2020-10-07 11:09:13 +00:00
|
|
|
use std::collections::HashMap;
|
|
|
|
|
|
|
|
use anyhow::{bail, format_err, Error};
|
|
|
|
use serde::{Serialize, Deserialize};
|
|
|
|
use serde_json::{from_value, Value};
|
|
|
|
|
2021-11-23 16:57:00 +00:00
|
|
|
use proxmox_sys::fs::CreateOptions;
|
2020-10-07 11:09:13 +00:00
|
|
|
|
2021-09-08 12:00:14 +00:00
|
|
|
use pbs_api_types::Authid;
|
|
|
|
//use crate::auth;
|
|
|
|
use crate::{open_backup_lockfile, BackupLockGuard};
|
2020-10-07 11:09:13 +00:00
|
|
|
|
2021-07-06 09:56:35 +00:00
|
|
|
const LOCK_FILE: &str = pbs_buildcfg::configdir!("/token.shadow.lock");
|
|
|
|
const CONF_FILE: &str = pbs_buildcfg::configdir!("/token.shadow");
|
2020-10-07 11:09:13 +00:00
|
|
|
|
|
|
|
#[derive(Serialize, Deserialize)]
|
2021-05-31 12:53:08 +00:00
|
|
|
#[serde(rename_all="kebab-case")]
|
2020-10-07 11:09:13 +00:00
|
|
|
/// ApiToken id / secret pair
|
|
|
|
pub struct ApiTokenSecret {
|
|
|
|
pub tokenid: Authid,
|
|
|
|
pub secret: String,
|
|
|
|
}
|
|
|
|
|
2021-09-08 12:00:14 +00:00
|
|
|
// Get exclusive lock
|
|
|
|
fn lock_config() -> Result<BackupLockGuard, Error> {
|
|
|
|
open_backup_lockfile(LOCK_FILE, None, true)
|
|
|
|
}
|
|
|
|
|
2020-10-07 11:09:13 +00:00
|
|
|
fn read_file() -> Result<HashMap<Authid, String>, Error> {
|
2021-11-23 16:57:00 +00:00
|
|
|
let json = proxmox_sys::fs::file_get_json(CONF_FILE, Some(Value::Null))?;
|
2020-10-07 11:09:13 +00:00
|
|
|
|
|
|
|
if json == Value::Null {
|
|
|
|
Ok(HashMap::new())
|
|
|
|
} else {
|
|
|
|
// swallow serde error which might contain sensitive data
|
|
|
|
from_value(json).map_err(|_err| format_err!("unable to parse '{}'", CONF_FILE))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fn write_file(data: HashMap<Authid, String>) -> Result<(), Error> {
|
2021-09-08 12:00:14 +00:00
|
|
|
let backup_user = crate::backup_user()?;
|
2020-10-07 11:09:13 +00:00
|
|
|
let options = CreateOptions::new()
|
|
|
|
.perm(nix::sys::stat::Mode::from_bits_truncate(0o0640))
|
|
|
|
.owner(backup_user.uid)
|
|
|
|
.group(backup_user.gid);
|
|
|
|
|
|
|
|
let json = serde_json::to_vec(&data)?;
|
2021-11-23 16:57:00 +00:00
|
|
|
proxmox_sys::fs::replace_file(CONF_FILE, &json, options, true)
|
2020-10-07 11:09:13 +00:00
|
|
|
}
|
|
|
|
|
2021-09-08 12:00:14 +00:00
|
|
|
|
2020-10-07 11:09:13 +00:00
|
|
|
/// Verifies that an entry for given tokenid / API token secret exists
|
|
|
|
pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
|
|
|
|
if !tokenid.is_token() {
|
|
|
|
bail!("not an API token ID");
|
|
|
|
}
|
|
|
|
|
|
|
|
let data = read_file()?;
|
|
|
|
match data.get(tokenid) {
|
|
|
|
Some(hashed_secret) => {
|
2021-12-30 11:57:37 +00:00
|
|
|
proxmox_sys::crypt::verify_crypt_pw(secret, hashed_secret)
|
2020-10-07 11:09:13 +00:00
|
|
|
},
|
|
|
|
None => bail!("invalid API token"),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash.
|
|
|
|
pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
|
|
|
|
if !tokenid.is_token() {
|
|
|
|
bail!("not an API token ID");
|
|
|
|
}
|
|
|
|
|
2021-09-08 12:00:14 +00:00
|
|
|
let _guard = lock_config()?;
|
2020-10-07 11:09:13 +00:00
|
|
|
|
|
|
|
let mut data = read_file()?;
|
2021-11-19 09:51:41 +00:00
|
|
|
let hashed_secret = proxmox_sys::crypt::encrypt_pw(secret)?;
|
2020-10-07 11:09:13 +00:00
|
|
|
data.insert(tokenid.clone(), hashed_secret);
|
|
|
|
write_file(data)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Deletes the entry for the given tokenid.
|
|
|
|
pub fn delete_secret(tokenid: &Authid) -> Result<(), Error> {
|
|
|
|
if !tokenid.is_token() {
|
|
|
|
bail!("not an API token ID");
|
|
|
|
}
|
|
|
|
|
2021-09-08 12:00:14 +00:00
|
|
|
let _guard = lock_config()?;
|
2020-10-07 11:09:13 +00:00
|
|
|
|
|
|
|
let mut data = read_file()?;
|
|
|
|
data.remove(tokenid);
|
|
|
|
write_file(data)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|