config: use new dedicated PAM and PBS realm types

Currently, the built-in PAM and PBS authentication realms are (hackily) hardcoded. Replace that with the new, proper API types for these two realms, thus treating them like any other authentication realm. Signed-off-by: Christoph Heiss <c.heiss@proxmox.com> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com> Tested-by: Lukas Wagner <l.wagner@proxmox.com>
2025-04-28 18:12:55 +00:00 · 2025-03-21 14:45:35 +01:00 · 2025-03-21 14:45:35 +01:00 · a738d2bcc9
commit a738d2bcc9
parent 234de23a50
4 changed files with 45 additions and 15 deletions
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@ -8,17 +8,34 @@ use proxmox_schema::{ApiType, ObjectSchema};
 use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};

 use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
-use pbs_api_types::{AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, REALM_ID_SCHEMA};
+use pbs_api_types::{
+    AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, PamRealmConfig, PbsRealmConfig,
+    REALM_ID_SCHEMA,
+};

 pub static CONFIG: LazyLock<SectionConfig> = LazyLock::new(init);

 fn init() -> SectionConfig {
+    const PAM_SCHEMA: &ObjectSchema = PamRealmConfig::API_SCHEMA.unwrap_object_schema();
+    const PBS_SCHEMA: &ObjectSchema = PbsRealmConfig::API_SCHEMA.unwrap_object_schema();
    const AD_SCHEMA: &ObjectSchema = AdRealmConfig::API_SCHEMA.unwrap_object_schema();
    const LDAP_SCHEMA: &ObjectSchema = LdapRealmConfig::API_SCHEMA.unwrap_object_schema();
    const OPENID_SCHEMA: &ObjectSchema = OpenIdRealmConfig::API_SCHEMA.unwrap_object_schema();

    let mut config = SectionConfig::new(&REALM_ID_SCHEMA);

+    config.register_plugin(SectionConfigPlugin::new(
+        "pam".to_owned(),
+        Some("realm".to_owned()),
+        PAM_SCHEMA,
+    ));
+
+    config.register_plugin(SectionConfigPlugin::new(
+        "pbs".to_owned(),
+        Some("realm".to_owned()),
+        PBS_SCHEMA,
+    ));
+
    let plugin = SectionConfigPlugin::new(
        "openid".to_string(),
        Some(String::from("realm")),
@ -78,7 +95,7 @@ pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error>

 /// Check if a realm with the given name exists
 pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
-    realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
+    domains.sections.contains_key(realm)
 }

 // shell completion helper
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@ -29,19 +29,6 @@ use crate::server::jobstate::Job;
 /// Authentication domain/realm index.
 fn list_domains(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInfo>, Error> {
    let mut list = Vec::new();
-
-    list.push(serde_json::from_value(json!({
-        "realm": "pam",
-        "type": "pam",
-        "comment": "Linux PAM standard authentication",
-        "default": Some(true),
-    }))?);
-    list.push(serde_json::from_value(json!({
-        "realm": "pbs",
-        "type": "pbs",
-        "comment": "Proxmox Backup authentication server",
-    }))?);
-
    let (config, digest) = pbs_config::domains::config()?;

    for (_, (section_type, v)) in config.sections.iter() {
--- a/src/bin/proxmox-backup-api.rs
+++ b/src/bin/proxmox-backup-api.rs
@ -48,6 +48,7 @@ async fn run() -> Result<(), Error> {
    config::create_configdir()?;

    config::update_self_signed_cert(false)?;
+    config::update_default_realms()?;

    proxmox_backup::server::create_run_dir()?;
    proxmox_backup::server::create_state_dir()?;
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@ -12,6 +12,7 @@ use std::path::Path;

 use proxmox_lang::try_block;

+use pbs_api_types::{PamRealmConfig, PbsRealmConfig};
 use pbs_buildcfg::{self, configdir};

 pub mod acme;
@ -194,3 +195,27 @@ pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(

    Ok(())
 }
+
+pub fn update_default_realms() -> Result<(), Error> {
+    let _lock = pbs_config::domains::lock_config()?;
+    let (mut domains, _) = pbs_config::domains::config()?;
+
+    if !pbs_config::domains::exists(&domains, "pam") {
+        domains.set_data(
+            "pam",
+            "pam",
+            PamRealmConfig {
+                // Setting it as default here is safe, because if we perform this
+                // migration, the user had not had any chance to set a custom default anyway.
+                default: Some(true),
+                ..Default::default()
+            },
+        )?;
+    }
+
+    if !pbs_config::domains::exists(&domains, "pbs") {
+        domains.set_data("pbs", "pbs", PbsRealmConfig::default())?;
+    }
+
+    pbs_config::domains::save_config(&domains)
+}