proxmox-mirrors/proxmox-backup
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox-backup synced 2025-04-29 19:08:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix #4382: api: access: remove permissions of token on deletion

Browse Source 
... and move token deletion into new `do_delete_token` function.
Since it'll be resued later on user deletion.

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
This commit is contained in:
Hannes Laimer 2025-04-04 17:32:07 +02:00 committed by Thomas Lamprecht
parent 17f183c40b
commit d93d7a8299
1 changed files with 21 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/api2/access/user.rs
View File

@ -8,6 +8,7 @@ use std::collections::HashMap;
use proxmox_router::{ApiMethod, Permission, Router, RpcEnvironment, SubdirMap}; use proxmox_router::{ApiMethod, Permission, Router, RpcEnvironment, SubdirMap};
use proxmox_schema::api; use proxmox_schema::api;
use proxmox_section_config::SectionConfigData;
use proxmox_tfa::api::TfaConfig; use proxmox_tfa::api::TfaConfig;
use pbs_api_types::{ use pbs_api_types::{
@ -15,9 +16,7 @@ use pbs_api_types::{
EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY,
PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA, PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA,
}; };
use pbs_config::token_shadow; use pbs_config::{acl::AclTree, token_shadow, CachedUserInfo};
use pbs_config::CachedUserInfo;
fn new_user_with_tokens(user: User, tfa: &TfaConfig) -> UserWithTokens { fn new_user_with_tokens(user: User, tfa: &TfaConfig) -> UserWithTokens {
UserWithTokens { UserWithTokens {
@ -651,29 +650,41 @@ pub fn delete_token(
token_name: Tokenname, token_name: Tokenname,
digest: Option<String>, digest: Option<String>,
) -> Result<(), Error> { ) -> Result<(), Error> {
let _lock = pbs_config::user::lock_config()?; let _acl_lock = pbs_config::acl::lock_config()?;
let _user_lock = pbs_config::user::lock_config()?;
let (mut config, expected_digest) = pbs_config::user::config()?; let (mut user_config, expected_digest) = pbs_config::user::config()?;
if let Some(ref digest) = digest { if let Some(ref digest) = digest {
let digest = <[u8; 32]>::from_hex(digest)?; let digest = <[u8; 32]>::from_hex(digest)?;
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?; crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
} }
let (mut acl_config, _digest) = pbs_config::acl::config()?;
do_delete_token(token_name, &userid, &mut user_config, &mut acl_config)?;
pbs_config::user::save_config(&user_config)?;
pbs_config::acl::save_config(&acl_config)?;
Ok(())
}
fn do_delete_token(
token_name: Tokenname,
userid: &Userid,
user_config: &mut SectionConfigData,
acl_config: &mut AclTree,
) -> Result<(), Error> {
let tokenid = Authid::from((userid.clone(), Some(token_name.clone()))); let tokenid = Authid::from((userid.clone(), Some(token_name.clone())));
let tokenid_string = tokenid.to_string(); let tokenid_string = tokenid.to_string();
if user_config.sections.remove(&tokenid_string).is_none() {
if config.sections.remove(&tokenid_string).is_none() {
bail!( bail!(
"token '{}' of user '{}' does not exist.", "token '{}' of user '{}' does not exist.",
token_name.as_str(), token_name.as_str(),
userid userid
); );
} }
token_shadow::delete_secret(&tokenid)?; token_shadow::delete_secret(&tokenid)?;
acl_config.delete_authid(&tokenid);
pbs_config::user::save_config(&config)?;
Ok(()) Ok(())
} }