proxmox-backup/src/auth.rs

//! Proxmox Backup Server Authentication
//!
//! This library contains helper to authenticate users.

use std::process::{Command, Stdio};
use std::io::Write;
use std::ffi::{CString, CStr};

use anyhow::{bail, format_err, Error};
use serde_json::json;

use crate::api2::types::{Userid, UsernameRef, RealmRef};

pub trait ProxmoxAuthenticator {
    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
    fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
}

pub struct PAM();

impl ProxmoxAuthenticator for PAM {

    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
        auth.get_handler().set_credentials(username.as_str(), password);
        auth.authenticate()?;
        Ok(())
    }

    fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let mut child = Command::new("passwd")
            .arg(username.as_str())
            .stdin(Stdio::piped())
            .stderr(Stdio::piped())
            .spawn()
            .map_err(|err| format_err!(
                "unable to set password for '{}' - execute passwd failed: {}",
                username.as_str(),
                err,
            ))?;

        // Note: passwd reads password twice from stdin (for verify)
        writeln!(child.stdin.as_mut().unwrap(), "{}\n{}", password, password)?;

        let output = child
            .wait_with_output()
            .map_err(|err| format_err!(
                "unable to set password for '{}' - wait failed: {}",
                username.as_str(),
                err,
            ))?;

        if !output.status.success() {
            bail!(
                "unable to set password for '{}' - {}",
                username.as_str(),
                String::from_utf8_lossy(&output.stderr),
            );
        }

        Ok(())
    }
}

pub struct PBS();

pub fn crypt(password: &[u8], salt: &str) -> Result<String, Error> {

    #[link(name="crypt")]
    extern "C" {
        #[link_name = "crypt"]
        fn __crypt(key: *const libc::c_char, salt:  *const libc::c_char) -> * mut libc::c_char;
    }

    let salt = CString::new(salt)?;
    let password = CString::new(password)?;

    let res = unsafe {
        CStr::from_ptr(
            __crypt(
                password.as_c_str().as_ptr(),
                salt.as_c_str().as_ptr()
            )
        )
    };
    Ok(String::from(res.to_str()?))
}


pub fn encrypt_pw(password: &str) -> Result<String, Error> {

    let salt = proxmox::sys::linux::random_data(8)?;
    let salt = format!("$5${}$", base64::encode_config(&salt, base64::CRYPT));

    crypt(password.as_bytes(), &salt)
}

pub fn verify_crypt_pw(password: &str, enc_password: &str) -> Result<(), Error> {
    let verify = crypt(password.as_bytes(), enc_password)?;
    if verify != enc_password {
        bail!("invalid credentials");
    }
    Ok(())
}

const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");

impl ProxmoxAuthenticator for PBS {

    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        match data[username.as_str()].as_str() {
            None => bail!("no password set"),
            Some(enc_password) => verify_crypt_pw(password, enc_password)?,
        }
        Ok(())
    }

    fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let enc_password = encrypt_pw(password)?;
        let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        data[username.as_str()] = enc_password.into();

        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
        let options =  proxmox::tools::fs::CreateOptions::new()
            .perm(mode)
            .owner(nix::unistd::ROOT)
            .group(nix::unistd::Gid::from_raw(0));

        let data = serde_json::to_vec_pretty(&data)?;
        proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;

        Ok(())
    }
}

/// Lookup the autenticator for the specified realm
pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {
    match realm.as_str() {
        "pam" => Ok(Box::new(PAM())),
        "pbs" => Ok(Box::new(PBS())),
        _ => bail!("unknown realm '{}'", realm.as_str()),
    }
}

/// Authenticate users
pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {

    lookup_authenticator(userid.realm())?
        .authenticate_user(userid.name(), password)
}
implement auth framework 2020-04-08 09:57:14 +00:00			`//! Proxmox Backup Server Authentication`
			`//!`
			`//! This library contains helper to authenticate users.`

			`use std::process::{Command, Stdio};`
			`use std::io::Write;`
			`use std::ffi::{CString, CStr};`

switch from failure to anyhow Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-04-17 12:11:25 +00:00			`use anyhow::{bail, format_err, Error};`
implement auth framework 2020-04-08 09:57:14 +00:00			`use serde_json::json;`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`use crate::api2::types::{Userid, UsernameRef, RealmRef};`

implement auth framework 2020-04-08 09:57:14 +00:00			`pub trait ProxmoxAuthenticator {`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;`
			`fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

			`pub struct PAM();`

			`impl ProxmoxAuthenticator for PAM {`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
implement auth framework 2020-04-08 09:57:14 +00:00			`let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`auth.get_handler().set_credentials(username.as_str(), password);`
implement auth framework 2020-04-08 09:57:14 +00:00			`auth.authenticate()?;`
clippy fixups Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-10-14 09:18:26 +00:00			`Ok(())`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
implement auth framework 2020-04-08 09:57:14 +00:00			`let mut child = Command::new("passwd")`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`.arg(username.as_str())`
implement auth framework 2020-04-08 09:57:14 +00:00			`.stdin(Stdio::piped())`
			`.stderr(Stdio::piped())`
			`.spawn()`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`.map_err(\|err\| format_err!(`
			`"unable to set password for '{}' - execute passwd failed: {}",`
			`username.as_str(),`
			`err,`
			`))?;`
implement auth framework 2020-04-08 09:57:14 +00:00
			`// Note: passwd reads password twice from stdin (for verify)`
			`writeln!(child.stdin.as_mut().unwrap(), "{}\n{}", password, password)?;`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`let output = child`
			`.wait_with_output()`
			`.map_err(\|err\| format_err!(`
			`"unable to set password for '{}' - wait failed: {}",`
			`username.as_str(),`
			`err,`
			`))?;`
implement auth framework 2020-04-08 09:57:14 +00:00
			`if !output.status.success() {`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`bail!(`
			`"unable to set password for '{}' - {}",`
			`username.as_str(),`
			`String::from_utf8_lossy(&output.stderr),`
			`);`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

			`Ok(())`
			`}`
			`}`

			`pub struct PBS();`

			`pub fn crypt(password: &[u8], salt: &str) -> Result<String, Error> {`

			`#[link(name="crypt")]`
			`extern "C" {`
			`#[link_name = "crypt"]`
			`fn __crypt(key: const libc::c_char, salt: const libc::c_char) -> * mut libc::c_char;`
			`}`

			`let salt = CString::new(salt)?;`
			`let password = CString::new(password)?;`

			`let res = unsafe {`
			`CStr::from_ptr(`
			`__crypt(`
			`password.as_c_str().as_ptr(),`
			`salt.as_c_str().as_ptr()`
			`)`
			`)`
			`};`
			`Ok(String::from(res.to_str()?))`
			`}`


			`pub fn encrypt_pw(password: &str) -> Result<String, Error> {`

			`let salt = proxmox::sys::linux::random_data(8)?;`
			`let salt = format!("$5${}$", base64::encode_config(&salt, base64::CRYPT));`

			`crypt(password.as_bytes(), &salt)`
			`}`

			`pub fn verify_crypt_pw(password: &str, enc_password: &str) -> Result<(), Error> {`
			`let verify = crypt(password.as_bytes(), enc_password)?;`
clippy fixups Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-10-14 09:18:26 +00:00			`if verify != enc_password {`
implement auth framework 2020-04-08 09:57:14 +00:00			`bail!("invalid credentials");`
			`}`
			`Ok(())`
			`}`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");`
implement auth framework 2020-04-08 09:57:14 +00:00
			`impl ProxmoxAuthenticator for PBS {`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
implement auth framework 2020-04-08 09:57:14 +00:00			`let data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`match data[username.as_str()].as_str() {`
implement auth framework 2020-04-08 09:57:14 +00:00			`None => bail!("no password set"),`
			`Some(enc_password) => verify_crypt_pw(password, enc_password)?,`
			`}`
			`Ok(())`
			`}`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
implement auth framework 2020-04-08 09:57:14 +00:00			`let enc_password = encrypt_pw(password)?;`
			`let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`data[username.as_str()] = enc_password.into();`
implement auth framework 2020-04-08 09:57:14 +00:00
			`let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);`
			`let options = proxmox::tools::fs::CreateOptions::new()`
			`.perm(mode)`
			`.owner(nix::unistd::ROOT)`
			`.group(nix::unistd::Gid::from_raw(0));`

			`let data = serde_json::to_vec_pretty(&data)?;`
			`proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;`

			`Ok(())`
			`}`
			`}`

start impl. access permissions 2020-04-16 08:01:59 +00:00			`/// Lookup the autenticator for the specified realm`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {`
			`match realm.as_str() {`
implement auth framework 2020-04-08 09:57:14 +00:00			`"pam" => Ok(Box::new(PAM())),`
			`"pbs" => Ok(Box::new(PBS())),`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`_ => bail!("unknown realm '{}'", realm.as_str()),`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`
			`}`

start impl. access permissions 2020-04-16 08:01:59 +00:00			`/// Authenticate users`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {`
implement auth framework 2020-04-08 09:57:14 +00:00
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`lookup_authenticator(userid.realm())?`
			`.authenticate_user(userid.name(), password)`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`