Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: Dynamic permission checking. #315

Merged
merged 4 commits into from
Mar 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
116 changes: 107 additions & 9 deletions proxmox/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,14 +27,16 @@ const exitStatusSuccess = "OK"

// Client - URL, user and password to specific Proxmox node
type Client struct {
session *Session
ApiUrl string
Username string
Password string
Otp string
TaskTimeout int
version *Version
versionMutex *sync.Mutex
session *Session
ApiUrl string
Username string
Password string
Otp string
TaskTimeout int
permissionMutex *sync.Mutex
permissions map[permissionPath]privileges
version *Version
versionMutex *sync.Mutex
}

const (
Expand Down Expand Up @@ -112,7 +114,7 @@ func NewClient(apiUrl string, hclient *http.Client, http_headers string, tls *tl
return nil, err
}
if err_s == nil {
client = &Client{session: sess, ApiUrl: apiUrl, TaskTimeout: taskTimeout, versionMutex: &sync.Mutex{}}
client = &Client{session: sess, ApiUrl: apiUrl, TaskTimeout: taskTimeout, versionMutex: &sync.Mutex{}, permissionMutex: &sync.Mutex{}, permissions: make(map[permissionPath]privileges)}
}

return client, err_s
Expand Down Expand Up @@ -2227,6 +2229,102 @@ func (c *Client) CheckTask(resp *http.Response) (exitStatus string, err error) {
return c.WaitForCompletion(taskResponse)
}

// return a list of requested permissions from the cache for further processing
func (c *Client) cachedPermissions(paths []permissionPath) (map[permissionPath]privileges, error) {
c.permissionMutex.Lock()
defer c.permissionMutex.Unlock()
if c.permissions == nil {
permissionMap, err := c.getPermissions()
if err != nil {
return nil, err
}
c.permissions = permissionMap
}
extractedPermissions := make(map[permissionPath]privileges)
for _, path := range paths {
if permission, ok := c.permissions[path]; ok {
extractedPermissions[path] = permission
}
}
return extractedPermissions, nil
}

// Returns an error if the user does not have the required permissions on the given category and itme.
func (c *Client) CheckPermissions(perms []Permission) error {
for _, perm := range perms {
if err := perm.Validate(); err != nil {
return err
}
}
return c.checkPermissions(perms)
}

// internal function to check permissions, does not validate input.
func (c *Client) checkPermissions(perms []Permission) error {
if c == nil {
return errors.New(Client_Error_Nil)
}
if c.Username == "root@pam" { // no permissions check for root
return nil
}
permissions, err := c.cachedPermissions(Permission{}.buildPathList(perms))
if err != nil {
return err
}
for _, perm := range perms {
err = perm.check(permissions)
if err != nil {
return err
}
}
return nil
}

// inserts a permission into the cache, this is useful for when we create an item, as refreshing the whole cache is quite expensive.
func (c *Client) insertCachedPermission(path permissionPath) error {
rawPermissions, err := c.getPermissionsRaw()
if err != nil {
return err
}
if rawPrivileges, ok := rawPermissions[string(path)]; ok {
privileges := privileges{}.mapToSDK(rawPrivileges.(map[string]interface{}))
c.permissionMutex.Lock()
c.permissions[path] = privileges
c.permissionMutex.Unlock()
return nil
}
return nil
}

// get the users permissions from the cache and decodes them for the SDK
func (c *Client) getPermissions() (map[permissionPath]privileges, error) {
permissions, err := c.getPermissionsRaw()
if err != nil {
return nil, err
}
return permissionPath("").mapToSDK(permissions), nil
}

// returns the raw permissions from the API
func (c *Client) getPermissionsRaw() (map[string]interface{}, error) {
return c.GetItemConfigMapStringInterface("/access/permissions", "", "permissions")
}

// RefreshPermissions fetches the permissions from the API and updates the cache.
func (c *Client) RefreshPermissions() error {
if c == nil {
return errors.New(Client_Error_Nil)
}
tmpPermsissions, err := c.getPermissions()
if err != nil {
return err
}
c.permissionMutex.Lock()
c.permissions = tmpPermsissions
c.permissionMutex.Unlock()
return nil
}

// Returns the Client's cached version if it exists, otherwise fetches the version from the API.
func (c *Client) Version() (Version, error) {
if c == nil {
Expand Down
44 changes: 44 additions & 0 deletions proxmox/client_test.go
Original file line number Diff line number Diff line change
@@ -1,11 +1,55 @@
package proxmox

import (
"errors"
"sync"
"testing"

"github.com/stretchr/testify/require"
)

func Test_Client_CheckPermissions(t *testing.T) {
pointerClient := func(c Client) *Client {
c.permissionMutex = &sync.Mutex{}
return &c
}
type input struct {
client *Client
perms []Permission
}
tests := []struct {
name string
input input
output error
}{
{"nil client", input{nil, []Permission{}}, errors.New(Client_Error_Nil)},
{"user root@pam", input{pointerClient(Client{Username: "root@pam"}), []Permission{}}, nil},
{name: "direct permissions",
input: input{pointerClient(Client{permissions: map[permissionPath]privileges{
"/access/pve": {UserModify: privilegeTrue},
}}), []Permission{
{Category: PermissionCategory_Access, Item: "pve", Privileges: Privileges{UserModify: true}}}}},
{name: "propagate permissions",
input: input{pointerClient(Client{permissions: map[permissionPath]privileges{
"/access": {UserModify: privilegePropagate},
}}), []Permission{
{Category: PermissionCategory_Access, Item: "pve", Privileges: Privileges{UserModify: true}}}}},
{name: "missing permissions",
input: input{pointerClient(Client{permissions: map[permissionPath]privileges{
"/": {UserModify: privilegeTrue},
}}), []Permission{
{Category: PermissionCategory_Root, Privileges: Privileges{PoolAllocate: true}},
}},
output: Permission{Category: PermissionCategory_Root, Privileges: Privileges{PoolAllocate: true}}.error(),
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
require.Equal(t, test.output, test.input.client.CheckPermissions(test.input.perms))
})
}
}

func Test_Version_Greater(t *testing.T) {
type input struct {
a Version
Expand Down
3 changes: 3 additions & 0 deletions proxmox/config_qemu.go
Original file line number Diff line number Diff line change
Expand Up @@ -964,6 +964,9 @@ func (newConfig ConfigQemu) setAdvanced(currentConfig *ConfigQemu, rebootIfNeede
if err = resizeNewDisks(vmr, client, newConfig.Disks, nil); err != nil {
return
}
if err = client.insertCachedPermission(permissionPath(permissionCategory_GuestPath) + "/" + permissionPath(strconv.Itoa(vmr.vmId))); err != nil {
return
}
}

_, err = client.UpdateVMHA(vmr, newConfig.HaState, newConfig.HaGroup)
Expand Down
Loading
Loading