proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-05-21 22:37:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

make state directory configurable (pass state_dir as parameter)

Browse Source
This commit is contained in:
Dietmar Maurer 2021-06-18 10:49:38 +02:00
parent ca65d297b7
commit dd0d18d5ce
2 changed files with 34 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
src/auth_state.rs
View File

@ -1,6 +1,7 @@
use std::path::{Path, PathBuf};
use anyhow::{bail, Error}; use anyhow::{bail, Error};
use serde_json::{json, Value}; use serde_json::{json, Value};
use nix::unistd::Uid;
use proxmox::tools::{ use proxmox::tools::{
time::epoch_i64, time::epoch_i64,
@ -14,15 +15,23 @@ use proxmox::tools::{
use super::{PublicAuthState, PrivateAuthState}; use super::{PublicAuthState, PrivateAuthState};
fn load_auth_state_locked(realm: &str, default: Option<Value>) -> Result<(String, std::fs::File, Vec<Value>), Error> { fn load_auth_state_locked(
state_dir: &Path,
realm: &str,
default: Option<Value>,
) -> Result<(PathBuf, std::fs::File, Vec<Value>), Error> {
let mut lock_path = state_dir.to_owned();
lock_path.push("proxmox-openid-auth-state.lock");
let lock = open_file_locked( let lock = open_file_locked(
"/tmp/proxmox-openid-auth-state.lock", lock_path,
std::time::Duration::new(10, 0), std::time::Duration::new(10, 0),
true true
)?; )?;
let path = format!("/tmp/proxmox-openid-auth-state-{}", realm); let mut path = state_dir.to_owned();
path.push(format!("proxmox-openid-auth-state-{}", realm));
let now = epoch_i64(); let now = epoch_i64();
@ -43,27 +52,28 @@ fn load_auth_state_locked(realm: &str, default: Option<Value>) -> Result<(String
Ok((path, lock, data)) Ok((path, lock, data))
} }
fn replace_auth_state(path: &str, data: &Vec<Value>, state_owner: Uid) -> Result<(), Error> { fn replace_auth_state(
path: &Path,
data: &Vec<Value>,
) -> Result<(), Error> {
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600); let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
// set the correct owner/group/permissions while saving file let options = CreateOptions::new().perm(mode);
// owner(rw) = root
let options = CreateOptions::new()
.perm(mode)
.owner(state_owner);
let raw = serde_json::to_string_pretty(data)?; let raw = serde_json::to_string_pretty(data)?;
replace_file(&path, raw.as_bytes(), options)?; replace_file(path, raw.as_bytes(), options)?;
Ok(()) Ok(())
} }
pub fn verify_public_auth_state(state: &str, state_owner: Uid) -> Result<(String, PrivateAuthState), Error> { pub fn verify_public_auth_state(
state_dir: &Path,
state: &str,
) -> Result<(String, PrivateAuthState), Error> {
let public_auth_state: PublicAuthState = serde_json::from_str(state)?; let public_auth_state: PublicAuthState = serde_json::from_str(state)?;
let (path, _lock, old_data) = load_auth_state_locked(&public_auth_state.realm, None)?; let (path, _lock, old_data) = load_auth_state_locked(state_dir, &public_auth_state.realm, None)?;
let mut data: Vec<Value> = Vec::new(); let mut data: Vec<Value> = Vec::new();
@ -82,18 +92,18 @@ pub fn verify_public_auth_state(state: &str, state_owner: Uid) -> Result<(String
Some(entry) => entry, Some(entry) => entry,
}; };
replace_auth_state(&path, &data, state_owner)?; replace_auth_state(&path, &data)?;
Ok((public_auth_state.realm, entry)) Ok((public_auth_state.realm, entry))
} }
pub fn store_auth_state( pub fn store_auth_state(
state_dir: &Path,
realm: &str, realm: &str,
auth_state: &PrivateAuthState, auth_state: &PrivateAuthState,
state_owner: Uid,
) -> Result<(), Error> { ) -> Result<(), Error> {
let (path, _lock, mut data) = load_auth_state_locked(realm, Some(json!([])))?; let (path, _lock, mut data) = load_auth_state_locked(state_dir, realm, Some(json!([])))?;
if data.len() > 100 { if data.len() > 100 {
bail!("too many pending openid auth request for realm {}", realm); bail!("too many pending openid auth request for realm {}", realm);
@ -101,7 +111,7 @@ pub fn store_auth_state(
data.push(serde_json::to_value(&auth_state)?); data.push(serde_json::to_value(&auth_state)?);
replace_auth_state(&path, &data, state_owner)?; replace_auth_state(&path, &data)?;
Ok(()) Ok(())
} }

11
src/lib.rs
View File

@ -1,7 +1,8 @@
use std::path::Path;
use anyhow::{format_err, Error}; use anyhow::{format_err, Error};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use url::Url; use url::Url;
use nix::unistd::Uid;
mod http_client; mod http_client;
pub use http_client::http_client; pub use http_client::http_client;
@ -112,13 +113,13 @@ impl OpenIdAuthenticator {
}) })
} }
pub fn authorize_url(&self, realm: &str, state_owner: Uid) -> Result<Url, Error> { pub fn authorize_url(&self, state_dir: &str, realm: &str) -> Result<Url, Error> {
let private_auth_state = PrivateAuthState::new(); let private_auth_state = PrivateAuthState::new();
let public_auth_state = private_auth_state.public_state_string(realm.to_string())?; let public_auth_state = private_auth_state.public_state_string(realm.to_string())?;
let nonce = private_auth_state.nonce.clone(); let nonce = private_auth_state.nonce.clone();
store_auth_state(realm, &private_auth_state, state_owner)?; store_auth_state(Path::new(state_dir), realm, &private_auth_state)?;
// Generate the authorization URL to which we'll redirect the user. // Generate the authorization URL to which we'll redirect the user.
let (authorize_url, _csrf_state, _nonce) = self.client let (authorize_url, _csrf_state, _nonce) = self.client
@ -138,10 +139,10 @@ impl OpenIdAuthenticator {
} }
pub fn verify_public_auth_state( pub fn verify_public_auth_state(
state_dir: &str,
state: &str, state: &str,
state_owner: Uid,
) -> Result<(String, PrivateAuthState), Error> { ) -> Result<(String, PrivateAuthState), Error> {
verify_public_auth_state(state, state_owner) verify_public_auth_state(Path::new(state_dir), state)
} }
pub fn verify_authorization_code( pub fn verify_authorization_code(