proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-06-12 19:39:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2d4050825d
proxmox/proxmox-access-control/src/cached_user_info.rs
Maximiliano Sandoval 72ab48eb55 fix typos in rust api documentation 
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
2024-07-22 08:49:42 +02:00

247 lines
7.3 KiB
Rust
Raw Blame History

//! Cached user info for fast ACL permission checks
use std::sync::{Arc, OnceLock, RwLock};
use anyhow::{bail, Error};
use proxmox_auth_api::types::{Authid, Userid};
use proxmox_router::UserInformation;
use proxmox_section_config::SectionConfigData;
use proxmox_time::epoch_i64;
use crate::acl::AclTree;
use crate::init::access_conf;
use crate::types::{ApiToken, User};
/// Cache User/Group/Token/Acl configuration data for fast permission tests
pub struct CachedUserInfo {
user_cfg: Arc<SectionConfigData>,
acl_tree: Arc<AclTree>,
}
struct ConfigCache {
data: Option<Arc<CachedUserInfo>>,
last_update: i64,
last_user_cache_generation: usize,
}
impl CachedUserInfo {
/// Returns a cached instance (up to 5 seconds old).
pub fn new() -> Result<Arc<Self>, Error> {
let now = epoch_i64();
let cache_generation = access_conf().cache_generation();
static CACHED_CONFIG: OnceLock<RwLock<ConfigCache>> = OnceLock::new();
let cached_config = CACHED_CONFIG.get_or_init(|| {
RwLock::new(ConfigCache {
data: None,
last_update: 0,
last_user_cache_generation: 0,
})
});
{
// limit scope
let cache = cached_config.read().unwrap();
if let Some(current_generation) = cache_generation {
if (current_generation == cache.last_user_cache_generation)
&& ((now - cache.last_update) < 5)
{
if let Some(ref config) = cache.data {
return Ok(config.clone());
}
}
}
}
let config = Arc::new(CachedUserInfo {
user_cfg: crate::user::cached_config()?,
acl_tree: crate::acl::cached_config()?,
});
let mut cache = cached_config.write().unwrap();
if let Some(current_generation) = cache_generation {
cache.last_user_cache_generation = current_generation;
}
cache.last_update = now;
cache.data = Some(config.clone());
Ok(config)
}
pub fn is_superuser(&self, auth_id: &Authid) -> bool {
access_conf().is_superuser(auth_id)
}
pub fn is_group_member(&self, user_id: &Userid, group: &str) -> bool {
access_conf().is_group_member(user_id, group)
}
/// Test if a user_id is enabled and not expired
pub fn is_active_user_id(&self, userid: &Userid) -> bool {
if let Ok(info) = self.user_cfg.lookup::<User>("user", userid.as_str()) {
info.is_active()
} else {
false
}
}
/// Test if a authentication id is enabled and not expired
pub fn is_active_auth_id(&self, auth_id: &Authid) -> bool {
let userid = auth_id.user();
if !self.is_active_user_id(userid) {
return false;
}
if auth_id.is_token() {
if let Ok(info) = self
.user_cfg
.lookup::<ApiToken>("token", &auth_id.to_string())
{
return info.is_active();
} else {
return false;
}
}
true
}
pub fn check_privs(
&self,
auth_id: &Authid,
path: &[&str],
required_privs: u64,
partial: bool,
) -> Result<(), Error> {
let privs = self.lookup_privs(auth_id, path);
let allowed = if partial {
(privs & required_privs) != 0
} else {
(privs & required_privs) == required_privs
};
if !allowed {
// printing the path doesn't leak any information as long as we
// always check privilege before resource existence
let priv_names = privs_to_priv_names(required_privs);
let priv_names = if partial {
priv_names.join("|")
} else {
priv_names.join("&")
};
bail!(
"missing permissions '{priv_names}' on '/{}'",
path.join("/")
);
}
Ok(())
}
pub fn lookup_privs(&self, auth_id: &Authid, path: &[&str]) -> u64 {
let (privs, _) = self.lookup_privs_details(auth_id, path);
privs
}
pub fn lookup_privs_details(&self, auth_id: &Authid, path: &[&str]) -> (u64, u64) {
if self.is_superuser(auth_id) {
let acm_config = access_conf();
if let Some(admin) = acm_config.role_admin() {
if let Some(admin) = acm_config.roles().get(admin) {
return (*admin, *admin);
}
}
}
let roles = self.acl_tree.roles(auth_id, path);
let mut privs: u64 = 0;
let mut propagated_privs: u64 = 0;
for (role, propagate) in roles {
if let Some(role_privs) = access_conf().roles().get(role.as_str()) {
if propagate {
propagated_privs |= role_privs;
}
privs |= role_privs;
}
}
if auth_id.is_token() {
// limit privs to that of owning user
let user_auth_id = Authid::from(auth_id.user().clone());
let (owner_privs, owner_propagated_privs) =
self.lookup_privs_details(&user_auth_id, path);
privs &= owner_privs;
propagated_privs &= owner_propagated_privs;
}
(privs, propagated_privs)
}
/// Checks whether the `auth_id` has any of the privileges `privs` on any object below `path`.
pub fn any_privs_below(
&self,
auth_id: &Authid,
path: &[&str],
privs: u64,
) -> Result<bool, Error> {
// if the anchor path itself has matching propagated privs, we skip checking children
let (_privs, propagated_privs) = self.lookup_privs_details(auth_id, path);
if propagated_privs & privs != 0 {
return Ok(true);
}
// get all sub-paths with roles defined for `auth_id`
let paths = self.acl_tree.get_child_paths(auth_id, path)?;
for path in paths.iter() {
// early return if any sub-path has any of the privs we are looking for
if privs & self.lookup_privs(auth_id, &[path.as_str()]) != 0 {
return Ok(true);
}
}
// no paths or no matching paths
Ok(false)
}
}
impl UserInformation for CachedUserInfo {
fn is_superuser(&self, userid: &str) -> bool {
if let Ok(authid) = userid.parse() {
return self.is_superuser(&authid);
}
false
}
fn is_group_member(&self, userid: &str, group: &str) -> bool {
if let Ok(userid) = userid.parse() {
return self.is_group_member(&userid, group);
}
false
}
fn lookup_privs(&self, auth_id: &str, path: &[&str]) -> u64 {
match auth_id.parse::<Authid>() {
Ok(auth_id) => Self::lookup_privs(self, &auth_id, path),
Err(_) => 0,
}
}
}
pub fn privs_to_priv_names(privs: u64) -> Vec<&'static str> {
access_conf()
.privileges()
.iter()
.fold(Vec::new(), |mut priv_names, (name, value)| {
if value & privs != 0 {
priv_names.push(name);
}
priv_names
})
}
Reference in New Issue View Git Blame Copy Permalink