check folder privileges

rvanderp3 · rvanderp3 · commit 316743cafc5b · 2021-08-10T15:43:25.000-04:00
diff --git a/README.md b/README.md
@@ -38,7 +38,15 @@ vSphere object: vSphere vCenter Datacenter
 Resource.AssignVMToPool, VApp.Import, VirtualMachine.Config.AddExistingDisk, VirtualMachine.Config.AddNewDisk, VirtualMachine.Config.AddRemoveDevice, VirtualMachine.Config.AdvancedConfig, VirtualMachine.Config.Annotation, VirtualMachine.Config.CPUCount, VirtualMachine.Config.DiskExtend, VirtualMachine.Config.DiskLease, VirtualMachine.Config.EditDevice, VirtualMachine.Config.Memory, VirtualMachine.Config.RemoveDisk, VirtualMachine.Config.Rename, VirtualMachine.Config.ResetGuestInfo, VirtualMachine.Config.Resource, VirtualMachine.Config.Settings, VirtualMachine.Config.UpgradeVirtualHardware, VirtualMachine.Interact.GuestControl, VirtualMachine.Interact.PowerOff, VirtualMachine.Interact.PowerOn, VirtualMachine.Interact.Reset, VirtualMachine.Inventory.Create, VirtualMachine.Inventory.CreateFromExisting, VirtualMachine.Inventory.Delete, VirtualMachine.Provisioning.Clone, Folder.Create, Folder.Delete
 ~~~
 
-## Missing Checks
+### Checking Folder Permissions
+
+Checking user privileges on a folder can be a bit tough as privileges can't be validated until the folder is created.  Additionally, privileges to create a folder are provided by the [vSphere vCenter Datacenter](https://docs.openshift.com/container-platform/latest/installing/installing_vsphere/installing-vsphere-installer-provisioned.html#installation-vsphere-installer-infra-requirements-account_installing-vsphere-installer-provisioned).
 
+If a preexisting folder is being checked(i.e. installing in to an existing folder, creating a UPI machineset which creates machines in a specific folder), the folder can be checked by running:
+
+~~~
+./bin/vsphere-priv-check --check-folder=vcentertest-24lrs
+~~~
+
+## Missing Checks
 - Privilege Propagation
-- Virtual Machine Folder
diff --git a/cmd/vsphere-priv-check/vsphere-priv-check.go b/cmd/vsphere-priv-check/vsphere-priv-check.go
@@ -3,12 +3,33 @@ package main
 import (
 	"context"
 	"fmt"
-	util "github.com/rvanderp/vsphere-perm-check/pkg/util"
+	"github.com/rvanderp/vsphere-perm-check/pkg/util"
+	"github.com/spf13/cobra"
 	"log"
+	"os"
+	"path/filepath"
 )
 
-func main() {
-	fmt.Printf("OpenShift vSphere Pre-Flight Permissions Validator\n\n")
+var (
+	rootOpts struct {
+		checkFolder string
+	}
+)
+
+func newRootCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:           filepath.Base(os.Args[0]),
+		Short:         "Verifies vCenter user account privileges",
+		Long:          "",
+		Run:           runRootCmd,
+		SilenceErrors: true,
+		SilenceUsage:  true,
+	}
+	cmd.Flags().StringVar(&rootOpts.checkFolder, "check-folder", "", "verify privileges for folder")
+	return cmd
+}
+
+func runRootCmd(cmd *cobra.Command, args []string) {
 	installConfig, err := util.LoadConfig()
 	if err != nil {
 		log.Fatal(err)
@@ -20,13 +41,19 @@ func main() {
 		log.Fatal(err)
 		return
 	}
-
+	log.Printf("folder: %s", rootOpts.checkFolder)
 	log.Printf("checking permissions for user %s\n\n", installConfig.Username)
-	err = util.ValidatePrivileges(ssn, installConfig)
+	err = util.ValidatePrivileges(ssn, installConfig, rootOpts.checkFolder)
 
 	if err != nil {
 		log.Printf("error while validating required privileges:\n\n%s", err.Error())
 	} else {
 		log.Printf("no missing privileges found for user")
 	}
 }
+
+func main() {
+	fmt.Printf("OpenShift vSphere Pre-Flight Permissions Validator\n\n")
+	rootCmd := newRootCmd()
+	rootCmd.Execute()
+}
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.15
 require (
 	github.com/davecgh/go-spew v1.1.1
 	github.com/mitchellh/mapstructure v1.4.1
+	github.com/spf13/cobra v1.2.1
 	github.com/vmware/govmomi v0.26.0
 	k8s.io/apimachinery v0.22.0 // indirect
 	sigs.k8s.io/yaml v1.2.0
diff --git a/pkg/util/privileges.go b/pkg/util/privileges.go
@@ -35,8 +35,9 @@ func ComparePrivileges(derived []types.UserPrivilegeResult, required []string) e
 	return nil
 }
 
-func ValidatePrivileges(ssn *Session, p *pctypes.Platform) error {
+func ValidatePrivileges(ssn *Session, p *pctypes.Platform, folder string) error {
 	ctx := context.TODO()
+	var missingPrivileges = ""
 	authManager := object.NewAuthorizationManager(ssn.Vim25Client)
 
 	finder := find.NewFinder(ssn.Vim25Client)
@@ -52,8 +53,7 @@ func ValidatePrivileges(ssn *Session, p *pctypes.Platform) error {
 		}
 		err = ComparePrivileges(res, val.Privileges)
 		if err != nil {
-			out := fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n", val.Name, err.Error())
-			return errors.New(out)
+			missingPrivileges = missingPrivileges + fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n\n", val.Name, err.Error())
 		}
 	}
 
@@ -75,8 +75,7 @@ func ValidatePrivileges(ssn *Session, p *pctypes.Platform) error {
 		}
 		err = ComparePrivileges(res, val.Privileges)
 		if err != nil {
-			out := fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n", val.Name, err.Error())
-			return errors.New(out)
+			missingPrivileges = missingPrivileges + fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n\n", val.Name, err.Error())
 		}
 	}
 
@@ -91,8 +90,7 @@ func ValidatePrivileges(ssn *Session, p *pctypes.Platform) error {
 		}
 		err = ComparePrivileges(res, val.Privileges)
 		if err != nil {
-			out := fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n", val.Name, err.Error())
-			return errors.New(out)
+			missingPrivileges = missingPrivileges + fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n\n", val.Name, err.Error())
 		}
 	}
 
@@ -107,8 +105,7 @@ func ValidatePrivileges(ssn *Session, p *pctypes.Platform) error {
 		}
 		err = ComparePrivileges(res, val.Privileges)
 		if err != nil {
-			out := fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n", val.Name, err.Error())
-			return errors.New(out)
+			missingPrivileges = missingPrivileges + fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n\n", val.Name, err.Error())
 		}
 	}
 	if val, ok := permissions.RequiredPermissions["vCenter"]; ok {
@@ -119,9 +116,27 @@ func ValidatePrivileges(ssn *Session, p *pctypes.Platform) error {
 		}
 		err = ComparePrivileges(res, val.Privileges)
 		if err != nil {
-			out := fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n", val.Name, err.Error())
-			return errors.New(out)
+			missingPrivileges = missingPrivileges + fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n\n", val.Name, err.Error())
+		}
+	}
+	if folder != "" {
+		if val, ok := permissions.RequiredPermissions["Folder"]; ok {
+			folderObj, err := finder.Folder(ctx, folder)
+			if err != nil {
+				return err
+			}
+			res, err := authManager.FetchUserPrivilegeOnEntities(ctx, []types.ManagedObjectReference{folderObj.Reference()}, p.Username)
+			if err != nil {
+				return err
+			}
+			err = ComparePrivileges(res, val.Privileges)
+			if err != nil {
+				missingPrivileges = missingPrivileges + fmt.Sprintf("*** Missing Privileges ***\nvSphere object: %s\n%s\n\n", val.Name, err.Error())
+			}
 		}
 	}
+	if missingPrivileges != "" {
+		return errors.New(missingPrivileges)
+	}
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,9 @@ func ComparePrivileges(derived []types.UserPrivilegeResult, required []string) e`
`35`	`35`	`return nil`
`36`	`36`	`}`
`37`	`37`
`38`		`-func ValidatePrivileges(ssn Session, p pctypes.Platform) error {`
	`38`	`+func ValidatePrivileges(ssn Session, p pctypes.Platform, folder string) error {`
`39`	`39`	`ctx := context.TODO()`
	`40`	`+ var missingPrivileges = ""`
`40`	`41`	`authManager := object.NewAuthorizationManager(ssn.Vim25Client)`
`41`	`42`
`42`	`43`	`finder := find.NewFinder(ssn.Vim25Client)`
`@@ -52,8 +53,7 @@ func ValidatePrivileges(ssn Session, p pctypes.Platform) error {`
`52`	`53`	`}`
`53`	`54`	`err = ComparePrivileges(res, val.Privileges)`
`54`	`55`	`if err != nil {`
`55`		`- out := fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n", val.Name, err.Error())`
`56`		`- return errors.New(out)`
	`56`	`+ missingPrivileges = missingPrivileges + fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n\n", val.Name, err.Error())`
`57`	`57`	`}`
`58`	`58`	`}`
`59`	`59`
`@@ -75,8 +75,7 @@ func ValidatePrivileges(ssn Session, p pctypes.Platform) error {`
`75`	`75`	`}`
`76`	`76`	`err = ComparePrivileges(res, val.Privileges)`
`77`	`77`	`if err != nil {`
`78`		`- out := fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n", val.Name, err.Error())`
`79`		`- return errors.New(out)`
	`78`	`+ missingPrivileges = missingPrivileges + fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n\n", val.Name, err.Error())`
`80`	`79`	`}`
`81`	`80`	`}`
`82`	`81`
`@@ -91,8 +90,7 @@ func ValidatePrivileges(ssn Session, p pctypes.Platform) error {`
`91`	`90`	`}`
`92`	`91`	`err = ComparePrivileges(res, val.Privileges)`
`93`	`92`	`if err != nil {`
`94`		`- out := fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n", val.Name, err.Error())`
`95`		`- return errors.New(out)`
	`93`	`+ missingPrivileges = missingPrivileges + fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n\n", val.Name, err.Error())`
`96`	`94`	`}`
`97`	`95`	`}`
`98`	`96`
`@@ -107,8 +105,7 @@ func ValidatePrivileges(ssn Session, p pctypes.Platform) error {`
`107`	`105`	`}`
`108`	`106`	`err = ComparePrivileges(res, val.Privileges)`
`109`	`107`	`if err != nil {`
`110`		`- out := fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n", val.Name, err.Error())`
`111`		`- return errors.New(out)`
	`108`	`+ missingPrivileges = missingPrivileges + fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n\n", val.Name, err.Error())`
`112`	`109`	`}`
`113`	`110`	`}`
`114`	`111`	`if val, ok := permissions.RequiredPermissions["vCenter"]; ok {`
`@@ -119,9 +116,27 @@ func ValidatePrivileges(ssn Session, p pctypes.Platform) error {`
`119`	`116`	`}`
`120`	`117`	`err = ComparePrivileges(res, val.Privileges)`
`121`	`118`	`if err != nil {`
`122`		`- out := fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n", val.Name, err.Error())`
`123`		`- return errors.New(out)`
	`119`	`+ missingPrivileges = missingPrivileges + fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n\n", val.Name, err.Error())`
	`120`	`+ }`
	`121`	`+ }`
	`122`	`+ if folder != "" {`
	`123`	`+ if val, ok := permissions.RequiredPermissions["Folder"]; ok {`
	`124`	`+ folderObj, err := finder.Folder(ctx, folder)`
	`125`	`+ if err != nil {`
	`126`	`+ return err`
	`127`	`+ }`
	`128`	`+ res, err := authManager.FetchUserPrivilegeOnEntities(ctx, []types.ManagedObjectReference{folderObj.Reference()}, p.Username)`
	`129`	`+ if err != nil {`
	`130`	`+ return err`
	`131`	`+ }`
	`132`	`+ err = ComparePrivileges(res, val.Privileges)`
	`133`	`+ if err != nil {`
	`134`	`+ missingPrivileges = missingPrivileges + fmt.Sprintf("* Missing Privileges *\nvSphere object: %s\n%s\n\n", val.Name, err.Error())`
	`135`	`+ }`
`124`	`136`	`}`
`125`	`137`	`}`
	`138`	`+ if missingPrivileges != "" {`
	`139`	`+ return errors.New(missingPrivileges)`
	`140`	`+ }`
`126`	`141`	`return nil`
`127`	`142`	`}`