proxmox-backup/src/auth.rs

//! Proxmox Backup Server Authentication
//!
//! This library contains helper to authenticate users.

use std::process::{Command, Stdio};
use std::io::Write;
use std::ffi::{CString, CStr};

use base64;
use anyhow::{bail, format_err, Error};
use serde_json::json;

pub trait ProxmoxAuthenticator {
    fn authenticate_user(&self, username: &str, password: &str) -> Result<(), Error>;
    fn store_password(&self, username: &str, password: &str) -> Result<(), Error>;
}

pub struct PAM();

impl ProxmoxAuthenticator for PAM {

    fn authenticate_user(&self, username: &str, password: &str) -> Result<(), Error> {
        let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
        auth.get_handler().set_credentials(username, password);
        auth.authenticate()?;
        return Ok(());

    }

    fn store_password(&self, username: &str, password: &str) -> Result<(), Error> {
        let mut child = Command::new("passwd")
            .arg(username)
            .stdin(Stdio::piped())
            .stderr(Stdio::piped())
            .spawn()
            .or_else(|err| Err(format_err!("unable to set password for '{}' - execute passwd failed: {}", username, err)))?;

        // Note: passwd reads password twice from stdin (for verify)
        writeln!(child.stdin.as_mut().unwrap(), "{}\n{}", password, password)?;

        let output = child.wait_with_output()
            .or_else(|err| Err(format_err!("unable to set password for '{}' - wait failed: {}", username, err)))?;

        if !output.status.success() {
            bail!("unable to set password for '{}' - {}", username, String::from_utf8_lossy(&output.stderr));
        }

        Ok(())
    }
}

pub struct PBS();

pub fn crypt(password: &[u8], salt: &str) -> Result<String, Error> {

    #[link(name="crypt")]
    extern "C" {
        #[link_name = "crypt"]
        fn __crypt(key: *const libc::c_char, salt:  *const libc::c_char) -> * mut libc::c_char;
    }

    let salt = CString::new(salt)?;
    let password = CString::new(password)?;

    let res = unsafe {
        CStr::from_ptr(
            __crypt(
                password.as_c_str().as_ptr(),
                salt.as_c_str().as_ptr()
            )
        )
    };
    Ok(String::from(res.to_str()?))
}


pub fn encrypt_pw(password: &str) -> Result<String, Error> {

    let salt = proxmox::sys::linux::random_data(8)?;
    let salt = format!("$5${}$", base64::encode_config(&salt, base64::CRYPT));

    crypt(password.as_bytes(), &salt)
}

pub fn verify_crypt_pw(password: &str, enc_password: &str) -> Result<(), Error> {
    let verify = crypt(password.as_bytes(), enc_password)?;
    if &verify != enc_password {
        bail!("invalid credentials");
    }
    Ok(())
}

const SHADOW_CONFIG_FILENAME: &str = "/etc/proxmox-backup/shadow.json";

impl ProxmoxAuthenticator for PBS {

    fn authenticate_user(&self, username: &str, password: &str) -> Result<(), Error> {
        let data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        match data[username].as_str() {
            None => bail!("no password set"),
            Some(enc_password) => verify_crypt_pw(password, enc_password)?,
        }
        Ok(())
    }

    fn store_password(&self, username: &str, password: &str) -> Result<(), Error> {
        let enc_password = encrypt_pw(password)?;
        let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        data[username] = enc_password.into();

        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
        let options =  proxmox::tools::fs::CreateOptions::new()
            .perm(mode)
            .owner(nix::unistd::ROOT)
            .group(nix::unistd::Gid::from_raw(0));

        let data = serde_json::to_vec_pretty(&data)?;
        proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;

        Ok(())
    }
}

pub fn parse_userid(userid: &str) -> Result<(String, String), Error> {
    let data: Vec<&str> = userid.rsplitn(2, '@').collect();

    if data.len() != 2 {
        bail!("userid '{}' has no realm", userid);
    }
    Ok((data[1].to_owned(), data[0].to_owned()))
}

/// Lookup the autenticator for the specified realm
pub fn lookup_authenticator(realm: &str) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {
    match realm {
        "pam" => Ok(Box::new(PAM())),
        "pbs" => Ok(Box::new(PBS())),
        _ => bail!("unknown realm '{}'", realm),
    }
}

/// Authenticate users
pub fn authenticate_user(userid: &str, password: &str) -> Result<(), Error> {
    let (username, realm) = parse_userid(userid)?;

    lookup_authenticator(&realm)?
    .authenticate_user(&username, password)
}
implement auth framework 2020-04-08 09:57:14 +00:00			`//! Proxmox Backup Server Authentication`
			`//!`
			`//! This library contains helper to authenticate users.`

			`use std::process::{Command, Stdio};`
			`use std::io::Write;`
			`use std::ffi::{CString, CStr};`

			`use base64;`
switch from failure to anyhow Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-04-17 12:11:25 +00:00			`use anyhow::{bail, format_err, Error};`
implement auth framework 2020-04-08 09:57:14 +00:00			`use serde_json::json;`

			`pub trait ProxmoxAuthenticator {`
			`fn authenticate_user(&self, username: &str, password: &str) -> Result<(), Error>;`
			`fn store_password(&self, username: &str, password: &str) -> Result<(), Error>;`
			`}`

			`pub struct PAM();`

			`impl ProxmoxAuthenticator for PAM {`

			`fn authenticate_user(&self, username: &str, password: &str) -> Result<(), Error> {`
			`let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();`
			`auth.get_handler().set_credentials(username, password);`
			`auth.authenticate()?;`
			`return Ok(());`

			`}`

			`fn store_password(&self, username: &str, password: &str) -> Result<(), Error> {`
			`let mut child = Command::new("passwd")`
			`.arg(username)`
			`.stdin(Stdio::piped())`
			`.stderr(Stdio::piped())`
			`.spawn()`
			`.or_else(\|err\| Err(format_err!("unable to set password for '{}' - execute passwd failed: {}", username, err)))?;`

			`// Note: passwd reads password twice from stdin (for verify)`
			`writeln!(child.stdin.as_mut().unwrap(), "{}\n{}", password, password)?;`

			`let output = child.wait_with_output()`
			`.or_else(\|err\| Err(format_err!("unable to set password for '{}' - wait failed: {}", username, err)))?;`

			`if !output.status.success() {`
			`bail!("unable to set password for '{}' - {}", username, String::from_utf8_lossy(&output.stderr));`
			`}`

			`Ok(())`
			`}`
			`}`

			`pub struct PBS();`

			`pub fn crypt(password: &[u8], salt: &str) -> Result<String, Error> {`

			`#[link(name="crypt")]`
			`extern "C" {`
			`#[link_name = "crypt"]`
			`fn __crypt(key: const libc::c_char, salt: const libc::c_char) -> * mut libc::c_char;`
			`}`

			`let salt = CString::new(salt)?;`
			`let password = CString::new(password)?;`

			`let res = unsafe {`
			`CStr::from_ptr(`
			`__crypt(`
			`password.as_c_str().as_ptr(),`
			`salt.as_c_str().as_ptr()`
			`)`
			`)`
			`};`
			`Ok(String::from(res.to_str()?))`
			`}`


			`pub fn encrypt_pw(password: &str) -> Result<String, Error> {`

			`let salt = proxmox::sys::linux::random_data(8)?;`
			`let salt = format!("$5${}$", base64::encode_config(&salt, base64::CRYPT));`

			`crypt(password.as_bytes(), &salt)`
			`}`

			`pub fn verify_crypt_pw(password: &str, enc_password: &str) -> Result<(), Error> {`
			`let verify = crypt(password.as_bytes(), enc_password)?;`
			`if &verify != enc_password {`
			`bail!("invalid credentials");`
			`}`
			`Ok(())`
			`}`

			`const SHADOW_CONFIG_FILENAME: &str = "/etc/proxmox-backup/shadow.json";`

			`impl ProxmoxAuthenticator for PBS {`

			`fn authenticate_user(&self, username: &str, password: &str) -> Result<(), Error> {`
			`let data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;`
			`match data[username].as_str() {`
			`None => bail!("no password set"),`
			`Some(enc_password) => verify_crypt_pw(password, enc_password)?,`
			`}`
			`Ok(())`
			`}`

			`fn store_password(&self, username: &str, password: &str) -> Result<(), Error> {`
			`let enc_password = encrypt_pw(password)?;`
			`let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;`
			`data[username] = enc_password.into();`

			`let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);`
			`let options = proxmox::tools::fs::CreateOptions::new()`
			`.perm(mode)`
			`.owner(nix::unistd::ROOT)`
			`.group(nix::unistd::Gid::from_raw(0));`

			`let data = serde_json::to_vec_pretty(&data)?;`
			`proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;`

			`Ok(())`
			`}`
			`}`

			`pub fn parse_userid(userid: &str) -> Result<(String, String), Error> {`
			`let data: Vec<&str> = userid.rsplitn(2, '@').collect();`

			`if data.len() != 2 {`
			`bail!("userid '{}' has no realm", userid);`
			`}`
			`Ok((data[1].to_owned(), data[0].to_owned()))`
			`}`

start impl. access permissions 2020-04-16 08:01:59 +00:00			`/// Lookup the autenticator for the specified realm`
implement auth framework 2020-04-08 09:57:14 +00:00			`pub fn lookup_authenticator(realm: &str) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {`
			`match realm {`
			`"pam" => Ok(Box::new(PAM())),`
			`"pbs" => Ok(Box::new(PBS())),`
			`_ => bail!("unknown realm '{}'", realm),`
			`}`
			`}`

start impl. access permissions 2020-04-16 08:01:59 +00:00			`/// Authenticate users`
implement auth framework 2020-04-08 09:57:14 +00:00			`pub fn authenticate_user(userid: &str, password: &str) -> Result<(), Error> {`
			`let (username, realm) = parse_userid(userid)?;`

			`lookup_authenticator(&realm)?`
			`.authenticate_user(&username, password)`
			`}`