proxmox-backup/src/api2/access.rs

use failure::*;

use serde_json::{json, Value};

use proxmox::sortable;
use proxmox::api::{http_err, list_subdirs_api_method};
use proxmox::api::{ApiMethod, Router, RpcEnvironment};
use proxmox::api::router::SubdirMap;
use proxmox::api::api;

use crate::tools;
use crate::tools::ticket::*;
use crate::auth_helpers::*;

fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {

    let ticket_lifetime = tools::ticket::TICKET_LIFETIME;

    if password.starts_with("PBS:") {
        if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
            if ticket_username == username {
                return Ok(());
            } else {
                bail!("ticket login failed - wrong username");
            }
        }
    }

    if username == "root@pam" {
        let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
        auth.get_handler().set_credentials("root", password);
        auth.authenticate()?;
        return Ok(());
    }

    bail!("inavlid credentials");
}

#[api]
#[input({
    properties: {
        username: {
            type: String,
            description: "User name.",
            max_length: 64,
        },
        password: {
            type: String,
            description: "The secret password. This can also be a valid ticket.",
        },
    },
})]
#[returns({
    properties: {
        username: {
            type: String,
            description: "User name.",
        },
        ticket: {
            type: String,
            description: "Auth ticket.",
        },
        CSRFPreventionToken: {
            type: String,
            description: "Cross Site Request Forgery Prevention Token.",
        },
    },
})]
#[protected]
/// Create or verify authentication ticket.
///
/// Returns: An authentication ticket with additional infos.
fn create_ticket(
    param: Value,
    _info: &ApiMethod,
    _rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> {

    let username = tools::required_string_param(&param, "username")?;
    let password = tools::required_string_param(&param, "password")?;

    match authenticate_user(username, password) {
        Ok(_) => {

            let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(username), None)?;

            let token = assemble_csrf_prevention_token(csrf_secret(), username);

            log::info!("successful auth for user '{}'", username);

            Ok(json!({
                "username": username,
                "ticket": ticket,
                "CSRFPreventionToken": token,
            }))
        }
        Err(err) => {
	    let client_ip = "unknown"; // $rpcenv->get_client_ip() || '';
            log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
            Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))
        }
    }
}

#[sortable]
const SUBDIRS: SubdirMap = &[
    (
        "ticket", &Router::new()
            .post(&API_METHOD_CREATE_TICKET)
    )
];

pub const ROUTER: Router = Router::new()
    .get(&list_subdirs_api_method!(SUBDIRS))
    .subdirs(SUBDIRS);
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`use failure::*;`

sort all property lookup tables Required, because we use binary sreach to find items. 2019-11-21 12:10:49 +00:00			`use serde_json::{json, Value};`

first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`use proxmox::sortable;`
api/compat: remove remaining api_schema references Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-21 13:53:15 +00:00			`use proxmox::api::{http_err, list_subdirs_api_method};`
first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`use proxmox::api::{ApiMethod, Router, RpcEnvironment};`
api/compat: remove remaining api_schema references Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-21 13:53:15 +00:00			`use proxmox::api::router::SubdirMap;`
first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`use proxmox::api::api;`
sort all property lookup tables Required, because we use binary sreach to find items. 2019-11-21 12:10:49 +00:00
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`use crate::tools;`
			`use crate::tools::ticket::*;`
			`use crate::auth_helpers::*;`

			`fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {`

src/api2/access.rs: authenticate_user() - add ticket login 2019-03-05 11:53:59 +00:00			`let ticket_lifetime = tools::ticket::TICKET_LIFETIME;`

			`if password.starts_with("PBS:") {`
			`if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {`
			`if ticket_username == username {`
			`return Ok(());`
			`} else {`
			`bail!("ticket login failed - wrong username");`
			`}`
			`}`
			`}`

depend on pam-auth, use pam for root login Please use username "root@pam" for login via GUI. 2019-02-01 08:30:50 +00:00			`if username == "root@pam" {`
update to pam 0.7 (renamed from pam-auth) It now supports custom conversation methods, so instead of new() we ask for a default authenticator taking a password via with_password(). Since the password is now handled by the now separate conversation handler, `set_credentials()` is now called on the handler we get via `.get_handler()`. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-02-15 09:32:14 +00:00			`let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();`
			`auth.get_handler().set_credentials("root", password);`
depend on pam-auth, use pam for root login Please use username "root@pam" for login via GUI. 2019-02-01 08:30:50 +00:00			`auth.authenticate()?;`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`return Ok(());`
			`}`

			`bail!("inavlid credentials");`
			`}`

first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`#[api]`
			`#[input({`
			`properties: {`
			`username: {`
			`type: String,`
			`description: "User name.",`
			`max_length: 64,`
			`},`
			`password: {`
			`type: String,`
			`description: "The secret password. This can also be a valid ticket.",`
			`},`
			`},`
			`})]`
			`#[returns({`
			`properties: {`
			`username: {`
			`type: String,`
			`description: "User name.",`
			`},`
			`ticket: {`
			`type: String,`
			`description: "Auth ticket.",`
			`},`
			`CSRFPreventionToken: {`
			`type: String,`
			`description: "Cross Site Request Forgery Prevention Token.",`
			`},`
			`},`
			`})]`
			`#[protected]`
			`/// Create or verify authentication ticket.`
			`///`
			`/// Returns: An authentication ticket with additional infos.`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`fn create_ticket(`
			`param: Value,`
			`_info: &ApiMethod,`
tree-wide: use 'dyn' for all trait objects Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-06-07 11:10:56 +00:00			`_rpcenv: &mut dyn RpcEnvironment,`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`) -> Result<Value, Error> {`

			`let username = tools::required_string_param(&param, "username")?;`
			`let password = tools::required_string_param(&param, "password")?;`

			`match authenticate_user(username, password) {`
			`Ok(_) => {`

server/rest.rs: verify auth cookie 2019-01-31 11:22:00 +00:00			`let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(username), None)?;`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00
			`let token = assemble_csrf_prevention_token(csrf_secret(), username);`

			`log::info!("successful auth for user '{}'", username);`

avoid some clippy warnings 2019-10-26 09:36:01 +00:00			`Ok(json!({`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`"username": username,`
			`"ticket": ticket,`
			`"CSRFPreventionToken": token,`
avoid some clippy warnings 2019-10-26 09:36:01 +00:00			`}))`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`}`
			`Err(err) => {`
			`let client_ip = "unknown"; // $rpcenv->get_client_ip() \|\| '';`
			`log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());`
avoid some clippy warnings 2019-10-26 09:36:01 +00:00			`Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))`
api2/access.rs: add ticket api 2019-01-30 14:14:20 +00:00			`}`
			`}`
			`}`

sort all property lookup tables Required, because we use binary sreach to find items. 2019-11-21 12:10:49 +00:00			`#[sortable]`
use const api definitions 2019-11-21 08:36:41 +00:00			`const SUBDIRS: SubdirMap = &[`
			`(`
			`"ticket", &Router::new()`
first api macro usage test/example Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-27 09:05:37 +00:00			`.post(&API_METHOD_CREATE_TICKET)`
use const api definitions 2019-11-21 08:36:41 +00:00			`)`
			`];`

			`pub const ROUTER: Router = Router::new()`
			`.get(&list_subdirs_api_method!(SUBDIRS))`
			`.subdirs(SUBDIRS);`