From b9b2d635fe10d23b8e89522a65b2c463692302d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Tue, 24 May 2022 11:03:57 +0200 Subject: [PATCH] sync job: fix worker ID parsing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit the namespace is optional, but should be captured to allow ACL checks for unprivileged non-job-owners. also add FIXME for other job types and workers that (might) need updating. Signed-off-by: Fabian Grünbichler --- pbs-api-types/src/jobs.rs | 2 +- src/api2/backup/mod.rs | 1 + src/api2/node/tasks.rs | 1 + src/api2/pull.rs | 1 + src/api2/reader/mod.rs | 1 + src/server/prune_job.rs | 1 + src/server/verify_job.rs | 1 + 7 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pbs-api-types/src/jobs.rs b/pbs-api-types/src/jobs.rs index ed3d5a52..71bd6789 100644 --- a/pbs-api-types/src/jobs.rs +++ b/pbs-api-types/src/jobs.rs @@ -18,7 +18,7 @@ const_regex! { /// Regex for verification jobs 'DATASTORE:ACTUAL_JOB_ID' pub VERIFICATION_JOB_WORKER_ID_REGEX = concat!(r"^(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):"); /// Regex for sync jobs 'REMOTE:REMOTE_DATASTORE:LOCAL_DATASTORE:(?:LOCAL_NS_ANCHOR:)ACTUAL_JOB_ID' - pub SYNC_JOB_WORKER_ID_REGEX = concat!(r"^(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(?:", BACKUP_NS_RE!(), r"):"); + pub SYNC_JOB_WORKER_ID_REGEX = concat!(r"^(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r"):(", PROXMOX_SAFE_ID_REGEX_STR!(), r")(?::(", BACKUP_NS_RE!(), r"))?:"); } pub const JOB_ID_SCHEMA: Schema = StringSchema::new("Job ID.") diff --git a/src/api2/backup/mod.rs b/src/api2/backup/mod.rs index 56f7670f..7be975c2 100644 --- a/src/api2/backup/mod.rs +++ b/src/api2/backup/mod.rs 
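Review bot: The doc comment kept as context above `SYNC_JOB_WORKER_ID_REGEX` still shows the namespace as `(?:LOCAL_NS_ANCHOR:)`, which no longer matches the pattern: the namespace is now an optional capture, so group 4 is absent for worker IDs that carry none. Since the commit message says this capture feeds ACL checks for non-owners, I would spell the contract out, e.g. `/// Regex for sync jobs 'REMOTE:REMOTE_DATASTORE:LOCAL_DATASTORE[:LOCAL_NAMESPACE]:ACTUAL_JOB_ID'; capture 4 is the namespace, unset when omitted`. The pattern also stays open after the final `:`, so telling a namespace from a job ID relies on the job ID never containing `:`. If that holds (the job ID format is not visible in this hunk), ending the pattern with `r"))?:(?:", PROXMOX_SAFE_ID_REGEX_STR!(), r")$"` would make the parse unambiguous. A unit test covering an ID with and without a namespace would pin the group numbering that the privilege check depends on.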
@@ -117,6 +117,7 @@ fn upgrade_to_backup_protocol( proxmox_router::http_bail!(NOT_FOUND, "namespace not found"); } + // FIXME: include namespace here? let worker_id = format!("{}:{}/{}", store, backup_dir_arg.ty(), backup_dir_arg.id()); let env_type = rpcenv.env_type(); diff --git a/src/api2/node/tasks.rs b/src/api2/node/tasks.rs index 9cd50e0e..592e927d 100644 --- a/src/api2/node/tasks.rs +++ b/src/api2/node/tasks.rs @@ -22,6 +22,7 @@ use proxmox_rest_server::{upid_log_path, upid_read_status, TaskListInfoIterator, // matches respective job execution privileges fn check_job_privs(auth_id: &Authid, user_info: &CachedUserInfo, upid: &UPID) -> Result<(), Error> { match (upid.worker_type.as_str(), &upid.worker_id) { + // FIXME: parse namespace here? ("verificationjob", Some(workerid)) => { if let Some(captures) = VERIFICATION_JOB_WORKER_ID_REGEX.captures(workerid) { if let Some(store) = captures.get(1) { diff --git a/src/api2/pull.rs b/src/api2/pull.rs index f3300567..e05e946e 100644 --- a/src/api2/pull.rs +++ b/src/api2/pull.rs @@ -263,6 +263,7 @@ async fn pull( let client = pull_params.client().await?; // fixme: set to_stdout to false? + // FIXME: add namespace to worker id? let upid_str = WorkerTask::spawn( "sync", Some(store.clone()), diff --git a/src/api2/reader/mod.rs b/src/api2/reader/mod.rs index 910ddddc..b9f1969a 100644 --- a/src/api2/reader/mod.rs +++ b/src/api2/reader/mod.rs @@ -134,6 +134,7 @@ fn upgrade_to_backup_reader_protocol( //let files = BackupInfo::list_files(&path, &backup_dir)?; + // FIXME: include namespace here? let worker_id = format!( "{}:{}/{}/{:08X}", store, diff --git a/src/server/prune_job.rs b/src/server/prune_job.rs index 01947bc3..2835d79d 100644 --- a/src/server/prune_job.rs +++ b/src/server/prune_job.rs 
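Review bot: The added `// FIXME: include namespace here?` does not say what depends on the answer: the `worker_id` built on the next line is `store:type/id`, so backup sessions for same-named groups in different namespaces share one worker ID. I would record that in the comment, e.g. `// FIXME: worker_id lacks the namespace, so tasks for the same group in different namespaces cannot be told apart; adding it changes the ID format for every parser of it`. The same wording would fit the FIXMEs added in src/api2/reader/mod.rs and src/api2/pull.rs. upgrade_to_backup_protocol starts and ends outside this hunk.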
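Review bot: The `// FIXME: parse namespace here?` on the `verificationjob` arm of check_job_privs leaves out what the privilege check does in the meantime. `VERIFICATION_JOB_WORKER_ID_REGEX` captures only the datastore and src/server/verify_job.rs builds the ID as `store:jobname`, so this arm can only decide at datastore granularity. I would state that, e.g. `// FIXME: worker ID carries no namespace, so this check is datastore-wide; change together with do_verification_job`. When the format does change, IDs this arm cannot parse should keep being rejected rather than allowed; the rest of the match is outside the hunk, so I cannot tell whether that is already the case.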
@@ -115,6 +115,7 @@ pub fn do_prune_job( let worker_type = job.jobtype().to_string(); let auth_id = auth_id.clone(); + // TODO include namespace info here once this becomes namespace-aware/configurable let worker_id = format!("{store}"); let upid_str = WorkerTask::new_thread( &worker_type, diff --git a/src/server/verify_job.rs b/src/server/verify_job.rs index a861cd31..64584e3d 100644 --- a/src/server/verify_job.rs +++ b/src/server/verify_job.rs @@ -25,6 +25,7 @@ pub fn do_verification_job( let (email, notify) = crate::server::lookup_datastore_notify_settings(&verification_job.store); + // FIXME encode namespace here for filter/ACL check? let job_id = format!("{}:{}", &verification_job.store, job.jobname()); let worker_type = job.jobtype().to_string(); let upid_str = WorkerTask::new_thread(
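Review bot: The marker here is `// TODO include namespace info …`, while the other comments added by this commit use `// FIXME:` (backup/mod.rs, tasks.rs, pull.rs, reader/mod.rs) and verify_job.rs uses `// FIXME` without a colon. They all track the same follow-up, namespace information in worker IDs that task filtering and ACL checks rely on. One greppable form would keep any of them from being missed, e.g. `// FIXME: include namespace info here once this becomes namespace-aware/configurable`. do_prune_job continues outside the hunk.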