From: Dominik Csapak
To: pve-devel@lists.proxmox.com
Date: Fri, 14 Nov 2025 15:59:18 +0100
Message-ID: <20251114145927.3766668-4-d.csapak@proxmox.com>
In-Reply-To: <20251114145927.3766668-1-d.csapak@proxmox.com>
Subject: [pve-devel] [PATCH manager v4 1/3] http server/pvesh: set credentials if necessary

the new 'expose_credentials' property of api calls requires us to set the credentials into the RPCEnvironment. Do that for the HTTPServer and for the pvesh. Delete the credentials after executing the api call.

Signed-off-by: Dominik Csapak

--- PVE/CLI/pvesh.pm | 18 ++++++++++++++++++ PVE/HTTPServer.pm | 5 +++++ 2 files changed, 23 insertions(+) diff --git a/PVE/CLI/pvesh.pm b/PVE/CLI/pvesh.pm index 2a994ee9..acd9a605 100755 --- a/PVE/CLI/pvesh.pm +++ b/PVE/CLI/pvesh.pm 
@@ -356,8 +356,26 @@ sub call_api_method { $param->{$p} = $uri_param->{$p}; } + if ($info->{expose_credentials}) { + # create a ticket for the root@pam user, since the + # api call expects to read those credentials + my $rpcenv = PVE::RPCEnvironment->get(); + my $authuser = $rpcenv->get_user(); + + my $ticket = PVE::AccessControl::assemble_ticket($authuser); + my $csrf_token = PVE::AccessControl::assemble_csrf_prevention_token($authuser); + $rpcenv->set_credentials({ + userid => $authuser, + ticket => $ticket, + token => $csrf_token, + }); + } + $data = $handler->handle($info, $param); + # remove credentials after api call + PVE::RPCEnvironment->get()->set_credentials(undef); + # TODO: remove 'download' check with PVE 9.0 if ( ref($data) eq 'HASH' diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm index 660d87e8..bb8052e3 100755 --- a/PVE/HTTPServer.pm +++ b/PVE/HTTPServer.pm @@ -184,6 +184,10 @@ sub rest_handler { return; } + if ($info->{expose_credentials}) { + $rpcenv->set_credentials($auth); + } + $resp = { data => $handler->handle($info, $uri_param), info => $info, # useful to format output @@ -201,6 +205,7 @@ sub rest_handler { my $err = $@; $rpcenv->set_user(undef); # clear after request + $rpcenv->set_credentials(undef); # clear after request if ($err) { $resp = { info => $info }; -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
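Review bot: in the call_api_method hunk of PVE/CLI/pvesh.pm, the `PVE::RPCEnvironment->get()->set_credentials(undef);` cleanup sits directly after `$data = $handler->handle($info, $param);` and no eval is visible around the call in this hunk, so if the handler dies the freshly assembled ticket and CSRF token stay in the RPCEnvironment. The HTTPServer.pm change clears after `my $err = $@;`, which covers both the success and the error path; doing the same here (eval the call, clear the credentials, then rethrow) would keep the two entry points consistent. The comment also says the ticket is created for the root@pam user while the code uses whatever `$rpcenv->get_user()` returns; reword the comment or make that assumption explicit in the code.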
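Review bot: in the rest_handler hunk at @@ -184 of PVE/HTTPServer.pm, `$rpcenv->set_credentials($auth);` hands the whole `$auth` structure to the handler, whereas pvesh.pm builds a hash with exactly `userid`, `ticket` and `token`. Consider passing an explicit hash with the same three keys, or documenting which keys a handler marked `expose_credentials` may rely on, so that both entry points expose the same shape and nothing else carried in `$auth` reaches the handler unintentionally.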