proxmox-backup/pbs-config/src/user.rs

use std::collections::HashMap;
use std::sync::{Arc, RwLock};

use anyhow::{bail, Error};
use lazy_static::lazy_static;

use proxmox_schema::*;
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};

use pbs_api_types::{ApiToken, Authid, User, Userid};

use crate::ConfigVersionCache;

use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};

lazy_static! {
    pub static ref CONFIG: SectionConfig = init();
}

fn init() -> SectionConfig {
    let mut config = SectionConfig::new(&Authid::API_SCHEMA);

    let user_schema = match User::API_SCHEMA {
        Schema::Object(ref user_schema) => user_schema,
        _ => unreachable!(),
    };
    let user_plugin =
        SectionConfigPlugin::new("user".to_string(), Some("userid".to_string()), user_schema);
    config.register_plugin(user_plugin);

    let token_schema = match ApiToken::API_SCHEMA {
        Schema::Object(ref token_schema) => token_schema,
        _ => unreachable!(),
    };
    let token_plugin = SectionConfigPlugin::new(
        "token".to_string(),
        Some("tokenid".to_string()),
        token_schema,
    );
    config.register_plugin(token_plugin);

    config
}

pub const USER_CFG_FILENAME: &str = "/etc/proxmox-backup/user.cfg";
pub const USER_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.user.lck";

/// Get exclusive lock
pub fn lock_config() -> Result<BackupLockGuard, Error> {
    open_backup_lockfile(USER_CFG_LOCKFILE, None, true)
}

pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
    let content = proxmox_sys::fs::file_read_optional_string(USER_CFG_FILENAME)?
        .unwrap_or_else(|| "".to_string());

    let digest = openssl::sha::sha256(content.as_bytes());
    let mut data = CONFIG.parse(USER_CFG_FILENAME, &content)?;

    if data.sections.get("root@pam").is_none() {
        let user: User = User {
            userid: Userid::root_userid().clone(),
            comment: Some("Superuser".to_string()),
            enable: None,
            expire: None,
            firstname: None,
            lastname: None,
            email: None,
        };
        data.set_data("root@pam", "user", &user).unwrap();
    }

    Ok((data, digest))
}

pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {
    struct ConfigCache {
        data: Option<Arc<SectionConfigData>>,
        last_mtime: i64,
        last_mtime_nsec: i64,
    }

    lazy_static! {
        static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new(ConfigCache {
            data: None,
            last_mtime: 0,
            last_mtime_nsec: 0
        });
    }

    let stat = match nix::sys::stat::stat(USER_CFG_FILENAME) {
        Ok(stat) => Some(stat),
        Err(nix::Error::Sys(nix::errno::Errno::ENOENT)) => None,
        Err(err) => bail!("unable to stat '{}' - {}", USER_CFG_FILENAME, err),
    };

    {
        // limit scope
        let cache = CACHED_CONFIG.read().unwrap();
        if let Some(ref config) = cache.data {
            if let Some(stat) = stat {
                if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec
                {
                    return Ok(config.clone());
                }
            } else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {
                return Ok(config.clone());
            }
        }
    }

    let (config, _digest) = config()?;
    let config = Arc::new(config);

    let mut cache = CACHED_CONFIG.write().unwrap();
    if let Some(stat) = stat {
        cache.last_mtime = stat.st_mtime;
        cache.last_mtime_nsec = stat.st_mtime_nsec;
    }
    cache.data = Some(config.clone());

    Ok(config)
}

pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
    let raw = CONFIG.write(USER_CFG_FILENAME, config)?;
    replace_backup_config(USER_CFG_FILENAME, raw.as_bytes())?;

    // increase user version
    // We use this in CachedUserInfo
    let version_cache = ConfigVersionCache::new()?;
    version_cache.increase_user_cache_generation();

    Ok(())
}

/// Only exposed for testing
#[doc(hidden)]
pub fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8; 32]), Error> {
    let cfg = init();
    let parsed = cfg.parse("test_user_cfg", raw)?;

    Ok((parsed, [0; 32]))
}

// shell completion helper
pub fn complete_userid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
    match config() {
        Ok((data, _digest)) => data
            .sections
            .iter()
            .filter_map(|(id, (section_type, _))| {
                if section_type == "user" {
                    Some(id.to_string())
                } else {
                    None
                }
            })
            .collect(),
        Err(_) => return vec![],
    }
}

// shell completion helper
pub fn complete_authid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
    match config() {
        Ok((data, _digest)) => data.sections.iter().map(|(id, _)| id.to_string()).collect(),
        Err(_) => vec![],
    }
}

// shell completion helper
pub fn complete_token_name(_arg: &str, param: &HashMap<String, String>) -> Vec<String> {
    let data = match config() {
        Ok((data, _digest)) => data,
        Err(_) => return Vec::new(),
    };

    match param.get("userid") {
        Some(userid) => {
            let user = data.lookup::<User>("user", userid);
            let tokens = data.convert_to_typed_array("token");
            match (user, tokens) {
                (Ok(_), Ok(tokens)) => tokens
                    .into_iter()
                    .filter_map(|token: ApiToken| {
                        let tokenid = token.tokenid;
                        if tokenid.is_token() && tokenid.user() == userid {
                            Some(tokenid.tokenname().unwrap().as_str().to_string())
                        } else {
                            None
                        }
                    })
                    .collect(),
                _ => vec![],
            }
        }
        None => vec![],
    }
}
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`use std::collections::HashMap;`
			`use std::sync::{Arc, RwLock};`

switch from failure to anyhow Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-04-17 12:11:25 +00:00			`use anyhow::{bail, Error};`
add user configiguration 2020-04-06 10:09:27 +00:00			`use lazy_static::lazy_static;`

update to first proxmox crate split Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-10-08 09:19:37 +00:00			`use proxmox_schema::*;`
			`use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};`
add user configiguration 2020-04-06 10:09:27 +00:00
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`use pbs_api_types::{ApiToken, Authid, User, Userid};`
move client to pbs-client subcrate Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-07-19 08:50:18 +00:00
pbs-config: use new SharedMemory helpers from proxmox-shared-memory crate depend on proxmox-shared-memory crate. Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-12 17:44:28 +00:00			`use crate::ConfigVersionCache;`
move user configuration to pbs_config workspace Also moved memcom.rs and cached_user_info.rs 2021-09-10 04:53:53 +00:00
			`use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};`
add user configiguration 2020-04-06 10:09:27 +00:00
			`lazy_static! {`
docs: add utility binary to generate docs 2021-02-10 09:27:40 +00:00			`pub static ref CONFIG: SectionConfig = init();`
add user configiguration 2020-04-06 10:09:27 +00:00			`}`

			`fn init() -> SectionConfig {`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`let mut config = SectionConfig::new(&Authid::API_SCHEMA);`

			`let user_schema = match User::API_SCHEMA {`
			`Schema::Object(ref user_schema) => user_schema,`
add user configiguration 2020-04-06 10:09:27 +00:00			`_ => unreachable!(),`
			`};`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`let user_plugin =`
			`SectionConfigPlugin::new("user".to_string(), Some("userid".to_string()), user_schema);`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`config.register_plugin(user_plugin);`
add user configiguration 2020-04-06 10:09:27 +00:00
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`let token_schema = match ApiToken::API_SCHEMA {`
			`Schema::Object(ref token_schema) => token_schema,`
			`_ => unreachable!(),`
			`};`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`let token_plugin = SectionConfigPlugin::new(`
			`"token".to_string(),`
			`Some("tokenid".to_string()),`
			`token_schema,`
			`);`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`config.register_plugin(token_plugin);`
add user configiguration 2020-04-06 10:09:27 +00:00
			`config`
			`}`

			`pub const USER_CFG_FILENAME: &str = "/etc/proxmox-backup/user.cfg";`
			`pub const USER_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.user.lck";`

cleanup User configuration: use Updater 2021-09-09 11:14:28 +00:00			`/// Get exclusive lock`
			`pub fn lock_config() -> Result<BackupLockGuard, Error> {`
			`open_backup_lockfile(USER_CFG_LOCKFILE, None, true)`
			`}`

config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {`
update to proxmox-sys 0.2 crate - imported pbs-api-types/src/common_regex.rs from old proxmox crate - use hex crate to generate/parse hex digest - remove all reference to proxmox crate (use proxmox-sys and proxmox-serde instead) Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-23 16:57:00 +00:00			`let content = proxmox_sys::fs::file_read_optional_string(USER_CFG_FILENAME)?`
clippy: us *_or_else with function calls Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2021-01-19 13:04:46 +00:00			`.unwrap_or_else(\|\| "".to_string());`
add user configiguration 2020-04-06 10:09:27 +00:00
			`let digest = openssl::sha::sha256(content.as_bytes());`
			`let mut data = CONFIG.parse(USER_CFG_FILENAME, &content)?;`

			`if data.sections.get("root@pam").is_none() {`
user: create default root user as typed struct we added a userid attribute to the User struct, but missed that we created the default user without that attribuet via the json! macro which lead to a runtime panic on the deserialization by using the struct directly, such errors will be caught by the compiler in the future with this change, we can remove the serde_json import here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-19 14:24:54 +00:00			`let user: User = User {`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`userid: Userid::root_userid().clone(),`
user: create default root user as typed struct we added a userid attribute to the User struct, but missed that we created the default user without that attribuet via the json! macro which lead to a runtime panic on the deserialization by using the struct directly, such errors will be caught by the compiler in the future with this change, we can remove the serde_json import here Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2020-05-19 14:24:54 +00:00			`comment: Some("Superuser".to_string()),`
			`enable: None,`
			`expire: None,`
			`firstname: None,`
			`lastname: None,`
			`email: None,`
			`};`
add user configiguration 2020-04-06 10:09:27 +00:00			`data.set_data("root@pam", "user", &user).unwrap();`
			`}`

			`Ok((data, digest))`
			`}`

src/config/user.rs - cached_config: do not store/return digest 2020-04-15 09:35:57 +00:00			`pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`struct ConfigCache {`
src/config/user.rs - cached_config: do not store/return digest 2020-04-15 09:35:57 +00:00			`data: Option<Arc<SectionConfigData>>,`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`last_mtime: i64,`
			`last_mtime_nsec: i64,`
			`}`

			`lazy_static! {`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new(ConfigCache {`
			`data: None,`
			`last_mtime: 0,`
			`last_mtime_nsec: 0`
			`});`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`}`

avoid problems with missing acl.cfg and user.cfg 2020-04-29 08:40:42 +00:00			`let stat = match nix::sys::stat::stat(USER_CFG_FILENAME) {`
			`Ok(stat) => Some(stat),`
			`Err(nix::Error::Sys(nix::errno::Errno::ENOENT)) => None,`
			`Err(err) => bail!("unable to stat '{}' - {}", USER_CFG_FILENAME, err),`
			`};`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`{`
			`// limit scope`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`let cache = CACHED_CONFIG.read().unwrap();`
cached_config: avoid parsing non-existent files multiple times 2020-04-30 05:04:23 +00:00			`if let Some(ref config) = cache.data {`
			`if let Some(stat) = stat {`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec`
			`{`
cached_config: avoid parsing non-existent files multiple times 2020-04-30 05:04:23 +00:00			`return Ok(config.clone());`
			`}`
			`} else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {`
src/config/user.rs - cached_config: do not store/return digest 2020-04-15 09:35:57 +00:00			`return Ok(config.clone());`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`}`
			`}`
			`}`

src/config/user.rs - cached_config: do not store/return digest 2020-04-15 09:35:57 +00:00			`let (config, _digest) = config()?;`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`let config = Arc::new(config);`

			`let mut cache = CACHED_CONFIG.write().unwrap();`
avoid problems with missing acl.cfg and user.cfg 2020-04-29 08:40:42 +00:00			`if let Some(stat) = stat {`
			`cache.last_mtime = stat.st_mtime;`
			`cache.last_mtime_nsec = stat.st_mtime_nsec;`
			`}`
src/config/user.rs - cached_config: do not store/return digest 2020-04-15 09:35:57 +00:00			`cache.data = Some(config.clone());`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00
src/config/user.rs - cached_config: do not store/return digest 2020-04-15 09:35:57 +00:00			`Ok(config)`
src/config/user.rs: implement user config cache 2020-04-14 11:45:45 +00:00			`}`

add user configiguration 2020-04-06 10:09:27 +00:00			`pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {`
tree-wide: fix needless borrows found and fixed via clippy Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2021-12-30 11:57:37 +00:00			`let raw = CONFIG.write(USER_CFG_FILENAME, config)?;`
cleanup User configuration: use Updater 2021-09-09 11:14:28 +00:00			`replace_backup_config(USER_CFG_FILENAME, raw.as_bytes())?;`
add user configiguration 2020-04-06 10:09:27 +00:00
pbs-config: use new SharedMemory helpers from proxmox-shared-memory crate depend on proxmox-shared-memory crate. Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-12 17:44:28 +00:00			`// increase user version`
fix CachedUserInfo by using a shared memory version counter 2021-06-25 08:52:38 +00:00			`// We use this in CachedUserInfo`
pbs-config: use new SharedMemory helpers from proxmox-shared-memory crate depend on proxmox-shared-memory crate. Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-12 17:44:28 +00:00			`let version_cache = ConfigVersionCache::new()?;`
			`version_cache.increase_user_cache_generation();`
fix CachedUserInfo by using a shared memory version counter 2021-06-25 08:52:38 +00:00
add user configiguration 2020-04-06 10:09:27 +00:00			`Ok(())`
			`}`

move user configuration to pbs_config workspace Also moved memcom.rs and cached_user_info.rs 2021-09-10 04:53:53 +00:00			`/// Only exposed for testing`
			`#[doc(hidden)]`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`pub fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8; 32]), Error> {`
user.cfg/user info: add test constructors Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-11-02 10:48:09 +00:00			`let cfg = init();`
			`let parsed = cfg.parse("test_user_cfg", raw)?;`

config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`Ok((parsed, [0; 32]))`
user.cfg/user info: add test constructors Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-11-02 10:48:09 +00:00			`}`

add user configiguration 2020-04-06 10:09:27 +00:00			`// shell completion helper`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00			`pub fn complete_userid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {`
add user configiguration 2020-04-06 10:09:27 +00:00			`match config() {`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`Ok((data, _digest)) => data`
			`.sections`
			`.iter()`
			`.filter_map(\|(id, (section_type, _))\| {`
			`if section_type == "user" {`
			`Some(id.to_string())`
			`} else {`
			`None`
			`}`
			`})`
			`.collect(),`
add user configiguration 2020-04-06 10:09:27 +00:00			`Err(_) => return vec![],`
			`}`
			`}`
replace Userid with Authid in most generic places. this is accompanied by a change in RpcEnvironment to purposefully break existing call sites. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-23 11:33:21 +00:00
			`// shell completion helper`
			`pub fn complete_authid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {`
			`match config() {`
			`Ok((data, _digest)) => data.sections.iter().map(\|(id, _)\| id.to_string()).collect(),`
			`Err(_) => vec![],`
			`}`
			`}`
manager: add token commands to generate, list and delete tokens. adding them to ACLs already works out of the box. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-15 12:49:04 +00:00
			`// shell completion helper`
			`pub fn complete_token_name(_arg: &str, param: &HashMap<String, String>) -> Vec<String> {`
			`let data = match config() {`
			`Ok((data, _digest)) => data,`
			`Err(_) => return Vec::new(),`
			`};`

			`match param.get("userid") {`
			`Some(userid) => {`
			`let user = data.lookup::<User>("user", userid);`
			`let tokens = data.convert_to_typed_array("token");`
			`match (user, tokens) {`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`(Ok(_), Ok(tokens)) => tokens`
			`.into_iter()`
			`.filter_map(\|token: ApiToken\| {`
			`let tokenid = token.tokenid;`
			`if tokenid.is_token() && tokenid.user() == userid {`
			`Some(tokenid.tokenname().unwrap().as_str().to_string())`
			`} else {`
			`None`
			`}`
			`})`
			`.collect(),`
manager: add token commands to generate, list and delete tokens. adding them to ACLs already works out of the box. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-15 12:49:04 +00:00			`_ => vec![],`
			`}`
config: rustfmt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 11:32:04 +00:00			`}`
manager: add token commands to generate, list and delete tokens. adding them to ACLs already works out of the box. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> 2020-10-15 12:49:04 +00:00			`None => vec![],`
			`}`
			`}`