sync job: fix worker ID parsing

the namespace is optional, but should be captured to allow ACL checks for unprivileged non-job-owners. also add FIXME for other job types and workers that (might) need updating. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-24 11:03:57 +02:00 · 2022-05-24 11:03:57 +02:00 · b9b2d635fe
parent 9f8aa8c5e2
commit b9b2d635fe
7 changed files with 7 additions and 1 deletions
--- a/pbs-api-types/src/jobs.rs
+++ b/pbs-api-types/src/jobs.rs
@ -18,7 +18,7 @@ const_regex! {
    /// Regex for verification jobs 'DATASTORE:ACTUAL_JOB_ID'
    pub VERIFICATION_JOB_WORKER_ID_REGEX = concat!(r"^(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):");
    /// Regex for sync jobs 'REMOTE:REMOTE_DATASTORE:LOCAL_DATASTORE:(?:LOCAL_NS_ANCHOR:)ACTUAL_JOB_ID'
-    pub SYNC_JOB_WORKER_ID_REGEX = concat!(r"^(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(?:", BACKUP_NS_RE!(), r"):");
+    pub SYNC_JOB_WORKER_ID_REGEX = concat!(r"^(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r")(?::(", BACKUP_NS_RE!(), r"))?:");
 }
 pub const JOB_ID_SCHEMA: Schema = StringSchema::new("Job ID.")
--- a/src/api2/backup/mod.rs
+++ b/src/api2/backup/mod.rs
@ -117,6 +117,7 @@ fn upgrade_to_backup_protocol(
            proxmox_router::http_bail!(NOT_FOUND, "namespace not found");
        }
        // FIXME: include namespace here?
        let worker_id = format!("{}:{}/{}", store, backup_dir_arg.ty(), backup_dir_arg.id());
        let env_type = rpcenv.env_type();
--- a/src/api2/node/tasks.rs
+++ b/src/api2/node/tasks.rs
@ -22,6 +22,7 @@ use proxmox_rest_server::{upid_log_path, upid_read_status, TaskListInfoIterator,
 // matches respective job execution privileges
 fn check_job_privs(auth_id: &Authid, user_info: &CachedUserInfo, upid: &UPID) -> Result<(), Error> {
    match (upid.worker_type.as_str(), &upid.worker_id) {
        // FIXME: parse namespace here?
        ("verificationjob", Some(workerid)) => {
            if let Some(captures) = VERIFICATION_JOB_WORKER_ID_REGEX.captures(workerid) {
                if let Some(store) = captures.get(1) {
--- a/src/api2/pull.rs
+++ b/src/api2/pull.rs
@ -263,6 +263,7 @@ async fn pull(
    let client = pull_params.client().await?;
    // fixme: set to_stdout to false?
    // FIXME: add namespace to worker id?
    let upid_str = WorkerTask::spawn(
        "sync",
        Some(store.clone()),
--- a/src/api2/reader/mod.rs
+++ b/src/api2/reader/mod.rs
@ -134,6 +134,7 @@ fn upgrade_to_backup_reader_protocol(
        //let files = BackupInfo::list_files(&path, &backup_dir)?;
        // FIXME: include namespace here?
        let worker_id = format!(
            "{}:{}/{}/{:08X}",
            store,
--- a/src/server/prune_job.rs
+++ b/src/server/prune_job.rs
@ -115,6 +115,7 @@ pub fn do_prune_job(
    let worker_type = job.jobtype().to_string();
    let auth_id = auth_id.clone();
    // TODO include namespace info here once this becomes namespace-aware/configurable
    let worker_id = format!("{store}");
    let upid_str = WorkerTask::new_thread(
        &worker_type,
--- a/src/server/verify_job.rs
+++ b/src/server/verify_job.rs
@ -25,6 +25,7 @@ pub fn do_verification_job(
    let (email, notify) = crate::server::lookup_datastore_notify_settings(&verification_job.store);
    // FIXME encode namespace here for filter/ACL check?
    let job_id = format!("{}:{}", &verification_job.store, job.jobname());
    let worker_type = job.jobtype().to_string();
    let upid_str = WorkerTask::new_thread(