From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8C99960968 for ; Mon, 19 Oct 2020 09:40:28 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 44F0229836 for ; Mon, 19 Oct 2020 09:39:46 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 208C629829 for ; Mon, 19 Oct 2020 09:39:45 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id DAA3345D69 for ; Mon, 19 Oct 2020 09:39:44 +0200 (CEST) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Mon, 19 Oct 2020 09:39:10 +0200 Message-Id: <20201019073919.588521-7-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20201019073919.588521-1-f.gruenbichler@proxmox.com> References: <20201019073919.588521-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.032 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [RFC proxmox-backup 06/15] config: add token.shadow file X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Oct 2020 07:40:28 -0000 containing pairs of token ids and hashed secret values. Signed-off-by: Fabian Grünbichler --- Notes: we could also do a simple tokenid:crypt(tokensecret) but then we'd need to be careful w.r.t. tokenid characters and quoting and whatnot.. src/config.rs | 1 + src/config/token_shadow.rs | 79 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 src/config/token_shadow.rs diff --git a/src/config.rs b/src/config.rs index c2ac6da1..a70740e1 100644 --- a/src/config.rs +++ b/src/config.rs @@ -23,6 +23,7 @@ pub mod network; pub mod remote; pub mod sync; pub mod user; +pub mod token_shadow; /// Check configuration directory permissions /// diff --git a/src/config/token_shadow.rs b/src/config/token_shadow.rs new file mode 100644 index 00000000..afec6135 --- /dev/null +++ b/src/config/token_shadow.rs @@ -0,0 +1,79 @@ +use std::collections::HashMap; +use std::time::Duration; + +use anyhow::{bail, format_err, Error}; +use serde::{Serialize, Deserialize}; +use serde_json::{from_value, Value}; + +use proxmox::tools::fs::{open_file_locked, CreateOptions}; + +use crate::api2::types::Userid; +use crate::auth; + +const LOCK_FILE: &str = "/etc/proxmox-backup/token.shadow.lock"; +const CONF_FILE: &str = "/etc/proxmox-backup/token.shadow"; +const LOCK_TIMEOUT: Duration = Duration::from_secs(5); + +#[serde(rename_all="kebab-case")] +#[derive(Serialize, Deserialize)] +/// ApiToken id / secret pair +pub struct ApiTokenSecret { + pub tokenid: Userid, + pub secret: String, +} + +fn read_file() -> Result, Error> { + let json = proxmox::tools::fs::file_get_json(CONF_FILE, Some(Value::Null))?; + + if json == Value::Null { + Ok(HashMap::new()) + } else { + // swallow serde error which might contain sensitive data + from_value(json).map_err(|_err| format_err!("unable to parse '{}'", CONF_FILE)) + } +} + +fn write_file(data: HashMap) -> Result<(), Error> { + let backup_user = crate::backup::backup_user()?; + let options = CreateOptions::new() + .perm(nix::sys::stat::Mode::from_bits_truncate(0o0640)) + .owner(backup_user.uid) + .group(backup_user.gid); + + let json = serde_json::to_vec(&data)?; + proxmox::tools::fs::replace_file(CONF_FILE, &json, options) +} + +/// Verifies that an entry for given tokenid / API token secret exists +pub fn verify_secret(tokenid: &Userid, secret: &str) -> Result<(), Error> { + let data = read_file()?; + match data.get(tokenid) { + Some(hashed_secret) => { + auth::verify_crypt_pw(secret, &hashed_secret) + }, + None => bail!("invalid API token"), + } +} + +/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash. +pub fn set_secret(tokenid: &Userid, secret: &str) -> Result<(), Error> { + let _guard = open_file_locked(LOCK_FILE, LOCK_TIMEOUT, true)?; + + let mut data = read_file()?; + let hashed_secret = auth::encrypt_pw(secret)?; + data.insert(tokenid.clone(), hashed_secret); + write_file(data)?; + + Ok(()) +} + +/// Deletes the entry for the given tokenid. +pub fn delete_secret(tokenid: &Userid) -> Result<(), Error> { + let _guard = open_file_locked(LOCK_FILE, LOCK_TIMEOUT, true)?; + + let mut data = read_file()?; + data.remove(tokenid); + write_file(data)?; + + Ok(()) +} -- 2.20.1