From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id AA57E62DA3 for ; Wed, 28 Oct 2020 12:37:12 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A64C81E813 for ; Wed, 28 Oct 2020 12:36:42 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id F1FFF1E808 for ; Wed, 28 Oct 2020 12:36:41 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id BFE5D434E4 for ; Wed, 28 Oct 2020 12:36:41 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Wed, 28 Oct 2020 12:36:25 +0100 Message-Id: <20201028113632.814586-5-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20201028113632.814586-1-f.gruenbichler@proxmox.com> References: <20201028113632.814586-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.029 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [config.rs] Subject: [pbs-devel] [PATCH proxmox-backup 02/16] config: add token.shadow file X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Oct 2020 11:37:12 -0000 containing pairs of token ids and hashed secret values. Signed-off-by: Fabian Grünbichler --- src/config.rs | 1 + src/config/token_shadow.rs | 91 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 src/config/token_shadow.rs diff --git a/src/config.rs b/src/config.rs index 65c0577e..6f19da7c 100644 --- a/src/config.rs +++ b/src/config.rs @@ -21,6 +21,7 @@ pub mod datastore; pub mod network; pub mod remote; pub mod sync; +pub mod token_shadow; pub mod user; pub mod verify; diff --git a/src/config/token_shadow.rs b/src/config/token_shadow.rs new file mode 100644 index 00000000..4033450b --- /dev/null +++ b/src/config/token_shadow.rs 
@@ -0,0 +1,91 @@
+use std::collections::HashMap;
+use std::time::Duration;
+
+use anyhow::{bail, format_err, Error};
+use serde::{Serialize, Deserialize};
+use serde_json::{from_value, Value};
+
+use proxmox::tools::fs::{open_file_locked, CreateOptions};
+
+use crate::api2::types::Authid;
+use crate::auth;
+
+const LOCK_FILE: &str = "/etc/proxmox-backup/token.shadow.lock";
+const CONF_FILE: &str = "/etc/proxmox-backup/token.shadow";
+const LOCK_TIMEOUT: Duration = Duration::from_secs(5);
+
+#[serde(rename_all="kebab-case")]
+#[derive(Serialize, Deserialize)]
+/// ApiToken id / secret pair
+pub struct ApiTokenSecret {
+ pub tokenid: Authid,
+ pub secret: String,
+}
+
+fn read_file() -> Result, Error> {
+ let json = proxmox::tools::fs::file_get_json(CONF_FILE, Some(Value::Null))?;
+
+ if json == Value::Null {
+ Ok(HashMap::new())
+ } else {
+ // swallow serde error which might contain sensitive data
+ from_value(json).map_err(|_err| format_err!("unable to parse '{}'", CONF_FILE))
+ }
+}
+
+fn write_file(data: HashMap) -> Result<(), Error> {
+ let backup_user = crate::backup::backup_user()?;
+ let options = CreateOptions::new()
+ .perm(nix::sys::stat::Mode::from_bits_truncate(0o0640))
+ .owner(backup_user.uid)
+ .group(backup_user.gid);
+
+ let json = serde_json::to_vec(&data)?;
+ proxmox::tools::fs::replace_file(CONF_FILE, &json, options)
+}
+
+/// Verifies that an entry for given tokenid / API token secret exists
+pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
+ if !tokenid.is_token() {
+ bail!("not an API token ID");
+ }
+
+ let data = read_file()?;
+ match data.get(tokenid) {
+ Some(hashed_secret) => {
+ auth::verify_crypt_pw(secret, &hashed_secret)
+ },
+ None => bail!("invalid API token"),
+ }
+}
+
+/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash.
+pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
+ if !tokenid.is_token() {
+ bail!("not an API token ID");
+ }
+
+ let _guard = open_file_locked(LOCK_FILE, LOCK_TIMEOUT, true)?;
+
+ let mut data = read_file()?;
+ let hashed_secret = auth::encrypt_pw(secret)?;
+ data.insert(tokenid.clone(), hashed_secret);
+ write_file(data)?;
+
+ Ok(())
+}
+
+/// Deletes the entry for the given tokenid.
+pub fn delete_secret(tokenid: &Authid) -> Result<(), Error> {
+ if !tokenid.is_token() {
+ bail!("not an API token ID");
+ }
+
+ let _guard = open_file_locked(LOCK_FILE, LOCK_TIMEOUT, true)?;
+
+ let mut data = read_file()?;
+ data.remove(tokenid);
+ write_file(data)?;
+
+ Ok(())
+}
-- 2.20.1
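Review bot: In `verify_secret` the two failure paths are distinguishable: an unknown token ID bails at once with "invalid API token", while a known ID runs `auth::verify_crypt_pw` and returns whatever error that helper produces. If these errors reach the API client unchanged (the caller is not part of this patch), a client can tell existing token IDs from non-existing ones by message, and probably by response time as well, since the `None` arm skips the hash computation. The message side can be unified by mapping the helper's error, e.g. `Some(hashed_secret) => auth::verify_crypt_pw(secret, hashed_secret).map_err(|_| format_err!("invalid API token")),`. Equalising the timing would additionally need the `None` arm to verify against a fixed dummy hash before failing. A short comment on `verify_secret` stating that it deliberately reads without taking the lock would also help the next reader.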