From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <e774ba2f-df50-5f3a-ca03-1768b84e0ee5@proxmox.com>
Date: Tue, 9 Aug 2022 08:55:28 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101
 Thunderbird/104.0
To: pve-devel@lists.proxmox.com
References: <20220719114639.3035048-1-d.csapak@proxmox.com>
 <20220719114639.3035048-4-d.csapak@proxmox.com>
 <1659354771.rznwko94vg.astroid@nora.none>
Content-Language: en-US
From: Dominik Csapak <d.csapak@proxmox.com>
In-Reply-To: <1659354771.rznwko94vg.astroid@nora.none>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [pve-devel] [PATCH access-control 2/2] PVE/RPCEnvironment: add
 helper for checking hw permissions
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>

On 8/1/22 14:01, Fabian Grünbichler wrote:
> On July 19, 2022 1:46 pm, Dominik Csapak wrote:
>> like check_vm_perm, etc.
>>
>> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
>> ---
>>   src/PVE/RPCEnvironment.pm | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
>> index 7c37c6e..c1b712d 100644
>> --- a/src/PVE/RPCEnvironment.pm
>> +++ b/src/PVE/RPCEnvironment.pm
>> @@ -356,6 +356,14 @@ sub check_vm_perm {
>>       return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
>>   };
>>   
>> +sub check_hw_perm {
>> +    my ($self, $user, $id, $privs, $any, $noerr) = @_;
>> +
>> +    my $cfg = $self->{user_cfg};
>> +
>> +    return $self->check_full($user, "/hardware/$id", $privs, $any, $noerr);
>> +}
> 
> is this really needed (here?)?
> 
> I mean, yes,
> 
> $rpcenv->check_hw_perm('foo@bar', "hardware_id", ['Hardware.Use'], 0, 0)
> 
> is a (tiny) bit shorter than
> 
> $rpcenv->check_full('foo@bar', "/hardware/hardware_id", ['Hardware.Use'], 0, 0)
> 
> but ;)
> 
> note that check_vm has a special job and is not just a wrapper for
> checking $ID against /$PREFIX/$ID, it is specifically for checking guest
> ACLs while honoring pool ACLs for the special case of "VM is currently
> being created and not formally part of the pool yet"..
> 
> similarly, check_perm_modify serves the purpose of containing all the
> "modify $path" -> "actual privilege" mappings in a single place.
> 
> the rest of the check_foo subs are low-level building blocks/helpers.
> 

you're right, the helper is not really necessary

>> +
>>   sub is_group_member {
>>       my ($self, $group, $user) = @_;
>>   
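
Review bot: in check_hw_perm, `my $cfg = $self->{user_cfg};` is assigned but never used, so it can be dropped. Separately, `$id` is interpolated into "/hardware/$id" without any check in this sub, so an id containing "/" would make check_full evaluate a different ACL path than the caller intended; either validate the id here or document that callers must pass an already verified id. The existing check_vm_perm just above ends with `};` while the new sub ends with `}`, which is the cleaner form.
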
>> -- 
>> 2.30.2
>>
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel