* [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console
@ 2020-07-17 13:38 Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket Dominik Csapak
0 siblings, 2 replies; 3+ messages in thread
From: Dominik Csapak @ 2020-07-17 13:38 UTC (permalink / raw)
To: pbs-devel
these patches are required for the upcoming websocket/console feature
Dominik Csapak (2):
server/config: add mechanism to update template
api2/access: implement term ticket
src/api2/access.rs | 70 +++++++++++++++++++++++++++++----
src/bin/proxmox-backup-proxy.rs | 6 ++-
src/server/config.rs | 67 +++++++++++++++++++++++++++----
src/server/rest.rs | 13 +++---
src/tools/ticket.rs | 18 +++++++++
5 files changed, 150 insertions(+), 24 deletions(-)
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template
2020-07-17 13:38 [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console Dominik Csapak
@ 2020-07-17 13:38 ` Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket Dominik Csapak
1 sibling, 0 replies; 3+ messages in thread
From: Dominik Csapak @ 2020-07-17 13:38 UTC (permalink / raw)
To: pbs-devel
instead of exposing handlebars itself, offer a register_template and
a render_template ourselves.
render_template checks if the template file was modified since
the last render and reloads it when necessary
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/bin/proxmox-backup-proxy.rs | 6 ++-
src/server/config.rs | 67 +++++++++++++++++++++++++++++----
src/server/rest.rs | 13 +++----
3 files changed, 70 insertions(+), 16 deletions(-)
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 75f53b9..1e93886 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -1,5 +1,5 @@
use std::sync::Arc;
-use std::path::Path;
+use std::path::{Path, PathBuf};
use anyhow::{bail, format_err, Error};
use futures::*;
@@ -53,6 +53,10 @@ async fn run() -> Result<(), Error> {
config.add_alias("css", "/usr/share/javascript/proxmox-backup/css");
config.add_alias("docs", "/usr/share/doc/proxmox-backup/html");
+ let mut indexpath = PathBuf::from(buildcfg::JS_DIR);
+ indexpath.push("index.hbs");
+ config.register_template("index", &indexpath)?;
+
let rest_server = RestServer::new(config);
//openssl req -x509 -newkey rsa:4096 -keyout /etc/proxmox-backup/proxy.key -out /etc/proxmox-backup/proxy.pem -nodes
diff --git a/src/server/config.rs b/src/server/config.rs
index e8b3c94..3ee4ea1 100644
--- a/src/server/config.rs
+++ b/src/server/config.rs
@@ -1,9 +1,13 @@
use std::collections::HashMap;
-use std::path::{PathBuf};
-use anyhow::Error;
+use std::path::PathBuf;
+use std::time::SystemTime;
+use std::fs::metadata;
+use std::sync::RwLock;
+use anyhow::{bail, Error, format_err};
use hyper::Method;
use handlebars::Handlebars;
+use serde::Serialize;
use proxmox::api::{ApiMethod, Router, RpcEnvironmentType};
@@ -12,21 +16,20 @@ pub struct ApiConfig {
router: &'static Router,
aliases: HashMap<String, PathBuf>,
env_type: RpcEnvironmentType,
- pub templates: Handlebars<'static>,
+ templates: RwLock<Handlebars<'static>>,
+ template_files: RwLock<HashMap<String, (SystemTime, PathBuf)>>,
}
impl ApiConfig {
pub fn new<B: Into<PathBuf>>(basedir: B, router: &'static Router, env_type: RpcEnvironmentType) -> Result<Self, Error> {
- let mut templates = Handlebars::new();
- let basedir = basedir.into();
- templates.register_template_file("index", basedir.join("index.hbs"))?;
Ok(Self {
- basedir,
+ basedir: basedir.into(),
router,
aliases: HashMap::new(),
env_type,
- templates
+ templates: RwLock::new(Handlebars::new()),
+ template_files: RwLock::new(HashMap::new()),
})
}
@@ -67,4 +70,52 @@ impl ApiConfig {
pub fn env_type(&self) -> RpcEnvironmentType {
self.env_type
}
+
+ pub fn register_template<P>(&self, name: &str, path: P) -> Result<(), Error>
+ where
+ P: Into<PathBuf>
+ {
+ if self.template_files.read().unwrap().contains_key(name) {
+ bail!("template already registered");
+ }
+
+ let path: PathBuf = path.into();
+ let metadata = metadata(&path)?;
+ let mtime = metadata.modified()?;
+
+ self.templates.write().unwrap().register_template_file(name, &path)?;
+ self.template_files.write().unwrap().insert(name.to_string(), (mtime, path));
+
+ Ok(())
+ }
+
+ /// Checks if the template was modified since the last rendering
+ /// if yes, it loads a the new version of the template
+ pub fn render_template<T>(&self, name: &str, data: &T) -> Result<String, Error>
+ where
+ T: Serialize,
+ {
+ let path;
+ let mtime;
+ {
+ let template_files = self.template_files.read().unwrap();
+ let (old_mtime, old_path) = template_files.get(name).ok_or_else(|| format_err!("template not found"))?;
+
+ mtime = metadata(old_path)?.modified()?;
+ if mtime <= *old_mtime {
+ return self.templates.read().unwrap().render(name, data).map_err(|err| format_err!("{}", err));
+ }
+ path = old_path.to_path_buf();
+ }
+
+ {
+ let mut template_files = self.template_files.write().unwrap();
+ let mut templates = self.templates.write().unwrap();
+
+ templates.register_template_file(name, &path)?;
+ template_files.insert(name.to_string(), (mtime, path));
+
+ templates.render(name, data).map_err(|err| format_err!("{}", err))
+ }
+ }
}
diff --git a/src/server/rest.rs b/src/server/rest.rs
index d05e51a..a7b0a23 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -16,7 +16,6 @@ use serde_json::{json, Value};
use tokio::fs::File;
use tokio::time::Instant;
use url::form_urlencoded;
-use handlebars::Handlebars;
use proxmox::http_err;
use proxmox::api::{ApiHandler, ApiMethod, HttpError};
@@ -312,7 +311,7 @@ pub async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHasher +
Ok(resp)
}
-fn get_index(username: Option<String>, token: Option<String>, template: &Handlebars, parts: Parts) -> Response<Body> {
+fn get_index(username: Option<String>, token: Option<String>, api: &Arc<ApiConfig>, parts: Parts) -> Response<Body> {
let nodename = proxmox::tools::nodename();
let username = username.unwrap_or_else(|| String::from(""));
@@ -338,11 +337,11 @@ fn get_index(username: Option<String>, token: Option<String>, template: &Handleb
let mut ct = "text/html";
- let index = match template.render("index", &data) {
+ let index = match api.render_template("index", &data) {
Ok(index) => index,
Err(err) => {
ct = "text/plain";
- format!("Error rendering template: {}", err.desc)
+ format!("Error rendering template: {}", err)
},
};
@@ -580,15 +579,15 @@ pub async fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> Result<R
match check_auth(&method, &ticket, &token, &user_info) {
Ok(username) => {
let new_token = assemble_csrf_prevention_token(csrf_secret(), &username);
- return Ok(get_index(Some(username), Some(new_token), &api.templates, parts));
+ return Ok(get_index(Some(username), Some(new_token), &api, parts));
}
_ => {
tokio::time::delay_until(Instant::from_std(delay_unauth_time)).await;
- return Ok(get_index(None, None, &api.templates, parts));
+ return Ok(get_index(None, None, &api, parts));
}
}
} else {
- return Ok(get_index(None, None, &api.templates, parts));
+ return Ok(get_index(None, None, &api, parts));
}
} else {
let filename = api.find_alias(&components);
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket
2020-07-17 13:38 [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template Dominik Csapak
@ 2020-07-17 13:38 ` Dominik Csapak
1 sibling, 0 replies; 3+ messages in thread
From: Dominik Csapak @ 2020-07-17 13:38 UTC (permalink / raw)
To: pbs-devel
modeled after pves/pmgs vncticket (i substituted the vnc with term)
by putting the path and username as secret data in the ticket
when sending the ticket to /access/ticket it only verifies it,
checks the privs on the path and does not generate a new ticket
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/api2/access.rs | 70 +++++++++++++++++++++++++++++++++++++++------
src/tools/ticket.rs | 18 ++++++++++++
2 files changed, 80 insertions(+), 8 deletions(-)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index f5855ed..780fa9b 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -13,15 +13,21 @@ use crate::auth_helpers::*;
use crate::api2::types::*;
use crate::config::cached_user_info::CachedUserInfo;
-use crate::config::acl::PRIV_PERMISSIONS_MODIFY;
+use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY};
pub mod user;
pub mod domain;
pub mod acl;
pub mod role;
-fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
-
+/// returns Ok(true) if a ticket has to be created
+/// and Ok(false) if not
+fn authenticate_user(
+ username: &str,
+ password: &str,
+ path: Option<String>,
+ privs: Option<String>,
+) -> Result<bool, Error> {
let user_info = CachedUserInfo::new()?;
if !user_info.is_active_user(&username) {
@@ -33,14 +39,42 @@ fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
if password.starts_with("PBS:") {
if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
if ticket_username == username {
- return Ok(());
+ return Ok(true);
} else {
bail!("ticket login failed - wrong username");
}
}
+ } else if password.starts_with("PBSTERM:") {
+ if path.is_none() || privs.is_none() {
+ bail!("cannot check termnal ticket without path and priv");
+ }
+
+ let path = path.unwrap();
+ let privilege_name = privs.unwrap();
+
+ if let Ok((_age, _data)) = tools::ticket::verify_term_ticket(public_auth_key(), &username, &path, password) {
+
+ for (name, privilege) in PRIVILEGES {
+ if *name == privilege_name {
+
+ let mut path_vec = Vec::new();
+ for part in path.split('/') {
+ if part != "" {
+ path_vec.push(part);
+ }
+ }
+
+ user_info.check_privs(username, &path_vec, *privilege, false)?;
+ return Ok(false);
+ }
+ }
+
+ bail!("No such privilege");
+ }
}
- crate::auth::authenticate_user(username, password)
+ let _ = crate::auth::authenticate_user(username, password)?;
+ Ok(true)
}
#[api(
@@ -52,6 +86,16 @@ fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
password: {
schema: PASSWORD_SCHEMA,
},
+ path: {
+ type: String,
+ description: "path",
+ optional: true,
+ },
+ privs: {
+ type: String,
+ description: "privs",
+ optional: true,
+ },
},
},
returns: {
@@ -78,9 +122,14 @@ fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
/// Create or verify authentication ticket.
///
/// Returns: An authentication ticket with additional infos.
-fn create_ticket(username: String, password: String) -> Result<Value, Error> {
- match authenticate_user(&username, &password) {
- Ok(_) => {
+fn create_ticket(
+ username: String,
+ password: String,
+ path: Option<String>,
+ privs: Option<String>,
+) -> Result<Value, Error> {
+ match authenticate_user(&username, &password, path, privs) {
+ Ok(true) => {
let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(&username), None)?;
@@ -94,6 +143,11 @@ fn create_ticket(username: String, password: String) -> Result<Value, Error> {
"CSRFPreventionToken": token,
}))
}
+ Ok(false) => {
+ Ok(json!({
+ "username": username,
+ }))
+ }
Err(err) => {
let client_ip = "unknown"; // $rpcenv->get_client_ip() || '';
log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
diff --git a/src/tools/ticket.rs b/src/tools/ticket.rs
index 4727b1e..fc8750e 100644
--- a/src/tools/ticket.rs
+++ b/src/tools/ticket.rs
@@ -11,6 +11,24 @@ use crate::tools::epoch_now_u64;
pub const TICKET_LIFETIME: i64 = 3600*2; // 2 hours
+const TERM_PREFIX: &str = "PBSTERM";
+
+pub fn assemble_term_ticket(
+ keypair: &PKey<Private>,
+ username: &str,
+ path: &str,
+) -> Result<String, Error> {
+ assemble_rsa_ticket(keypair, TERM_PREFIX, None, Some(&format!("{}{}", username, path)))
+}
+
+pub fn verify_term_ticket(
+ keypair: &PKey<Public>,
+ username: &str,
+ path: &str,
+ ticket: &str,
+) -> Result<(i64, Option<String>), Error> {
+ verify_rsa_ticket(keypair, TERM_PREFIX, ticket, Some(&format!("{}{}", username, path)), -300, TICKET_LIFETIME)
+}
pub fn assemble_rsa_ticket(
keypair: &PKey<Private>,
--
2.20.1
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-17 13:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-17 13:38 [pbs-devel] [PATCH proxmox-backup 0/2] prerequisites for console Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 1/2] server/config: add mechanism to update template Dominik Csapak
2020-07-17 13:38 ` [pbs-devel] [PATCH proxmox-backup 2/2] api2/access: implement term ticket Dominik Csapak
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox