From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 1BDC91FF15E for ; Fri, 4 Oct 2024 15:41:16 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DDCBFF97E; Fri, 4 Oct 2024 15:41:38 +0200 (CEST) From: Shannon Sterz To: pbs-devel@lists.proxmox.com Date: Fri, 4 Oct 2024 15:40:52 +0200 Message-Id: <20241004134054.263913-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241004134054.263913-1-s.sterz@proxmox.com> References: <20241004134054.263913-1-s.sterz@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.196 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 1/3] api: ignore password parameter in the update_user endpoint X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" currently if a password is provided, we check whether the user that is going to be updated can authenticate with it. later on, the password is then set as the same password. this means that the password here can only be changed if it is the exact same one that is already used. so in essence, the password cannot be changed through this endpoint already. remove all of this logic here in favor of the `PUT /access/password` endpoint. 
to keep the api stable for now, just ignore the parameter and add a description that explains what to use instead. Signed-off-by: Shannon Sterz --- src/api2/access/user.rs | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs index 1b4adaf8..6101d5f1 100644 --- a/src/api2/access/user.rs +++ b/src/api2/access/user.rs @@ -12,8 +12,8 @@ use proxmox_tfa::api::TfaConfig; use pbs_api_types::{ ApiToken, Authid, Tokenname, User, UserUpdater, UserWithTokens, Userid, ENABLE_USER_SCHEMA, - EXPIRE_USER_SCHEMA, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT, - PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA, + EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, + PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA, }; use pbs_config::token_shadow; @@ -223,7 +223,11 @@ pub enum DeletableProperty { flatten: true, }, password: { - schema: PBS_PASSWORD_SCHEMA, + type: String, + description: "This parameter is ignored, please use 'PUT /access/password' to change a user's password", + min_length: 1, + max_length: 1024, + format: &PASSWORD_FORMAT, optional: true, }, delete: { @@ -247,7 +251,7 @@ pub enum DeletableProperty { ]), }, )] -/// Update user configuration. +/// Update user configuration. To change a user's password use the 'PUT /access/password' endpoint. #[allow(clippy::too_many_arguments)] pub async fn update_user( userid: Userid, @@ -255,11 +259,10 @@ pub async fn update_user( password: Option, delete: Option>, digest: Option, - rpcenv: &mut dyn RpcEnvironment, ) -> Result<(), Error> { - if password.is_some() { - super::user_update_auth(rpcenv, &userid, password.as_deref(), false).await?; - } + // ignore password here, updating passwords should happen through 'PUT /access/password' + // TODO: Remove with PBS 4 + let _ = password; let _lock = pbs_config::user::lock_config()?; 
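Review bot: `let _ = password;` makes the endpoint report success while silently discarding a credential the caller explicitly asked to set, so any client that still sends `password` (the same clients the "keep the api stable" argument is protecting) will believe a rotation happened when nothing changed, and a password reset that reports success without effect is worse from a security standpoint than a loud error. Since the schema already advertises the parameter as ignored, an explicit rejection keeps the schema stable while removing the footgun: `if password.is_some() { bail!("the 'password' parameter is not supported here, use 'PUT /access/password' instead"); }`, or at minimum a `log::warn!` naming the target user so a no-op rotation is visible in the logs. The commit message's claim that the old code could only ever re-store the same password holds for the self-service path; whether `super::user_update_auth` also verified the supplied password when a privileged user updated someone else's account is not visible here, and if it did not, this hunk silently turns admin-driven password resets into a no-op rather than removing dead code. `update_user`'s body continues beyond this hunk.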
@@ -300,19 +303,6 @@ pub async fn update_user( data.expire = if expire > 0 { Some(expire) } else { None }; } - if let Some(password) = password { - let user_info = CachedUserInfo::new()?; - let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; - let self_service = current_auth_id.user() == &userid; - let target_realm = userid.realm(); - if !self_service && target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) { - bail!("only superuser can edit pam credentials!"); - } - let authenticator = crate::auth::lookup_authenticator(userid.realm())?; - let client_ip = rpcenv.get_client_ip().map(|sa| sa.ip()); - authenticator.store_password(userid.name(), &password, client_ip.as_ref())?; - } - if let Some(firstname) = update.firstname { data.firstname = if firstname.is_empty() { None -- 2.39.5 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
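Review bot: The deleted block carried the only `only superuser can edit pam credentials!` guard visible in this file, together with the client-IP passthrough into `store_password`, and nothing in this hunk re-establishes either, so the change implicitly relies on `PUT /access/password` enforcing the same pam/superuser restriction and the same IP-aware storage path. That endpoint is not part of this patch, so it should be confirmed (or covered by 2/3 and 3/3) that a non-superuser holding PRIV_PERMISSIONS_MODIFY still cannot set pam users' passwords through it before the guard is dropped here. A one-line pointer in the TODO above the `let _ = password;`, e.g. `// the pam/superuser check now lives in PUT /access/password`, would make the intended ownership of that check explicit for the next reader. `update_user` begins and ends outside this hunk.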