From 43810234b604e77539fad94f76cda1aa97231ab9 Mon Sep 17 00:00:00 2001
From: Arthur Lu
Date: Tue, 23 Jul 2024 18:08:36 +0000
Subject: [PATCH] require params in all backend calls
---
src/backends/backends.js | 48 +++++++++++++++++++--------------------
src/backends/localdb.js | 34 ++++++++++++++-------------
src/backends/paasldap.js | 24 ++++++++++----------
src/routes/cluster.js | 4 ++--
src/routes/cluster/net.js | 2 +-
src/routes/sync.js | 2 +-
src/routes/user.js | 2 +-
src/utils.js | 5 ++--
8 files changed, 61 insertions(+), 60 deletions(-)
diff --git a/src/backends/backends.js b/src/backends/backends.js
index b563b00..ae83be9 100644
--- a/src/backends/backends.js
+++ b/src/backends/backends.js
@@ -66,7 +66,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- addUser (user, attributes, params = null) {}
+ addUser (user, attributes, params) {}
 
 /**
 * Get user from backend
@@ -74,14 +74,14 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {Object} containing user data from this backend, null if user does not exist
 */
- getUser (user, params = null) {}
+ getUser (user, params) {}
 
 /**
 * Get all users from backend
 * @param {Object} params authentication params, usually req.cookies
 * @returns {Array} containing each user data from this backend
 */
- getAllUsers (params = null) {}
+ getAllUsers (params) {}
 
 /**
 * Modify user in backend
@@ -90,7 +90,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- setUser (user, attributes, params = null) {}
+ setUser (user, attributes, params) {}
 
 /**
 * Delete user from backend
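Review bot: Dropping `= null` from the USER_BACKEND stubs in this hunk (and in hunks -74, -90, -98, -107, -115, -131, -139, -148 and -157) does not make `params` required at runtime: a caller that omits the argument still runs and binds `undefined`, so the requirement in the subject line is enforced only by whichever backend happens to dereference `params.username`. The JSDoc on every stub still reads as if the argument were optional. I would update each tag to `* @param {Object} params authentication params, required, usually req.cookies` and, once the policy is settled, state in the `@returns` line what a backend does when it is missing, so implementers see the contract change. The enclosing class starts before the hunk.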
@@ -98,7 +98,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- delUser (user, params = null) {}
+ delUser (user, params) {}
 
 /**
 * Add group to backend
@@ -107,7 +107,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- addGroup (group, attributes, params = null) {}
+ addGroup (group, attributes, params) {}
 
 /**
 * Get group from backend
@@ -115,14 +115,14 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {Object} containing group data from this backend, null if user does not exist
 */
- getGroup (group, params = null) {}
+ getGroup (group, params) {}
 
 /**
 * Get all users from backend
 * @param {Object} params authentication params, usually req.cookies
 * @returns {Array} containing each group data from this backend
 */
- getAllGroups (params = null) {}
+ getAllGroups (params) {}
 
 /**
 * Modify group in backend
@@ -131,7 +131,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- setGroup (group, attributes, params = null) {}
+ setGroup (group, attributes, params) {}
 
 /**
 * Delete group from backend
@@ -139,7 +139,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- delGroup (group, params = null) {}
+ delGroup (group, params) {}
 
 /**
 * Add user to group
@@ -148,7 +148,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- addUserToGroup (user, group, params = null) {}
+ addUserToGroup (user, group, params) {}
 
 /**
 * Remove user from group
@@ -157,7 +157,7 @@ class USER_BACKEND extends BACKEND {
 * @param {Object} params authentication params, usually req.cookies
 * @returns {{ok: boolean, status: number, message: string}} error object or null
 */
- delUserFromGroup (user, group, params = null) {}
+ delUserFromGroup (user, group, params) {}
 }
 
 /**
@@ -191,9 +191,9 @@ class USER_BACKEND_MANAGER extends USER_BACKEND {
 return this.#config.realm[user.realm];
 }
 
- addUser (user, attributes, params = null) {}
+ addUser (user, attributes, params) {}
 
- async getUser (user, params = null) {
+ async getUser (user, params) {
 let userData = {};
 for (const backend of this.#config.realm[user.realm]) {
 const backendData = await global.backends[backend].getUser(user, params);
@@ -204,7 +204,7 @@ class USER_BACKEND_MANAGER extends USER_BACKEND {
 return userData;
 }
 
- async getAllUsers (params = null) {
+ async getAllUsers (params) {
 const userData = {};
 for (const backend of this.#config.any) {
 const backendData = await global.backends[backend].getAllUsers(params);
@@ -217,7 +217,7 @@ class USER_BACKEND_MANAGER extends USER_BACKEND {
 return userData;
 }
 
- async setUser (user, attributes, params = null) {
+ async setUser (user, attributes, params) {
 const results = {
 ok: true,
 status: 200,
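Review bot: `USER_BACKEND_MANAGER.getUser` in hunk -191 forwards `params` to every backend without checking it, and `LocalDB.getUser` (localdb.js hunk -52 in this patch) now reads `params.username` unconditionally, so a caller that still omits the argument gets a TypeError thrown from inside the loop instead of the null that `checkAuth` compares against. Since this is the single dispatch point it is the natural place to enforce the new contract once, e.g. `if (params == null) { return null; }` as the first line of getUser, or a thrown `TypeError` if a hard failure is preferred; the same applies to getAllUsers in hunk -204 and getAllGroups in hunk -234. PAASLDAP already returns null on a missing params, so returning null here keeps the two backends consistent. The body of getUser continues past the hunk.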
@@ -234,13 +234,13 @@ class USER_BACKEND_MANAGER extends USER_BACKEND {
 return results;
 }
 
- delUser (user, params = null) {}
+ delUser (user, params) {}
 
- addGroup (group, attributes, params = null) {}
+ addGroup (group, attributes, params) {}
 
- getGroup (group, params = null) {}
+ getGroup (group, params) {}
 
- async getAllGroups (params = null) {
+ async getAllGroups (params) {
 const groupData = {};
 for (const backend of this.#config.any) {
 const backendData = await global.backends[backend].getAllGroups(params);
@@ -253,11 +253,11 @@ class USER_BACKEND_MANAGER extends USER_BACKEND {
 return groupData;
 }
 
- setGroup (group, attributes, params = null) {}
+ setGroup (group, attributes, params) {}
 
- delGroup (group, params = null) {}
+ delGroup (group, params) {}
 
- addUserToGroup (user, group, params = null) {}
+ addUserToGroup (user, group, params) {}
 
- delUserFromGroup (user, group, params = null) {}
+ delUserFromGroup (user, group, params) {}
 }
diff --git a/src/backends/localdb.js b/src/backends/localdb.js
index 7b4022a..d537c23 100644
--- a/src/backends/localdb.js
+++ b/src/backends/localdb.js
@@ -35,7 +35,7 @@ export default class LocalDB extends DB_BACKEND {
 writeFileSync(this.#path, JSON.stringify(this.#data));
 }
 
- addUser (user, attributes, params = null) {
+ addUser (user, attributes, params) {
 const username = `${user.id}@${user.realm}`;
 if (this.#data.users[username]) { // user already exists
 return {
@@ -52,17 +52,20 @@ export default class LocalDB extends DB_BACKEND {
 }
 }
 
- getUser (user, params = null) {
- const username = `${user.id}@${user.realm}`;
- if (this.#data.users[username]) {
- return this.#data.users[username];
+ getUser (user, params) {
+ const requestedUser = `${user.id}@${user.realm}`;
+ const requestingUser = params.username; // assume checkAuth has been run, which already checks that username matches PVE token
+ // user can access a user's db data if they are an admin OR are requesting own data
+ const authorized = this.#data.users[requestingUser].cluster.admin || requestingUser === requestedUser;
+ if (authorized && this.#data.users[requestedUser]) {
+ return this.#data.users[requestedUser];
 } else {
 return null;
 }
 }
 
- async getAllUsers (params = null) {
+ async getAllUsers (params) {
 const requestingUser = params.username; // assume checkAuth has been run, which already checks that username matches PVE token
 if (this.#data.users[requestingUser].cluster.admin === true) {
 return this.#data.users;
@@ -72,7 +75,7 @@ export default class LocalDB extends DB_BACKEND {
 }
 }
 
- setUser (user, attributes, params = null) {
+ setUser (user, attributes, params) {
 if (attributes.resources && attributes.cluster && attributes.templates) { // localdb should only deal with these attributes
 const username = `${user.id}@${user.realm}`;
 if (this.#data.users[username]) {
@@ -89,7 +92,7 @@ export default class LocalDB extends DB_BACKEND {
 }
 }
 
- delUser (user, params = null) {
+ delUser (user, params) {
 const username = `${user.id}@${user.realm}`;
 if (this.#data.users[username]) {
 delete this.#data.users[username];
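Review bot: The new `authorized` line in hunk -52 dereferences `this.#data.users[requestingUser].cluster.admin` before checking that the requesting user has an entry at all, so for a cookie user who authenticated to PVE but is absent from the local db this throws a TypeError instead of returning null. That is exactly the case `checkAuth` (utils.js hunk -36 in this patch) tries to detect with `getUser(...) === null`, so the intended 401 "not found in database" response is never reached and the rejection propagates out of the route. I would resolve the requester first and use optional chaining, `const requester = this.#data.users[requestingUser];` then `const authorized = requester?.cluster?.admin === true || requestingUser === requestedUser;`, which also aligns the admin test with the `=== true` form used by getAllUsers directly below. If the admin-or-self rule is meant to cover writes as well, setUser and delUser in hunks -72 and -89 still accept `params` without consulting it.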
@@ -102,17 +105,16 @@ export default class LocalDB extends DB_BACKEND {
 }
 
 // group methods not implemented because db backend does not store groups
- addGroup (group, atrributes, params = null) {}
- getGroup (group, params = null) {}
- getAllGroups (params = null) {
+ addGroup (group, atrributes, params) {}
+ getGroup (group, params) {}
+ getAllGroups (params) {
 return null;
 }
-
- setGroup (group, attributes, params = null) {}
- delGroup (group, params = null) {}
+ setGroup (group, attributes, params) {}
+ delGroup (group, params) {}
 
 // assume that adding to group also adds to group's pool
- addUserToGroup (user, group, params = null) {
+ addUserToGroup (user, group, params) {
 const username = `${user.id}@${user.realm}`;
 if (this.#data.users[username]) {
 this.#data.users[username].cluster.pools[group.id] = true;
@@ -124,7 +126,7 @@ export default class LocalDB extends DB_BACKEND {
 }
 
 // assume that adding to group also adds to group's pool
- delUserFromGroup (user, group, params = null) {
+ delUserFromGroup (user, group, params) {
 const username = `${user.id}@${user.realm}`;
 if (this.#data.users[username] && this.#data.users[username].cluster.pools[group.id]) {
 delete this.#data.users[username].cluster.pools[group.id];
diff --git a/src/backends/paasldap.js b/src/backends/paasldap.js
index 6a374c4..0625f03 100644
--- a/src/backends/paasldap.js
+++ b/src/backends/paasldap.js
@@ -86,12 +86,12 @@ export default class PAASLDAP extends AUTH_BACKEND {
 }
 }
 
- async addUser (user, attributes, params = null) {
+ async addUser (user, attributes, params) {
 const res = await this.#request(`/users/${user.id}`, "POST", params, attributes);
 return this.#handleGenericReturn(res);
 }
 
- async getUser (user, params = null) {
+ async getUser (user, params) {
 if (!params) { // params required, do nothing if params are missing
 return null;
 }
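Review bot: The rewritten `addGroup` signature in hunk -102 carries the pre-existing misspelling `atrributes` into the new line; since the line is being touched anyway, `addGroup (group, attributes, params) {}` would match the base-class stub and the other backends. The enclosing class starts before the hunk.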
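Review bot: Within hunk -86 the two methods now disagree on what a missing `params` means: `getUser` keeps the `if (!params)` guard and returns null, while `addUser` forwards `params` straight into `#request`, and the same split continues in hunks -104, -123 and -161 (getAllUsers and getAllGroups guard; setUser, delUser, addGroup, getGroup, delGroup, addUserToGroup and delUserFromGroup do not). Now that the argument is required by contract, either every method should guard or the guard should move to the one place that dispatches to backends; leaving both styles makes the comment `// params required, do nothing if params are missing` true for only half the class. The body of getUser continues past the hunk.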
@@ -104,7 +104,7 @@ export default class PAASLDAP extends AUTH_BACKEND {
 }
 }
 
- async getAllUsers (params = null) {
+ async getAllUsers (params) {
 if (!params) {
 return null;
 }
@@ -123,26 +123,26 @@ export default class PAASLDAP extends AUTH_BACKEND {
 }
 }
 
- async setUser (user, attributes, params = null) {
+ async setUser (user, attributes, params) {
 const res = await this.#request(`/users/${user.id}`, "POST", params, attributes);
 return this.#handleGenericReturn(res);
 }
 
- async delUser (user, params = null) {
+ async delUser (user, params) {
 const res = await this.#request(`/users/${user.id}`, "DELETE", params);
 return this.#handleGenericReturn(res);
 }
 
- async addGroup (group, attributes, params = null) {
+ async addGroup (group, attributes, params) {
 const res = await this.#request(`/groups/${group.id}`, "POST", params);
 return this.#handleGenericReturn(res);
 }
 
- async getGroup (group, params = null) {
+ async getGroup (group, params) {
 return await this.#request(`/groups/${group.id}`, "GET", params);
 }
 
- async getAllGroups (params = null) {
+ async getAllGroups (params) {
 if (!params) {
 return null;
 }
@@ -161,22 +161,22 @@ export default class PAASLDAP extends AUTH_BACKEND {
 }
 }
 
- async setGroup (group, attributes, params = null) {
+ async setGroup (group, attributes, params) {
 // not implemented, LDAP groups do not have any attributes to change
 return null;
 }
 
- async delGroup (group, params = null) {
+ async delGroup (group, params) {
 const res = await this.#request(`/groups/${group.id}`, "DELETE", params);
 return this.#handleGenericReturn(res);
 }
 
- async addUserToGroup (user, group, params = null) {
+ async addUserToGroup (user, group, params) {
 const res = await this.#request(`/groups/${group.id}/members/${user.id}`, "POST", params);
 return this.#handleGenericReturn(res);
 }
 
- async delUserFromGroup (user, group, params = null) {
+ async delUserFromGroup (user, group, params) {
 const res = await this.#request(`/groups/${group.id}/members/${user.id}`, "DELETE", params);
 return this.#handleGenericReturn(res);
 }
diff --git a/src/routes/cluster.js b/src/routes/cluster.js
index c9beb53..c86fc5e 100644
--- a/src/routes/cluster.js
+++ b/src/routes/cluster.js
@@ -35,7 +35,7 @@ router.get(`/:node(${nodeRegexP})/pci`, async (req, res) => {
 if (!auth) {
 return;
 }
- const userNodes = (await global.userManager.getUser(userObj)).cluster.nodes;
+ const userNodes = (await global.userManager.getUser(userObj, req.cookies)).cluster.nodes;
 if (userNodes[params.node] !== true) {
 res.status(401).send({ auth: false, path: params.node });
 res.end();
@@ -168,7 +168,7 @@ router.post(`${basePath}/create`, async (req, res) => {
 return;
 }
 // get user db config
- const user = await global.userManager.getUser(userObj);
+ const user = await global.userManager.getUser(userObj, req.cookies);
 const vmid = Number.parseInt(params.vmid);
 const vmidMin = user.cluster.vmid.min;
 const vmidMax = user.cluster.vmid.max;
diff --git a/src/routes/cluster/net.js b/src/routes/cluster/net.js
index a412ebe..cbafab4 100644
--- a/src/routes/cluster/net.js
+++ b/src/routes/cluster/net.js
@@ -62,7 +62,7 @@ router.post("/:netid/create", async (req, res) => {
 return;
 }
 // setup action
- const nc = (await global.userManager.getUser(userObj)).templates.network[params.type];
+ const nc = (await global.userManager.getUser(userObj, req.cookies)).templates.network[params.type];
 const action = {};
 if (params.type === "lxc") {
 action[`net${params.netid}`] = `name=${params.name},bridge=${nc.bridge},ip=${nc.ip},ip6=${nc.ip6},tag=${nc.vlan},type=${nc.type},rate=${params.rate}`;
diff --git a/src/routes/sync.js b/src/routes/sync.js
index befa2b6..f4ff5ac 100644
--- a/src/routes/sync.js
+++ b/src/routes/sync.js
@@ -168,7 +168,7 @@ if (schemes.interrupt.enabled) {
 wsServer.handleUpgrade(req, socket, head, async (socket) => {
 // get the user pools
 const userObj = global.utils.getUserObjFromUsername(cookies.username);
- const pools = Object.keys((await global.userManager.getUser(userObj)).cluster.pools);
+ const pools = Object.keys((await global.userManager.getUser(userObj, cookies)).cluster.pools);
 // emit the connection to initialize socket
 wsServer.emit("connection", socket, cookies.username, pools);
 });
diff --git a/src/routes/user.js b/src/routes/user.js
index 3ea0242..82a5202 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -51,7 +51,7 @@ router.get("/config/:key", async (req, res) => {
 }
 const allowKeys = ["resources", "cluster"];
 if (allowKeys.includes(params.key)) {
- const config = await global.userManager.getUser(userObj);
+ const config = await global.userManager.getUser(userObj, req.cookies);
 res.status(200).send(config[params.key]);
 } else {
diff --git a/src/utils.js b/src/utils.js
index 8b5b369..d76658b 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -36,7 +36,7 @@ export async function checkAuth (cookies, res, vmpath = null) {
 return false;
 }
 
- if ((await global.userManager.getUser(userObj)) === null) { // check if user exists in database
+ if ((await global.userManager.getUser(userObj, cookies)) === null) { // check if user exists in database
 res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in database.` });
 res.end();
 return false;
@@ -130,8 +130,7 @@ async function getAllInstanceConfigs (req, diskprefixes) {
 */
 export async function getUserResources (req, user) {
 const dbResources = global.config.resources;
- const userResources = (await global.userManager.getUser(user)).resources;
-
+ const userResources = (await global.userManager.getUser(user, req.cookies)).resources;
 // setup disk prefixes object
 const diskprefixes = [];
 for (const resourceName of Object.keys(dbResources)) {
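Review bot: `getUserResources` in hunk -130 still chains `.resources` directly onto the `getUser` result, but after this patch `LocalDB.getUser` (localdb.js hunk -52) returns null whenever the cookie user is neither an admin nor the requested user; because `user` arrives as a separate parameter rather than being derived from `req.cookies`, a non-admin caller asking about another user would now hit a TypeError on `.resources` instead of a clean refusal, if that combination is reachable. I would split the call, `const userData = await global.userManager.getUser(user, req.cookies);`, follow it with a null check that returns whatever the callers treat as empty, and only then read `userData.resources`. The `.cluster.nodes`, `.templates.network`, `.cluster.pools` and `config[params.key]` chains added in cluster.js, net.js, sync.js and user.js make the same assumption, though at least in sync.js `userObj` is visibly built from `cookies.username`, so the self case holds there. The rest of getUserResources continues past the hunk.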