[pve-devel] [PATCH guest-common v10 1/1] GuestHelpers: add 'assert_tag_permissions'
Dominik Csapak
d.csapak at proxmox.com
Tue Nov 15 14:02:31 CET 2022
helper to check permissions for tag setting/updating/deleting
for both container and qemu-server
gets the list of allowed tags from the DataCenterConfig and the current
user permissions, and checks for each tag that is added/removed if
the user has permissions to modify it
'normal' tags require 'VM.Config.Options' on '/vms/<vmid>', but not
allowed tags (either limited with 'user-tag-access' or
'privileged-tags' in the datacenter.cfg) requrie 'Sys.Modify' on '/'
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
new in v10, but the code is mostly the same as the previous qemu-server
container one, with a few changes:
* adapt to new get_allowed_tags signature
* change 'map {foo} bar' into 'foo for bar'
* save all tags into $all_tags so that we only have to loop once
* use raise_perm_exc instead of die for permission errors (sets the
correct http status code)
debian/control | 3 ++-
src/PVE/GuestHelpers.pm | 54 ++++++++++++++++++++++++++++++++++++++++-
2 files changed, 55 insertions(+), 2 deletions(-)
diff --git a/debian/control b/debian/control
index 83bade3..ffff22b 100644
--- a/debian/control
+++ b/debian/control
@@ -12,7 +12,8 @@ Homepage: https://www.proxmox.com
Package: libpve-guest-common-perl
Architecture: all
-Depends: libpve-cluster-perl,
+Depends: libpve-access-control,
+ libpve-cluster-perl,
libpve-common-perl (>= 7.2-6),
libpve-storage-perl (>= 7.0-14),
pve-cluster,
diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm
index 0fe3fd6..2742501 100644
--- a/src/PVE/GuestHelpers.pm
+++ b/src/PVE/GuestHelpers.pm
@@ -3,6 +3,7 @@ package PVE::GuestHelpers;
use strict;
use warnings;
+use PVE::Exception qw(raise_perm_exc);
use PVE::Tools;
use PVE::Storage;
@@ -11,7 +12,7 @@ use Scalar::Util qw(weaken);
use base qw(Exporter);
-our @EXPORT_OK = qw(safe_string_ne safe_boolean_ne safe_num_ne typesafe_ne);
+our @EXPORT_OK = qw(safe_string_ne safe_boolean_ne safe_num_ne typesafe_ne assert_tag_permissions);
# We use a separate lock to block migration while a replication job
# is running.
@@ -246,4 +247,55 @@ sub config_with_pending_array {
return $res;
}
+# checks the permissions for setting/updating/removing tags for guests
+# tagopt_old and tagopt_new expect the tags as they are in the config
+#
+# either returns gracefully or raises a permission exception
+sub assert_tag_permissions {
+ my ($vmid, $tagopt_old, $tagopt_new, $rpcenv, $authuser) = @_;
+
+ my $allowed_tags;
+ my $privileged_tags;
+ my $freeform;
+ my $privileged_user = $rpcenv->check($authuser, '/', ['Sys.Modify'], 1);
+ my $has_config_options =
+ $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'], 0, 1);
+
+ my $check_single_tag = sub {
+ my ($tag) = @_;
+ return if $privileged_user;
+
+ $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'])
+ if !$has_config_options;
+
+ if (!defined($allowed_tags) && !defined($privileged_tags) && !defined($freeform)) {
+ ($allowed_tags, $privileged_tags, $freeform) = PVE::DataCenterConfig::get_allowed_tags(
+ $privileged_user,
+ sub {
+ my ($vmid_to_check) = @_;
+ return $rpcenv->check_vm_perm($authuser, $vmid_to_check, undef, ['VM.Audit'], 0, 1);
+ },
+ );
+ }
+
+ if ((!$allowed_tags->{$tag} && !$freeform) || $privileged_tags->{$tag}) {
+ raise_perm_exc("/, Sys.Modify for modifying tag '$tag'");
+ }
+
+ return;
+ };
+
+ my $old_tags = {};
+ my $new_tags = {};
+ my $all_tags = {};
+
+ $all_tags->{$_} = $old_tags->{$_} += 1 for PVE::Tools::split_list($tagopt_old // '');
+ $all_tags->{$_} = $new_tags->{$_} += 1 for PVE::Tools::split_list($tagopt_new // '');
+
+ for my $tag (keys $all_tags->%*) {
+ next if ($new_tags->{$tag} // 0) == ($old_tags->{$tag} // 0);
+ $check_single_tag->($tag);
+ }
+}
+
1;
--
2.30.2
More information about the pve-devel
mailing list