From 569324cb952fb96b9deb9d02a1129a010d1b8ea4 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 29 Mar 2023 14:37:20 +0200
Subject: [PATCH] provide separate helpers for pub/priv auth keyring access

This used to be the case before the switch to the auth api crate and is required for some helpers where we don't want to have to setup the complete auth context.

Signed-off-by: Wolfgang Bumiller
---
 src/api2/access/openid.rs | 4 ++--
 src/api2/node/mod.rs | 6 +++---
 src/auth.rs | 25 +++++++++++++++----------
 src/client_helpers.rs | 5 +++--
 4 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/src/api2/access/openid.rs b/src/api2/access/openid.rs
index bd6f7dee..8e39cbc9 100644
--- a/src/api2/access/openid.rs
+++ b/src/api2/access/openid.rs
@@ -21,7 +21,7 @@ use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
 use pbs_config::open_backup_lockfile;
 use pbs_config::CachedUserInfo;
-use crate::auth::auth_keyring;
+use crate::auth::private_auth_keyring;
 use crate::auth_helpers::*;
 fn openid_authenticator(
@@ -200,7 +200,7 @@ pub fn openid_login(
 }
 let api_ticket = ApiTicket::Full(user_id.clone());
- let ticket = Ticket::new("PBS", &api_ticket)?.sign(auth_keyring(), None)?;
+ let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_keyring(), None)?;
 let token = assemble_csrf_prevention_token(csrf_secret(), &user_id);
 env.log_auth(user_id.as_str());
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index db6d67ac..931143fd 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -26,7 +26,7 @@ use proxmox_sys::fd::fd_change_cloexec;
 use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_CONSOLE};
-use crate::auth::auth_keyring;
+use crate::auth::{private_auth_keyring, public_auth_keyring};
 use crate::tools;
 pub mod apt;
@@ -119,7 +119,7 @@ async fn termproxy(cmd: Option, rpcenv: &mut dyn RpcEnvironment) -> Resu
 let port = listener.local_addr()?.port();
 let ticket = Ticket::new(crate::auth::TERM_PREFIX, &Empty)?.sign(
- auth_keyring(),
+ private_auth_keyring(),
 Some(&tools::ticket::term_aad(userid, path, port)),
 )?;
@@ -290,7 +290,7 @@ fn upgrade_to_websocket(
 // will be checked again by termproxy
 Ticket::::parse(ticket)?.verify(
- auth_keyring(),
+ public_auth_keyring(),
 crate::auth::TERM_PREFIX,
 Some(&tools::ticket::term_aad(userid, "/system", port)),
 )?;
diff --git a/src/auth.rs b/src/auth.rs
index 533f3b9d..e6331e6a 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -7,7 +7,7 @@ use std::pin::Pin;
 use anyhow::{bail, Error};
 use futures::Future;
-use once_cell::sync::OnceCell;
+use once_cell::sync::{Lazy, OnceCell};
 use proxmox_router::http_bail;
 use serde_json::json;
@@ -221,13 +221,17 @@ pub(crate) fn authenticate_user<'a>(
 })
 }
+static PRIVATE_KEYRING: Lazy =
+ Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
+static PUBLIC_KEYRING: Lazy =
+ Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
 static AUTH_CONTEXT: OnceCell = OnceCell::new();
 pub fn setup_auth_context(use_private_key: bool) {
 let keyring = if use_private_key {
- Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into())
+ &*PRIVATE_KEYRING
 } else {
- Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into())
+ &*PUBLIC_KEYRING
 };
 AUTH_CONTEXT
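Review bot: The two `Lazy` statics in the `@@ -221,13 +221,17 @@` hunk of src/auth.rs move key loading from `setup_auth_context` to the first dereference, so `private_auth_keyring()` will read the private key in any process that calls it — including one that was set up with `use_private_key == false`, where the removed `auth_keyring()` handed back the public keyring instead. That is presumably intended for the `connect_to_localhost` case the commit message mentions, but it is worth stating at the statics so verification code does not pick the private helper by accident: `// Initialised on first use, independent of setup_auth_context(); only signing paths should touch PRIVATE_KEYRING.` If `crate::auth_helpers::private_auth_key()` panics when the key is unreadable (its body is not in this patch), that panic now surfaces at the first signing call rather than at daemon start-up, and as far as I recall a once_cell `Lazy` whose initializer panicked panics on every later access, so a short comment on that failure mode next to the statics would help too.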
@@ -241,15 +245,16 @@ pub fn setup_auth_context(use_private_key: bool) {
 proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
 }
-pub(crate) fn auth_keyring() -> &'static Keyring {
- &AUTH_CONTEXT
- .get()
- .expect("setup_auth_context not called")
- .keyring
+pub(crate) fn private_auth_keyring() -> &'static Keyring {
+ &*PRIVATE_KEYRING
+}
+
+pub(crate) fn public_auth_keyring() -> &'static Keyring {
+ &*PUBLIC_KEYRING
 }
 struct PbsAuthContext {
- keyring: Keyring,
+ keyring: &'static Keyring,
 csrf_secret: Vec,
 }
@@ -260,7 +265,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
 /// Get the current authentication keyring.
 fn keyring(&self) -> &Keyring {
- &self.keyring
+ self.keyring
 }
 /// The auth prefix without the separating colon. Eg. `"PBS"`.
diff --git a/src/client_helpers.rs b/src/client_helpers.rs
index da179831..c7c595b2 100644
--- a/src/client_helpers.rs
+++ b/src/client_helpers.rs
@@ -5,14 +5,15 @@ use pbs_client::{HttpClient, HttpClientOptions};
 use proxmox_auth_api::ticket::Ticket;
-use crate::auth::auth_keyring;
+use crate::auth::private_auth_keyring;
 /// Connect to localhost:8007 as root@pam
 ///
 /// This automatically creates a ticket if run as 'root' user.
 pub fn connect_to_localhost() -> Result {
 let options = if nix::unistd::Uid::current().is_root() {
- let ticket = Ticket::new("PBS", Userid::root_userid())?.sign(auth_keyring(), None)?;
+ let ticket =
+ Ticket::new("PBS", Userid::root_userid())?.sign(private_auth_keyring(), None)?;
 let fingerprint = crate::cert_info()?.fingerprint()?;
 HttpClientOptions::new_non_interactive(ticket, Some(fingerprint))
 } else {
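Review bot: `private_auth_keyring()` and `public_auth_keyring()` in the `@@ -241,15 +245,16 @@` hunk of src/auth.rs carry no doc comments, and unlike the removed `auth_keyring()` they no longer fail with `setup_auth_context not called`, so each caller now chooses the key material itself. The doc comments should spell out the rule that keeps verification paths away from the private key: `/// Keyring holding the private auth key; use only where a ticket is *signed*.` on the first and `/// Keyring holding only the public auth key; sufficient for *verifying* tickets.` on the second. The same rule is what the renamed call sites in src/api2/node/mod.rs follow, where `termproxy` signs with the private keyring and `upgrade_to_websocket` verifies with the public one, so stating it once at the helpers makes future call sites easy to review.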