use anyhow::{bail, Error}; use ::serde::{Deserialize, Serialize}; use proxmox::api::{api, Router, RpcEnvironment, Permission}; use crate::api2::types::*; use crate::config::acl; use crate::config::acl::{Role, PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY}; #[api( properties: { propagate: { schema: ACL_PROPAGATE_SCHEMA, }, path: { schema: ACL_PATH_SCHEMA, }, ugid_type: { schema: ACL_UGID_TYPE_SCHEMA, }, ugid: { type: String, description: "User or Group ID.", }, roleid: { type: Role, } } )] #[derive(Serialize, Deserialize)] /// ACL list entry. pub struct AclListItem { path: String, ugid: String, ugid_type: String, propagate: bool, roleid: String, } fn extract_acl_node_data( node: &acl::AclTreeNode, path: &str, list: &mut Vec, exact: bool, ) { for (user, roles) in &node.users { for (role, propagate) in roles { list.push(AclListItem { path: if path.is_empty() { String::from("/") } else { path.to_string() }, propagate: *propagate, ugid_type: String::from("user"), ugid: user.to_string(), roleid: role.to_string(), }); } } for (group, roles) in &node.groups { for (role, propagate) in roles { list.push(AclListItem { path: if path.is_empty() { String::from("/") } else { path.to_string() }, propagate: *propagate, ugid_type: String::from("group"), ugid: group.to_string(), roleid: role.to_string(), }); } } if exact { return; } for (comp, child) in &node.children { let new_path = format!("{}/{}", path, comp); extract_acl_node_data(child, &new_path, list, exact); } } #[api( input: { properties: { path: { schema: ACL_PATH_SCHEMA, optional: true, }, exact: { description: "If set, returns only ACL for the exact path.", type: bool, optional: true, default: false, }, }, }, returns: { description: "ACL entry list.", type: Array, items: { type: AclListItem, } }, access: { permission: &Permission::Privilege(&["access", "acl"], PRIV_SYS_AUDIT, false), }, )] /// Read Access Control List (ACLs). pub fn read_acl( path: Option, exact: bool, mut rpcenv: &mut dyn RpcEnvironment, ) -> Result, Error> { //let auth_user = rpcenv.get_user().unwrap(); let (mut tree, digest) = acl::config()?; let mut list: Vec = Vec::new(); if let Some(path) = &path { if let Some(node) = &tree.find_node(path) { extract_acl_node_data(&node, path, &mut list, exact); } } else { extract_acl_node_data(&tree.root, "", &mut list, exact); } rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into(); Ok(list) } #[api( protected: true, input: { properties: { path: { schema: ACL_PATH_SCHEMA, }, role: { type: Role, }, propagate: { optional: true, schema: ACL_PROPAGATE_SCHEMA, }, userid: { optional: true, schema: PROXMOX_USER_ID_SCHEMA, }, group: { optional: true, schema: PROXMOX_GROUP_ID_SCHEMA, }, delete: { optional: true, description: "Remove permissions (instead of adding it).", type: bool, }, digest: { optional: true, schema: PROXMOX_CONFIG_DIGEST_SCHEMA, }, }, }, access: { permission: &Permission::Privilege(&["access", "acl"], PRIV_PERMISSIONS_MODIFY, false), }, )] /// Update Access Control List (ACLs). pub fn update_acl( path: String, role: String, propagate: Option, userid: Option, group: Option, delete: Option, digest: Option, _rpcenv: &mut dyn RpcEnvironment, ) -> Result<(), Error> { let _lock = crate::tools::open_file_locked(acl::ACL_CFG_LOCKFILE, std::time::Duration::new(10, 0))?; let (mut tree, expected_digest) = acl::config()?; if let Some(ref digest) = digest { let digest = proxmox::tools::hex_to_digest(digest)?; crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?; } let propagate = propagate.unwrap_or(true); let delete = delete.unwrap_or(false); if let Some(ref _group) = group { bail!("parameter 'group' - groups are currently not supported."); } else if let Some(ref userid) = userid { if !delete { // Note: we allow to delete non-existent users let user_cfg = crate::config::user::cached_config()?; if user_cfg.sections.get(userid).is_none() { bail!("no such user."); } } } else { bail!("missing 'userid' or 'group' parameter."); } if !delete { // Note: we allow to delete entries with invalid path acl::check_acl_path(&path)?; } if let Some(userid) = userid { if delete { tree.delete_user_role(&path, &userid, &role); } else { tree.insert_user_role(&path, &userid, &role, propagate); } } else if let Some(group) = group { if delete { tree.delete_group_role(&path, &group, &role); } else { tree.insert_group_role(&path, &group, &role, propagate); } } acl::save_config(&tree)?; Ok(()) } pub const ROUTER: Router = Router::new() .get(&API_METHOD_READ_ACL) .put(&API_METHOD_UPDATE_ACL);