proxmox-mirrors/proxmox-backup
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox-backup synced 2025-06-16 10:32:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

provide separate helpers for pub/priv auth keyring access

Browse Source 
This used to be the case before the switch to the auth api
crate and is required for some helpers where we don't want
to have to setup the complete auth context.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2023-03-29 14:37:20 +02:00
parent 6477df8f89
commit 569324cb95
4 changed files with 23 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/api2/access/openid.rs
View File

@ -21,7 +21,7 @@ use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
use pbs_config::open_backup_lockfile; use pbs_config::open_backup_lockfile;
use pbs_config::CachedUserInfo; use pbs_config::CachedUserInfo;
use crate::auth::auth_keyring; use crate::auth::private_auth_keyring;
use crate::auth_helpers::*; use crate::auth_helpers::*;
fn openid_authenticator( fn openid_authenticator(
@ -200,7 +200,7 @@ pub fn openid_login(
} }
let api_ticket = ApiTicket::Full(user_id.clone()); let api_ticket = ApiTicket::Full(user_id.clone());
let ticket = Ticket::new("PBS", &api_ticket)?.sign(auth_keyring(), None)?; let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_keyring(), None)?;
let token = assemble_csrf_prevention_token(csrf_secret(), &user_id); let token = assemble_csrf_prevention_token(csrf_secret(), &user_id);
env.log_auth(user_id.as_str()); env.log_auth(user_id.as_str());

6
src/api2/node/mod.rs
View File

@ -26,7 +26,7 @@ use proxmox_sys::fd::fd_change_cloexec;
use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_CONSOLE}; use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_CONSOLE};
use crate::auth::auth_keyring; use crate::auth::{private_auth_keyring, public_auth_keyring};
use crate::tools; use crate::tools;
pub mod apt; pub mod apt;
@ -119,7 +119,7 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
let port = listener.local_addr()?.port(); let port = listener.local_addr()?.port();
let ticket = Ticket::new(crate::auth::TERM_PREFIX, &Empty)?.sign( let ticket = Ticket::new(crate::auth::TERM_PREFIX, &Empty)?.sign(
auth_keyring(), private_auth_keyring(),
Some(&tools::ticket::term_aad(userid, path, port)), Some(&tools::ticket::term_aad(userid, path, port)),
)?; )?;
@ -290,7 +290,7 @@ fn upgrade_to_websocket(
// will be checked again by termproxy // will be checked again by termproxy
Ticket::<Empty>::parse(ticket)?.verify( Ticket::<Empty>::parse(ticket)?.verify(
auth_keyring(), public_auth_keyring(),
crate::auth::TERM_PREFIX, crate::auth::TERM_PREFIX,
Some(&tools::ticket::term_aad(userid, "/system", port)), Some(&tools::ticket::term_aad(userid, "/system", port)),
)?; )?;

25
src/auth.rs
View File

@ -7,7 +7,7 @@ use std::pin::Pin;
use anyhow::{bail, Error}; use anyhow::{bail, Error};
use futures::Future; use futures::Future;
use once_cell::sync::OnceCell; use once_cell::sync::{Lazy, OnceCell};
use proxmox_router::http_bail; use proxmox_router::http_bail;
use serde_json::json; use serde_json::json;
@ -221,13 +221,17 @@ pub(crate) fn authenticate_user<'a>(
}) })
} }
static PRIVATE_KEYRING: Lazy<Keyring> =
Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
static PUBLIC_KEYRING: Lazy<Keyring> =
Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
static AUTH_CONTEXT: OnceCell<PbsAuthContext> = OnceCell::new(); static AUTH_CONTEXT: OnceCell<PbsAuthContext> = OnceCell::new();
pub fn setup_auth_context(use_private_key: bool) { pub fn setup_auth_context(use_private_key: bool) {
let keyring = if use_private_key { let keyring = if use_private_key {
Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()) &*PRIVATE_KEYRING
} else { } else {
Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()) &*PUBLIC_KEYRING
}; };
AUTH_CONTEXT AUTH_CONTEXT
@ -241,15 +245,16 @@ pub fn setup_auth_context(use_private_key: bool) {
proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap()); proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
} }
pub(crate) fn auth_keyring() -> &'static Keyring { pub(crate) fn private_auth_keyring() -> &'static Keyring {
&AUTH_CONTEXT &*PRIVATE_KEYRING
.get() }
.expect("setup_auth_context not called")
.keyring pub(crate) fn public_auth_keyring() -> &'static Keyring {
&*PUBLIC_KEYRING
} }
struct PbsAuthContext { struct PbsAuthContext {
keyring: Keyring, keyring: &'static Keyring,
csrf_secret: Vec<u8>, csrf_secret: Vec<u8>,
} }
@ -260,7 +265,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
/// Get the current authentication keyring. /// Get the current authentication keyring.
fn keyring(&self) -> &Keyring { fn keyring(&self) -> &Keyring {
&self.keyring self.keyring
} }
/// The auth prefix without the separating colon. Eg. `"PBS"`. /// The auth prefix without the separating colon. Eg. `"PBS"`.

5
src/client_helpers.rs
View File

@ -5,14 +5,15 @@ use pbs_client::{HttpClient, HttpClientOptions};
use proxmox_auth_api::ticket::Ticket; use proxmox_auth_api::ticket::Ticket;
use crate::auth::auth_keyring; use crate::auth::private_auth_keyring;
/// Connect to localhost:8007 as root@pam /// Connect to localhost:8007 as root@pam
/// ///
/// This automatically creates a ticket if run as 'root' user. /// This automatically creates a ticket if run as 'root' user.
pub fn connect_to_localhost() -> Result<pbs_client::HttpClient, Error> { pub fn connect_to_localhost() -> Result<pbs_client::HttpClient, Error> {
let options = if nix::unistd::Uid::current().is_root() { let options = if nix::unistd::Uid::current().is_root() {
let ticket = Ticket::new("PBS", Userid::root_userid())?.sign(auth_keyring(), None)?; let ticket =
Ticket::new("PBS", Userid::root_userid())?.sign(private_auth_keyring(), None)?;
let fingerprint = crate::cert_info()?.fingerprint()?; let fingerprint = crate::cert_info()?.fingerprint()?;
HttpClientOptions::new_non_interactive(ticket, Some(fingerprint)) HttpClientOptions::new_non_interactive(ticket, Some(fingerprint))
} else { } else {