From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 5E9971FF3AE for ; Thu, 13 Jun 2024 14:52:46 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id B775C30E51; Thu, 13 Jun 2024 14:53:24 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Thu, 13 Jun 2024 14:52:32 +0200 Message-Id: <20240613125236.236802-4-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240613125236.236802-1-s.sterz@proxmox.com> References: <20240613125236.236802-1-s.sterz@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.053 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pbs-devel] [PATCH proxmox v2 3/7] access-control: make token shadow implementation re-usable X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" this commit factors out the token shadow implementation from `proxmox-backup` so it can be used in other products. Signed-off-by: Shannon Sterz --- proxmox-access-control/Cargo.toml | 2 + proxmox-access-control/src/init.rs | 7 ++ proxmox-access-control/src/lib.rs | 1 + proxmox-access-control/src/token_shadow.rs | 84 ++++++++++++++++++++++ 4 files changed, 94 insertions(+) create mode 100644 proxmox-access-control/src/token_shadow.rs diff --git a/proxmox-access-control/Cargo.toml b/proxmox-access-control/Cargo.toml index 68cbf460..01ab5f5a 100644 --- a/proxmox-access-control/Cargo.toml +++ b/proxmox-access-control/Cargo.toml @@ -17,9 +17,11 @@ anyhow.workspace = true nix.workspace = true openssl.workspace = true serde.workspace = true +serde_json.workspace = true # proxmox-notify.workspace = true proxmox-auth-api = { workspace = true, features = [ "api-types" ] } proxmox-schema.workspace = true proxmox-product-config.workspace = true +proxmox-sys = { workspace = true, features = [ "crypt" ] } proxmox-time.workspace = true diff --git a/proxmox-access-control/src/init.rs b/proxmox-access-control/src/init.rs index 195ee131..0863a699 100644 --- a/proxmox-access-control/src/init.rs +++ b/proxmox-access-control/src/init.rs @@ -74,3 +74,10 @@ pub(crate) fn acl_config_lock() -> PathBuf { conf_dir().with_file_name(".acl.lck") } +pub(crate) fn token_shadow() -> PathBuf { + conf_dir().with_file_name("token.shadow") +} + +pub(crate) fn token_shadow_lock() -> PathBuf { + conf_dir().with_file_name("token.shadow.lock") +} diff --git a/proxmox-access-control/src/lib.rs b/proxmox-access-control/src/lib.rs index edb42568..524b0e60 100644 --- a/proxmox-access-control/src/lib.rs +++ b/proxmox-access-control/src/lib.rs @@ -1,3 +1,4 @@ pub mod acl; pub mod init; +pub mod token_shadow; pub mod types; diff --git a/proxmox-access-control/src/token_shadow.rs b/proxmox-access-control/src/token_shadow.rs new file mode 100644 index 00000000..ab8925b7 --- /dev/null +++ b/proxmox-access-control/src/token_shadow.rs @@ -0,0 +1,84 @@ +use std::collections::HashMap; + +use anyhow::{bail, format_err, Error}; +use proxmox_product_config::{open_api_lockfile, replace_config, ApiLockGuard}; +use serde::{Deserialize, Serialize}; +use serde_json::{from_value, Value}; + +use proxmox_auth_api::types::Authid; + +use crate::init::{token_shadow, token_shadow_lock}; + +#[derive(Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +/// ApiToken id / secret pair +pub struct ApiTokenSecret { + pub tokenid: Authid, + pub secret: String, +} + +// Get exclusive lock +fn lock_config() -> Result { + open_api_lockfile(token_shadow_lock(), None, true) +} + +fn read_file() -> Result, Error> { + let json = proxmox_sys::fs::file_get_json(token_shadow(), Some(Value::Null))?; + + if json == Value::Null { + Ok(HashMap::new()) + } else { + // swallow serde error which might contain sensitive data + from_value(json) + .map_err(|_err| format_err!("unable to parse '{}'", token_shadow().display())) + } +} + +fn write_file(data: HashMap) -> Result<(), Error> { + let json = serde_json::to_vec(&data)?; + replace_config(token_shadow(), &json) +} + +/// Verifies that an entry for given tokenid / API token secret exists +pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> { + if !tokenid.is_token() { + bail!("not an API token ID"); + } + + let data = read_file()?; + match data.get(tokenid) { + Some(hashed_secret) => proxmox_sys::crypt::verify_crypt_pw(secret, hashed_secret), + None => bail!("invalid API token"), + } +} + +/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash. +pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> { + if !tokenid.is_token() { + bail!("not an API token ID"); + } + + let _guard = lock_config()?; + + let mut data = read_file()?; + let hashed_secret = proxmox_sys::crypt::encrypt_pw(secret)?; + data.insert(tokenid.clone(), hashed_secret); + write_file(data)?; + + Ok(()) +} + +/// Deletes the entry for the given tokenid. +pub fn delete_secret(tokenid: &Authid) -> Result<(), Error> { + if !tokenid.is_token() { + bail!("not an API token ID"); + } + + let _guard = lock_config()?; + + let mut data = read_file()?; + data.remove(tokenid); + write_file(data)?; + + Ok(()) +} -- 2.39.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel