proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-08-15 10:08:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

rest-server: drop Router from ApiConfig

Browse Source 
instead, allow attaching routers to path prefixes and also
add an optional non-formatting router

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2023-01-24 14:54:32 +01:00
parent 258e2399a6
commit 4a5360aef4
6 changed files with 518 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
proxmox-rest-server/src/api_config.rs
View File

@ -5,22 +5,23 @@ use std::sync::{Arc, Mutex};
use anyhow::{format_err, Error}; use anyhow::{format_err, Error};
use hyper::http::request::Parts; use hyper::http::request::Parts;
use hyper::{Body, Method, Response}; use hyper::{Body, Response};
use proxmox_router::{ApiMethod, Router, RpcEnvironmentType, UserInformation}; use proxmox_router::{Router, RpcEnvironmentType, UserInformation};
use proxmox_sys::fs::{create_path, CreateOptions}; use proxmox_sys::fs::{create_path, CreateOptions};
use crate::rest::Handler;
use crate::{AuthError, CommandSocket, FileLogOptions, FileLogger, RestEnvironment, ServerAdapter}; use crate::{AuthError, CommandSocket, FileLogOptions, FileLogger, RestEnvironment, ServerAdapter};
/// REST server configuration /// REST server configuration
pub struct ApiConfig { pub struct ApiConfig {
basedir: PathBuf, basedir: PathBuf,
router: &'static Router,
aliases: HashMap<String, PathBuf>, aliases: HashMap<String, PathBuf>,
env_type: RpcEnvironmentType, env_type: RpcEnvironmentType,
request_log: Option<Arc<Mutex<FileLogger>>>, request_log: Option<Arc<Mutex<FileLogger>>>,
auth_log: Option<Arc<Mutex<FileLogger>>>, auth_log: Option<Arc<Mutex<FileLogger>>>,
adapter: Pin<Box<dyn ServerAdapter + Send + Sync>>, adapter: Pin<Box<dyn ServerAdapter + Send + Sync>>,
handlers: Vec<Handler>,
#[cfg(feature = "templates")] #[cfg(feature = "templates")]
templates: templates::Templates, templates: templates::Templates,
@ -31,8 +32,6 @@ impl ApiConfig {
/// ///
/// `basedir` - File lookups are relative to this directory. /// `basedir` - File lookups are relative to this directory.
/// ///
/// `router` - The REST API definition.
///
/// `env_type` - The environment type. /// `env_type` - The environment type.
/// ///
/// `api_auth` - The Authentication handler /// `api_auth` - The Authentication handler
@ -43,18 +42,17 @@ impl ApiConfig {
/// ([render_template](Self::render_template) to generate pages. /// ([render_template](Self::render_template) to generate pages.
pub fn new<B: Into<PathBuf>>( pub fn new<B: Into<PathBuf>>(
basedir: B, basedir: B,
router: &'static Router,
env_type: RpcEnvironmentType, env_type: RpcEnvironmentType,
adapter: impl ServerAdapter + 'static, adapter: impl ServerAdapter + 'static,
) -> Self { ) -> Self {
Self { Self {
basedir: basedir.into(), basedir: basedir.into(),
router,
aliases: HashMap::new(), aliases: HashMap::new(),
env_type, env_type,
request_log: None, request_log: None,
auth_log: None, auth_log: None,
adapter: Box::pin(adapter), adapter: Box::pin(adapter),
handlers: Vec::new(),
#[cfg(feature = "templates")] #[cfg(feature = "templates")]
templates: Default::default(), templates: Default::default(),
@ -77,15 +75,6 @@ impl ApiConfig {
self.adapter.check_auth(headers, method).await self.adapter.check_auth(headers, method).await
} }
pub(crate) fn find_method(
&self,
components: &[&str],
method: Method,
uri_param: &mut HashMap<String, String>,
) -> Option<&'static ApiMethod> {
self.router.find_method(components, method, uri_param)
}
pub(crate) fn find_alias(&self, mut components: &[&str]) -> PathBuf { pub(crate) fn find_alias(&self, mut components: &[&str]) -> PathBuf {
let mut filename = self.basedir.clone(); let mut filename = self.basedir.clone();
if components.is_empty() { if components.is_empty() {
@ -233,6 +222,37 @@ impl ApiConfig {
pub(crate) fn get_auth_log(&self) -> Option<&Arc<Mutex<FileLogger>>> { pub(crate) fn get_auth_log(&self) -> Option<&Arc<Mutex<FileLogger>>> {
self.auth_log.as_ref() self.auth_log.as_ref()
} }
pub(crate) fn find_handler<'a>(&'a self, path_components: &[&str]) -> Option<&'a Handler> {
self.handlers
.iter()
.find(|handler| path_components.strip_prefix(handler.prefix).is_some())
}
pub fn add_default_api2_handler(&mut self, router: &'static Router) -> &mut Self {
self.handlers.push(Handler::default_api2_handler(router));
self
}
pub fn add_formatted_router(
&mut self,
prefix: &'static [&'static str],
router: &'static Router,
) -> &mut Self {
self.handlers
.push(Handler::formatted_router(prefix, router));
self
}
pub fn add_unformatted_router(
&mut self,
prefix: &'static [&'static str],
router: &'static Router,
) -> &mut Self {
self.handlers
.push(Handler::unformatted_router(prefix, router));
self
}
} }
#[cfg(feature = "templates")] #[cfg(feature = "templates")]

2
proxmox-rest-server/src/environment.rs
View File

@ -9,7 +9,7 @@ use crate::ApiConfig;
/// Encapsulates information about the runtime environment /// Encapsulates information about the runtime environment
pub struct RestEnvironment { pub struct RestEnvironment {
env_type: RpcEnvironmentType, pub(crate) env_type: RpcEnvironmentType,
result_attributes: Value, result_attributes: Value,
auth_id: Option<String>, auth_id: Option<String>,
client_ip: Option<SocketAddr>, client_ip: Option<SocketAddr>,

6
proxmox-rest-server/src/formatter.rs
View File

@ -133,6 +133,11 @@ impl OutputFormatter for JsonFormatter {
} }
fn format_error(&self, err: Error) -> Response<Body> { fn format_error(&self, err: Error) -> Response<Body> {
error_to_response(err)
}
}
pub(crate) fn error_to_response(err: Error) -> Response<Body> {
let mut response = if let Some(apierr) = err.downcast_ref::<HttpError>() { let mut response = if let Some(apierr) = err.downcast_ref::<HttpError>() {
let mut resp = Response::new(Body::from(apierr.message.clone())); let mut resp = Response::new(Body::from(apierr.message.clone()));
*resp.status_mut() = apierr.code; *resp.status_mut() = apierr.code;
@ -153,7 +158,6 @@ impl OutputFormatter for JsonFormatter {
.insert(ErrorMessageExtension(err.to_string())); .insert(ErrorMessageExtension(err.to_string()));
response response
}
} }
/// Format data as ExtJS compatible ``application/json`` /// Format data as ExtJS compatible ``application/json``

4
proxmox-rest-server/src/h2service.rs
View File

@ -12,7 +12,7 @@ use proxmox_router::http_err;
use proxmox_router::{ApiResponseFuture, HttpError, Router, RpcEnvironment}; use proxmox_router::{ApiResponseFuture, HttpError, Router, RpcEnvironment};
use crate::formatter::*; use crate::formatter::*;
use crate::{normalize_uri_path, WorkerTask}; use crate::{normalize_path_with_components, WorkerTask};
/// Hyper Service implementation to handle stateful H2 connections. /// Hyper Service implementation to handle stateful H2 connections.
/// ///
@ -47,7 +47,7 @@ impl<E: RpcEnvironment + Clone> H2Service<E> {
let method = parts.method.clone(); let method = parts.method.clone();
let (path, components) = match normalize_uri_path(parts.uri.path()) { let (path, components) = match normalize_path_with_components(parts.uri.path()) {
Ok((p, c)) => (p, c), Ok((p, c)) => (p, c),
Err(err) => return future::err(http_err!(BAD_REQUEST, "{}", err)).boxed(), Err(err) => return future::err(http_err!(BAD_REQUEST, "{}", err)).boxed(),
}; };

37
proxmox-rest-server/src/lib.rs
View File

@ -15,6 +15,7 @@
//! - worker task management //! - worker task management
//! * generic interface to authenticate user //! * generic interface to authenticate user
use std::fmt;
use std::future::Future; use std::future::Future;
use std::os::unix::io::{FromRawFd, OwnedFd}; use std::os::unix::io::{FromRawFd, OwnedFd};
use std::pin::Pin; use std::pin::Pin;
@ -222,7 +223,9 @@ pub fn cookie_from_header(headers: &http::HeaderMap, cookie_name: &str) -> Optio
/// ///
/// Do not allow ".", "..", or hidden files ".XXXX" /// Do not allow ".", "..", or hidden files ".XXXX"
/// Also remove empty path components /// Also remove empty path components
pub fn normalize_uri_path(path: &str) -> Result<(String, Vec<&str>), Error> { pub fn normalize_path_with_components(
path: &str,
) -> Result<(String, Vec<&str>), IllegalPathComponents> {
let items = path.split('/'); let items = path.split('/');
let mut path = String::new(); let mut path = String::new();
@ -233,7 +236,7 @@ pub fn normalize_uri_path(path: &str) -> Result<(String, Vec<&str>), Error> {
continue; continue;
} }
if name.starts_with('.') { if name.starts_with('.') {
bail!("Path contains illegal components."); return Err(IllegalPathComponents);
} }
path.push('/'); path.push('/');
path.push_str(name); path.push_str(name);
@ -242,3 +245,33 @@ pub fn normalize_uri_path(path: &str) -> Result<(String, Vec<&str>), Error> {
Ok((path, components)) Ok((path, components))
} }
#[derive(Debug)]
pub struct IllegalPathComponents;
impl std::error::Error for IllegalPathComponents {}
impl fmt::Display for IllegalPathComponents {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
f.write_str("path contains illegal components")
}
}
/// Normalize a uri path by stripping empty components.
/// Components starting with a '.' are illegal.
pub fn normalize_path(path: &str) -> Result<String, IllegalPathComponents> {
let mut output = String::with_capacity(path.len());
for item in path.split('/') {
if item.is_empty() {
continue;
}
if item.starts_with('.') {
return Err(IllegalPathComponents);
}
output.push('/');
output.push_str(item);
}
Ok(output)
}

396
proxmox-rest-server/src/rest.rs
View File

@ -1,6 +1,7 @@
use std::collections::HashMap; use std::collections::HashMap;
use std::future::Future; use std::future::Future;
use std::hash::BuildHasher; use std::hash::BuildHasher;
use std::io;
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
use std::pin::Pin; use std::pin::Pin;
use std::sync::{Arc, Mutex}; use std::sync::{Arc, Mutex};
@ -32,7 +33,7 @@ use proxmox_async::stream::AsyncReaderStream;
use proxmox_compression::{DeflateEncoder, Level}; use proxmox_compression::{DeflateEncoder, Level};
use crate::{ use crate::{
formatter::*, normalize_uri_path, ApiConfig, AuthError, CompressionMethod, FileLogger, formatter::*, normalize_path, ApiConfig, AuthError, CompressionMethod, FileLogger,
RestEnvironment, RestEnvironment,
}; };
@ -42,7 +43,7 @@ extern "C" {
struct AuthStringExtension(String); struct AuthStringExtension(String);
struct EmptyUserInformation {} pub(crate) struct EmptyUserInformation {}
impl UserInformation for EmptyUserInformation { impl UserInformation for EmptyUserInformation {
fn is_superuser(&self, _userid: &str) -> bool { fn is_superuser(&self, _userid: &str) -> bool {
@ -90,7 +91,7 @@ impl<T: PeerAddress> Service<&T> for RestServer {
Err(err) => Err(format_err!("unable to get peer address - {}", err)), Err(err) => Err(format_err!("unable to get peer address - {}", err)),
Ok(peer) => Ok(ApiService { Ok(peer) => Ok(ApiService {
peer, peer,
api_config: self.api_config.clone(), api_config: Arc::clone(&self.api_config),
}), }),
}) })
} }
@ -387,6 +388,14 @@ async fn proxy_protected_request(
Ok(resp) Ok(resp)
} }
fn delay_unauth_time() -> std::time::Instant {
std::time::Instant::now() + std::time::Duration::from_millis(3000)
}
fn access_forbidden_time() -> std::time::Instant {
std::time::Instant::now() + std::time::Duration::from_millis(500)
}
pub(crate) async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHasher + Send>( pub(crate) async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHasher + Send>(
mut rpcenv: Env, mut rpcenv: Env,
info: &'static ApiMethod, info: &'static ApiMethod,
@ -395,7 +404,6 @@ pub(crate) async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHa
req_body: Body, req_body: Body,
uri_param: HashMap<String, String, S>, uri_param: HashMap<String, String, S>,
) -> Result<Response<Body>, Error> { ) -> Result<Response<Body>, Error> {
let delay_unauth_time = std::time::Instant::now() + std::time::Duration::from_millis(3000);
let compression = extract_compression_method(&parts.headers); let compression = extract_compression_method(&parts.headers);
let result = match info.handler { let result = match info.handler {
@ -438,7 +446,7 @@ pub(crate) async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHa
Err(err) => { Err(err) => {
if let Some(httperr) = err.downcast_ref::<HttpError>() { if let Some(httperr) = err.downcast_ref::<HttpError>() {
if httperr.code == StatusCode::UNAUTHORIZED { if httperr.code == StatusCode::UNAUTHORIZED {
tokio::time::sleep_until(Instant::from_std(delay_unauth_time)).await; tokio::time::sleep_until(Instant::from_std(delay_unauth_time())).await;
} }
} }
formatter.format_error(err) formatter.format_error(err)
@ -472,6 +480,100 @@ pub(crate) async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHa
Ok(resp) Ok(resp)
} }
async fn handle_unformatted_api_request<Env: RpcEnvironment, S: 'static + BuildHasher + Send>(
mut rpcenv: Env,
info: &'static ApiMethod,
parts: Parts,
req_body: Body,
uri_param: HashMap<String, String, S>,
) -> Result<Response<Body>, Error> {
let compression = extract_compression_method(&parts.headers);
fn to_json_response<Env: RpcEnvironment>(
value: Value,
env: &Env,
) -> Result<Response<Body>, Error> {
if let Some(attr) = env.result_attrib().as_object() {
if !attr.is_empty() {
http_bail!(
INTERNAL_SERVER_ERROR,
"result attributes are no longer supported"
);
}
}
let value = serde_json::to_string(&value)?;
Ok(Response::builder().status(200).body(value.into())?)
}
let result = match info.handler {
ApiHandler::AsyncHttp(handler) => {
let params = parse_query_parameters(info.parameters, "", &parts, &uri_param)?;
(handler)(parts, req_body, params, info, Box::new(rpcenv)).await
}
ApiHandler::Sync(handler) => {
let params =
get_request_parameters(info.parameters, parts, req_body, uri_param).await?;
(handler)(params, info, &mut rpcenv).and_then(|v| to_json_response(v, &rpcenv))
}
ApiHandler::Async(handler) => {
let params =
get_request_parameters(info.parameters, parts, req_body, uri_param).await?;
(handler)(params, info, &mut rpcenv)
.await
.and_then(|v| to_json_response(v, &rpcenv))
}
ApiHandler::StreamingSync(_) => http_bail!(
INTERNAL_SERVER_ERROR,
"old-style streaming calls not supported"
),
ApiHandler::StreamingAsync(_) => http_bail!(
INTERNAL_SERVER_ERROR,
"old-style streaming calls not supported"
),
_ => {
bail!("Unknown API handler type");
}
};
let mut resp = match result {
Ok(resp) => resp,
Err(err) => {
if let Some(httperr) = err.downcast_ref::<HttpError>() {
if httperr.code == StatusCode::UNAUTHORIZED {
tokio::time::sleep_until(Instant::from_std(delay_unauth_time())).await;
}
}
return Err(err);
}
};
let resp = match compression {
Some(CompressionMethod::Deflate) => {
resp.headers_mut().insert(
header::CONTENT_ENCODING,
CompressionMethod::Deflate.content_encoding(),
);
resp.map(|body| {
Body::wrap_stream(DeflateEncoder::with_quality(
TryStreamExt::map_err(body, |err| {
proxmox_lang::io_format_err!("error during compression: {}", err)
}),
Level::Default,
))
})
}
None => resp,
};
if info.reload_timezone {
unsafe {
tzset();
}
}
Ok(resp)
}
fn extension_to_content_type(filename: &Path) -> (&'static str, bool) { fn extension_to_content_type(filename: &Path) -> (&'static str, bool) {
if let Some(ext) = filename.extension().and_then(|osstr| osstr.to_str()) { if let Some(ext) = filename.extension().and_then(|osstr| osstr.to_str()) {
return match ext { return match ext {
@ -575,9 +677,13 @@ async fn handle_static_file_download(
filename: PathBuf, filename: PathBuf,
compression: Option<CompressionMethod>, compression: Option<CompressionMethod>,
) -> Result<Response<Body>, Error> { ) -> Result<Response<Body>, Error> {
let metadata = tokio::fs::metadata(filename.clone()) let metadata = match tokio::fs::metadata(filename.clone()).await {
.map_err(|err| http_err!(BAD_REQUEST, "File access problems: {}", err)) Ok(metadata) => metadata,
.await?; Err(err) if err.kind() == io::ErrorKind::NotFound => {
http_bail!(NOT_FOUND, "no such file: {filename:?}")
}
Err(err) => http_bail!(BAD_REQUEST, "File access problems: {}", err),
};
let (content_type, nocomp) = extension_to_content_type(&filename); let (content_type, nocomp) = extension_to_content_type(&filename);
let compression = if nocomp { None } else { compression }; let compression = if nocomp { None } else { compression };
@ -609,9 +715,8 @@ impl ApiConfig {
) -> Result<Response<Body>, Error> { ) -> Result<Response<Body>, Error> {
let (parts, body) = req.into_parts(); let (parts, body) = req.into_parts();
let method = parts.method.clone(); let method = parts.method.clone();
let (path, components) = normalize_uri_path(parts.uri.path())?; let path = normalize_path(parts.uri.path())?;
let components: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
let comp_len = components.len();
let query = parts.uri.query().unwrap_or_default(); let query = parts.uri.query().unwrap_or_default();
if path.len() + query.len() > MAX_URI_QUERY_LENGTH { if path.len() + query.len() > MAX_URI_QUERY_LENGTH {
@ -626,13 +731,126 @@ impl ApiConfig {
rpcenv.set_client_ip(Some(*peer)); rpcenv.set_client_ip(Some(*peer));
let delay_unauth_time = std::time::Instant::now() + std::time::Duration::from_millis(3000); if let Some(handler) = self.find_handler(&components) {
let access_forbidden_time = let relative_path_components = &components[handler.prefix.len()..];
std::time::Instant::now() + std::time::Duration::from_millis(500); return handler
.handle_request(ApiRequestData {
parts,
body,
peer,
config: &self,
full_path: &path,
relative_path_components,
rpcenv,
})
.await;
}
if comp_len >= 1 && components[0] == "api2" { if method != hyper::Method::GET {
if comp_len >= 2 { http_bail!(BAD_REQUEST, "invalid http method for path");
let format = components[1]; }
if components.is_empty() {
match self.check_auth(&parts.headers, &method).await {
Ok((auth_id, _user_info)) => {
rpcenv.set_auth_id(Some(auth_id));
return Ok(self.get_index(rpcenv, parts).await);
}
Err(AuthError::Generic(_)) => {
tokio::time::sleep_until(Instant::from_std(delay_unauth_time())).await;
}
Err(AuthError::NoData) => {}
}
return Ok(self.get_index(rpcenv, parts).await);
} else {
let filename = self.find_alias(&components);
let compression = extract_compression_method(&parts.headers);
return handle_static_file_download(filename, compression).await;
}
}
}
pub(crate) struct Handler {
pub prefix: &'static [&'static str],
action: Action,
}
impl Handler {
async fn handle_request(&self, data: ApiRequestData<'_>) -> Result<Response<Body>, Error> {
self.action.handle_request(data).await
}
pub(crate) fn default_api2_handler(router: &'static proxmox_router::Router) -> Self {
Self::formatted_router(&["api2"], router)
}
pub(crate) fn formatted_router(
prefix: &'static [&'static str],
router: &'static proxmox_router::Router,
) -> Self {
Self {
prefix,
action: Action::Formatted(Formatted { router }),
}
}
pub(crate) fn unformatted_router(
prefix: &'static [&'static str],
router: &'static proxmox_router::Router,
) -> Self {
Self {
prefix,
action: Action::Unformatted(Unformatted { router }),
}
}
}
pub(crate) enum Action {
Formatted(Formatted),
Unformatted(Unformatted),
}
impl Action {
async fn handle_request(&self, data: ApiRequestData<'_>) -> Result<Response<Body>, Error> {
match self {
Action::Formatted(a) => a.handle_request(data).await,
Action::Unformatted(a) => a.handle_request(data).await,
}
}
}
pub struct ApiRequestData<'a> {
parts: Parts,
body: Body,
peer: &'a std::net::SocketAddr,
config: &'a ApiConfig,
full_path: &'a str,
relative_path_components: &'a [&'a str],
rpcenv: RestEnvironment,
}
pub(crate) struct Formatted {
router: &'static proxmox_router::Router,
}
impl Formatted {
pub async fn handle_request(
&self,
ApiRequestData {
parts,
body,
peer,
config,
full_path,
relative_path_components,
mut rpcenv,
}: ApiRequestData<'_>,
) -> Result<Response<Body>, Error> {
if relative_path_components.is_empty() {
http_bail!(NOT_FOUND, "invalid api path '{}'", full_path);
}
let format = relative_path_components[0];
let formatter: &dyn OutputFormatter = match format { let formatter: &dyn OutputFormatter = match format {
"json" => JSON_FORMATTER, "json" => JSON_FORMATTER,
@ -641,7 +859,11 @@ impl ApiConfig {
}; };
let mut uri_param = HashMap::new(); let mut uri_param = HashMap::new();
let api_method = self.find_method(&components[2..], method.clone(), &mut uri_param); let api_method = self.router.find_method(
&relative_path_components[1..],
parts.method.clone(),
&mut uri_param,
);
let mut auth_required = true; let mut auth_required = true;
if let Some(api_method) = api_method { if let Some(api_method) = api_method {
@ -654,7 +876,7 @@ impl ApiConfig {
Box::new(EmptyUserInformation {}); Box::new(EmptyUserInformation {});
if auth_required { if auth_required {
match self.check_auth(&parts.headers, &method).await { match config.check_auth(&parts.headers, &parts.method).await {
Ok((authid, info)) => { Ok((authid, info)) => {
rpcenv.set_auth_id(Some(authid)); rpcenv.set_auth_id(Some(authid));
user_info = info; user_info = info;
@ -671,7 +893,7 @@ impl ApiConfig {
// always delay unauthorized calls by 3 seconds (from start of request) // always delay unauthorized calls by 3 seconds (from start of request)
let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err); let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err);
tokio::time::sleep_until(Instant::from_std(delay_unauth_time)).await; tokio::time::sleep_until(Instant::from_std(delay_unauth_time())).await;
return Ok(formatter.format_error(err)); return Ok(formatter.format_error(err));
} }
} }
@ -679,7 +901,7 @@ impl ApiConfig {
match api_method { match api_method {
None => { None => {
let err = http_err!(NOT_FOUND, "Path '{}' not found.", path); let err = http_err!(NOT_FOUND, "Path '{}' not found.", full_path);
return Ok(formatter.format_error(err)); return Ok(formatter.format_error(err));
} }
Some(api_method) => { Some(api_method) => {
@ -693,19 +915,16 @@ impl ApiConfig {
user_info.as_ref(), user_info.as_ref(),
) { ) {
let err = http_err!(FORBIDDEN, "permission check failed"); let err = http_err!(FORBIDDEN, "permission check failed");
tokio::time::sleep_until(Instant::from_std(access_forbidden_time)) tokio::time::sleep_until(Instant::from_std(access_forbidden_time())).await;
.await;
return Ok(formatter.format_error(err)); return Ok(formatter.format_error(err));
} }
let result = let result = if api_method.protected
if api_method.protected && env_type == RpcEnvironmentType::PUBLIC { && rpcenv.env_type == RpcEnvironmentType::PUBLIC
proxy_protected_request(api_method, parts, body, peer).await {
proxy_protected_request(api_method, parts, body, &peer).await
} else { } else {
handle_api_request( handle_api_request(rpcenv, api_method, formatter, parts, body, uri_param).await
rpcenv, api_method, formatter, parts, body, uri_param,
)
.await
}; };
let mut response = match result { let mut response = match result {
@ -723,32 +942,109 @@ impl ApiConfig {
} }
} }
} }
}
pub(crate) struct Unformatted {
router: &'static proxmox_router::Router,
}
impl Unformatted {
pub async fn handle_request(
&self,
ApiRequestData {
parts,
body,
peer,
config,
full_path,
relative_path_components,
mut rpcenv,
}: ApiRequestData<'_>,
) -> Result<Response<Body>, Error> {
if relative_path_components.is_empty() {
http_bail!(NOT_FOUND, "invalid api path '{}'", full_path);
}
let mut uri_param = HashMap::new();
let api_method = self.router.find_method(
relative_path_components,
parts.method.clone(),
&mut uri_param,
);
let mut auth_required = true;
if let Some(api_method) = api_method {
if let Permission::World = *api_method.access.permission {
auth_required = false; // no auth for endpoints with World permission
}
}
let user_info: Box<dyn UserInformation + Send + Sync>;
if auth_required {
match config.check_auth(&parts.headers, &parts.method).await {
Ok((authid, info)) => {
rpcenv.set_auth_id(Some(authid));
user_info = info;
}
Err(auth_err) => {
let err = match auth_err {
AuthError::Generic(err) => err,
AuthError::NoData => {
format_err!("no authentication credentials provided.")
}
};
// fixme: log Username??
rpcenv.log_failed_auth(None, &err.to_string());
// always delay unauthorized calls by 3 seconds (from start of request)
let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err);
tokio::time::sleep_until(Instant::from_std(delay_unauth_time())).await;
return Err(err);
}
}
} else { } else {
// not Auth required for accessing files! user_info = Box::new(EmptyUserInformation {});
if method != hyper::Method::GET {
http_bail!(BAD_REQUEST, "invalid http method for path");
} }
if comp_len == 0 { match api_method {
match self.check_auth(&parts.headers, &method).await { None => http_bail!(NOT_FOUND, "Path '{}' not found.", full_path),
Ok((auth_id, _user_info)) => { Some(api_method) => {
rpcenv.set_auth_id(Some(auth_id)); let auth_id = rpcenv.get_auth_id();
return Ok(self.get_index(rpcenv, parts).await); let user_info = user_info;
if !check_api_permission(
api_method.access.permission,
auth_id.as_deref(),
&uri_param,
user_info.as_ref(),
) {
let err = http_err!(FORBIDDEN, "permission check failed");
tokio::time::sleep_until(Instant::from_std(access_forbidden_time())).await;
return Err(err);
} }
Err(AuthError::Generic(_)) => {
tokio::time::sleep_until(Instant::from_std(delay_unauth_time)).await; let result = if api_method.protected
} && rpcenv.env_type == RpcEnvironmentType::PUBLIC
Err(AuthError::NoData) => {} {
} proxy_protected_request(api_method, parts, body, &peer).await
return Ok(self.get_index(rpcenv, parts).await);
} else { } else {
let filename = self.find_alias(&components); handle_unformatted_api_request(rpcenv, api_method, parts, body, uri_param).await
let compression = extract_compression_method(&parts.headers); };
return handle_static_file_download(filename, compression).await;
} let mut response = match result {
Ok(resp) => resp,
Err(err) => crate::formatter::error_to_response(err),
};
if let Some(auth_id) = auth_id {
response
.extensions_mut()
.insert(AuthStringExtension(auth_id));
} }
Err(http_err!(NOT_FOUND, "Path '{}' not found.", path)) return Ok(response);
}
}
} }
} }