all lists on lists.proxmox.com
 help / color / mirror / Atom feed
From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox v4 08/21] auth-api: make regular ticket endpoint use the new types and handler
Date: Tue,  4 Mar 2025 13:04:53 +0100	[thread overview]
Message-ID: <20250304120506.135617-9-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250304120506.135617-1-s.sterz@proxmox.com>

so we can re-use more code between the different ticket endpoints

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-auth-api/src/api/access.rs | 94 +++---------------------------
 1 file changed, 9 insertions(+), 85 deletions(-)

diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 3e737339..260440bf 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -11,9 +11,7 @@ use proxmox_rest_server::{extract_cookie, RestEnvironment};
 use proxmox_router::{
     http_err, ApiHandler, ApiMethod, ApiResponseFuture, Permission, RpcEnvironment,
 };
-use proxmox_schema::{
-    api, api_types::PASSWORD_SCHEMA, AllOfSchema, ApiType, ParameterSchema, ReturnType,
-};
+use proxmox_schema::{api, AllOfSchema, ApiType, ParameterSchema, ReturnType};
 use proxmox_tfa::api::TfaChallenge;
 
 use super::ApiTicket;
@@ -36,51 +34,14 @@ enum AuthResult {
 #[api(
     input: {
         properties: {
-            username: {
-                type: Userid,
-            },
-            password: {
-                schema: PASSWORD_SCHEMA,
-            },
-            path: {
-                type: String,
-                description: "Path for verifying terminal tickets.",
-                optional: true,
-            },
-            privs: {
-                type: String,
-                description: "Privilege for verifying terminal tickets.",
-                optional: true,
-            },
-            port: {
-                type: Integer,
-                description: "Port for verifying terminal tickets.",
-                optional: true,
-            },
-            "tfa-challenge": {
-                type: String,
-                description: "The signed TFA challenge string the user wants to respond to.",
-                optional: true,
-            },
+            create_params: {
+                type: CreateTicket,
+                flatten: true,
+            }
         },
     },
     returns: {
-        properties: {
-            username: {
-                type: String,
-                description: "User name.",
-            },
-            ticket: {
-                type: String,
-                description: "Auth ticket.",
-            },
-            CSRFPreventionToken: {
-                type: String,
-                description:
-                    "Cross Site Request Forgery Prevention Token. \
-                     For partial tickets this is the string \"invalid\".",
-            },
-        },
+        type: CreateTicketResponse,
     },
     protected: true,
     access: {
@@ -91,52 +52,15 @@ enum AuthResult {
 ///
 /// Returns: An authentication ticket with additional infos.
 pub async fn create_ticket(
-    username: Userid,
-    password: String,
-    path: Option<String>,
-    privs: Option<String>,
-    port: Option<u16>,
-    tfa_challenge: Option<String>,
+    create_params: CreateTicket,
     rpcenv: &mut dyn RpcEnvironment,
-) -> Result<Value, Error> {
+) -> Result<CreateTicketResponse, Error> {
     let env: &RestEnvironment = rpcenv
         .as_any()
         .downcast_ref::<RestEnvironment>()
         .ok_or_else(|| format_err!("detected wrong RpcEnvironment type"))?;
 
-    match authenticate_user(&username, &password, path, privs, port, tfa_challenge, env).await {
-        Ok(AuthResult::Success) => Ok(json!({ "username": username })),
-        Ok(AuthResult::CreateTicket) => {
-            let auth_context = auth_context()?;
-            let api_ticket = ApiTicket::Full(username.clone());
-            let ticket = Ticket::new(auth_context.auth_prefix(), &api_ticket)?
-                .sign(auth_context.keyring(), None)?;
-            let token = assemble_csrf_prevention_token(auth_context.csrf_secret(), &username);
-
-            env.log_auth(username.as_str());
-
-            Ok(json!({
-                "username": username,
-                "ticket": ticket,
-                "CSRFPreventionToken": token,
-            }))
-        }
-        Ok(AuthResult::Partial(challenge)) => {
-            let auth_context = auth_context()?;
-            let api_ticket = ApiTicket::Partial(challenge);
-            let ticket = Ticket::new(auth_context.auth_prefix(), &api_ticket)?
-                .sign(auth_context.keyring(), Some(username.as_str()))?;
-            Ok(json!({
-                "username": username,
-                "ticket": ticket,
-                "CSRFPreventionToken": "invalid",
-            }))
-        }
-        Err(err) => {
-            env.log_failed_auth(Some(username.to_string()), &err.to_string());
-            Err(http_err!(UNAUTHORIZED, "permission check failed."))
-        }
-    }
+    handle_ticket_creation(create_params, env).await
 }
 
 
-- 
2.39.5



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel


  parent reply	other threads:[~2025-03-04 12:05 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-04 12:04 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 01/21] time: add new `epoch_to_http_date` helper Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 02/21] rest-server: borrow parts parameter in `get_request_parameter` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 03/21] router/rest-server: add new `AsyncHttpBodyParameters` api handler type Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 04/21] auth-api: extend `AuthContext` with prefixed cookie name Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 05/21] auth-api: check for new prefixed cookies as well Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 06/21] auth-api: introduce new CreateTicket and CreateTickeReponse api types Shannon Sterz
2025-03-04 14:16   ` Wolfgang Bumiller
2025-03-07 10:06     ` Maximiliano Sandoval
2025-03-07 10:14       ` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 07/21] auth-api: add endpoint for issuing tickets as HttpOnly tickets Shannon Sterz
2025-03-04 12:04 ` Shannon Sterz [this message]
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 09/21] auth-api: add logout method Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 10/21] login: add optional field for ticket_info and make password optional Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 11/21] login: make password optional when creating Login requests Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 12/21] login: add helpers to pass cookie values when parsing login responses Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 13/21] login: add `TicketResult::HttpOnly` member Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 14/21] login: add helper to check whether a ticket is just informational Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 15/21] login: add functions to specify full cookie names Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 16/21] client: add compatibility with HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 17/21] client: specify cookie names for authentication headers where possible Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 18/21] HttpClient: add helpers to refresh HttpOnly cookies and remove them Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 19/21] LoginPanel/http helpers: add support for handling HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 20/21] http helpers: ask server to remove `__Host-` prefixed cookie on logout Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH datacenter-manager v4 21/21] api: switch ticket endpoint over to new http only endpoint Shannon Sterz
2025-03-04 14:43 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250304120506.135617-9-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal