proxmox-backup/src/api2/access/acl.rs

//! Manage Access Control Lists

use anyhow::{bail, Error};

use proxmox::api::{api, Router, RpcEnvironment, Permission};
use proxmox::tools::fs::open_file_locked;

use crate::api2::types::*;
use crate::config::acl;
use crate::config::acl::{Role, PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
use crate::config::cached_user_info::CachedUserInfo;

fn extract_acl_node_data(
    node: &acl::AclTreeNode,
    path: &str,
    list: &mut Vec<AclListItem>,
    exact: bool,
    token_user: &Option<Authid>,
) {
    // tokens can't have tokens, so we can early return
    if let Some(token_user) = token_user {
        if token_user.is_token() {
            return;
        }
    }

    for (user, roles) in &node.users {
        if let Some(token_user) = token_user {
            if !user.is_token()
                || user.user() != token_user.user() {
                 continue;
            }
        }

        for (role, propagate) in roles {
            list.push(AclListItem {
                path: if path.is_empty() { String::from("/") } else { path.to_string() },
                propagate: *propagate,
                ugid_type: String::from("user"),
                ugid: user.to_string(),
                roleid: role.to_string(),
            });
        }
    }
    for (group, roles) in &node.groups {
        if token_user.is_some() {
            continue;
        }

        for (role, propagate) in roles {
            list.push(AclListItem {
                path: if path.is_empty() { String::from("/") } else { path.to_string() },
                propagate: *propagate,
                ugid_type: String::from("group"),
                ugid: group.to_string(),
                roleid: role.to_string(),
            });
        }
    }
    if exact {
        return;
    }
    for (comp, child) in &node.children {
        let new_path = format!("{}/{}", path, comp);
        extract_acl_node_data(child, &new_path, list, exact, token_user);
    }
}

#[api(
    input: {
        properties: {
	    path: {
                schema: ACL_PATH_SCHEMA,
                optional: true,
            },
            exact: {
                description: "If set, returns only ACL for the exact path.",
                type: bool,
                optional: true,
                default: false,
            },
        },
    },
    returns: {
        description: "ACL entry list.",
        type: Array,
        items: {
            type: AclListItem,
        }
    },
    access: {
        permission: &Permission::Anybody,
        description: "Returns all ACLs if user has Sys.Audit on '/access/acl', or just the ACLs containing the user's API tokens.",
    },
)]
/// Read Access Control List (ACLs).
pub fn read_acl(
    path: Option<String>,
    exact: bool,
    mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<AclListItem>, Error> {
    let auth_id = rpcenv.get_auth_id().unwrap().parse()?;

    let user_info = CachedUserInfo::new()?;

    let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "acl"]);
    let auth_id_filter = if (top_level_privs & PRIV_SYS_AUDIT) == 0 {
        Some(auth_id)
    } else {
        None
    };

    let (mut tree, digest) = acl::config()?;

    let mut list: Vec<AclListItem> = Vec::new();
    if let Some(path) = &path {
        if let Some(node) = &tree.find_node(path) {
            extract_acl_node_data(&node, path, &mut list, exact, &auth_id_filter);
        }
    } else {
        extract_acl_node_data(&tree.root, "", &mut list, exact, &auth_id_filter);
    }

    rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();

    Ok(list)
}

#[api(
    protected: true,
    input: {
        properties: {
	    path: {
                schema: ACL_PATH_SCHEMA,
            },
	    role: {
                type: Role,
            },
            propagate: {
                optional: true,
                schema: ACL_PROPAGATE_SCHEMA,
            },
            "auth-id": {
                optional: true,
                type: Authid,
            },
            group: {
                optional: true,
                schema: PROXMOX_GROUP_ID_SCHEMA,
            },
            delete: {
                optional: true,
                description: "Remove permissions (instead of adding it).",
                type: bool,
            },
            digest: {
                optional: true,
                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
            },
       },
    },
    access: {
        permission: &Permission::Anybody,
        description: "Requires Permissions.Modify on '/access/acl', limited to updating ACLs of the user's API tokens otherwise."
    },
)]
/// Update Access Control List (ACLs).
pub fn update_acl(
    path: String,
    role: String,
    propagate: Option<bool>,
    auth_id: Option<Authid>,
    group: Option<String>,
    delete: Option<bool>,
    digest: Option<String>,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
    let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;

    let user_info = CachedUserInfo::new()?;

    let top_level_privs = user_info.lookup_privs(&current_auth_id, &["access", "acl"]);
    if top_level_privs & PRIV_PERMISSIONS_MODIFY == 0 {
        if group.is_some() {
            bail!("Unprivileged users are not allowed to create group ACL item.");
        }

        match &auth_id {
            Some(auth_id) => {
                if current_auth_id.is_token() {
                    bail!("Unprivileged API tokens can't set ACL items.");
                } else if !auth_id.is_token() {
                    bail!("Unprivileged users can only set ACL items for API tokens.");
                } else if auth_id.user() != current_auth_id.user() {
                    bail!("Unprivileged users can only set ACL items for their own API tokens.");
                }
            },
            None => { bail!("Unprivileged user needs to provide auth_id to update ACL item."); },
        };
    }

    let _lock = open_file_locked(acl::ACL_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;

    let (mut tree, expected_digest) = acl::config()?;

    if let Some(ref digest) = digest {
        let digest = proxmox::tools::hex_to_digest(digest)?;
        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
    }

    let propagate = propagate.unwrap_or(true);

    let delete = delete.unwrap_or(false);

    if let Some(ref _group) = group {
        bail!("parameter 'group' - groups are currently not supported.");
    } else if let Some(ref auth_id) = auth_id {
        if !delete { // Note: we allow to delete non-existent users
            let user_cfg = crate::config::user::cached_config()?;
            if user_cfg.sections.get(&auth_id.to_string()).is_none() {
                bail!(format!("no such {}.",
                              if auth_id.is_token() { "API token" } else { "user" }));
            }
        }
    } else {
        bail!("missing 'userid' or 'group' parameter.");
    }

    if !delete { // Note: we allow to delete entries with invalid path
        acl::check_acl_path(&path)?;
    }

    if let Some(auth_id) = auth_id {
        if delete {
            tree.delete_user_role(&path, &auth_id, &role);
        } else {
            tree.insert_user_role(&path, &auth_id, &role, propagate);
        }
    } else if let Some(group) = group {
        if delete {
            tree.delete_group_role(&path, &group, &role);
        } else {
            tree.insert_group_role(&path, &group, &role, propagate);
        }
    }

    acl::save_config(&tree)?;

    Ok(())
}

pub const ROUTER: Router = Router::new()
    .get(&API_METHOD_READ_ACL)
    .put(&API_METHOD_UPDATE_ACL);
improve code docs in api2 Note: API methos should be declared pub, so that they show up in the generated docu. 2021-01-22 14:53:51 +00:00			`//! Manage Access Control Lists`

switch from failure to anyhow Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-04-17 12:11:25 +00:00			`use anyhow::{bail, Error};`
start ACL api 2020-04-13 09:09:44 +00:00
src/api2/access/acl.rs: add access permissions 2020-04-17 08:03:09 +00:00			`use proxmox::api::{api, Router, RpcEnvironment, Permission};`
remove timer and lock functions, fix building with proxmox 0.3.2 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-04 09:33:02 +00:00			`use proxmox::tools::fs::open_file_locked;`
start ACL api 2020-04-13 09:09:44 +00:00
			`use crate::api2::types::*;`
			`use crate::config::acl;`
use reasonable acl paths 2020-04-30 07:30:00 +00:00			`use crate::config::acl::{Role, PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`use crate::config::cached_user_info::CachedUserInfo;`
start ACL api 2020-04-13 09:09:44 +00:00
			`fn extract_acl_node_data(`
			`node: &acl::AclTreeNode,`
			`path: &str,`
			`list: &mut Vec<AclListItem>,`
add 'exact' parameter to extract_acl_node_data so that we can return acls for a single path Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:34 +00:00			`exact: bool,`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`token_user: &Option<Authid>,`
start ACL api 2020-04-13 09:09:44 +00:00			`) {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`// tokens can't have tokens, so we can early return`
			`if let Some(token_user) = token_user {`
			`if token_user.is_token() {`
			`return;`
			`}`
			`}`

start ACL api 2020-04-13 09:09:44 +00:00			`for (user, roles) in &node.users {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`if let Some(token_user) = token_user {`
			`if !user.is_token()`
			`\|\| user.user() != token_user.user() {`
			`continue;`
			`}`
			`}`

start ACL api 2020-04-13 09:09:44 +00:00			`for (role, propagate) in roles {`
			`list.push(AclListItem {`
			`path: if path.is_empty() { String::from("/") } else { path.to_string() },`
			`propagate: *propagate,`
			`ugid_type: String::from("user"),`
			`ugid: user.to_string(),`
			`roleid: role.to_string(),`
			`});`
			`}`
			`}`
			`for (group, roles) in &node.groups {`
clippy: is_some/none/ok/err/empty Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2021-01-19 09:27:59 +00:00			`if token_user.is_some() {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`continue;`
			`}`

start ACL api 2020-04-13 09:09:44 +00:00			`for (role, propagate) in roles {`
			`list.push(AclListItem {`
			`path: if path.is_empty() { String::from("/") } else { path.to_string() },`
			`propagate: *propagate,`
			`ugid_type: String::from("group"),`
			`ugid: group.to_string(),`
			`roleid: role.to_string(),`
			`});`
			`}`
			`}`
add 'exact' parameter to extract_acl_node_data so that we can return acls for a single path Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:34 +00:00			`if exact {`
			`return;`
			`}`
start ACL api 2020-04-13 09:09:44 +00:00			`for (comp, child) in &node.children {`
			`let new_path = format!("{}/{}", path, comp);`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`extract_acl_node_data(child, &new_path, list, exact, token_user);`
start ACL api 2020-04-13 09:09:44 +00:00			`}`
			`}`

			`#[api(`
api2/access/acl: add path and exact parameter to list_acl so that we can get only a subset of the acls, filtered by the backed also return the digest here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:35 +00:00			`input: {`
			`properties: {`
			`path: {`
			`schema: ACL_PATH_SCHEMA,`
			`optional: true,`
			`},`
			`exact: {`
			`description: "If set, returns only ACL for the exact path.",`
			`type: bool,`
			`optional: true,`
			`default: false,`
			`},`
			`},`
			`},`
start ACL api 2020-04-13 09:09:44 +00:00			`returns: {`
			`description: "ACL entry list.",`
			`type: Array,`
			`items: {`
			`type: AclListItem,`
			`}`
src/api2/access/acl.rs: add access permissions 2020-04-17 08:03:09 +00:00			`},`
			`access: {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`permission: &Permission::Anybody,`
			`description: "Returns all ACLs if user has Sys.Audit on '/access/acl', or just the ACLs containing the user's API tokens.",`
src/api2/access/acl.rs: add access permissions 2020-04-17 08:03:09 +00:00			`},`
start ACL api 2020-04-13 09:09:44 +00:00			`)]`
			`/// Read Access Control List (ACLs).`
			`pub fn read_acl(`
api2/access/acl: add path and exact parameter to list_acl so that we can get only a subset of the acls, filtered by the backed also return the digest here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:35 +00:00			`path: Option<String>,`
			`exact: bool,`
			`mut rpcenv: &mut dyn RpcEnvironment,`
start ACL api 2020-04-13 09:09:44 +00:00			`) -> Result<Vec<AclListItem>, Error> {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`let auth_id = rpcenv.get_auth_id().unwrap().parse()?;`
start ACL api 2020-04-13 09:09:44 +00:00
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`let user_info = CachedUserInfo::new()?;`

			`let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "acl"]);`
			`let auth_id_filter = if (top_level_privs & PRIV_SYS_AUDIT) == 0 {`
			`Some(auth_id)`
			`} else {`
			`None`
			`};`
start ACL api 2020-04-13 09:09:44 +00:00
api2/access/acl: add path and exact parameter to list_acl so that we can get only a subset of the acls, filtered by the backed also return the digest here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:35 +00:00			`let (mut tree, digest) = acl::config()?;`
start ACL api 2020-04-13 09:09:44 +00:00
			`let mut list: Vec<AclListItem> = Vec::new();`
api2/access/acl: add path and exact parameter to list_acl so that we can get only a subset of the acls, filtered by the backed also return the digest here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:35 +00:00			`if let Some(path) = &path {`
			`if let Some(node) = &tree.find_node(path) {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`extract_acl_node_data(&node, path, &mut list, exact, &auth_id_filter);`
api2/access/acl: add path and exact parameter to list_acl so that we can get only a subset of the acls, filtered by the backed also return the digest here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:35 +00:00			`}`
			`} else {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`extract_acl_node_data(&tree.root, "", &mut list, exact, &auth_id_filter);`
api2/access/acl: add path and exact parameter to list_acl so that we can get only a subset of the acls, filtered by the backed also return the digest here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:35 +00:00			`}`

			`rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();`
start ACL api 2020-04-13 09:09:44 +00:00
			`Ok(list)`
			`}`

acl api: implement update 2020-04-14 06:40:53 +00:00			`#[api(`
api2/access/acl: make update_acl a protected api call since we want to set the owner of the acl config to 'root' which is only possible when using a protected api call Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-20 10:15:36 +00:00			`protected: true,`
acl api: implement update 2020-04-14 06:40:53 +00:00			`input: {`
			`properties: {`
			`path: {`
			`schema: ACL_PATH_SCHEMA,`
			`},`
			`role: {`
use proxmox 0.1.25, use new EnumEntry feature 2020-04-29 11:01:24 +00:00			`type: Role,`
acl api: implement update 2020-04-14 06:40:53 +00:00			`},`
			`propagate: {`
			`optional: true,`
			`schema: ACL_PROPAGATE_SCHEMA,`
			`},`
api: replace auth_id with auth-id in parameters, and fix up the completion for the ACL update parameter. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-30 14:18:41 +00:00			`"auth-id": {`
acl api: implement update 2020-04-14 06:40:53 +00:00			`optional: true,`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`type: Authid,`
acl api: implement update 2020-04-14 06:40:53 +00:00			`},`
			`group: {`
			`optional: true,`
			`schema: PROXMOX_GROUP_ID_SCHEMA,`
			`},`
acl update: check if user exist. 2020-04-14 11:46:27 +00:00			`delete: {`
acl api: implement update 2020-04-14 06:40:53 +00:00			`optional: true,`
			`description: "Remove permissions (instead of adding it).",`
			`type: bool,`
			`},`
			`digest: {`
			`optional: true,`
			`schema: PROXMOX_CONFIG_DIGEST_SCHEMA,`
			`},`
			`},`
			`},`
src/api2/access/acl.rs: add access permissions 2020-04-17 08:03:09 +00:00			`access: {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`permission: &Permission::Anybody,`
			`description: "Requires Permissions.Modify on '/access/acl', limited to updating ACLs of the user's API tokens otherwise."`
src/api2/access/acl.rs: add access permissions 2020-04-17 08:03:09 +00:00			`},`
acl api: implement update 2020-04-14 06:40:53 +00:00			`)]`
			`/// Update Access Control List (ACLs).`
			`pub fn update_acl(`
			`path: String,`
			`role: String,`
			`propagate: Option<bool>,`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`auth_id: Option<Authid>,`
acl api: implement update 2020-04-14 06:40:53 +00:00			`group: Option<String>,`
			`delete: Option<bool>,`
			`digest: Option<String>,`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`rpcenv: &mut dyn RpcEnvironment,`
acl api: implement update 2020-04-14 06:40:53 +00:00			`) -> Result<(), Error> {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;`

			`let user_info = CachedUserInfo::new()?;`

			`let top_level_privs = user_info.lookup_privs(&current_auth_id, &["access", "acl"]);`
			`if top_level_privs & PRIV_PERMISSIONS_MODIFY == 0 {`
clippy: is_some/none/ok/err/empty Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2021-01-19 09:27:59 +00:00			`if group.is_some() {`
acls: allow viewing/editing user's token ACLs even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-28 08:49:25 +00:00			`bail!("Unprivileged users are not allowed to create group ACL item.");`
			`}`

			`match &auth_id {`
			`Some(auth_id) => {`
			`if current_auth_id.is_token() {`
			`bail!("Unprivileged API tokens can't set ACL items.");`
			`} else if !auth_id.is_token() {`
			`bail!("Unprivileged users can only set ACL items for API tokens.");`
			`} else if auth_id.user() != current_auth_id.user() {`
			`bail!("Unprivileged users can only set ACL items for their own API tokens.");`
			`}`
			`},`
			`None => { bail!("Unprivileged user needs to provide auth_id to update ACL item."); },`
			`};`
			`}`
acl api: implement update 2020-04-14 06:40:53 +00:00
depend on proxmox 0.4.2 2020-09-28 08:50:44 +00:00			`let _lock = open_file_locked(acl::ACL_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;`
acl api: implement update 2020-04-14 06:40:53 +00:00
			`let (mut tree, expected_digest) = acl::config()?;`

			`if let Some(ref digest) = digest {`
			`let digest = proxmox::tools::hex_to_digest(digest)?;`
			`crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;`
			`}`

			`let propagate = propagate.unwrap_or(true);`

			`let delete = delete.unwrap_or(false);`

acl update: check path 2020-04-14 15:23:48 +00:00			`if let Some(ref _group) = group {`
acl update: check if user exist. 2020-04-14 11:46:27 +00:00			`bail!("parameter 'group' - groups are currently not supported.");`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`} else if let Some(ref auth_id) = auth_id {`
acl update: check if user exist. 2020-04-14 11:46:27 +00:00			`if !delete { // Note: we allow to delete non-existent users`
src/config/user.rs - cached_config: do not store/return digest 2020-04-15 09:35:57 +00:00			`let user_cfg = crate::config::user::cached_config()?;`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`if user_cfg.sections.get(&auth_id.to_string()).is_none() {`
			`bail!(format!("no such {}.",`
			`if auth_id.is_token() { "API token" } else { "user" }));`
acl update: check if user exist. 2020-04-14 11:46:27 +00:00			`}`
			`}`
			`} else {`
			`bail!("missing 'userid' or 'group' parameter.");`
			`}`

acl update: check path 2020-04-14 15:23:48 +00:00			`if !delete { // Note: we allow to delete entries with invalid path`
use reasonable acl paths 2020-04-30 07:30:00 +00:00			`acl::check_acl_path(&path)?;`
acl update: check path 2020-04-14 15:23:48 +00:00			`}`

replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`if let Some(auth_id) = auth_id {`
acl api: implement update 2020-04-14 06:40:53 +00:00			`if delete {`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`tree.delete_user_role(&path, &auth_id, &role);`
acl api: implement update 2020-04-14 06:40:53 +00:00			`} else {`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`tree.insert_user_role(&path, &auth_id, &role, propagate);`
acl api: implement update 2020-04-14 06:40:53 +00:00			`}`
			`} else if let Some(group) = group {`
			`if delete {`
			`tree.delete_group_role(&path, &group, &role);`
			`} else {`
			`tree.insert_group_role(&path, &group, &role, propagate);`
			`}`
			`}`

			`acl::save_config(&tree)?;`

			`Ok(())`
			`}`

start ACL api 2020-04-13 09:09:44 +00:00			`pub const ROUTER: Router = Router::new()`
acl api: implement update 2020-04-14 06:40:53 +00:00			`.get(&API_METHOD_READ_ACL)`
			`.put(&API_METHOD_UPDATE_ACL);`