proxmox-backup/proxmox-restore-daemon/src/proxmox_restore_daemon/auth.rs

//! Authentication via a static ticket file
use std::fs::File;
use std::io::prelude::*;

use anyhow::{bail, format_err, Error};

use proxmox::api::UserInformation;

use proxmox_rest_server::{ApiAuth, AuthError};

const TICKET_FILE: &str = "/ticket";

struct SimpleUserInformation {}

impl UserInformation for SimpleUserInformation {
    fn is_superuser(&self, userid: &str) -> bool {
        userid == "root@pam"
    }
    fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
    fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
}

pub struct StaticAuth {
    ticket: String,
}

impl ApiAuth for StaticAuth {
    fn check_auth(
        &self,
        headers: &http::HeaderMap,
        _method: &hyper::Method,
    ) -> Result<(String, Box<dyn UserInformation + Send + Sync>),  AuthError> {
        match headers.get(hyper::header::AUTHORIZATION) {
            Some(header) if header.to_str().unwrap_or("") == &self.ticket => {
                Ok((String::from("root@pam"), Box::new(SimpleUserInformation {})))
            }
            _ => {
                return Err(AuthError::Generic(format_err!(
                    "invalid file restore ticket provided"
                )));
            }
        }
    }
}

pub fn ticket_auth() -> Result<StaticAuth, Error> {
    let mut ticket_file = File::open(TICKET_FILE)?;
    let mut ticket = String::new();
    let len = ticket_file.read_to_string(&mut ticket)?;
    if len <= 0 {
        bail!("invalid ticket: cannot be empty");
    }
    Ok(StaticAuth { ticket })
}
file-restore-daemon: add binary with virtio-vsock API server Implements the base of a small daemon to run within a file-restore VM. The binary spawns an API server on a virtio-vsock socket, listening for connections from the host. This happens mostly manually via the standard Unix socket API, since tokio/hyper do not have support for vsock built in. Once we have the accept'ed file descriptor, we can create a UnixStream and use our tower service implementation for that. The binary is deliberately not installed in the usual $PATH location, since it shouldn't be executed on the host by a user anyway. For now, only the API calls 'status' and 'stop' are implemented, to demonstrate and test proxmox::api functionality. Authorization is provided via a custom ApiAuth only checking a header value against a static /ticket file. Since the REST server implementation uses the log!() macro, we can redirect its output to stdout by registering env_logger as the logging target. env_logger is already in our dependency tree via zstd/bindgen. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-03-31 10:21:52 +00:00			`//! Authentication via a static ticket file`
			`use std::fs::File;`
			`use std::io::prelude::*;`

another import cleanup Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2021-09-01 12:37:11 +00:00			`use anyhow::{bail, format_err, Error};`

rest server: return UserInformation from ApiAuth::check_auth This need impl UserInformation for Arc<CachedUserInfo> which is implemented with proxmox 0.13.2 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-09-21 05:58:48 +00:00			`use proxmox::api::UserInformation;`

move ApiConfig, FileLogger and CommandoSocket to proxmox-rest-server workspace ApiConfig: avoid using pbs_config::backup_user() CommandoSocket: avoid using pbs_config::backup_user() FileLogger: avoid using pbs_config::backup_user() - use atomic_open_or_create_file() Auth Trait: moved definitions to proxmox-rest-server/src/lib.rs - removed CachedUserInfo patrameter - return user as String (not Authid) Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-09-21 05:58:40 +00:00			`use proxmox_rest_server::{ApiAuth, AuthError};`
file-restore-daemon: add binary with virtio-vsock API server Implements the base of a small daemon to run within a file-restore VM. The binary spawns an API server on a virtio-vsock socket, listening for connections from the host. This happens mostly manually via the standard Unix socket API, since tokio/hyper do not have support for vsock built in. Once we have the accept'ed file descriptor, we can create a UnixStream and use our tower service implementation for that. The binary is deliberately not installed in the usual $PATH location, since it shouldn't be executed on the host by a user anyway. For now, only the API calls 'status' and 'stop' are implemented, to demonstrate and test proxmox::api functionality. Authorization is provided via a custom ApiAuth only checking a header value against a static /ticket file. Since the REST server implementation uses the log!() macro, we can redirect its output to stdout by registering env_logger as the logging target. env_logger is already in our dependency tree via zstd/bindgen. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-03-31 10:21:52 +00:00
			`const TICKET_FILE: &str = "/ticket";`

rest server: return UserInformation from ApiAuth::check_auth This need impl UserInformation for Arc<CachedUserInfo> which is implemented with proxmox 0.13.2 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-09-21 05:58:48 +00:00			`struct SimpleUserInformation {}`

			`impl UserInformation for SimpleUserInformation {`
			`fn is_superuser(&self, userid: &str) -> bool {`
			`userid == "root@pam"`
			`}`
			`fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }`
			`fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }`
			`}`

file-restore-daemon: add binary with virtio-vsock API server Implements the base of a small daemon to run within a file-restore VM. The binary spawns an API server on a virtio-vsock socket, listening for connections from the host. This happens mostly manually via the standard Unix socket API, since tokio/hyper do not have support for vsock built in. Once we have the accept'ed file descriptor, we can create a UnixStream and use our tower service implementation for that. The binary is deliberately not installed in the usual $PATH location, since it shouldn't be executed on the host by a user anyway. For now, only the API calls 'status' and 'stop' are implemented, to demonstrate and test proxmox::api functionality. Authorization is provided via a custom ApiAuth only checking a header value against a static /ticket file. Since the REST server implementation uses the log!() macro, we can redirect its output to stdout by registering env_logger as the logging target. env_logger is already in our dependency tree via zstd/bindgen. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-03-31 10:21:52 +00:00			`pub struct StaticAuth {`
			`ticket: String,`
			`}`

			`impl ApiAuth for StaticAuth {`
			`fn check_auth(`
			`&self,`
			`headers: &http::HeaderMap,`
			`_method: &hyper::Method,`
rest server: return UserInformation from ApiAuth::check_auth This need impl UserInformation for Arc<CachedUserInfo> which is implemented with proxmox 0.13.2 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-09-21 05:58:48 +00:00			`) -> Result<(String, Box<dyn UserInformation + Send + Sync>), AuthError> {`
file-restore-daemon: add binary with virtio-vsock API server Implements the base of a small daemon to run within a file-restore VM. The binary spawns an API server on a virtio-vsock socket, listening for connections from the host. This happens mostly manually via the standard Unix socket API, since tokio/hyper do not have support for vsock built in. Once we have the accept'ed file descriptor, we can create a UnixStream and use our tower service implementation for that. The binary is deliberately not installed in the usual $PATH location, since it shouldn't be executed on the host by a user anyway. For now, only the API calls 'status' and 'stop' are implemented, to demonstrate and test proxmox::api functionality. Authorization is provided via a custom ApiAuth only checking a header value against a static /ticket file. Since the REST server implementation uses the log!() macro, we can redirect its output to stdout by registering env_logger as the logging target. env_logger is already in our dependency tree via zstd/bindgen. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-03-31 10:21:52 +00:00			`match headers.get(hyper::header::AUTHORIZATION) {`
			`Some(header) if header.to_str().unwrap_or("") == &self.ticket => {`
rest server: return UserInformation from ApiAuth::check_auth This need impl UserInformation for Arc<CachedUserInfo> which is implemented with proxmox 0.13.2 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-09-21 05:58:48 +00:00			`Ok((String::from("root@pam"), Box::new(SimpleUserInformation {})))`
file-restore-daemon: add binary with virtio-vsock API server Implements the base of a small daemon to run within a file-restore VM. The binary spawns an API server on a virtio-vsock socket, listening for connections from the host. This happens mostly manually via the standard Unix socket API, since tokio/hyper do not have support for vsock built in. Once we have the accept'ed file descriptor, we can create a UnixStream and use our tower service implementation for that. The binary is deliberately not installed in the usual $PATH location, since it shouldn't be executed on the host by a user anyway. For now, only the API calls 'status' and 'stop' are implemented, to demonstrate and test proxmox::api functionality. Authorization is provided via a custom ApiAuth only checking a header value against a static /ticket file. Since the REST server implementation uses the log!() macro, we can redirect its output to stdout by registering env_logger as the logging target. env_logger is already in our dependency tree via zstd/bindgen. Signed-off-by: Stefan Reiter <s.reiter@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> 2021-03-31 10:21:52 +00:00			`}`
			`_ => {`
			`return Err(AuthError::Generic(format_err!(`
			`"invalid file restore ticket provided"`
			`)));`
			`}`
			`}`
			`}`
			`}`

			`pub fn ticket_auth() -> Result<StaticAuth, Error> {`
			`let mut ticket_file = File::open(TICKET_FILE)?;`
			`let mut ticket = String::new();`
			`let len = ticket_file.read_to_string(&mut ticket)?;`
			`if len <= 0 {`
			`bail!("invalid ticket: cannot be empty");`
			`}`
			`Ok(StaticAuth { ticket })`
			`}`