proxmox-backup/src/api2/access.rs

use anyhow::{bail, format_err, Error};

use serde_json::{json, Value};

use proxmox::api::{api, RpcEnvironment, Permission, UserInformation};
use proxmox::api::router::{Router, SubdirMap};
use proxmox::{sortable, identity};
use proxmox::{http_err, list_subdirs_api_method};

use crate::tools;
use crate::tools::ticket::*;
use crate::auth_helpers::*;
use crate::api2::types::*;

use crate::config::cached_user_info::CachedUserInfo;
use crate::config::acl::PRIV_PERMISSIONS_MODIFY;

pub mod user;
pub mod domain;
pub mod acl;
pub mod role;

fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {

    let user_info = CachedUserInfo::new()?;

    if !user_info.is_active_user(&username) {
        bail!("user account disabled or expired.");
    }

    let ticket_lifetime = tools::ticket::TICKET_LIFETIME;

    if password.starts_with("PBS:") {
        if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
            if ticket_username == username {
                return Ok(());
            } else {
                bail!("ticket login failed - wrong username");
            }
        }
    }

    crate::auth::authenticate_user(username, password)
}

#[api(
    input: {
        properties: {
            username: {
                schema: PROXMOX_USER_ID_SCHEMA,
            },
            password: {
                schema: PASSWORD_SCHEMA,
            },
        },
    },
    returns: {
        properties: {
            username: {
                type: String,
                description: "User name.",
            },
            ticket: {
                type: String,
                description: "Auth ticket.",
            },
            CSRFPreventionToken: {
                type: String,
                description: "Cross Site Request Forgery Prevention Token.",
            },
        },
    },
    protected: true,
    access: {
        permission: &Permission::World,
    },
)]
/// Create or verify authentication ticket.
///
/// Returns: An authentication ticket with additional infos.
fn create_ticket(username: String, password: String) -> Result<Value, Error> {
    match authenticate_user(&username, &password) {
        Ok(_) => {

            let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(&username), None)?;

            let token = assemble_csrf_prevention_token(csrf_secret(), &username);

            log::info!("successful auth for user '{}'", username);

            Ok(json!({
                "username": username,
                "ticket": ticket,
                "CSRFPreventionToken": token,
            }))
        }
        Err(err) => {
            let client_ip = "unknown"; // $rpcenv->get_client_ip() || '';
            log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
            Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))
        }
    }
}

#[api(
    input: {
        properties: {
            userid: {
                schema: PROXMOX_USER_ID_SCHEMA,
            },
            password: {
                schema: PASSWORD_SCHEMA,
            },
        },
    },
    access: {
        description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",
        permission: &Permission::Anybody,
    },

)]
/// Change user password
///
/// Each user is allowed to change his own password. Superuser
/// can change all passwords.
fn change_password(
    userid: String,
    password: String,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> {

    let current_user = rpcenv.get_user()
        .ok_or_else(|| format_err!("unknown user"))?;

    let mut allowed = userid == current_user;

    if userid == "root@pam" { allowed = true; }

    if !allowed {
        let user_info = CachedUserInfo::new()?;
        let privs = user_info.lookup_privs(&current_user, &[]);
        if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { allowed = true; }
    }

    if !allowed {
        bail!("you are not authorized to change the password.");
    }

    let (username, realm) = crate::auth::parse_userid(&userid)?;
    let authenticator = crate::auth::lookup_authenticator(&realm)?;
    authenticator.store_password(&username, &password)?;

    Ok(Value::Null)
}

#[sortable]
const SUBDIRS: SubdirMap = &sorted!([
    ("acl", &acl::ROUTER),
    (
        "password", &Router::new()
            .put(&API_METHOD_CHANGE_PASSWORD)
    ),
    (
        "ticket", &Router::new()
            .post(&API_METHOD_CREATE_TICKET)
    ),
    ("domains", &domain::ROUTER),
    ("roles", &role::ROUTER),
    ("users", &user::ROUTER),
]);

pub const ROUTER: Router = Router::new()
    .get(&list_subdirs_api_method!(SUBDIRS))
    .subdirs(SUBDIRS);
switch from failure to anyhow Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-04-17 12:11:25 +00:00			`use anyhow::{bail, format_err, Error};`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00
sort all property lookup tables Required, because we use binary sreach to find items. 2019-11-21 12:10:49 +00:00			`use serde_json::{json, Value};`

src/api2/access/user.rs: add access permissions 2020-04-17 09:04:36 +00:00			`use proxmox::api::{api, RpcEnvironment, Permission, UserInformation};`
bump proxmox crate to 0.1.7 The -sys, -tools and -api crate have now been merged into the proxmx crate directly. Only macro crates are separate (but still reexported by the proxmox crate in their designated locations). When we need to depend on "parts" of the crate later on we'll just have to use features. The reason is mostly that these modules had inter-dependencies which really make them not independent enough to be their own crates. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-01-21 11:28:01 +00:00			`use proxmox::api::router::{Router, SubdirMap};`
api: correctly sort access subdirmap 2020-04-09 11:34:07 +00:00			`use proxmox::{sortable, identity};`
bump proxmox crate to 0.1.7 The -sys, -tools and -api crate have now been merged into the proxmx crate directly. Only macro crates are separate (but still reexported by the proxmox crate in their designated locations). When we need to depend on "parts" of the crate later on we'll just have to use features. The reason is mostly that these modules had inter-dependencies which really make them not independent enough to be their own crates. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-01-21 11:28:01 +00:00			`use proxmox::{http_err, list_subdirs_api_method};`
sort all property lookup tables Required, because we use binary sreach to find items. 2019-11-21 12:10:49 +00:00
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`use crate::tools;`
			`use crate::tools::ticket::*;`
			`use crate::auth_helpers::*;`
api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`use crate::api2::types::*;`
src/api2/access/user.rs: add access permissions 2020-04-17 09:04:36 +00:00
start impl. access permissions 2020-04-16 08:01:59 +00:00			`use crate::config::cached_user_info::CachedUserInfo;`
src/api2/access/user.rs: add access permissions 2020-04-17 09:04:36 +00:00			`use crate::config::acl::PRIV_PERMISSIONS_MODIFY;`
api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00
			`pub mod user;`
api: add list_domains 2020-04-09 09:36:45 +00:00			`pub mod domain;`
start ACL api 2020-04-13 09:09:44 +00:00			`pub mod acl;`
src/api2/access/role.rs: new api to list roles 2020-04-17 12:03:24 +00:00			`pub mod role;`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00
			`fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {`

start impl. access permissions 2020-04-16 08:01:59 +00:00			`let user_info = CachedUserInfo::new()?;`

			`if !user_info.is_active_user(&username) {`
			`bail!("user account disabled or expired.");`
			`}`

src/api2/access.rs: authenticate_user() - add ticket login 2019-03-05 11:53:59 +00:00			`let ticket_lifetime = tools::ticket::TICKET_LIFETIME;`

			`if password.starts_with("PBS:") {`
			`if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {`
			`if ticket_username == username {`
			`return Ok(());`
			`} else {`
			`bail!("ticket login failed - wrong username");`
			`}`
			`}`
			`}`

implement auth framework 2020-04-08 09:57:14 +00:00			`crate::auth::authenticate_user(username, password)`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`}`

update api macro invocation to new style Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 13:19:36 +00:00			`#[api(`
			`input: {`
			`properties: {`
			`username: {`
api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`schema: PROXMOX_USER_ID_SCHEMA,`
update api macro invocation to new style Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 13:19:36 +00:00			`},`
			`password: {`
api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`schema: PASSWORD_SCHEMA,`
update api macro invocation to new style Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 13:19:36 +00:00			`},`
first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`},`
			`},`
update api macro invocation to new style Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 13:19:36 +00:00			`returns: {`
			`properties: {`
			`username: {`
			`type: String,`
			`description: "User name.",`
			`},`
			`ticket: {`
			`type: String,`
			`description: "Auth ticket.",`
			`},`
			`CSRFPreventionToken: {`
			`type: String,`
			`description: "Cross Site Request Forgery Prevention Token.",`
			`},`
first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`},`
			`},`
update api macro invocation to new style Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 13:19:36 +00:00			`protected: true,`
start impl. access permissions 2020-04-16 08:01:59 +00:00			`access: {`
			`permission: &Permission::World,`
			`},`
update api macro invocation to new style Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 13:19:36 +00:00			`)]`
first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`/// Create or verify authentication ticket.`
			`///`
			`/// Returns: An authentication ticket with additional infos.`
update api macro example usage Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-29 08:51:27 +00:00			`fn create_ticket(username: String, password: String) -> Result<Value, Error> {`
			`match authenticate_user(&username, &password) {`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`Ok(_) => {`

update api macro example usage Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-29 08:51:27 +00:00			`let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(&username), None)?;`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00
update api macro example usage Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-29 08:51:27 +00:00			`let token = assemble_csrf_prevention_token(csrf_secret(), &username);`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00
			`log::info!("successful auth for user '{}'", username);`

avoid some clippy warnings 2019-10-26 09:36:01 +00:00			`Ok(json!({`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`"username": username,`
			`"ticket": ticket,`
			`"CSRFPreventionToken": token,`
avoid some clippy warnings 2019-10-26 09:36:01 +00:00			`}))`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`}`
			`Err(err) => {`
whitespace fixup Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-29 08:52:15 +00:00			`let client_ip = "unknown"; // $rpcenv->get_client_ip() \|\| '';`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());`
avoid some clippy warnings 2019-10-26 09:36:01 +00:00			`Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`}`
			`}`
			`}`

api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`#[api(`
			`input: {`
			`properties: {`
			`userid: {`
			`schema: PROXMOX_USER_ID_SCHEMA,`
			`},`
			`password: {`
			`schema: PASSWORD_SCHEMA,`
			`},`
			`},`
			`},`
start impl. access permissions 2020-04-16 08:01:59 +00:00			`access: {`
src/api2/access/user.rs: add access permissions 2020-04-17 09:04:36 +00:00			`description: "Anybody is allowed to change there own password. In addition, users with 'Permissions:Modify' privilege may change any password.",`
start impl. access permissions 2020-04-16 08:01:59 +00:00			`permission: &Permission::Anybody,`
			`},`

api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`)]`
			`/// Change user password`
			`///`
			`/// Each user is allowed to change his own password. Superuser`
			`/// can change all passwords.`
			`fn change_password(`
			`userid: String,`
			`password: String,`
			`rpcenv: &mut dyn RpcEnvironment,`
			`) -> Result<Value, Error> {`

			`let current_user = rpcenv.get_user()`
			`.ok_or_else(\|\| format_err!("unknown user"))?;`

			`let mut allowed = userid == current_user;`

			`if userid == "root@pam" { allowed = true; }`

src/api2/access/user.rs: add access permissions 2020-04-17 09:04:36 +00:00			`if !allowed {`
			`let user_info = CachedUserInfo::new()?;`
			`let privs = user_info.lookup_privs(&current_user, &[]);`
			`if (privs & PRIV_PERMISSIONS_MODIFY) != 0 { allowed = true; }`
			`}`

api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`if !allowed {`
			`bail!("you are not authorized to change the password.");`
			`}`

			`let (username, realm) = crate::auth::parse_userid(&userid)?;`
			`let authenticator = crate::auth::lookup_authenticator(&realm)?;`
			`authenticator.store_password(&username, &password)?;`

			`Ok(Value::Null)`
			`}`

sort all property lookup tables Required, because we use binary sreach to find items. 2019-11-21 12:10:49 +00:00			`#[sortable]`
api: correctly sort access subdirmap 2020-04-09 11:34:07 +00:00			`const SUBDIRS: SubdirMap = &sorted!([`
start ACL api 2020-04-13 09:09:44 +00:00			`("acl", &acl::ROUTER),`
api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`(`
			`"password", &Router::new()`
			`.put(&API_METHOD_CHANGE_PASSWORD)`
			`),`
use const api definitions 2019-11-21 08:36:41 +00:00			`(`
			`"ticket", &Router::new()`
first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`.post(&API_METHOD_CREATE_TICKET)`
api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`),`
api: add list_domains 2020-04-09 09:36:45 +00:00			`("domains", &domain::ROUTER),`
src/api2/access/role.rs: new api to list roles 2020-04-17 12:03:24 +00:00			`("roles", &role::ROUTER),`
api: move config/user to access/users, implement change_password To make it similar to the pve api 2020-04-09 08:19:38 +00:00			`("users", &user::ROUTER),`
api: correctly sort access subdirmap 2020-04-09 11:34:07 +00:00			`]);`
use const api definitions 2019-11-21 08:36:41 +00:00
			`pub const ROUTER: Router = Router::new()`
			`.get(&list_subdirs_api_method!(SUBDIRS))`
			`.subdirs(SUBDIRS);`