From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 59A1D9F439 for ; Thu, 8 Jun 2023 03:24:55 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3A70D1F94B for ; Thu, 8 Jun 2023 03:24:55 +0200 (CEST) Received: from bastionodiso.odiso.net (bastionodiso.odiso.net [IPv6:2a0a:1580:2000::2d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 8 Jun 2023 03:24:54 +0200 (CEST) Received: from kvmformation3.odiso.net (formationkvm3.odiso.net [10.3.94.12]) by bastionodiso.odiso.net (Postfix) with ESMTP id 18B7C80AD; Thu, 8 Jun 2023 03:24:45 +0200 (CEST) Received: by kvmformation3.odiso.net (Postfix, from userid 0) id 07A9B2FD922; Thu, 8 Jun 2023 03:24:45 +0200 (CEST) From: Alexandre Derumier To: pve-devel@lists.proxmox.com Date: Thu, 8 Jun 2023 03:24:44 +0200 Message-Id: <20230608012444.1390571-1-aderumier@odiso.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.009 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [zones.pm, sdn.pm, subnets.pm, vnets.pm] Subject: [pve-devel] [PATCH pve-network] fix permissions && use new /sdn/zones// path X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jun 2023 01:24:55 -0000 - use new /sdn/zones/zone/ path for vnet && subnets permissions - fix some permissions on /sdn/zones && /sdn Signed-off-by: Alexandre Derumier --- PVE/API2/Network/SDN.pm | 2 +- PVE/API2/Network/SDN/Subnets.pm | 67 ++++++++++++++++++++++++--------- PVE/API2/Network/SDN/Vnets.pm | 45 +++++++++++++++++----- PVE/API2/Network/SDN/Zones.pm | 4 +- 4 files changed, 88 insertions(+), 30 deletions(-) diff --git a/PVE/API2/Network/SDN.pm b/PVE/API2/Network/SDN.pm index 33ecfb7..d216e48 100644 --- a/PVE/API2/Network/SDN.pm +++ b/PVE/API2/Network/SDN.pm @@ -51,7 +51,7 @@ __PACKAGE__->register_method({ method => 'GET', description => "Directory index.", permissions => { - check => ['perm', '/', [ 'SDN.Audit' ]], + check => ['perm', '/sdn', [ 'SDN.Audit' ]], }, parameters => { additionalProperties => 0, diff --git a/PVE/API2/Network/SDN/Subnets.pm b/PVE/API2/Network/SDN/Subnets.pm index 377a568..eb6b41b 100644 --- a/PVE/API2/Network/SDN/Subnets.pm +++ b/PVE/API2/Network/SDN/Subnets.pm @@ -33,13 +33,34 @@ my $api_sdn_subnets_config = sub { return $scfg; }; +my $api_sdn_vnets_config = sub { + my ($cfg, $id) = @_; + + my $scfg = dclone(PVE::Network::SDN::Vnets::sdn_vnets_config($cfg, $id)); + $scfg->{vnet} = $id; + $scfg->{digest} = $cfg->{digest}; + + return $scfg; +}; + +my $check_vnet_access = sub { + my ($vnet, $privs) = @_; + + my $cfg = PVE::Network::SDN::Vnets::config(); + my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + my $scfg = &$api_sdn_vnets_config($cfg, $vnet); + my $zoneid = $scfg->{zone}; + $rpcenv->check_any($authuser, "/sdn/zones/$zoneid/$vnet", $privs); +}; + __PACKAGE__->register_method ({ name => 'index', path => '', method => 'GET', description => "SDN subnets index.", permissions => { - description => "Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/subnets/'", + description => "Only list entries where you have 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/zones//'", user => 'all', }, parameters => { @@ -69,10 +90,9 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - my $rpcenv = PVE::RPCEnvironment::get(); - my $authuser = $rpcenv->get_user(); - - my $vnetid = $param->{vnet}; + my $vnetid = $param->{vnet}; + my $privs = [ 'SDN.Audit', 'SDN.Allocate' ]; + &$check_vnet_access($vnetid, $privs); my $cfg = {}; if($param->{pending}) { @@ -89,9 +109,6 @@ __PACKAGE__->register_method ({ my @sids = PVE::Network::SDN::Subnets::sdn_subnets_ids($cfg); my $res = []; foreach my $id (@sids) { - my $privs = [ 'SDN.Audit', 'SDN.Allocate' ]; - next if !$rpcenv->check_any($authuser, "/sdn/vnets/$vnetid/subnets/$id", $privs, 1); - my $scfg = &$api_sdn_subnets_config($cfg, $id); next if !$scfg->{vnet} || $scfg->{vnet} ne $vnetid; push @$res, $scfg; @@ -106,9 +123,9 @@ __PACKAGE__->register_method ({ method => 'GET', description => "Read sdn subnet configuration.", permissions => { - check => ['perm', '/sdn/vnets/{vnet}/subnets/{subnet}', ['SDN.Allocate']], - }, - + description => "Require 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/zones//'", + user => 'all', + }, parameters => { additionalProperties => 0, properties => { @@ -132,6 +149,10 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; + my $vnet = extract_param($param, 'vnet'); + my $privs = [ 'SDN.Audit', 'SDN.Allocate' ]; + &$check_vnet_access($vnet, $privs); + my $cfg = {}; if($param->{pending}) { my $running_cfg = PVE::Network::SDN::running_config(); @@ -146,7 +167,7 @@ __PACKAGE__->register_method ({ my $scfg = &$api_sdn_subnets_config($cfg, $param->{subnet}); - raise_param_exc({ vnet => "wrong vnet"}) if $param->{vnet} ne $scfg->{vnet}; + raise_param_exc({ vnet => "wrong vnet"}) if $vnet ne $scfg->{vnet}; return $scfg; }}); @@ -158,7 +179,8 @@ __PACKAGE__->register_method ({ method => 'POST', description => "Create a new sdn subnet object.", permissions => { - check => ['perm', '/sdn/vnets/{vnet}/subnets', ['SDN.Allocate']], + description => "Require 'SDN.Allocate' permission on '/sdn/zones//'", + user => 'all', }, parameters => PVE::Network::SDN::SubnetPlugin->createSchema(), returns => { type => 'null' }, @@ -168,6 +190,10 @@ __PACKAGE__->register_method ({ my $type = extract_param($param, 'type'); my $cidr = extract_param($param, 'subnet'); + my $vnet = $param->{vnet}; + my $privs = [ 'SDN.Allocate' ]; + &$check_vnet_access($vnet, $privs); + # create /etc/pve/sdn directory PVE::Cluster::check_cfs_quorum(); mkdir("/etc/pve/sdn") if ! -d '/etc/pve/sdn'; @@ -210,7 +236,8 @@ __PACKAGE__->register_method ({ method => 'PUT', description => "Update sdn subnet object configuration.", permissions => { - check => ['perm', '/sdn/vnets/{vnet}/subnets', ['SDN.Allocate']], + description => "Require 'SDN.Allocate' permission on '/sdn/zones//'", + user => 'all', }, parameters => PVE::Network::SDN::SubnetPlugin->updateSchema(), returns => { type => 'null' }, @@ -219,6 +246,10 @@ __PACKAGE__->register_method ({ my $id = extract_param($param, 'subnet'); my $digest = extract_param($param, 'digest'); + my $vnet = $param->{vnet}; + + my $privs = [ 'SDN.Allocate' ]; + &$check_vnet_access($vnet, $privs); PVE::Network::SDN::lock_sdn_config( sub { @@ -226,7 +257,6 @@ __PACKAGE__->register_method ({ my $cfg = PVE::Network::SDN::Subnets::config(); my $zone_cfg = PVE::Network::SDN::Zones::config(); my $vnet_cfg = PVE::Network::SDN::Vnets::config(); - my $vnet = $param->{vnet}; my $zoneid = $vnet_cfg->{ids}->{$vnet}->{zone}; my $zone = $zone_cfg->{ids}->{$zoneid}; @@ -256,7 +286,8 @@ __PACKAGE__->register_method ({ method => 'DELETE', description => "Delete sdn subnet object configuration.", permissions => { - check => ['perm', '/sdn/vnets/{vnet}/subnets', ['SDN.Allocate']], + description => "Require 'SDN.Allocate' permission on '/sdn/zones//'", + user => 'all', }, parameters => { additionalProperties => 0, @@ -272,6 +303,9 @@ __PACKAGE__->register_method ({ my ($param) = @_; my $id = extract_param($param, 'subnet'); + my $vnet = extract_param($param, 'vnet'); + my $privs = [ 'SDN.Allocate' ]; + &$check_vnet_access($vnet, $privs); PVE::Network::SDN::lock_sdn_config( sub { @@ -284,7 +318,6 @@ __PACKAGE__->register_method ({ PVE::Network::SDN::SubnetPlugin->on_delete_hook($id, $cfg, $vnets_cfg); my $zone_cfg = PVE::Network::SDN::Zones::config(); - my $vnet = $param->{vnet}; my $zoneid = $vnets_cfg->{ids}->{$vnet}->{zone}; my $zone = $zone_cfg->{ids}->{$zoneid}; diff --git a/PVE/API2/Network/SDN/Vnets.pm b/PVE/API2/Network/SDN/Vnets.pm index 811a2e8..864dc4a 100644 --- a/PVE/API2/Network/SDN/Vnets.pm +++ b/PVE/API2/Network/SDN/Vnets.pm @@ -50,6 +50,17 @@ my $api_sdn_vnets_deleted_config = sub { } }; +my $check_vnet_access = sub { + my ($vnet, $privs) = @_; + + my $cfg = PVE::Network::SDN::Vnets::config(); + my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + my $scfg = &$api_sdn_vnets_config($cfg, $vnet); + my $zoneid = $scfg->{zone}; + $rpcenv->check_any($authuser, "/sdn/zones/$zoneid/$vnet", $privs); +}; + __PACKAGE__->register_method ({ name => 'index', path => '', @@ -57,7 +68,7 @@ __PACKAGE__->register_method ({ description => "SDN vnets index.", permissions => { description => "Only list entries where you have 'SDN.Audit' or 'SDN.Allocate'" - ." permissions on '/sdn/vnets/'", + ." permissions on '/sdn/zones//'", user => 'all', }, parameters => { @@ -105,9 +116,10 @@ __PACKAGE__->register_method ({ my $res = []; foreach my $id (@sids) { my $privs = [ 'SDN.Audit', 'SDN.Allocate' ]; - next if !$rpcenv->check_any($authuser, "/sdn/vnets/$id", $privs, 1); - my $scfg = &$api_sdn_vnets_config($cfg, $id); + my $zoneid = $scfg->{zone}; + next if !$rpcenv->check_any($authuser, "/sdn/zones/$zoneid/$id", $privs, 1); + push @$res, $scfg; } @@ -120,8 +132,9 @@ __PACKAGE__->register_method ({ method => 'GET', description => "Read sdn vnet configuration.", permissions => { - check => ['perm', '/sdn/vnets/{vnet}', ['SDN.Allocate']], - }, + description => "Require 'SDN.Audit' or 'SDN.Allocate' permissions on '/sdn/zones//'", + user => 'all', + }, parameters => { additionalProperties => 0, properties => { @@ -144,6 +157,11 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; + my $id = extract_param($param, 'vnet'); + + my $privs = [ 'SDN.Audit', 'SDN.Allocate' ]; + &$check_vnet_access($id, $privs); + my $cfg = {}; if($param->{pending}) { my $running_cfg = PVE::Network::SDN::running_config(); @@ -156,7 +174,7 @@ __PACKAGE__->register_method ({ $cfg = PVE::Network::SDN::Vnets::config(); } - return $api_sdn_vnets_config->($cfg, $param->{vnet}); + return $api_sdn_vnets_config->($cfg, $id); }}); __PACKAGE__->register_method ({ @@ -166,7 +184,7 @@ __PACKAGE__->register_method ({ method => 'POST', description => "Create a new sdn vnet object.", permissions => { - check => ['perm', '/sdn/vnets', ['SDN.Allocate']], + check => ['perm', '/sdn/zones/{zone}', ['SDN.Allocate']], }, parameters => PVE::Network::SDN::VnetPlugin->createSchema(), returns => { type => 'null' }, @@ -210,7 +228,8 @@ __PACKAGE__->register_method ({ method => 'PUT', description => "Update sdn vnet object configuration.", permissions => { - check => ['perm', '/sdn/vnets', ['SDN.Allocate']], + description => "Require 'SDN.Allocate' permission on '/sdn/zones//'", + user => 'all', }, parameters => PVE::Network::SDN::VnetPlugin->updateSchema(), returns => { type => 'null' }, @@ -220,12 +239,14 @@ __PACKAGE__->register_method ({ my $id = extract_param($param, 'vnet'); my $digest = extract_param($param, 'digest'); + my $privs = [ 'SDN.Allocate' ]; + &$check_vnet_access($id, $privs); + PVE::Network::SDN::lock_sdn_config(sub { my $cfg = PVE::Network::SDN::Vnets::config(); PVE::SectionConfig::assert_if_modified($cfg, $digest); - my $opts = PVE::Network::SDN::VnetPlugin->check_config($id, $param, 0, 1); raise_param_exc({ zone => "missing zone"}) if !$opts->{zone}; my $subnets = PVE::Network::SDN::Vnets::get_subnets($id); @@ -256,7 +277,8 @@ __PACKAGE__->register_method ({ method => 'DELETE', description => "Delete sdn vnet object configuration.", permissions => { - check => ['perm', '/sdn/vnets', ['SDN.Allocate']], + description => "Require 'SDN.Allocate' permission on '/sdn/zones//'", + user => 'all', }, parameters => { additionalProperties => 0, @@ -272,6 +294,9 @@ __PACKAGE__->register_method ({ my $id = extract_param($param, 'vnet'); + my $privs = [ 'SDN.Allocate' ]; + &$check_vnet_access($id, $privs); + PVE::Network::SDN::lock_sdn_config(sub { my $cfg = PVE::Network::SDN::Vnets::config(); my $scfg = PVE::Network::SDN::Vnets::sdn_vnets_config($cfg, $id); # check if exists diff --git a/PVE/API2/Network/SDN/Zones.pm b/PVE/API2/Network/SDN/Zones.pm index 6e53240..4c8b7e1 100644 --- a/PVE/API2/Network/SDN/Zones.pm +++ b/PVE/API2/Network/SDN/Zones.pm @@ -251,7 +251,7 @@ __PACKAGE__->register_method ({ method => 'PUT', description => "Update sdn zone object configuration.", permissions => { - check => ['perm', '/sdn/zones', ['SDN.Allocate']], + check => ['perm', '/sdn/zones/{zone}', ['SDN.Allocate']], }, parameters => PVE::Network::SDN::Zones::Plugin->updateSchema(), returns => { type => 'null' }, @@ -315,7 +315,7 @@ __PACKAGE__->register_method ({ method => 'DELETE', description => "Delete sdn zone object configuration.", permissions => { - check => ['perm', '/sdn/zones', ['SDN.Allocate']], + check => ['perm', '/sdn/zones/{zone}', ['SDN.Allocate']], }, parameters => { additionalProperties => 0, -- 2.30.2