From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox v4 16/21] client: add compatibility with HttpOnly cookies
Date: Tue, 4 Mar 2025 13:05:01 +0100 [thread overview]
Message-ID: <20250304120506.135617-17-s.sterz@proxmox.com> (raw)
In-Reply-To: <20250304120506.135617-1-s.sterz@proxmox.com>
this should make it possible to use the proxmox-client crate outside
of context where HttpOnly cookies are handled for us. if a cookie
name is provided to a client, it tries to find a corresponding
`Set-Cookie` header in the login response and passes tries to parse
it as a ticket. that ticket is then passed on to proxmox-login like
any regular ticket.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
proxmox-client/src/client.rs | 69 +++++++++++++++++++++++++++---------
1 file changed, 52 insertions(+), 17 deletions(-)
diff --git a/proxmox-client/src/client.rs b/proxmox-client/src/client.rs
index 9b078a98..07a53873 100644
--- a/proxmox-client/src/client.rs
+++ b/proxmox-client/src/client.rs
@@ -12,6 +12,7 @@ use hyper::body::{Body, HttpBody};
use openssl::hash::MessageDigest;
use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
use openssl::x509::{self, X509};
+use proxmox_login::Ticket;
use serde::Serialize;
use proxmox_login::ticket::Validity;
@@ -67,6 +68,7 @@ pub struct Client {
auth: Mutex<Option<Arc<AuthenticationKind>>>,
client: Arc<proxmox_http::client::Client>,
pve_compat: bool,
+ cookie_name: Option<String>,
}
impl Client {
@@ -75,6 +77,13 @@ impl Client {
Client::with_client(api_url, Arc::new(proxmox_http::client::Client::new()))
}
+ pub fn new_with_cookie(api_url: Uri, cookie_name: &str) -> Self {
+ let mut client =
+ Client::with_client(api_url, Arc::new(proxmox_http::client::Client::new()));
+ client.set_cookie_name(cookie_name);
+ client
+ }
+
/// Instantiate a client for an API with a given HTTP client instance.
pub fn with_client(api_url: Uri, client: Arc<proxmox_http::client::Client>) -> Self {
Self {
@@ -82,6 +91,7 @@ impl Client {
auth: Mutex::new(None),
client,
pve_compat: false,
+ cookie_name: None,
}
}
@@ -174,6 +184,10 @@ impl Client {
self.pve_compat = compatibility;
}
+ pub fn set_cookie_name(&mut self, cookie_name: &str) {
+ self.cookie_name = Some(cookie_name.to_string());
+ }
+
/// Get the currently used API url.
pub fn api_url(&self) -> &Uri {
&self.api_url
@@ -309,7 +323,10 @@ impl Client {
Ok(())
}
- async fn do_login_request(&self, request: proxmox_login::Request) -> Result<Vec<u8>, Error> {
+ async fn do_login_request(
+ &self,
+ request: proxmox_login::Request,
+ ) -> Result<(Option<Ticket>, Vec<u8>), Error> {
let request = http::Request::builder()
.method(Method::POST)
.uri(request.url)
@@ -330,10 +347,26 @@ impl Client {
return Err(Error::api(api_response.status(), "authentication failed"));
}
- let (_, body) = api_response.into_parts();
+ let (parts, body) = api_response.into_parts();
let body = read_body(body).await?;
- Ok(body)
+ let ticket: Option<Ticket> = self.cookie_name.as_ref().and_then(|cookie_name| {
+ parts
+ .headers
+ .get_all(http::header::SET_COOKIE)
+ .iter()
+ .filter_map(|c| c.to_str().ok())
+ .filter_map(|c| match (c.find('='), c.find(';')) {
+ (Some(begin), Some(end)) if begin < end && &c[..begin] == cookie_name => {
+ Some(&c[begin + 1..end])
+ }
+ _ => None,
+ })
+ .filter_map(|t| t.parse().ok())
+ .next()
+ });
+
+ Ok((ticket, body))
}
/// Attempt to refresh the current ticket.
@@ -349,10 +382,10 @@ impl Client {
let login = Login::renew(self.api_url.to_string(), auth.ticket.to_string())
.map_err(Error::Ticket)?;
- let api_response = self.do_login_request(login.request()).await?;
+ let (ticket, api_response) = self.do_login_request(login.request()).await?;
- match login.response(&api_response)? {
- TicketResult::Full(auth) => {
+ match login.response_with_cookie_ticket(ticket, &api_response)? {
+ TicketResult::Full(auth) | TicketResult::HttpOnly(auth) => {
*self.auth.lock().unwrap() = Some(Arc::new(auth.into()));
Ok(())
}
@@ -373,15 +406,17 @@ impl Client {
pub async fn login(&self, login: Login) -> Result<Option<SecondFactorChallenge>, Error> {
let login = login.pve_compatibility(self.pve_compat);
- let api_response = self.do_login_request(login.request()).await?;
-
- Ok(match login.response(&api_response)? {
- TicketResult::TfaRequired(challenge) => Some(challenge),
- TicketResult::Full(auth) => {
- *self.auth.lock().unwrap() = Some(Arc::new(auth.into()));
- None
- }
- })
+ let (ticket, api_response) = self.do_login_request(login.request()).await?;
+
+ Ok(
+ match login.response_with_cookie_ticket(ticket, &api_response)? {
+ TicketResult::TfaRequired(challenge) => Some(challenge),
+ TicketResult::Full(auth) | TicketResult::HttpOnly(auth) => {
+ *self.auth.lock().unwrap() = Some(Arc::new(auth.into()));
+ None
+ }
+ },
+ )
}
/// Attempt to finish a 2nd factor login.
@@ -393,9 +428,9 @@ impl Client {
challenge: SecondFactorChallenge,
challenge_response: proxmox_login::Request,
) -> Result<(), Error> {
- let api_response = self.do_login_request(challenge_response).await?;
+ let (ticket, api_response) = self.do_login_request(challenge_response).await?;
- let auth = challenge.response(&api_response)?;
+ let auth = challenge.response_with_cookie_ticket(ticket, &api_response)?;
*self.auth.lock().unwrap() = Some(Arc::new(auth.into()));
Ok(())
}
--
2.39.5
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-03-04 12:05 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-04 12:04 [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 01/21] time: add new `epoch_to_http_date` helper Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 02/21] rest-server: borrow parts parameter in `get_request_parameter` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 03/21] router/rest-server: add new `AsyncHttpBodyParameters` api handler type Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 04/21] auth-api: extend `AuthContext` with prefixed cookie name Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 05/21] auth-api: check for new prefixed cookies as well Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 06/21] auth-api: introduce new CreateTicket and CreateTickeReponse api types Shannon Sterz
2025-03-04 14:16 ` Wolfgang Bumiller
2025-03-07 10:06 ` Maximiliano Sandoval
2025-03-07 10:14 ` Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 07/21] auth-api: add endpoint for issuing tickets as HttpOnly tickets Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 08/21] auth-api: make regular ticket endpoint use the new types and handler Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 09/21] auth-api: add logout method Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 10/21] login: add optional field for ticket_info and make password optional Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 11/21] login: make password optional when creating Login requests Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 12/21] login: add helpers to pass cookie values when parsing login responses Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 13/21] login: add `TicketResult::HttpOnly` member Shannon Sterz
2025-03-04 12:04 ` [pdm-devel] [PATCH proxmox v4 14/21] login: add helper to check whether a ticket is just informational Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 15/21] login: add functions to specify full cookie names Shannon Sterz
2025-03-04 12:05 ` Shannon Sterz [this message]
2025-03-04 12:05 ` [pdm-devel] [PATCH proxmox v4 17/21] client: specify cookie names for authentication headers where possible Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 18/21] HttpClient: add helpers to refresh HttpOnly cookies and remove them Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 19/21] LoginPanel/http helpers: add support for handling HttpOnly cookies Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH yew-comp v4 20/21] http helpers: ask server to remove `__Host-` prefixed cookie on logout Shannon Sterz
2025-03-04 12:05 ` [pdm-devel] [PATCH datacenter-manager v4 21/21] api: switch ticket endpoint over to new http only endpoint Shannon Sterz
2025-03-04 14:43 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v4 00/21] use HttpOnly cookies in new projects Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250304120506.135617-17-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox