mirror of
https://git.proxmox.com/git/pve-access-control
synced 2025-06-14 13:46:04 +00:00
rpcenv: drop unused roles()
it was useful for test-cases to verify the behaviour when pools where introduced, but it is not used anywhere else in the code base and those tests can also just check on permission-level. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler
Thomas Lamprecht
parent
3443faca75
commit
a31f1d85f9
@ -1221,7 +1221,7 @@ sub roles {
|
||||
my ($cfg, $user, $path) = @_;
|
||||
|
||||
# NOTE: we do not consider pools here.
|
||||
# You need to use $rpcenv->roles() instead if you want that.
|
||||
# Use $rpcenv->permission() for any actual permission checks!
|
||||
|
||||
return 'Administrator' if $user eq 'root@pam'; # root can do anything
|
||||
|
||||
|
||||
@ -81,29 +81,6 @@ my $compile_acl_path = sub {
|
||||
return $privs;
|
||||
};
|
||||
|
||||
sub roles {
|
||||
my ($self, $user, $path) = @_;
|
||||
|
||||
if ($user eq 'root@pam') { # root can do anything
|
||||
return ('Administrator');
|
||||
}
|
||||
|
||||
$user = PVE::AccessControl::verify_username($user, 1);
|
||||
return () if !$user;
|
||||
|
||||
my $cache = $self->{aclcache};
|
||||
$cache->{$user} = {} if !$cache->{$user};
|
||||
|
||||
my $acl = $cache->{$user};
|
||||
|
||||
my $roles = $acl->{roles}->{$path};
|
||||
return @$roles if $roles;
|
||||
|
||||
&$compile_acl_path($self, $user, $path);
|
||||
$roles = $acl->{roles}->{$path} || [];
|
||||
return @$roles;
|
||||
}
|
||||
|
||||
sub permissions {
|
||||
my ($self, $user, $path) = @_;
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ $rpcenv->init_request(userconfig => $cfgfn);
|
||||
sub check_roles {
|
||||
my ($user, $path, $expected_result) = @_;
|
||||
|
||||
my @ra = $rpcenv->roles($user, $path);
|
||||
my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
|
||||
my $res = join(',', sort @ra);
|
||||
|
||||
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
|
||||
|
||||
@ -14,7 +14,7 @@ $rpcenv->init_request(userconfig => $cfgfn);
|
||||
sub check_roles {
|
||||
my ($user, $path, $expected_result) = @_;
|
||||
|
||||
my @ra = $rpcenv->roles($user, $path);
|
||||
my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
|
||||
my $res = join(',', sort @ra);
|
||||
|
||||
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
|
||||
@ -23,6 +23,23 @@ sub check_roles {
|
||||
print "ROLES:$path:$user:$res\n";
|
||||
}
|
||||
|
||||
sub check_permissions {
|
||||
my ($user, $path, $expected_result) = @_;
|
||||
|
||||
my $perm = $rpcenv->permissions($user, $path);
|
||||
my $res = join(',', sort keys %$perm);
|
||||
|
||||
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
|
||||
if $res ne $expected_result;
|
||||
|
||||
$perm = $rpcenv->permissions($user, $path);
|
||||
$res = join(',', sort keys %$perm);
|
||||
die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
|
||||
if $res ne $expected_result;
|
||||
|
||||
print "PERM:$path:$user:$res\n";
|
||||
}
|
||||
|
||||
check_roles('User1@pve', '', '');
|
||||
check_roles('User2@pve', '', '');
|
||||
check_roles('User3@pve', '', '');
|
||||
@ -43,25 +60,32 @@ check_roles('User2@pve', '/vms/300', 'RoleTEST1');
|
||||
check_roles('User3@pve', '/vms/300', 'NoAccess');
|
||||
check_roles('User4@pve', '/vms/300', 'Role1');
|
||||
|
||||
check_roles('User1@pve', '/vms/500', 'RoleDEVEL,RoleTEST1');
|
||||
check_roles('User2@pve', '/vms/500', 'RoleDEVEL,RoleTEST1');
|
||||
check_permissions('User1@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
|
||||
check_permissions('User2@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
|
||||
# without pool
|
||||
check_roles('User3@pve', '/vms/500', 'NoAccess');
|
||||
# with pool
|
||||
check_permissions('User3@pve', '/vms/500', '');
|
||||
# without pool
|
||||
check_roles('User4@pve', '/vms/500', '');
|
||||
# with pool
|
||||
check_permissions('User4@pve', '/vms/500', '');
|
||||
|
||||
check_roles('User1@pve', '/vms/600', 'RoleMARKETING,RoleTEST1');
|
||||
check_roles('User2@pve', '/vms/600', 'RoleTEST1');
|
||||
check_roles('User3@pve', '/vms/600', 'NoAccess');
|
||||
check_roles('User4@pve', '/vms/600', 'RoleMARKETING');
|
||||
|
||||
check_roles('User1@pve', '/storage/store1', 'RoleDEVEL,RoleMARKETING');
|
||||
check_roles('User2@pve', '/storage/store1', 'RoleDEVEL');
|
||||
check_roles('User3@pve', '/storage/store1', 'RoleDEVEL');
|
||||
check_roles('User4@pve', '/storage/store1', 'RoleMARKETING');
|
||||
check_permissions('User1@pve', '/vms/600', 'VM.Console');
|
||||
check_permissions('User2@pve', '/vms/600', 'VM.Console');
|
||||
check_permissions('User3@pve', '/vms/600', '');
|
||||
check_permissions('User4@pve', '/vms/600', 'VM.Console');
|
||||
|
||||
check_roles('User1@pve', '/storage/store2', 'RoleDEVEL');
|
||||
check_roles('User2@pve', '/storage/store2', 'RoleDEVEL');
|
||||
check_roles('User3@pve', '/storage/store2', 'RoleDEVEL');
|
||||
check_roles('User4@pve', '/storage/store2', '');
|
||||
check_permissions('User1@pve', '/storage/store1', 'VM.Console,VM.PowerMgmt');
|
||||
check_permissions('User2@pve', '/storage/store1', 'VM.PowerMgmt');
|
||||
check_permissions('User3@pve', '/storage/store1', 'VM.PowerMgmt');
|
||||
check_permissions('User4@pve', '/storage/store1', 'VM.Console');
|
||||
|
||||
check_permissions('User1@pve', '/storage/store2', 'VM.PowerMgmt');
|
||||
check_permissions('User2@pve', '/storage/store2', 'VM.PowerMgmt');
|
||||
check_permissions('User3@pve', '/storage/store2', 'VM.PowerMgmt');
|
||||
check_permissions('User4@pve', '/storage/store2', '');
|
||||
|
||||
print "all tests passed\n";
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ $rpcenv->init_request(userconfig => $cfgfn);
|
||||
sub check_roles {
|
||||
my ($user, $path, $expected_result) = @_;
|
||||
|
||||
my @ra = $rpcenv->roles($user, $path);
|
||||
my @ra = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
|
||||
my $res = join(',', sort @ra);
|
||||
|
||||
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
|
||||
@ -23,10 +23,30 @@ sub check_roles {
|
||||
print "ROLES:$path:$user:$res\n";
|
||||
}
|
||||
|
||||
sub check_permissions {
|
||||
my ($user, $path, $expected_result) = @_;
|
||||
|
||||
my $perm = $rpcenv->permissions($user, $path);
|
||||
my $res = join(',', sort keys %$perm);
|
||||
|
||||
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
|
||||
if $res ne $expected_result;
|
||||
|
||||
$perm = $rpcenv->permissions($user, $path);
|
||||
$res = join(',', sort keys %$perm);
|
||||
die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
|
||||
if $res ne $expected_result;
|
||||
|
||||
print "PERM:$path:$user:$res\n";
|
||||
}
|
||||
|
||||
check_roles('User1@pve', '/vms', 'Role1');
|
||||
check_roles('User1@pve', '/vms/200', 'Role1');
|
||||
check_roles('User1@pve', '/vms/100', 'NoAccess');
|
||||
|
||||
# no pool
|
||||
check_roles('User1@pve', '/vms/100', 'Role1');
|
||||
# with pool
|
||||
check_permissions('User1@pve', '/vms/100', '');
|
||||
|
||||
print "all tests passed\n";
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user