verify: fix unprivileged verification jobs
since the store is not a path parameter, we need to do manual instead of schema checks. also dropping Datastore.Backup here Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
parent
6823fdc7f9
commit
35c80d696f
@ -9,10 +9,11 @@ use crate::api2::types::*;
|
|||||||
|
|
||||||
use crate::config::acl::{
|
use crate::config::acl::{
|
||||||
PRIV_DATASTORE_AUDIT,
|
PRIV_DATASTORE_AUDIT,
|
||||||
PRIV_DATASTORE_BACKUP,
|
|
||||||
PRIV_DATASTORE_VERIFY,
|
PRIV_DATASTORE_VERIFY,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
|
|
||||||
use crate::config::verify::{self, VerificationJobConfig};
|
use crate::config::verify::{self, VerificationJobConfig};
|
||||||
|
|
||||||
#[api(
|
#[api(
|
||||||
@ -25,10 +26,8 @@ use crate::config::verify::{self, VerificationJobConfig};
|
|||||||
items: { type: verify::VerificationJobConfig },
|
items: { type: verify::VerificationJobConfig },
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(
|
permission: &Permission::Anybody,
|
||||||
&["datastore", "{store}"],
|
description: "Requires Datastore.Audit or Datastore.Verify on datastore.",
|
||||||
PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP | PRIV_DATASTORE_VERIFY,
|
|
||||||
true),
|
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// List all verification jobs
|
/// List all verification jobs
|
||||||
@ -36,11 +35,22 @@ pub fn list_verification_jobs(
|
|||||||
_param: Value,
|
_param: Value,
|
||||||
mut rpcenv: &mut dyn RpcEnvironment,
|
mut rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<Vec<VerificationJobConfig>, Error> {
|
) -> Result<Vec<VerificationJobConfig>, Error> {
|
||||||
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
|
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_VERIFY;
|
||||||
|
|
||||||
let (config, digest) = verify::config()?;
|
let (config, digest) = verify::config()?;
|
||||||
|
|
||||||
let list = config.convert_to_typed_array("verification")?;
|
let list = config.convert_to_typed_array("verification")?;
|
||||||
|
|
||||||
|
let list = list.into_iter()
|
||||||
|
.filter(|job: &VerificationJobConfig| {
|
||||||
|
let privs = user_info.lookup_privs(&auth_id, &["datastore", &job.store]);
|
||||||
|
|
||||||
|
privs & required_privs != 00
|
||||||
|
}).collect();
|
||||||
|
|
||||||
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
||||||
|
|
||||||
Ok(list)
|
Ok(list)
|
||||||
@ -76,19 +86,24 @@ pub fn list_verification_jobs(
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(
|
permission: &Permission::Anybody,
|
||||||
&["datastore", "{store}"],
|
description: "Requires Datastore.Verify on job's datastore.",
|
||||||
PRIV_DATASTORE_VERIFY,
|
|
||||||
true),
|
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Create a new verification job.
|
/// Create a new verification job.
|
||||||
pub fn create_verification_job(param: Value) -> Result<(), Error> {
|
pub fn create_verification_job(
|
||||||
|
param: Value,
|
||||||
let _lock = open_file_locked(verify::VERIFICATION_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
rpcenv: &mut dyn RpcEnvironment
|
||||||
|
) -> Result<(), Error> {
|
||||||
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let verification_job: verify::VerificationJobConfig = serde_json::from_value(param.clone())?;
|
let verification_job: verify::VerificationJobConfig = serde_json::from_value(param.clone())?;
|
||||||
|
|
||||||
|
user_info.check_privs(&auth_id, &["datastore", &verification_job.store], PRIV_DATASTORE_VERIFY, false)?;
|
||||||
|
|
||||||
|
let _lock = open_file_locked(verify::VERIFICATION_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
||||||
|
|
||||||
let (mut config, _digest) = verify::config()?;
|
let (mut config, _digest) = verify::config()?;
|
||||||
|
|
||||||
if let Some(_) = config.sections.get(&verification_job.id) {
|
if let Some(_) = config.sections.get(&verification_job.id) {
|
||||||
@ -117,10 +132,8 @@ pub fn create_verification_job(param: Value) -> Result<(), Error> {
|
|||||||
type: verify::VerificationJobConfig,
|
type: verify::VerificationJobConfig,
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(
|
permission: &Permission::Anybody,
|
||||||
&["datastore", "{store}"],
|
description: "Requires Datastore.Audit or Datastore.Verify on job's datastore.",
|
||||||
PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_BACKUP | PRIV_DATASTORE_VERIFY,
|
|
||||||
true),
|
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Read a verification job configuration.
|
/// Read a verification job configuration.
|
||||||
@ -128,9 +141,16 @@ pub fn read_verification_job(
|
|||||||
id: String,
|
id: String,
|
||||||
mut rpcenv: &mut dyn RpcEnvironment,
|
mut rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<VerificationJobConfig, Error> {
|
) -> Result<VerificationJobConfig, Error> {
|
||||||
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let (config, digest) = verify::config()?;
|
let (config, digest) = verify::config()?;
|
||||||
|
|
||||||
let verification_job = config.lookup("verification", &id)?;
|
let verification_job: verify::VerificationJobConfig = config.lookup("verification", &id)?;
|
||||||
|
|
||||||
|
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_VERIFY;
|
||||||
|
user_info.check_privs(&auth_id, &["datastore", &verification_job.store], required_privs, true)?;
|
||||||
|
|
||||||
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
||||||
|
|
||||||
Ok(verification_job)
|
Ok(verification_job)
|
||||||
@ -193,10 +213,8 @@ pub enum DeletableProperty {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(
|
permission: &Permission::Anybody,
|
||||||
&["datastore", "{store}"],
|
description: "Requires Datastore.Verify on job's datastore.",
|
||||||
PRIV_DATASTORE_VERIFY,
|
|
||||||
true),
|
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Update verification job config.
|
/// Update verification job config.
|
||||||
@ -209,7 +227,10 @@ pub fn update_verification_job(
|
|||||||
schedule: Option<String>,
|
schedule: Option<String>,
|
||||||
delete: Option<Vec<DeletableProperty>>,
|
delete: Option<Vec<DeletableProperty>>,
|
||||||
digest: Option<String>,
|
digest: Option<String>,
|
||||||
|
rpcenv: &mut dyn RpcEnvironment,
|
||||||
) -> Result<(), Error> {
|
) -> Result<(), Error> {
|
||||||
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let _lock = open_file_locked(verify::VERIFICATION_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
let _lock = open_file_locked(verify::VERIFICATION_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
||||||
|
|
||||||
@ -223,7 +244,10 @@ pub fn update_verification_job(
|
|||||||
|
|
||||||
let mut data: verify::VerificationJobConfig = config.lookup("verification", &id)?;
|
let mut data: verify::VerificationJobConfig = config.lookup("verification", &id)?;
|
||||||
|
|
||||||
if let Some(delete) = delete {
|
// check existing store
|
||||||
|
user_info.check_privs(&auth_id, &["datastore", &data.store], PRIV_DATASTORE_VERIFY, true)?;
|
||||||
|
|
||||||
|
if let Some(delete) = delete {
|
||||||
for delete_prop in delete {
|
for delete_prop in delete {
|
||||||
match delete_prop {
|
match delete_prop {
|
||||||
DeletableProperty::IgnoreVerified => { data.ignore_verified = None; },
|
DeletableProperty::IgnoreVerified => { data.ignore_verified = None; },
|
||||||
@ -243,7 +267,12 @@ pub fn update_verification_job(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if let Some(store) = store { data.store = store; }
|
if let Some(store) = store {
|
||||||
|
// check new store
|
||||||
|
user_info.check_privs(&auth_id, &["datastore", &store], PRIV_DATASTORE_VERIFY, true)?;
|
||||||
|
data.store = store;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if ignore_verified.is_some() { data.ignore_verified = ignore_verified; }
|
if ignore_verified.is_some() { data.ignore_verified = ignore_verified; }
|
||||||
if outdated_after.is_some() { data.outdated_after = outdated_after; }
|
if outdated_after.is_some() { data.outdated_after = outdated_after; }
|
||||||
@ -270,19 +299,26 @@ pub fn update_verification_job(
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(
|
permission: &Permission::Anybody,
|
||||||
&["datastore", "{store}"],
|
description: "Requires Datastore.Verify on job's datastore.",
|
||||||
PRIV_DATASTORE_VERIFY,
|
|
||||||
true),
|
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// Remove a verification job configuration
|
/// Remove a verification job configuration
|
||||||
pub fn delete_verification_job(id: String, digest: Option<String>) -> Result<(), Error> {
|
pub fn delete_verification_job(
|
||||||
|
id: String,
|
||||||
|
digest: Option<String>,
|
||||||
|
rpcenv: &mut dyn RpcEnvironment,
|
||||||
|
) -> Result<(), Error> {
|
||||||
|
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
let _lock = open_file_locked(verify::VERIFICATION_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
let _lock = open_file_locked(verify::VERIFICATION_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
||||||
|
|
||||||
let (mut config, expected_digest) = verify::config()?;
|
let (mut config, expected_digest) = verify::config()?;
|
||||||
|
|
||||||
|
let job: verify::VerificationJobConfig = config.lookup("verification", &id)?;
|
||||||
|
user_info.check_privs(&auth_id, &["datastore", &job.store], PRIV_DATASTORE_VERIFY, true)?;
|
||||||
|
|
||||||
if let Some(ref digest) = digest {
|
if let Some(ref digest) = digest {
|
||||||
let digest = proxmox::tools::hex_to_digest(digest)?;
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
||||||
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
||||||
|
Loading…
Reference in New Issue
Block a user