From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ronja.mits.lan by ronja.mits.lan with LMTP id piRWDt+qcmZ4MQAAxxbTJA (envelope-from ); Wed, 19 Jun 2024 11:54:39 +0200 Received: from proxmox-new.maurer-it.com (unknown [192.168.2.33]) by ronja.mits.lan (Postfix) with ESMTPS id 1F2DDF63D90; Wed, 19 Jun 2024 11:54:39 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 031CB47C8B; Wed, 19 Jun 2024 11:54:39 +0200 (CEST) Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by proxmox-new.maurer-it.com (Proxmox) with ESMTPS; Wed, 19 Jun 2024 11:54:38 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7740B1704; Wed, 19 Jun 2024 11:54:36 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Wed, 19 Jun 2024 11:54:14 +0200 Message-Id: <20240619095418.126368-4-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240619095418.126368-1-s.sterz@proxmox.com> References: <20240619095418.126368-1-s.sterz@proxmox.com> MIME-Version: 1.0 Subject: [pbs-devel] [PATCH proxmox v3 3/7] access-control: make token shadow implementation re-usable X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" X-SPAM-LEVEL: Spam detection results: 0 DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods MAILING_LIST_MULTI -2 Multiple indicators imply a widely-seen list manager RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record T_SCC_BODY_TEXT_LINE -0.01 - this commit factors out the token shadow implementation from `proxmox-backup` so it can be used in other products. Signed-off-by: Shannon Sterz --- proxmox-access-control/Cargo.toml | 2 + proxmox-access-control/src/init.rs | 7 ++ proxmox-access-control/src/lib.rs | 1 + proxmox-access-control/src/token_shadow.rs | 84 ++++++++++++++++++++++ 4 files changed, 94 insertions(+) create mode 100644 proxmox-access-control/src/token_shadow.rs diff --git a/proxmox-access-control/Cargo.toml b/proxmox-access-control/Cargo.toml index 68cbf460..01ab5f5a 100644 --- a/proxmox-access-control/Cargo.toml +++ b/proxmox-access-control/Cargo.toml @@ -17,9 +17,11 @@ anyhow.workspace = true nix.workspace = true openssl.workspace = true serde.workspace = true +serde_json.workspace = true # proxmox-notify.workspace = true proxmox-auth-api = { workspace = true, features = [ "api-types" ] } proxmox-schema.workspace = true proxmox-product-config.workspace = true +proxmox-sys = { workspace = true, features = [ "crypt" ] } proxmox-time.workspace = true diff --git a/proxmox-access-control/src/init.rs b/proxmox-access-control/src/init.rs index a8dfa24e..2f5593ea 100644 --- a/proxmox-access-control/src/init.rs +++ b/proxmox-access-control/src/init.rs @@ -72,3 +72,10 @@ pub(crate) fn acl_config_lock() -> PathBuf { conf_dir().join(".acl.lck") } +pub(crate) fn token_shadow() -> PathBuf { + conf_dir().join("token.shadow") +} + +pub(crate) fn token_shadow_lock() -> PathBuf { + conf_dir().join("token.shadow.lock") +} diff --git a/proxmox-access-control/src/lib.rs b/proxmox-access-control/src/lib.rs index edb42568..524b0e60 100644 --- a/proxmox-access-control/src/lib.rs +++ b/proxmox-access-control/src/lib.rs @@ -1,3 +1,4 @@ pub mod acl; pub mod init; +pub mod token_shadow; pub mod types; diff --git a/proxmox-access-control/src/token_shadow.rs b/proxmox-access-control/src/token_shadow.rs new file mode 100644 index 00000000..ab8925b7 --- /dev/null +++ b/proxmox-access-control/src/token_shadow.rs @@ -0,0 +1,84 @@ +use std::collections::HashMap; + +use anyhow::{bail, format_err, Error}; +use proxmox_product_config::{open_api_lockfile, replace_config, ApiLockGuard}; +use serde::{Deserialize, Serialize}; +use serde_json::{from_value, Value}; + +use proxmox_auth_api::types::Authid; + +use crate::init::{token_shadow, token_shadow_lock}; + +#[derive(Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +/// ApiToken id / secret pair +pub struct ApiTokenSecret { + pub tokenid: Authid, + pub secret: String, +} + +// Get exclusive lock +fn lock_config() -> Result { + open_api_lockfile(token_shadow_lock(), None, true) +} + +fn read_file() -> Result, Error> { + let json = proxmox_sys::fs::file_get_json(token_shadow(), Some(Value::Null))?; + + if json == Value::Null { + Ok(HashMap::new()) + } else { + // swallow serde error which might contain sensitive data + from_value(json) + .map_err(|_err| format_err!("unable to parse '{}'", token_shadow().display())) + } +} + +fn write_file(data: HashMap) -> Result<(), Error> { + let json = serde_json::to_vec(&data)?; + replace_config(token_shadow(), &json) +} + +/// Verifies that an entry for given tokenid / API token secret exists +pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> { + if !tokenid.is_token() { + bail!("not an API token ID"); + } + + let data = read_file()?; + match data.get(tokenid) { + Some(hashed_secret) => proxmox_sys::crypt::verify_crypt_pw(secret, hashed_secret), + None => bail!("invalid API token"), + } +} + +/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash. +pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> { + if !tokenid.is_token() { + bail!("not an API token ID"); + } + + let _guard = lock_config()?; + + let mut data = read_file()?; + let hashed_secret = proxmox_sys::crypt::encrypt_pw(secret)?; + data.insert(tokenid.clone(), hashed_secret); + write_file(data)?; + + Ok(()) +} + +/// Deletes the entry for the given tokenid. +pub fn delete_secret(tokenid: &Authid) -> Result<(), Error> { + if !tokenid.is_token() { + bail!("not an API token ID"); + } + + let _guard = lock_config()?; + + let mut data = read_file()?; + data.remove(tokenid); + write_file(data)?; + + Ok(()) +} -- 2.39.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel