verify: allow unprivileged access to admin API

which is the one used by the GUI.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2020-11-06 11:23:08 +01:00 committed by Dietmar Maurer
parent 35c80d696f
commit 4c979d5450

View File

@ -2,11 +2,16 @@ use anyhow::{format_err, Error};
use proxmox::api::router::SubdirMap; use proxmox::api::router::SubdirMap;
use proxmox::{list_subdirs_api_method, sortable}; use proxmox::{list_subdirs_api_method, sortable};
use proxmox::api::{api, ApiMethod, Router, RpcEnvironment}; use proxmox::api::{api, ApiMethod, Permission, Router, RpcEnvironment};
use crate::api2::types::*; use crate::api2::types::*;
use crate::server::do_verification_job; use crate::server::do_verification_job;
use crate::server::jobstate::{Job, JobState}; use crate::server::jobstate::{Job, JobState};
use crate::config::acl::{
PRIV_DATASTORE_AUDIT,
PRIV_DATASTORE_VERIFY,
};
use crate::config::cached_user_info::CachedUserInfo;
use crate::config::verify; use crate::config::verify;
use crate::config::verify::{VerificationJobConfig, VerificationJobStatus}; use crate::config::verify::{VerificationJobConfig, VerificationJobStatus};
use serde_json::Value; use serde_json::Value;
@ -23,10 +28,14 @@ use crate::server::UPID;
}, },
}, },
returns: { returns: {
description: "List configured jobs and their status.", description: "List configured jobs and their status (filtered by access)",
type: Array, type: Array,
items: { type: verify::VerificationJobStatus }, items: { type: verify::VerificationJobStatus },
}, },
access: {
permission: &Permission::Anybody,
description: "Requires Datastore.Audit or Datastore.Verify on datastore.",
},
)] )]
/// List all verification jobs /// List all verification jobs
pub fn list_verification_jobs( pub fn list_verification_jobs(
@ -34,6 +43,10 @@ pub fn list_verification_jobs(
_param: Value, _param: Value,
mut rpcenv: &mut dyn RpcEnvironment, mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<VerificationJobStatus>, Error> { ) -> Result<Vec<VerificationJobStatus>, Error> {
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?;
let required_privs = PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_VERIFY;
let (config, digest) = verify::config()?; let (config, digest) = verify::config()?;
@ -41,6 +54,11 @@ pub fn list_verification_jobs(
.convert_to_typed_array("verification")? .convert_to_typed_array("verification")?
.into_iter() .into_iter()
.filter(|job: &VerificationJobStatus| { .filter(|job: &VerificationJobStatus| {
let privs = user_info.lookup_privs(&auth_id, &["datastore", &job.store]);
if privs & required_privs == 0 {
return false;
}
if let Some(store) = &store { if let Some(store) = &store {
&job.store == store &job.store == store
} else { } else {
@ -90,7 +108,11 @@ pub fn list_verification_jobs(
schema: JOB_ID_SCHEMA, schema: JOB_ID_SCHEMA,
} }
} }
} },
access: {
permission: &Permission::Anybody,
description: "Requires Datastore.Verify on job's datastore.",
},
)] )]
/// Runs a verification job manually. /// Runs a verification job manually.
fn run_verification_job( fn run_verification_job(
@ -98,10 +120,13 @@ fn run_verification_job(
_info: &ApiMethod, _info: &ApiMethod,
rpcenv: &mut dyn RpcEnvironment, rpcenv: &mut dyn RpcEnvironment,
) -> Result<String, Error> { ) -> Result<String, Error> {
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?;
let (config, _digest) = verify::config()?; let (config, _digest) = verify::config()?;
let verification_job: VerificationJobConfig = config.lookup("verification", &id)?; let verification_job: VerificationJobConfig = config.lookup("verification", &id)?;
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; user_info.check_privs(&auth_id, &["datastore", &verification_job.store], PRIV_DATASTORE_VERIFY, true)?;
let job = Job::new("verificationjob", &id)?; let job = Job::new("verificationjob", &id)?;