tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

sync/pull: cleanup priv checks and logging 

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2022-05-24 13:51:27 +02:00 committed by Thomas Lamprecht
parent d1fba4de1d
commit 77bd14f68a
1 changed files with 14 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
src/server/pull.rs
View File

@ -16,9 +16,9 @@ use proxmox_router::HttpError;
use proxmox_sys::task_log; use proxmox_sys::task_log;
use pbs_api_types::{ use pbs_api_types::{
privs_to_priv_names, Authid, BackupNamespace, DatastoreWithNamespace, GroupFilter, Authid, BackupNamespace, DatastoreWithNamespace, GroupFilter, GroupListItem, NamespaceListItem,
GroupListItem, NamespaceListItem, Operation, RateLimitConfig, Remote, SnapshotListItem, Operation, RateLimitConfig, Remote, SnapshotListItem, MAX_NAMESPACE_DEPTH,
MAX_NAMESPACE_DEPTH, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY,
}; };
use pbs_client::{ use pbs_client::{
@ -800,15 +800,7 @@ fn check_ns_privs(
// TODO re-sync with API, maybe find common place? // TODO re-sync with API, maybe find common place?
let path = &store_with_ns.acl_path(); user_info.check_privs(owner, &store_with_ns.acl_path(), privs, true)
let user_privs = user_info.lookup_privs(owner, path);
if (user_privs & privs) == 0 {
let priv_names = privs_to_priv_names(privs).join("|");
let path = path.join("/");
bail!("privilege(s) {priv_names} missing on /{path}");
}
Ok(())
} }
fn check_and_create_ns( fn check_and_create_ns(
@ -824,17 +816,13 @@ fn check_and_create_ns(
let parent = params.store_with_ns(parent); let parent = params.store_with_ns(parent);
if let Err(err) = check_ns_privs(&parent, &params.owner, PRIV_DATASTORE_MODIFY) { check_ns_privs(&parent, &params.owner, PRIV_DATASTORE_MODIFY)
bail!( .map_err(|err| format_err!("Creating {ns} not allowed - {err}"))?;
"Not allowed to create namespace {} - {}",
store_with_ns,
err,
);
}
if let Some(name) = name { if let Some(name) = name {
if let Err(err) = params.store.create_namespace(&parent.ns, name) { if let Err(err) = params.store.create_namespace(&parent.ns, name) {
bail!( bail!(
"sync namespace {} failed - namespace creation failed: {}", "sync into {} failed - namespace creation failed: {}",
&store_with_ns, &store_with_ns,
err err
); );
@ -842,27 +830,24 @@ fn check_and_create_ns(
created = true; created = true;
} else { } else {
bail!( bail!(
"sync namespace {} failed - namespace creation failed - couldn't determine parent namespace", "sync into {} failed - namespace creation failed - couldn't determine parent namespace",
&store_with_ns, &store_with_ns,
); );
} }
} }
// TODO re-sync with API, maybe find common place? // TODO re-sync with API, maybe find common place?
if let Err(err) = check_ns_privs(&store_with_ns, &params.owner, PRIV_DATASTORE_BACKUP) { check_ns_privs(&store_with_ns, &params.owner, PRIV_DATASTORE_BACKUP)
bail!("sync namespace {} failed - {}", &store_with_ns, err); .map_err(|err| format_err!("sync into {store_with_ns} not allowed - {err}"))?;
}
Ok(created) Ok(created)
} }
fn check_and_remove_ns(params: &PullParameters, local_ns: &BackupNamespace) -> Result<bool, Error> { fn check_and_remove_ns(params: &PullParameters, local_ns: &BackupNamespace) -> Result<bool, Error> {
let parent = local_ns.clone().parent(); let parent = local_ns.clone().parent();
check_ns_privs( let store_with_parent = params.store_with_ns(parent);
&params.store_with_ns(parent), check_ns_privs(&store_with_parent, &params.owner, PRIV_DATASTORE_MODIFY)
&params.owner, .map_err(|err| format_err!("Removing {local_ns} not allowed - {err}"))?;
PRIV_DATASTORE_MODIFY,
)?;
params.store.remove_namespace_recursive(local_ns, true) params.store.remove_namespace_recursive(local_ns, true)
} }