From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox-backup 3/4] api: node shell: allow access for tokens
Date: Tue, 11 Nov 2025 09:29:19 +0100 [thread overview]
Message-ID: <20251111082938.221008-13-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20251111082938.221008-1-f.gruenbichler@proxmox.com>
needed for PDM, but backwards compatible for existing user-based usage.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
new in v1, requires bumped termproxy
src/api2/node/mod.rs | 28 ++++++++--------------------
src/auth.rs | 5 ++---
src/tools/ticket.rs | 6 +++---
3 files changed, 13 insertions(+), 26 deletions(-)
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index 72df9ea72..a5ec903a7 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -98,7 +98,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
)]
/// Call termproxy and return shell ticket
async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Result<Value, Error> {
- let root_user = Userid::root_userid();
+ let root_auth_id = Authid::root_auth_id();
// intentionally user only for now
let auth_id: Authid = rpcenv
@@ -106,12 +106,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
.ok_or_else(|| format_err!("no authid available"))?
.parse()?;
- if auth_id.is_token() {
- bail!("API tokens cannot access this API endpoint");
- }
-
- let userid = auth_id.user();
-
let path = "/system";
// use port 0 and let the kernel decide which port is free
@@ -120,21 +114,21 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
let ticket = Ticket::new(crate::auth::TERM_PREFIX, &Empty)?.sign(
private_auth_keyring(),
- Some(&tools::ticket::term_aad(userid, path, port)),
+ Some(&tools::ticket::term_aad(&auth_id, path, port)),
)?;
let mut command = Vec::new();
match cmd.as_deref() {
Some("login") | None => {
command.push("login");
- if userid == root_user {
+ if auth_id == *root_auth_id {
command.push("-f");
command.push("root");
}
}
Some("upgrade") => {
- if userid != root_user {
- bail!("only {root_user} can upgrade");
+ if auth_id != *root_auth_id {
+ bail!("only {root_auth_id} can upgrade");
}
// TODO: add nicer/safer wrapper like in PVE instead
command.push("sh");
@@ -144,7 +138,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
_ => bail!("invalid command"),
};
- let username = userid.name().to_owned();
let upid = WorkerTask::spawn(
"termproxy",
None,
@@ -166,6 +159,7 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
"--authport",
"82",
"--port-as-fd",
+ "--vncticket-endpoint",
"--",
]);
arguments.extend_from_slice(&command);
@@ -234,9 +228,8 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
},
)?;
- // FIXME: We're returning the user NAME only?
Ok(json!({
- "user": username,
+ "user": auth_id,
"ticket": ticket,
"port": port,
"upid": upid,
@@ -278,11 +271,6 @@ fn upgrade_to_websocket(
.ok_or_else(|| format_err!("no authid available"))?
.parse()?;
- if auth_id.is_token() {
- bail!("API tokens cannot access this API endpoint");
- }
-
- let userid = auth_id.user();
let ticket = pbs_tools::json::required_string_param(¶m, "vncticket")?;
let port: u16 = pbs_tools::json::required_integer_param(¶m, "port")? as u16;
@@ -290,7 +278,7 @@ fn upgrade_to_websocket(
Ticket::<Empty>::parse(ticket)?.verify(
public_auth_keyring(),
crate::auth::TERM_PREFIX,
- Some(&tools::ticket::term_aad(userid, "/system", port)),
+ Some(&tools::ticket::term_aad(&auth_id, "/system", port)),
)?;
let (ws, response) = WebSocket::new(parts.headers.clone())?;
diff --git a/src/auth.rs b/src/auth.rs
index ac24c8cac..a930d8cd9 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -449,7 +449,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
/// Check path based tickets. (Used for terminal tickets).
fn check_path_ticket(
&self,
- userid: &Userid,
+ auth_id: &Authid,
password: &str,
path: String,
privs: String,
@@ -463,11 +463,10 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
ticket.verify(
self.keyring,
TERM_PREFIX,
- Some(&crate::tools::ticket::term_aad(userid, &path, port)),
+ Some(&crate::tools::ticket::term_aad(auth_id, &path, port)),
)
}) {
let user_info = pbs_config::CachedUserInfo::new()?;
- let auth_id = Authid::from(userid.clone());
for (name, privilege) in pbs_api_types::PRIVILEGES {
if *name == privs {
let mut path_vec = Vec::new();
diff --git a/src/tools/ticket.rs b/src/tools/ticket.rs
index 8dd3c968a..f086d2d82 100644
--- a/src/tools/ticket.rs
+++ b/src/tools/ticket.rs
@@ -1,5 +1,5 @@
-use pbs_api_types::Userid;
+use pbs_api_types::Authid;
-pub fn term_aad(userid: &Userid, path: &str, port: u16) -> String {
- format!("{userid}{path}{port}")
+pub fn term_aad(auth_id: &Authid, path: &str, port: u16) -> String {
+ format!("{auth_id}{path}{port}")
}
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-11-11 8:29 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-11 8:29 [pdm-devel] [PATCH access-control/manager/proxmox{, -backup, -yew-comp, -datacenter-manager}/xtermjs 00/25] add remote node shell Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH pve-xtermjs 1/2] xtermjs: add support for remote node shells via PDM Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH pve-xtermjs 2/2] termproxy: allow using new vncticket endpoint Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH manager 1/3] api: termproxy/vncwebsocket: allow tokens Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH manager 2/3] api: termproxy: add description to return schema Fabian Grünbichler
2025-11-13 10:38 ` Stefan Hanreich
2025-11-11 8:29 ` [pdm-devel] [PATCH manager 3/3] http server: allow unauthenticated access to /access/vncticket Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox 1/3] pbs-api-types: add NodeShellTicket Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox 2/3] auth-api: use Authid for path ticket validation Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox 3/3] auth-api: add vncticket verification endpoint and type Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-backup 1/4] tree-wide: user Userid::root_user() instead of hard-coded root@pam Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-backup 2/4] api: access: add vncticket verification endpoint Fabian Grünbichler
2025-11-11 8:29 ` Fabian Grünbichler [this message]
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-backup 4/4] api: termproxy: use NodeShellTicket type from pbs-api-types Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-yew-comp 1/3] xtermjs: add remote PVE support Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-yew-comp 2/3] xtermjs: merge ConsoleType to parameters conversion Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-yew-comp 3/3] xtermjs: add remote PBS console type Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 1/9] auth: allow tokens in term tickets Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 2/9] connection: add access to "raw" client Fabian Grünbichler
2025-11-13 10:39 ` Stefan Hanreich
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 3/9] pbs client: add termproxy wrapper Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 4/9] api: add remote_shell module with termproxy endpoint Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 5/9] api: remote shell: add websocket endpoint Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 6/9] api: pve: wire up remote shell support Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 7/9] ui: pve: node: add shell tab Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 8/9] api: pbs: wire up node shell endpoints Fabian Grünbichler
2025-11-11 8:29 ` [pdm-devel] [PATCH proxmox-datacenter-manager 9/9] ui: add PBS remote shell button Fabian Grünbichler
2025-11-13 10:40 ` [pdm-devel] [PATCH access-control/manager/proxmox{, -backup, -yew-comp, -datacenter-manager}/xtermjs 00/25] add remote node shell Stefan Hanreich
2025-11-14 11:04 ` [pdm-devel] partially-applied: " Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251111082938.221008-13-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox