From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Date: Tue, 6 Jun 2023 15:19:22 +0200
Message-Id: <20230606131927.1667420-6-aderumier@odiso.com>
In-Reply-To: <20230606131927.1667420-1-aderumier@odiso.com>
References: <20230606131927.1667420-1-aderumier@odiso.com>
X-Mailer: git-send-email 2.30.2
X-SPAM-LEVEL: Spam detection results: 0 AWL 0.007 Adjusted score from AWL reputation of
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH pve-guest-common 1/1] helpers : add check_vnet_access X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Jun 2023 13:19:59 -0000 if a tag is defined, test if user have a specific access to the vlan (or propagate from full bridge acl or zone) if no tag, test if user have access to full bridge. (if trunks are defined, it need also access to full bridge) Signed-off-by: Alexandre Derumier --- src/PVE/GuestHelpers.pm | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm index b4ccbaa..53c63e8 100644 --- a/src/PVE/GuestHelpers.pm +++ b/src/PVE/GuestHelpers.pm @@ -10,10 +10,17 @@ use PVE::Storage; use POSIX qw(strftime); use Scalar::Util qw(weaken); +my $have_sdn; +eval { + require PVE::Network::SDN; + $have_sdn = 1; +}; + use base qw(Exporter); our @EXPORT_OK = qw( assert_tag_permissions +check_vnet_access get_allowed_tags safe_boolean_ne safe_num_ne 
@@ -366,4 +373,22 @@ sub get_unique_tags { return !$no_join_result ? join(';', $res->@*) : $res; } +sub check_vnet_access { + my ($rpcenv, $authuser, $vnet, $tag) = @_; + + my $zone = 'localnetwork'; + + if ($have_sdn) { + my $vnet_cfg = PVE::Network::SDN::Vnets::config(); + if (defined(my $vnet = PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $vnet, 1))) { + $zone = $vnet->{zone}; + } + } + + # if a tag is defined, test if user have a specific access to the vlan (or propagated from full bridge acl) + $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet/$tag", ['SDN.Use']) if $tag; + # if no tag, test if user have access to full bridge. (if trunks are defined, it need also access to full bridge) + $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet", ['SDN.Use']); +} + 1; -- 2.30.2
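Review bot: the guarded `eval { require PVE::Network::SDN; $have_sdn = 1; }` in the first hunk only establishes that PVE::Network::SDN loads, but check_vnet_access calls `PVE::Network::SDN::Vnets::config()` and `PVE::Network::SDN::Vnets::sdn_vnets_config(...)`. Unless PVE::Network::SDN is guaranteed to pull in PVE::Network::SDN::Vnets, the require should name the module that is actually used, e.g. `require PVE::Network::SDN::Vnets;`, so that `$have_sdn` really means the functions called later exist. The exported name `check_vnet_access` is also worth a short POD or comment line next to assert_tag_permissions describing that it dies (via `$rpcenv->check`) rather than returning a boolean, since "check" in this file currently reads like a predicate.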
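Review bot: the second hunk does not implement what the commit message describes for the tagged case: `$rpcenv->check($authuser, "/sdn/zones/$zone/$vnet/$tag", ['SDN.Use']) if $tag;` is followed unconditionally by `$rpcenv->check($authuser, "/sdn/zones/$zone/$vnet", ['SDN.Use']);`, so a user who only holds SDN.Use on the vlan path `/sdn/zones/$zone/$vnet/$tag` still fails the full-bridge check and is denied. If the intent is "specific vlan access OR propagated access from the bridge/zone", the vlan check already covers propagation through the ACL tree and the function should return after it, e.g. `return $rpcenv->check(...) if $tag;`, leaving the full-bridge check for the untagged (and trunk) case only. Two smaller points in the same hunk: `my $vnet = ...sdn_vnets_config($vnet_cfg, $vnet, 1)` shadows the `$vnet` parameter with a hashref of the same name inside the `if`, which is easy to misread; naming it `$vnet_cfg_entry` or similar avoids confusion with the string used in the permission paths below. And the commit message says trunks also require full-bridge access, but the function takes no trunk information, so that rule has to be enforced by every caller; either add a `$trunks` argument here or state in a comment that callers are responsible.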