From: Samuel Rufinatscha
To: pbs-devel@lists.proxmox.com
Date: Fri, 5 Dec 2025 14:25:58 +0100
Message-ID: <20251205132559.197434-6-s.rufinatscha@proxmox.com>
In-Reply-To: <20251205132559.197434-1-s.rufinatscha@proxmox.com>
References: <20251205132559.197434-1-s.rufinatscha@proxmox.com>
Subject: [pbs-devel] [PATCH proxmox 2/3] proxmox-access-control: invalidate token-secret cache on token.shadow changes

Previously the in-memory token-secret cache was only updated via set_secret() and delete_secret(), so manual edits to token.shadow were not reflected.

This patch adds file change detection to the cache. It tracks the mtime and length of token.shadow and clears the in-memory token secret cache whenever these values change.

Note, this patch fetches file stats on every request. A TTL-based optimization will be covered in a subsequent patch of the series.

This patch is a partial fix.

Signed-off-by: Samuel Rufinatscha
--- proxmox-access-control/src/token_shadow.rs | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/proxmox-access-control/src/token_shadow.rs b/proxmox-access-control/src/token_shadow.rs index 2dcd117d..d08fb06a 100644 --- a/proxmox-access-control/src/token_shadow.rs +++ b/proxmox-access-control/src/token_shadow.rs @@ -1,5 +1,8 @@ use std::collections::HashMap; +use std::fs; +use std::io::ErrorKind; use std::sync::{OnceLock, RwLock}; +use std::time::SystemTime; use anyhow::{bail, format_err, Error}; use serde_json::{from_value, Value}; 
@@ -38,12 +41,38 @@ fn write_file(data: HashMap) -> Result<(), Error> { replace_config(token_shadow(), &json) } +fn refresh_cache_if_file_changed() -> Result<(), Error> { + let mut cache = token_secret_cache().write().unwrap(); + + // Fetch the current token.shadow metadata + let (new_mtime, new_len) = match fs::metadata(token_shadow().as_path()) { + Ok(meta) => (meta.modified().ok(), Some(meta.len())), + Err(e) if e.kind() == ErrorKind::NotFound => (None, None), + Err(e) => return Err(e.into()), + }; + + // Fast path: file did not change, keep the cache + if cache.file_mtime == new_mtime && cache.file_len == new_len { + return Ok(()); + } + + // File changed, drop all cached secrets + cache.secrets.clear(); + cache.file_mtime = new_mtime; + cache.file_len = new_len; + + Ok(()) +} + /// Verifies that an entry for given tokenid / API token secret exists pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> { if !tokenid.is_token() { bail!("not an API token ID"); } + // Ensure cache is in sync with on-disk token.shadow file + refresh_cache_if_file_changed()?; + // Fast path if let Some(cached) = token_secret_cache().read().unwrap().secrets.get(tokenid) { // Compare cached secret with provided one using constant time comparison @@ -117,12 +146,18 @@ struct ApiTokenSecretCache { /// `generate_and_set_secret`. Used to avoid repeated /// password-hash computation on subsequent authentications. secrets: HashMap, + // shadow file mtime to detect changes + file_mtime: Option, + // shadow file length to detect changes + file_len: Option, } fn token_secret_cache() -> &'static RwLock { TOKEN_SECRET_CACHE.get_or_init(|| { RwLock::new(ApiTokenSecretCache { secrets: HashMap::new(), + file_mtime: None, + file_len: None, }) }) } -- 2.47.3
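
Review bot: In refresh_cache_if_file_changed() (hunk @@ -38,12 +41,38 @@), the check `cache.file_mtime == new_mtime && cache.file_len == new_len` can miss a rewrite of token.shadow that keeps the same length and lands within the filesystem's timestamp granularity, so a removed or replaced secret could keep authenticating from the cache until the next detected change. Consider comparing an additional value that changes when the file is replaced (for example the inode number on Unix), or document this window in the function comment. Note also that `meta.modified().ok()` turns a failed mtime lookup into None, which then compares equal to the "file not found" mtime. Separately, the function takes `token_secret_cache().write()` before calling fs::metadata(), so every verify_secret() call serializes on the write lock for the duration of the stat; fetching the metadata first and comparing under a read lock, taking the write lock only when the values differ, would keep the unchanged-file path concurrent.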
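
Review bot: In the ApiTokenSecretCache hunk (@@ -117,12 +146,18 @@), the new file_mtime and file_len fields are commented with `//` while the existing secrets field uses `///` doc comments; use `///` so the fields are documented consistently. It would also help to state in those comments that None covers both "not checked yet" and "token.shadow not found", since the initializer here and the NotFound arm of refresh_cache_if_file_changed() produce the same (None, None) value.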