From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 8C99960968
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Oct 2020 09:40:28 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 44F0229836
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Oct 2020 09:39:46 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 208C629829
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Oct 2020 09:39:45 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id DAA3345D69
 for <pbs-devel@lists.proxmox.com>; Mon, 19 Oct 2020 09:39:44 +0200 (CEST)
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Mon, 19 Oct 2020 09:39:10 +0200
Message-Id: <20201019073919.588521-7-f.gruenbichler@proxmox.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20201019073919.588521-1-f.gruenbichler@proxmox.com>
References: <20201019073919.588521-1-f.gruenbichler@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.032 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] [RFC proxmox-backup 06/15] config: add token.shadow file
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2020 07:40:28 -0000

containing pairs of token ids and hashed secret values.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    we could also do a simple
    
    tokenid:crypt(tokensecret)
    
    but then we'd need to be careful w.r.t. tokenid characters and quoting and whatnot..

 src/config.rs              |  1 +
 src/config/token_shadow.rs | 79 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 src/config/token_shadow.rs

diff --git a/src/config.rs b/src/config.rs
index c2ac6da1..a70740e1 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -23,6 +23,7 @@ pub mod network;
 pub mod remote;
 pub mod sync;
 pub mod user;
+pub mod token_shadow;
 
 /// Check configuration directory permissions
 ///
diff --git a/src/config/token_shadow.rs b/src/config/token_shadow.rs
new file mode 100644
index 00000000..afec6135
--- /dev/null
+++ b/src/config/token_shadow.rs
@@ -0,0 +1,79 @@
+use std::collections::HashMap;
+use std::time::Duration;
+
+use anyhow::{bail, format_err, Error};
+use serde::{Serialize, Deserialize};
+use serde_json::{from_value, Value};
+
+use proxmox::tools::fs::{open_file_locked, CreateOptions};
+
+use crate::api2::types::Userid;
+use crate::auth;
+
+const LOCK_FILE: &str = "/etc/proxmox-backup/token.shadow.lock";
+const CONF_FILE: &str = "/etc/proxmox-backup/token.shadow";
+const LOCK_TIMEOUT: Duration = Duration::from_secs(5);
+
+#[serde(rename_all="kebab-case")]
+#[derive(Serialize, Deserialize)]
+/// ApiToken id / secret pair
+pub struct ApiTokenSecret {
+    pub tokenid: Userid,
+    pub secret: String,
+}
+
+fn read_file() -> Result<HashMap<Userid, String>, Error> {
+    let json = proxmox::tools::fs::file_get_json(CONF_FILE, Some(Value::Null))?;
+
+    if json == Value::Null {
+        Ok(HashMap::new())
+    } else {
+        // swallow serde error which might contain sensitive data
+        from_value(json).map_err(|_err| format_err!("unable to parse '{}'", CONF_FILE))
+    }
+}
+
+fn write_file(data: HashMap<Userid, String>) -> Result<(), Error> {
+    let backup_user = crate::backup::backup_user()?;
+    let options = CreateOptions::new()
+        .perm(nix::sys::stat::Mode::from_bits_truncate(0o0640))
+        .owner(backup_user.uid)
+        .group(backup_user.gid);
+
+    let json = serde_json::to_vec(&data)?;
+    proxmox::tools::fs::replace_file(CONF_FILE, &json, options)
+}
+
+/// Verifies that an entry for given tokenid / API token secret exists
+pub fn verify_secret(tokenid: &Userid, secret: &str) -> Result<(), Error> {
+    let data = read_file()?;
+    match data.get(tokenid) {
+        Some(hashed_secret) => {
+            auth::verify_crypt_pw(secret, &hashed_secret)
+        },
+        None => bail!("invalid API token"),
+    }
+}
+
+/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash.
+pub fn set_secret(tokenid: &Userid, secret: &str) -> Result<(), Error> {
+    let _guard = open_file_locked(LOCK_FILE, LOCK_TIMEOUT, true)?;
+
+    let mut data = read_file()?;
+    let hashed_secret = auth::encrypt_pw(secret)?;
+    data.insert(tokenid.clone(), hashed_secret);
+    write_file(data)?;
+
+    Ok(())
+}
+
+/// Deletes the entry for the given tokenid.
+pub fn delete_secret(tokenid: &Userid) -> Result<(), Error> {
+    let _guard = open_file_locked(LOCK_FILE, LOCK_TIMEOUT, true)?;
+
+    let mut data = read_file()?;
+    data.remove(tokenid);
+    write_file(data)?;
+
+    Ok(())
+}
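Review bot: `verify_secret` returns two distinguishable failures: an unknown token id yields the fixed `"invalid API token"` message, while a known id with a wrong secret passes through whatever error `auth::verify_crypt_pw` produces, so a caller can tell from the error text whether a token id exists in the shadow file. Mapping the verify error onto the same message closes that oracle and also drops the redundant `&&String` borrow, e.g. `Some(hashed_secret) => auth::verify_crypt_pw(secret, hashed_secret).map_err(|_err| format_err!("invalid API token")),`. The `None` arm also skips the crypt comparison entirely, so the two paths presumably differ in timing as well; whether that matters depends on rate limiting or delays in the calling auth code, which is outside this hunk and worth a comment here either way, e.g. `// NOTE: unknown ids fail without a hash comparison — callers must not rely on constant-time behaviour`. Unlike `set_secret`/`delete_secret`, `verify_secret` reads without taking `LOCK_FILE`; that is only safe if `replace_file` swaps the file atomically, which this hunk does not show, so a one-line comment stating that assumption would help the next reader.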
-- 
2.20.1