From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <l.wagner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 159EA9FE30
 for <pve-devel@lists.proxmox.com>; Tue,  7 Nov 2023 13:46:11 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id F27DA329D0
 for <pve-devel@lists.proxmox.com>; Tue,  7 Nov 2023 13:46:10 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Tue,  7 Nov 2023 13:46:10 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id EAF40469D2
 for <pve-devel@lists.proxmox.com>; Tue,  7 Nov 2023 13:46:09 +0100 (CET)
From: Lukas Wagner <l.wagner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue,  7 Nov 2023 13:46:07 +0100
Message-Id: <20231107124607.571477-2-l.wagner@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20231107124607.571477-1-l.wagner@proxmox.com>
References: <20231107124607.571477-1-l.wagner@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.016 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
Subject: [pve-devel] [PATCH manager 2/2] api: notifications: give targets
 and matchers their own ACL namespace
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2023 12:46:11 -0000

Right now, matchers and targets share a single namespace due to
limitations of the section-config parser. This will probably be fixed
some time in the future.
As a preparation for that we need to ensure that the ACL tree has
separate namespaces for both.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
This patch requires the pve-manager patches from my notification
revamp patch series.


 PVE/API2/Cluster/Notifications.pm | 55 +++++++++++++++----------------
 1 file changed, 27 insertions(+), 28 deletions(-)

diff --git a/PVE/API2/Cluster/Notifications.pm b/PVE/API2/Cluster/Notifications.pm
index 8f716f26..6ff6d89e 100644
--- a/PVE/API2/Cluster/Notifications.pm
+++ b/PVE/API2/Cluster/Notifications.pm
@@ -57,7 +57,7 @@ sub raise_api_error {
 }
 
 sub filter_entities_by_privs {
-    my ($rpcenv, $entities) = @_;
+    my ($rpcenv, $prefix, $entities) = @_;
     my $authuser = $rpcenv->get_user();
 
     my $can_see_mapping_privs = ['Mapping.Modify', 'Mapping.Use', 'Mapping.Audit'];
@@ -65,7 +65,7 @@ sub filter_entities_by_privs {
     my $filtered = [grep {
 	$rpcenv->check_any(
 	    $authuser,
-	    "/mapping/notification/$_->{name}",
+	    "/mapping/notification/$prefix/$_->{name}",
 	    $can_see_mapping_privs,
 	    1
 	);
@@ -138,8 +138,7 @@ __PACKAGE__->register_method ({
     description => 'Returns a list of all entities that can be used as notification targets.',
     permissions => {
 	description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
-	    . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'."
-	    . " The special 'mail-to-root' target is available to all users.",
+	    . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'.",
 	user => 'all',
     },
     protected => 1,
@@ -199,7 +198,7 @@ __PACKAGE__->register_method ({
 
 	raise_api_error($@) if $@;
 
-	return filter_entities_by_privs($rpcenv, $targets);
+	return filter_entities_by_privs($rpcenv, "targets", $targets);
     }
 });
 
@@ -211,7 +210,7 @@ __PACKAGE__->register_method ({
     description => 'Send a test notification to a provided target.',
     permissions => {
 	description => "The user requires 'Mapping.Modify', 'Mapping.Use' or"
-	    . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'."
+	    . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'."
 	    . " The special 'mail-to-root' target can be accessed by all users.",
 	user => 'all',
     },
@@ -236,7 +235,7 @@ __PACKAGE__->register_method ({
 
 	$rpcenv->check_any(
 	    $authuser,
-	    "/mapping/notification/$name",
+	    "/mapping/notification/targets/$name",
 	    $privs,
 	);
 
@@ -299,7 +298,7 @@ __PACKAGE__->register_method ({
     description => 'Returns a list of all sendmail endpoints',
     permissions => {
 	description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
-	    . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'.",
+	    . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'.",
 	user => 'all',
     },
     protected => 1,
@@ -324,7 +323,7 @@ __PACKAGE__->register_method ({
 	};
 	raise_api_error($@) if $@;
 
-	return filter_entities_by_privs($rpcenv, $entities);
+	return filter_entities_by_privs($rpcenv, "targets", $entities);
     }
 });
 
@@ -335,8 +334,8 @@ __PACKAGE__->register_method ({
     description => 'Return a specific sendmail endpoint',
     permissions => {
 	check => ['or',
-	    ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
-	    ['perm', '/mapping/notification/{name}', ['Mapping.Audit']],
+	    ['perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
+	    ['perm', '/mapping/notification/targets/{name}', ['Mapping.Audit']],
 	],
     },
     protected => 1,
@@ -380,7 +379,7 @@ __PACKAGE__->register_method ({
     method => 'POST',
     description => 'Create a new sendmail endpoint',
     permissions => {
-	check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+	check => ['perm', '/mapping/notification/targets', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -426,7 +425,7 @@ __PACKAGE__->register_method ({
     method => 'PUT',
     description => 'Update existing sendmail endpoint',
     permissions => {
-	check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+	check => [ 'perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -490,7 +489,7 @@ __PACKAGE__->register_method ({
     method => 'DELETE',
     description => 'Remove sendmail endpoint',
     permissions => {
-	check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+	check => ['perm', '/mapping/notification/targets', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -548,7 +547,7 @@ __PACKAGE__->register_method ({
     protected => 1,
     permissions => {
 	description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
-	    . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'.",
+	    . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'.",
 	user => 'all',
     },
     parameters => {
@@ -572,7 +571,7 @@ __PACKAGE__->register_method ({
 	};
 	raise_api_error($@) if $@;
 
-	return filter_entities_by_privs($rpcenv, $entities);
+	return filter_entities_by_privs($rpcenv, "targets", $entities);
     }
 });
 
@@ -584,8 +583,8 @@ __PACKAGE__->register_method ({
     protected => 1,
     permissions => {
 	check => ['or',
-	    ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
-	    ['perm', '/mapping/notification/{name}', ['Mapping.Audit']],
+	    ['perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
+	    ['perm', '/mapping/notification/targets/{name}', ['Mapping.Audit']],
 	],
     },
     parameters => {
@@ -628,7 +627,7 @@ __PACKAGE__->register_method ({
     method => 'POST',
     description => 'Create a new gotify endpoint',
     permissions => {
-	check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+	check => ['perm', '/mapping/notification/targets', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -670,7 +669,7 @@ __PACKAGE__->register_method ({
     method => 'PUT',
     description => 'Update existing gotify endpoint',
     permissions => {
-	check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+	check => [ 'perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -729,7 +728,7 @@ __PACKAGE__->register_method ({
     method => 'DELETE',
     description => 'Remove gotify endpoint',
     permissions => {
-	check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+	check => [ 'perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -825,7 +824,7 @@ __PACKAGE__->register_method ({
     protected => 1,
     permissions => {
 	description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
-	    . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'.",
+	    . " 'Mapping.Audit' permissions on '/mapping/notification/matchers/<name>'.",
 	user => 'all',
     },
     parameters => {
@@ -849,7 +848,7 @@ __PACKAGE__->register_method ({
 	};
 	raise_api_error($@) if $@;
 
-	return filter_entities_by_privs($rpcenv, $entities);
+	return filter_entities_by_privs($rpcenv, "matchers", $entities);
     }
 });
 
@@ -861,8 +860,8 @@ __PACKAGE__->register_method ({
     protected => 1,
     permissions => {
 	check => ['or',
-	    ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
-	    ['perm', '/mapping/notification/{name}', ['Mapping.Audit']],
+	    ['perm', '/mapping/notification/matchers/{name}', ['Mapping.Modify']],
+	    ['perm', '/mapping/notification/matchers/{name}', ['Mapping.Audit']],
 	],
     },
     parameters => {
@@ -906,7 +905,7 @@ __PACKAGE__->register_method ({
     description => 'Create a new matcher',
     protected => 1,
     permissions => {
-	check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+	check => ['perm', '/mapping/notification/matchers', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -956,7 +955,7 @@ __PACKAGE__->register_method ({
     method => 'PUT',
     description => 'Update existing matcher',
     permissions => {
-	check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+	check => [ 'perm', '/mapping/notification/matchers/{name}', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
@@ -1022,7 +1021,7 @@ __PACKAGE__->register_method ({
     method => 'DELETE',
     description => 'Remove matcher',
     permissions => {
-	check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+	check => ['perm', '/mapping/notification/matchers/{name}', ['Mapping.Modify']],
     },
     parameters => {
 	additionalProperties => 0,
-- 
2.39.2