Merge pull request #315 from Tinyblargon/Feature#308

Feature: Dynamic permission checking.
Telmate · Mar 9, 2024 · 08d2943 · 08d2943
2 parents 4ced342 + 60d15a6
commit 08d2943
Show file tree

Hide file tree

Showing 6 changed files with 853 additions and 9 deletions.
diff --git a/proxmox/client.go b/proxmox/client.go
@@ -27,14 +27,16 @@ const exitStatusSuccess = "OK"
 
 // Client - URL, user and password to specific Proxmox node
 type Client struct {
-	session      *Session
-	ApiUrl       string
-	Username     string
-	Password     string
-	Otp          string
-	TaskTimeout  int
-	version      *Version
-	versionMutex *sync.Mutex
+	session         *Session
+	ApiUrl          string
+	Username        string
+	Password        string
+	Otp             string
+	TaskTimeout     int
+	permissionMutex *sync.Mutex
+	permissions     map[permissionPath]privileges
+	version         *Version
+	versionMutex    *sync.Mutex
 }
 
 const (
@@ -112,7 +114,7 @@ func NewClient(apiUrl string, hclient *http.Client, http_headers string, tls *tl
 		return nil, err
 	}
 	if err_s == nil {
-		client = &Client{session: sess, ApiUrl: apiUrl, TaskTimeout: taskTimeout, versionMutex: &sync.Mutex{}}
+		client = &Client{session: sess, ApiUrl: apiUrl, TaskTimeout: taskTimeout, versionMutex: &sync.Mutex{}, permissionMutex: &sync.Mutex{}, permissions: make(map[permissionPath]privileges)}
 	}
 
 	return client, err_s
@@ -2227,6 +2229,102 @@ func (c *Client) CheckTask(resp *http.Response) (exitStatus string, err error) {
 	return c.WaitForCompletion(taskResponse)
 }
 
+// return a list of requested permissions from the cache for further processing
+func (c *Client) cachedPermissions(paths []permissionPath) (map[permissionPath]privileges, error) {
+	c.permissionMutex.Lock()
+	defer c.permissionMutex.Unlock()
+	if c.permissions == nil {
+		permissionMap, err := c.getPermissions()
+		if err != nil {
+			return nil, err
+		}
+		c.permissions = permissionMap
+	}
+	extractedPermissions := make(map[permissionPath]privileges)
+	for _, path := range paths {
+		if permission, ok := c.permissions[path]; ok {
+			extractedPermissions[path] = permission
+		}
+	}
+	return extractedPermissions, nil
+}
+
+// Returns an error if the user does not have the required permissions on the given category and itme.
+func (c *Client) CheckPermissions(perms []Permission) error {
+	for _, perm := range perms {
+		if err := perm.Validate(); err != nil {
+			return err
+		}
+	}
+	return c.checkPermissions(perms)
+}
+
+// internal function to check permissions, does not validate input.
+func (c *Client) checkPermissions(perms []Permission) error {
+	if c == nil {
+		return errors.New(Client_Error_Nil)
+	}
+	if c.Username == "root@pam" { // no permissions check for root
+		return nil
+	}
+	permissions, err := c.cachedPermissions(Permission{}.buildPathList(perms))
+	if err != nil {
+		return err
+	}
+	for _, perm := range perms {
+		err = perm.check(permissions)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// inserts a permission into the cache, this is useful for when we create an item, as refreshing the whole cache is quite expensive.
+func (c *Client) insertCachedPermission(path permissionPath) error {
+	rawPermissions, err := c.getPermissionsRaw()
+	if err != nil {
+		return err
+	}
+	if rawPrivileges, ok := rawPermissions[string(path)]; ok {
+		privileges := privileges{}.mapToSDK(rawPrivileges.(map[string]interface{}))
+		c.permissionMutex.Lock()
+		c.permissions[path] = privileges
+		c.permissionMutex.Unlock()
+		return nil
+	}
+	return nil
+}
+
+// get the users permissions from the cache and decodes them for the SDK
+func (c *Client) getPermissions() (map[permissionPath]privileges, error) {
+	permissions, err := c.getPermissionsRaw()
+	if err != nil {
+		return nil, err
+	}
+	return permissionPath("").mapToSDK(permissions), nil
+}
+
+// returns the raw permissions from the API
+func (c *Client) getPermissionsRaw() (map[string]interface{}, error) {
+	return c.GetItemConfigMapStringInterface("/access/permissions", "", "permissions")
+}
+
+// RefreshPermissions fetches the permissions from the API and updates the cache.
+func (c *Client) RefreshPermissions() error {
+	if c == nil {
+		return errors.New(Client_Error_Nil)
+	}
+	tmpPermsissions, err := c.getPermissions()
+	if err != nil {
+		return err
+	}
+	c.permissionMutex.Lock()
+	c.permissions = tmpPermsissions
+	c.permissionMutex.Unlock()
+	return nil
+}
+
 // Returns the Client's cached version if it exists, otherwise fetches the version from the API.
 func (c *Client) Version() (Version, error) {
 	if c == nil {

diff --git a/proxmox/client_test.go b/proxmox/client_test.go
@@ -1,11 +1,55 @@
 package proxmox
 
 import (
+	"errors"
+	"sync"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 )
 
+func Test_Client_CheckPermissions(t *testing.T) {
+	pointerClient := func(c Client) *Client {
+		c.permissionMutex = &sync.Mutex{}
+		return &c
+	}
+	type input struct {
+		client *Client
+		perms  []Permission
+	}
+	tests := []struct {
+		name   string
+		input  input
+		output error
+	}{
+		{"nil client", input{nil, []Permission{}}, errors.New(Client_Error_Nil)},
+		{"user root@pam", input{pointerClient(Client{Username: "root@pam"}), []Permission{}}, nil},
+		{name: "direct permissions",
+			input: input{pointerClient(Client{permissions: map[permissionPath]privileges{
+				"/access/pve": {UserModify: privilegeTrue},
+			}}), []Permission{
+				{Category: PermissionCategory_Access, Item: "pve", Privileges: Privileges{UserModify: true}}}}},
+		{name: "propagate permissions",
+			input: input{pointerClient(Client{permissions: map[permissionPath]privileges{
+				"/access": {UserModify: privilegePropagate},
+			}}), []Permission{
+				{Category: PermissionCategory_Access, Item: "pve", Privileges: Privileges{UserModify: true}}}}},
+		{name: "missing permissions",
+			input: input{pointerClient(Client{permissions: map[permissionPath]privileges{
+				"/": {UserModify: privilegeTrue},
+			}}), []Permission{
+				{Category: PermissionCategory_Root, Privileges: Privileges{PoolAllocate: true}},
+			}},
+			output: Permission{Category: PermissionCategory_Root, Privileges: Privileges{PoolAllocate: true}}.error(),
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			require.Equal(t, test.output, test.input.client.CheckPermissions(test.input.perms))
+		})
+	}
+}
+
 func Test_Version_Greater(t *testing.T) {
 	type input struct {
 		a Version

diff --git a/proxmox/config_qemu.go b/proxmox/config_qemu.go
@@ -964,6 +964,9 @@ func (newConfig ConfigQemu) setAdvanced(currentConfig *ConfigQemu, rebootIfNeede
 		if err = resizeNewDisks(vmr, client, newConfig.Disks, nil); err != nil {
 			return
 		}
+		if err = client.insertCachedPermission(permissionPath(permissionCategory_GuestPath) + "/" + permissionPath(strconv.Itoa(vmr.vmId))); err != nil {
+			return
+		}
 	}
 
 	_, err = client.UpdateVMHA(vmr, newConfig.HaState, newConfig.HaGroup)