From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 7BD9191662 for ; Wed, 21 Dec 2022 10:56:48 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5A8DE5D37 for ; Wed, 21 Dec 2022 10:56:48 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 21 Dec 2022 10:56:47 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5E5A641030 for ; Wed, 21 Dec 2022 10:56:47 +0100 (CET) Message-ID: <085a267f-64e3-7e94-3781-9400589c870a@proxmox.com> Date: Wed, 21 Dec 2022 10:56:45 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Thunderbird/109.0 Content-Language: en-GB To: Proxmox Backup Server development discussion , Hannes Laimer References: <20221220145714.63985-1-h.laimer@proxmox.com> <20221220145714.63985-5-h.laimer@proxmox.com> From: Thomas Lamprecht In-Reply-To: <20221220145714.63985-5-h.laimer@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.551 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -1.161 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [user.rs] Subject: Re: [pbs-devel] [PATCH proxmox-backup 4/5] fix #3887: api2: add regenerate token endpoint X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Dec 2022 09:56:48 -0000 On 20/12/2022 15:57, Hannes Laimer wrote: > Signed-off-by: Hannes Laimer > --- > src/api2/access/user.rs | 61 ++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 60 insertions(+), 1 deletion(-) > > diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs > index 40177c8d..c2b563f7 100644 > --- a/src/api2/access/user.rs > +++ b/src/api2/access/user.rs > @@ -628,6 +628,59 @@ pub fn update_token( > Ok(()) > } > > +#[api( > + protected: true, > + input: { > + properties: { > + userid: { > + type: Userid, > + }, > + "token-name": { > + type: Tokenname, > + }, > + }, > + }, > + access: { > + permission: &Permission::Or(&[ > + &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false), > + &Permission::UserParam("userid"), > + ]), > + }, > + returns: { > + description: "API token identifier + new generated secret.", > + properties: { > + value: { "token-secret" ? > + type: String, > + description: "The API token secret", > + }, > + tokenid: { "token-id" ? Or maybe, as we're on a token API call anyway we could drop the "token" completely and just use "id" and "secret" > + type: String, > + description: "The API token identifier", > + }, > + }, > + }, > +)] > +/// Regenerate an API token's secret, revokes the old secret and create a new one > +pub fn regenerate_token(userid: Userid, token_name: Tokenname) -> Result { > + let _user_lock = pbs_config::user::lock_config()?; > + > + let tokenid = Authid::from((userid.clone(), Some(token_name.clone()))); > + let tokenid_string = tokenid.to_string(); > + > + let (user_config, _digest) = pbs_config::user::config()?; > + > + // token just has to exist, we don't actually need it > + let _data: ApiToken = user_config.lookup("token", &tokenid_string)?; dumb question: do we want to check the token expiration date, if any, and bail from regeneration if it expired? > + > + let secret = format!("{:x}", proxmox_uuid::Uuid::generate()); would be IMO nicer to have a central method that generates the secret, even for things that ain't _that_ likely to change it's just nicer to avoid having the way its assembled re-done multiple times manually. maybe that could be moved into token_shadow so that we then only call something like: let secret = token_shadow::generate_and_set_secret(&tokenid); > + token_shadow::set_secret(&tokenid, &secret)?; > + > + Ok(json!({ > + "tokenid": tokenid_string, > + "value": secret > + })) > +} > + > #[api( > protected: true, > input: { > @@ -754,11 +807,17 @@ pub fn list_tokens( > Ok(res) > } > > +const TOKEN_SUBDIRS: SubdirMap = &[( > + "regenerate", > + &Router::new().post(&API_METHOD_REGENERATE_TOKEN), > +)]; > + > const TOKEN_ITEM_ROUTER: Router = Router::new() > .get(&API_METHOD_READ_TOKEN) > .put(&API_METHOD_UPDATE_TOKEN) > .post(&API_METHOD_GENERATE_TOKEN) > - .delete(&API_METHOD_DELETE_TOKEN); > + .delete(&API_METHOD_DELETE_TOKEN) > + .subdirs(TOKEN_SUBDIRS); hmm, but now I cannot get the available subdir's via GET due to that being already used for reading the token info. Besides the added imperfection, I'm actually not sure from top of my head about the implications in PBS, but in PVE this would cause some technical issues in pvesh/api-viewer - did you check how those (debug api and api-viewer) handle to a shared subdir + "normal" get on the same API endpoint? > > const TOKEN_ROUTER: Router = Router::new() > .get(&API_METHOD_LIST_TOKENS)