src/config/cached_user_info.rs: new helper class
This commit is contained in:
parent
1ce8a5d0b7
commit
423e656163
@ -19,6 +19,7 @@ pub mod datastore;
|
||||
pub mod remote;
|
||||
pub mod user;
|
||||
pub mod acl;
|
||||
pub mod cached_user_info;
|
||||
|
||||
/// Check configuration directory permissions
|
||||
///
|
||||
|
@ -39,7 +39,7 @@ pub const ROLE_DATASTORE_AUDIT: u64 = PRIV_DATASTORE_AUDIT;
|
||||
pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess";
|
||||
|
||||
lazy_static! {
|
||||
static ref ROLE_NAMES: HashMap<&'static str, u64> = {
|
||||
pub static ref ROLE_NAMES: HashMap<&'static str, u64> = {
|
||||
let mut map = HashMap::new();
|
||||
|
||||
map.insert("Admin", ROLE_ADMIN);
|
||||
|
69
src/config/cached_user_info.rs
Normal file
69
src/config/cached_user_info.rs
Normal file
@ -0,0 +1,69 @@
|
||||
//! Cached user info for fast ACL permission checks
|
||||
|
||||
use std::sync::Arc;
|
||||
|
||||
use failure::*;
|
||||
|
||||
use proxmox::api::section_config::SectionConfigData;
|
||||
use proxmox::api::UserInformation;
|
||||
|
||||
use super::acl::{AclTree, ROLE_NAMES};
|
||||
use super::user::User;
|
||||
|
||||
/// Cache User/Group/Acl configuration data for fast permission tests
|
||||
pub struct CachedUserInfo {
|
||||
user_cfg: Arc<SectionConfigData>,
|
||||
acl_tree: Arc<AclTree>,
|
||||
}
|
||||
|
||||
impl CachedUserInfo {
|
||||
|
||||
/// Creates a new instance.
|
||||
pub fn new() -> Result<Self, Error> {
|
||||
Ok(CachedUserInfo {
|
||||
user_cfg: super::user::cached_config()?,
|
||||
acl_tree: super::acl::cached_config()?,
|
||||
})
|
||||
}
|
||||
|
||||
/// Test if a user account is enabled and not expired
|
||||
pub fn is_active_user(&self, userid: &str) -> bool {
|
||||
if let Ok(info) = self.user_cfg.lookup::<User>("user", &userid) {
|
||||
if !info.enable.unwrap_or(true) {
|
||||
return false;
|
||||
}
|
||||
if let Some(expire) = info.expire {
|
||||
if expire > 0 {
|
||||
let now = unsafe { libc::time(std::ptr::null_mut()) };
|
||||
if expire <= now {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl UserInformation for CachedUserInfo {
|
||||
fn is_superuser(&self, userid: &str) -> bool {
|
||||
userid == "root@pam"
|
||||
}
|
||||
|
||||
fn is_group_member(&self, _userid: &str, _group: &str) -> bool {
|
||||
false
|
||||
}
|
||||
|
||||
fn lookup_privs(&self, userid: &str, path: &[&str]) -> u64 {
|
||||
let roles = self.acl_tree.roles(userid, path);
|
||||
let mut privs: u64 = 0;
|
||||
for role in roles {
|
||||
if let Some(role_privs) = ROLE_NAMES.get(role.as_str()) {
|
||||
privs |= role_privs;
|
||||
}
|
||||
}
|
||||
privs
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user