proxmox-mirrors/proxmox-backup
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox-backup synced 2025-08-10 03:48:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix #3887: api: access: allow secret regeneration

Browse Source 
... through the token PUT endpoint by adding a new `regenerate` bool
parameter.

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
This commit is contained in:
Hannes Laimer 2025-04-04 17:32:09 +02:00 committed by Thomas Lamprecht
parent 6f9c16d5d4
commit f41a233a8e
1 changed files with 29 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/api2/access/user.rs
View File

@ -14,7 +14,8 @@ use proxmox_tfa::api::TfaConfig;
use pbs_api_types::{ use pbs_api_types::{
ApiToken, Authid, Tokenname, User, UserUpdater, UserWithTokens, Userid, ENABLE_USER_SCHEMA, ApiToken, Authid, Tokenname, User, UserUpdater, UserWithTokens, Userid, ENABLE_USER_SCHEMA,
EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, EXPIRE_USER_SCHEMA, PASSWORD_FORMAT, PBS_PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY,
PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA, PRIV_SYS_AUDIT, PROXMOX_CONFIG_DIGEST_SCHEMA, REGENERATE_TOKEN_SCHEMA,
SINGLE_LINE_COMMENT_SCHEMA,
}; };
use pbs_config::{acl::AclTree, token_shadow, CachedUserInfo}; use pbs_config::{acl::AclTree, token_shadow, CachedUserInfo};
@ -561,6 +562,10 @@ pub enum DeletableTokenProperty {
schema: EXPIRE_USER_SCHEMA, schema: EXPIRE_USER_SCHEMA,
optional: true, optional: true,
}, },
regenerate: {
schema: REGENERATE_TOKEN_SCHEMA,
optional: true,
},
delete: { delete: {
description: "List of properties to delete.", description: "List of properties to delete.",
type: Array, type: Array,
@ -574,6 +579,16 @@ pub enum DeletableTokenProperty {
schema: PROXMOX_CONFIG_DIGEST_SCHEMA, schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
}, },
}, },
},
returns: {
description: "Regenerated secret, if regenerate is set.",
properties: {
secret: {
type: String,
optional: true,
description: "The new API token secret",
},
},
}, },
access: { access: {
permission: &Permission::Or(&[ permission: &Permission::Or(&[
@ -589,9 +604,10 @@ pub fn update_token(
comment: Option<String>, comment: Option<String>,
enable: Option<bool>, enable: Option<bool>,
expire: Option<i64>, expire: Option<i64>,
regenerate: Option<bool>,
delete: Option<Vec<DeletableTokenProperty>>, delete: Option<Vec<DeletableTokenProperty>>,
digest: Option<String>, digest: Option<String>,
) -> Result<(), Error> { ) -> Result<Value, Error> {
let _lock = pbs_config::user::lock_config()?; let _lock = pbs_config::user::lock_config()?;
let (mut config, expected_digest) = pbs_config::user::config()?; let (mut config, expected_digest) = pbs_config::user::config()?;
@ -631,11 +647,21 @@ pub fn update_token(
data.expire = if expire > 0 { Some(expire) } else { None }; data.expire = if expire > 0 { Some(expire) } else { None };
} }
let new_secret = if regenerate.unwrap_or_default() {
Some(token_shadow::generate_and_set_secret(&tokenid)?)
} else {
None
};
config.set_data(&tokenid_string, "token", &data)?; config.set_data(&tokenid_string, "token", &data)?;
pbs_config::user::save_config(&config)?; pbs_config::user::save_config(&config)?;
Ok(()) if let Some(secret) = new_secret {
Ok(json!({"secret": secret}))
} else {
Ok(Value::Null)
}
} }
#[api( #[api(