public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH access-control 0/2] improve permission self-service
@ 2024-11-05  8:30 Fabian Grünbichler
  2024-11-05  8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2024-11-05  8:30 UTC (permalink / raw)
  To: pve-devel

noticed this while testing https://lore.proxmox.com/pve-devel/20241031134629.144893-1-d.kral@proxmox.com

the first patch fixes the already allowed "permission self-service" for
users as the web UI implements it (it always passes the $userid
parameter).

the second patch extends that self-service to allow users without
Sys.Audit on /access to evaluate their own tokens' ACLs/permissions,
which seems sensible to me ;)

Fabian Grünbichler (2):
  api: permissions: allow users to view their own permissions
  api: permissions: allow users to check their own tokens

 src/PVE/API2/AccessControl.pm | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions
  2024-11-05  8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
@ 2024-11-05  8:30 ` Fabian Grünbichler
  2024-11-05  8:30 ` [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens Fabian Grünbichler
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2024-11-05  8:30 UTC (permalink / raw)
  To: pve-devel

even when specifying an explicit userid matching their own.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/PVE/API2/AccessControl.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index c55a7b3..157a5ee 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -486,14 +486,14 @@ __PACKAGE__->register_method({
 	my ($param) = @_;
 
 	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authid = $rpcenv->get_user();
 
 	my $userid = $param->{userid};
-	if (defined($userid)) {
+	$userid = $authid if !defined($userid);
+
+	if ($userid ne $authid) {
 	    $rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
-	} else {
-	    $userid = $rpcenv->get_user();
 	}
-
 	my $res;
 
 	if (my $path = $param->{path}) {
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens
  2024-11-05  8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
  2024-11-05  8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
@ 2024-11-05  8:30 ` Fabian Grünbichler
  2024-11-06 14:54 ` [pve-devel] [PATCH access-control 0/2] improve permission self-service Daniel Kral
  2024-11-10 19:08 ` [pve-devel] applied-series: " Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2024-11-05  8:30 UTC (permalink / raw)
  To: pve-devel

even if they lack Sys.Audit on /access - since tokens are self-service,
checking whether the ACLs work as expected should also be doable for every
user.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/PVE/API2/AccessControl.pm | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 157a5ee..7fcf6fb 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -460,7 +460,11 @@ __PACKAGE__->register_method({
     method => 'GET',
     description => 'Retrieve effective permissions of given user/token.',
     permissions => {
-	description => "Each user/token is allowed to dump their own permissions. A user can dump the permissions of another user if they have 'Sys.Audit' permission on /access.",
+	description => "Each user/token is allowed to dump their own ".
+	               "permissions (or that of owned tokens). A user  ".
+	               "can dump the permissions of another user or ".
+	               "their tokens if they have 'Sys.Audit' permission ".
+	               "on /access.",
 	user => 'all',
     },
     parameters => {
@@ -491,7 +495,11 @@ __PACKAGE__->register_method({
 	my $userid = $param->{userid};
 	$userid = $authid if !defined($userid);
 
-	if ($userid ne $authid) {
+	my ($user, $token) = PVE::AccessControl::split_tokenid($userid, 1);
+	my $check_self = $userid eq $authid;
+	my $check_owned_token = defined($user) && $user eq $authid;
+
+	if (!($check_self || $check_owned_token)) {
 	    $rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
 	}
 	my $res;
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [pve-devel] [PATCH access-control 0/2] improve permission self-service
  2024-11-05  8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
  2024-11-05  8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
  2024-11-05  8:30 ` [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens Fabian Grünbichler
@ 2024-11-06 14:54 ` Daniel Kral
  2024-11-10 19:08 ` [pve-devel] applied-series: " Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Daniel Kral @ 2024-11-06 14:54 UTC (permalink / raw)
  To: pve-devel

On 11/5/24 09:30, Fabian Grünbichler wrote:
> noticed this while testing https://lore.proxmox.com/pve-devel/20241031134629.144893-1-d.kral@proxmox.com
> 
> the first patch fixes the already allowed "permission self-service" for
> users as the web UI implements it (it always passes the $userid
> parameter).
> 
> the second patch extends that self-service to allow users without
> Sys.Audit on /access to evaluate their own tokens' ACLs/permissions,
> which seems sensible to me ;)
> 
> Fabian Grünbichler (2):
>    api: permissions: allow users to view their own permissions
>    api: permissions: allow users to check their own tokens
> 
>   src/PVE/API2/AccessControl.pm | 18 +++++++++++++-----
>   1 file changed, 13 insertions(+), 5 deletions(-)
> 

I have written some test cases for this and sent the patch to the 
mailing list [0].

[0] 
https://lore.proxmox.com/pve-devel/20241106144813.189056-1-d.kral@proxmox.com/

With the test cases included there, consider the whole series as:

Tested-by: Daniel Kral <d.kral@proxmox.com>


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] applied-series: [PATCH access-control 0/2] improve permission self-service
  2024-11-05  8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
                   ` (2 preceding siblings ...)
  2024-11-06 14:54 ` [pve-devel] [PATCH access-control 0/2] improve permission self-service Daniel Kral
@ 2024-11-10 19:08 ` Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2024-11-10 19:08 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

Am 05.11.24 um 09:30 schrieb Fabian Grünbichler:
> noticed this while testing https://lore.proxmox.com/pve-devel/20241031134629.144893-1-d.kral@proxmox.com
> 
> the first patch fixes the already allowed "permission self-service" for
> users as the web UI implements it (it always passes the $userid
> parameter).
> 
> the second patch extends that self-service to allow users without
> Sys.Audit on /access to evaluate their own tokens' ACLs/permissions,
> which seems sensible to me ;)
> 
> Fabian Grünbichler (2):
>   api: permissions: allow users to view their own permissions
>   api: permissions: allow users to check their own tokens
> 
>  src/PVE/API2/AccessControl.pm | 18 +++++++++++++-----
>  1 file changed, 13 insertions(+), 5 deletions(-)
> 


applied with Daniel's T-b, thanks!

ps. I made a small code-style follow-up for breaking up the schema description
over multiple lines so that it follows our style guide [0], there were some other
bad instances in that file  anyway, so I did it as separate patch.

[0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Wrapping_Strings


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-11-10 19:08 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-11-05  8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
2024-11-05  8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
2024-11-05  8:30 ` [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens Fabian Grünbichler
2024-11-06 14:54 ` [pve-devel] [PATCH access-control 0/2] improve permission self-service Daniel Kral
2024-11-10 19:08 ` [pve-devel] applied-series: " Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal