From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Date: Wed, 7 Jun 2023 14:03:52 +0200
Subject: [pve-devel] [PATCH v2 pve-guest-common 1/1] helpers : add check_vnet_access
Message-Id: <20230607120357.4177891-6-aderumier@odiso.com>
In-Reply-To: <20230607120357.4177891-1-aderumier@odiso.com>
References: <20230607120357.4177891-1-aderumier@odiso.com>
List-Id: Proxmox VE development discussion

If a tag is defined, test if the user has specific access to the vlan (or propagated from the full bridge acl or zone).
If trunks are defined, we check permissions for each vlan of the trunks.
If no tag, test if the user has access to the full bridge.

Signed-off-by: Alexandre Derumier
--- src/PVE/GuestHelpers.pm | 49 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm index b4ccbaa..d22be1e 100644 --- a/src/PVE/GuestHelpers.pm +++ b/src/PVE/GuestHelpers.pm @@ -10,10 +10,17 @@ use PVE::Storage; use POSIX qw(strftime); use Scalar::Util qw(weaken); +my $have_sdn; +eval { + require PVE::Network::SDN; + $have_sdn = 1; +}; + use base qw(Exporter); our @EXPORT_OK = qw( assert_tag_permissions +check_vnet_access get_allowed_tags safe_boolean_ne safe_num_ne 
@@ -366,4 +373,46 @@ sub get_unique_tags { return !$no_join_result ? join(';', $res->@*) : $res; } +sub get_tags_from_trunk { + my ($trunks) = @_; + + my $res = {}; + my @trunks_array = split /;/, $trunks; + for my $trunk (@trunks_array) { + my ($tag, $tag_end) = split /-/, $trunk; + if($tag_end && $tag_end > $tag) { + my @tags = ($tag..$tag_end); + $res->{$_} = 1 for @tags; + } else { + $res->{$tag} = 1; + } + } + return $res; +} + +sub check_vnet_access { + my ($rpcenv, $authuser, $vnet, $tag, $trunks) = @_; + + my $zone = 'localnetwork'; + + if ($have_sdn) { + my $vnet_cfg = PVE::Network::SDN::Vnets::config(); + if (defined(my $vnet = PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $vnet, 1))) { + $zone = $vnet->{zone}; + } + } + + # if a tag is defined, test if user have a specific access to the vlan (or propagated from full bridge acl) + $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet/$tag", ['SDN.Use']) if $tag; + # check each vlan access from trunk + if ($trunks) { + my $tags = get_tags_from_trunk($trunks); + for my $tag (sort keys %$tags) { + $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet/$tag", ['SDN.Use']); + } + } + # if no tag, test if user have access to full bridge. + $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet", ['SDN.Use']); +} + 1; -- 2.30.2
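Review bot: in the first hunk, the guard `eval { require PVE::Network::SDN; $have_sdn = 1; }` only proves that `PVE::Network::SDN` loads, yet `check_vnet_access` in the second hunk calls `PVE::Network::SDN::Vnets::config()` and `PVE::Network::SDN::Vnets::sdn_vnets_config()`; unless `PVE::Network::SDN` is known to pull in `PVE::Network::SDN::Vnets`, add `require PVE::Network::SDN::Vnets;` inside the same eval so that `$have_sdn` actually vouches for the functions being called. The eval also swallows every failure, so an installed SDN module that fails to compile silently degrades every check to the `localnetwork` zone; logging `$@` there would make that fallback visible to an administrator.

Review bot: in the second hunk, the final `$rpcenv->check($authuser, "/sdn/zones/$zone/$vnet", ['SDN.Use']);` runs unconditionally, so a user who only holds `SDN.Use` on `/sdn/zones/$zone/$vnet/$tag` still fails on the whole-vnet path and the per-tag and per-trunk checks can never be the deciding ones; the comment above it and the commit message ("if no tag, test if user have access to full bridge") both say this check should apply only when neither `$tag` nor `$trunks` is set, so guard it with `if (!$tag && !$trunks)` or return after the tag/trunk branches. Two smaller points in the same hunk: `if (defined(my $vnet = PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $vnet, 1)))` shadows the `$vnet` parameter with the config hashref (it works only because the right-hand side is evaluated before the new lexical is in scope; a name such as `$vnet_conf` avoids the trap), and `get_tags_from_trunk` silently narrows a malformed range: for `200-100` the `$tag_end > $tag` test fails and only tag 200 is recorded, while an empty element in `100;;200` yields `$res->{''}` and a check against `/sdn/zones/$zone/$vnet/`; validating each element against `/^\d+(-\d+)?$/` and dying on a reversed range is safer than checking a different set of VLANs than the trunk string describes.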