proxmox-backup/src/auth.rs

//! Proxmox Backup Server Authentication
//!
//! This library contains helper to authenticate users.

use std::io::Write;
use std::process::{Command, Stdio};

use anyhow::{bail, format_err, Error};
use serde_json::json;

use pbs_api_types::{RealmRef, Userid, UsernameRef};
use pbs_buildcfg::configdir;

pub trait ProxmoxAuthenticator {
    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
    fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
    fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
}

struct PAM();

impl ProxmoxAuthenticator for PAM {
    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
        auth.get_handler()
            .set_credentials(username.as_str(), password);
        auth.authenticate()?;
        Ok(())
    }

    fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let mut child = Command::new("passwd")
            .arg(username.as_str())
            .stdin(Stdio::piped())
            .stderr(Stdio::piped())
            .spawn()
            .map_err(|err| {
                format_err!(
                    "unable to set password for '{}' - execute passwd failed: {}",
                    username.as_str(),
                    err,
                )
            })?;

        // Note: passwd reads password twice from stdin (for verify)
        writeln!(child.stdin.as_mut().unwrap(), "{}\n{}", password, password)?;

        let output = child.wait_with_output().map_err(|err| {
            format_err!(
                "unable to set password for '{}' - wait failed: {}",
                username.as_str(),
                err,
            )
        })?;

        if !output.status.success() {
            bail!(
                "unable to set password for '{}' - {}",
                username.as_str(),
                String::from_utf8_lossy(&output.stderr),
            );
        }

        Ok(())
    }

    // do not remove password for pam users
    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
        Ok(())
    }
}

struct PBS();

const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");

impl ProxmoxAuthenticator for PBS {
    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        match data[username.as_str()].as_str() {
            None => bail!("no password set"),
            Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,
        }
        Ok(())
    }

    fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
        let enc_password = proxmox_sys::crypt::encrypt_pw(password)?;
        let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        data[username.as_str()] = enc_password.into();

        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
        let options = proxmox_sys::fs::CreateOptions::new()
            .perm(mode)
            .owner(nix::unistd::ROOT)
            .group(nix::unistd::Gid::from_raw(0));

        let data = serde_json::to_vec_pretty(&data)?;
        proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;

        Ok(())
    }

    fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
        let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        if let Some(map) = data.as_object_mut() {
            map.remove(username.as_str());
        }

        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
        let options = proxmox_sys::fs::CreateOptions::new()
            .perm(mode)
            .owner(nix::unistd::ROOT)
            .group(nix::unistd::Gid::from_raw(0));

        let data = serde_json::to_vec_pretty(&data)?;
        proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;

        Ok(())
    }
}

/// Lookup the autenticator for the specified realm
pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {
    match realm.as_str() {
        "pam" => Ok(Box::new(PAM())),
        "pbs" => Ok(Box::new(PBS())),
        _ => bail!("unknown realm '{}'", realm.as_str()),
    }
}

/// Authenticate users
pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {
    lookup_authenticator(userid.realm())?.authenticate_user(userid.name(), password)
}
implement auth framework 2020-04-08 09:57:14 +00:00			`//! Proxmox Backup Server Authentication`
			`//!`
			`//! This library contains helper to authenticate users.`

			`use std::io::Write;`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`use std::process::{Command, Stdio};`
implement auth framework 2020-04-08 09:57:14 +00:00
switch from failure to anyhow Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-04-17 12:11:25 +00:00			`use anyhow::{bail, format_err, Error};`
implement auth framework 2020-04-08 09:57:14 +00:00			`use serde_json::json;`

rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`use pbs_api_types::{RealmRef, Userid, UsernameRef};`
split out pbs-buildcfg module Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-07-06 09:56:35 +00:00			`use pbs_buildcfg::configdir;`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00
implement auth framework 2020-04-08 09:57:14 +00:00			`pub trait ProxmoxAuthenticator {`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;`
			`fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;`
api2/access/user: remove password for @pbs users on removal so that their password entry is not left in the shadow.json Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2021-04-14 13:30:42 +00:00			`fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

move token_shadow to pbs_config workspace Also moved out crypt.rs (libcrypt bindings) to pbs_tools workspace. 2021-09-08 12:00:14 +00:00			`struct PAM();`
implement auth framework 2020-04-08 09:57:14 +00:00
			`impl ProxmoxAuthenticator for PAM {`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
implement auth framework 2020-04-08 09:57:14 +00:00			`let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`auth.get_handler()`
			`.set_credentials(username.as_str(), password);`
implement auth framework 2020-04-08 09:57:14 +00:00			`auth.authenticate()?;`
clippy fixups Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-10-14 09:18:26 +00:00			`Ok(())`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
implement auth framework 2020-04-08 09:57:14 +00:00			`let mut child = Command::new("passwd")`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`.arg(username.as_str())`
implement auth framework 2020-04-08 09:57:14 +00:00			`.stdin(Stdio::piped())`
			`.stderr(Stdio::piped())`
			`.spawn()`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`.map_err(\|err\| {`
			`format_err!(`
			`"unable to set password for '{}' - execute passwd failed: {}",`
			`username.as_str(),`
			`err,`
			`)`
			`})?;`
implement auth framework 2020-04-08 09:57:14 +00:00
			`// Note: passwd reads password twice from stdin (for verify)`
			`writeln!(child.stdin.as_mut().unwrap(), "{}\n{}", password, password)?;`

rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`let output = child.wait_with_output().map_err(\|err\| {`
			`format_err!(`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`"unable to set password for '{}' - wait failed: {}",`
			`username.as_str(),`
			`err,`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`)`
			`})?;`
implement auth framework 2020-04-08 09:57:14 +00:00
			`if !output.status.success() {`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`bail!(`
			`"unable to set password for '{}' - {}",`
			`username.as_str(),`
			`String::from_utf8_lossy(&output.stderr),`
			`);`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

			`Ok(())`
			`}`
api2/access/user: remove password for @pbs users on removal so that their password entry is not left in the shadow.json Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2021-04-14 13:30:42 +00:00
			`// do not remove password for pam users`
			`fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {`
			`Ok(())`
			`}`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

move token_shadow to pbs_config workspace Also moved out crypt.rs (libcrypt bindings) to pbs_tools workspace. 2021-09-08 12:00:14 +00:00			`struct PBS();`
implement auth framework 2020-04-08 09:57:14 +00:00
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");`
implement auth framework 2020-04-08 09:57:14 +00:00
			`impl ProxmoxAuthenticator for PBS {`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
update to proxmox-sys 0.2 crate - imported pbs-api-types/src/common_regex.rs from old proxmox crate - use hex crate to generate/parse hex digest - remove all reference to proxmox crate (use proxmox-sys and proxmox-serde instead) Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-23 16:57:00 +00:00			`let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`match data[username.as_str()].as_str() {`
implement auth framework 2020-04-08 09:57:14 +00:00			`None => bail!("no password set"),`
use new proxmox-sys crate Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-19 09:51:41 +00:00			`Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`
			`Ok(())`
			`}`

introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {`
use new proxmox-sys crate Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-19 09:51:41 +00:00			`let enc_password = proxmox_sys::crypt::encrypt_pw(password)?;`
update to proxmox-sys 0.2 crate - imported pbs-api-types/src/common_regex.rs from old proxmox crate - use hex crate to generate/parse hex digest - remove all reference to proxmox crate (use proxmox-sys and proxmox-serde instead) Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-23 16:57:00 +00:00			`let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`data[username.as_str()] = enc_password.into();`
implement auth framework 2020-04-08 09:57:14 +00:00
			`let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`let options = proxmox_sys::fs::CreateOptions::new()`
implement auth framework 2020-04-08 09:57:14 +00:00			`.perm(mode)`
			`.owner(nix::unistd::ROOT)`
			`.group(nix::unistd::Gid::from_raw(0));`

			`let data = serde_json::to_vec_pretty(&data)?;`
update to proxmox-sys 0.2 crate - imported pbs-api-types/src/common_regex.rs from old proxmox crate - use hex crate to generate/parse hex digest - remove all reference to proxmox crate (use proxmox-sys and proxmox-serde instead) Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-23 16:57:00 +00:00			`proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;`
implement auth framework 2020-04-08 09:57:14 +00:00
			`Ok(())`
			`}`
api2/access/user: remove password for @pbs users on removal so that their password entry is not left in the shadow.json Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2021-04-14 13:30:42 +00:00
			`fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {`
update to proxmox-sys 0.2 crate - imported pbs-api-types/src/common_regex.rs from old proxmox crate - use hex crate to generate/parse hex digest - remove all reference to proxmox crate (use proxmox-sys and proxmox-serde instead) Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-23 16:57:00 +00:00			`let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;`
api2/access/user: remove password for @pbs users on removal so that their password entry is not left in the shadow.json Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2021-04-14 13:30:42 +00:00			`if let Some(map) = data.as_object_mut() {`
			`map.remove(username.as_str());`
			`}`

			`let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`let options = proxmox_sys::fs::CreateOptions::new()`
api2/access/user: remove password for @pbs users on removal so that their password entry is not left in the shadow.json Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2021-04-14 13:30:42 +00:00			`.perm(mode)`
			`.owner(nix::unistd::ROOT)`
			`.group(nix::unistd::Gid::from_raw(0));`

			`let data = serde_json::to_vec_pretty(&data)?;`
update to proxmox-sys 0.2 crate - imported pbs-api-types/src/common_regex.rs from old proxmox crate - use hex crate to generate/parse hex digest - remove all reference to proxmox crate (use proxmox-sys and proxmox-serde instead) Signed-off-by: Dietmar Maurer <dietmar@proxmox.com> 2021-11-23 16:57:00 +00:00			`proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;`
api2/access/user: remove password for @pbs users on removal so that their password entry is not left in the shadow.json Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> 2021-04-14 13:30:42 +00:00
			`Ok(())`
			`}`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`

start impl. access permissions 2020-04-16 08:01:59 +00:00			`/// Lookup the autenticator for the specified realm`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {`
			`match realm.as_str() {`
implement auth framework 2020-04-08 09:57:14 +00:00			`"pam" => Ok(Box::new(PAM())),`
			`"pbs" => Ok(Box::new(PBS())),`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`_ => bail!("unknown realm '{}'", realm.as_str()),`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`
			`}`

start impl. access permissions 2020-04-16 08:01:59 +00:00			`/// Authenticate users`
introduce Username, Realm and Userid api types and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2020-08-06 13:46:01 +00:00			`pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {`
rust fmt for pbs src Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2022-04-14 12:03:46 +00:00			`lookup_authenticator(userid.realm())?.authenticate_user(userid.name(), password)`
implement auth framework 2020-04-08 09:57:14 +00:00			`}`