From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup] api tokens: add authorization method
Date: Fri, 30 Oct 2020 13:10:38 +0100 [thread overview]
Message-ID: <20201030121038.2699389-1-f.gruenbichler@proxmox.com> (raw)
and properly decode secret (which is a no-op with the current scheme).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
note: this breaks older clients obviously, but given the short time it's
been out, and the lack of documentation I think this is okay..
src/client/http_client.rs | 4 ++--
src/server/rest.rs | 9 ++++++++-
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/client/http_client.rs b/src/client/http_client.rs
index 3b7597fe..99558dba 100644
--- a/src/client/http_client.rs
+++ b/src/client/http_client.rs
@@ -493,7 +493,7 @@ impl HttpClient {
let auth = self.login().await?;
if auth.auth_id.is_token() {
- let enc_api_token = format!("{}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
+ let enc_api_token = format!("PBSAPIToken {}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
req.headers_mut().insert("Authorization", HeaderValue::from_str(&enc_api_token).unwrap());
} else {
let enc_ticket = format!("PBSAuthCookie={}", percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
@@ -602,7 +602,7 @@ impl HttpClient {
let auth = self.login().await?;
if auth.auth_id.is_token() {
- let enc_api_token = format!("{}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
+ let enc_api_token = format!("PBSAPIToken {}:{}", auth.auth_id, percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
req.headers_mut().insert("Authorization", HeaderValue::from_str(&enc_api_token).unwrap());
} else {
let enc_ticket = format!("PBSAuthCookie={}", percent_encode(auth.ticket.as_bytes(), DEFAULT_ENCODE_SET));
diff --git a/src/server/rest.rs b/src/server/rest.rs
index 365e3570..85ad3746 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -17,6 +17,7 @@ use lazy_static::lazy_static;
use serde_json::{json, Value};
use tokio::fs::File;
use tokio::time::Instant;
+use percent_encoding::percent_decode_str;
use url::form_urlencoded;
use regex::Regex;
@@ -568,7 +569,9 @@ fn extract_auth_data(headers: &http::HeaderMap) -> Option<AuthData> {
}
match headers.get("AUTHORIZATION").map(|v| v.to_str()) {
- Some(Ok(v)) => Some(AuthData::ApiToken(v.to_owned())),
+ Some(Ok(v)) if v.starts_with("PBSAPIToken ") => {
+ Some(AuthData::ApiToken(v["PBSAPIToken ".len()..].to_owned()))
+ },
_ => None,
}
}
@@ -609,6 +612,10 @@ fn check_auth(
let tokensecret = parts.next()
.ok_or_else(|| format_err!("failed to split API token header"))?;
+ let tokensecret = percent_decode_str(tokensecret)
+ .decode_utf8()
+ .map_err(|_| format_err!("failed to decode API token header"))?;
+
crate::config::token_shadow::verify_secret(&tokenid, &tokensecret)?;
Ok(tokenid)
--
2.20.1
next reply other threads:[~2020-10-30 12:10 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-30 12:10 Fabian Grünbichler [this message]
2020-10-30 12:36 ` [pbs-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201030121038.2699389-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox