From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 2D0791FF187 for ; Mon, 3 Nov 2025 15:30:57 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 2BDA41F8B8; Mon, 3 Nov 2025 15:31:35 +0100 (CET) From: Robert Obkircher To: pve-devel@lists.proxmox.com Date: Mon, 3 Nov 2025 15:30:16 +0100 Message-ID: <20251103143034.121698-1-r.obkircher@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1762180244064 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.000 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH pve-storage] fix #6900: correctly detect PBS API tokens in storage plugin X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" The PBS storage plugin used PVE code to detect if an API token was entered in the username field. This lead to bad requests for some valid PBS tokens which are not valid PVE tokens. Relax the token pattern to allow token names that start with numbers or underscores. Also allow single character names, which are technically allowed on the Rust side even though they can't be created through the PBS Web UI. Signed-off-by: Robert Obkircher --- src/PVE/Storage/PBSPlugin.pm | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/src/PVE/Storage/PBSPlugin.pm b/src/PVE/Storage/PBSPlugin.pm index 5842004..892b4d5 100644 --- a/src/PVE/Storage/PBSPlugin.pm +++ b/src/PVE/Storage/PBSPlugin.pm @@ -14,6 +14,7 @@ use POSIX qw(mktime strftime ENOENT); use POSIX::strptime; use PVE::APIClient::LWP; +use PVE::Auth::Plugin; use PVE::JSONSchema qw(get_standard_option); use PVE::Network; use PVE::PBSClient; @@ -701,6 +702,27 @@ my sub snapshot_files_encrypted { return $any && $all; } +# On the Rust side this is TOKEN_NAME_REGEX_STR: = SAFE_ID_REGEX_STR +# which is = r"(?:[A-Za-z0-9_][A-Za-z0-9._\-]*)"; +our $token_subid_regex = qr/[A-Za-z0-9_][A-Za-z0-9\.\-_]*/; + +our $token_full_regex = + qr/((${PVE::Auth::Plugin::user_regex})\@(${PVE::Auth::Plugin::realm_regex}))!(${token_subid_regex})/; + +# Similar to PVE::AccessControl::pve_verify_tokenid, except that this +# also allows the subid to start with numbers or underscores. +sub pbs_verify_tokenid { + my ($tokenid, $noerr) = @_; + + if ($tokenid =~ /^${token_full_regex}$/) { + return wantarray ? ($tokenid, $2, $3, $4) : $tokenid; + } + + die "value '$tokenid' does not look like a valid token ID\n" if !$noerr; + + return undef; +} + # TODO: use a client with native rust/proxmox-backup bindings to profit from # API schema checks and types my sub pbs_api_connect { @@ -710,7 +732,7 @@ my sub pbs_api_connect { my $user = $scfg->{username} // 'root@pam'; - if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) { + if (my $tokenid = pbs_verify_tokenid($user, 1)) { $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}"; } else { $params->{password} = $password; -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel