Proxmox-Port/proxmox
1
0
Fork 0
forked from proxmox-mirrors/proxmox
Code Pull Requests Activity

replace Userid with Authid

Browse Source 
in most generic places. this is accompanied by a change in
RpcEnvironment to purposefully break existing call sites.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2020-10-23 13:33:21 +02:00 committed by Wolfgang Bumiller
parent 9af79677b2
commit ed512bc26f
2 changed files with 26 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/server/environment.rs
View File

@ -6,7 +6,7 @@ use proxmox::api::{RpcEnvironment, RpcEnvironmentType};
pub struct RestEnvironment { pub struct RestEnvironment {
env_type: RpcEnvironmentType, env_type: RpcEnvironmentType,
result_attributes: Value, result_attributes: Value,
user: Option<String>, auth_id: Option<String>,
client_ip: Option<std::net::SocketAddr>, client_ip: Option<std::net::SocketAddr>,
} }
@ -14,7 +14,7 @@ impl RestEnvironment {
pub fn new(env_type: RpcEnvironmentType) -> Self { pub fn new(env_type: RpcEnvironmentType) -> Self {
Self { Self {
result_attributes: json!({}), result_attributes: json!({}),
user: None, auth_id: None,
client_ip: None, client_ip: None,
env_type, env_type,
} }
@ -35,12 +35,12 @@ impl RpcEnvironment for RestEnvironment {
self.env_type self.env_type
} }
fn set_user(&mut self, user: Option<String>) { fn set_auth_id(&mut self, auth_id: Option<String>) {
self.user = user; self.auth_id = auth_id;
} }
fn get_user(&self) -> Option<String> { fn get_auth_id(&self) -> Option<String> {
self.user.clone() self.auth_id.clone()
} }
fn set_client_ip(&mut self, client_ip: Option<std::net::SocketAddr>) { fn set_client_ip(&mut self, client_ip: Option<std::net::SocketAddr>) {

38
src/server/rest.rs
View File

@ -42,7 +42,7 @@ use super::formatter::*;
use super::ApiConfig; use super::ApiConfig;
use crate::auth_helpers::*; use crate::auth_helpers::*;
use crate::api2::types::Userid; use crate::api2::types::{Authid, Userid};
use crate::tools; use crate::tools;
use crate::tools::FileLogger; use crate::tools::FileLogger;
use crate::tools::ticket::Ticket; use crate::tools::ticket::Ticket;
@ -138,9 +138,9 @@ fn log_response(
log::error!("{} {}: {} {}: [client {}] {}", method.as_str(), path, status.as_str(), reason, peer, message); log::error!("{} {}: {} {}: [client {}] {}", method.as_str(), path, status.as_str(), reason, peer, message);
} }
if let Some(logfile) = logfile { if let Some(logfile) = logfile {
let user = match resp.extensions().get::<Userid>() { let auth_id = match resp.extensions().get::<Authid>() {
Some(userid) => userid.as_str(), Some(auth_id) => auth_id.to_string(),
None => "-", None => "-".to_string(),
}; };
let now = proxmox::tools::time::epoch_i64(); let now = proxmox::tools::time::epoch_i64();
// time format which apache/nginx use (by default), copied from pve-http-server // time format which apache/nginx use (by default), copied from pve-http-server
@ -153,7 +153,7 @@ fn log_response(
.log(format!( .log(format!(
"{} - {} [{}] \"{} {}\" {} {} {}", "{} - {} [{}] \"{} {}\" {} {} {}",
peer.ip(), peer.ip(),
user, auth_id,
datetime, datetime,
method.as_str(), method.as_str(),
path, path,
@ -441,7 +441,7 @@ fn get_index(
.unwrap(); .unwrap();
if let Some(userid) = userid { if let Some(userid) = userid {
resp.extensions_mut().insert(userid); resp.extensions_mut().insert(Authid::from((userid, None)));
} }
resp resp
@ -555,14 +555,15 @@ fn check_auth(
ticket: &Option<String>, ticket: &Option<String>,
csrf_token: &Option<String>, csrf_token: &Option<String>,
user_info: &CachedUserInfo, user_info: &CachedUserInfo,
) -> Result<Userid, Error> { ) -> Result<Authid, Error> {
let ticket_lifetime = tools::ticket::TICKET_LIFETIME; let ticket_lifetime = tools::ticket::TICKET_LIFETIME;
let ticket = ticket.as_ref().map(String::as_str); let ticket = ticket.as_ref().map(String::as_str);
let userid: Userid = Ticket::parse(&ticket.ok_or_else(|| format_err!("missing ticket"))?)? let userid: Userid = Ticket::parse(&ticket.ok_or_else(|| format_err!("missing ticket"))?)?
.verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?; .verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?;
if !user_info.is_active_user(&userid) { let auth_id = Authid::from(userid.clone());
if !user_info.is_active_auth_id(&auth_id) {
bail!("user account disabled or expired."); bail!("user account disabled or expired.");
} }
@ -574,7 +575,7 @@ fn check_auth(
} }
} }
Ok(userid) Ok(Authid::from(userid))
} }
async fn handle_request( async fn handle_request(
@ -632,7 +633,7 @@ async fn handle_request(
if auth_required { if auth_required {
let (ticket, csrf_token, _) = extract_auth_data(&parts.headers); let (ticket, csrf_token, _) = extract_auth_data(&parts.headers);
match check_auth(&method, &ticket, &csrf_token, &user_info) { match check_auth(&method, &ticket, &csrf_token, &user_info) {
Ok(userid) => rpcenv.set_user(Some(userid.to_string())), Ok(authid) => rpcenv.set_auth_id(Some(authid.to_string())),
Err(err) => { Err(err) => {
// always delay unauthorized calls by 3 seconds (from start of request) // always delay unauthorized calls by 3 seconds (from start of request)
let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err); let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err);
@ -648,8 +649,8 @@ async fn handle_request(
return Ok((formatter.format_error)(err)); return Ok((formatter.format_error)(err));
} }
Some(api_method) => { Some(api_method) => {
let user = rpcenv.get_user(); let auth_id = rpcenv.get_auth_id();
if !check_api_permission(api_method.access.permission, user.as_deref(), &uri_param, user_info.as_ref()) { if !check_api_permission(api_method.access.permission, auth_id.as_deref(), &uri_param, user_info.as_ref()) {
let err = http_err!(FORBIDDEN, "permission check failed"); let err = http_err!(FORBIDDEN, "permission check failed");
tokio::time::delay_until(Instant::from_std(access_forbidden_time)).await; tokio::time::delay_until(Instant::from_std(access_forbidden_time)).await;
return Ok((formatter.format_error)(err)); return Ok((formatter.format_error)(err));
@ -666,9 +667,9 @@ async fn handle_request(
Err(err) => (formatter.format_error)(err), Err(err) => (formatter.format_error)(err),
}; };
if let Some(user) = user { if let Some(auth_id) = auth_id {
let userid: Userid = user.parse()?; let auth_id: Authid = auth_id.parse()?;
response.extensions_mut().insert(userid); response.extensions_mut().insert(auth_id);
} }
return Ok(response); return Ok(response);
@ -687,9 +688,10 @@ async fn handle_request(
let (ticket, csrf_token, language) = extract_auth_data(&parts.headers); let (ticket, csrf_token, language) = extract_auth_data(&parts.headers);
if ticket != None { if ticket != None {
match check_auth(&method, &ticket, &csrf_token, &user_info) { match check_auth(&method, &ticket, &csrf_token, &user_info) {
Ok(userid) => { Ok(auth_id) => {
let new_csrf_token = assemble_csrf_prevention_token(csrf_secret(), &userid); let userid = auth_id.user();
return Ok(get_index(Some(userid), Some(new_csrf_token), language, &api, parts)); let new_csrf_token = assemble_csrf_prevention_token(csrf_secret(), userid);
return Ok(get_index(Some(userid.clone()), Some(new_csrf_token), language, &api, parts));
} }
_ => { _ => {
tokio::time::delay_until(Instant::from_std(delay_unauth_time)).await; tokio::time::delay_until(Instant::from_std(delay_unauth_time)).await;