From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ronja.mits.lan by ronja.mits.lan with LMTP id 0CdOAOCqcmbWLwAAxxbTJA (envelope-from ); Wed, 19 Jun 2024 11:54:40 +0200 Received: from proxmox-new.maurer-it.com (unknown [192.168.2.33]) by ronja.mits.lan (Postfix) with ESMTPS id DA503F645D0; Wed, 19 Jun 2024 11:54:39 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id BFDF747C6B; Wed, 19 Jun 2024 11:54:39 +0200 (CEST) Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by proxmox-new.maurer-it.com (Proxmox) with ESMTPS; Wed, 19 Jun 2024 11:54:38 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 60323172E; Wed, 19 Jun 2024 11:54:37 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Wed, 19 Jun 2024 11:54:13 +0200 Message-Id: <20240619095418.126368-3-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240619095418.126368-1-s.sterz@proxmox.com> References: <20240619095418.126368-1-s.sterz@proxmox.com> MIME-Version: 1.0 Subject: [pbs-devel] [PATCH proxmox v3 2/7] access-control: define `User`, `UserWithTokens` and `ApiTokens` types X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" X-SPAM-LEVEL: Spam detection results: 0 DMARC_MISSING 0.1 Missing DMARC policy ENA_SUBJ_ODD_CASE 2.6 Subject has odd case KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods MAILING_LIST_MULTI -2 Multiple indicators imply a widely-seen list manager RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record T_SCC_BODY_TEXT_LINE -0.01 - these types are used by the user config in `proxmox-backup` server. this commit factors them out so we can re-use them in other products as well as this crate. Signed-off-by: Shannon Sterz --- proxmox-access-control/Cargo.toml | 3 + proxmox-access-control/src/lib.rs | 1 + proxmox-access-control/src/types.rs | 228 ++++++++++++++++++++++++++++ 3 files changed, 232 insertions(+) create mode 100644 proxmox-access-control/src/types.rs diff --git a/proxmox-access-control/Cargo.toml b/proxmox-access-control/Cargo.toml index b783a21f..68cbf460 100644 --- a/proxmox-access-control/Cargo.toml +++ b/proxmox-access-control/Cargo.toml @@ -16,7 +16,10 @@ description = "A collection of utilities to implement access control management. anyhow.workspace = true nix.workspace = true openssl.workspace = true +serde.workspace = true # proxmox-notify.workspace = true proxmox-auth-api = { workspace = true, features = [ "api-types" ] } +proxmox-schema.workspace = true proxmox-product-config.workspace = true +proxmox-time.workspace = true diff --git a/proxmox-access-control/src/lib.rs b/proxmox-access-control/src/lib.rs index 8ad2c83d..edb42568 100644 --- a/proxmox-access-control/src/lib.rs +++ b/proxmox-access-control/src/lib.rs @@ -1,2 +1,3 @@ pub mod acl; pub mod init; +pub mod types; diff --git a/proxmox-access-control/src/types.rs b/proxmox-access-control/src/types.rs new file mode 100644 index 00000000..9ed4e9cd --- /dev/null +++ b/proxmox-access-control/src/types.rs @@ -0,0 +1,228 @@ +use proxmox_auth_api::types::{Authid, Userid, PROXMOX_TOKEN_ID_SCHEMA}; +use serde::{Deserialize, Serialize}; + +use proxmox_schema::{ + api, + api_types::{COMMENT_SCHEMA, SINGLE_LINE_COMMENT_FORMAT}, + BooleanSchema, IntegerSchema, Schema, StringSchema, Updater, +}; + +pub const ENABLE_USER_SCHEMA: Schema = BooleanSchema::new( + "Enable the account (default). You can set this to '0' to disable the account.", +) +.default(true) +.schema(); + +pub const EXPIRE_USER_SCHEMA: Schema = IntegerSchema::new( + "Account expiration date (seconds since epoch). '0' means no expiration date.", +) +.default(0) +.minimum(0) +.schema(); + +pub const FIRST_NAME_SCHEMA: Schema = StringSchema::new("First name.") + .format(&SINGLE_LINE_COMMENT_FORMAT) + .min_length(2) + .max_length(64) + .schema(); + +pub const LAST_NAME_SCHEMA: Schema = StringSchema::new("Last name.") + .format(&SINGLE_LINE_COMMENT_FORMAT) + .min_length(2) + .max_length(64) + .schema(); + +pub const EMAIL_SCHEMA: Schema = StringSchema::new("E-Mail Address.") + .format(&SINGLE_LINE_COMMENT_FORMAT) + .min_length(2) + .max_length(64) + .schema(); + +#[api( + properties: { + userid: { + type: Userid, + }, + comment: { + optional: true, + schema: COMMENT_SCHEMA, + }, + enable: { + optional: true, + schema: ENABLE_USER_SCHEMA, + }, + expire: { + optional: true, + schema: EXPIRE_USER_SCHEMA, + }, + firstname: { + optional: true, + schema: FIRST_NAME_SCHEMA, + }, + lastname: { + schema: LAST_NAME_SCHEMA, + optional: true, + }, + email: { + schema: EMAIL_SCHEMA, + optional: true, + }, + tokens: { + type: Array, + optional: true, + description: "List of user's API tokens.", + items: { + type: ApiToken + }, + }, + "totp-locked": { + type: bool, + optional: true, + default: false, + description: "True if the user is currently locked out of TOTP factors", + }, + "tfa-locked-until": { + optional: true, + description: "Contains a timestamp until when a user is locked out of 2nd factors", + }, + } +)] +#[derive(Serialize, Deserialize, Clone, PartialEq)] +#[serde(rename_all = "kebab-case")] +/// User properties with added list of ApiTokens +pub struct UserWithTokens { + pub userid: Userid, + #[serde(skip_serializing_if = "Option::is_none")] + pub comment: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub enable: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub expire: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub firstname: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub lastname: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub email: Option, + #[serde(skip_serializing_if = "Vec::is_empty", default)] + pub tokens: Vec, + #[serde(skip_serializing_if = "bool_is_false", default)] + pub totp_locked: bool, + #[serde(skip_serializing_if = "Option::is_none")] + pub tfa_locked_until: Option, +} + +fn bool_is_false(b: &bool) -> bool { + !b +} + +#[api( + properties: { + tokenid: { + schema: PROXMOX_TOKEN_ID_SCHEMA, + }, + comment: { + optional: true, + schema: COMMENT_SCHEMA, + }, + enable: { + optional: true, + schema: ENABLE_USER_SCHEMA, + }, + expire: { + optional: true, + schema: EXPIRE_USER_SCHEMA, + }, + } +)] +#[derive(Serialize, Deserialize, Clone, PartialEq)] +/// ApiToken properties. +pub struct ApiToken { + pub tokenid: Authid, + #[serde(skip_serializing_if = "Option::is_none")] + pub comment: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub enable: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub expire: Option, +} + +impl ApiToken { + pub fn is_active(&self) -> bool { + if !self.enable.unwrap_or(true) { + return false; + } + if let Some(expire) = self.expire { + let now = proxmox_time::epoch_i64(); + if expire > 0 && expire <= now { + return false; + } + } + true + } +} + +#[api( + properties: { + userid: { + type: Userid, + }, + comment: { + optional: true, + schema: COMMENT_SCHEMA, + }, + enable: { + optional: true, + schema: ENABLE_USER_SCHEMA, + }, + expire: { + optional: true, + schema: EXPIRE_USER_SCHEMA, + }, + firstname: { + optional: true, + schema: FIRST_NAME_SCHEMA, + }, + lastname: { + schema: LAST_NAME_SCHEMA, + optional: true, + }, + email: { + schema: EMAIL_SCHEMA, + optional: true, + }, + } +)] +#[derive(Serialize, Deserialize, Updater, PartialEq, Eq)] +/// User properties. +pub struct User { + #[updater(skip)] + pub userid: Userid, + #[serde(skip_serializing_if = "Option::is_none")] + pub comment: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub enable: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub expire: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub firstname: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub lastname: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub email: Option, +} + +impl User { + pub fn is_active(&self) -> bool { + if !self.enable.unwrap_or(true) { + return false; + } + if let Some(expire) = self.expire { + let now = proxmox_time::epoch_i64(); + if expire > 0 && expire <= now { + return false; + } + } + true + } +} -- 2.39.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel