From: Christoph Heiss <c.heiss@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [RFC PATCH proxmox-backup v2 14/15] api: add case-insensitive support for Active Directory realms
Date: Wed, 16 Aug 2023 16:47:44 +0200 [thread overview]
Message-ID: <20230816144746.1265108-15-c.heiss@proxmox.com> (raw)
In-Reply-To: <20230816144746.1265108-1-c.heiss@proxmox.com>
To properly support case-insensitive comparison of user names,
`CachedUserInfo` first needs to gain logic whether to look up the userid
in a case-sensitive or -insensitive manner.
The API part is pretty straight-forward, adding a new `case-sensitive`
parameter to the API (which is on-by-default).
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
It probably would be a good idea to warn the user/administrator in
`CachedUserInfo::is_active_user_id() that an ambiguous userid match
occured, but pulling the `log` crate into `pbs-config` seems
unneccesary. Should the error be bubbled up the call chain?
Changes v1 -> v2:
* New patch
pbs-api-types/src/ad.rs | 3 ++
pbs-config/src/cached_user_info.rs | 35 ++++++++++++---
pbs-config/src/domains.rs | 69 +++++++++++++++++++++++++++++-
src/api2/config/access/ad.rs | 9 ++++
src/api2/config/sync.rs | 18 +++++++-
5 files changed, 126 insertions(+), 8 deletions(-)
diff --git a/pbs-api-types/src/ad.rs b/pbs-api-types/src/ad.rs
index 910571a0..446715c7 100644
--- a/pbs-api-types/src/ad.rs
+++ b/pbs-api-types/src/ad.rs
@@ -61,6 +61,9 @@ pub struct AdRealmConfig {
/// overridden if the need arises.
#[serde(skip_serializing_if = "Option::is_none")]
pub base_dn: Option<String>,
+ /// Whether usernames should be matched case-sensitive
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub case_sensitive: Option<bool>,
/// Comment
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
diff --git a/pbs-config/src/cached_user_info.rs b/pbs-config/src/cached_user_info.rs
index b9534b80..5731fb0a 100644
--- a/pbs-config/src/cached_user_info.rs
+++ b/pbs-config/src/cached_user_info.rs
@@ -9,7 +9,9 @@ use proxmox_router::UserInformation;
use proxmox_section_config::SectionConfigData;
use proxmox_time::epoch_i64;
-use pbs_api_types::{privs_to_priv_names, ApiToken, Authid, User, Userid, ROLE_ADMIN};
+use pbs_api_types::{
+ privs_to_priv_names, AdRealmConfig, ApiToken, Authid, User, Userid, ROLE_ADMIN,
+};
use crate::acl::{AclTree, ROLE_NAMES};
use crate::ConfigVersionCache;
@@ -17,6 +19,7 @@ use crate::ConfigVersionCache;
/// Cache User/Group/Token/Acl configuration data for fast permission tests
pub struct CachedUserInfo {
user_cfg: Arc<SectionConfigData>,
+ domains_cfg: Arc<SectionConfigData>,
acl_tree: Arc<AclTree>,
}
@@ -56,6 +59,7 @@ impl CachedUserInfo {
let config = Arc::new(CachedUserInfo {
user_cfg: crate::user::cached_config()?,
+ domains_cfg: crate::domains::cached_config()?,
acl_tree: crate::acl::cached_config()?,
});
@@ -69,19 +73,40 @@ impl CachedUserInfo {
/// Only exposed for testing
#[doc(hidden)]
- pub fn test_new(user_cfg: SectionConfigData, acl_tree: AclTree) -> Self {
+ pub fn test_new(
+ user_cfg: SectionConfigData,
+ domains_cfg: SectionConfigData,
+ acl_tree: AclTree,
+ ) -> Self {
Self {
user_cfg: Arc::new(user_cfg),
+ domains_cfg: Arc::new(domains_cfg),
acl_tree: Arc::new(acl_tree),
}
}
/// Test if a user_id is enabled and not expired
pub fn is_active_user_id(&self, userid: &Userid) -> bool {
- if let Ok(info) = self.user_cfg.lookup::<User>("user", userid.as_str()) {
- info.is_active()
+ // Only Active Directory realms have the possibility to be case-insensitive
+ // Default is case-sensitive
+ let case_sensitive = match self
+ .domains_cfg
+ .lookup::<AdRealmConfig>("ad", userid.realm().as_str())
+ {
+ Ok(ad) => ad.case_sensitive.unwrap_or(true),
+ _ => true,
+ };
+
+ if case_sensitive {
+ self.user_cfg
+ .lookup::<User>("user", userid.as_str())
+ .map(|info| info.is_active())
+ .unwrap_or_default()
} else {
- false
+ match self.user_cfg.lookup_icase::<User>("user", userid.as_str()) {
+ Ok(users) if users.len() == 1 => users[0].is_active(),
+ _ => false,
+ }
}
}
diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index 4a9beec3..49a7b2d9 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -1,6 +1,9 @@
-use std::collections::HashMap;
+use std::{
+ collections::HashMap,
+ sync::{Arc, RwLock},
+};
-use anyhow::Error;
+use anyhow::{bail, Error};
use lazy_static::lazy_static;
use pbs_buildcfg::configdir;
@@ -58,11 +61,73 @@ pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
Ok((data, digest))
}
+/// Returns a cached [`SectionConfigData`] or fresh copy read directly from the [default
+/// path](DOMAINS_CFG_FILENAME).
+///
+/// This allows fast access to the domains config without having to read and parse it every time.
+pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {
+ struct ConfigCache {
+ data: Option<Arc<SectionConfigData>>,
+ last_mtime: i64,
+ last_mtime_nsec: i64,
+ }
+
+ lazy_static! {
+ static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new(ConfigCache {
+ data: None,
+ last_mtime: 0,
+ last_mtime_nsec: 0
+ });
+ }
+
+ let stat = match nix::sys::stat::stat(DOMAINS_CFG_FILENAME) {
+ Ok(stat) => Some(stat),
+ Err(nix::errno::Errno::ENOENT) => None,
+ Err(err) => bail!("unable to stat '{}' - {}", DOMAINS_CFG_FILENAME, err),
+ };
+
+ {
+ // limit scope
+ let cache = CACHED_CONFIG.read().unwrap();
+ if let Some(ref config) = cache.data {
+ if let Some(stat) = stat {
+ if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec
+ {
+ return Ok(config.clone());
+ }
+ } else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {
+ return Ok(config.clone());
+ }
+ }
+ }
+
+ let (config, _digest) = config()?;
+ let config = Arc::new(config);
+
+ let mut cache = CACHED_CONFIG.write().unwrap();
+ if let Some(stat) = stat {
+ cache.last_mtime = stat.st_mtime;
+ cache.last_mtime_nsec = stat.st_mtime_nsec;
+ }
+ cache.data = Some(config.clone());
+
+ Ok(config)
+}
+
pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
let raw = CONFIG.write(DOMAINS_CFG_FILENAME, config)?;
replace_backup_config(DOMAINS_CFG_FILENAME, raw.as_bytes())
}
+/// Only exposed for testing
+#[doc(hidden)]
+pub fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8; 32]), Error> {
+ let cfg = init();
+ let parsed = cfg.parse("test_domains_cfg", raw)?;
+
+ Ok((parsed, [0; 32]))
+}
+
/// Check if a realm with the given name exists
pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
realm == "pbs" || realm == "pam" || domains.sections.get(realm).is_some()
diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
index c202291a..f59b80af 100644
--- a/src/api2/config/access/ad.rs
+++ b/src/api2/config/access/ad.rs
@@ -152,6 +152,8 @@ pub enum DeletableProperty {
SyncAttributes,
/// User classes
UserClasses,
+ /// Whether usernames are compared case-sensitive or not
+ CaseSensitive,
}
#[api(
@@ -244,6 +246,9 @@ pub async fn update_ad_realm(
DeletableProperty::UserClasses => {
config.user_classes = None;
}
+ DeletableProperty::CaseSensitive => {
+ config.case_sensitive = None;
+ }
}
}
}
@@ -301,6 +306,10 @@ pub async fn update_ad_realm(
config.user_classes = Some(user_classes);
}
+ if let Some(case_sensitive) = update.case_sensitive {
+ config.case_sensitive = Some(case_sensitive);
+ }
+
let mut ldap_config = if password.is_some() {
AdAuthenticator::api_type_to_config_with_password(&config, password.clone())?
} else {
diff --git a/src/api2/config/sync.rs b/src/api2/config/sync.rs
index 01e5f2ce..86b53b72 100644
--- a/src/api2/config/sync.rs
+++ b/src/api2/config/sync.rs
@@ -481,6 +481,22 @@ user: write@pbs
"###,
)
.expect("test user.cfg is not parsable");
+ let (domains_cfg, _) = pbs_config::domains::test_cfg_from_str(
+ r###"
+ldap: ldap_example
+ base-dn dc=example,dc=com
+ mode ldap
+ server1 192.0.2.1
+ user-attr uid
+
+ad: ad_example
+ base-dn dc=example,dc=com
+ mode ldaps
+ server1 192.0.2.1
+
+"###,
+ )
+ .expect("test domains.cfg is not parsable");
let acl_tree = pbs_config::acl::AclTree::from_raw(
r###"
acl:1:/datastore/localstore1:read@pbs,write@pbs:DatastoreAudit
@@ -493,7 +509,7 @@ acl:1:/remote/remote1/remotestore1:write@pbs:RemoteSyncOperator
)
.expect("test acl.cfg is not parsable");
- let user_info = CachedUserInfo::test_new(user_cfg, acl_tree);
+ let user_info = CachedUserInfo::test_new(user_cfg, domains_cfg, acl_tree);
let root_auth_id = Authid::root_auth_id();
--
2.41.0
next prev parent reply other threads:[~2023-08-16 14:49 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-16 14:47 [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v2 0/15] add Active Directory realm support Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox v2 01/15] ldap: avoid superfluous allocation when calling .search() Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox v2 02/15] ldap: add method for retrieving root DSE attributes Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox v2 03/15] auth-api: implement `Display` for `Realm{, Ref}` Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 04/15] api-types: factor out `LdapMode` -> `ConnectionMode` conversion into own fn Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 05/15] auth: factor out CA store and cert lookup " Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 06/15] realm sync: generic-ify `LdapSyncSettings` and `GeneralSyncSettings` Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 07/15] api: access: add routes for managing AD realms Christoph Heiss
2023-11-28 8:23 ` Fabian Grünbichler
2023-12-12 12:19 ` Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 08/15] config: domains: add new "ad" section type for " Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 09/15] realm sync: add sync job " Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 10/15] manager: add subcommand for managing " Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-backup v2 11/15] docs: user-management: add section about AD realm support Christoph Heiss
2023-11-28 8:33 ` Fabian Grünbichler
2023-12-12 12:20 ` Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [PATCH proxmox-widget-toolkit v2 12/15] window: add Active Directory auth panel Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [RFC PATCH proxmox v2 13/15] section-config: add method to retrieve case-insensitive entries Christoph Heiss
2023-08-16 14:47 ` Christoph Heiss [this message]
2023-11-27 9:57 ` [pbs-devel] [RFC PATCH proxmox-backup v2 14/15] api: add case-insensitive support for Active Directory realms Lukas Wagner
2023-12-12 12:19 ` Christoph Heiss
2023-08-16 14:47 ` [pbs-devel] [RFC PATCH proxmox-widget-toolkit v2 15/15] window: ldap auth edit: add case-sensitive checkbox for AD realms Christoph Heiss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230816144746.1265108-15-c.heiss@proxmox.com \
--to=c.heiss@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox