[pve-devel] [PATCH v2 access-control 14/23] API: include API tokens in ACL API endpoints

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Nov 21 15:43:32 CET 2019


Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/API2/ACL.pm | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index 3e42ac0..c340267 100644
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -46,7 +46,7 @@ __PACKAGE__->register_method ({
 	    properties => {
 		propagate => get_standard_option('acl-propagate'),
 		path => get_standard_option('acl-path'),
-		type => { type => 'string', enum => ['user', 'group'] },
+		type => { type => 'string', enum => ['user', 'group', 'token'] },
 		ugid => { type => 'string' },
 		roleid => { type => 'string' },
 	    },
@@ -68,8 +68,8 @@ __PACKAGE__->register_method ({
 
 	my $acl = $usercfg->{acl};
 	foreach my $path (keys %$acl) {
-	    foreach my $type (qw(users groups)) {
-		my $d = $acl->{$path}->{$type};
+	    foreach my $type (qw(user group token)) {
+		my $d = $acl->{$path}->{"${type}s"};
 		next if !$d;
 		next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
 		foreach my $id (keys %$d) {
@@ -77,7 +77,7 @@ __PACKAGE__->register_method ({
 			my $propagate = $d->{$id}->{$role};
 			push @$res, {
 			    path => $path,
-			    type => $type eq 'groups' ? 'group' : 'user',
+			    type => $type,
 			    ugid => $id,
 			    roleid => $role,
 			    propagate => $propagate,
@@ -114,6 +114,11 @@ __PACKAGE__->register_method ({
 		type => 'string', format => 'pve-groupid-list',
 		optional => 1,
 	    },
+	    tokens => {
+		description => "List of API tokens.",
+		type => 'string', format => 'pve-tokenid-list',
+		optional => 1,
+	    },
 	    roles => {
 		description => "List of roles.",
 		type => 'string', format => 'pve-roleid-list',
@@ -129,10 +134,8 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
 
-	if (!($param->{users} || $param->{groups})) {
-	    raise_param_exc({
-		users => "either 'users' or 'groups' is required.",
-		groups => "either 'users' or 'groups' is required." });
+	if (!($param->{users} || $param->{groups} || $param->{tokens})) {
+	    raise_param_exc({ map { $_ => "either 'users', 'groups' or 'tokens' is required." } qw(users groups tokens) });
 	}
 
 	my $path = PVE::AccessControl::normalize_path($param->{path});
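Review bot: The rewritten `raise_param_exc` call on the new line with the `map` runs well past the usual line width and packs the message literal, the `map` and the `qw` list onto one line, which is harder to read than the old explicit hash. Hoisting the message into a lexical keeps the deduplication while staying readable: `my $msg = "either 'users', 'groups' or 'tokens' is required.";` followed by `raise_param_exc({ map { $_ => $msg } qw(users groups tokens) });`. The enclosing `code` sub continues past the end of this hunk.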
@@ -177,6 +180,17 @@ __PACKAGE__->register_method ({
 			    $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
 			}
 		    }
+
+		    foreach my $tokenid (split_list($param->{tokens})) {
+			my ($username, $token) = PVE::AccessControl::split_tokenid($tokenid);
+			PVE::AccessControl::check_token_exist($cfg, $username, $token);
+
+			if ($param->{delete}) {
+			    delete $cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role};
+			} else {
+			    $cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role} = $propagate;
+			}
+		    }
 		}
 
 		cfs_write_file("user.cfg", $cfg);
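Review bot: `check_token_exist` is called before the `delete` branch, so removing an ACL entry for a token that no longer exists is refused even though the user-branch above only shows the existence check path for adding; whether the `delete` case for users behaves the same, and whether token removal already purges its ACL entries elsewhere, is not visible in this hunk and should be confirmed before relying on this for cleanup. The ACL key is the raw `$tokenid` while `$username` and `$token` are only used for the existence check, so any normalization done by `split_tokenid` is not reflected in the stored key; if the two can differ, a comment such as `# ACL is keyed by the caller-supplied token ID, not the split parts` would document the choice. The enclosing loop and `code` sub begin and end outside this hunk.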
-- 
2.20.1




