From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 5CF856114A for ; Tue, 20 Oct 2020 10:34:27 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 53D84BC04 for ; Tue, 20 Oct 2020 10:34:27 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 0E8FEBBF8 for ; Tue, 20 Oct 2020 10:34:26 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id C681F45DFB for ; Tue, 20 Oct 2020 10:34:25 +0200 (CEST) Date: Tue, 20 Oct 2020 10:34:24 +0200 From: Wolfgang Bumiller To: Fabian =?utf-8?Q?Gr=C3=BCnbichler?= Cc: pbs-devel@lists.proxmox.com Message-ID: <20201020083424.tbukffeyxhvy6uvp@olga.proxmox.com> References: <20201019073919.588521-1-f.gruenbichler@proxmox.com> <20201019073919.588521-8-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20201019073919.588521-8-f.gruenbichler@proxmox.com> User-Agent: NeoMutt/20180716 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.016 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [rest.rs] Subject: Re: [pbs-devel] [RFC proxmox-backup 07/15] REST: extract and handle API tokens X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Oct 2020 08:34:27 -0000 On Mon, Oct 19, 2020 at 09:39:11AM +0200, Fabian Grünbichler wrote: > Signed-off-by: Fabian Grünbichler > --- > > Notes: > exact format up for discussion, obviously. we probably want some sort of prefix > like with PVE > > src/server/rest.rs | 63 +++++++++++++++++++++++++++++++--------------- > 1 file changed, 43 insertions(+), 20 deletions(-) > > diff --git a/src/server/rest.rs b/src/server/rest.rs > index c650a3aa..a87b1e75 100644 > --- a/src/server/rest.rs > +++ b/src/server/rest.rs > @@ -3,6 +3,7 @@ use std::future::Future; > use std::hash::BuildHasher; > use std::path::{Path, PathBuf}; > use std::pin::Pin; > +use std::str::FromStr; > use std::sync::{Arc, Mutex}; > use std::task::{Context, Poll}; > > @@ -531,7 +532,7 @@ async fn handle_static_file_download(filename: PathBuf) -> Result } > } > > -fn extract_auth_data(headers: &http::HeaderMap) -> (Option, Option, Option) { > +fn extract_auth_data(headers: &http::HeaderMap) -> (Option, Option, Option, Option) { Please turn this return type into a struct. > > let mut ticket = None; > let mut language = None; > @@ -542,37 +543,59 @@ fn extract_auth_data(headers: &http::HeaderMap) -> (Option, Option } > } > > + let api_token = match headers.get("AUTHORIZATION").map(|v| v.to_str()) { > + Some(Ok(v)) => Some(v.to_owned()), > + _ => None, > + }; > + > let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) { > Some(Ok(v)) => Some(v.to_owned()), > _ => None, > }; > > - (ticket, csrf_token, language) > + (ticket, csrf_token, language, api_token) > } > > fn check_auth( > method: &hyper::Method, > ticket: &Option, > csrf_token: &Option, > + api_token: &Option, > user_info: &CachedUserInfo, > ) -> Result { > - let ticket_lifetime = tools::ticket::TICKET_LIFETIME; > + let userid = if let Some(ticket) = ticket { > + let ticket_lifetime = tools::ticket::TICKET_LIFETIME; > > - let ticket = ticket.as_ref().map(String::as_str); > - let userid: Userid = Ticket::parse(&ticket.ok_or_else(|| format_err!("missing ticket"))?)? > - .verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?; > + let ticket = ticket.as_str(); > + let userid: Userid = Ticket::parse(ticket)? > + .verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?; > > - if !user_info.is_active_user(&userid) { > - bail!("user account disabled or expired."); > - } > + if !user_info.is_active_user(&userid) { > + bail!("user account disabled or expired."); > + } > > - if method != hyper::Method::GET { > - if let Some(csrf_token) = csrf_token { > - verify_csrf_prevention_token(csrf_secret(), &userid, &csrf_token, -300, ticket_lifetime)?; > - } else { > - bail!("missing CSRF prevention token"); > + if method != hyper::Method::GET { > + if let Some(csrf_token) = csrf_token { > + verify_csrf_prevention_token(csrf_secret(), &userid, &csrf_token, -300, ticket_lifetime)?; > + } else { > + bail!("missing CSRF prevention token"); > + } > } > - } > + userid > + } else if let Some(api_token) = api_token { > + let mut parts = api_token.splitn(2, ':'); > + let tokenid = parts.next() > + .ok_or_else(|| format_err!("failed to split API token header"))?; > + let tokenid = Userid::from_str(tokenid)?; > + > + let tokensecret = parts.next() > + .ok_or_else(|| format_err!("failed to split API token header"))?; > + crate::config::token_shadow::verify_secret(&tokenid, &tokensecret)?; > + > + tokenid > + } else { > + bail!("neither ticket nor API token provided - unauthorized"); > + }; > > Ok(userid) > } > @@ -630,8 +653,8 @@ async fn handle_request( > } > > if auth_required { > - let (ticket, csrf_token, _) = extract_auth_data(&parts.headers); > - match check_auth(&method, &ticket, &csrf_token, &user_info) { > + let (ticket, csrf_token, _, api_token) = extract_auth_data(&parts.headers); > + match check_auth(&method, &ticket, &csrf_token, &api_token, &user_info) { > Ok(userid) => rpcenv.set_user(Some(userid.to_string())), > Err(err) => { > // always delay unauthorized calls by 3 seconds (from start of request) > @@ -684,9 +707,9 @@ async fn handle_request( > } > > if comp_len == 0 { > - let (ticket, csrf_token, language) = extract_auth_data(&parts.headers); > - if ticket != None { > - match check_auth(&method, &ticket, &csrf_token, &user_info) { > + let (ticket, csrf_token, language, api_token) = extract_auth_data(&parts.headers); > + if ticket != None || api_token != None { > + match check_auth(&method, &ticket, &csrf_token, &api_token, &user_info) { > Ok(userid) => { > let new_csrf_token = assemble_csrf_prevention_token(csrf_secret(), &userid); > return Ok(get_index(Some(userid), Some(new_csrf_token), language, &api, parts)); > -- > 2.20.1