From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pdm-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
by lore.proxmox.com (Postfix) with ESMTPS id 0B1D41FF168
for <inbox@lore.proxmox.com>; Tue, 4 Mar 2025 13:05:30 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id BED9B1D939;
Tue, 4 Mar 2025 13:05:23 +0100 (CET)
From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Date: Tue, 4 Mar 2025 13:04:53 +0100
Message-Id: <20250304120506.135617-9-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250304120506.135617-1-s.sterz@proxmox.com>
References: <20250304120506.135617-1-s.sterz@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0
AWL -0.019 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Subject: [pdm-devel] [PATCH proxmox v4 08/21] auth-api: make regular ticket
endpoint use the new types and handler
X-BeenThere: pdm-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Datacenter Manager development discussion
<pdm-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pdm-devel>,
<mailto:pdm-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pdm-devel/>
List-Post: <mailto:pdm-devel@lists.proxmox.com>
List-Help: <mailto:pdm-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel>,
<mailto:pdm-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Datacenter Manager development discussion
<pdm-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pdm-devel-bounces@lists.proxmox.com
Sender: "pdm-devel" <pdm-devel-bounces@lists.proxmox.com>
so we can re-use more code between the different ticket endpoints
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
proxmox-auth-api/src/api/access.rs | 94 +++---------------------------
1 file changed, 9 insertions(+), 85 deletions(-)
diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 3e737339..260440bf 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -11,9 +11,7 @@ use proxmox_rest_server::{extract_cookie, RestEnvironment};
use proxmox_router::{
http_err, ApiHandler, ApiMethod, ApiResponseFuture, Permission, RpcEnvironment,
};
-use proxmox_schema::{
- api, api_types::PASSWORD_SCHEMA, AllOfSchema, ApiType, ParameterSchema, ReturnType,
-};
+use proxmox_schema::{api, AllOfSchema, ApiType, ParameterSchema, ReturnType};
use proxmox_tfa::api::TfaChallenge;
use super::ApiTicket;
@@ -36,51 +34,14 @@ enum AuthResult {
#[api(
input: {
properties: {
- username: {
- type: Userid,
- },
- password: {
- schema: PASSWORD_SCHEMA,
- },
- path: {
- type: String,
- description: "Path for verifying terminal tickets.",
- optional: true,
- },
- privs: {
- type: String,
- description: "Privilege for verifying terminal tickets.",
- optional: true,
- },
- port: {
- type: Integer,
- description: "Port for verifying terminal tickets.",
- optional: true,
- },
- "tfa-challenge": {
- type: String,
- description: "The signed TFA challenge string the user wants to respond to.",
- optional: true,
- },
+ create_params: {
+ type: CreateTicket,
+ flatten: true,
+ }
},
},
returns: {
- properties: {
- username: {
- type: String,
- description: "User name.",
- },
- ticket: {
- type: String,
- description: "Auth ticket.",
- },
- CSRFPreventionToken: {
- type: String,
- description:
- "Cross Site Request Forgery Prevention Token. \
- For partial tickets this is the string \"invalid\".",
- },
- },
+ type: CreateTicketResponse,
},
protected: true,
access: {
@@ -91,52 +52,15 @@ enum AuthResult {
///
/// Returns: An authentication ticket with additional infos.
pub async fn create_ticket(
- username: Userid,
- password: String,
- path: Option<String>,
- privs: Option<String>,
- port: Option<u16>,
- tfa_challenge: Option<String>,
+ create_params: CreateTicket,
rpcenv: &mut dyn RpcEnvironment,
-) -> Result<Value, Error> {
+) -> Result<CreateTicketResponse, Error> {
let env: &RestEnvironment = rpcenv
.as_any()
.downcast_ref::<RestEnvironment>()
.ok_or_else(|| format_err!("detected wrong RpcEnvironment type"))?;
- match authenticate_user(&username, &password, path, privs, port, tfa_challenge, env).await {
- Ok(AuthResult::Success) => Ok(json!({ "username": username })),
- Ok(AuthResult::CreateTicket) => {
- let auth_context = auth_context()?;
- let api_ticket = ApiTicket::Full(username.clone());
- let ticket = Ticket::new(auth_context.auth_prefix(), &api_ticket)?
- .sign(auth_context.keyring(), None)?;
- let token = assemble_csrf_prevention_token(auth_context.csrf_secret(), &username);
-
- env.log_auth(username.as_str());
-
- Ok(json!({
- "username": username,
- "ticket": ticket,
- "CSRFPreventionToken": token,
- }))
- }
- Ok(AuthResult::Partial(challenge)) => {
- let auth_context = auth_context()?;
- let api_ticket = ApiTicket::Partial(challenge);
- let ticket = Ticket::new(auth_context.auth_prefix(), &api_ticket)?
- .sign(auth_context.keyring(), Some(username.as_str()))?;
- Ok(json!({
- "username": username,
- "ticket": ticket,
- "CSRFPreventionToken": "invalid",
- }))
- }
- Err(err) => {
- env.log_failed_auth(Some(username.to_string()), &err.to_string());
- Err(http_err!(UNAUTHORIZED, "permission check failed."))
- }
- }
+ handle_ticket_creation(create_params, env).await
}
--
2.39.5
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel