From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id F42161FF184 for ; Thu, 20 Nov 2025 14:12:37 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4EC1B83D2; Thu, 20 Nov 2025 14:12:42 +0100 (CET) From: Robert Obkircher To: pve-devel@lists.proxmox.com Date: Thu, 20 Nov 2025 14:09:10 +0100 Message-ID: <20251120131149.147981-1-r.obkircher@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1763644296866 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.081 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH v4 pve-storage] fix #6900: correctly detect PBS API tokens in storage plugin X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" The PBS storage plugin used PVE code to detect if an API token was entered in the username field. This lead to bad requests for some valid PBS tokens which are not valid PVE tokens. Examples are "root@pam!1234" and "root@pam!_-". Relax the token pattern to allow token names and realms that start with numbers or underscores. Also allow single character token names, which are allowed on the backend even though they can't be created through the PBS Web UI. Signed-off-by: Robert Obkircher --- Changes in v4: - drop commented out Rust code - comment why the regexes are necessary and where they come from Changes in v3: - drop importing now unused PVE::Auth::Plugin module Changes in v2: - port all regexes, not just the token name src/PVE/Storage/PBSPlugin.pm | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/PVE/Storage/PBSPlugin.pm b/src/PVE/Storage/PBSPlugin.pm index 5842004..1e0e038 100644 --- a/src/PVE/Storage/PBSPlugin.pm +++ b/src/PVE/Storage/PBSPlugin.pm @@ -701,6 +701,20 @@ my sub snapshot_files_encrypted { return $any && $all; } +# We cannot use the PVE API token regexes as we're stricter in PVE, +# so some tokens that would be valid for PBS would get rejected. +# Adapt over the PBS ones from proxmox-auth-api/src/types.rs: + +my $safe_id_regex = qr/(?:[A-Za-z0-9_][A-Za-z0-9\._\-]*)/; + +my $token_name_regex = $safe_id_regex; + +my $user_name_regex = qr/(?:[^\s:\/\p{PosixCntrl}]+)/; + +my $user_id_regex = qr/${user_name_regex}\@${safe_id_regex}/; + +my $apitoken_id_regex = qr/${user_id_regex}\!${token_name_regex}/; + # TODO: use a client with native rust/proxmox-backup bindings to profit from # API schema checks and types my sub pbs_api_connect { @@ -710,8 +724,8 @@ my sub pbs_api_connect { my $user = $scfg->{username} // 'root@pam'; - if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) { - $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}"; + if ($user =~ qr/^${apitoken_id_regex}$/) { + $params->{apitoken} = "PBSAPIToken=${user}:${password}"; } else { $params->{password} = $password; $params->{username} = $user; -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel