From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 9122391F80 for ; Thu, 9 Feb 2023 14:32:35 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DC752249A5 for ; Thu, 9 Feb 2023 14:31:41 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 9 Feb 2023 14:31:38 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D44F14654E for ; Thu, 9 Feb 2023 14:31:37 +0100 (CET) From: Lukas Wagner To: pbs-devel@lists.proxmox.com Date: Thu, 9 Feb 2023 14:31:17 +0100 Message-Id: <20230209133128.695211-8-l.wagner@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230209133128.695211-1-l.wagner@proxmox.com> References: <20230209133128.695211-1-l.wagner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.190 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [mod.rs, auth.rs, tfa.rs] Subject: [pbs-devel] [PATCH v3 proxmox-backup 07/18] auth: add LDAP realm authenticator X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Feb 2023 13:32:35 -0000 This commits also makes user authentication async, so that e.g. a not responding LDAP server cannot block other logins. Signed-off-by: Lukas Wagner --- Cargo.toml | 2 + src/api2/access/mod.rs | 8 +-- src/api2/access/tfa.rs | 15 ++-- src/auth.rs | 157 +++++++++++++++++++++++++++++++++++------ 4 files changed, 151 insertions(+), 31 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 2bf9ae48..f087cc47 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -62,6 +62,7 @@ proxmox-fuse = "0.1.3" proxmox-http = { version = "0.7", features = [ "client", "http-helpers", "websocket" ] } # see below proxmox-io = "1.0.1" # tools and client use "tokio" feature proxmox-lang = "1.1" +proxmox-ldap = "0.1" proxmox-metrics = "0.2" proxmox-rest-server = "0.2.1" # some use "cli", some use "cli" and "server", pbs-config uses nothing @@ -205,6 +206,7 @@ proxmox-compression.workspace = true proxmox-http = { workspace = true, features = [ "client-trait", "proxmox-async" ] } # pbs-client doesn't use these proxmox-io.workspace = true proxmox-lang.workspace = true +proxmox-ldap.workspace = true proxmox-metrics.workspace = true proxmox-rest-server.workspace = true proxmox-router = { workspace = true, features = [ "cli", "server"] } diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs index 9274b782..d3e21763 100644 --- a/src/api2/access/mod.rs +++ b/src/api2/access/mod.rs @@ -43,7 +43,7 @@ enum AuthResult { Partial(Box), } -fn authenticate_user( +async fn authenticate_user( userid: &Userid, password: &str, path: Option, @@ -107,7 +107,7 @@ fn authenticate_user( #[allow(clippy::let_unit_value)] { - let _: () = crate::auth::authenticate_user(userid, password)?; + let _: () = crate::auth::authenticate_user(userid, password).await?; } Ok(match crate::config::tfa::login_challenge(userid)? { @@ -190,7 +190,7 @@ fn authenticate_2nd( /// Create or verify authentication ticket. /// /// Returns: An authentication ticket with additional infos. -pub fn create_ticket( +pub async fn create_ticket( username: Userid, password: String, path: Option, @@ -206,7 +206,7 @@ pub fn create_ticket( .downcast_ref::() .ok_or_else(|| format_err!("detected wrong RpcEnvironment type"))?; - match authenticate_user(&username, &password, path, privs, port, tfa_challenge) { + match authenticate_user(&username, &password, path, privs, port, tfa_challenge).await { Ok(AuthResult::Success) => Ok(json!({ "username": username })), Ok(AuthResult::CreateTicket) => { let api_ticket = ApiTicket::Full(username.clone()); diff --git a/src/api2/access/tfa.rs b/src/api2/access/tfa.rs index 7e6d028a..599aee60 100644 --- a/src/api2/access/tfa.rs +++ b/src/api2/access/tfa.rs @@ -19,7 +19,7 @@ use crate::config::tfa::UserAccess; /// This means that user admins need to type in their own password while editing a user, and /// regular users, which can only change their own TFA settings (checked at the API level), can /// change their own settings using their own password. -fn tfa_update_auth( +async fn tfa_update_auth( rpcenv: &mut dyn RpcEnvironment, userid: &Userid, password: Option, @@ -32,6 +32,7 @@ fn tfa_update_auth( #[allow(clippy::let_unit_value)] { let _: () = crate::auth::authenticate_user(authid.user(), &password) + .await .map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?; } } @@ -114,13 +115,13 @@ fn get_tfa_entry(userid: Userid, id: String) -> Result, rpcenv: &mut dyn RpcEnvironment, ) -> Result<(), Error> { - tfa_update_auth(rpcenv, &userid, password, false)?; + tfa_update_auth(rpcenv, &userid, password, false).await?; let _lock = crate::config::tfa::write_lock()?; @@ -207,7 +208,7 @@ fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result, Er )] /// Add a TFA entry to the user. #[allow(clippy::too_many_arguments)] -fn add_tfa_entry( +async fn add_tfa_entry( userid: Userid, description: Option, totp: Option, @@ -217,7 +218,7 @@ fn add_tfa_entry( r#type: methods::TfaType, rpcenv: &mut dyn RpcEnvironment, ) -> Result { - tfa_update_auth(rpcenv, &userid, password, true)?; + tfa_update_auth(rpcenv, &userid, password, true).await?; let _lock = crate::config::tfa::write_lock()?; @@ -269,7 +270,7 @@ fn add_tfa_entry( }, )] /// Update user's TFA entry description. -fn update_tfa_entry( +async fn update_tfa_entry( userid: Userid, id: String, description: Option, @@ -277,7 +278,7 @@ fn update_tfa_entry( password: Option, rpcenv: &mut dyn RpcEnvironment, ) -> Result<(), Error> { - tfa_update_auth(rpcenv, &userid, password, true)?; + tfa_update_auth(rpcenv, &userid, password, true).await?; let _lock = crate::config::tfa::write_lock()?; diff --git a/src/auth.rs b/src/auth.rs index f1d5c0a1..30feb936 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -3,16 +3,27 @@ //! This library contains helper to authenticate users. use std::io::Write; +use std::path::PathBuf; +use std::pin::Pin; use std::process::{Command, Stdio}; use anyhow::{bail, format_err, Error}; +use futures::Future; +use proxmox_router::http_bail; use serde_json::json; -use pbs_api_types::{RealmRef, Userid, UsernameRef}; +use pbs_api_types::{LdapMode, LdapRealmConfig, RealmRef, Userid, UsernameRef}; use pbs_buildcfg::configdir; +use crate::auth_helpers; +use proxmox_ldap::{Config, Connection, ConnectionMode}; + pub trait ProxmoxAuthenticator { - fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>; + fn authenticate_user<'a>( + &'a self, + username: &'a UsernameRef, + password: &'a str, + ) -> Pin> + Send + 'a>>; fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>; fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>; } @@ -21,12 +32,18 @@ pub trait ProxmoxAuthenticator { struct PAM(); impl ProxmoxAuthenticator for PAM { - fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> { - let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap(); - auth.get_handler() - .set_credentials(username.as_str(), password); - auth.authenticate()?; - Ok(()) + fn authenticate_user<'a>( + &self, + username: &'a UsernameRef, + password: &'a str, + ) -> Pin> + Send + 'a>> { + Box::pin(async move { + let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap(); + auth.get_handler() + .set_credentials(username.as_str(), password); + auth.authenticate()?; + Ok(()) + }) } fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> { @@ -67,7 +84,10 @@ impl ProxmoxAuthenticator for PAM { // do not remove password for pam users fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> { - Ok(()) + http_bail!( + NOT_IMPLEMENTED, + "removing passwords is not implemented for PAM realms" + ); } } @@ -77,13 +97,19 @@ struct PBS(); const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json"); impl ProxmoxAuthenticator for PBS { - fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> { - let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?; - match data[username.as_str()].as_str() { - None => bail!("no password set"), - Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?, - } - Ok(()) + fn authenticate_user<'a>( + &self, + username: &'a UsernameRef, + password: &'a str, + ) -> Pin> + Send + 'a>> { + Box::pin(async move { + let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?; + match data[username.as_str()].as_str() { + None => bail!("no password set"), + Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?, + } + Ok(()) + }) } fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> { @@ -122,16 +148,107 @@ impl ProxmoxAuthenticator for PBS { } } +#[allow(clippy::upper_case_acronyms)] +pub struct LdapAuthenticator { + config: LdapRealmConfig, +} + +impl ProxmoxAuthenticator for LdapAuthenticator { + /// Authenticate user in LDAP realm + fn authenticate_user<'a>( + &'a self, + username: &'a UsernameRef, + password: &'a str, + ) -> Pin> + Send + 'a>> { + Box::pin(async move { + let ldap_config = Self::api_type_to_config(&self.config)?; + let ldap = Connection::new(ldap_config); + ldap.authenticate_user(username.as_str(), password).await?; + Ok(()) + }) + } + + fn store_password(&self, _username: &UsernameRef, _password: &str) -> Result<(), Error> { + http_bail!( + NOT_IMPLEMENTED, + "storing passwords is not implemented for LDAP realms" + ); + } + + fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> { + http_bail!( + NOT_IMPLEMENTED, + "removing passwords is not implemented for LDAP realms" + ); + } +} + +impl LdapAuthenticator { + pub fn api_type_to_config(config: &LdapRealmConfig) -> Result { + let mut servers = vec![config.server1.clone()]; + if let Some(server) = &config.server2 { + servers.push(server.clone()); + } + + let tls_mode = match config.mode.unwrap_or_default() { + LdapMode::Ldap => ConnectionMode::Ldap, + LdapMode::StartTls => ConnectionMode::StartTls, + LdapMode::Ldaps => ConnectionMode::Ldaps, + }; + + let (ca_store, trusted_cert) = if let Some(capath) = config.capath.as_deref() { + let path = PathBuf::from(capath); + if path.is_dir() { + (Some(path), None) + } else { + (None, Some(vec![path])) + } + } else { + (None, None) + }; + + Ok(Config { + servers, + port: config.port, + user_attr: config.user_attr.clone(), + base_dn: config.base_dn.clone(), + bind_dn: config.bind_dn.clone(), + bind_password: auth_helpers::get_ldap_bind_password(&config.realm)?, + tls_mode, + verify_certificate: config.verify.unwrap_or_default(), + additional_trusted_certificates: trusted_cert, + certificate_store_path: ca_store, + }) + } +} + /// Lookup the autenticator for the specified realm -pub fn lookup_authenticator(realm: &RealmRef) -> Result, Error> { +pub fn lookup_authenticator( + realm: &RealmRef, +) -> Result, Error> { match realm.as_str() { "pam" => Ok(Box::new(PAM())), "pbs" => Ok(Box::new(PBS())), - _ => bail!("unknown realm '{}'", realm.as_str()), + realm => { + let (domains, _digest) = pbs_config::domains::config()?; + if let Ok(config) = domains.lookup::("ldap", realm) { + Ok(Box::new(LdapAuthenticator { config })) + } else { + bail!("unknown realm '{}'", realm); + } + } } } /// Authenticate users -pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> { - lookup_authenticator(userid.realm())?.authenticate_user(userid.name(), password) +pub fn authenticate_user<'a>( + userid: &'a Userid, + password: &'a str, +) -> Pin> + Send + 'a>> { + Box::pin(async move { + lookup_authenticator(userid.realm())? + .authenticate_user(userid.name(), password) + .await?; + Ok(()) + }) } -- 2.30.2