From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [IPv6:2a0f:8001:1:32::40]) by lore.proxmox.com (Postfix) with ESMTPS id 01F261FF146 for ; Tue, 07 Jul 2026 14:05:29 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id 4ED7021499; Tue, 07 Jul 2026 14:05:21 +0200 (CEST) From: David Riley To: pve-devel@lists.proxmox.com Subject: [PATCH pve-access-control v5 5/7] fix #7520: sdn: add VNet ACL migration Date: Tue, 7 Jul 2026 14:04:02 +0200 Message-ID: <20260707120404.73072-6-d.riley@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260707120404.73072-1-d.riley@proxmox.com> References: <20260707120404.73072-1-d.riley@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1783425906148 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.029 Adjusted score from AWL reputation of From: address DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: RYA6LFKLPTKJVDR4O55MIGTC5PIQZF7S X-Message-ID-Hash: RYA6LFKLPTKJVDR4O55MIGTC5PIQZF7S X-MailFrom: d.riley@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Add routine to enable the relocation of ACL entries when their corresponding SDN resources are moved. This prevents stale entries when VNets are moved between zones. This is a preparatory change that does not have an immediate effect on its own, but lays the foundation for safely relocating ACL nodes and rejecting conflicting destination paths. Link: https://bugzilla.proxmox.com/show_bug.cgi?id=7520 Signed-off-by: David Riley --- src/PVE/AccessControl.pm | 84 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 1047226..4faeb8f 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -2045,6 +2045,90 @@ sub remove_sdn_resource_access { lock_user_config($delete_resource_fn, "SDN ACL cleanup failed"); } +sub migrate_sdn_resource_access { + my ($migrations) = @_; + # [ { src_path => 'zones//', dest_path => 'zones//' } ] + + return if !$migrations; + + my $migrate_fn = sub { + my $usercfg = cfs_read_file("user.cfg"); + my $modified = 0; + + my @prepared_moves = (); + for my $migration (@$migrations) { + + my $invalid_key = 0; + + for my $key (qw(src_path dest_path)) { + if (!defined($migration->{$key})) { + warn "Invalid '$key': must be an array reference.\n"; + $invalid_key = 1; + last; + } + } + + next if $invalid_key; + + my $src_path = "sdn/$migration->{src_path}"; + my $dest_path = "sdn/$migration->{dest_path}"; + + my ($src_parent, $src_last_key, $acl_node) = + find_acl_tree_node_parent($usercfg->{acl_root}, $src_path); + + if (defined($src_parent) && defined($src_last_key) && defined($acl_node)) { + # probe dest for conflicts + my (undef, undef, $existing_dest_node) = + find_acl_tree_node_parent($usercfg->{acl_root}, $dest_path); + + if (acl_tree_has_permissions($existing_dest_node)) { + my $conflict_path = "/$dest_path"; + my $source_path = "/$src_path"; + die + "Destination '$conflict_path' already has permissions configured (Source:" + . " '$source_path'). Please remove the target ACLs manually before" + . " retrying.\n"; + } + + # stage move + push( + @prepared_moves, + { + src_parent => $src_parent, + src_last_key => $src_last_key, + dest_path => $dest_path, + node => $acl_node, + }, + ); + } + } + + for my $move (@prepared_moves) { + delete $move->{src_parent}->{children}->{ $move->{src_last_key} }; + + my $current = $usercfg->{acl_root}; + my @dest_segments = split('/', $move->{dest_path}); + my $dest_last_key = pop @dest_segments; + + for my $segment (@dest_segments) { + $current->{children}->{$segment} = {} + if !defined($current->{children}->{$segment}); + + $current = $current->{children}->{$segment}; + } + $current->{children}->{$dest_last_key} = $move->{node}; + + $modified = 1; + } + + if ($modified) { + cfs_write_file("user.cfg", $usercfg); + } + }; + + lock_user_config($migrate_fn, "ACL migration failed"); +} + my $USER_CONTROLLED_TFA_TYPES = { u2f => 1, oath => 1, -- 2.47.3