proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-08-08 11:12:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

API: include API tokens in ACL API endpoints

Browse Source 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2020-01-21 13:54:08 +01:00 committed by Thomas Lamprecht
parent 72c4589c33
commit 6b5736d572
1 changed files with 22 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
PVE/API2/ACL.pm
View File

@ -46,7 +46,7 @@ __PACKAGE__->register_method ({
properties => { properties => {
propagate => get_standard_option('acl-propagate'), propagate => get_standard_option('acl-propagate'),
path => get_standard_option('acl-path'), path => get_standard_option('acl-path'),
type => { type => 'string', enum => ['user', 'group'] }, type => { type => 'string', enum => ['user', 'group', 'token'] },
ugid => { type => 'string' }, ugid => { type => 'string' },
roleid => { type => 'string' }, roleid => { type => 'string' },
}, },
@ -68,8 +68,8 @@ __PACKAGE__->register_method ({
my $acl = $usercfg->{acl}; my $acl = $usercfg->{acl};
foreach my $path (keys %$acl) { foreach my $path (keys %$acl) {
foreach my $type (qw(users groups)) { foreach my $type (qw(user group token)) {
my $d = $acl->{$path}->{$type}; my $d = $acl->{$path}->{"${type}s"};
next if !$d; next if !$d;
next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1)); next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
foreach my $id (keys %$d) { foreach my $id (keys %$d) {
@ -77,7 +77,7 @@ __PACKAGE__->register_method ({
my $propagate = $d->{$id}->{$role}; my $propagate = $d->{$id}->{$role};
push @$res, { push @$res, {
path => $path, path => $path,
type => $type eq 'groups' ? 'group' : 'user', type => $type,
ugid => $id, ugid => $id,
roleid => $role, roleid => $role,
propagate => $propagate, propagate => $propagate,
@ -114,6 +114,11 @@ __PACKAGE__->register_method ({
type => 'string', format => 'pve-groupid-list', type => 'string', format => 'pve-groupid-list',
optional => 1, optional => 1,
}, },
tokens => {
description => "List of API tokens.",
type => 'string', format => 'pve-tokenid-list',
optional => 1,
},
roles => { roles => {
description => "List of roles.", description => "List of roles.",
type => 'string', format => 'pve-roleid-list', type => 'string', format => 'pve-roleid-list',
@ -129,10 +134,8 @@ __PACKAGE__->register_method ({
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
if (!($param->{users} || $param->{groups})) { if (!($param->{users} || $param->{groups} || $param->{tokens})) {
raise_param_exc({ raise_param_exc({ map { $_ => "either 'users', 'groups' or 'tokens' is required." } qw(users groups tokens) });
users => "either 'users' or 'groups' is required.",
groups => "either 'users' or 'groups' is required." });
} }
my $path = PVE::AccessControl::normalize_path($param->{path}); my $path = PVE::AccessControl::normalize_path($param->{path});
@ -177,6 +180,17 @@ __PACKAGE__->register_method ({
$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate; $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
} }
} }
foreach my $tokenid (split_list($param->{tokens})) {
my ($username, $token) = PVE::AccessControl::split_tokenid($tokenid);
PVE::AccessControl::check_token_exist($cfg, $username, $token);
if ($param->{delete}) {
delete $cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role};
} else {
$cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role} = $propagate;
}
}
} }
cfs_write_file("user.cfg", $cfg); cfs_write_file("user.cfg", $cfg);