proxmox-backup/src/auth_helpers.rs

use std::path::PathBuf;

use anyhow::{bail, format_err, Error};
use lazy_static::lazy_static;
use openssl::pkey::{PKey, Private, Public};
use openssl::rsa::Rsa;
use openssl::sha;

use proxmox_lang::try_block;
use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};

use pbs_api_types::Userid;
use pbs_buildcfg::configdir;

fn compute_csrf_secret_digest(timestamp: i64, secret: &[u8], userid: &Userid) -> String {
    let mut hasher = sha::Sha256::new();
    let data = format!("{:08X}:{}:", timestamp, userid);
    hasher.update(data.as_bytes());
    hasher.update(secret);

    base64::encode_config(&hasher.finish(), base64::STANDARD_NO_PAD)
}

pub fn assemble_csrf_prevention_token(secret: &[u8], userid: &Userid) -> String {
    let epoch = proxmox_time::epoch_i64();

    let digest = compute_csrf_secret_digest(epoch, secret, userid);

    format!("{:08X}:{}", epoch, digest)
}

pub fn verify_csrf_prevention_token(
    secret: &[u8],
    userid: &Userid,
    token: &str,
    min_age: i64,
    max_age: i64,
) -> Result<i64, Error> {
    use std::collections::VecDeque;

    let mut parts: VecDeque<&str> = token.split(':').collect();

    try_block!({
        if parts.len() != 2 {
            bail!("format error - wrong number of parts.");
        }

        let timestamp = parts.pop_front().unwrap();
        let sig = parts.pop_front().unwrap();

        let ttime = i64::from_str_radix(timestamp, 16)
            .map_err(|err| format_err!("timestamp format error - {}", err))?;

        let digest = compute_csrf_secret_digest(ttime, secret, userid);

        if digest != sig {
            bail!("invalid signature.");
        }

        let now = proxmox_time::epoch_i64();

        let age = now - ttime;
        if age < min_age {
            bail!("timestamp newer than expected.");
        }

        if age > max_age {
            bail!("timestamp too old.");
        }

        Ok(age)
    })
    .map_err(|err| format_err!("invalid csrf token - {}", err))
}

pub fn generate_csrf_key() -> Result<(), Error> {
    let path = PathBuf::from(configdir!("/csrf.key"));

    if path.exists() {
        return Ok(());
    }

    let rsa = Rsa::generate(2048).unwrap();

    let pem = rsa.private_key_to_pem()?;

    use nix::sys::stat::Mode;

    let backup_user = pbs_config::backup_user()?;

    replace_file(
        &path,
        &pem,
        CreateOptions::new()
            .perm(Mode::from_bits_truncate(0o0640))
            .owner(nix::unistd::ROOT)
            .group(backup_user.gid),
        true,
    )?;

    Ok(())
}

pub fn generate_auth_key() -> Result<(), Error> {
    let priv_path = PathBuf::from(configdir!("/authkey.key"));

    let mut public_path = priv_path.clone();
    public_path.set_extension("pub");

    if priv_path.exists() && public_path.exists() {
        return Ok(());
    }

    let rsa = Rsa::generate(4096).unwrap();

    let priv_pem = rsa.private_key_to_pem()?;

    use nix::sys::stat::Mode;

    replace_file(
        &priv_path,
        &priv_pem,
        CreateOptions::new().perm(Mode::from_bits_truncate(0o0600)),
        true,
    )?;

    let public_pem = rsa.public_key_to_pem()?;

    let backup_user = pbs_config::backup_user()?;

    replace_file(
        &public_path,
        &public_pem,
        CreateOptions::new()
            .perm(Mode::from_bits_truncate(0o0640))
            .owner(nix::unistd::ROOT)
            .group(backup_user.gid),
        true,
    )?;

    Ok(())
}

pub fn csrf_secret() -> &'static [u8] {
    lazy_static! {
        static ref SECRET: Vec<u8> = file_get_contents(configdir!("/csrf.key")).unwrap();
    }

    &SECRET
}

fn load_public_auth_key() -> Result<PKey<Public>, Error> {
    let pem = file_get_contents(configdir!("/authkey.pub"))?;
    let rsa = Rsa::public_key_from_pem(&pem)?;
    let key = PKey::from_rsa(rsa)?;

    Ok(key)
}

pub fn public_auth_key() -> &'static PKey<Public> {
    lazy_static! {
        static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
    }

    &KEY
}

fn load_private_auth_key() -> Result<PKey<Private>, Error> {
    let pem = file_get_contents(configdir!("/authkey.key"))?;
    let rsa = Rsa::private_key_from_pem(&pem)?;
    let key = PKey::from_rsa(rsa)?;

    Ok(key)
}

pub fn private_auth_key() -> &'static PKey<Private> {
    lazy_static! {
        static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
    }

    &KEY
}
move more tools for the client into subcrates Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-07-15 10:15:50 +00:00			`use std::path::PathBuf;`

switch from failure to anyhow Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-04-17 12:11:25 +00:00			`use anyhow::{bail, format_err, Error};`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`use lazy_static::lazy_static;`
drop pbs_tools::auth `pbs_client::connect_to_localhost` now requires the key as optional parameter Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-09-29 09:05:26 +00:00			`use openssl::pkey::{PKey, Private, Public};`
move more tools for the client into subcrates Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-07-15 10:15:50 +00:00			`use openssl::rsa::Rsa;`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`use openssl::sha;`
load auth keys on startup 2019-01-29 16:21:58 +00:00
update to first proxmox crate split Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-10-08 09:19:37 +00:00			`use proxmox_lang::try_block;`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};`
update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00
move more tools for the client into subcrates Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-07-15 10:15:50 +00:00			`use pbs_api_types::Userid;`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`use pbs_buildcfg::configdir;`
refactor time functions to tools Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-06-10 10:02:56 +00:00
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`fn compute_csrf_secret_digest(timestamp: i64, secret: &[u8], userid: &Userid) -> String {`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`let mut hasher = sha::Sha256::new();`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`let data = format!("{:08X}:{}:", timestamp, userid);`
auth_helpers.rs: add timestamp to csrf token 2019-01-29 16:50:03 +00:00			`hasher.update(data.as_bytes());`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`hasher.update(secret);`

cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`base64::encode_config(&hasher.finish(), base64::STANDARD_NO_PAD)`
			`}`

rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`pub fn assemble_csrf_prevention_token(secret: &[u8], userid: &Userid) -> String {`
update to first proxmox crate split Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-10-08 09:19:37 +00:00			`let epoch = proxmox_time::epoch_i64();`
cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`let digest = compute_csrf_secret_digest(epoch, secret, userid);`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00
auth_helpers.rs: add timestamp to csrf token 2019-01-29 16:50:03 +00:00			`format!("{:08X}:{}", epoch, digest)`
auth_helpers.rs: implement assemble_csrf_prevention_token 2019-01-29 16:41:45 +00:00			`}`

cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`pub fn verify_csrf_prevention_token(`
			`secret: &[u8],`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`userid: &Userid,`
cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`token: &str,`
			`min_age: i64,`
			`max_age: i64,`
			`) -> Result<i64, Error> {`
			`use std::collections::VecDeque;`

			`let mut parts: VecDeque<&str> = token.split(':').collect();`

			`try_block!({`
			`if parts.len() != 2 {`
			`bail!("format error - wrong number of parts.");`
			`}`

			`let timestamp = parts.pop_front().unwrap();`
			`let sig = parts.pop_front().unwrap();`

rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`let ttime = i64::from_str_radix(timestamp, 16)`
			`.map_err(\|err\| format_err!("timestamp format error - {}", err))?;`
cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`let digest = compute_csrf_secret_digest(ttime, secret, userid);`
cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00
			`if digest != sig {`
			`bail!("invalid signature.");`
			`}`

update to first proxmox crate split Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-10-08 09:19:37 +00:00			`let now = proxmox_time::epoch_i64();`
cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00
			`let age = now - ttime;`
			`if age < min_age {`
			`bail!("timestamp newer than expected.");`
			`}`

			`if age > max_age {`
			`bail!("timestamp too old.");`
			`}`

			`Ok(age)`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`})`
			`.map_err(\|err\| format_err!("invalid csrf token - {}", err))`
cleanup auth code, verify CSRF prevention token 2019-02-16 14:52:55 +00:00			`}`

auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00			`pub fn generate_csrf_key() -> Result<(), Error> {`
introduce buildcfg module and PROXMOX_CONFIGDIR buildcfg.rs should contain convenience variables or macros for using build-time configured variables For now we replace hardcoded "/etc/proxmox-backup/<foo>" with configdir!("<foo>"). Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-02-04 14:13:03 +00:00			`let path = PathBuf::from(configdir!("/csrf.key"));`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`if path.exists() {`
			`return Ok(());`
			`}`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`let rsa = Rsa::generate(2048).unwrap();`

			`let pem = rsa.private_key_to_pem()?;`

			`use nix::sys::stat::Mode;`

start new pbs-config workspace moved src/config/domains.rs 2021-09-02 10:47:11 +00:00			`let backup_user = pbs_config::backup_user()?;`
change proxy user from www-data to backup 2019-02-16 08:29:04 +00:00
replace file_set_contents with replace_file Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-18 10:05:30 +00:00			`replace_file(`
			`&path,`
			`&pem,`
			`CreateOptions::new()`
			`.perm(Mode::from_bits_truncate(0o0640))`
			`.owner(nix::unistd::ROOT)`
remove tools::getpwnam_ugid, impl. crate::backup::backup_user() And use new nix::unistd::User struct. 2019-12-19 09:20:13 +00:00			`.group(backup_user.gid),`
use new fsync parameter to replace_file and atomic_open_or_create Depend on proxmox 0.15.0 and proxmox-openid 0.8.1 Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-10-20 12:56:15 +00:00			`true,`
replace file_set_contents with replace_file Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-18 10:05:30 +00:00			`)?;`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`Ok(())`
			`}`

			`pub fn generate_auth_key() -> Result<(), Error> {`
introduce buildcfg module and PROXMOX_CONFIGDIR buildcfg.rs should contain convenience variables or macros for using build-time configured variables For now we replace hardcoded "/etc/proxmox-backup/<foo>" with configdir!("<foo>"). Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-02-04 14:13:03 +00:00			`let priv_path = PathBuf::from(configdir!("/authkey.key"));`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`let mut public_path = priv_path.clone();`
			`public_path.set_extension("pub");`

rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`if priv_path.exists() && public_path.exists() {`
			`return Ok(());`
			`}`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`let rsa = Rsa::generate(4096).unwrap();`

			`let priv_pem = rsa.private_key_to_pem()?;`

			`use nix::sys::stat::Mode;`

replace file_set_contents with replace_file Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-18 10:05:30 +00:00			`replace_file(`
use new fsync parameter to replace_file and atomic_open_or_create Depend on proxmox 0.15.0 and proxmox-openid 0.8.1 Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-10-20 12:56:15 +00:00			`&priv_path,`
			`&priv_pem,`
			`CreateOptions::new().perm(Mode::from_bits_truncate(0o0600)),`
			`true,`
			`)?;`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`let public_pem = rsa.public_key_to_pem()?;`

start new pbs-config workspace moved src/config/domains.rs 2021-09-02 10:47:11 +00:00			`let backup_user = pbs_config::backup_user()?;`
generate authkey: public part needs to be readable by backup group else the API proxy cannot use it and fails to run.. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2019-12-17 08:53:21 +00:00
replace file_set_contents with replace_file Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-18 10:05:30 +00:00			`replace_file(`
			`&public_path,`
			`&public_pem,`
			`CreateOptions::new()`
			`.perm(Mode::from_bits_truncate(0o0640))`
			`.owner(nix::unistd::ROOT)`
remove tools::getpwnam_ugid, impl. crate::backup::backup_user() And use new nix::unistd::User struct. 2019-12-19 09:20:13 +00:00			`.group(backup_user.gid),`
use new fsync parameter to replace_file and atomic_open_or_create Depend on proxmox 0.15.0 and proxmox-openid 0.8.1 Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-10-20 12:56:15 +00:00			`true,`
replace file_set_contents with replace_file Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-18 10:05:30 +00:00			`)?;`
auth_helpers.rs: split code into separate file 2019-01-29 15:55:49 +00:00
			`Ok(())`
			`}`
load auth keys on startup 2019-01-29 16:21:58 +00:00
			`pub fn csrf_secret() -> &'static [u8] {`
			`lazy_static! {`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`static ref SECRET: Vec<u8> = file_get_contents(configdir!("/csrf.key")).unwrap();`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`}`

			`&SECRET`
			`}`

			`fn load_public_auth_key() -> Result<PKey<Public>, Error> {`
update to nix 0.14, use code from proxmox:tools 2019-08-03 11:05:38 +00:00			`let pem = file_get_contents(configdir!("/authkey.pub"))?;`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`let rsa = Rsa::public_key_from_pem(&pem)?;`
			`let key = PKey::from_rsa(rsa)?;`

			`Ok(key)`
			`}`

			`pub fn public_auth_key() -> &'static PKey<Public> {`
			`lazy_static! {`
			`static ref KEY: PKey<Public> = load_public_auth_key().unwrap();`
			`}`

			`&KEY`
			`}`
drop pbs_tools::auth `pbs_client::connect_to_localhost` now requires the key as optional parameter Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-09-29 09:05:26 +00:00
			`fn load_private_auth_key() -> Result<PKey<Private>, Error> {`
			`let pem = file_get_contents(configdir!("/authkey.key"))?;`
			`let rsa = Rsa::private_key_from_pem(&pem)?;`
			`let key = PKey::from_rsa(rsa)?;`

			`Ok(key)`
			`}`

			`pub fn private_auth_key() -> &'static PKey<Private> {`
			`lazy_static! {`
			`static ref KEY: PKey<Private> = load_private_auth_key().unwrap();`
			`}`

			`&KEY`
			`}`