public inbox for pdm-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox v3 08/21] auth-api: make regular ticket endpoint use the new types and handler
Date: Thu, 27 Feb 2025 15:06:59 +0100	[thread overview]
Message-ID: <20250227140712.209679-9-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250227140712.209679-1-s.sterz@proxmox.com>

so we can re-use more code between the different ticket endpoints

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-auth-api/src/api/access.rs | 94 +++---------------------------
 1 file changed, 9 insertions(+), 85 deletions(-)

diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 273d7701..fb72b443 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -11,9 +11,7 @@ use proxmox_rest_server::{extract_cookie, RestEnvironment};
 use proxmox_router::{
     http_err, ApiHandler, ApiMethod, ApiResponseFuture, Permission, RpcEnvironment,
 };
-use proxmox_schema::{
-    api, api_types::PASSWORD_SCHEMA, AllOfSchema, ApiType, ParameterSchema, ReturnType,
-};
+use proxmox_schema::{api, AllOfSchema, ApiType, ParameterSchema, ReturnType};
 use proxmox_tfa::api::TfaChallenge;
 
 use super::ApiTicket;
@@ -36,51 +34,14 @@ enum AuthResult {
 #[api(
     input: {
         properties: {
-            username: {
-                type: Userid,
-            },
-            password: {
-                schema: PASSWORD_SCHEMA,
-            },
-            path: {
-                type: String,
-                description: "Path for verifying terminal tickets.",
-                optional: true,
-            },
-            privs: {
-                type: String,
-                description: "Privilege for verifying terminal tickets.",
-                optional: true,
-            },
-            port: {
-                type: Integer,
-                description: "Port for verifying terminal tickets.",
-                optional: true,
-            },
-            "tfa-challenge": {
-                type: String,
-                description: "The signed TFA challenge string the user wants to respond to.",
-                optional: true,
-            },
+            create_params: {
+                type: CreateTicket,
+                flatten: true,
+            }
         },
     },
     returns: {
-        properties: {
-            username: {
-                type: String,
-                description: "User name.",
-            },
-            ticket: {
-                type: String,
-                description: "Auth ticket.",
-            },
-            CSRFPreventionToken: {
-                type: String,
-                description:
-                    "Cross Site Request Forgery Prevention Token. \
-                     For partial tickets this is the string \"invalid\".",
-            },
-        },
+        type: CreateTicketResponse,
     },
     protected: true,
     access: {
@@ -91,52 +52,15 @@ enum AuthResult {
 ///
 /// Returns: An authentication ticket with additional infos.
 pub async fn create_ticket(
-    username: Userid,
-    password: String,
-    path: Option<String>,
-    privs: Option<String>,
-    port: Option<u16>,
-    tfa_challenge: Option<String>,
+    create_params: CreateTicket,
     rpcenv: &mut dyn RpcEnvironment,
-) -> Result<Value, Error> {
+) -> Result<CreateTicketResponse, Error> {
     let env: &RestEnvironment = rpcenv
         .as_any()
         .downcast_ref::<RestEnvironment>()
         .ok_or_else(|| format_err!("detected wrong RpcEnvironment type"))?;
 
-    match authenticate_user(&username, &password, path, privs, port, tfa_challenge, env).await {
-        Ok(AuthResult::Success) => Ok(json!({ "username": username })),
-        Ok(AuthResult::CreateTicket) => {
-            let auth_context = auth_context()?;
-            let api_ticket = ApiTicket::Full(username.clone());
-            let ticket = Ticket::new(auth_context.auth_prefix(), &api_ticket)?
-                .sign(auth_context.keyring(), None)?;
-            let token = assemble_csrf_prevention_token(auth_context.csrf_secret(), &username);
-
-            env.log_auth(username.as_str());
-
-            Ok(json!({
-                "username": username,
-                "ticket": ticket,
-                "CSRFPreventionToken": token,
-            }))
-        }
-        Ok(AuthResult::Partial(challenge)) => {
-            let auth_context = auth_context()?;
-            let api_ticket = ApiTicket::Partial(challenge);
-            let ticket = Ticket::new(auth_context.auth_prefix(), &api_ticket)?
-                .sign(auth_context.keyring(), Some(username.as_str()))?;
-            Ok(json!({
-                "username": username,
-                "ticket": ticket,
-                "CSRFPreventionToken": "invalid",
-            }))
-        }
-        Err(err) => {
-            env.log_failed_auth(Some(username.to_string()), &err.to_string());
-            Err(http_err!(UNAUTHORIZED, "permission check failed."))
-        }
-    }
+    handle_ticket_creation(create_params, env).await
 }
 
 
-- 
2.39.5



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel


  parent reply	other threads:[~2025-02-27 14:08 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-27 14:06 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-02-27 14:06 ` [pdm-devel] [PATCH proxmox v3 01/21] time: add new `epoch_to_http_date` helper Shannon Sterz
2025-02-27 14:06 ` [pdm-devel] [PATCH proxmox v3 02/21] rest-server: borrow parts parameter in `get_request_parameter` Shannon Sterz
2025-02-27 14:06 ` [pdm-devel] [PATCH proxmox v3 03/21] router/rest-server: add new `AsyncHttpBodyParameters` api handler type Shannon Sterz
2025-02-27 14:06 ` [pdm-devel] [PATCH proxmox v3 04/21] auth-api: extend `AuthContext` with prefixed cookie name Shannon Sterz
2025-02-27 14:06 ` [pdm-devel] [PATCH proxmox v3 05/21] auth-api: check for new prefixed cookies as well Shannon Sterz
2025-02-27 14:06 ` [pdm-devel] [PATCH proxmox v3 06/21] auth-api: introduce new CreateTicket and CreateTickeReponse api types Shannon Sterz
2025-02-27 14:06 ` [pdm-devel] [PATCH proxmox v3 07/21] auth-api: add endpoint for issuing tickets as HttpOnly tickets Shannon Sterz
2025-02-27 14:06 ` Shannon Sterz [this message]
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 09/21] auth-api: add logout method Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 10/21] login: add optional field for ticket_info and make password optional Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 11/21] login: make password optional when creating Login requests Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 12/21] login: add helpers to pass cookie values when parsing login responses Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 13/21] login: add `TicketResult::HttpOnly` member Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 14/21] login: add helper to check whether a ticket is just informational Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 15/21] login: add functions to specify full cookie names Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 16/21] client: add compatibility with HttpOnly cookies Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH proxmox v3 17/21] client: specify cookie names for authentication headers where possible Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH yew-comp v3 18/21] HttpClient: add helpers to refresh HttpOnly cookies and remove them Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH yew-comp v3 19/21] LoginPanel/http helpers: add support for handling HttpOnly cookies Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH yew-comp v3 20/21] http helpers: ask server to remove `__Host-` prefixed cookie on logout Shannon Sterz
2025-02-27 14:07 ` [pdm-devel] [PATCH datacenter-manager v3 21/21] api: switch ticket endpoint over to new http only endpoint Shannon Sterz
2025-02-27 14:08 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-03-04 12:08 ` Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250227140712.209679-9-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal