proxmox-backup/src/auth_helpers.rs

use failure::*;
use lazy_static::lazy_static;

use openssl::rsa::{Rsa};
use openssl::pkey::{PKey, Public, Private};
use openssl::sha;

use std::path::PathBuf;

use proxmox::tools::{
    try_block,
    fs::{file_get_contents, file_set_contents, file_set_contents_full},
};

fn compute_csrf_secret_digest(
    timestamp: i64,
    secret: &[u8],
    username: &str,
) -> String {

    let mut hasher = sha::Sha256::new();
    let data = format!("{:08X}:{}:", timestamp, username);
    hasher.update(data.as_bytes());
    hasher.update(secret);

    base64::encode_config(&hasher.finish(), base64::STANDARD_NO_PAD)
}

pub fn assemble_csrf_prevention_token(
    secret: &[u8],
    username: &str,
) -> String {

    let epoch = std::time::SystemTime::now().duration_since(
        std::time::SystemTime::UNIX_EPOCH).unwrap().as_secs() as i64;

    let digest = compute_csrf_secret_digest(epoch, secret, username);

    format!("{:08X}:{}", epoch, digest)
}

pub fn verify_csrf_prevention_token(
    secret: &[u8],
    username: &str,
    token: &str,
    min_age: i64,
    max_age: i64,
) -> Result<i64, Error> {

    use std::collections::VecDeque;

    let mut parts: VecDeque<&str> = token.split(':').collect();

    try_block!({

        if parts.len() != 2 {
            bail!("format error - wrong number of parts.");
        }

        let timestamp = parts.pop_front().unwrap();
        let sig = parts.pop_front().unwrap();

        let ttime = i64::from_str_radix(timestamp, 16).
            map_err(|err| format_err!("timestamp format error - {}", err))?;

        let digest = compute_csrf_secret_digest(ttime, secret, username);

        if digest != sig {
            bail!("invalid signature.");
        }

        let now = std::time::SystemTime::now().duration_since(
            std::time::SystemTime::UNIX_EPOCH)?.as_secs() as i64;

        let age = now - ttime;
        if age < min_age {
            bail!("timestamp newer than expected.");
        }

        if age > max_age {
            bail!("timestamp too old.");
        }

        Ok(age)
    }).map_err(|err| format_err!("invalid csrf token - {}", err))
}

pub fn generate_csrf_key() -> Result<(), Error> {

    let path = PathBuf::from(configdir!("/csrf.key"));

    if path.exists() { return Ok(()); }

    let rsa = Rsa::generate(2048).unwrap();

    let pem = rsa.private_key_to_pem()?;

    use nix::sys::stat::Mode;

    let (_, backup_gid) = crate::tools::getpwnam_ugid("backup")?;
    let uid = Some(nix::unistd::ROOT);
    let gid = Some(nix::unistd::Gid::from_raw(backup_gid));

    file_set_contents_full(
        &path, &pem, Some(Mode::from_bits_truncate(0o0640)), uid, gid)?;

    Ok(())
}

pub fn generate_auth_key() -> Result<(), Error> {

    let priv_path = PathBuf::from(configdir!("/authkey.key"));

    let mut public_path = priv_path.clone();
    public_path.set_extension("pub");

    if priv_path.exists() && public_path.exists() { return Ok(()); }

    let rsa = Rsa::generate(4096).unwrap();

    let priv_pem = rsa.private_key_to_pem()?;

    use nix::sys::stat::Mode;

    file_set_contents(
        &priv_path, &priv_pem, Some(Mode::from_bits_truncate(0o0600)))?;


    let public_pem = rsa.public_key_to_pem()?;

    file_set_contents(&public_path, &public_pem, None)?;

    Ok(())
}

pub fn csrf_secret() -> &'static [u8] {

    lazy_static! {
        static ref SECRET: Vec<u8> =
            file_get_contents(configdir!("/csrf.key")).unwrap();
    }

    &SECRET
}

fn load_private_auth_key() -> Result<PKey<Private>, Error> {

    let pem = file_get_contents(configdir!("/authkey.key"))?;
    let rsa = Rsa::private_key_from_pem(&pem)?;
    let key = PKey::from_rsa(rsa)?;

    Ok(key)
}

pub fn private_auth_key() -> &'static PKey<Private> {

    lazy_static! {
        static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
    }

    &KEY
}

fn load_public_auth_key() -> Result<PKey<Public>, Error> {

    let pem = file_get_contents(configdir!("/authkey.pub"))?;
    let rsa = Rsa::public_key_from_pem(&pem)?;
    let key = PKey::from_rsa(rsa)?;

    Ok(key)
}

pub fn public_auth_key() -> &'static PKey<Public> {

    lazy_static! {
        static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
    }

    &KEY
}
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00			`use failure::*;`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`use lazy_static::lazy_static;`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`use openssl::rsa::{Rsa};`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`use openssl::pkey::{PKey, Public, Private};`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`use openssl::sha;`
load auth keys on startup 2019-01-29 16:21:58 +00:00
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00			`use std::path::PathBuf;`

update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`use proxmox::tools::{`
			`try_block,`
			`fs::{file_get_contents, file_set_contents, file_set_contents_full},`
			`};`

cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`fn compute_csrf_secret_digest(`
			`timestamp: i64,`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`secret: &[u8],`
			`username: &str,`
			`) -> String {`

			`let mut hasher = sha::Sha256::new();`
cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`let data = format!("{:08X}:{}:", timestamp, username);`
auth_helpers.rs: add timestamp to csrf token 2019-01-29 16:50:03 +00:00			`hasher.update(data.as_bytes());`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`hasher.update(secret);`

cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`base64::encode_config(&hasher.finish(), base64::STANDARD_NO_PAD)`
			`}`

			`pub fn assemble_csrf_prevention_token(`
			`secret: &[u8],`
			`username: &str,`
			`) -> String {`

			`let epoch = std::time::SystemTime::now().duration_since(`
			`std::time::SystemTime::UNIX_EPOCH).unwrap().as_secs() as i64;`

			`let digest = compute_csrf_secret_digest(epoch, secret, username);`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00
auth_helpers.rs: add timestamp to csrf token 2019-01-29 16:50:03 +00:00			`format!("{:08X}:{}", epoch, digest)`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`}`

cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`pub fn verify_csrf_prevention_token(`
			`secret: &[u8],`
			`username: &str,`
			`token: &str,`
			`min_age: i64,`
			`max_age: i64,`
			`) -> Result<i64, Error> {`

			`use std::collections::VecDeque;`

			`let mut parts: VecDeque<&str> = token.split(':').collect();`

			`try_block!({`

			`if parts.len() != 2 {`
			`bail!("format error - wrong number of parts.");`
			`}`

			`let timestamp = parts.pop_front().unwrap();`
			`let sig = parts.pop_front().unwrap();`

			`let ttime = i64::from_str_radix(timestamp, 16).`
			`map_err(\|err\| format_err!("timestamp format error - {}", err))?;`

			`let digest = compute_csrf_secret_digest(ttime, secret, username);`

			`if digest != sig {`
			`bail!("invalid signature.");`
			`}`

			`let now = std::time::SystemTime::now().duration_since(`
			`std::time::SystemTime::UNIX_EPOCH)?.as_secs() as i64;`

			`let age = now - ttime;`
			`if age < min_age {`
			`bail!("timestamp newer than expected.");`
			`}`

			`if age > max_age {`
			`bail!("timestamp too old.");`
			`}`

			`Ok(age)`
			`}).map_err(\|err\| format_err!("invalid csrf token - {}", err))`
			`}`

auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00			`pub fn generate_csrf_key() -> Result<(), Error> {`

introduce buildcfg module and PROXMOX_CONFIGDIR buildcfg.rs should contain convenience variables or macros for using build-time configured variables For now we replace hardcoded "/etc/proxmox-backup/<foo>" with configdir!("<foo>"). Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-02-04 14:13:03 +00:00			`let path = PathBuf::from(configdir!("/csrf.key"));`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`if path.exists() { return Ok(()); }`

			`let rsa = Rsa::generate(2048).unwrap();`

			`let pem = rsa.private_key_to_pem()?;`

			`use nix::sys::stat::Mode;`

update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`let (_, backup_gid) = crate::tools::getpwnam_ugid("backup")?;`
src/server/worker_task.rs: carefully handle file permissions 2019-04-06 15:53:12 +00:00			`let uid = Some(nix::unistd::ROOT);`
			`let gid = Some(nix::unistd::Gid::from_raw(backup_gid));`
change proxy user from www-data to backup 2019-02-16 08:29:04 +00:00
update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`file_set_contents_full(`
src/server/worker_task.rs: carefully handle file permissions 2019-04-06 15:53:12 +00:00			`&path, &pem, Some(Mode::from_bits_truncate(0o0640)), uid, gid)?;`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`Ok(())`
			`}`

			`pub fn generate_auth_key() -> Result<(), Error> {`

introduce buildcfg module and PROXMOX_CONFIGDIR buildcfg.rs should contain convenience variables or macros for using build-time configured variables For now we replace hardcoded "/etc/proxmox-backup/<foo>" with configdir!("<foo>"). Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-02-04 14:13:03 +00:00			`let priv_path = PathBuf::from(configdir!("/authkey.key"));`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`let mut public_path = priv_path.clone();`
			`public_path.set_extension("pub");`

			`if priv_path.exists() && public_path.exists() { return Ok(()); }`

			`let rsa = Rsa::generate(4096).unwrap();`

			`let priv_pem = rsa.private_key_to_pem()?;`

			`use nix::sys::stat::Mode;`

update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`file_set_contents(`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00			`&priv_path, &priv_pem, Some(Mode::from_bits_truncate(0o0600)))?;`


			`let public_pem = rsa.public_key_to_pem()?;`

update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`file_set_contents(&public_path, &public_pem, None)?;`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`Ok(())`
			`}`
load auth keys on startup 2019-01-29 16:21:58 +00:00
			`pub fn csrf_secret() -> &'static [u8] {`

			`lazy_static! {`
			`static ref SECRET: Vec<u8> =`
update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`file_get_contents(configdir!("/csrf.key")).unwrap();`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`}`

			`&SECRET`
			`}`

			`fn load_private_auth_key() -> Result<PKey<Private>, Error> {`

update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`let pem = file_get_contents(configdir!("/authkey.key"))?;`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`let rsa = Rsa::private_key_from_pem(&pem)?;`
			`let key = PKey::from_rsa(rsa)?;`

			`Ok(key)`
			`}`

			`pub fn private_auth_key() -> &'static PKey<Private> {`

			`lazy_static! {`
			`static ref KEY: PKey<Private> = load_private_auth_key().unwrap();`
			`}`

			`&KEY`
			`}`

			`fn load_public_auth_key() -> Result<PKey<Public>, Error> {`

update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`let pem = file_get_contents(configdir!("/authkey.pub"))?;`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`let rsa = Rsa::public_key_from_pem(&pem)?;`
			`let key = PKey::from_rsa(rsa)?;`

			`Ok(key)`
			`}`

			`pub fn public_auth_key() -> &'static PKey<Public> {`

			`lazy_static! {`
			`static ref KEY: PKey<Public> = load_public_auth_key().unwrap();`
			`}`

			`&KEY`
			`}`