tasks: allow unpriv users to read their tokens' tasks

and tighten down the return schema while we're at it.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2020-10-15 11:27:47 +02:00 committed by Wolfgang Bumiller
parent bff8557298
commit 16245d540c
2 changed files with 28 additions and 15 deletions

View File

@ -14,6 +14,16 @@ use crate::server::{self, UPID, TaskState, TaskListInfoIterator};
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY}; use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
use crate::config::cached_user_info::CachedUserInfo; use crate::config::cached_user_info::CachedUserInfo;
fn check_task_access(auth_id: &Authid, upid: &UPID) -> Result<(), Error> {
let task_auth_id = &upid.auth_id;
if auth_id == task_auth_id
|| (task_auth_id.is_token() && &Authid::from(task_auth_id.user().clone()) == auth_id) {
Ok(())
} else {
let user_info = CachedUserInfo::new()?;
user_info.check_privs(auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)
}
}
#[api( #[api(
input: { input: {
@ -57,9 +67,13 @@ use crate::config::cached_user_info::CachedUserInfo;
description: "Worker ID (arbitrary ASCII string)", description: "Worker ID (arbitrary ASCII string)",
}, },
user: { user: {
type: String, type: Userid,
description: "The user who started the task.", description: "The user who started the task.",
}, },
tokenid: {
type: Tokenname,
optional: true,
},
status: { status: {
type: String, type: String,
description: "'running' or 'stopped'", description: "'running' or 'stopped'",
@ -85,11 +99,7 @@ async fn get_task_status(
let upid = extract_upid(&param)?; let upid = extract_upid(&param)?;
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
check_task_access(&auth_id, &upid)?;
if auth_id != upid.auth_id {
let user_info = CachedUserInfo::new()?;
user_info.check_privs(&auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
}
let mut result = json!({ let mut result = json!({
"upid": param["upid"], "upid": param["upid"],
@ -99,9 +109,13 @@ async fn get_task_status(
"starttime": upid.starttime, "starttime": upid.starttime,
"type": upid.worker_type, "type": upid.worker_type,
"id": upid.worker_id, "id": upid.worker_id,
"user": upid.auth_id, "user": upid.auth_id.user(),
}); });
if upid.auth_id.is_token() {
result["tokenid"] = Value::from(upid.auth_id.tokenname().unwrap().as_str());
}
if crate::server::worker_is_active(&upid).await? { if crate::server::worker_is_active(&upid).await? {
result["status"] = Value::from("running"); result["status"] = Value::from("running");
} else { } else {
@ -163,10 +177,7 @@ async fn read_task_log(
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
if auth_id != upid.auth_id { check_task_access(&auth_id, &upid)?;
let user_info = CachedUserInfo::new()?;
user_info.check_privs(&auth_id, &["system", "tasks"], PRIV_SYS_AUDIT, false)?;
}
let test_status = param["test-status"].as_bool().unwrap_or(false); let test_status = param["test-status"].as_bool().unwrap_or(false);
@ -326,7 +337,9 @@ pub fn list_tasks(
Err(_) => return None, Err(_) => return None,
}; };
if !list_all && info.upid.auth_id != auth_id { return None; } if !list_all && check_task_access(&auth_id, &info.upid).is_err() {
return None;
}
if let Some(needle) = &userfilter { if let Some(needle) = &userfilter {
if !info.upid.auth_id.to_string().contains(needle) { return None; } if !info.upid.auth_id.to_string().contains(needle) { return None; }

View File

@ -692,7 +692,7 @@ pub struct DataStoreStatus {
#[api( #[api(
properties: { properties: {
upid: { schema: UPID_SCHEMA }, upid: { schema: UPID_SCHEMA },
userid: { type: Authid }, user: { type: Authid },
}, },
)] )]
#[derive(Serialize, Deserialize)] #[derive(Serialize, Deserialize)]
@ -712,7 +712,7 @@ pub struct TaskListItem {
/// Worker ID (arbitrary ASCII string) /// Worker ID (arbitrary ASCII string)
pub worker_id: Option<String>, pub worker_id: Option<String>,
/// The authenticated entity who started the task /// The authenticated entity who started the task
pub userid: Authid, pub user: Authid,
/// The task end time (Epoch) /// The task end time (Epoch)
#[serde(skip_serializing_if="Option::is_none")] #[serde(skip_serializing_if="Option::is_none")]
pub endtime: Option<i64>, pub endtime: Option<i64>,
@ -735,7 +735,7 @@ impl From<crate::server::TaskListInfo> for TaskListItem {
starttime: info.upid.starttime, starttime: info.upid.starttime,
worker_type: info.upid.worker_type, worker_type: info.upid.worker_type,
worker_id: info.upid.worker_id, worker_id: info.upid.worker_id,
userid: info.upid.auth_id, user: info.upid.auth_id,
endtime, endtime,
status, status,
} }