[pdm-devel] [PATCH proxmox-datacenter-manager 9/9] api: add permissions for sdn resources

Gabriel Goller g.goller at proxmox.com
Wed Nov 12 14:20:26 CET 2025


Until now, resources have not had any granular permissions: having `Audit` on
`/resources/{resource-name}` is enough to gain access to all resources. To
restrict this further, check permissions whenever a resource object is added
to the list. Note that this probably has some performance implications.
Only SDN resources are considered at the moment.

Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---
 server/src/api/resources.rs | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs
index 8b9d3b1baa25..b6680e3f1c71 100644
--- a/server/src/api/resources.rs
+++ b/server/src/api/resources.rs
@@ -309,7 +309,7 @@ pub(crate) async fn get_resources_impl(
     let remotes_only = is_remotes_only(&filters);
 
     for (remote_name, remote) in remotes_config {
-        if let Some(ref auth_id) = opt_auth_id {
+        if let Some(auth_id) = &opt_auth_id {
             let remote_privs = user_info.lookup_privs(auth_id, &["resource", &remote_name]);
             if remote_privs & PRIV_RESOURCE_AUDIT == 0 {
                 continue;
@@ -327,6 +327,8 @@ pub(crate) async fn get_resources_impl(
             continue;
         }
         let filter = filters.clone();
+        let user_info = user_info.clone();
+        let opt_auth_id = opt_auth_id.clone();
         let handle = tokio::spawn(async move {
             let (mut resources, error) = match get_resources_for_remote(&remote, max_age).await {
                 Ok(resources) => (resources, None),
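Review bot: The two added clones on the `let user_info = user_info.clone();` and `let opt_auth_id = opt_auth_id.clone();` lines run once per remote inside the loop, so every spawned task carries its own copy. If `user_info` is already an `Arc`-backed handle (which the hunk does not show), this is a cheap refcount bump and fine as is; if it is a plain struct holding the parsed ACL tree, consider wrapping it once before the loop, e.g. `let user_info = Arc::new(user_info);`, so the per-task clone stays O(1). A one-line comment such as `// per-task copies: the permission check runs inside the spawned task` would make the intent clear to the next reader. The enclosing loop body and `get_resources_impl` continue outside the hunk.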
@@ -346,6 +348,23 @@ pub(crate) async fn get_resources_impl(
                         }
                     }
 
+                    // check permissions
+                    if let (Resource::PveNetwork(sdn_resource), Some(auth_id)) =
+                        (resource, &opt_auth_id)
+                    {
+                        return (user_info.lookup_privs(
+                            auth_id,
+                            &[
+                                "resource",
+                                &remote_name,
+                                "sdn",
+                                sdn_resource.network_type().as_str(),
+                                sdn_resource.name(),
+                            ],
+                        ) & PRIV_RESOURCE_AUDIT)
+                            != 0;
+                    }
+
                     filter.matches(|filter| {
                         // if we get can't decide if it matches, don't filter it out
                         resource_matches_search_term(&remote_name, resource, filter).unwrap_or(true)
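Review bot: The early `return` in the added block short-circuits the closure for every SDN resource the caller is allowed to audit, so those resources never reach the `filter.matches(...)` search-term check that follows and are listed even when they do not match the filters; only SDN resources the caller may not see are (correctly) dropped. Turn the lookup into a guard that only rejects: replace `return (user_info.lookup_privs(` with `let privs = user_info.lookup_privs(`, replace `) & PRIV_RESOURCE_AUDIT)` and `!= 0;` with `);`, and add `if privs & PRIV_RESOURCE_AUDIT == 0 { return false; }` before the closing brace of the `if let`, so control falls through to the search-term filter. The `// check permissions` comment would also be more useful as `// visibility: an SDN resource is listed only if the caller holds Audit on its own ACL path; it must still pass the search filter below`. Resources that are not `Resource::PveNetwork`, and all resources when `opt_auth_id` is `None`, keep the previous behaviour, which is consistent with the unauthenticated path of the remote-level check. The enclosing closure and `get_resources_impl` start and end outside the hunk.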
-- 
2.47.3




