From: Lukas Wagner <l.wagner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH v3 proxmox-backup 07/18] auth: add LDAP realm authenticator
Date: Thu, 9 Feb 2023 14:31:17 +0100 [thread overview]
Message-ID: <20230209133128.695211-8-l.wagner@proxmox.com> (raw)
In-Reply-To: <20230209133128.695211-1-l.wagner@proxmox.com>
This commits also makes user authentication async, so that e.g. a not
responding LDAP server cannot block other logins.
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
Cargo.toml | 2 +
src/api2/access/mod.rs | 8 +--
src/api2/access/tfa.rs | 15 ++--
src/auth.rs | 157 +++++++++++++++++++++++++++++++++++------
4 files changed, 151 insertions(+), 31 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 2bf9ae48..f087cc47 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -62,6 +62,7 @@ proxmox-fuse = "0.1.3"
proxmox-http = { version = "0.7", features = [ "client", "http-helpers", "websocket" ] } # see below
proxmox-io = "1.0.1" # tools and client use "tokio" feature
proxmox-lang = "1.1"
+proxmox-ldap = "0.1"
proxmox-metrics = "0.2"
proxmox-rest-server = "0.2.1"
# some use "cli", some use "cli" and "server", pbs-config uses nothing
@@ -205,6 +206,7 @@ proxmox-compression.workspace = true
proxmox-http = { workspace = true, features = [ "client-trait", "proxmox-async" ] } # pbs-client doesn't use these
proxmox-io.workspace = true
proxmox-lang.workspace = true
+proxmox-ldap.workspace = true
proxmox-metrics.workspace = true
proxmox-rest-server.workspace = true
proxmox-router = { workspace = true, features = [ "cli", "server"] }
diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index 9274b782..d3e21763 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -43,7 +43,7 @@ enum AuthResult {
Partial(Box<TfaChallenge>),
}
-fn authenticate_user(
+async fn authenticate_user(
userid: &Userid,
password: &str,
path: Option<String>,
@@ -107,7 +107,7 @@ fn authenticate_user(
#[allow(clippy::let_unit_value)]
{
- let _: () = crate::auth::authenticate_user(userid, password)?;
+ let _: () = crate::auth::authenticate_user(userid, password).await?;
}
Ok(match crate::config::tfa::login_challenge(userid)? {
@@ -190,7 +190,7 @@ fn authenticate_2nd(
/// Create or verify authentication ticket.
///
/// Returns: An authentication ticket with additional infos.
-pub fn create_ticket(
+pub async fn create_ticket(
username: Userid,
password: String,
path: Option<String>,
@@ -206,7 +206,7 @@ pub fn create_ticket(
.downcast_ref::<RestEnvironment>()
.ok_or_else(|| format_err!("detected wrong RpcEnvironment type"))?;
- match authenticate_user(&username, &password, path, privs, port, tfa_challenge) {
+ match authenticate_user(&username, &password, path, privs, port, tfa_challenge).await {
Ok(AuthResult::Success) => Ok(json!({ "username": username })),
Ok(AuthResult::CreateTicket) => {
let api_ticket = ApiTicket::Full(username.clone());
diff --git a/src/api2/access/tfa.rs b/src/api2/access/tfa.rs
index 7e6d028a..599aee60 100644
--- a/src/api2/access/tfa.rs
+++ b/src/api2/access/tfa.rs
@@ -19,7 +19,7 @@ use crate::config::tfa::UserAccess;
/// This means that user admins need to type in their own password while editing a user, and
/// regular users, which can only change their own TFA settings (checked at the API level), can
/// change their own settings using their own password.
-fn tfa_update_auth(
+async fn tfa_update_auth(
rpcenv: &mut dyn RpcEnvironment,
userid: &Userid,
password: Option<String>,
@@ -32,6 +32,7 @@ fn tfa_update_auth(
#[allow(clippy::let_unit_value)]
{
let _: () = crate::auth::authenticate_user(authid.user(), &password)
+ .await
.map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
}
}
@@ -114,13 +115,13 @@ fn get_tfa_entry(userid: Userid, id: String) -> Result<methods::TypedTfaInfo, Er
},
)]
/// Delete a single TFA entry.
-fn delete_tfa(
+async fn delete_tfa(
userid: Userid,
id: String,
password: Option<String>,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
- tfa_update_auth(rpcenv, &userid, password, false)?;
+ tfa_update_auth(rpcenv, &userid, password, false).await?;
let _lock = crate::config::tfa::write_lock()?;
@@ -207,7 +208,7 @@ fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<methods::TfaUser>, Er
)]
/// Add a TFA entry to the user.
#[allow(clippy::too_many_arguments)]
-fn add_tfa_entry(
+async fn add_tfa_entry(
userid: Userid,
description: Option<String>,
totp: Option<String>,
@@ -217,7 +218,7 @@ fn add_tfa_entry(
r#type: methods::TfaType,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<methods::TfaUpdateInfo, Error> {
- tfa_update_auth(rpcenv, &userid, password, true)?;
+ tfa_update_auth(rpcenv, &userid, password, true).await?;
let _lock = crate::config::tfa::write_lock()?;
@@ -269,7 +270,7 @@ fn add_tfa_entry(
},
)]
/// Update user's TFA entry description.
-fn update_tfa_entry(
+async fn update_tfa_entry(
userid: Userid,
id: String,
description: Option<String>,
@@ -277,7 +278,7 @@ fn update_tfa_entry(
password: Option<String>,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
- tfa_update_auth(rpcenv, &userid, password, true)?;
+ tfa_update_auth(rpcenv, &userid, password, true).await?;
let _lock = crate::config::tfa::write_lock()?;
diff --git a/src/auth.rs b/src/auth.rs
index f1d5c0a1..30feb936 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -3,16 +3,27 @@
//! This library contains helper to authenticate users.
use std::io::Write;
+use std::path::PathBuf;
+use std::pin::Pin;
use std::process::{Command, Stdio};
use anyhow::{bail, format_err, Error};
+use futures::Future;
+use proxmox_router::http_bail;
use serde_json::json;
-use pbs_api_types::{RealmRef, Userid, UsernameRef};
+use pbs_api_types::{LdapMode, LdapRealmConfig, RealmRef, Userid, UsernameRef};
use pbs_buildcfg::configdir;
+use crate::auth_helpers;
+use proxmox_ldap::{Config, Connection, ConnectionMode};
+
pub trait ProxmoxAuthenticator {
- fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
+ fn authenticate_user<'a>(
+ &'a self,
+ username: &'a UsernameRef,
+ password: &'a str,
+ ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>>;
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
}
@@ -21,12 +32,18 @@ pub trait ProxmoxAuthenticator {
struct PAM();
impl ProxmoxAuthenticator for PAM {
- fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
- let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
- auth.get_handler()
- .set_credentials(username.as_str(), password);
- auth.authenticate()?;
- Ok(())
+ fn authenticate_user<'a>(
+ &self,
+ username: &'a UsernameRef,
+ password: &'a str,
+ ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+ Box::pin(async move {
+ let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
+ auth.get_handler()
+ .set_credentials(username.as_str(), password);
+ auth.authenticate()?;
+ Ok(())
+ })
}
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
@@ -67,7 +84,10 @@ impl ProxmoxAuthenticator for PAM {
// do not remove password for pam users
fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
- Ok(())
+ http_bail!(
+ NOT_IMPLEMENTED,
+ "removing passwords is not implemented for PAM realms"
+ );
}
}
@@ -77,13 +97,19 @@ struct PBS();
const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");
impl ProxmoxAuthenticator for PBS {
- fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
- let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
- match data[username.as_str()].as_str() {
- None => bail!("no password set"),
- Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,
- }
- Ok(())
+ fn authenticate_user<'a>(
+ &self,
+ username: &'a UsernameRef,
+ password: &'a str,
+ ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+ Box::pin(async move {
+ let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
+ match data[username.as_str()].as_str() {
+ None => bail!("no password set"),
+ Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,
+ }
+ Ok(())
+ })
}
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
@@ -122,16 +148,107 @@ impl ProxmoxAuthenticator for PBS {
}
}
+#[allow(clippy::upper_case_acronyms)]
+pub struct LdapAuthenticator {
+ config: LdapRealmConfig,
+}
+
+impl ProxmoxAuthenticator for LdapAuthenticator {
+ /// Authenticate user in LDAP realm
+ fn authenticate_user<'a>(
+ &'a self,
+ username: &'a UsernameRef,
+ password: &'a str,
+ ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+ Box::pin(async move {
+ let ldap_config = Self::api_type_to_config(&self.config)?;
+ let ldap = Connection::new(ldap_config);
+ ldap.authenticate_user(username.as_str(), password).await?;
+ Ok(())
+ })
+ }
+
+ fn store_password(&self, _username: &UsernameRef, _password: &str) -> Result<(), Error> {
+ http_bail!(
+ NOT_IMPLEMENTED,
+ "storing passwords is not implemented for LDAP realms"
+ );
+ }
+
+ fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+ http_bail!(
+ NOT_IMPLEMENTED,
+ "removing passwords is not implemented for LDAP realms"
+ );
+ }
+}
+
+impl LdapAuthenticator {
+ pub fn api_type_to_config(config: &LdapRealmConfig) -> Result<Config, Error> {
+ let mut servers = vec![config.server1.clone()];
+ if let Some(server) = &config.server2 {
+ servers.push(server.clone());
+ }
+
+ let tls_mode = match config.mode.unwrap_or_default() {
+ LdapMode::Ldap => ConnectionMode::Ldap,
+ LdapMode::StartTls => ConnectionMode::StartTls,
+ LdapMode::Ldaps => ConnectionMode::Ldaps,
+ };
+
+ let (ca_store, trusted_cert) = if let Some(capath) = config.capath.as_deref() {
+ let path = PathBuf::from(capath);
+ if path.is_dir() {
+ (Some(path), None)
+ } else {
+ (None, Some(vec![path]))
+ }
+ } else {
+ (None, None)
+ };
+
+ Ok(Config {
+ servers,
+ port: config.port,
+ user_attr: config.user_attr.clone(),
+ base_dn: config.base_dn.clone(),
+ bind_dn: config.bind_dn.clone(),
+ bind_password: auth_helpers::get_ldap_bind_password(&config.realm)?,
+ tls_mode,
+ verify_certificate: config.verify.unwrap_or_default(),
+ additional_trusted_certificates: trusted_cert,
+ certificate_store_path: ca_store,
+ })
+ }
+}
+
/// Lookup the autenticator for the specified realm
-pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {
+pub fn lookup_authenticator(
+ realm: &RealmRef,
+) -> Result<Box<dyn ProxmoxAuthenticator + Send + Sync + 'static>, Error> {
match realm.as_str() {
"pam" => Ok(Box::new(PAM())),
"pbs" => Ok(Box::new(PBS())),
- _ => bail!("unknown realm '{}'", realm.as_str()),
+ realm => {
+ let (domains, _digest) = pbs_config::domains::config()?;
+ if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
+ Ok(Box::new(LdapAuthenticator { config }))
+ } else {
+ bail!("unknown realm '{}'", realm);
+ }
+ }
}
}
/// Authenticate users
-pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {
- lookup_authenticator(userid.realm())?.authenticate_user(userid.name(), password)
+pub fn authenticate_user<'a>(
+ userid: &'a Userid,
+ password: &'a str,
+) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+ Box::pin(async move {
+ lookup_authenticator(userid.realm())?
+ .authenticate_user(userid.name(), password)
+ .await?;
+ Ok(())
+ })
}
--
2.30.2
next prev parent reply other threads:[~2023-02-09 13:32 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-09 13:31 [pbs-devel] [PATCH v3 proxmox{, -backup, -widget-toolkit} 00/18] add LDAP realm support Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox 01/18] rest-server: add handle_worker from backup debug cli Lukas Wagner
2023-02-10 9:44 ` [pbs-devel] applied: " Wolfgang Bumiller
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 02/18] debug cli: use handle_worker in proxmox-rest-server Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 03/18] pbs-config: add delete_authid to ACL-tree Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 04/18] ui: add 'realm' field in user edit Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 05/18] api-types: add LDAP configuration type Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 06/18] api: add routes for managing LDAP realms Lukas Wagner
2023-02-09 13:31 ` Lukas Wagner [this message]
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 08/18] api-types: add config options for LDAP user sync Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 09/18] server: add LDAP realm sync job Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 10/18] manager: add commands for managing LDAP realms Lukas Wagner
2023-02-10 10:16 ` Fabian Grünbichler
2023-02-10 10:30 ` Lukas Wagner
2023-02-10 12:42 ` Wolfgang Bumiller
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 11/18] docs: add configuration file reference for domains.cfg Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 12/18] docs: add documentation for LDAP realms Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 13/18] auth: add dummy OpenIdAuthenticator struct Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 14/18] auth: unify naming for all authenticator implementations Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 15/18] auth ui: add LDAP realm edit panel Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 16/18] auth ui: add LDAP sync UI Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 17/18] auth ui: add `onlineHelp` for AuthEditLDAP Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 18/18] auth ui: add `firstname` and `lastname` sync-attribute fields Lukas Wagner
2023-02-10 12:39 ` [pbs-devel] partially-applied: [PATCH v3 proxmox{, -backup, -widget-toolkit} 00/18] add LDAP realm support Wolfgang Bumiller
2023-02-10 14:01 ` [pbs-devel] " Friedrich Weber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230209133128.695211-8-l.wagner@proxmox.com \
--to=l.wagner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox