config: any_priv_below: plural name & switch to slice of &str for path

s/any_priv_below/any_privs_below/ for consistency and switch from a single &str for the path param to the slice-ref string variant, as that allows to use it more often without allocation. Also allow passing the whole path as single &str element in the slice by splitting each component on '/' like we do in other parts nowadays. Note though that we need to omit the leading slash then. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-06-04 14:47:35 +02:00 · 2022-06-04 14:47:35 +02:00 · 0bed1f2956
parent 4ef6b7d1f0
commit 0bed1f2956
1 changed files with 21 additions and 17 deletions
--- a/pbs-config/src/acl.rs
+++ b/pbs-config/src/acl.rs
@ -669,21 +669,25 @@ impl AclTree {
    }

    /// Checks whether the `auth_id` has any of the privilegs `privs` on any object below `path`.
-    pub fn any_priv_below(&self, auth_id: &Authid, path: &str, privs: u64) -> Result<bool, Error> {
-        let comps = split_acl_path(path);
+    pub fn any_privs_below(
+        &self,
+        auth_id: &Authid,
+        path: &[&str],
+        privs: u64,
+    ) -> Result<bool, Error> {
        let mut node = &self.root;

        // check first if there's any propagated priv we need to be aware of
-        for c in comps {
-            // set propagate to false to get only propagating roles
-            if node.check_any_privs(auth_id, privs, true)? {
-                return Ok(true);
+        for outer in path {
+            for c in outer.split('/') {
+                if node.check_any_privs(auth_id, privs, true)? {
+                    return Ok(true);
+                }
+                // check next component
+                node = node.children.get(&c.to_string()).ok_or(format_err!(
+                    "component '{c}' of path '{path:?}' does not exist in current acl tree"
+                ))?;
            }
-
-            // check next component
-            node = node.children.get(&c.to_string()).ok_or(format_err!(
-                "component '{c}' of path '{path}' does not exist in current acl tree"
-            ))?;
        }

        // check last node in the path too
@ -945,22 +949,22 @@ acl:1:/storage/store1:user1@pbs:DatastoreBackup
        let user2: Authid = "user2@pbs".parse()?;

        // user1 has admin on "/store/store2/store3" -> return true
-        assert!(tree.any_priv_below(&user1, "/store", ROLE_ADMIN)?);
+        assert!(tree.any_privs_below(&user1, &["store"], ROLE_ADMIN)?);

        // user2 has not privileges under "/store/store2/store3" --> return false
-        assert!(!tree.any_priv_below(&user2, "/store/store2/store3", ROLE_DATASTORE_READER)?);
+        assert!(!tree.any_privs_below(&user2, &["store", "store2", "store3"], ROLE_DATASTORE_READER)?);

        // user2 has DatastoreReader privileges under "/store/store2/store31" --> return true
-        assert!(tree.any_priv_below(&user2, "/store/store2/store31", ROLE_DATASTORE_READER)?);
+        assert!(tree.any_privs_below(&user2, &["store/store2/store31"], ROLE_DATASTORE_READER)?);

        // user2 has no TapeReader privileges under "/store/store2/store31" --> return false
-        assert!(!tree.any_priv_below(&user2, "/store/store2/store31", ROLE_TAPE_READER)?);
+        assert!(!tree.any_privs_below(&user2, &["store/store2/store31"], ROLE_TAPE_READER)?);

        // user2 has no DatastoreReader propagating privileges on
        // "/store/store2/store31/store4/store6" --> return true
-        assert!(tree.any_priv_below(
+        assert!(tree.any_privs_below(
            &user2,
-            "/store/store2/store31/store4/store6",
+            &["store/store2/store31/store4/store6"],
            ROLE_DATASTORE_READER
        )?);