From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Date: Mon, 5 Jun 2023 01:37:06 +0200
Message-Id: <20230604233709.1340089-4-aderumier@odiso.com>
In-Reply-To: <20230604233709.1340089-1-aderumier@odiso.com>
Subject: [pve-devel] [PATCH v2 qemu-server 1/1] api2: add check_bridge_access for create/update vm

Test first if the user has access to the full zone (any bridge/vlan).
If a tag is defined, test if the user has specific access to the vlan (or propagated from the full bridge acl).
If no tag, test if the user has access to the full bridge. (If trunks are defined, it also needs access to the full bridge.)

Signed-off-by: Alexandre Derumier
---
 PVE/API2/Qemu.pm | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 587bb22..4de7b32 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -46,6 +46,12 @@ use PVE::SSHInfo; use PVE::Replication; use PVE::StorageTunnel; +my $have_sdn; +eval { + require PVE::Network::SDN; + $have_sdn = 1; +}; + BEGIN { if (!$ENV{PVE_GENERATING_DOCS}) { require PVE::HA::Env::PVE2;
@@ -601,6 +607,34 @@ my $check_vm_create_usb_perm = sub { return 1; }; +my $check_bridge_access = sub { + my ($rpcenv, $authuser, $param) = @_; + + return 1 if $authuser eq 'root@pam'; + + foreach my $opt (keys %{$param}) { + next if $opt !~ m/^net\d+$/; + my $net = PVE::QemuServer::parse_net($param->{$opt}); + my $bridge = $net->{bridge}; + my $tag = $net->{tag}; + my $zone = 'local'; + + if ($have_sdn) { + my $vnet_cfg = PVE::Network::SDN::Vnets::config(); + if (defined(my $vnet = PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $bridge, 1))) { + $zone = $vnet->{zone}; + } + } + # test first if user have access to the full zone (any bridge/vlan) + return 1 if $rpcenv->check_any($authuser, "/sdn/zones/$zone", ['SDN.Audit', 'SDN.Allocate'], 1); + # if a tag is defined, test if user have a specific access to the vlan (or propagate from full bridge acl) + return 1 if $tag && $rpcenv->check_any($authuser, "/sdn/vnets/$bridge/$tag", ['SDN.Audit', 'SDN.Allocate'], 1); + # if no tag, test if user have access to full bridge. (if trunks are defined, it need also access to full bridge) + $rpcenv->check_any($authuser, "/sdn/vnets/$bridge", ['SDN.Audit', 'SDN.Allocate']); + } + return 1; +}; + my $check_vm_modify_config_perm = sub { my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_; @@ -878,7 +912,7 @@ __PACKAGE__->register_method({ &$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $param); &$check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param); - + &$check_bridge_access($rpcenv, $authuser, $param); &$check_cpu_model_access($rpcenv, $authuser, $param); $check_drive_param->($param, $storecfg); @@ -1578,6 +1612,8 @@ my $update_vm_api = sub { &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param); + &$check_bridge_access($rpcenv, $authuser, $param); + my $updatefn = sub { my $conf = PVE::QemuConfig->load_config($vmid); -- 2.30.2
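Review bot: the guarded `require PVE::Network::SDN;` in the first hunk only covers that one module, but `$check_bridge_access` calls `PVE::Network::SDN::Vnets::config()` and `PVE::Network::SDN::Vnets::sdn_vnets_config()`; unless PVE::Network::SDN is known to load the Vnets module itself, `$have_sdn` can be true while those calls die at runtime with an undefined subroutine. Suggest adding `require PVE::Network::SDN::Vnets;` inside the same eval so the flag actually guarantees what the check needs.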
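Review bot: in the `$check_bridge_access` hunk, `return 1 if $rpcenv->check_any($authuser, "/sdn/zones/$zone", ...)` and the following `return 1 if $tag && ...` sit inside `foreach my $opt (keys %{$param})`, so they return from the whole function: once one netX passes the zone or per-VLAN check, every other netX in the same request is left unchecked, and a user allowed on a single zone can attach a second NIC to any bridge. Because `keys %{$param}` is unordered, which NIC triggers the early return also depends on hash order. Both should be `next` instead of `return 1` so every NIC is validated. Two smaller points in the same hunk: the comment says trunks need full bridge access, but when `tag` and `trunks` are both set the per-VLAN branch returns before the `"/sdn/vnets/$bridge"` check, so `$net->{trunks}` should force that check; and `$net->{bridge}` is interpolated without a defined check, so a NIC with no bridge is tested against the path `"/sdn/vnets/"` rather than being skipped.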
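Review bot: the create-path hunk replaces an existing blank line with `&$check_bridge_access($rpcenv, $authuser, $param);`, leaving the new call glued to `&$check_vm_create_usb_perm(...)` while the update-path hunk surrounds the same call with blank lines; keep the blank line and add the call on its own line so the change is purely additive and spacing matches the update site.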
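The resolution order the commit message describes (zone, then bridge/VLAN, then full bridge, with trunks needing the full bridge) is small enough to model outside Perl. The following is an added example written for this review, not Proxmox code: a Python stand-in for `$rpcenv->check_any` with path-propagating grants, a simplified `parse_net`, and two versions of the check, one mirroring the posted hunk with its `return 1` inside the loop and one that validates each NIC on its own. The ACL paths follow the patch; the users, grants, vnet names and MAC addresses are constructed for the example, and the ACL-propagation rule is an assumption about PVE's behaviour.

```python
import re

# Privileges the posted hunk accepts on a zone or vnet path
SDN_PRIVS = ("SDN.Audit", "SDN.Allocate")


def parse_net(value):
    """Parse a qemu-server style netX value, e.g.
    'virtio=BC:24:11:00:00:01,bridge=vmbr0,tag=100,trunks=10;20'.
    Simplified stand-in for PVE::QemuServer::parse_net (assumption)."""
    net = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            net[key] = val
    return net


class RpcEnv:
    """Toy stand-in for $rpcenv->check_any: a grant on an ACL path also
    applies to every path below it (assumed model of PVE ACL propagation)."""

    def __init__(self, grants):
        self.grants = grants  # {user: {acl_path: {privilege, ...}}}

    def check_any(self, user, path, privs, noerr=False):
        for gpath, gprivs in self.grants.get(user, {}).items():
            if (path == gpath or path.startswith(gpath + "/")) and gprivs & set(privs):
                return True
        if noerr:
            return False
        raise PermissionError(f"{user}: no {'/'.join(privs)} on {path}")


def zone_of(vnets, bridge):
    """Zone of an SDN vnet; a plain Linux bridge falls back to 'local'."""
    return vnets.get(bridge, {}).get("zone", "local")


def nics(params):
    """Yield (option, parsed net) for every netX key, like the Perl loop."""
    for opt, value in params.items():
        if re.fullmatch(r"net\d+", opt):
            yield opt, parse_net(value)


def check_bridge_access_as_posted(rpcenv, user, params, vnets):
    """Lookup order of the posted hunk, including its 'return 1' inside the loop."""
    if user == "root@pam":
        return True
    for _opt, net in nics(params):
        bridge, tag = net.get("bridge"), net.get("tag")
        zone = zone_of(vnets, bridge)
        if rpcenv.check_any(user, f"/sdn/zones/{zone}", SDN_PRIVS, noerr=True):
            return True  # returns for the whole VM: later NICs are never checked
        if tag and rpcenv.check_any(user, f"/sdn/vnets/{bridge}/{tag}", SDN_PRIVS, noerr=True):
            return True
        rpcenv.check_any(user, f"/sdn/vnets/{bridge}", SDN_PRIVS)
    return True


def check_bridge_access_per_nic(rpcenv, user, params, vnets):
    """Same lookup order, but each NIC must pass on its own, a NIC without a
    bridge is skipped, and a trunked NIC always needs the full bridge."""
    if user == "root@pam":
        return True
    for _opt, net in nics(params):
        bridge, tag, trunks = net.get("bridge"), net.get("tag"), net.get("trunks")
        if not bridge:
            continue
        zone = zone_of(vnets, bridge)
        if rpcenv.check_any(user, f"/sdn/zones/{zone}", SDN_PRIVS, noerr=True):
            continue
        if tag and not trunks and rpcenv.check_any(
                user, f"/sdn/vnets/{bridge}/{tag}", SDN_PRIVS, noerr=True):
            continue
        rpcenv.check_any(user, f"/sdn/vnets/{bridge}", SDN_PRIVS)
    return True


def allowed(check, rpcenv, user, params, vnets):
    """True if the check passes, False if it raises PermissionError."""
    try:
        return bool(check(rpcenv, user, params, vnets))
    except PermissionError:
        return False


def example_env():
    """Constructed scenario: alice may use anything in zone 'lab' and VLAN 100
    on vmbr0, but not vmbr0 as a whole. All names and grants are made up."""
    vnets = {"labnet": {"zone": "lab"}}
    rpcenv = RpcEnv({"alice@pve": {
        "/sdn/zones/lab": {"SDN.Allocate"},
        "/sdn/vnets/vmbr0/100": {"SDN.Allocate"},
    }})
    return rpcenv, vnets


if __name__ == "__main__":
    env, vnets = example_env()
    two_nics = {"net0": "virtio=BC:24:11:00:00:01,bridge=labnet",
                "net1": "virtio=BC:24:11:00:00:02,bridge=vmbr0"}
    print("posted :", allowed(check_bridge_access_as_posted, env, "alice@pve", two_nics, vnets))
    print("per NIC:", allowed(check_bridge_access_per_nic, env, "alice@pve", two_nics, vnets))
```

With the two-NIC request, the posted order accepts the whole VM because net0 lands in a zone alice may use, while the per-NIC version rejects it on net1; a `tag=100,trunks=10;20` NIC shows the same split, since the per-VLAN grant is enough for the posted order but a trunked NIC is sent to the full-bridge check in the per-NIC version.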