From 01a080215dded9b84555a87e9a03ccfe9f7b9fa3 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 29 Sep 2021 11:05:26 +0200
Subject: [PATCH] drop pbs_tools::auth

`pbs_client::connect_to_localhost` now requires the key as optional parameter

Signed-off-by: Wolfgang Bumiller
---
 pbs-client/src/lib.rs | 21 ++++++-----------
 pbs-tools/src/auth.rs | 26 ---------------------
 pbs-tools/src/lib.rs | 1 -
 src/api2/access/mod.rs | 6 ++---
 src/api2/access/openid.rs | 4 +---
 src/api2/node/mod.rs | 5 ++--
 src/auth_helpers.rs | 18 +++++++++++++-
 src/bin/proxmox-backup-api.rs | 1 -
 src/bin/proxmox-backup-manager.rs | 5 ++--
 src/bin/proxmox-tape.rs | 3 ++-
 src/bin/proxmox_backup_debug/api.rs | 4 +++-
 src/bin/proxmox_backup_manager/datastore.rs | 3 ++-
 src/bin/proxmox_tape/backup_job.rs | 3 ++-
 src/client_helpers.rs | 13 +++++++++++
 src/lib.rs | 2 ++
 15 files changed, 57 insertions(+), 58 deletions(-)
 delete mode 100644 pbs-tools/src/auth.rs
 create mode 100644 src/client_helpers.rs

diff --git a/pbs-client/src/lib.rs b/pbs-client/src/lib.rs
index d14a3617..eeeff71e 100644
--- a/pbs-client/src/lib.rs
+++ b/pbs-client/src/lib.rs
@@ -4,11 +4,11 @@
 //! server using https.
 use anyhow::Error;
+use openssl::pkey::{PKey, Private};
 use pbs_api_types::{Authid, Userid};
 use pbs_tools::ticket::Ticket;
 use pbs_tools::cert::CertInfo;
-use pbs_tools::auth::private_auth_key;
 pub mod catalog_shell;
 pub mod dynamic_index;
@@ -53,22 +53,15 @@ pub const PROXMOX_BACKUP_TCP_KEEPALIVE_TIME: u32 = 120;
 /// Connect to localhost:8007 as root@pam
 ///
 /// This automatically creates a ticket if run as 'root' user.
-pub fn connect_to_localhost() -> Result {
-
- let uid = nix::unistd::Uid::current();
-
- let client = if uid.is_root() {
+pub fn connect_to_localhost(auth_key: Option<&PKey>) -> Result {
+ let options = if let Some(auth_key) = auth_key {
 let ticket = Ticket::new("PBS", Userid::root_userid())?
- .sign(private_auth_key(), None)?;
+ .sign(auth_key, None)?;
 let fingerprint = CertInfo::new()?.fingerprint()?;
- let options = HttpClientOptions::new_non_interactive(ticket, Some(fingerprint));
-
- HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)?
+ HttpClientOptions::new_non_interactive(ticket, Some(fingerprint))
 } else {
- let options = HttpClientOptions::new_interactive(None, None);
-
- HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)?
+ HttpClientOptions::new_interactive(None, None)
 };
- Ok(client)
+ HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)
 }
diff --git a/pbs-tools/src/auth.rs b/pbs-tools/src/auth.rs
deleted file mode 100644
index 6e605dd8..00000000
--- a/pbs-tools/src/auth.rs
+++ /dev/null
@@ -1,26 +0,0 @@
-//! Helpers for authentication used by both client and server.
-
-use anyhow::Error;
-use lazy_static::lazy_static;
-use openssl::pkey::{PKey, Private};
-use openssl::rsa::Rsa;
-
-use proxmox::tools::fs::file_get_contents;
-
-use pbs_buildcfg::configdir;
-
-fn load_private_auth_key() -> Result, Error> {
- let pem = file_get_contents(configdir!("/authkey.key"))?;
- let rsa = Rsa::private_key_from_pem(&pem)?;
- let key = PKey::from_rsa(rsa)?;
-
- Ok(key)
-}
-
-pub fn private_auth_key() -> &'static PKey {
- lazy_static! {
- static ref KEY: PKey = load_private_auth_key().unwrap();
- }
-
- &KEY
-}
diff --git a/pbs-tools/src/lib.rs b/pbs-tools/src/lib.rs
index 6c2f0ff5..6b7b600b 100644
--- a/pbs-tools/src/lib.rs
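Review bot: The doc comment left above the new signature is stale: `/// This automatically creates a ticket if run as 'root' user.` no longer describes the function, which never inspects the uid any more and signs a root@pam ticket for whoever passes an `auth_key`. Replace it with something like `/// If the server's private auth key is given, sign a root@pam ticket with it and pass the local certificate fingerprint to the client options; otherwise fall back to interactive authentication.` — and state that handing over the key is a privilege grant, since nothing in this function checks the caller. Note also that only the key path passes `Some(fingerprint)` (presumably used for certificate pinning); the interactive path still passes `None`, which is pre-existing behaviour but deserves a comment now that the two branches sit side by side. The function is fully within the hunk.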
+++ b/pbs-tools/src/lib.rs
@@ -1,5 +1,4 @@
 pub mod acl;
-pub mod auth;
 pub mod blocking;
 pub mod borrow;
 pub mod broadcast_future;
diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index 52963d3c..7e11edaa 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -15,15 +15,13 @@ use pbs_api_types::{
 Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA, PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
 };
-use pbs_tools::auth::private_auth_key;
 use pbs_tools::ticket::{self, Empty, Ticket};
 use pbs_config::acl::AclTreeNode;
+use pbs_config::CachedUserInfo;
 use crate::auth_helpers::*;
-use crate::server::ticket::ApiTicket;
-
-use pbs_config::CachedUserInfo;
 use crate::config::tfa::TfaChallenge;
+use crate::server::ticket::ApiTicket;
 pub mod acl;
 pub mod domain;
diff --git a/src/api2/access/openid.rs b/src/api2/access/openid.rs
index 8fe62ad2..4da1ff04 100644
--- a/src/api2/access/openid.rs
+++ b/src/api2/access/openid.rs
@@ -13,16 +13,14 @@ use proxmox_openid::{OpenIdAuthenticator, OpenIdConfig};
 use pbs_api_types::{Userid, User, REALM_ID_SCHEMA};
 use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
-use pbs_tools::auth::private_auth_key;
 use pbs_tools::ticket::Ticket;
 use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig};
-use crate::server::ticket::ApiTicket;
 use pbs_config::CachedUserInfo;
-
 use pbs_config::open_backup_lockfile;
 use crate::auth_helpers::*;
+use crate::server::ticket::ApiTicket;
 fn openid_authenticator(realm_config: &OpenIdRealmConfig, redirect_url: &str) -> Result {
 let config = OpenIdConfig {
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index 9f206472..9a427235 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
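Review bot: With `use pbs_tools::auth::private_auth_key;` dropped, api2/access/mod.rs now reaches `private_auth_key` only through the glob `use crate::auth_helpers::*;`, openid.rs in the next hunk does the same, while node/mod.rs later in this series imports it by name. For the accessor that hands out the ticket-signing key, an explicit import such as `use crate::auth_helpers::{self, private_auth_key};` next to the glob keeps the dependency greppable and the three call sites consistent. Only the import blocks are visible here; the call sites lie outside the hunks.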
@@ -20,12 +20,13 @@ use proxmox::list_subdirs_api_method;
 use proxmox::{identity, sortable};
 use proxmox_http::websocket::WebSocket;
+use proxmox_rest_server::WorkerTask;
+
 use pbs_api_types::{Authid, NODE_SCHEMA, PRIV_SYS_CONSOLE};
-use pbs_tools::auth::private_auth_key;
 use pbs_tools::ticket::{self, Empty, Ticket};
-use proxmox_rest_server::WorkerTask;
 use crate::tools;
+use crate::auth_helpers::private_auth_key;
 pub mod apt;
 pub mod certificates;
diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
index 890816ac..d88bf8cc 100644
--- a/src/auth_helpers.rs
+++ b/src/auth_helpers.rs
@@ -2,7 +2,7 @@ use std::path::PathBuf;
 use anyhow::{bail, format_err, Error};
 use lazy_static::lazy_static;
-use openssl::pkey::{PKey, Public};
+use openssl::pkey::{PKey, Private, Public};
 use openssl::rsa::Rsa;
 use openssl::sha;
@@ -170,3 +170,19 @@ pub fn public_auth_key() -> &'static PKey {
 &KEY
 }
+
+fn load_private_auth_key() -> Result, Error> {
+ let pem = file_get_contents(configdir!("/authkey.key"))?;
+ let rsa = Rsa::private_key_from_pem(&pem)?;
+ let key = PKey::from_rsa(rsa)?;
+
+ Ok(key)
+}
+
+pub fn private_auth_key() -> &'static PKey {
+ lazy_static! {
+ static ref KEY: PKey = load_private_auth_key().unwrap();
+ }
+
+ &KEY
+}
diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs
index e3f2531f..d687cda0 100644
--- a/src/bin/proxmox-backup-api.rs
+++ b/src/bin/proxmox-backup-api.rs
@@ -9,7 +9,6 @@ use proxmox::try_block;
 use proxmox::api::RpcEnvironmentType;
 use proxmox::tools::fs::CreateOptions;
-use pbs_tools::auth::private_auth_key;
 use proxmox_rest_server::{daemon, ApiConfig, RestServer};
 use proxmox_backup::server::auth::default_api_auth;
diff --git a/src/bin/proxmox-backup-manager.rs b/src/bin/proxmox-backup-manager.rs
index 9fb60691..87f7034d 100644
--- a/src/bin/proxmox-backup-manager.rs
+++ b/src/bin/proxmox-backup-manager.rs
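Review bot: `private_auth_key()` in the auth_helpers.rs hunk still does `load_private_auth_key().unwrap()` inside `lazy_static!`, so a missing or unreadable `authkey.key` aborts the whole process on first use with a bare `Result::unwrap()` message that names neither the file nor the cause; the code is moved verbatim, but it now lives in the server crate where that first use may well be a login request. A one-line improvement is `static ref KEY: PKey<Private> = load_private_auth_key().unwrap_or_else(|err| panic!("failed to load {}: {}", configdir!("/authkey.key"), err));`, and `public_auth_key` just above the hunk appears to share the pattern, so both should get the same treatment. Nothing in this hunk checks the mode or owner of the key file before parsing it, so a doc comment on `load_private_auth_key` stating that the file is expected to be readable by root only would also help the next reader.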
@@ -7,7 +7,7 @@ use serde_json::{json, Value};
 use proxmox::api::{api, cli::*, RpcEnvironment};
 use proxmox::tools::fs::CreateOptions;
-use pbs_client::{connect_to_localhost, display_task_log, view_task_result};
+use pbs_client::{display_task_log, view_task_result};
 use pbs_tools::percent_encoding::percent_encode_component;
 use pbs_tools::json::required_string_param;
 use pbs_api_types::{
@@ -17,8 +17,9 @@ use pbs_api_types::{
 use proxmox_rest_server::wait_for_local_worker;
-use proxmox_backup::config;
 use proxmox_backup::api2;
+use proxmox_backup::client_helpers::connect_to_localhost;
+use proxmox_backup::config;
 mod proxmox_backup_manager;
 use proxmox_backup_manager::*;
diff --git a/src/bin/proxmox-tape.rs b/src/bin/proxmox-tape.rs
index 615c8a91..98d28c95 100644
--- a/src/bin/proxmox-tape.rs
+++ b/src/bin/proxmox-tape.rs
@@ -14,7 +14,7 @@ use proxmox::{
 },
 };
-use pbs_client::{connect_to_localhost, view_task_result};
+use pbs_client::view_task_result;
 use pbs_tools::format::{
 HumanByte,
 render_epoch,
@@ -49,6 +49,7 @@ use proxmox_backup::{
 proxmox_tape_magic_to_text,
 },
 },
+ client_helpers::connect_to_localhost,
 };
 mod proxmox_tape;
diff --git a/src/bin/proxmox_backup_debug/api.rs b/src/bin/proxmox_backup_debug/api.rs
index 003f6677..141c0579 100644
--- a/src/bin/proxmox_backup_debug/api.rs
+++ b/src/bin/proxmox_backup_debug/api.rs
@@ -16,9 +16,11 @@ use proxmox::api::{
 };
 use pbs_api_types::{PROXMOX_UPID_REGEX, UPID};
-use pbs_client::{connect_to_localhost, view_task_result};
+use pbs_client::view_task_result;
 use proxmox_rest_server::normalize_uri_path;
+use proxmox_backup::client_helpers::connect_to_localhost;
+
 const PROG_NAME: &str = "proxmox-backup-debug api";
 const URL_ASCIISET: percent_encoding::AsciiSet = percent_encoding::NON_ALPHANUMERIC.remove(b'/');
diff --git a/src/bin/proxmox_backup_manager/datastore.rs b/src/bin/proxmox_backup_manager/datastore.rs
index 969e0420..e5ef2660 100644
--- a/src/bin/proxmox_backup_manager/datastore.rs
+++ b/src/bin/proxmox_backup_manager/datastore.rs
@@ -3,10 +3,11 @@ use serde_json::Value;
 use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler};
-use pbs_client::{connect_to_localhost, view_task_result};
+use pbs_client::view_task_result;
 use pbs_api_types::{DataStoreConfig, DATASTORE_SCHEMA};
 use proxmox_backup::api2;
+use proxmox_backup::client_helpers::connect_to_localhost;
 #[api(
 input: {
diff --git a/src/bin/proxmox_tape/backup_job.rs b/src/bin/proxmox_tape/backup_job.rs
index 65e1ac45..b5662f16 100644
--- a/src/bin/proxmox_tape/backup_job.rs
+++ b/src/bin/proxmox_tape/backup_job.rs
@@ -4,9 +4,10 @@ use serde_json::Value;
 use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler};
 use pbs_api_types::JOB_ID_SCHEMA;
-use pbs_client::{connect_to_localhost, view_task_result};
+use pbs_client::view_task_result;
 use proxmox_backup::api2;
+use proxmox_backup::client_helpers::connect_to_localhost;
 #[api(
 input: {
diff --git a/src/client_helpers.rs b/src/client_helpers.rs
new file mode 100644
index 00000000..154d7fd0
--- /dev/null
+++ b/src/client_helpers.rs
@@ -0,0 +1,13 @@
+use anyhow::Error;
+
+use crate::auth_helpers::private_auth_key;
+
+/// As root we have access to the private key file and can use it directly. Otherwise the connect
+/// call will interactively query the password.
+pub fn connect_to_localhost() -> Result {
+ pbs_client::connect_to_localhost(if nix::unistd::Uid::current().is_root() {
+ Some(private_auth_key())
+ } else {
+ None
+ })
+}
diff --git a/src/lib.rs b/src/lib.rs
index fcbc2e18..fa08b4fa 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -25,3 +25,5 @@ pub mod rrd;
 pub mod tape;
 pub mod acme;
+
+pub mod client_helpers;
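Review bot: The root branch of the new `connect_to_localhost` wrapper in client_helpers.rs cannot fall back: `private_auth_key()` unwraps its loader, so running one of these CLIs as uid 0 on a host where `authkey.key` is missing or unreadable panics instead of dropping to the interactive prompt the doc comment promises for everyone else. The uid test is also only a proxy for key readability — a non-root user who happens to be able to read the key file is still prompted, which is the safe direction but undocumented. Suggest extending the doc comment to `/// As root we assume <configdir>/authkey.key is readable and use it to sign a root@pam ticket; any other uid falls back to interactive password entry. A missing or unreadable key file panics rather than falling back.` The function is fully within the hunk.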