tasks: allow unpriv users to read their tokens' tasks
and tighten down the return schema while we're at it. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
parent
bff8557298
commit
16245d540c
|
@ -14,6 +14,16 @@ use crate::server::{self, UPID, TaskState, TaskListInfoIterator};
|
||||||
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
|
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
|
||||||
use crate::config::cached_user_info::CachedUserInfo;
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
|
fn check_task_access(auth_id: &Authid, upid: &UPID) -> Result<(), Error> {
|
||||||
|
let task_auth_id = &upid.auth_id;
|
||||||
|
if auth_id == task_auth_id
|
||||||
|
|| (task_auth_id.is_token() && &Authid::from(task_auth_id.user().clone()) == auth_id) {
|
||||||
|
Ok(())
|
||||||
|
} else {
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
user_info.check_privs(auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[api(
|
#[api(
|
||||||
input: {
|
input: {
|
||||||
|
@ -57,9 +67,13 @@ use crate::config::cached_user_info::CachedUserInfo;
|
||||||
description: "Worker ID (arbitrary ASCII string)",
|
description: "Worker ID (arbitrary ASCII string)",
|
||||||
},
|
},
|
||||||
user: {
|
user: {
|
||||||
type: String,
|
type: Userid,
|
||||||
description: "The user who started the task.",
|
description: "The user who started the task.",
|
||||||
},
|
},
|
||||||
|
tokenid: {
|
||||||
|
type: Tokenname,
|
||||||
|
optional: true,
|
||||||
|
},
|
||||||
status: {
|
status: {
|
||||||
type: String,
|
type: String,
|
||||||
description: "'running' or 'stopped'",
|
description: "'running' or 'stopped'",
|
||||||
|
@ -85,11 +99,7 @@ async fn get_task_status(
|
||||||
let upid = extract_upid(¶m)?;
|
let upid = extract_upid(¶m)?;
|
||||||
|
|
||||||
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
|
check_task_access(&auth_id, &upid)?;
|
||||||
if auth_id != upid.auth_id {
|
|
||||||
let user_info = CachedUserInfo::new()?;
|
|
||||||
user_info.check_privs(&auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
|
|
||||||
}
|
|
||||||
|
|
||||||
let mut result = json!({
|
let mut result = json!({
|
||||||
"upid": param["upid"],
|
"upid": param["upid"],
|
||||||
|
@ -99,9 +109,13 @@ async fn get_task_status(
|
||||||
"starttime": upid.starttime,
|
"starttime": upid.starttime,
|
||||||
"type": upid.worker_type,
|
"type": upid.worker_type,
|
||||||
"id": upid.worker_id,
|
"id": upid.worker_id,
|
||||||
"user": upid.auth_id,
|
"user": upid.auth_id.user(),
|
||||||
});
|
});
|
||||||
|
|
||||||
|
if upid.auth_id.is_token() {
|
||||||
|
result["tokenid"] = Value::from(upid.auth_id.tokenname().unwrap().as_str());
|
||||||
|
}
|
||||||
|
|
||||||
if crate::server::worker_is_active(&upid).await? {
|
if crate::server::worker_is_active(&upid).await? {
|
||||||
result["status"] = Value::from("running");
|
result["status"] = Value::from("running");
|
||||||
} else {
|
} else {
|
||||||
|
@ -163,10 +177,7 @@ async fn read_task_log(
|
||||||
|
|
||||||
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
|
|
||||||
if auth_id != upid.auth_id {
|
check_task_access(&auth_id, &upid)?;
|
||||||
let user_info = CachedUserInfo::new()?;
|
|
||||||
user_info.check_privs(&auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
|
|
||||||
}
|
|
||||||
|
|
||||||
let test_status = param["test-status"].as_bool().unwrap_or(false);
|
let test_status = param["test-status"].as_bool().unwrap_or(false);
|
||||||
|
|
||||||
|
@ -326,7 +337,9 @@ pub fn list_tasks(
|
||||||
Err(_) => return None,
|
Err(_) => return None,
|
||||||
};
|
};
|
||||||
|
|
||||||
if !list_all && info.upid.auth_id != auth_id { return None; }
|
if !list_all && check_task_access(&auth_id, &info.upid).is_err() {
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
|
||||||
if let Some(needle) = &userfilter {
|
if let Some(needle) = &userfilter {
|
||||||
if !info.upid.auth_id.to_string().contains(needle) { return None; }
|
if !info.upid.auth_id.to_string().contains(needle) { return None; }
|
||||||
|
|
|
@ -692,7 +692,7 @@ pub struct DataStoreStatus {
|
||||||
#[api(
|
#[api(
|
||||||
properties: {
|
properties: {
|
||||||
upid: { schema: UPID_SCHEMA },
|
upid: { schema: UPID_SCHEMA },
|
||||||
userid: { type: Authid },
|
user: { type: Authid },
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
#[derive(Serialize, Deserialize)]
|
#[derive(Serialize, Deserialize)]
|
||||||
|
@ -712,7 +712,7 @@ pub struct TaskListItem {
|
||||||
/// Worker ID (arbitrary ASCII string)
|
/// Worker ID (arbitrary ASCII string)
|
||||||
pub worker_id: Option<String>,
|
pub worker_id: Option<String>,
|
||||||
/// The authenticated entity who started the task
|
/// The authenticated entity who started the task
|
||||||
pub userid: Authid,
|
pub user: Authid,
|
||||||
/// The task end time (Epoch)
|
/// The task end time (Epoch)
|
||||||
#[serde(skip_serializing_if="Option::is_none")]
|
#[serde(skip_serializing_if="Option::is_none")]
|
||||||
pub endtime: Option<i64>,
|
pub endtime: Option<i64>,
|
||||||
|
@ -735,7 +735,7 @@ impl From<crate::server::TaskListInfo> for TaskListItem {
|
||||||
starttime: info.upid.starttime,
|
starttime: info.upid.starttime,
|
||||||
worker_type: info.upid.worker_type,
|
worker_type: info.upid.worker_type,
|
||||||
worker_id: info.upid.worker_id,
|
worker_id: info.upid.worker_id,
|
||||||
userid: info.upid.auth_id,
|
user: info.upid.auth_id,
|
||||||
endtime,
|
endtime,
|
||||||
status,
|
status,
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue