From: Hannes Laimer <h.laimer@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup v3 2/5] fix #4382: api: access: remove permissions of token on deletion
Date: Fri, 4 Apr 2025 17:32:07 +0200 [thread overview]
Message-ID: <20250404153210.48017-3-h.laimer@proxmox.com> (raw)
In-Reply-To: <20250404153210.48017-1-h.laimer@proxmox.com>
... and move token deletion into new `do_delete_token` function.
Since it'll be resued later on user deletion.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/api2/access/user.rs | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
index 8a5afb7b0..bba5bb2c0 100644
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@@ -8,6 +8,7 @@ use std::collections::HashMap;
use proxmox_router::{ApiMethod, Permission, Router, RpcEnvironment, SubdirMap};
use proxmox_schema::api;
+use proxmox_section_config::SectionConfigData;
use proxmox_tfa::api::TfaConfig;
use pbs_api_types::{
@@ -15,9 +16,7 @@ use pbs_api_types::{
EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY,
PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
};
-use pbs_config::token_shadow;
-
-use pbs_config::CachedUserInfo;
+use pbs_config::{acl::AclTree, token_shadow, CachedUserInfo};
fn new_user_with_tokens(user: User, tfa: &TfaConfig) -> UserWithTokens {
UserWithTokens {
@@ -651,29 +650,41 @@ pub fn delete_token(
token_name: Tokenname,
digest: Option<String>,
) -> Result<(), Error> {
- let _lock = pbs_config::user::lock_config()?;
+ let _acl_lock = pbs_config::acl::lock_config()?;
+ let _user_lock = pbs_config::user::lock_config()?;
- let (mut config, expected_digest) = pbs_config::user::config()?;
+ let (mut user_config, expected_digest) = pbs_config::user::config()?;
if let Some(ref digest) = digest {
let digest = <[u8; 32]>::from_hex(digest)?;
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
}
+ let (mut acl_config, _digest) = pbs_config::acl::config()?;
+ do_delete_token(token_name, &userid, &mut user_config, &mut acl_config)?;
+
+ pbs_config::user::save_config(&user_config)?;
+ pbs_config::acl::save_config(&acl_config)?;
+ Ok(())
+}
+
+fn do_delete_token(
+ token_name: Tokenname,
+ userid: &Userid,
+ user_config: &mut SectionConfigData,
+ acl_config: &mut AclTree,
+) -> Result<(), Error> {
let tokenid = Authid::from((userid.clone(), Some(token_name.clone())));
let tokenid_string = tokenid.to_string();
-
- if config.sections.remove(&tokenid_string).is_none() {
+ if user_config.sections.remove(&tokenid_string).is_none() {
bail!(
"token '{}' of user '{}' does not exist.",
token_name.as_str(),
userid
);
}
-
token_shadow::delete_secret(&tokenid)?;
-
- pbs_config::user::save_config(&config)?;
+ acl_config.delete_authid(&tokenid);
Ok(())
}
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-04-04 15:33 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-04 15:32 [pbs-devel] [PATCH proxmox-backup v3 0/5] ACL removal on user/token deletion + token regeneration Hannes Laimer
2025-04-04 15:32 ` [pbs-devel] [PATCH proxmox-backup v3 1/5] pbs-config: move secret generation into token_shadow Hannes Laimer
2025-04-04 15:32 ` Hannes Laimer [this message]
2025-04-04 15:32 ` [pbs-devel] [PATCH proxmox-backup v3 3/5] fix #4382: api: remove permissions and tokens of user on deletion Hannes Laimer
2025-04-04 15:32 ` [pbs-devel] [PATCH proxmox-backup v3 4/5] fix #3887: api: access: allow secret regeneration Hannes Laimer
2025-04-04 15:32 ` [pbs-devel] [PATCH proxmox-backup v3 5/5] fix #3887: ui: add regenerate token button Hannes Laimer
2025-04-05 17:12 ` [pbs-devel] applied-series: [PATCH proxmox-backup v3 0/5] ACL removal on user/token deletion + token regeneration Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250404153210.48017-3-h.laimer@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal