The new 'expose_credentials' property of API calls requires us to set the credentials in the RPCEnvironment. Do that for the HTTPServer and for pvesh.
Delete the credentials after executing the api call.
Signed-off-by: Dominik Csapak <[email protected]>
---
 PVE/CLI/pvesh.pm | 18 ++++++++++++++++++
 PVE/HTTPServer.pm | 5 +++++
 2 files changed, 23 insertions(+)
diff --git a/PVE/CLI/pvesh.pm b/PVE/CLI/pvesh.pm
index 2a994ee9..acd9a605 100755
--- a/PVE/CLI/pvesh.pm
+++ b/PVE/CLI/pvesh.pm
@@ -356,8 +356,26 @@ sub call_api_method {
 $param->{$p} = $uri_param->{$p};
 }
+ if ($info->{expose_credentials}) {
+ # create a ticket for the root@pam user, since the
+ # api call expects to read those credentials
+ my $rpcenv = PVE::RPCEnvironment->get();
+ my $authuser = $rpcenv->get_user();
+
+ my $ticket = PVE::AccessControl::assemble_ticket($authuser);
+ my $csrf_token = PVE::AccessControl::assemble_csrf_prevention_token($authuser);
+ $rpcenv->set_credentials({
+ userid => $authuser,
+ ticket => $ticket,
+ token => $csrf_token,
+ });
+ }
+
 $data = $handler->handle($info, $param);
+ # remove credentials after api call
+ PVE::RPCEnvironment->get()->set_credentials(undef);
+
 # TODO: remove 'download' check with PVE 9.0
 if (
 ref($data) eq 'HASH'
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 660d87e8..bb8052e3 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -184,6 +184,10 @@ sub rest_handler {
 return;
 }
+ if ($info->{expose_credentials}) {
+ $rpcenv->set_credentials($auth);
+ }
+
 $resp = {
 data => $handler->handle($info, $uri_param),
 info => $info, # useful to format output
@@ -201,6 +205,7 @@ sub rest_handler {
 my $err = $@;
 $rpcenv->set_user(undef); # clear after request
+ $rpcenv->set_credentials(undef); # clear after request
 if ($err) {
 $resp = { info => $info };
-- 
2.47.3
_______________________________________________
pve-devel mailing list
[email protected]
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
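Review bot: The cleanup after `$handler->handle($info, $param)` is skipped when the handler dies, so the freshly assembled ticket and CSRF token stay in the RPCEnvironment on the error path. PVE/HTTPServer.pm clears only after capturing `$@`, and pvesh should follow the same pattern. No eval is visible around the call in this hunk, and call_api_method starts and ends outside it, so confirm that nothing reuses the environment after a failure. The comment also says the ticket is for root@pam while the code uses whatever `$rpcenv->get_user()` returns; either reword the comment or check the user explicitly.

```perl
# … unchanged: expose_credentials block that sets the credentials …
$data = eval { $handler->handle($info, $param) };
my $err = $@;
# clear on the success and the error path alike
PVE::RPCEnvironment->get()->set_credentials(undef);
die $err if $err;
```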
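Review bot: `$rpcenv->set_credentials($auth)` in the first rest_handler hunk hands the handler the whole `$auth` structure, while the pvesh path passes exactly `userid`, `ticket` and `token`. What `$auth` holds is not visible here; if it carries more than those three fields, or has no ticket for some authentication methods, handlers flagged `expose_credentials` see a different shape depending on the entry point. I would build the hash explicitly as pvesh does, or add a comment such as `# $auth is exposed as-is; handlers must treat it as secret and never log or return it`. rest_handler continues outside the hunk.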
