From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox v3 2/7] access-control: define `User`, `UserWithTokens` and `ApiTokens` types
Date: Wed, 19 Jun 2024 11:54:13 +0200 [thread overview]
Message-ID: <20240619095418.126368-3-s.sterz@proxmox.com> (raw)
In-Reply-To: <20240619095418.126368-1-s.sterz@proxmox.com>
these types are used by the user config in the `proxmox-backup` server.
this commit factors them out so we can re-use them in other products
as well as in this crate.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
proxmox-access-control/Cargo.toml | 3 +
proxmox-access-control/src/lib.rs | 1 +
proxmox-access-control/src/types.rs | 228 ++++++++++++++++++++++++++++
3 files changed, 232 insertions(+)
create mode 100644 proxmox-access-control/src/types.rs
diff --git a/proxmox-access-control/Cargo.toml b/proxmox-access-control/Cargo.toml
index b783a21f..68cbf460 100644
--- a/proxmox-access-control/Cargo.toml
+++ b/proxmox-access-control/Cargo.toml
@@ -16,7 +16,10 @@ description = "A collection of utilities to implement access control management.
anyhow.workspace = true
nix.workspace = true
openssl.workspace = true
+serde.workspace = true
# proxmox-notify.workspace = true
proxmox-auth-api = { workspace = true, features = [ "api-types" ] }
+proxmox-schema.workspace = true
proxmox-product-config.workspace = true
+proxmox-time.workspace = true
diff --git a/proxmox-access-control/src/lib.rs b/proxmox-access-control/src/lib.rs
index 8ad2c83d..edb42568 100644
--- a/proxmox-access-control/src/lib.rs
+++ b/proxmox-access-control/src/lib.rs
@@ -1,2 +1,3 @@
pub mod acl;
pub mod init;
+pub mod types;
diff --git a/proxmox-access-control/src/types.rs b/proxmox-access-control/src/types.rs
new file mode 100644
index 00000000..9ed4e9cd
--- /dev/null
+++ b/proxmox-access-control/src/types.rs
@@ -0,0 +1,228 @@
+use proxmox_auth_api::types::{Authid, Userid, PROXMOX_TOKEN_ID_SCHEMA};
+use serde::{Deserialize, Serialize};
+
+use proxmox_schema::{
+ api,
+ api_types::{COMMENT_SCHEMA, SINGLE_LINE_COMMENT_FORMAT},
+ BooleanSchema, IntegerSchema, Schema, StringSchema, Updater,
+};
+
+pub const ENABLE_USER_SCHEMA: Schema = BooleanSchema::new(
+ "Enable the account (default). You can set this to '0' to disable the account.",
+)
+.default(true)
+.schema();
+
+pub const EXPIRE_USER_SCHEMA: Schema = IntegerSchema::new(
+ "Account expiration date (seconds since epoch). '0' means no expiration date.",
+)
+.default(0)
+.minimum(0)
+.schema();
+
+pub const FIRST_NAME_SCHEMA: Schema = StringSchema::new("First name.")
+ .format(&SINGLE_LINE_COMMENT_FORMAT)
+ .min_length(2)
+ .max_length(64)
+ .schema();
+
+pub const LAST_NAME_SCHEMA: Schema = StringSchema::new("Last name.")
+ .format(&SINGLE_LINE_COMMENT_FORMAT)
+ .min_length(2)
+ .max_length(64)
+ .schema();
+
+pub const EMAIL_SCHEMA: Schema = StringSchema::new("E-Mail Address.")
+ .format(&SINGLE_LINE_COMMENT_FORMAT)
+ .min_length(2)
+ .max_length(64)
+ .schema();
+
+#[api(
+ properties: {
+ userid: {
+ type: Userid,
+ },
+ comment: {
+ optional: true,
+ schema: COMMENT_SCHEMA,
+ },
+ enable: {
+ optional: true,
+ schema: ENABLE_USER_SCHEMA,
+ },
+ expire: {
+ optional: true,
+ schema: EXPIRE_USER_SCHEMA,
+ },
+ firstname: {
+ optional: true,
+ schema: FIRST_NAME_SCHEMA,
+ },
+ lastname: {
+ schema: LAST_NAME_SCHEMA,
+ optional: true,
+ },
+ email: {
+ schema: EMAIL_SCHEMA,
+ optional: true,
+ },
+ tokens: {
+ type: Array,
+ optional: true,
+ description: "List of user's API tokens.",
+ items: {
+ type: ApiToken
+ },
+ },
+ "totp-locked": {
+ type: bool,
+ optional: true,
+ default: false,
+ description: "True if the user is currently locked out of TOTP factors",
+ },
+ "tfa-locked-until": {
+ optional: true,
+ description: "Contains a timestamp until when a user is locked out of 2nd factors",
+ },
+ }
+)]
+#[derive(Serialize, Deserialize, Clone, PartialEq)]
+#[serde(rename_all = "kebab-case")]
+/// User properties with added list of ApiTokens
+pub struct UserWithTokens {
+ pub userid: Userid,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub comment: Option<String>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub enable: Option<bool>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub expire: Option<i64>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub firstname: Option<String>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub lastname: Option<String>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub email: Option<String>,
+ #[serde(skip_serializing_if = "Vec::is_empty", default)]
+ pub tokens: Vec<ApiToken>,
+ #[serde(skip_serializing_if = "bool_is_false", default)]
+ pub totp_locked: bool,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub tfa_locked_until: Option<i64>,
+}
+
+fn bool_is_false(b: &bool) -> bool {
+ !b
+}
+
+#[api(
+ properties: {
+ tokenid: {
+ schema: PROXMOX_TOKEN_ID_SCHEMA,
+ },
+ comment: {
+ optional: true,
+ schema: COMMENT_SCHEMA,
+ },
+ enable: {
+ optional: true,
+ schema: ENABLE_USER_SCHEMA,
+ },
+ expire: {
+ optional: true,
+ schema: EXPIRE_USER_SCHEMA,
+ },
+ }
+)]
+#[derive(Serialize, Deserialize, Clone, PartialEq)]
+/// ApiToken properties.
+pub struct ApiToken {
+ pub tokenid: Authid,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub comment: Option<String>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub enable: Option<bool>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub expire: Option<i64>,
+}
+
+impl ApiToken {
+ pub fn is_active(&self) -> bool {
+ if !self.enable.unwrap_or(true) {
+ return false;
+ }
+ if let Some(expire) = self.expire {
+ let now = proxmox_time::epoch_i64();
+ if expire > 0 && expire <= now {
+ return false;
+ }
+ }
+ true
+ }
+}
+
+#[api(
+ properties: {
+ userid: {
+ type: Userid,
+ },
+ comment: {
+ optional: true,
+ schema: COMMENT_SCHEMA,
+ },
+ enable: {
+ optional: true,
+ schema: ENABLE_USER_SCHEMA,
+ },
+ expire: {
+ optional: true,
+ schema: EXPIRE_USER_SCHEMA,
+ },
+ firstname: {
+ optional: true,
+ schema: FIRST_NAME_SCHEMA,
+ },
+ lastname: {
+ schema: LAST_NAME_SCHEMA,
+ optional: true,
+ },
+ email: {
+ schema: EMAIL_SCHEMA,
+ optional: true,
+ },
+ }
+)]
+#[derive(Serialize, Deserialize, Updater, PartialEq, Eq)]
+/// User properties.
+pub struct User {
+ #[updater(skip)]
+ pub userid: Userid,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub comment: Option<String>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub enable: Option<bool>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub expire: Option<i64>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub firstname: Option<String>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub lastname: Option<String>,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub email: Option<String>,
+}
+
+impl User {
+ pub fn is_active(&self) -> bool {
+ if !self.enable.unwrap_or(true) {
+ return false;
+ }
+ if let Some(expire) = self.expire {
+ let now = proxmox_time::epoch_i64();
+ if expire > 0 && expire <= now {
+ return false;
+ }
+ }
+ true
+ }
+}
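Review bot: `ApiToken::is_active` and `User::is_active` are byte-identical copies of the same enable/expiry check, and neither documents the two defaults it relies on — a missing `enable` counts as enabled and `expire == 0` means no expiry — so a later fix to one (say, a changed expiry comparison) can silently leave the other behind, which matters because both gate whether an identity is accepted. Factoring the check into one private helper with a doc comment stating those defaults keeps both authorization paths in step; the two methods then reduce to `account_is_active(self.enable, self.expire)`. Note also that `EMAIL_SCHEMA` validates only as a 2–64 character single-line comment, so a `/// Not validated as an RFC 5322 address; only length and single-line format are enforced.` comment on it would stop callers assuming stricter checking.
```rust
/// Shared enable/expiry check for users and API tokens.
///
/// A missing `enable` defaults to enabled (matching `ENABLE_USER_SCHEMA`);
/// an `expire` of `0` (or `None`) means the account never expires.
fn account_is_active(enable: Option<bool>, expire: Option<i64>) -> bool {
    if !enable.unwrap_or(true) {
        return false;
    }
    match expire {
        // an expiry in the past (or exactly now) deactivates the account
        Some(expire) if expire > 0 => expire > proxmox_time::epoch_i64(),
        _ => true,
    }
}

impl ApiToken {
    pub fn is_active(&self) -> bool {
        account_is_active(self.enable, self.expire)
    }
}

// … unchanged: `User` api definition and struct …

impl User {
    pub fn is_active(&self) -> bool {
        account_is_active(self.enable, self.expire)
    }
}
```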
--
2.39.2