From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id CC3B46B2A4 for ; Mon, 20 Sep 2021 09:38:57 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C38CC1C4A0 for ; Mon, 20 Sep 2021 09:38:27 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id C786D1C3D3 for ; Mon, 20 Sep 2021 09:38:19 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A0065449AB; Mon, 20 Sep 2021 09:38:19 +0200 (CEST) From: Dietmar Maurer To: pbs-devel@lists.proxmox.com Date: Mon, 20 Sep 2021 09:38:08 +0200 Message-Id: <20210920073813.3178009-10-dietmar@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210920073813.3178009-1-dietmar@proxmox.com> References: <20210920073813.3178009-1-dietmar@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.644 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 10/15] rest server: return UserInformation from ApiAuth::check_auth X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Sep 2021 07:38:57 -0000 This need impl UserInformation for Arc which is implemented with proxmox 0.13.2 (thus the version bump).
---
Cargo.toml | 2 +- pbs-api-types/Cargo.toml | 2 +- pbs-client/Cargo.toml | 2 +- pbs-config/Cargo.toml | 2 +- pbs-datastore/Cargo.toml | 2 +- pbs-fuse-loop/Cargo.toml | 2 +- pbs-server/Cargo.toml | 2 +- pbs-server/src/lib.rs | 3 ++- pbs-systemd/Cargo.toml | 2 +- pbs-tape/Cargo.toml | 2 +- pbs-tools/Cargo.toml | 2 +- proxmox-backup-client/Cargo.toml | 2 +- proxmox-backup-debug/Cargo.toml | 2 +- proxmox-file-restore/Cargo.toml | 2 +- pxar-bin/Cargo.toml | 2 +- src/bin/proxmox_restore_daemon/auth.rs | 16 ++++++++++++++-- src/server/auth.rs | 9 ++++++--- src/server/rest.rs | 23 +++++++++++++++++------ 18 files changed, 53 insertions(+), 26 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 58abf7c6..f2739b91 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -96,7 +96,7 @@ zstd = { version = "0.6", features = [ "bindgen" ] }
 pathpatterns = "0.1.2"
 pxar = { version = "0.10.1", features = [ "tokio-io" ] }
-proxmox = { version = "0.13.0", features = [ "sortable-macro", "api-macro", "cli", "router", "tfa" ] }
+proxmox = { version = "0.13.2", features = [ "sortable-macro", "api-macro", "cli", "router", "tfa" ] }
 proxmox-acme-rs = "0.2.1"
 proxmox-apt = "0.7.0"
 proxmox-http = { version = "0.4.0", features = [ "client", "http-helpers", "websocket" ] }
diff --git a/pbs-api-types/Cargo.toml b/pbs-api-types/Cargo.toml
index 15507328..5a5785fa 100644
--- a/pbs-api-types/Cargo.toml
+++ b/pbs-api-types/Cargo.toml
@@ -14,7 +14,7 @@ openssl = "0.10"
 regex = "1.2"
 serde = { version = "1.0", features = ["derive"] }
-proxmox = { version = "0.13.0", default-features = false, features = [ "api-macro" ] }
+proxmox = { version = "0.13.2", default-features = false, features = [ "api-macro" ] }
 pbs-systemd = { path = "../pbs-systemd" }
 pbs-tools = { path = "../pbs-tools" }
diff --git a/pbs-client/Cargo.toml b/pbs-client/Cargo.toml
index fb12636f..8ed5fcb6 100644
--- a/pbs-client/Cargo.toml
+++ b/pbs-client/Cargo.toml
@@ -28,7 +28,7 @@ tower-service = "0.3.0"
 xdg = "2.2"
 pathpatterns = "0.1.2"
-proxmox = { version = "0.13.0", default-features = false, features = [ "cli" ] }
+proxmox = { version = "0.13.2", default-features = false, features = [ "cli" ] }
 proxmox-fuse = "0.1.1"
 proxmox-http = { version = "0.4.0", features = [ "client", "http-helpers", "websocket" ] }
 pxar = { version = "0.10.1", features = [ "tokio-io" ] }
diff --git a/pbs-config/Cargo.toml b/pbs-config/Cargo.toml
index 7f4258bd..553cbdd5 100644
--- a/pbs-config/Cargo.toml
+++ b/pbs-config/Cargo.toml
@@ -16,7 +16,7 @@ nix = "0.19.1"
 regex = "1.2"
 once_cell = "1.3.1"
-proxmox = { version = "0.13.0", default-features = false, features = [ "cli" ] }
+proxmox = { version = "0.13.2", default-features = false, features = [ "cli" ] }
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-buildcfg = { path = "../pbs-buildcfg" }
diff --git a/pbs-datastore/Cargo.toml b/pbs-datastore/Cargo.toml
index 32eae0d7..fd54e756 100644
--- a/pbs-datastore/Cargo.toml
+++ b/pbs-datastore/Cargo.toml
@@ -23,7 +23,7 @@ zstd = { version = "0.6", features = [ "bindgen" ] }
 pathpatterns = "0.1.2"
 pxar = "0.10.1"
-proxmox = { version = "0.13.0", default-features = false, features = [ "api-macro" ] }
+proxmox = { version = "0.13.2", default-features = false, features = [ "api-macro" ] }
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-tools = { path = "../pbs-tools" }
diff --git a/pbs-fuse-loop/Cargo.toml b/pbs-fuse-loop/Cargo.toml
index 5865a463..eaf3fe3f 100644
--- a/pbs-fuse-loop/Cargo.toml
+++ b/pbs-fuse-loop/Cargo.toml
@@ -14,7 +14,7 @@ nix = "0.19.1"
 regex = "1.2"
 tokio = { version = "1.6", features = [] }
-proxmox = "0.13.0"
+proxmox = "0.13.2"
 proxmox-fuse = "0.1.1"
 pbs-tools = { path = "../pbs-tools" }
diff --git a/pbs-server/Cargo.toml b/pbs-server/Cargo.toml
index 9f76f720..581016c8 100644
--- a/pbs-server/Cargo.toml
+++ b/pbs-server/Cargo.toml
@@ -20,7 +20,7 @@ serde = { version = "1.0", features = [] }
 serde_json = "1.0"
 tokio = { version = "1.6", features = ["signal", "process"] }
-proxmox = { version = "0.13.0", features = [ "router"] }
+proxmox = { version = "0.13.2", features = [ "router"] }
 # fixme: remove this dependency (pbs_tools::broadcast_future)
 pbs-tools = { path = "../pbs-tools" }
diff --git a/pbs-server/src/lib.rs b/pbs-server/src/lib.rs
index 9107a03f..55a10ca6 100644
--- a/pbs-server/src/lib.rs
+++ b/pbs-server/src/lib.rs
@@ -3,6 +3,7 @@ use std::os::unix::io::RawFd;
 use anyhow::{bail, format_err, Error};
 use proxmox::tools::fd::Fd;
+use proxmox::api::UserInformation;
 mod compression;
 pub use compression::*;
@@ -41,7 +42,7 @@ pub trait ApiAuth {
 &self,
 headers: &http::HeaderMap,
 method: &hyper::Method,
- ) -> Result;
+ ) -> Result<(String, Box), AuthError>;
 }
 static mut SHUTDOWN_REQUESTED: bool = false;
diff --git a/pbs-systemd/Cargo.toml b/pbs-systemd/Cargo.toml
index fcb60445..82bde2c0 100644
--- a/pbs-systemd/Cargo.toml
+++ b/pbs-systemd/Cargo.toml
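Review bot: The new `check_auth` return type in the `pbs-server/src/lib.rs` hunk pairs the auth id with a boxed `UserInformation`, yet the trait method has no doc comment saying what the two halves mean or that the box is what the REST layer will hand to its API permission check; the `fn check_auth(` signature line and the `pub trait ApiAuth` header sit above the hunk. Because any implementor that returns an over-permissive `UserInformation` directly widens access control, the contract is worth stating in rustdoc above the signature, e.g. `/// Authenticate the request. On success returns the resolved auth id together with the user/permission information the server must use for the API permission check of this request.` The `static mut SHUTDOWN_REQUESTED` context line is untouched by this patch.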
@@ -11,6 +11,6 @@ bitflags = "1.2.1"
 lazy_static = "1.4"
 nom = "5.1"
-proxmox = { version = "0.13.0", default-features = false }
+proxmox = { version = "0.13.2", default-features = false }
 pbs-tools = { path = "../pbs-tools" }
diff --git a/pbs-tape/Cargo.toml b/pbs-tape/Cargo.toml
index 719ef01c..19c75c82 100644
--- a/pbs-tape/Cargo.toml
+++ b/pbs-tape/Cargo.toml
@@ -18,7 +18,7 @@ bitflags = "1.2.1"
 regex = "1.2"
 udev = ">= 0.3, <0.5"
-proxmox = { version = "0.13.0", default-features = false, features = [] }
+proxmox = { version = "0.13.2", default-features = false, features = [] }
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-tools = { path = "../pbs-tools" }
diff --git a/pbs-tools/Cargo.toml b/pbs-tools/Cargo.toml
index 89c6303c..6d31eb44 100644
--- a/pbs-tools/Cargo.toml
+++ b/pbs-tools/Cargo.toml
@@ -30,7 +30,7 @@ url = "2.1"
 walkdir = "2"
 zstd = { version = "0.6", features = [ "bindgen" ] }
-proxmox = { version = "0.13.0", default-features = false, features = [ "tokio" ] }
+proxmox = { version = "0.13.2", default-features = false, features = [ "tokio" ] }
 pbs-buildcfg = { path = "../pbs-buildcfg" }
 pbs-runtime = { path = "../pbs-runtime" }
diff --git a/proxmox-backup-client/Cargo.toml b/proxmox-backup-client/Cargo.toml
index b1ecf3e4..cfe0952f 100644
--- a/proxmox-backup-client/Cargo.toml
+++ b/proxmox-backup-client/Cargo.toml
@@ -22,7 +22,7 @@ zstd = { version = "0.6", features = [ "bindgen" ] }
 pathpatterns = "0.1.2"
 pxar = { version = "0.10.1", features = [ "tokio-io" ] }
-proxmox = { version = "0.13.0", features = [ "sortable-macro", "api-macro", "cli", "router" ] }
+proxmox = { version = "0.13.2", features = [ "sortable-macro", "api-macro", "cli", "router" ] }
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-buildcfg = { path = "../pbs-buildcfg" }
diff --git a/proxmox-backup-debug/Cargo.toml b/proxmox-backup-debug/Cargo.toml
index 7f1f596d..0af375d3 100644
--- a/proxmox-backup-debug/Cargo.toml
+++ b/proxmox-backup-debug/Cargo.toml
@@ -9,7 +9,7 @@ anyhow = "1.0"
 walkdir = "2"
 serde_json = "1.0"
-proxmox = { version = "0.13.0", features = [ "api-macro", "cli" ] }
+proxmox = { version = "0.13.2", features = [ "api-macro", "cli" ] }
 pbs-config = { path = "../pbs-config" }
 pbs-client = { path = "../pbs-client" }
diff --git a/proxmox-file-restore/Cargo.toml b/proxmox-file-restore/Cargo.toml
index 127397b6..2d0415e4 100644
--- a/proxmox-file-restore/Cargo.toml
+++ b/proxmox-file-restore/Cargo.toml
@@ -16,7 +16,7 @@ tokio = { version = "1.6", features = [ "io-std", "rt", "rt-multi-thread", "time
 pxar = { version = "0.10.1", features = [ "tokio-io" ] }
-proxmox = { version = "0.13.0", features = [ "api-macro", "cli" ] }
+proxmox = { version = "0.13.2", features = [ "api-macro", "cli" ] }
 pbs-api-types = { path = "../pbs-api-types" }
 pbs-buildcfg = { path = "../pbs-buildcfg" }
diff --git a/pxar-bin/Cargo.toml b/pxar-bin/Cargo.toml
index e1a47604..43d63218 100644
--- a/pxar-bin/Cargo.toml
+++ b/pxar-bin/Cargo.toml
@@ -16,7 +16,7 @@ serde_json = "1.0"
 tokio = { version = "1.6", features = [ "rt", "rt-multi-thread" ] }
 pathpatterns = "0.1.2"
-proxmox = { version = "0.13.0", default-features = false, features = [] }
+proxmox = { version = "0.13.2", default-features = false, features = [] }
 pxar = { version = "0.10.1", features = [ "tokio-io" ] }
 pbs-client = { path = "../pbs-client" }
diff --git a/src/bin/proxmox_restore_daemon/auth.rs b/src/bin/proxmox_restore_daemon/auth.rs
index e24ef160..05e7f9ce 100644
--- a/src/bin/proxmox_restore_daemon/auth.rs
+++ b/src/bin/proxmox_restore_daemon/auth.rs
@@ -4,10 +4,22 @@ use std::io::prelude::*;
 use anyhow::{bail, format_err, Error};
+use proxmox::api::UserInformation;
+
 use pbs_server::{ApiAuth, AuthError};
 const TICKET_FILE: &str = "/ticket";
+struct SimpleUserInformation {}
+
+impl UserInformation for SimpleUserInformation {
+ fn is_superuser(&self, userid: &str) -> bool {
+ userid == "root@pam"
+ }
+ fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
+ fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
+}
+
 pub struct StaticAuth {
 ticket: String,
 }
@@ -17,10 +29,10 @@ impl ApiAuth for StaticAuth {
 &self,
 headers: &http::HeaderMap,
 _method: &hyper::Method,
- ) -> Result {
+ ) -> Result<(String, Box), AuthError> {
 match headers.get(hyper::header::AUTHORIZATION) {
 Some(header) if header.to_str().unwrap_or("") == &self.ticket => {
- Ok(String::from("root@pam"))
+ Ok((String::from("root@pam"), Box::new(SimpleUserInformation {})))
 }
 _ => {
 return Err(AuthError::Generic(format_err!(
diff --git a/src/server/auth.rs b/src/server/auth.rs
index d7fbf511..e67b9d9d 100644
--- a/src/server/auth.rs
+++ b/src/server/auth.rs
@@ -3,6 +3,8 @@ use anyhow::format_err;
 use std::sync::Arc;
+use proxmox::api::UserInformation;
+
 use pbs_tools::ticket::{self, Ticket};
 use pbs_config::{token_shadow, CachedUserInfo};
 use pbs_api_types::{Authid, Userid};
@@ -56,11 +58,12 @@ impl UserApiAuth {
 }
 impl ApiAuth for UserApiAuth {
+
 fn check_auth(
 &self,
 headers: &http::HeaderMap,
 method: &hyper::Method,
- ) -> Result {
+ ) -> Result<(String, Box), AuthError> {
 let user_info = CachedUserInfo::new()?;
@@ -93,7 +96,7 @@ impl ApiAuth for UserApiAuth {
 }
 }
- Ok(auth_id.to_string())
+ Ok((auth_id.to_string(), Box::new(user_info)))
 }
 Some(AuthData::ApiToken(api_token)) => {
 let mut parts = api_token.splitn(2, ':');
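Review bot: `SimpleUserInformation` in the restore daemon's first hunk answers `lookup_privs` with 0 and `is_group_member` with false for every user, so the only thing that can ever grant access in this daemon is `is_superuser` matching `"root@pam"`; whether that is enough for every route depends on the router's permission check treating superuser as all-privileged, which is not visible here and should be confirmed before merging. The intent deserves a comment on the impl, e.g. `// The restore VM has a single identity: the ticket holder is root@pam and is treated as superuser; there is no ACL or group data to consult.` The literal `"root@pam"` now appears both in this impl and in `check_auth` in the next hunk, so hoist it to `const ROOT_USERID: &str = "root@pam";` and use it in both places.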
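Review bot: The `+` line directly after `impl ApiAuth for UserApiAuth {` in the `src/server/auth.rs` `@@ -56` hunk adds nothing but an empty line, unrelated whitespace churn that should be dropped so the hunk holds only the signature change. The `user_info` boxed in the `Ok(...)` arms of this file's `@@ -93` and `@@ -115` hunks is the `CachedUserInfo` obtained at the top of `check_auth` (visible as context here), so the REST layer's permission check now reuses the snapshot the authentication itself used instead of constructing a second one; a one-line comment at the `Ok` sites such as `// hand the permission check the same user-info snapshot used to authenticate` would make that intent explicit. The body of `check_auth` continues outside these hunks.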
@@ -115,7 +118,7 @@ impl ApiAuth for UserApiAuth {
 token_shadow::verify_secret(&tokenid, &tokensecret)?;
- Ok(tokenid.to_string())
+ Ok((tokenid.to_string(), Box::new(user_info)))
 }
 None => Err(AuthError::NoData),
 }
diff --git a/src/server/rest.rs b/src/server/rest.rs
index 659179c7..fab9705c 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -26,7 +26,7 @@ use proxmox::api::schema::{
 };
 use proxmox::api::{
 check_api_permission, ApiHandler, ApiMethod, HttpError, Permission, RpcEnvironment,
- RpcEnvironmentType,
+ RpcEnvironmentType, UserInformation,
 };
 use proxmox::http_err;
 use proxmox::tools::fs::CreateOptions;
@@ -40,12 +40,18 @@ use pbs_server::{
 };
 use pbs_server::formatter::*;
-use pbs_config::CachedUserInfo;
-
 extern "C" {
 fn tzset();
 }
+struct EmptyUserInformation {}
+
+impl UserInformation for EmptyUserInformation {
+ fn is_superuser(&self, _userid: &str) -> bool { false }
+ fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
+ fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
+}
+
 pub struct RestServer {
 pub api_config: Arc,
 }
@@ -652,9 +658,14 @@ async fn handle_request(
 }
 }
+ let mut user_info: Box = Box::new(EmptyUserInformation {});
+
 if auth_required {
 match auth.check_auth(&parts.headers, &method) {
- Ok(authid) => rpcenv.set_auth_id(Some(authid)),
+ Ok((authid, info)) => {
+ rpcenv.set_auth_id(Some(authid));
+ user_info = info;
+ }
 Err(auth_err) => {
 let err = match auth_err {
 AuthError::Generic(err) => err,
@@ -683,7 +694,7 @@ async fn handle_request(
 }
 Some(api_method) => {
 let auth_id = rpcenv.get_auth_id();
- let user_info = CachedUserInfo::new()?;
+ let user_info = user_info;
 if !check_api_permission(
 api_method.access.permission,
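Review bot: `EmptyUserInformation` in the `src/server/rest.rs` `@@ -40` hunk is the value `user_info` carries into the permission check whenever `check_auth` did not run (the path where `auth_required` is false in the `@@ -652` hunk), and it denies superuser status, group membership and privileges uniformly, which is the fail-closed default — but nothing in the code says that this is deliberate. Add above the struct: `/// Placeholder for requests served without authentication: grants no superuser status, group membership or privileges, so only permission rules that need no user data can pass.` In the `@@ -652` hunk, `user_info` is only replaced in the `Ok` arm; the `Err` arm continues outside the hunk, so if any error variant falls through rather than returning, the request proceeds with no auth id and the empty user info, which is the safe outcome and worth a short comment next to `let mut user_info`.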
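Review bot: `let user_info = user_info;` in the `@@ -683` hunk of `src/server/rest.rs` is a no-op rebinding of the variable declared earlier in `handle_request` (the `@@ -652` hunk) and reads like a leftover of the removed `CachedUserInfo::new()?` line. Either delete the line, since the outer `user_info` is already in scope for the `check_api_permission` call below it, or, if the shadow is meant to freeze the binding as immutable, say so: `let user_info = user_info; // shadow: no further reassignment past this point`. `handle_request` begins and ends outside both hunks.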
@@ -727,7 +738,7 @@ async fn handle_request(
 if comp_len == 0 {
 let language = extract_lang_header(&parts.headers);
 match auth.check_auth(&parts.headers, &method) {
- Ok(auth_id) => {
+ Ok((auth_id, _user_info)) => {
 return Ok(api.get_index(Some(auth_id), language, parts));
 }
 Err(AuthError::Generic(_)) => {
-- 2.30.2