From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.weber@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 38FCF958E8
 for <pve-devel@lists.proxmox.com>; Fri, 12 Apr 2024 16:16:50 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 22835BBEB
 for <pve-devel@lists.proxmox.com>; Fri, 12 Apr 2024 16:16:50 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Fri, 12 Apr 2024 16:16:48 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A60FC450AF
 for <pve-devel@lists.proxmox.com>; Fri, 12 Apr 2024 16:16:48 +0200 (CEST)
From: Friedrich Weber <f.weber@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Fri, 12 Apr 2024 16:15:49 +0200
Message-Id: <20240412141553.430554-2-f.weber@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240412141553.430554-1-f.weber@proxmox.com>
References: <20240412141553.430554-1-f.weber@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.066 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [guesthelpers.pm]
Subject: [pve-devel] [PATCH guest-common v3 1/5] guest helpers: add helper
 to abort active guest tasks of a certain type
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 14:16:50 -0000

Given a `(type, user, vmid)` tuple, the helper aborts all tasks of the
given `type` for guest `vmid` that `user` is allowed to abort:

- If `user` has `Sys.Modify` on the node, they can abort any task
- If `user` is an API token, it can abort any task it started itself
- If `user` is a user, they can abort any task started by themselves
  or one of their API tokens.

The helper is used to overrule any active qmshutdown/vzshutdown tasks
when attempting to stop a VM/CT (if requested).

Signed-off-by: Friedrich Weber <f.weber@proxmox.com>
---

Notes:
    As the computation of `$can_abort_task` essentially duplicates logic
    from PVE/API2/Tasks.pm, I considered reusing that, but this would have
    required moving it to one of the dependencies of pve-guest-common
    (Thomas suggested pve-access-control off-list). Seeing that the logic
    boils down to 4 lines in `abort_guest_tasks`, I didn't consider it
    worth the trouble in the end. Happy to reconsider, though.
    
    changes v2 -> v3:
    - improved readability: renamed subroutine to describe what it does,
      renamed return value, added comment, clarified commit message (thx
      Thomas)
    - better align logic with current permission model for stopping tasks:
      - allow users with Sys.Modify to abort *any* task (thx Thomas)
      - allow users to abort tasks of their tokens
    
    no changes v1 -> v2

 src/PVE/GuestHelpers.pm | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm
index 961a7b8..c9fe147 100644
--- a/src/PVE/GuestHelpers.pm
+++ b/src/PVE/GuestHelpers.pm
@@ -416,4 +416,39 @@ sub check_vnet_access {
 	if !($tag || $trunks);
 }
 
+sub abort_guest_tasks {
+    my ($rpcenv, $type, $vmid) = @_;
+
+    my $authuser = $rpcenv->get_user();
+    my $node = PVE::INotify::nodename();
+    my $can_abort_all = $rpcenv->check($authuser, "/nodes/$node", [ 'Sys.Modify' ], 1);
+
+    my $active_tasks = PVE::INotify::read_file('active');
+    my $aborted_tasks = [];
+    for my $task (@$active_tasks) {
+	if (!$task->{saved}
+	    && $task->{type} eq $type
+	    && $task->{id} eq $vmid
+	) {
+	    my $can_abort_task;
+	    # tasks started by a token can be aborted by the token or token owner,
+	    # tasks started by a user can be aborted by the user
+	    if (PVE::AccessControl::pve_verify_tokenid($task->{user}, 1)) {
+		my $full_tokenid = $task->{user};
+		my ($task_username, undef) = PVE::AccessControl::split_tokenid($full_tokenid);
+		$can_abort_task = $authuser eq $task_username || $authuser eq $full_tokenid;
+	    } else {
+		$can_abort_task = $authuser eq $task->{user};
+	    }
+
+	    if ($can_abort_all || $can_abort_task) {
+	       # passing `1` for parameter $killit aborts the task
+	       PVE::RPCEnvironment->check_worker($task->{upid}, 1);
+	       push @$aborted_tasks, $task->{upid};
+	   }
+	}
+    }
+    return $aborted_tasks;
+}
+
 1;
-- 
2.39.2