proxmox-backup/src/bin/proxmox_restore_daemon/auth.rs

//! Authentication via a static ticket file
use std::fs::File;
use std::io::prelude::*;

use anyhow::{bail, format_err, Error};

use pbs_api_types::Authid;

use pbs_config::CachedUserInfo;
use proxmox_backup::server::auth::{ApiAuth, AuthError};

const TICKET_FILE: &str = "/ticket";

pub struct StaticAuth {
    ticket: String,
}

impl ApiAuth for StaticAuth {
    fn check_auth(
        &self,
        headers: &http::HeaderMap,
        _method: &hyper::Method,
        _user_info: &CachedUserInfo,
    ) -> Result<Authid, AuthError> {
        match headers.get(hyper::header::AUTHORIZATION) {
            Some(header) if header.to_str().unwrap_or("") == &self.ticket => {
                Ok(Authid::root_auth_id().to_owned())
            }
            _ => {
                return Err(AuthError::Generic(format_err!(
                    "invalid file restore ticket provided"
                )));
            }
        }
    }
}

pub fn ticket_auth() -> Result<StaticAuth, Error> {
    let mut ticket_file = File::open(TICKET_FILE)?;
    let mut ticket = String::new();
    let len = ticket_file.read_to_string(&mut ticket)?;
    if len <= 0 {
        bail!("invalid ticket: cannot be empty");
    }
    Ok(StaticAuth { ticket })
}
file-restore-daemon: add binary with virtio-vsock API server Implements the base of a small daemon to run within a file-restore VM. The binary spawns an API server on a virtio-vsock socket, listening for connections from the host. This happens mostly manually via the standard Unix socket API, since tokio/hyper do not have support for vsock built in. Once we have the accept'ed file descriptor, we can create a UnixStream and use our tower service implementation for that. The binary is deliberately not installed in the usual $PATH location, since it shouldn't be executed on the host by a user anyway. For now, only the API calls 'status' and 'stop' are implemented, to demonstrate and test proxmox::api functionality. Authorization is provided via a custom ApiAuth only checking a header value against a static /ticket file. Since the REST server implementation uses the log!() macro, we can redirect its output to stdout by registering env_logger as the logging target. env_logger is already in our dependency tree via zstd/bindgen. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-03-31 10:21:52 +00:00			`//! Authentication via a static ticket file`
			`use std::fs::File;`
			`use std::io::prelude::*;`

another import cleanup Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-09-01 12:37:11 +00:00			`use anyhow::{bail, format_err, Error};`

			`use pbs_api_types::Authid;`

move user configuration to pbs_config workspace Also moved memcom.rs and cached_user_info.rs 2021-09-10 04:53:53 +00:00			`use pbs_config::CachedUserInfo;`
file-restore-daemon: add binary with virtio-vsock API server Implements the base of a small daemon to run within a file-restore VM. The binary spawns an API server on a virtio-vsock socket, listening for connections from the host. This happens mostly manually via the standard Unix socket API, since tokio/hyper do not have support for vsock built in. Once we have the accept'ed file descriptor, we can create a UnixStream and use our tower service implementation for that. The binary is deliberately not installed in the usual $PATH location, since it shouldn't be executed on the host by a user anyway. For now, only the API calls 'status' and 'stop' are implemented, to demonstrate and test proxmox::api functionality. Authorization is provided via a custom ApiAuth only checking a header value against a static /ticket file. Since the REST server implementation uses the log!() macro, we can redirect its output to stdout by registering env_logger as the logging target. env_logger is already in our dependency tree via zstd/bindgen. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-03-31 10:21:52 +00:00			`use proxmox_backup::server::auth::{ApiAuth, AuthError};`

			`const TICKET_FILE: &str = "/ticket";`

			`pub struct StaticAuth {`
			`ticket: String,`
			`}`

			`impl ApiAuth for StaticAuth {`
			`fn check_auth(`
			`&self,`
			`headers: &http::HeaderMap,`
			`_method: &hyper::Method,`
			`_user_info: &CachedUserInfo,`
			`) -> Result<Authid, AuthError> {`
			`match headers.get(hyper::header::AUTHORIZATION) {`
			`Some(header) if header.to_str().unwrap_or("") == &self.ticket => {`
			`Ok(Authid::root_auth_id().to_owned())`
			`}`
			`_ => {`
			`return Err(AuthError::Generic(format_err!(`
			`"invalid file restore ticket provided"`
			`)));`
			`}`
			`}`
			`}`
			`}`

			`pub fn ticket_auth() -> Result<StaticAuth, Error> {`
			`let mut ticket_file = File::open(TICKET_FILE)?;`
			`let mut ticket = String::new();`
			`let len = ticket_file.read_to_string(&mut ticket)?;`
			`if len <= 0 {`
			`bail!("invalid ticket: cannot be empty");`
			`}`
			`Ok(StaticAuth { ticket })`
			`}`