mirror of
https://git.proxmox.com/git/pve-access-control
synced 2025-07-16 09:36:14 +00:00
21f523a5c1
we do the same for missing users, groups and tokens, and just like groups, roles with an empty privilege set are explicitly allowed so pre-generating placeholders is possible. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
93 lines
2.9 KiB
Perl
Executable File
93 lines
2.9 KiB
Perl
Executable File
#!/usr/bin/perl -w
|
|
|
|
use strict;
|
|
use PVE::Tools;
|
|
use PVE::AccessControl;
|
|
use PVE::RPCEnvironment;
|
|
use Getopt::Long;
|
|
|
|
my $rpcenv = PVE::RPCEnvironment->init('cli');
|
|
|
|
my $cfgfn = "test6.cfg";
|
|
$rpcenv->init_request(userconfig => $cfgfn);
|
|
|
|
sub check_roles {
|
|
my ($user, $path, $expected_result) = @_;
|
|
|
|
my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
|
|
my $res = join(',', sort keys %$roles);
|
|
|
|
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
|
|
if $res ne $expected_result;
|
|
|
|
print "ROLES:$path:$user:$res\n";
|
|
}
|
|
|
|
sub check_permissions {
|
|
my ($user, $path, $expected_result) = @_;
|
|
|
|
my $perm = $rpcenv->permissions($user, $path);
|
|
my $res = join(',', sort keys %$perm);
|
|
|
|
die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
|
|
if $res ne $expected_result;
|
|
|
|
$perm = $rpcenv->permissions($user, $path);
|
|
$res = join(',', sort keys %$perm);
|
|
die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
|
|
if $res ne $expected_result;
|
|
|
|
print "PERM:$path:$user:$res\n";
|
|
}
|
|
|
|
check_roles('User1@pve', '', '');
|
|
check_roles('User2@pve', '', '');
|
|
check_roles('User3@pve', '', '');
|
|
check_roles('User4@pve', '', '');
|
|
|
|
check_roles('User1@pve', '/vms', 'RoleTEST1');
|
|
check_roles('User2@pve', '/vms', 'RoleTEST1');
|
|
check_roles('User3@pve', '/vms', 'NoAccess');
|
|
check_roles('User4@pve', '/vms', '');
|
|
|
|
check_roles('User1@pve', '/vms/100', 'RoleTEST1');
|
|
check_roles('User2@pve', '/vms/100', 'RoleTEST1');
|
|
check_roles('User3@pve', '/vms/100', 'NoAccess');
|
|
check_roles('User4@pve', '/vms/100', '');
|
|
|
|
check_roles('User1@pve', '/vms/300', 'RoleTEST1');
|
|
check_roles('User2@pve', '/vms/300', 'RoleTEST1');
|
|
check_roles('User3@pve', '/vms/300', 'NoAccess');
|
|
check_roles('User4@pve', '/vms/300', 'RoleTEST1');
|
|
|
|
check_permissions('User1@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
|
|
check_permissions('User2@pve', '/vms/500', 'VM.Console,VM.PowerMgmt');
|
|
# without pool
|
|
check_roles('User3@pve', '/vms/500', 'NoAccess');
|
|
# with pool
|
|
check_permissions('User3@pve', '/vms/500', '');
|
|
# without pool
|
|
check_roles('User4@pve', '/vms/500', '');
|
|
# with pool
|
|
check_permissions('User4@pve', '/vms/500', '');
|
|
|
|
|
|
check_permissions('User1@pve', '/vms/600', 'VM.Console');
|
|
check_permissions('User2@pve', '/vms/600', 'VM.Console');
|
|
check_permissions('User3@pve', '/vms/600', '');
|
|
check_permissions('User4@pve', '/vms/600', 'VM.Console');
|
|
|
|
check_permissions('User1@pve', '/storage/store1', 'VM.Console,VM.PowerMgmt');
|
|
check_permissions('User2@pve', '/storage/store1', 'VM.PowerMgmt');
|
|
check_permissions('User3@pve', '/storage/store1', 'VM.PowerMgmt');
|
|
check_permissions('User4@pve', '/storage/store1', 'VM.Console');
|
|
|
|
check_permissions('User1@pve', '/storage/store2', 'VM.PowerMgmt');
|
|
check_permissions('User2@pve', '/storage/store2', 'VM.PowerMgmt');
|
|
check_permissions('User3@pve', '/storage/store2', 'VM.PowerMgmt');
|
|
check_permissions('User4@pve', '/storage/store2', '');
|
|
|
|
print "all tests passed\n";
|
|
|
|
exit (0);
|