user.cfg: skip inexisting roles when parsing ACLs

we do the same for missing users, groups and tokens, and just like
groups, roles with an empty privilege set are explicitly allowed so
pre-generating placeholders is possible.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2020-01-21 13:54:18 +01:00 committed by Thomas Lamprecht
parent 66d1b61528
commit 21f523a5c1
4 changed files with 13 additions and 4 deletions


@ -1079,6 +1079,11 @@ sub parse_user_config {
next;
}
if (!$cfg->{roles}->{$role}) {
warn "user config - ignore invalid acl role '$role'\n";
next;
}
foreach my $ug (split_list($uglist)) {
my ($group) = $ug =~ m/^@(\S+)$/;
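Review bot: The new guard `if (!$cfg->{roles}->{$role})` tests truthiness rather than key presence, so it depends on every parsed role having a true value — presumably a hashref of privileges, which stays truthy even when empty, but the roles layout is not visible in this hunk. If that is the case, `exists` states the intent more directly and does not depend on the value: `if (!exists $cfg->{roles}->{$role}) {`. Either way the branch deserves a why-comment, since dropping the entry fails closed but also means the ACL line presumably disappears on the next write-back of the config: `# unknown role: drop the ACL entry (grants nothing, like missing users/groups/tokens) — it will not be preserved when the config is rewritten`. parse_user_config starts and ends outside the hunk.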


@ -821,13 +821,17 @@ my $tests = [
config => {
users => default_users_with([$default_cfg->{test_pam}]),
roles => default_roles(),
acl => default_acls_with([$default_cfg->{acl_missing_role}, $default_cfg->{acl_simple_user}]),
acl => default_acls_with([$default_cfg->{acl_simple_user}]),
},
raw => "".
$default_raw->{users}->{'root@pam'}."\n".
$default_raw->{users}->{'test_pam'}."\n\n\n\n\n".
$default_raw->{acl}->{'acl_simple_user'}."\n".
$default_raw->{acl}->{'acl_missing_role'}."\n",
expected_raw => "".
$default_raw->{users}->{'root@pam'}."\n".
$default_raw->{users}->{'test_pam'}."\n\n\n\n\n".
$default_raw->{acl}->{'acl_simple_user'}."\n",
},
{
name => "acl_complex_mixed",
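Review bot: The new `expected_raw` pins that the ACL line naming a missing role is dropped on write-back, but nothing in this diff exercises the other half of the commit message — that a role with an empty privilege set still counts as defined and keeps its ACL entries. A sibling case with a role line carrying no privileges plus an ACL referencing it, where `expected_raw` equals `raw`, would guard that. The `warn` emitted for the dropped entry is also not asserted here; if the harness does not already capture warnings, a `local $SIG{__WARN__}` collector in the runner could check for `ignore invalid acl role` so a silent drop cannot regress. The test entry's `name` line sits above the hunk.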


@ -55,10 +55,10 @@ check_roles('User2@pve', '/vms/100', 'RoleTEST1');
check_roles('User3@pve', '/vms/100', 'NoAccess');
check_roles('User4@pve', '/vms/100', '');
check_roles('User1@pve', '/vms/300', 'Role1');
check_roles('User1@pve', '/vms/300', 'RoleTEST1');
check_roles('User2@pve', '/vms/300', 'RoleTEST1');
check_roles('User3@pve', '/vms/300', 'NoAccess');
check_roles('User4@pve', '/vms/300', 'Role1');
check_roles('User4@pve', '/vms/300', 'RoleTEST1');
check_permissions('User1@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
check_permissions('User2@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
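Review bot: The expectations for User1@pve and User4@pve on /vms/300 switch between Role1 and RoleTEST1 (this page does not mark which side is old), matching the /vms/300 ACL change in test6.cfg in the same commit; if the motivation is that Role1 is not declared in that cfg, the edit only sidesteps the new skip rule rather than exercising it. A dedicated case with an ACL naming an undeclared role and an expectation of no roles on that path, e.g. `check_roles('User1@pve', '<path>', '');` alongside a matching cfg line, would pin the fail-closed outcome, and the warning text could be asserted as well. The surrounding run of check_roles/check_permissions calls continues outside the hunk.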


@ -15,7 +15,7 @@ acl:1:/pool/marketing:@MARKETING:RoleMARKETING:
acl:1:/vms:@DEVEL:RoleTEST1:
acl:1:/vms:User3@pve:NoAccess:
acl:1:/vms/300:@MARKETING:Role1:
acl:1:/vms/300:@MARKETING:RoleTEST1:
pool:devel:MITS development:500,501,502:store1 store2:
pool:marketing:MITS marketing:600:store1: