From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id D2F0D1FF13F for ; Thu, 09 Apr 2026 17:54:35 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3BE82A9B7; Thu, 9 Apr 2026 17:55:19 +0200 (CEST) From: Samuel Rufinatscha To: pbs-devel@lists.proxmox.com Subject: [PATCH proxmox v8 5/6] token shadow: inline set_secret fn Date: Thu, 9 Apr 2026 17:54:25 +0200 Message-ID: <20260409155437.312760-6-s.rufinatscha@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260409155437.312760-1-s.rufinatscha@proxmox.com> References: <20260409155437.312760-1-s.rufinatscha@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1775750013814 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.231 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: ORW6OY4Q6LVGJ5S2MU6UNS4EYINZYXG7 X-Message-ID-Hash: ORW6OY4Q6LVGJ5S2MU6UNS4EYINZYXG7 X-MailFrom: s.rufinatscha@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Samuel Rufinatscha
---
 proxmox-access-control/src/token_shadow.rs | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/proxmox-access-control/src/token_shadow.rs b/proxmox-access-control/src/token_shadow.rs
index 4185351e..270f3bfa 100644
--- a/proxmox-access-control/src/token_shadow.rs
+++ b/proxmox-access-control/src/token_shadow.rs
@@ -161,8 +161,11 @@ pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
 }
 }
-/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash.
-pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
+/// Generates a new secret for the given tokenid / API token, sets it then returns it.
+/// The secret is stored as salted hash.
+pub fn generate_and_set_secret(tokenid: &Authid) -> Result {
+ let secret = format!("{:x}", proxmox_uuid::Uuid::generate());
+
 if !tokenid.is_token() {
 bail!("not an API token ID");
 }
@@ -173,13 +176,13 @@ pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
 let pre_meta = shadow_mtime_len().unwrap_or((None, None));
 let mut data = read_file()?;
- let hashed_secret = proxmox_sys::crypt::encrypt_pw(secret)?;
+ let hashed_secret = proxmox_sys::crypt::encrypt_pw(&secret)?;
 data.insert(tokenid.clone(), hashed_secret);
 write_file(data)?;
- apply_api_mutation(guard, tokenid, Some(secret), pre_meta);
+ apply_api_mutation(guard, tokenid, Some(&secret), pre_meta);
- Ok(())
+ Ok(secret)
 }
 /// Deletes the entry for the given tokenid.
@@ -202,14 +205,6 @@ pub fn delete_secret(tokenid: &Authid) -> Result<(), Error> {
 Ok(())
 }
-/// Generates a new secret for the given tokenid / API token, sets it then returns it.
-/// The secret is stored as salted hash.
-pub fn generate_and_set_secret(tokenid: &Authid) -> Result {
- let secret = format!("{:x}", proxmox_uuid::Uuid::generate());
- set_secret(tokenid, &secret)?;
- Ok(secret)
-}
-
 /// Cached secret.
 struct CachedSecret {
 secret: String,
-- 
2.47.3
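Review bot: In `generate_and_set_secret` the plaintext secret is created on the first line of the body, ahead of the `tokenid.is_token()` guard, so a call that bails with "not an API token ID" still draws and formats a secret, and on the success path the plaintext is alive for longer than it needs to be. Moving `let secret = format!("{:x}", proxmox_uuid::Uuid::generate());` down to just before `encrypt_pw(&secret)` in the following hunk (@@ -173,13) would avoid both. The doc comment could also record what the secret is, e.g. `/// The secret is the hex form of a freshly generated UUID; only its salted hash is passed to write_file.`, and whether `Uuid::generate()` is backed by a cryptographically secure source is not visible here and is worth confirming and stating in that comment. The function body runs across this hunk and the next, with lines between them outside the diff.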