access-control: factor out user config handling
this commit factors out the user config. it also add two new functions to the `AccessControlConfig` trait to handle caching in a more generalized way. Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
This commit is contained in:
parent
ed6a17cec9
commit
84537a02b1
@ -127,6 +127,7 @@ proxmox-router = { version = "2.1.3", path = "proxmox-router" }
|
||||
proxmox-schema = { version = "3.1.1", path = "proxmox-schema" }
|
||||
proxmox-section-config = { version = "2.0.0", path = "proxmox-section-config" }
|
||||
proxmox-serde = { version = "0.1.1", path = "proxmox-serde", features = [ "serde_json" ] }
|
||||
proxmox-shared-memory = { version = "0.3.0", path = "proxmox-shared-memory" }
|
||||
proxmox-sortable-macro = { version = "0.1.3", path = "proxmox-sortable-macro" }
|
||||
proxmox-sys = { version = "0.5.5", path = "proxmox-sys" }
|
||||
proxmox-tfa = { version = "4.0.4", path = "proxmox-tfa" }
|
||||
|
@ -21,7 +21,10 @@ serde_json.workspace = true
|
||||
|
||||
# proxmox-notify.workspace = true
|
||||
proxmox-auth-api = { workspace = true, features = [ "api-types" ] }
|
||||
proxmox-router = { workspace = true }
|
||||
proxmox-schema.workspace = true
|
||||
proxmox-section-config.workspace = true
|
||||
proxmox-product-config.workspace = true
|
||||
proxmox-shared-memory.workspace = true
|
||||
proxmox-sys = { workspace = true, features = [ "crypt" ] }
|
||||
proxmox-time.workspace = true
|
||||
|
@ -665,6 +665,10 @@ mod test {
|
||||
&self.roles
|
||||
}
|
||||
|
||||
fn privileges(&self) -> &HashMap<&str, u64> {
|
||||
unreachable!("acl tests don't need privileges")
|
||||
}
|
||||
|
||||
fn role_no_access(&self) -> Option<&'static str> {
|
||||
Some("NoAccess")
|
||||
}
|
||||
|
246
proxmox-access-control/src/cached_user_info.rs
Normal file
246
proxmox-access-control/src/cached_user_info.rs
Normal file
@ -0,0 +1,246 @@
|
||||
//! Cached user info for fast ACL permission checks
|
||||
|
||||
use std::sync::{Arc, OnceLock, RwLock};
|
||||
|
||||
use anyhow::{bail, Error};
|
||||
|
||||
use proxmox_auth_api::types::{Authid, Userid};
|
||||
use proxmox_router::UserInformation;
|
||||
use proxmox_section_config::SectionConfigData;
|
||||
use proxmox_time::epoch_i64;
|
||||
|
||||
use crate::acl::AclTree;
|
||||
use crate::init::access_conf;
|
||||
use crate::types::{ApiToken, User};
|
||||
|
||||
/// Cache User/Group/Token/Acl configuration data for fast permission tests
|
||||
pub struct CachedUserInfo {
|
||||
user_cfg: Arc<SectionConfigData>,
|
||||
acl_tree: Arc<AclTree>,
|
||||
}
|
||||
|
||||
struct ConfigCache {
|
||||
data: Option<Arc<CachedUserInfo>>,
|
||||
last_update: i64,
|
||||
last_user_cache_generation: usize,
|
||||
}
|
||||
|
||||
impl CachedUserInfo {
|
||||
/// Returns a cached instance (up to 5 seconds old).
|
||||
pub fn new() -> Result<Arc<Self>, Error> {
|
||||
let now = epoch_i64();
|
||||
|
||||
let cache_generation = access_conf().cache_generation();
|
||||
|
||||
static CACHED_CONFIG: OnceLock<RwLock<ConfigCache>> = OnceLock::new();
|
||||
let cached_config = CACHED_CONFIG.get_or_init(|| {
|
||||
RwLock::new(ConfigCache {
|
||||
data: None,
|
||||
last_update: 0,
|
||||
last_user_cache_generation: 0,
|
||||
})
|
||||
});
|
||||
|
||||
{
|
||||
// limit scope
|
||||
let cache = cached_config.read().unwrap();
|
||||
if let Some(current_generation) = cache_generation {
|
||||
if (current_generation == cache.last_user_cache_generation)
|
||||
&& ((now - cache.last_update) < 5)
|
||||
{
|
||||
if let Some(ref config) = cache.data {
|
||||
return Ok(config.clone());
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
let config = Arc::new(CachedUserInfo {
|
||||
user_cfg: crate::user::cached_config()?,
|
||||
acl_tree: crate::acl::cached_config()?,
|
||||
});
|
||||
|
||||
let mut cache = cached_config.write().unwrap();
|
||||
|
||||
if let Some(current_generation) = cache_generation {
|
||||
cache.last_user_cache_generation = current_generation;
|
||||
}
|
||||
|
||||
cache.last_update = now;
|
||||
cache.data = Some(config.clone());
|
||||
|
||||
Ok(config)
|
||||
}
|
||||
|
||||
pub fn is_superuser(&self, auth_id: &Authid) -> bool {
|
||||
access_conf().is_superuser(auth_id)
|
||||
}
|
||||
|
||||
pub fn is_group_member(&self, user_id: &Userid, group: &str) -> bool {
|
||||
access_conf().is_group_member(user_id, group)
|
||||
}
|
||||
|
||||
/// Test if a user_id is enabled and not expired
|
||||
pub fn is_active_user_id(&self, userid: &Userid) -> bool {
|
||||
if let Ok(info) = self.user_cfg.lookup::<User>("user", userid.as_str()) {
|
||||
info.is_active()
|
||||
} else {
|
||||
false
|
||||
}
|
||||
}
|
||||
|
||||
/// Test if a authentication id is enabled and not expired
|
||||
pub fn is_active_auth_id(&self, auth_id: &Authid) -> bool {
|
||||
let userid = auth_id.user();
|
||||
|
||||
if !self.is_active_user_id(userid) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if auth_id.is_token() {
|
||||
if let Ok(info) = self
|
||||
.user_cfg
|
||||
.lookup::<ApiToken>("token", &auth_id.to_string())
|
||||
{
|
||||
return info.is_active();
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
true
|
||||
}
|
||||
|
||||
pub fn check_privs(
|
||||
&self,
|
||||
auth_id: &Authid,
|
||||
path: &[&str],
|
||||
required_privs: u64,
|
||||
partial: bool,
|
||||
) -> Result<(), Error> {
|
||||
let privs = self.lookup_privs(auth_id, path);
|
||||
let allowed = if partial {
|
||||
(privs & required_privs) != 0
|
||||
} else {
|
||||
(privs & required_privs) == required_privs
|
||||
};
|
||||
if !allowed {
|
||||
// printing the path doesn't leak any information as long as we
|
||||
// always check privilege before resource existence
|
||||
let priv_names = privs_to_priv_names(required_privs);
|
||||
let priv_names = if partial {
|
||||
priv_names.join("|")
|
||||
} else {
|
||||
priv_names.join("&")
|
||||
};
|
||||
bail!(
|
||||
"missing permissions '{priv_names}' on '/{}'",
|
||||
path.join("/")
|
||||
);
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn lookup_privs(&self, auth_id: &Authid, path: &[&str]) -> u64 {
|
||||
let (privs, _) = self.lookup_privs_details(auth_id, path);
|
||||
privs
|
||||
}
|
||||
|
||||
pub fn lookup_privs_details(&self, auth_id: &Authid, path: &[&str]) -> (u64, u64) {
|
||||
if self.is_superuser(auth_id) {
|
||||
let acm_config = access_conf();
|
||||
if let Some(admin) = acm_config.role_admin() {
|
||||
if let Some(admin) = acm_config.roles().get(admin) {
|
||||
return (*admin, *admin);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
let roles = self.acl_tree.roles(auth_id, path);
|
||||
let mut privs: u64 = 0;
|
||||
let mut propagated_privs: u64 = 0;
|
||||
for (role, propagate) in roles {
|
||||
if let Some(role_privs) = access_conf().roles().get(role.as_str()) {
|
||||
if propagate {
|
||||
propagated_privs |= role_privs;
|
||||
}
|
||||
privs |= role_privs;
|
||||
}
|
||||
}
|
||||
|
||||
if auth_id.is_token() {
|
||||
// limit privs to that of owning user
|
||||
let user_auth_id = Authid::from(auth_id.user().clone());
|
||||
let (owner_privs, owner_propagated_privs) =
|
||||
self.lookup_privs_details(&user_auth_id, path);
|
||||
privs &= owner_privs;
|
||||
propagated_privs &= owner_propagated_privs;
|
||||
}
|
||||
|
||||
(privs, propagated_privs)
|
||||
}
|
||||
|
||||
/// Checks whether the `auth_id` has any of the privilegs `privs` on any object below `path`.
|
||||
pub fn any_privs_below(
|
||||
&self,
|
||||
auth_id: &Authid,
|
||||
path: &[&str],
|
||||
privs: u64,
|
||||
) -> Result<bool, Error> {
|
||||
// if the anchor path itself has matching propagated privs, we skip checking children
|
||||
let (_privs, propagated_privs) = self.lookup_privs_details(auth_id, path);
|
||||
if propagated_privs & privs != 0 {
|
||||
return Ok(true);
|
||||
}
|
||||
|
||||
// get all sub-paths with roles defined for `auth_id`
|
||||
let paths = self.acl_tree.get_child_paths(auth_id, path)?;
|
||||
|
||||
for path in paths.iter() {
|
||||
// early return if any sub-path has any of the privs we are looking for
|
||||
if privs & self.lookup_privs(auth_id, &[path.as_str()]) != 0 {
|
||||
return Ok(true);
|
||||
}
|
||||
}
|
||||
|
||||
// no paths or no matching paths
|
||||
Ok(false)
|
||||
}
|
||||
}
|
||||
|
||||
impl UserInformation for CachedUserInfo {
|
||||
fn is_superuser(&self, userid: &str) -> bool {
|
||||
if let Ok(authid) = userid.parse() {
|
||||
return self.is_superuser(&authid);
|
||||
}
|
||||
|
||||
false
|
||||
}
|
||||
|
||||
fn is_group_member(&self, userid: &str, group: &str) -> bool {
|
||||
if let Ok(userid) = userid.parse() {
|
||||
return self.is_group_member(&userid, group);
|
||||
}
|
||||
|
||||
false
|
||||
}
|
||||
|
||||
fn lookup_privs(&self, auth_id: &str, path: &[&str]) -> u64 {
|
||||
match auth_id.parse::<Authid>() {
|
||||
Ok(auth_id) => Self::lookup_privs(self, &auth_id, path),
|
||||
Err(_) => 0,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub fn privs_to_priv_names(privs: u64) -> Vec<&'static str> {
|
||||
access_conf()
|
||||
.privileges()
|
||||
.iter()
|
||||
.fold(Vec::new(), |mut priv_names, (name, value)| {
|
||||
if value & privs != 0 {
|
||||
priv_names.push(name);
|
||||
}
|
||||
priv_names
|
||||
})
|
||||
}
|
@ -1,4 +1,5 @@
|
||||
use anyhow::{format_err, Error};
|
||||
use proxmox_auth_api::types::{Authid, Userid};
|
||||
use std::{
|
||||
collections::HashMap,
|
||||
path::{Path, PathBuf},
|
||||
@ -17,6 +18,39 @@ pub trait AccessControlConfig: Send + Sync {
|
||||
/// Returns a mapping of all recognized roles and their corresponding `u64` value.
|
||||
fn roles(&self) -> &HashMap<&str, u64>;
|
||||
|
||||
/// Checks whether an `Authid` has super user privileges or not.
|
||||
///
|
||||
/// Default: Always returns `false`.
|
||||
fn is_superuser(&self, _auth_id: &Authid) -> bool {
|
||||
false
|
||||
}
|
||||
|
||||
/// Checks whether a user is part of a group.
|
||||
///
|
||||
/// Default: Always returns `false`.
|
||||
fn is_group_member(&self, _user_id: &Userid, _group: &str) -> bool {
|
||||
false
|
||||
}
|
||||
|
||||
/// Returns the current cache generation of the user and acl configs. If the generation was
|
||||
/// incremented since the last time the cache was queried, the configs are loaded again from
|
||||
/// disk.
|
||||
///
|
||||
/// Returning `None` will always reload the cache.
|
||||
///
|
||||
/// Default: Always returns `None`.
|
||||
fn cache_generation(&self) -> Option<usize> {
|
||||
None
|
||||
}
|
||||
|
||||
/// Increment the cache generation of user and acl configs. This indicates that they were
|
||||
/// changed on disk.
|
||||
///
|
||||
/// Default: Does nothing.
|
||||
fn increment_cache_generation(&self) -> Result<(), Error> {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Optionally returns a role that has no access to any resource.
|
||||
///
|
||||
/// Default: Returns `None`.
|
||||
@ -72,6 +106,14 @@ pub(crate) fn acl_config_lock() -> PathBuf {
|
||||
conf_dir().join(".acl.lck")
|
||||
}
|
||||
|
||||
pub(crate) fn user_config() -> PathBuf {
|
||||
conf_dir().join("user.cfg")
|
||||
}
|
||||
|
||||
pub(crate) fn user_config_lock() -> PathBuf {
|
||||
conf_dir().join(".user.lck")
|
||||
}
|
||||
|
||||
pub(crate) fn token_shadow() -> PathBuf {
|
||||
conf_dir().join("token.shadow")
|
||||
}
|
||||
|
@ -2,3 +2,7 @@ pub mod acl;
|
||||
pub mod init;
|
||||
pub mod token_shadow;
|
||||
pub mod types;
|
||||
pub mod user;
|
||||
|
||||
mod cached_user_info;
|
||||
pub use cached_user_info::CachedUserInfo;
|
||||
|
180
proxmox-access-control/src/user.rs
Normal file
180
proxmox-access-control/src/user.rs
Normal file
@ -0,0 +1,180 @@
|
||||
use std::collections::HashMap;
|
||||
use std::sync::{Arc, OnceLock, RwLock};
|
||||
|
||||
use anyhow::{bail, Error};
|
||||
|
||||
use proxmox_auth_api::types::Authid;
|
||||
use proxmox_product_config::{open_api_lockfile, replace_privileged_config, ApiLockGuard};
|
||||
use proxmox_schema::*;
|
||||
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
|
||||
|
||||
use crate::init::{access_conf, user_config, user_config_lock};
|
||||
use crate::types::{ApiToken, User};
|
||||
|
||||
fn get_or_init_config() -> &'static SectionConfig {
|
||||
static CONFIG: OnceLock<SectionConfig> = OnceLock::new();
|
||||
CONFIG.get_or_init(|| {
|
||||
let mut config = SectionConfig::new(&Authid::API_SCHEMA);
|
||||
|
||||
let user_schema = match User::API_SCHEMA {
|
||||
Schema::Object(ref user_schema) => user_schema,
|
||||
_ => unreachable!(),
|
||||
};
|
||||
let user_plugin =
|
||||
SectionConfigPlugin::new("user".to_string(), Some("userid".to_string()), user_schema);
|
||||
config.register_plugin(user_plugin);
|
||||
|
||||
let token_schema = match ApiToken::API_SCHEMA {
|
||||
Schema::Object(ref token_schema) => token_schema,
|
||||
_ => unreachable!(),
|
||||
};
|
||||
let token_plugin = SectionConfigPlugin::new(
|
||||
"token".to_string(),
|
||||
Some("tokenid".to_string()),
|
||||
token_schema,
|
||||
);
|
||||
config.register_plugin(token_plugin);
|
||||
|
||||
config
|
||||
})
|
||||
}
|
||||
|
||||
/// Get exclusive lock
|
||||
pub fn lock_config() -> Result<ApiLockGuard, Error> {
|
||||
open_api_lockfile(user_config_lock(), None, true)
|
||||
}
|
||||
|
||||
pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
|
||||
let content = proxmox_sys::fs::file_read_optional_string(user_config())?.unwrap_or_default();
|
||||
|
||||
let digest = openssl::sha::sha256(content.as_bytes());
|
||||
let data = get_or_init_config().parse(user_config(), &content)?;
|
||||
|
||||
Ok((data, digest))
|
||||
}
|
||||
|
||||
pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {
|
||||
struct ConfigCache {
|
||||
data: Option<Arc<SectionConfigData>>,
|
||||
last_mtime: i64,
|
||||
last_mtime_nsec: i64,
|
||||
}
|
||||
|
||||
static CACHED_CONFIG: OnceLock<RwLock<ConfigCache>> = OnceLock::new();
|
||||
let cached_config = CACHED_CONFIG.get_or_init(|| {
|
||||
RwLock::new(ConfigCache {
|
||||
data: None,
|
||||
last_mtime: 0,
|
||||
last_mtime_nsec: 0,
|
||||
})
|
||||
});
|
||||
|
||||
let stat = match nix::sys::stat::stat(&user_config()) {
|
||||
Ok(stat) => Some(stat),
|
||||
Err(nix::errno::Errno::ENOENT) => None,
|
||||
Err(err) => bail!("unable to stat '{}' - {err}", user_config().display()),
|
||||
};
|
||||
|
||||
{
|
||||
// limit scope
|
||||
let cache = cached_config.read().unwrap();
|
||||
if let Some(ref config) = cache.data {
|
||||
if let Some(stat) = stat {
|
||||
if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec
|
||||
{
|
||||
return Ok(config.clone());
|
||||
}
|
||||
} else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {
|
||||
return Ok(config.clone());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
let (config, _digest) = config()?;
|
||||
let config = Arc::new(config);
|
||||
|
||||
let mut cache = cached_config.write().unwrap();
|
||||
if let Some(stat) = stat {
|
||||
cache.last_mtime = stat.st_mtime;
|
||||
cache.last_mtime_nsec = stat.st_mtime_nsec;
|
||||
}
|
||||
cache.data = Some(config.clone());
|
||||
|
||||
Ok(config)
|
||||
}
|
||||
|
||||
pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
|
||||
let config_file = user_config();
|
||||
let raw = get_or_init_config().write(&config_file, config)?;
|
||||
replace_privileged_config(config_file, raw.as_bytes())?;
|
||||
|
||||
// increase cache generation so we reload it next time we access it
|
||||
access_conf().increment_cache_generation()?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Only exposed for testing
|
||||
#[doc(hidden)]
|
||||
pub fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8; 32]), Error> {
|
||||
let cfg = get_or_init_config();
|
||||
let parsed = cfg.parse("test_user_cfg", raw)?;
|
||||
|
||||
Ok((parsed, [0; 32]))
|
||||
}
|
||||
|
||||
// shell completion helper
|
||||
pub fn complete_userid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
|
||||
match config() {
|
||||
Ok((data, _digest)) => data
|
||||
.sections
|
||||
.iter()
|
||||
.filter_map(|(id, (section_type, _))| {
|
||||
if section_type == "user" {
|
||||
Some(id.to_string())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.collect(),
|
||||
Err(_) => Vec::new(),
|
||||
}
|
||||
}
|
||||
|
||||
// shell completion helper
|
||||
pub fn complete_authid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
|
||||
match config() {
|
||||
Ok((data, _digest)) => data.sections.keys().map(|id| id.to_string()).collect(),
|
||||
Err(_) => vec![],
|
||||
}
|
||||
}
|
||||
|
||||
// shell completion helper
|
||||
pub fn complete_token_name(_arg: &str, param: &HashMap<String, String>) -> Vec<String> {
|
||||
let data = match config() {
|
||||
Ok((data, _digest)) => data,
|
||||
Err(_) => return Vec::new(),
|
||||
};
|
||||
|
||||
match param.get("userid") {
|
||||
Some(userid) => {
|
||||
let user = data.lookup::<User>("user", userid);
|
||||
let tokens = data.convert_to_typed_array("token");
|
||||
match (user, tokens) {
|
||||
(Ok(_), Ok(tokens)) => tokens
|
||||
.into_iter()
|
||||
.filter_map(|token: ApiToken| {
|
||||
let tokenid = token.tokenid;
|
||||
if tokenid.is_token() && tokenid.user() == userid {
|
||||
Some(tokenid.tokenname().unwrap().as_str().to_string())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.collect(),
|
||||
_ => vec![],
|
||||
}
|
||||
}
|
||||
None => vec![],
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user