mirror of
https://git.proxmox.com/git/proxmox
synced 2025-05-21 17:55:10 +00:00
make state directory configurable (pass state_dir as parameter)
This commit is contained in:
Dietmar Maurer
parent
ca65d297b7
commit
dd0d18d5ce
@ -1,6 +1,7 @@
|
||||
use std::path::{Path, PathBuf};
|
||||
|
||||
use anyhow::{bail, Error};
|
||||
use serde_json::{json, Value};
|
||||
use nix::unistd::Uid;
|
||||
|
||||
use proxmox::tools::{
|
||||
time::epoch_i64,
|
||||
@ -14,15 +15,23 @@ use proxmox::tools::{
|
||||
|
||||
use super::{PublicAuthState, PrivateAuthState};
|
||||
|
||||
fn load_auth_state_locked(realm: &str, default: Option<Value>) -> Result<(String, std::fs::File, Vec<Value>), Error> {
|
||||
fn load_auth_state_locked(
|
||||
state_dir: &Path,
|
||||
realm: &str,
|
||||
default: Option<Value>,
|
||||
) -> Result<(PathBuf, std::fs::File, Vec<Value>), Error> {
|
||||
|
||||
let mut lock_path = state_dir.to_owned();
|
||||
lock_path.push("proxmox-openid-auth-state.lock");
|
||||
|
||||
let lock = open_file_locked(
|
||||
"/tmp/proxmox-openid-auth-state.lock",
|
||||
lock_path,
|
||||
std::time::Duration::new(10, 0),
|
||||
true
|
||||
)?;
|
||||
|
||||
let path = format!("/tmp/proxmox-openid-auth-state-{}", realm);
|
||||
let mut path = state_dir.to_owned();
|
||||
path.push(format!("proxmox-openid-auth-state-{}", realm));
|
||||
|
||||
let now = epoch_i64();
|
||||
|
||||
@ -43,27 +52,28 @@ fn load_auth_state_locked(realm: &str, default: Option<Value>) -> Result<(String
|
||||
Ok((path, lock, data))
|
||||
}
|
||||
|
||||
fn replace_auth_state(path: &str, data: &Vec<Value>, state_owner: Uid) -> Result<(), Error> {
|
||||
fn replace_auth_state(
|
||||
path: &Path,
|
||||
data: &Vec<Value>,
|
||||
) -> Result<(), Error> {
|
||||
|
||||
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
|
||||
// set the correct owner/group/permissions while saving file
|
||||
// owner(rw) = root
|
||||
let options = CreateOptions::new()
|
||||
.perm(mode)
|
||||
.owner(state_owner);
|
||||
|
||||
let options = CreateOptions::new().perm(mode);
|
||||
let raw = serde_json::to_string_pretty(data)?;
|
||||
|
||||
replace_file(&path, raw.as_bytes(), options)?;
|
||||
replace_file(path, raw.as_bytes(), options)?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn verify_public_auth_state(state: &str, state_owner: Uid) -> Result<(String, PrivateAuthState), Error> {
|
||||
pub fn verify_public_auth_state(
|
||||
state_dir: &Path,
|
||||
state: &str,
|
||||
) -> Result<(String, PrivateAuthState), Error> {
|
||||
|
||||
let public_auth_state: PublicAuthState = serde_json::from_str(state)?;
|
||||
|
||||
let (path, _lock, old_data) = load_auth_state_locked(&public_auth_state.realm, None)?;
|
||||
let (path, _lock, old_data) = load_auth_state_locked(state_dir, &public_auth_state.realm, None)?;
|
||||
|
||||
let mut data: Vec<Value> = Vec::new();
|
||||
|
||||
@ -82,18 +92,18 @@ pub fn verify_public_auth_state(state: &str, state_owner: Uid) -> Result<(String
|
||||
Some(entry) => entry,
|
||||
};
|
||||
|
||||
replace_auth_state(&path, &data, state_owner)?;
|
||||
replace_auth_state(&path, &data)?;
|
||||
|
||||
Ok((public_auth_state.realm, entry))
|
||||
}
|
||||
|
||||
pub fn store_auth_state(
|
||||
state_dir: &Path,
|
||||
realm: &str,
|
||||
auth_state: &PrivateAuthState,
|
||||
state_owner: Uid,
|
||||
) -> Result<(), Error> {
|
||||
|
||||
let (path, _lock, mut data) = load_auth_state_locked(realm, Some(json!([])))?;
|
||||
let (path, _lock, mut data) = load_auth_state_locked(state_dir, realm, Some(json!([])))?;
|
||||
|
||||
if data.len() > 100 {
|
||||
bail!("too many pending openid auth request for realm {}", realm);
|
||||
@ -101,7 +111,7 @@ pub fn store_auth_state(
|
||||
|
||||
data.push(serde_json::to_value(&auth_state)?);
|
||||
|
||||
replace_auth_state(&path, &data, state_owner)?;
|
||||
replace_auth_state(&path, &data)?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
11
src/lib.rs
11
src/lib.rs
@ -1,7 +1,8 @@
|
||||
use std::path::Path;
|
||||
|
||||
use anyhow::{format_err, Error};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use url::Url;
|
||||
use nix::unistd::Uid;
|
||||
|
||||
mod http_client;
|
||||
pub use http_client::http_client;
|
||||
@ -112,13 +113,13 @@ impl OpenIdAuthenticator {
|
||||
})
|
||||
}
|
||||
|
||||
pub fn authorize_url(&self, realm: &str, state_owner: Uid) -> Result<Url, Error> {
|
||||
pub fn authorize_url(&self, state_dir: &str, realm: &str) -> Result<Url, Error> {
|
||||
|
||||
let private_auth_state = PrivateAuthState::new();
|
||||
let public_auth_state = private_auth_state.public_state_string(realm.to_string())?;
|
||||
let nonce = private_auth_state.nonce.clone();
|
||||
|
||||
store_auth_state(realm, &private_auth_state, state_owner)?;
|
||||
store_auth_state(Path::new(state_dir), realm, &private_auth_state)?;
|
||||
|
||||
// Generate the authorization URL to which we'll redirect the user.
|
||||
let (authorize_url, _csrf_state, _nonce) = self.client
|
||||
@ -138,10 +139,10 @@ impl OpenIdAuthenticator {
|
||||
}
|
||||
|
||||
pub fn verify_public_auth_state(
|
||||
state_dir: &str,
|
||||
state: &str,
|
||||
state_owner: Uid,
|
||||
) -> Result<(String, PrivateAuthState), Error> {
|
||||
verify_public_auth_state(state, state_owner)
|
||||
verify_public_auth_state(Path::new(state_dir), state)
|
||||
}
|
||||
|
||||
pub fn verify_authorization_code(
|
||||
|
||||
Loading…
Reference in New Issue
Block a user