move and unify namespace priv helpers
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler
committed by
Thomas Lamprecht
Thomas Lamprecht
parent
77bd14f68a
commit
ea2e91e52f
@ -1,14 +1,72 @@
|
||||
use std::sync::Arc;
|
||||
|
||||
use anyhow::Error;
|
||||
use anyhow::{bail, Error};
|
||||
|
||||
use pbs_api_types::{
|
||||
Authid, BackupNamespace, DatastoreWithNamespace, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP,
|
||||
PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_READ,
|
||||
privs_to_priv_names, Authid, BackupNamespace, DatastoreWithNamespace, PRIV_DATASTORE_AUDIT,
|
||||
PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_MODIFY, PRIV_DATASTORE_READ,
|
||||
};
|
||||
use pbs_config::CachedUserInfo;
|
||||
use pbs_datastore::{backup_info::BackupGroup, DataStore, ListGroups, ListNamespacesRecursive};
|
||||
|
||||
/// Asserts that `privs` are fulfilled on datastore + (optional) namespace.
|
||||
pub fn check_ns_privs(
|
||||
store_with_ns: &DatastoreWithNamespace,
|
||||
auth_id: &Authid,
|
||||
privs: u64,
|
||||
) -> Result<(), Error> {
|
||||
check_ns_privs_full(store_with_ns, auth_id, privs, 0).map(|_| ())
|
||||
}
|
||||
|
||||
/// Asserts that `privs` for creating/destroying namespace in datastore are fulfilled.
|
||||
pub fn check_ns_modification_privs(
|
||||
store_with_ns: &DatastoreWithNamespace,
|
||||
auth_id: &Authid,
|
||||
) -> Result<(), Error> {
|
||||
// we could allow it as easy purge-whole datastore, but lets be more restrictive for now
|
||||
if store_with_ns.ns.is_root() {
|
||||
// TODO
|
||||
bail!("Cannot create/delete root namespace!");
|
||||
}
|
||||
|
||||
let parent = DatastoreWithNamespace {
|
||||
store: store_with_ns.store.clone(),
|
||||
ns: store_with_ns.ns.parent(),
|
||||
};
|
||||
|
||||
check_ns_privs(&parent, auth_id, PRIV_DATASTORE_MODIFY)
|
||||
}
|
||||
|
||||
/// Asserts that either either `full_access_privs` or `partial_access_privs` are fulfilled on
|
||||
/// datastore + (optional) namespace.
|
||||
///
|
||||
/// Return value indicates whether further checks like group ownerships are required because
|
||||
/// `full_access_privs` are missing.
|
||||
pub fn check_ns_privs_full(
|
||||
store_with_ns: &DatastoreWithNamespace,
|
||||
auth_id: &Authid,
|
||||
full_access_privs: u64,
|
||||
partial_access_privs: u64,
|
||||
) -> Result<bool, Error> {
|
||||
let user_info = CachedUserInfo::new()?;
|
||||
let privs = user_info.lookup_privs(auth_id, &store_with_ns.acl_path());
|
||||
|
||||
if full_access_privs != 0 && (privs & full_access_privs) != 0 {
|
||||
return Ok(false);
|
||||
}
|
||||
if partial_access_privs != 0 && (privs & partial_access_privs) != 0 {
|
||||
return Ok(true);
|
||||
}
|
||||
|
||||
let priv_names = privs_to_priv_names(full_access_privs | partial_access_privs).join("|");
|
||||
let path = format!("/{}", store_with_ns.acl_path().join("/"));
|
||||
|
||||
proxmox_router::http_bail!(
|
||||
FORBIDDEN,
|
||||
"permission check failed - missing {priv_names} on {path}"
|
||||
);
|
||||
}
|
||||
|
||||
/// A priviledge aware iterator for all backup groups in all Namespaces below an anchor namespace,
|
||||
/// most often that will be the `BackupNamespace::root()` one.
|
||||
///
|
||||
|
||||
Reference in New Issue
Block a user