guest helpers: add helper to abort active guest tasks of a certain type

Given a `(type, user, vmid)` tuple, the helper aborts all tasks of the
given `type` for guest `vmid` that `user` is allowed to abort:

- If `user` has `Sys.Modify` on the node, they can abort any task
- If `user` is an API token, it can abort any task it started itself
- If `user` is a user, they can abort any task started by themselves
  or one of their API tokens.

The helper is used to overrule any active qmshutdown/vzshutdown tasks
when attempting to stop a VM/CT (if requested).

Signed-off-by: Friedrich Weber <f.weber@proxmox.com>

src/PVE/GuestHelpers.pm

@@ -416,4 +416,39 @@ sub check_vnet_access {
 	if !($tag || $trunks);
 }
 
+sub abort_guest_tasks {
+    my ($rpcenv, $type, $vmid) = @_;
+
+    my $authuser = $rpcenv->get_user();
+    my $node = PVE::INotify::nodename();
+    my $can_abort_all = $rpcenv->check($authuser, "/nodes/$node", [ 'Sys.Modify' ], 1);
+
+    my $active_tasks = PVE::INotify::read_file('active');
+    my $aborted_tasks = [];
+    for my $task (@$active_tasks) {
+	if (!$task->{saved}
+	    && $task->{type} eq $type
+	    && $task->{id} eq $vmid
+	) {
+	    my $can_abort_task;
+	    # tasks started by a token can be aborted by the token or token owner,
+	    # tasks started by a user can be aborted by the user
+	    if (PVE::AccessControl::pve_verify_tokenid($task->{user}, 1)) {
+		my $full_tokenid = $task->{user};
+		my ($task_username, undef) = PVE::AccessControl::split_tokenid($full_tokenid);
+		$can_abort_task = $authuser eq $task_username || $authuser eq $full_tokenid;
+	    } else {
+		$can_abort_task = $authuser eq $task->{user};
+	    }
+
+	    if ($can_abort_all || $can_abort_task) {
+	       # passing `1` for parameter $killit aborts the task
+	       PVE::RPCEnvironment->check_worker($task->{upid}, 1);
+	       push @$aborted_tasks, $task->{upid};
+	   }
+	}
+    }
+    return $aborted_tasks;
+}
+
 1;