tags = {}; + my $new_tags = {}; + my $all_tags = {}; + + $all_tags->{$_} = $old_tags->{$_} += 1 for PVE::Tools::split_list($tagopt_old // ''); + $all_tags->{$_} = $new_tags->{$_} += 1 for PVE::Tools::split_list($tagopt_new // ''); + + for my $tag (keys $all_tags->%*) { + next if ($new_tags->{$tag} // 0) == ($old_tags->{$tag} // 0); + $check_single_tag->($tag); + } +} + 1; -- 2.30.2