[pdm-devel] [PATCH proxmox 3/3] auth-api: add vncticket verification endpoint and type

["Fabian Grünbichler" <f.gruenbichler@proxmox.com>]

needed to allow token-based shells in PBS/PDM.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    new in v1, required for PBS

 proxmox-auth-api/src/api/access.rs | 32 +++++++++++++++++++++++++++++-
 proxmox-auth-api/src/api/mod.rs    |  4 ++--
 proxmox-auth-api/src/types.rs      | 22 ++++++++++++++++++++
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 6921ea29..3ff1d0e8 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -16,7 +16,7 @@ use proxmox_tfa::api::TfaChallenge;
 use super::ApiTicket;
 use super::{auth_context, HMACKey};
 use crate::ticket::Ticket;
-use crate::types::{Authid, CreateTicket, CreateTicketResponse, Userid};
+use crate::types::{Authid, CreateTicket, CreateTicketResponse, Userid, VerifyVNCTicket};
 
 #[allow(clippy::large_enum_variant)]
 enum AuthResult {
@@ -68,6 +68,36 @@ pub async fn create_ticket(
         })
 }
 
+#[api(
+    input: {
+        properties: {
+            verify_params: {
+                type: VerifyVNCTicket,
+                flatten: true,
+            }
+        },
+    },
+    protected: true,
+    access: {
+        permission: &Permission::World,
+    },
+)]
+/// Verify that a VNC ticket is valid for a given Authid, path and privilege(s).
+pub async fn verify_vnc_ticket(verify_params: VerifyVNCTicket) -> Result<(), Error> {
+    let auth_context = auth_context()?;
+    match auth_context.check_path_ticket(
+        &verify_params.authid,
+        &verify_params.vncticket,
+        verify_params.path,
+        verify_params.privs,
+        verify_params.port.unwrap_or_default(),
+    )? {
+        None => bail!("Checking VNC ticket failed"), // no path based tickets supported, just fall through.
+        Some(true) => return Ok(()),
+        Some(false) => bail!("No such privilege"),
+    }
+}
+
 pub const API_METHOD_LOGOUT: ApiMethod = ApiMethod::new(
     &ApiHandler::AsyncHttpBodyParameters(&logout_handler),
     &ObjectSchema::new("", &[]),
diff --git a/proxmox-auth-api/src/api/mod.rs b/proxmox-auth-api/src/api/mod.rs
index 3c07ead3..98cf77e9 100644
--- a/proxmox-auth-api/src/api/mod.rs
+++ b/proxmox-auth-api/src/api/mod.rs
@@ -19,8 +19,8 @@ use crate::ticket::Ticket;
 use access::verify_csrf_prevention_token;
 
 pub use access::{
-    assemble_csrf_prevention_token, create_ticket, API_METHOD_CREATE_TICKET,
-    API_METHOD_CREATE_TICKET_HTTP_ONLY, API_METHOD_LOGOUT,
+    assemble_csrf_prevention_token, create_ticket, verify_vnc_ticket, API_METHOD_CREATE_TICKET,
+    API_METHOD_CREATE_TICKET_HTTP_ONLY, API_METHOD_LOGOUT, API_METHOD_VERIFY_VNC_TICKET,
 };
 pub use ticket::{ApiTicket, PartialTicket};
 
diff --git a/proxmox-auth-api/src/types.rs b/proxmox-auth-api/src/types.rs
index 9bde661c..86b79d70 100644
--- a/proxmox-auth-api/src/types.rs
+++ b/proxmox-auth-api/src/types.rs
@@ -706,6 +706,28 @@ pub struct CreateTicket {
     pub tfa_challenge: Option<String>,
 }
 
+#[api]
+/// The parameter object for verifying a VNC ticket.
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct VerifyVNCTicket {
+    /// Userid or Token
+    pub authid: Authid,
+
+    /// The VNC ticket
+    #[serde(default)]
+    pub vncticket: String,
+
+    /// Verify ticket, and check if user have access 'privs' on 'path'.
+    pub path: String,
+
+    /// Verify ticket, and check if user have access 'privs' on 'path'.
+    pub privs: String,
+
+    /// Port for verifying terminal tickets.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub port: Option<u16>,
+}
+
 #[api]
 /// The API response for a ticket call.
 #[derive(Debug, Deserialize, Serialize)]
-- 
2.47.3



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel