From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id C077E1FF2A1 for ; Tue, 16 Jul 2024 15:45:05 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0B7471C736; Tue, 16 Jul 2024 15:45:28 +0200 (CEST) From: Christoph Heiss To: pbs-devel@lists.proxmox.com Date: Tue, 16 Jul 2024 15:45:10 +0200 Message-ID: <20240716134514.1656795-12-c.heiss@proxmox.com> X-Mailer: git-send-email 2.45.1 In-Reply-To: <20240716134514.1656795-1-c.heiss@proxmox.com> References: <20240716134514.1656795-1-c.heiss@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.020 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 11/14] api2: access: add update support for built-in PAM realm X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Signed-off-by: Christoph Heiss --- src/api2/config/access/mod.rs | 2 + src/api2/config/access/pam.rs | 130 ++++++++++++++++++++++++++++++++++ 2 files changed, 132 insertions(+) create mode 100644 src/api2/config/access/pam.rs diff --git a/src/api2/config/access/mod.rs b/src/api2/config/access/mod.rs index b551e662..36ecd005 100644 --- a/src/api2/config/access/mod.rs 
+++ b/src/api2/config/access/mod.rs
@@ -5,10 +5,12 @@ use proxmox_sortable_macro::sortable;
 pub mod ad;
 pub mod ldap;
 pub mod openid;
+pub mod pam;
 pub mod tfa;
 #[sortable]
 const SUBDIRS: SubdirMap = &sorted!([
+ ("pam", &pam::ROUTER),
 ("ad", &ad::ROUTER),
 ("ldap", &ldap::ROUTER),
 ("openid", &openid::ROUTER),
diff --git a/src/api2/config/access/pam.rs b/src/api2/config/access/pam.rs
new file mode 100644
index 00000000..04ae616b
--- /dev/null
+++ b/src/api2/config/access/pam.rs
@@ -0,0 +1,130 @@
+use ::serde::{Deserialize, Serialize};
+use anyhow::Error;
+use hex::FromHex;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+ PamRealmConfig, PamRealmConfigUpdater, PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT,
+ PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::domains;
+
+#[api(
+ returns: {
+ type: PamRealmConfig,
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
+ },
+)]
+/// Read the PAM realm configuration
+pub fn read_pam_realm(rpcenv: &mut dyn RpcEnvironment) -> Result {
+ let (domains, digest) = domains::config()?;
+
+ let config = domains.lookup("pam", "pam")?;
+
+ rpcenv["digest"] = hex::encode(digest).into();
+
+ Ok(config)
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// Deletable property name
+pub enum DeletableProperty {
+ /// Delete the comment property.
+ Comment,
+ /// Delete the default property.
+ Default,
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ update: {
+ type: PamRealmConfigUpdater,
+ flatten: true,
+ },
+ delete: {
+ description: "List of properties to delete.",
+ type: Array,
+ optional: true,
+ items: {
+ type: DeletableProperty,
+ }
+ },
+ digest: {
+ optional: true,
+ schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+ },
+ },
+ },
+ returns: {
+ type: PamRealmConfig,
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+ },
+)]
+/// Update the PAM realm configuration
+pub fn update_pam_realm(
+ update: PamRealmConfigUpdater,
+ delete: Option>,
+ digest: Option,
+ _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+ let _lock = domains::lock_config()?;
+
+ let (mut domains, expected_digest) = domains::config()?;
+
+ if let Some(ref digest) = digest {
+ let digest = <[u8; 32]>::from_hex(digest)?;
+ crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+ }
+
+ let mut config: 
PamRealmConfig = domains.lookup("pam", "pam")?;
+
+ if let Some(delete) = delete {
+ for delete_prop in delete {
+ match delete_prop {
+ DeletableProperty::Comment => {
+ config.comment = None;
+ }
+ DeletableProperty::Default => {
+ config.default = None;
+ }
+ }
+ }
+ }
+
+ if let Some(comment) = update.comment {
+ let comment = comment.trim().to_string();
+ if comment.is_empty() {
+ config.comment = None;
+ } else {
+ config.comment = Some(comment);
+ }
+ }
+
+ if let Some(true) = update.default {
+ pbs_config::domains::unset_default_realm(&mut domains)?;
+ config.default = Some(true);
+ } else {
+ config.default = None;
+ }
+
+ domains.set_data("pam", "pam", &config)?;
+
+ domains::save_config(&domains)?;
+
+ Ok(())
+}
+
+pub const ROUTER: Router = Router::new()
+ .get(&API_METHOD_READ_PAM_REALM)
+ .put(&API_METHOD_UPDATE_PAM_REALM);
-- 2.45.1 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
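Review bot: The `else` branch of `if let Some(true) = update.default` near the end of `update_pam_realm` runs whenever the updater carries no `default` value at all, so a PUT that only changes the comment silently clears the realm's default flag, and it also makes `DeletableProperty::Default` redundant because the flag is reset on every update anyway. Only an explicit `Some(false)` should clear it: `} else if let Some(false) = update.default {`. Separately, the `#[api(...)]` block on `update_pam_realm` declares `returns: { type: PamRealmConfig }` while the function signature is `-> Result<(), Error>`, so the generated schema presumably advertises a response body the endpoint never produces; drop the `returns` entry or return the updated config as `read_pam_realm` does. The digest comparison and the `set_data`/`save_config` pair are correctly kept under `lock_config`, and `protected: true` is set, which is what a writer of the domains config needs here.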