b2da7fbd1c
even for otherwise unprivileged users. since effective privileges of an API token are always intersected with those of their owning user, this does not allow an unprivileged user to elevate their privileges in practice, but avoids the need to involve a privileged user to deploy API tokens. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
284 lines
8.1 KiB
Rust
284 lines
8.1 KiB
Rust
use anyhow::{bail, Error};
|
|
use ::serde::{Deserialize, Serialize};
|
|
|
|
use proxmox::api::{api, Router, RpcEnvironment, Permission};
|
|
use proxmox::tools::fs::open_file_locked;
|
|
|
|
use crate::api2::types::*;
|
|
use crate::config::acl;
|
|
use crate::config::acl::{Role, PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
|
|
use crate::config::cached_user_info::CachedUserInfo;
|
|
|
|
#[api(
|
|
properties: {
|
|
propagate: {
|
|
schema: ACL_PROPAGATE_SCHEMA,
|
|
},
|
|
path: {
|
|
schema: ACL_PATH_SCHEMA,
|
|
},
|
|
ugid_type: {
|
|
schema: ACL_UGID_TYPE_SCHEMA,
|
|
},
|
|
ugid: {
|
|
type: String,
|
|
description: "User or Group ID.",
|
|
},
|
|
roleid: {
|
|
type: Role,
|
|
}
|
|
}
|
|
)]
|
|
#[derive(Serialize, Deserialize)]
|
|
/// ACL list entry.
|
|
pub struct AclListItem {
|
|
path: String,
|
|
ugid: String,
|
|
ugid_type: String,
|
|
propagate: bool,
|
|
roleid: String,
|
|
}
|
|
|
|
fn extract_acl_node_data(
|
|
node: &acl::AclTreeNode,
|
|
path: &str,
|
|
list: &mut Vec<AclListItem>,
|
|
exact: bool,
|
|
token_user: &Option<Authid>,
|
|
) {
|
|
// tokens can't have tokens, so we can early return
|
|
if let Some(token_user) = token_user {
|
|
if token_user.is_token() {
|
|
return;
|
|
}
|
|
}
|
|
|
|
for (user, roles) in &node.users {
|
|
if let Some(token_user) = token_user {
|
|
if !user.is_token()
|
|
|| user.user() != token_user.user() {
|
|
continue;
|
|
}
|
|
}
|
|
|
|
for (role, propagate) in roles {
|
|
list.push(AclListItem {
|
|
path: if path.is_empty() { String::from("/") } else { path.to_string() },
|
|
propagate: *propagate,
|
|
ugid_type: String::from("user"),
|
|
ugid: user.to_string(),
|
|
roleid: role.to_string(),
|
|
});
|
|
}
|
|
}
|
|
for (group, roles) in &node.groups {
|
|
if let Some(_) = token_user {
|
|
continue;
|
|
}
|
|
|
|
for (role, propagate) in roles {
|
|
list.push(AclListItem {
|
|
path: if path.is_empty() { String::from("/") } else { path.to_string() },
|
|
propagate: *propagate,
|
|
ugid_type: String::from("group"),
|
|
ugid: group.to_string(),
|
|
roleid: role.to_string(),
|
|
});
|
|
}
|
|
}
|
|
if exact {
|
|
return;
|
|
}
|
|
for (comp, child) in &node.children {
|
|
let new_path = format!("{}/{}", path, comp);
|
|
extract_acl_node_data(child, &new_path, list, exact, token_user);
|
|
}
|
|
}
|
|
|
|
#[api(
|
|
input: {
|
|
properties: {
|
|
path: {
|
|
schema: ACL_PATH_SCHEMA,
|
|
optional: true,
|
|
},
|
|
exact: {
|
|
description: "If set, returns only ACL for the exact path.",
|
|
type: bool,
|
|
optional: true,
|
|
default: false,
|
|
},
|
|
},
|
|
},
|
|
returns: {
|
|
description: "ACL entry list.",
|
|
type: Array,
|
|
items: {
|
|
type: AclListItem,
|
|
}
|
|
},
|
|
access: {
|
|
permission: &Permission::Anybody,
|
|
description: "Returns all ACLs if user has Sys.Audit on '/access/acl', or just the ACLs containing the user's API tokens.",
|
|
},
|
|
)]
|
|
/// Read Access Control List (ACLs).
|
|
pub fn read_acl(
|
|
path: Option<String>,
|
|
exact: bool,
|
|
mut rpcenv: &mut dyn RpcEnvironment,
|
|
) -> Result<Vec<AclListItem>, Error> {
|
|
let auth_id = rpcenv.get_auth_id().unwrap().parse()?;
|
|
|
|
let user_info = CachedUserInfo::new()?;
|
|
|
|
let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "acl"]);
|
|
let auth_id_filter = if (top_level_privs & PRIV_SYS_AUDIT) == 0 {
|
|
Some(auth_id)
|
|
} else {
|
|
None
|
|
};
|
|
|
|
let (mut tree, digest) = acl::config()?;
|
|
|
|
let mut list: Vec<AclListItem> = Vec::new();
|
|
if let Some(path) = &path {
|
|
if let Some(node) = &tree.find_node(path) {
|
|
extract_acl_node_data(&node, path, &mut list, exact, &auth_id_filter);
|
|
}
|
|
} else {
|
|
extract_acl_node_data(&tree.root, "", &mut list, exact, &auth_id_filter);
|
|
}
|
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
|
|
|
Ok(list)
|
|
}
|
|
|
|
#[api(
|
|
protected: true,
|
|
input: {
|
|
properties: {
|
|
path: {
|
|
schema: ACL_PATH_SCHEMA,
|
|
},
|
|
role: {
|
|
type: Role,
|
|
},
|
|
propagate: {
|
|
optional: true,
|
|
schema: ACL_PROPAGATE_SCHEMA,
|
|
},
|
|
auth_id: {
|
|
optional: true,
|
|
type: Authid,
|
|
},
|
|
group: {
|
|
optional: true,
|
|
schema: PROXMOX_GROUP_ID_SCHEMA,
|
|
},
|
|
delete: {
|
|
optional: true,
|
|
description: "Remove permissions (instead of adding it).",
|
|
type: bool,
|
|
},
|
|
digest: {
|
|
optional: true,
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
},
|
|
},
|
|
},
|
|
access: {
|
|
permission: &Permission::Anybody,
|
|
description: "Requires Permissions.Modify on '/access/acl', limited to updating ACLs of the user's API tokens otherwise."
|
|
},
|
|
)]
|
|
/// Update Access Control List (ACLs).
|
|
pub fn update_acl(
|
|
path: String,
|
|
role: String,
|
|
propagate: Option<bool>,
|
|
auth_id: Option<Authid>,
|
|
group: Option<String>,
|
|
delete: Option<bool>,
|
|
digest: Option<String>,
|
|
rpcenv: &mut dyn RpcEnvironment,
|
|
) -> Result<(), Error> {
|
|
let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
|
|
|
let user_info = CachedUserInfo::new()?;
|
|
|
|
let top_level_privs = user_info.lookup_privs(¤t_auth_id, &["access", "acl"]);
|
|
if top_level_privs & PRIV_PERMISSIONS_MODIFY == 0 {
|
|
if let Some(_) = group {
|
|
bail!("Unprivileged users are not allowed to create group ACL item.");
|
|
}
|
|
|
|
match &auth_id {
|
|
Some(auth_id) => {
|
|
if current_auth_id.is_token() {
|
|
bail!("Unprivileged API tokens can't set ACL items.");
|
|
} else if !auth_id.is_token() {
|
|
bail!("Unprivileged users can only set ACL items for API tokens.");
|
|
} else if auth_id.user() != current_auth_id.user() {
|
|
bail!("Unprivileged users can only set ACL items for their own API tokens.");
|
|
}
|
|
},
|
|
None => { bail!("Unprivileged user needs to provide auth_id to update ACL item."); },
|
|
};
|
|
}
|
|
|
|
let _lock = open_file_locked(acl::ACL_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
|
|
|
let (mut tree, expected_digest) = acl::config()?;
|
|
|
|
if let Some(ref digest) = digest {
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
}
|
|
|
|
let propagate = propagate.unwrap_or(true);
|
|
|
|
let delete = delete.unwrap_or(false);
|
|
|
|
if let Some(ref _group) = group {
|
|
bail!("parameter 'group' - groups are currently not supported.");
|
|
} else if let Some(ref auth_id) = auth_id {
|
|
if !delete { // Note: we allow to delete non-existent users
|
|
let user_cfg = crate::config::user::cached_config()?;
|
|
if user_cfg.sections.get(&auth_id.to_string()).is_none() {
|
|
bail!(format!("no such {}.",
|
|
if auth_id.is_token() { "API token" } else { "user" }));
|
|
}
|
|
}
|
|
} else {
|
|
bail!("missing 'userid' or 'group' parameter.");
|
|
}
|
|
|
|
if !delete { // Note: we allow to delete entries with invalid path
|
|
acl::check_acl_path(&path)?;
|
|
}
|
|
|
|
if let Some(auth_id) = auth_id {
|
|
if delete {
|
|
tree.delete_user_role(&path, &auth_id, &role);
|
|
} else {
|
|
tree.insert_user_role(&path, &auth_id, &role, propagate);
|
|
}
|
|
} else if let Some(group) = group {
|
|
if delete {
|
|
tree.delete_group_role(&path, &group, &role);
|
|
} else {
|
|
tree.insert_group_role(&path, &group, &role, propagate);
|
|
}
|
|
}
|
|
|
|
acl::save_config(&tree)?;
|
|
|
|
Ok(())
|
|
}
|
|
|
|
pub const ROUTER: Router = Router::new()
|
|
.get(&API_METHOD_READ_ACL)
|
|
.put(&API_METHOD_UPDATE_ACL);
|