konevsa/proxmox
1
0
Fork 0
forked from Proxmox/proxmox
Code Pull Requests Activity

access-control: factor out user config handling

Browse Source 
this commit factors out the user config. it also add two new functions
to the `AccessControlConfig` trait to handle caching in a more
generalized way.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
This commit is contained in:
Shannon Sterz 2024-06-19 11:54:15 +02:00 committed by Wolfgang Bumiller
parent ed6a17cec9
commit 84537a02b1
7 changed files with 480 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Cargo.toml
View File

@ -127,6 +127,7 @@ proxmox-router = { version = "2.1.3", path = "proxmox-router" }
proxmox-schema = { version = "3.1.1", path = "proxmox-schema" }
proxmox-section-config = { version = "2.0.0", path = "proxmox-section-config" }
proxmox-serde = { version = "0.1.1", path = "proxmox-serde", features = [ "serde_json" ] }
proxmox-shared-memory = { version = "0.3.0", path = "proxmox-shared-memory" }
proxmox-sortable-macro = { version = "0.1.3", path = "proxmox-sortable-macro" }
proxmox-sys = { version = "0.5.5", path = "proxmox-sys" }
proxmox-tfa = { version = "4.0.4", path = "proxmox-tfa" }

3
proxmox-access-control/Cargo.toml
View File

@ -21,7 +21,10 @@ serde_json.workspace = true
# proxmox-notify.workspace = true
proxmox-auth-api = { workspace = true, features = [ "api-types" ] }
proxmox-router = { workspace = true }
proxmox-schema.workspace = true
proxmox-section-config.workspace = true
proxmox-product-config.workspace = true
proxmox-shared-memory.workspace = true
proxmox-sys = { workspace = true, features = [ "crypt" ] }
proxmox-time.workspace = true

4
proxmox-access-control/src/acl.rs
View File

@ -665,6 +665,10 @@ mod test {
&self.roles
}
fn privileges(&self) -> &HashMap<&str, u64> {
unreachable!("acl tests don't need privileges")
}
fn role_no_access(&self) -> Option<&'static str> {
Some("NoAccess")
}

246
proxmox-access-control/src/cached_user_info.rs Normal file
View File

@ -0,0 +1,246 @@
//! Cached user info for fast ACL permission checks
use std::sync::{Arc, OnceLock, RwLock};
use anyhow::{bail, Error};
use proxmox_auth_api::types::{Authid, Userid};
use proxmox_router::UserInformation;
use proxmox_section_config::SectionConfigData;
use proxmox_time::epoch_i64;
use crate::acl::AclTree;
use crate::init::access_conf;
use crate::types::{ApiToken, User};
/// Cache User/Group/Token/Acl configuration data for fast permission tests
pub struct CachedUserInfo {
user_cfg: Arc<SectionConfigData>,
acl_tree: Arc<AclTree>,
}
struct ConfigCache {
data: Option<Arc<CachedUserInfo>>,
last_update: i64,
last_user_cache_generation: usize,
}
impl CachedUserInfo {
/// Returns a cached instance (up to 5 seconds old).
pub fn new() -> Result<Arc<Self>, Error> {
let now = epoch_i64();
let cache_generation = access_conf().cache_generation();
static CACHED_CONFIG: OnceLock<RwLock<ConfigCache>> = OnceLock::new();
let cached_config = CACHED_CONFIG.get_or_init(|| {
RwLock::new(ConfigCache {
data: None,
last_update: 0,
last_user_cache_generation: 0,
})
});
{
// limit scope
let cache = cached_config.read().unwrap();
if let Some(current_generation) = cache_generation {
if (current_generation == cache.last_user_cache_generation)
&& ((now - cache.last_update) < 5)
{
if let Some(ref config) = cache.data {
return Ok(config.clone());
}
}
}
}
let config = Arc::new(CachedUserInfo {
user_cfg: crate::user::cached_config()?,
acl_tree: crate::acl::cached_config()?,
});
let mut cache = cached_config.write().unwrap();
if let Some(current_generation) = cache_generation {
cache.last_user_cache_generation = current_generation;
}
cache.last_update = now;
cache.data = Some(config.clone());
Ok(config)
}
pub fn is_superuser(&self, auth_id: &Authid) -> bool {
access_conf().is_superuser(auth_id)
}
pub fn is_group_member(&self, user_id: &Userid, group: &str) -> bool {
access_conf().is_group_member(user_id, group)
}
/// Test if a user_id is enabled and not expired
pub fn is_active_user_id(&self, userid: &Userid) -> bool {
if let Ok(info) = self.user_cfg.lookup::<User>("user", userid.as_str()) {
info.is_active()
} else {
false
}
}
/// Test if a authentication id is enabled and not expired
pub fn is_active_auth_id(&self, auth_id: &Authid) -> bool {
let userid = auth_id.user();
if !self.is_active_user_id(userid) {
return false;
}
if auth_id.is_token() {
if let Ok(info) = self
.user_cfg
.lookup::<ApiToken>("token", &auth_id.to_string())
{
return info.is_active();
} else {
return false;
}
}
true
}
pub fn check_privs(
&self,
auth_id: &Authid,
path: &[&str],
required_privs: u64,
partial: bool,
) -> Result<(), Error> {
let privs = self.lookup_privs(auth_id, path);
let allowed = if partial {
(privs & required_privs) != 0
} else {
(privs & required_privs) == required_privs
};
if !allowed {
// printing the path doesn't leak any information as long as we
// always check privilege before resource existence
let priv_names = privs_to_priv_names(required_privs);
let priv_names = if partial {
priv_names.join("|")
} else {
priv_names.join("&")
};
bail!(
"missing permissions '{priv_names}' on '/{}'",
path.join("/")
);
}
Ok(())
}
pub fn lookup_privs(&self, auth_id: &Authid, path: &[&str]) -> u64 {
let (privs, _) = self.lookup_privs_details(auth_id, path);
privs
}
pub fn lookup_privs_details(&self, auth_id: &Authid, path: &[&str]) -> (u64, u64) {
if self.is_superuser(auth_id) {
let acm_config = access_conf();
if let Some(admin) = acm_config.role_admin() {
if let Some(admin) = acm_config.roles().get(admin) {
return (*admin, *admin);
}
}
}
let roles = self.acl_tree.roles(auth_id, path);
let mut privs: u64 = 0;
let mut propagated_privs: u64 = 0;
for (role, propagate) in roles {
if let Some(role_privs) = access_conf().roles().get(role.as_str()) {
if propagate {
propagated_privs |= role_privs;
}
privs |= role_privs;
}
}
if auth_id.is_token() {
// limit privs to that of owning user
let user_auth_id = Authid::from(auth_id.user().clone());
let (owner_privs, owner_propagated_privs) =
self.lookup_privs_details(&user_auth_id, path);
privs &= owner_privs;
propagated_privs &= owner_propagated_privs;
}
(privs, propagated_privs)
}
/// Checks whether the `auth_id` has any of the privilegs `privs` on any object below `path`.
pub fn any_privs_below(
&self,
auth_id: &Authid,
path: &[&str],
privs: u64,
) -> Result<bool, Error> {
// if the anchor path itself has matching propagated privs, we skip checking children
let (_privs, propagated_privs) = self.lookup_privs_details(auth_id, path);
if propagated_privs & privs != 0 {
return Ok(true);
}
// get all sub-paths with roles defined for `auth_id`
let paths = self.acl_tree.get_child_paths(auth_id, path)?;
for path in paths.iter() {
// early return if any sub-path has any of the privs we are looking for
if privs & self.lookup_privs(auth_id, &[path.as_str()]) != 0 {
return Ok(true);
}
}
// no paths or no matching paths
Ok(false)
}
}
impl UserInformation for CachedUserInfo {
fn is_superuser(&self, userid: &str) -> bool {
if let Ok(authid) = userid.parse() {
return self.is_superuser(&authid);
}
false
}
fn is_group_member(&self, userid: &str, group: &str) -> bool {
if let Ok(userid) = userid.parse() {
return self.is_group_member(&userid, group);
}
false
}
fn lookup_privs(&self, auth_id: &str, path: &[&str]) -> u64 {
match auth_id.parse::<Authid>() {
Ok(auth_id) => Self::lookup_privs(self, &auth_id, path),
Err(_) => 0,
}
}
}
pub fn privs_to_priv_names(privs: u64) -> Vec<&'static str> {
access_conf()
.privileges()
.iter()
.fold(Vec::new(), |mut priv_names, (name, value)| {
if value & privs != 0 {
priv_names.push(name);
}
priv_names
})
}

42
proxmox-access-control/src/init.rs
View File

@ -1,4 +1,5 @@
use anyhow::{format_err, Error};
use proxmox_auth_api::types::{Authid, Userid};
use std::{
collections::HashMap,
path::{Path, PathBuf},
@ -17,6 +18,39 @@ pub trait AccessControlConfig: Send + Sync {
/// Returns a mapping of all recognized roles and their corresponding `u64` value.
fn roles(&self) -> &HashMap<&str, u64>;
/// Checks whether an `Authid` has super user privileges or not.
///
/// Default: Always returns `false`.
fn is_superuser(&self, _auth_id: &Authid) -> bool {
false
}
/// Checks whether a user is part of a group.
///
/// Default: Always returns `false`.
fn is_group_member(&self, _user_id: &Userid, _group: &str) -> bool {
false
}
/// Returns the current cache generation of the user and acl configs. If the generation was
/// incremented since the last time the cache was queried, the configs are loaded again from
/// disk.
///
/// Returning `None` will always reload the cache.
///
/// Default: Always returns `None`.
fn cache_generation(&self) -> Option<usize> {
None
}
/// Increment the cache generation of user and acl configs. This indicates that they were
/// changed on disk.
///
/// Default: Does nothing.
fn increment_cache_generation(&self) -> Result<(), Error> {
Ok(())
}
/// Optionally returns a role that has no access to any resource.
///
/// Default: Returns `None`.
@ -72,6 +106,14 @@ pub(crate) fn acl_config_lock() -> PathBuf {
conf_dir().join(".acl.lck")
}
pub(crate) fn user_config() -> PathBuf {
conf_dir().join("user.cfg")
}
pub(crate) fn user_config_lock() -> PathBuf {
conf_dir().join(".user.lck")
}
pub(crate) fn token_shadow() -> PathBuf {
conf_dir().join("token.shadow")
}

4
proxmox-access-control/src/lib.rs
View File

@ -2,3 +2,7 @@ pub mod acl;
pub mod init;
pub mod token_shadow;
pub mod types;
pub mod user;
mod cached_user_info;
pub use cached_user_info::CachedUserInfo;

180
proxmox-access-control/src/user.rs Normal file
View File

@ -0,0 +1,180 @@
use std::collections::HashMap;
use std::sync::{Arc, OnceLock, RwLock};
use anyhow::{bail, Error};
use proxmox_auth_api::types::Authid;
use proxmox_product_config::{open_api_lockfile, replace_privileged_config, ApiLockGuard};
use proxmox_schema::*;
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
use crate::init::{access_conf, user_config, user_config_lock};
use crate::types::{ApiToken, User};
fn get_or_init_config() -> &'static SectionConfig {
static CONFIG: OnceLock<SectionConfig> = OnceLock::new();
CONFIG.get_or_init(|| {
let mut config = SectionConfig::new(&Authid::API_SCHEMA);
let user_schema = match User::API_SCHEMA {
Schema::Object(ref user_schema) => user_schema,
_ => unreachable!(),
};
let user_plugin =
SectionConfigPlugin::new("user".to_string(), Some("userid".to_string()), user_schema);
config.register_plugin(user_plugin);
let token_schema = match ApiToken::API_SCHEMA {
Schema::Object(ref token_schema) => token_schema,
_ => unreachable!(),
};
let token_plugin = SectionConfigPlugin::new(
"token".to_string(),
Some("tokenid".to_string()),
token_schema,
);
config.register_plugin(token_plugin);
config
})
}
/// Get exclusive lock
pub fn lock_config() -> Result<ApiLockGuard, Error> {
open_api_lockfile(user_config_lock(), None, true)
}
pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
let content = proxmox_sys::fs::file_read_optional_string(user_config())?.unwrap_or_default();
let digest = openssl::sha::sha256(content.as_bytes());
let data = get_or_init_config().parse(user_config(), &content)?;
Ok((data, digest))
}
pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {
struct ConfigCache {
data: Option<Arc<SectionConfigData>>,
last_mtime: i64,
last_mtime_nsec: i64,
}
static CACHED_CONFIG: OnceLock<RwLock<ConfigCache>> = OnceLock::new();
let cached_config = CACHED_CONFIG.get_or_init(|| {
RwLock::new(ConfigCache {
data: None,
last_mtime: 0,
last_mtime_nsec: 0,
})
});
let stat = match nix::sys::stat::stat(&user_config()) {
Ok(stat) => Some(stat),
Err(nix::errno::Errno::ENOENT) => None,
Err(err) => bail!("unable to stat '{}' - {err}", user_config().display()),
};
{
// limit scope
let cache = cached_config.read().unwrap();
if let Some(ref config) = cache.data {
if let Some(stat) = stat {
if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec
{
return Ok(config.clone());
}
} else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {
return Ok(config.clone());
}
}
}
let (config, _digest) = config()?;
let config = Arc::new(config);
let mut cache = cached_config.write().unwrap();
if let Some(stat) = stat {
cache.last_mtime = stat.st_mtime;
cache.last_mtime_nsec = stat.st_mtime_nsec;
}
cache.data = Some(config.clone());
Ok(config)
}
pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
let config_file = user_config();
let raw = get_or_init_config().write(&config_file, config)?;
replace_privileged_config(config_file, raw.as_bytes())?;
// increase cache generation so we reload it next time we access it
access_conf().increment_cache_generation()?;
Ok(())
}
/// Only exposed for testing
#[doc(hidden)]
pub fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8; 32]), Error> {
let cfg = get_or_init_config();
let parsed = cfg.parse("test_user_cfg", raw)?;
Ok((parsed, [0; 32]))
}
// shell completion helper
pub fn complete_userid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
match config() {
Ok((data, _digest)) => data
.sections
.iter()
.filter_map(|(id, (section_type, _))| {
if section_type == "user" {
Some(id.to_string())
} else {
None
}
})
.collect(),
Err(_) => Vec::new(),
}
}
// shell completion helper
pub fn complete_authid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
match config() {
Ok((data, _digest)) => data.sections.keys().map(|id| id.to_string()).collect(),
Err(_) => vec![],
}
}
// shell completion helper
pub fn complete_token_name(_arg: &str, param: &HashMap<String, String>) -> Vec<String> {
let data = match config() {
Ok((data, _digest)) => data,
Err(_) => return Vec::new(),
};
match param.get("userid") {
Some(userid) => {
let user = data.lookup::<User>("user", userid);
let tokens = data.convert_to_typed_array("token");
match (user, tokens) {
(Ok(_), Ok(tokens)) => tokens
.into_iter()
.filter_map(|token: ApiToken| {
let tokenid = token.tokenid;
if tokenid.is_token() && tokenid.user() == userid {
Some(tokenid.tokenname().unwrap().as_str().to_string())
} else {
None
}
})
.collect(),
_ => vec![],
}
}
None => vec![],
}
}