From: Fabian Grünbichler
To: Proxmox VE development discussion
Date: Tue, 11 Nov 2025 13:24:35 +0100
Subject: Re: [pve-devel] [PATCH pve-storage] fix #6900: correctly detect PBS API tokens in storage plugin
Message-Id: <1762863602.p7qhhpkq2d.astroid@yuna.none>
In-Reply-To: <20251103143034.121698-1-r.obkircher@proxmox.com>

On November 3, 2025 3:30 pm, Robert Obkircher wrote:
> The PBS storage plugin used PVE code to detect if an API token was
> entered in the username field. This led to bad requests for some
> valid PBS tokens which are not valid PVE tokens.
>
> Relax the token pattern to allow token names that start with numbers
> or underscores. Also allow single character names, which are
> technically allowed on the Rust side even though they can't be created
> through the PBS Web UI.
>
> Signed-off-by: Robert Obkircher
> ---
>  src/PVE/Storage/PBSPlugin.pm | 24 +++++++++++++++++++++++-
>  1 file changed, 23 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/Storage/PBSPlugin.pm b/src/PVE/Storage/PBSPlugin.pm
> index 5842004..892b4d5 100644
> --- a/src/PVE/Storage/PBSPlugin.pm
> +++ b/src/PVE/Storage/PBSPlugin.pm
> @@ -14,6 +14,7 @@ use POSIX qw(mktime strftime ENOENT);
>  use POSIX::strptime;
>
>  use PVE::APIClient::LWP;
> +use PVE::Auth::Plugin;
>  use PVE::JSONSchema qw(get_standard_option);
>  use PVE::Network;
>  use PVE::PBSClient;
> @@ -701,6 +702,27 @@ my sub snapshot_files_encrypted {
>      return $any && $all;
>  }
>
> +# On the Rust side this is TOKEN_NAME_REGEX_STR: = SAFE_ID_REGEX_STR
> +# which is = r"(?:[A-Za-z0-9_][A-Za-z0-9._\-]*)";
> +our $token_subid_regex = qr/[A-Za-z0-9_][A-Za-z0-9\.\-_]*/;
> +
> +our $token_full_regex =
> +    qr/((${PVE::Auth::Plugin::user_regex})\@(${PVE::Auth::Plugin::realm_regex}))!(${token_subid_regex})/;

nit: these two don't need to be "our"

did you verify the other two parts here are identical between PVE and PBS?

> +
> +# Similar to PVE::AccessControl::pve_verify_tokenid, except that this
> +# also allows the subid to start with numbers or underscores.
> +sub pbs_verify_tokenid {

nit: and this could be a private helper, unless we expect a need to
verify this outside as well?

> +    my ($tokenid, $noerr) = @_;
> +
> +    if ($tokenid =~ /^${token_full_regex}$/) {
> +        return wantarray ? ($tokenid, $2, $3, $4) : $tokenid;
> +    }
> +
> +    die "value '$tokenid' does not look like a valid token ID\n" if !$noerr;
> +
> +    return undef;
> +}
> +
>  # TODO: use a client with native rust/proxmox-backup bindings to profit from
>  # API schema checks and types
>  my sub pbs_api_connect {
> @@ -710,7 +732,7 @@ my sub pbs_api_connect {
>
>      my $user = $scfg->{username} // 'root@pam';
>
> -    if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) {
> +    if (my $tokenid = pbs_verify_tokenid($user, 1)) {
>          $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}";
>      } else {
>          $params->{password} = $password;
> --
> 2.47.3
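Review bot: in the second hunk only the subid part of `$token_full_regex` is aligned with the Rust side; the user and realm parts are still taken from PVE::Auth::Plugin (`user_regex`, `realm_regex`), while the comment above `$token_subid_regex` documents only TOKEN_NAME_REGEX_STR. Since the commit message's goal is to accept every token ID that PBS accepts, the comment should either cite the corresponding Rust user and realm patterns to show they match, or state explicitly that the PVE patterns are kept on purpose. A second, smaller point on the same hunk: `/^${token_full_regex}$/` still matches when the value ends in a newline, because `$` also matches before a final `\n`; since the matched `$tokenid` is interpolated straight into the `PBSAPIToken=${tokenid}:${password}` value in the third hunk, `\z` instead of `$` would be the stricter anchor.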
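Review bot: in the third hunk `pbs_verify_tokenid($user, 1)` is called with `$noerr` set, so a username that is a malformed token ID (for example a subid with a character outside the relaxed pattern) silently falls back to password authentication and only fails at the PBS end, with no hint that the value was never treated as a token. That is pre-existing behaviour carried over from `pve_verify_tokenid`, so not a blocker, but now that the pattern is being revised it would help diagnosis of the remaining #6900 cases to warn when a username containing `!` does not validate as a token ID rather than quietly sending it as a password login.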