config: any_priv_below: plural name & switch to slice of &str for path

s/any_priv_below/any_privs_below/ for consistency and switch from a
single &str for the path param to the slice-ref string variant, as
that allows to use it more often without allocation.

Also allow passing the whole path as single &str element in the slice
by splitting each component on '/' like we do in other parts
nowadays. Note though that we need to omit the leading slash then.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2022-06-04 14:47:35 +02:00
parent 4ef6b7d1f0
commit 0bed1f2956
1 changed files with 21 additions and 17 deletions

View File

@ -669,22 +669,26 @@ impl AclTree {
}
/// Checks whether the `auth_id` has any of the privilegs `privs` on any object below `path`.
pub fn any_priv_below(&self, auth_id: &Authid, path: &str, privs: u64) -> Result<bool, Error> {
let comps = split_acl_path(path);
pub fn any_privs_below(
&self,
auth_id: &Authid,
path: &[&str],
privs: u64,
) -> Result<bool, Error> {
let mut node = &self.root;
// check first if there's any propagated priv we need to be aware of
for c in comps {
// set propagate to false to get only propagating roles
for outer in path {
for c in outer.split('/') {
if node.check_any_privs(auth_id, privs, true)? {
return Ok(true);
}
// check next component
node = node.children.get(&c.to_string()).ok_or(format_err!(
"component '{c}' of path '{path}' does not exist in current acl tree"
"component '{c}' of path '{path:?}' does not exist in current acl tree"
))?;
}
}
// check last node in the path too
if node.check_any_privs(auth_id, privs, true)? {
@ -945,22 +949,22 @@ acl:1:/storage/store1:user1@pbs:DatastoreBackup
let user2: Authid = "user2@pbs".parse()?;
// user1 has admin on "/store/store2/store3" -> return true
assert!(tree.any_priv_below(&user1, "/store", ROLE_ADMIN)?);
assert!(tree.any_privs_below(&user1, &["store"], ROLE_ADMIN)?);
// user2 has not privileges under "/store/store2/store3" --> return false
assert!(!tree.any_priv_below(&user2, "/store/store2/store3", ROLE_DATASTORE_READER)?);
assert!(!tree.any_privs_below(&user2, &["store", "store2", "store3"], ROLE_DATASTORE_READER)?);
// user2 has DatastoreReader privileges under "/store/store2/store31" --> return true
assert!(tree.any_priv_below(&user2, "/store/store2/store31", ROLE_DATASTORE_READER)?);
assert!(tree.any_privs_below(&user2, &["store/store2/store31"], ROLE_DATASTORE_READER)?);
// user2 has no TapeReader privileges under "/store/store2/store31" --> return false
assert!(!tree.any_priv_below(&user2, "/store/store2/store31", ROLE_TAPE_READER)?);
assert!(!tree.any_privs_below(&user2, &["store/store2/store31"], ROLE_TAPE_READER)?);
// user2 has no DatastoreReader propagating privileges on
// "/store/store2/store31/store4/store6" --> return true
assert!(tree.any_priv_below(
assert!(tree.any_privs_below(
&user2,
"/store/store2/store31/store4/store6",
&["store/store2/store31/store4/store6"],
ROLE_DATASTORE_READER
)?);