* [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console
@ 2020-07-17 13:38 Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket Dominik Csapak
0 siblings, 2 replies; 3+ messages in thread
From: Dominik Csapak @ 2020-07-17 13:38 UTC (permalink / raw)
To: pbs-devel
these patches are required for the upcoming websocket/console feature
Dominik Csapak (2):
server/config: add mechanism to update template
api2/access: implement term ticket
src/api2/access.rs | 70 +++++++++++++++++++++++++++++----
src/bin/proxmox-backup-proxy.rs | 6 ++-
src/server/config.rs | 67 +++++++++++++++++++++++++++----
src/server/rest.rs | 13 +++---
src/tools/ticket.rs | 18 +++++++++
5 files changed, 150 insertions(+), 24 deletions(-)
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template
2020-07-17 13:38 [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console Dominik Csapak
@ 2020-07-17 13:38 ` Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket Dominik Csapak
1 sibling, 0 replies; 3+ messages in thread
From: Dominik Csapak @ 2020-07-17 13:38 UTC (permalink / raw)
To: pbs-devel
instead of exposing handlebars itself, offer a register_template and
a render_template ourselves.
render_template checks if the template file was modified since
the last render and reloads it when necessary
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/bin/proxmox-backup-proxy.rs | 6 ++-
src/server/config.rs | 67 +++++++++++++++++++++++++++++----
src/server/rest.rs | 13 +++----
3 files changed, 70 insertions(+), 16 deletions(-)
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 75f53b9..1e93886 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -1,5 +1,5 @@
use std::sync::Arc;
-use std::path::Path;
+use std::path::{Path, PathBuf};
use anyhow::{bail, format_err, Error};
use futures::*;
@@ -53,6 +53,10 @@ async fn run() -> Result<(), Error> {
config.add_alias("css", "/usr/share/javascript/proxmox-backup/css");
config.add_alias("docs", "/usr/share/doc/proxmox-backup/html");
+ let mut indexpath = PathBuf::from(buildcfg::JS_DIR);
+ indexpath.push("index.hbs");
+ config.register_template("index", &indexpath)?;
+
let rest_server = RestServer::new(config);
//openssl req -x509 -newkey rsa:4096 -keyout /etc/proxmox-backup/proxy.key -out /etc/proxmox-backup/proxy.pem -nodes
diff --git a/src/server/config.rs b/src/server/config.rs
index e8b3c94..3ee4ea1 100644
--- a/src/server/config.rs
+++ b/src/server/config.rs
@@ -1,9 +1,13 @@
use std::collections::HashMap;
-use std::path::{PathBuf};
-use anyhow::Error;
+use std::path::PathBuf;
+use std::time::SystemTime;
+use std::fs::metadata;
+use std::sync::RwLock;
+use anyhow::{bail, Error, format_err};
use hyper::Method;
use handlebars::Handlebars;
+use serde::Serialize;
use proxmox::api::{ApiMethod, Router, RpcEnvironmentType};
@@ -12,21 +16,20 @@ pub struct ApiConfig {
router: &'static Router,
aliases: HashMap<String, PathBuf>,
env_type: RpcEnvironmentType,
- pub templates: Handlebars<'static>,
+ templates: RwLock<Handlebars<'static>>,
+ template_files: RwLock<HashMap<String, (SystemTime, PathBuf)>>,
}
impl ApiConfig {
pub fn new<B: Into<PathBuf>>(basedir: B, router: &'static Router, env_type: RpcEnvironmentType) -> Result<Self, Error> {
- let mut templates = Handlebars::new();
- let basedir = basedir.into();
- templates.register_template_file("index", basedir.join("index.hbs"))?;
Ok(Self {
- basedir,
+ basedir: basedir.into(),
router,
aliases: HashMap::new(),
env_type,
- templates
+ templates: RwLock::new(Handlebars::new()),
+ template_files: RwLock::new(HashMap::new()),
})
}
@@ -67,4 +70,52 @@ impl ApiConfig {
pub fn env_type(&self) -> RpcEnvironmentType {
self.env_type
}
+
+ pub fn register_template<P>(&self, name: &str, path: P) -> Result<(), Error>
+ where
+ P: Into<PathBuf>
+ {
+ if self.template_files.read().unwrap().contains_key(name) {
+ bail!("template already registered");
+ }
+
+ let path: PathBuf = path.into();
+ let metadata = metadata(&path)?;
+ let mtime = metadata.modified()?;
+
+ self.templates.write().unwrap().register_template_file(name, &path)?;
+ self.template_files.write().unwrap().insert(name.to_string(), (mtime, path));
+
+ Ok(())
+ }
+
+ /// Checks if the template was modified since the last rendering
+ /// if yes, it loads a the new version of the template
+ pub fn render_template<T>(&self, name: &str, data: &T) -> Result<String, Error>
+ where
+ T: Serialize,
+ {
+ let path;
+ let mtime;
+ {
+ let template_files = self.template_files.read().unwrap();
+ let (old_mtime, old_path) = template_files.get(name).ok_or_else(|| format_err!("template not found"))?;
+
+ mtime = metadata(old_path)?.modified()?;
+ if mtime <= *old_mtime {
+ return self.templates.read().unwrap().render(name, data).map_err(|err| format_err!("{}", err));
+ }
+ path = old_path.to_path_buf();
+ }
+
+ {
+ let mut template_files = self.template_files.write().unwrap();
+ let mut templates = self.templates.write().unwrap();
+
+ templates.register_template_file(name, &path)?;
+ template_files.insert(name.to_string(), (mtime, path));
+
+ templates.render(name, data).map_err(|err| format_err!("{}", err))
+ }
+ }
}
diff --git a/src/server/rest.rs b/src/server/rest.rs
index d05e51a..a7b0a23 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -16,7 +16,6 @@ use serde_json::{json, Value};
use tokio::fs::File;
use tokio::time::Instant;
use url::form_urlencoded;
-use handlebars::Handlebars;
use proxmox::http_err;
use proxmox::api::{ApiHandler, ApiMethod, HttpError};
@@ -312,7 +311,7 @@ pub async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHasher +
Ok(resp)
}
-fn get_index(username: Option<String>, token: Option<String>, template: &Handlebars, parts: Parts) -> Response<Body> {
+fn get_index(username: Option<String>, token: Option<String>, api: &Arc<ApiConfig>, parts: Parts) -> Response<Body> {
let nodename = proxmox::tools::nodename();
let username = username.unwrap_or_else(|| String::from(""));
@@ -338,11 +337,11 @@ fn get_index(username: Option<String>, token: Option<String>, template: &Handleb
let mut ct = "text/html";
- let index = match template.render("index", &data) {
+ let index = match api.render_template("index", &data) {
Ok(index) => index,
Err(err) => {
ct = "text/plain";
- format!("Error rendering template: {}", err.desc)
+ format!("Error rendering template: {}", err)
},
};
@@ -580,15 +579,15 @@ pub async fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> Result<R
match check_auth(&method, &ticket, &token, &user_info) {
Ok(username) => {
let new_token = assemble_csrf_prevention_token(csrf_secret(), &username);
- return Ok(get_index(Some(username), Some(new_token), &api.templates, parts));
+ return Ok(get_index(Some(username), Some(new_token), &api, parts));
}
_ => {
tokio::time::delay_until(Instant::from_std(delay_unauth_time)).await;
- return Ok(get_index(None, None, &api.templates, parts));
+ return Ok(get_index(None, None, &api, parts));
}
}
} else {
- return Ok(get_index(None, None, &api.templates, parts));
+ return Ok(get_index(None, None, &api, parts));
}
} else {
let filename = api.find_alias(&components);
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket
2020-07-17 13:38 [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template Dominik Csapak
@ 2020-07-17 13:38 ` Dominik Csapak
1 sibling, 0 replies; 3+ messages in thread
From: Dominik Csapak @ 2020-07-17 13:38 UTC (permalink / raw)
To: pbs-devel
modeled after pves/pmgs vncticket (i substituted the vnc with term)
by putting the path and username as secret data in the ticket
when sending the ticket to /access/ticket it only verifies it,
checks the privs on the path and does not generate a new ticket
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/api2/access.rs | 70 +++++++++++++++++++++++++++++++++++++++------
src/tools/ticket.rs | 18 ++++++++++++
2 files changed, 80 insertions(+), 8 deletions(-)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index f5855ed..780fa9b 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -13,15 +13,21 @@ use crate::auth_helpers::*;
use crate::api2::types::*;
use crate::config::cached_user_info::CachedUserInfo;
-use crate::config::acl::PRIV_PERMISSIONS_MODIFY;
+use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
pub mod user;
pub mod domain;
pub mod acl;
pub mod role;
-fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
-
+/// returns Ok(true) if a ticket has to be created
+/// and Ok(false) if not
+fn authenticate_user(
+ username: &str,
+ password: &str,
+ path: Option<String>,
+ privs: Option<String>,
+) -> Result<bool, Error> {
let user_info = CachedUserInfo::new()?;
if !user_info.is_active_user(&username) {
@@ -33,14 +39,42 @@ fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
if password.starts_with("PBS:") {
if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
if ticket_username == username {
- return Ok(());
+ return Ok(true);
} else {
bail!("ticket login failed - wrong username");
}
}
+ } else if password.starts_with("PBSTERM:") {
+ if path.is_none() || privs.is_none() {
+ bail!("cannot check termnal ticket without path and priv");
+ }
+
+ let path = path.unwrap();
+ let privilege_name = privs.unwrap();
+
+ if let Ok((_age, _data)) = tools::ticket::verify_term_ticket(public_auth_key(), &username, &path, password) {
+
+ for (name, privilege) in PRIVILEGES {
+ if *name == privilege_name {
+
+ let mut path_vec = Vec::new();
+ for part in path.split('/') {
+ if part != "" {
+ path_vec.push(part);
+ }
+ }
+
+ user_info.check_privs(username, &path_vec, *privilege, false)?;
+ return Ok(false);
+ }
+ }
+
+ bail!("No such privilege");
+ }
}
- crate::auth::authenticate_user(username, password)
+ let _ = crate::auth::authenticate_user(username, password)?;
+ Ok(true)
}
#[api(
@@ -52,6 +86,16 @@ fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
password: {
schema: PASSWORD_SCHEMA,
},
+ path: {
+ type: String,
+ description: "path",
+ optional: true,
+ },
+ privs: {
+ type: String,
+ description: "privs",
+ optional: true,
+ },
},
},
returns: {
@@ -78,9 +122,14 @@ fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
/// Create or verify authentication ticket.
///
/// Returns: An authentication ticket with additional infos.
-fn create_ticket(username: String, password: String) -> Result<Value, Error> {
- match authenticate_user(&username, &password) {
- Ok(_) => {
+fn create_ticket(
+ username: String,
+ password: String,
+ path: Option<String>,
+ privs: Option<String>,
+) -> Result<Value, Error> {
+ match authenticate_user(&username, &password, path, privs) {
+ Ok(true) => {
let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(&username), None)?;
@@ -94,6 +143,11 @@ fn create_ticket(username: String, password: String) -> Result<Value, Error> {
"CSRFPreventionToken": token,
}))
}
+ Ok(false) => {
+ Ok(json!({
+ "username": username,
+ }))
+ }
Err(err) => {
let client_ip = "unknown"; // $rpcenv->get_client_ip() || '';
log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
diff --git a/src/tools/ticket.rs b/src/tools/ticket.rs
index 4727b1e..fc8750e 100644
--- a/src/tools/ticket.rs
+++ b/src/tools/ticket.rs
@@ -11,6 +11,24 @@ use crate::tools::epoch_now_u64;
pub const TICKET_LIFETIME: i64 = 3600*2; // 2 hours
+const TERM_PREFIX: &str = "PBSTERM";
+
+pub fn assemble_term_ticket(
+ keypair: &PKey<Private>,
+ username: &str,
+ path: &str,
+) -> Result<String, Error> {
+ assemble_rsa_ticket(keypair, TERM_PREFIX, None, Some(&format!("{}{}", username, path)))
+}
+
+pub fn verify_term_ticket(
+ keypair: &PKey<Public>,
+ username: &str,
+ path: &str,
+ ticket: &str,
+) -> Result<(i64, Option<String>), Error> {
+ verify_rsa_ticket(keypair, TERM_PREFIX, ticket, Some(&format!("{}{}", username, path)), -300, TICKET_LIFETIME)
+}
pub fn assemble_rsa_ticket(
keypair: &PKey<Private>,
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-17 13:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-17 13:38 [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket Dominik Csapak
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.