pbs-config: move secret generation into token_shadow

so we have only one place where we generate secrets. Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
2025-04-28 05:44:39 +00:00 · 2025-04-04 17:32:06 +02:00 · 2025-04-04 17:32:06 +02:00 · 17f183c40b
commit 17f183c40b
parent d977da6411
3 changed files with 11 additions and 3 deletions
--- a/pbs-config/Cargo.toml
+++ b/pbs-config/Cargo.toml
@ -24,6 +24,7 @@ proxmox-section-config.workspace = true
 proxmox-shared-memory.workspace = true
 proxmox-sys = { workspace = true, features = [ "acl", "crypt", "timer" ] }
 proxmox-time.workspace = true
+proxmox-uuid.workspace = true

 pbs-api-types.workspace = true
 pbs-buildcfg.workspace = true
--- a/pbs-config/src/token_shadow.rs
+++ b/pbs-config/src/token_shadow.rs
@ -61,8 +61,16 @@ pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
    }
 }

+/// Generates a new secret for the given tokenid / API token, sets it then returns it.
+/// The secret is stored as salted hash.
+pub fn generate_and_set_secret(tokenid: &Authid) -> Result<String, Error> {
+    let secret = format!("{:x}", proxmox_uuid::Uuid::generate());
+    set_secret(tokenid, &secret)?;
+    Ok(secret)
+}
+
 /// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash.
-pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
+fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
    if !tokenid.is_token() {
        bail!("not an API token ID");
    }
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@ -495,8 +495,7 @@ pub fn generate_token(
        );
    }

-    let secret = format!("{:x}", proxmox_uuid::Uuid::generate());
-    token_shadow::set_secret(&tokenid, &secret)?;
+    let secret = token_shadow::generate_and_set_secret(&tokenid)?;

    let token = ApiToken {
        tokenid,