feat(xo-server/rest-api): limit patches listing and RPU (#6864)

Same restriction as in the UI.
vatesfr · May 31, 2023 · 83c5c97 · 83c5c97
1 parent 18bd2c6
commit 83c5c97
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/packages/xo-server/src/xo-mixins/authorization.mjs b/packages/xo-server/src/xo-mixins/authorization.mjs
@@ -30,6 +30,8 @@ const AUTHORIZATIONS = {
   EXPORT: {
     XVA: STARTER, // @todo handleExport in xen-orchestra/packages/xo-server/src/api/vm.mjs
   },
+  LIST_MISSING_PATCHES: STARTER,
+  ROLLING_POOL_UPDATE: ENTERPRISE,
 }
 
 export default class Authorization {

diff --git a/packages/xo-server/src/xo-mixins/rest-api.mjs b/packages/xo-server/src/xo-mixins/rest-api.mjs
@@ -1,7 +1,7 @@
 import { asyncEach } from '@vates/async-each'
 import { every } from '@vates/predicates'
 import { ifDef } from '@xen-orchestra/defined'
-import { invalidCredentials, noSuchObject } from 'xo-common/api-errors.js'
+import { featureUnauthorized, invalidCredentials, noSuchObject } from 'xo-common/api-errors.js'
 import { pipeline } from 'node:stream/promises'
 import { json, Router } from 'express'
 import path from 'node:path'
@@ -89,7 +89,9 @@ function wrap(middleware, handleNoSuchObject = false) {
     try {
       await middleware.apply(this, arguments)
     } catch (error) {
-      if (handleNoSuchObject && noSuchObject.is(error)) {
+      if (featureUnauthorized.is(error)) {
+        res.sendStatus(403)
+      } else if (handleNoSuchObject && noSuchObject.is(error)) {
         res.sendStatus(404)
       } else {
         next(error)
@@ -156,6 +158,8 @@ export default class RestApi {
       __proto__: null,
 
       async missing_patches(req, res) {
+        await app.checkFeatureAuthorization('LIST_MISSING_PATCHES')
+
         const host = req.xapiObject
         res.json(await host.$xapi.listMissingPatches(host))
       },
@@ -165,6 +169,8 @@ export default class RestApi {
       __proto__: null,
 
       async missing_patches(req, res) {
+        await app.checkFeatureAuthorization('LIST_MISSING_PATCHES')
+
         const xapi = req.xapiObject.$xapi
         const missingPatches = new Map()
         await asyncEach(Object.values(xapi.objects.indexes.type.host ?? {}), async host => {
@@ -184,7 +190,11 @@ export default class RestApi {
     collections.pools.actions = {
       __proto__: null,
 
-      rolling_update: ({ xoObject }) => app.rollingPoolUpdate(xoObject).then(noop),
+      rolling_update: async ({ xoObject }) => {
+        await app.checkFeatureAuthorization('ROLLING_POOL_UPDATE')
+
+        await app.rollingPoolUpdate(xoObject)
+      },
     }
     collections.vms.actions = {
       __proto__: null,