From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 09F626B860 for ; Tue, 21 Sep 2021 07:59:59 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ACB068FBF for ; Tue, 21 Sep 2021 07:59:05 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id D8EA58E62 for ; Tue, 21 Sep 2021 07:58:59 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 9F5BB449DD; Tue, 21 Sep 2021 07:58:59 +0200 (CEST) From: Dietmar Maurer To: pbs-devel@lists.proxmox.com Date: Tue, 21 Sep 2021 07:58:48 +0200 Message-Id: <20210921055854.3799470-11-dietmar@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210921055854.3799470-1-dietmar@proxmox.com> References: <20210921055854.3799470-1-dietmar@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.599 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [auth.rs, lib.rs, rest.rs]
Subject: [pbs-devel] [PATCH proxmox-backup v2 10/16] rest server: return UserInformation from ApiAuth::check_auth
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 21 Sep 2021 05:59:59 -0000

This need impl UserInformation for Arc which is implemented with proxmox 0.13.2
---
 proxmox-rest-server/src/lib.rs | 3 ++-
 src/bin/proxmox_restore_daemon/auth.rs | 16 ++++++++++++++--
 src/server/auth.rs | 9 ++++++---
 src/server/rest.rs | 23 +++++++++++++++++------
 4 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/proxmox-rest-server/src/lib.rs b/proxmox-rest-server/src/lib.rs
index 9107a03f..55a10ca6 100644
--- a/proxmox-rest-server/src/lib.rs
+++ b/proxmox-rest-server/src/lib.rs
@@ -3,6 +3,7 @@ use std::os::unix::io::RawFd;
 use anyhow::{bail, format_err, Error};
 use proxmox::tools::fd::Fd;
+use proxmox::api::UserInformation;
 mod compression;
 pub use compression::*;
@@ -41,7 +42,7 @@ pub trait ApiAuth {
 &self,
 headers: &http::HeaderMap,
 method: &hyper::Method,
- ) -> Result;
+ ) -> Result<(String, Box), AuthError>;
 }
 static mut SHUTDOWN_REQUESTED: bool = false;
diff --git a/src/bin/proxmox_restore_daemon/auth.rs b/src/bin/proxmox_restore_daemon/auth.rs
index ea1dabe6..6d6e9c58 100644
--- a/src/bin/proxmox_restore_daemon/auth.rs
+++ b/src/bin/proxmox_restore_daemon/auth.rs
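Review bot: The changed `check_auth` signature in the `pub trait ApiAuth` hunk now returns a pair, but there is no doc comment saying what each half is or that the boxed `UserInformation` is the object the REST layer will hand to `check_api_permission` (as the rest.rs hunks in this patch show), which makes every `ApiAuth` implementor responsible for the privilege model and not only for the identity. I would add a doc comment above the method: `/// Authenticate the request; on success return the authenticated id together with the UserInformation the server must consult for this request's permission checks.` The generic parameters of `Result`/`Box` are stripped in this copy of the patch, so the type itself cannot be checked here. The trait definition starts before the hunk.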
@@ -4,10 +4,22 @@ use std::io::prelude::*;
 use anyhow::{bail, format_err, Error};
+use proxmox::api::UserInformation;
+
 use proxmox_rest_server::{ApiAuth, AuthError};
 const TICKET_FILE: &str = "/ticket";
+struct SimpleUserInformation {}
+
+impl UserInformation for SimpleUserInformation {
+ fn is_superuser(&self, userid: &str) -> bool {
+ userid == "root@pam"
+ }
+ fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
+ fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
+}
+
 pub struct StaticAuth {
 ticket: String,
 }
@@ -17,10 +29,10 @@ impl ApiAuth for StaticAuth {
 &self,
 headers: &http::HeaderMap,
 _method: &hyper::Method,
- ) -> Result {
+ ) -> Result<(String, Box), AuthError> {
 match headers.get(hyper::header::AUTHORIZATION) {
 Some(header) if header.to_str().unwrap_or("") == &self.ticket => {
- Ok(String::from("root@pam"))
+ Ok((String::from("root@pam"), Box::new(SimpleUserInformation {})))
 }
 _ => {
 return Err(AuthError::Generic(format_err!(
diff --git a/src/server/auth.rs b/src/server/auth.rs
index e4cf9034..90252435 100644
--- a/src/server/auth.rs
+++ b/src/server/auth.rs
@@ -3,6 +3,8 @@ use anyhow::format_err;
 use std::sync::Arc;
+use proxmox::api::UserInformation;
+
 use pbs_tools::ticket::{self, Ticket};
 use pbs_config::{token_shadow, CachedUserInfo};
 use pbs_api_types::{Authid, Userid};
@@ -56,11 +58,12 @@ impl UserApiAuth {
 }
 impl ApiAuth for UserApiAuth {
+
 fn check_auth(
 &self,
 headers: &http::HeaderMap,
 method: &hyper::Method,
- ) -> Result {
+ ) -> Result<(String, Box), AuthError> {
 let user_info = CachedUserInfo::new()?;
@@ -93,7 +96,7 @@ impl ApiAuth for UserApiAuth {
 }
 }
- Ok(auth_id.to_string())
+ Ok((auth_id.to_string(), Box::new(user_info)))
 }
 Some(AuthData::ApiToken(api_token)) => {
 let mut parts = api_token.splitn(2, ':');
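Review bot: `SimpleUserInformation` in the restore daemon hunk hard-codes the privilege model without saying so: `is_superuser` is true exactly for `"root@pam"`, which is the only id `StaticAuth::check_auth` ever returns, so every caller presenting the static ticket is a superuser for `check_api_permission`, while `lookup_privs` answering 0 and `is_group_member` answering false mean any ACL- or group-based permission is denied. That is coherent for a single-ticket daemon, but a later change that returns a second auth id would silently get no privileges at all, so the intent should be written down. I would add above the struct: `/// Privilege model of the restore daemon: the only id StaticAuth produces is root@pam and it is a superuser; there are no ACLs, so every lookup yields 0 and anything not gated by Permission::Superuser/Anybody is denied.`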
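Review bot: In the `impl ApiAuth for UserApiAuth` hunk, `Box::new(user_info)` boxes the value returned by `CachedUserInfo::new()` as a `UserInformation` trait object, which the commit message says is only possible because proxmox 0.13.2 implements the trait for `Arc`; none of this patch's hunks touch Cargo.toml or the Debian build-dependencies, so unless another patch of the series raises the minimum `proxmox` version, a build against an older crate fails only at compile time with an unrelated-looking trait error. I would state the requirement where the dependency is declared (`proxmox = { version = "0.13.2", ... }`) or reference the patch that does. The body of `check_auth` continues past the end of the hunk.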
@@ -115,7 +118,7 @@ impl ApiAuth for UserApiAuth {
 token_shadow::verify_secret(&tokenid, &tokensecret)?;
- Ok(tokenid.to_string())
+ Ok((tokenid.to_string(), Box::new(user_info)))
 }
 None => Err(AuthError::NoData),
 }
diff --git a/src/server/rest.rs b/src/server/rest.rs
index 9ed0eb32..d87985c1 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -26,7 +26,7 @@ use proxmox::api::schema::{
 };
 use proxmox::api::{
 check_api_permission, ApiHandler, ApiMethod, HttpError, Permission, RpcEnvironment,
- RpcEnvironmentType,
+ RpcEnvironmentType, UserInformation,
 };
 use proxmox::http_err;
 use proxmox::tools::fs::CreateOptions;
@@ -40,12 +40,18 @@ use proxmox_rest_server::{
 };
 use proxmox_rest_server::formatter::*;
-use pbs_config::CachedUserInfo;
-
 extern "C" {
 fn tzset();
 }
+struct EmptyUserInformation {}
+
+impl UserInformation for EmptyUserInformation {
+ fn is_superuser(&self, _userid: &str) -> bool { false }
+ fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
+ fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
+}
+
 pub struct RestServer {
 pub api_config: Arc,
 }
@@ -652,9 +658,14 @@ async fn handle_request(
 }
 }
+ let mut user_info: Box = Box::new(EmptyUserInformation {});
+
 if auth_required {
 match auth.check_auth(&parts.headers, &method) {
- Ok(authid) => rpcenv.set_auth_id(Some(authid)),
+ Ok((authid, info)) => {
+ rpcenv.set_auth_id(Some(authid));
+ user_info = info;
+ }
 Err(auth_err) => {
 let err = match auth_err {
 AuthError::Generic(err) => err,
@@ -683,7 +694,7 @@ async fn handle_request(
 }
 Some(api_method) => {
 let auth_id = rpcenv.get_auth_id();
- let user_info = CachedUserInfo::new()?;
+ let user_info = user_info;
 if !check_api_permission(
 api_method.access.permission,
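Review bot: `EmptyUserInformation` in the rest.rs hunk is what `check_api_permission` receives whenever `auth_required` is false, because it is the default of the `let mut user_info` introduced in the `handle_request` hunk below and is only replaced on a successful `check_auth`; it answers false/0 to every query, which is the fail-closed behaviour one wants, but nothing in the code says this is deliberate rather than a placeholder. Previously a real `CachedUserInfo` was built for every request, so a reviewer of the next change needs to know that an unauthenticated route can now only pass a permission check that does not consult user privileges at all (presumably `Permission::Anybody`; confirm against `check_api_permission`). I would add: `/// Grants nothing. Used for requests that were not authenticated, so every permission that consults user privileges is denied.`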
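Review bot: `let user_info = user_info;` in the second `handle_request` hunk is a no-op rebinding of the `let mut user_info` declared earlier in the function; it keeps the old line's shape but does nothing the compiler needs. Either drop the line and use the outer binding directly, or, if the intent is to make the value immutable before the permission check, say so: `let user_info = user_info; // freeze: no further reassignment after authentication`. `handle_request` starts before and ends after the hunk.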
@@ -727,7 +738,7 @@ async fn handle_request(
 if comp_len == 0 {
 let language = extract_lang_header(&parts.headers);
 match auth.check_auth(&parts.headers, &method) {
- Ok(auth_id) => {
+ Ok((auth_id, _user_info)) => {
 return Ok(api.get_index(Some(auth_id), language, parts));
 }
 Err(AuthError::Generic(_)) => {
-- 
2.30.2